Aloha and welcome to the Cyber Underground. I'm your host, Dave Stevens, and today we've got a lot to talk about. We're going to cover a lot of ground, a lot of dangers, a lot of things that are out there looking for you, trying to open up a back door and open up your life and phone home. With me today, I have Hal Corcoran, guest host, been promoted. Host today. Hal Corcoran, he's an assistant professor at Kapiʻolani Community College for the University of Hawaii. Welcome back. Thanks, Dave. Thanks for having me back on the show. Oh man, I love it. So, audience, we teach together at Kapiʻolani Community College. Hal does mostly the networking stuff. I do mostly the network security, ethical hacking line, the cybersecurity stuff. And we have a great time, and I love having him on the show because he has so much knowledge, especially when we talk about the cybersecurity ethical hacking kill chain when it comes to getting inside your network and pivoting to another system. So, we'll talk about that.

Right here in our studio, one of our new guests right here in front of us is Alexa. And she's listening right now. Alexa, play. Alexa, pause. But there's some problems with Alexa. She's voice activated and she does just about everything you want now, and she's getting more and more abilities as she gets software upgrades from Amazon. But let's ask her a question. Alexa, are you secure? "I'm not sure about that." So this could be a problem. Yeah, it's not, I'm not sure about it. It's plausible to not be able to do it. So let's just demonstrate: Alexa, mute. Okay, so this is Alexa on mute. You see a little yellow line and then it disappears. However, you can see it's still blinking. So if I say Alexa, she's going to come to life again. But there's a little button on top. See these buttons on top, power and mute. You can manually mute her. You get a red circle. You should get a red circle here. Give me the red circle. There we go. So now she's muted.
Now, according to the literature that I read, that turns off the microphone. Again, it's according to the literature that comes with the device. So I cannot promise you this thing is not listening to you. Here's the problem, ladies and gentlemen: do you want a device in your home that listens to everything you say and probably caches it, which is a small memory amount inside the device? So you could be talking about something that's incredibly personal or tragically nefarious, planning a murder, and it's all right there. And apparently the police know this and they're already trying to subpoena these devices. Yeah, so this is, it's a benefit and it's not a benefit to society. And the reason I want to put this front and center is because Alexa can do so much for you. It also learns about you. So it's got a little bit of artificial intelligence there. And it's phoning home to Amazon using their big, massive data servers and giving them all your searches.

So just now we heard a little bit of Jimi Hendrix, "Voodoo Chile." And that's one of my favorite guitar licks. But now Amazon, if my account was in this Alexa, Amazon would now know I like Hendrix songs. So now when I log into my account on Amazon, I'm going to see probably Hendrix music, Hendrix memorabilia, t-shirts, whatever, all around the sides. And that's my advertisements now, right? That's not just listening to what you're saying. It's collecting information about you. Right. And from a hacker's standpoint, if I can hack this, I can listen in to everything that you do, everything that you say when you're within voice range. That's right. That's remarkably scary when you think about people voluntarily putting surveillance equipment in their house and giving control to somebody else. You would not let someone come in and install bugging devices around your living room, probably. Right. But you're essentially opening yourself up to that by having this activated and running in here. Unbelievable. Right.
You know what's scary is, say I was a criminal and I made the FBI's most wanted list and they're looking for me and they found me, but they wanted to collect evidence and I got this on in my house, stupidly. And they hack into it. Now they can use this as a surveillance device because they can do that with phones. Why not Alexa? It's just another type of tap. Right. And they didn't have to plant anything. It's there. It's working for you. All they'd have to do is make sure that they don't make a trigger in there that tips you off. You know, maybe you logged in with your profile accidentally and it plays classical instead of Hendrix. Then I'd be really suspicious. Right. But this could be in several rooms of your house. They have the Echo Dot now, where you can order things from this, and the little sub-Alexas, the smaller ones that you can put all over your house, and you can control your entire house with this. You can also hook it in. There's APIs now. You can hook this into systems that control things in your house. Smart home. You heard about the heating systems and alarm systems. Doorbells, cameras. Right. Why would that be bad? Because it opens a hole where someone can get in and now monitor or control all of those devices within your house. That's right. So they don't want to mess with you. They turn the heat up in your house. They want to rob your house. They can unlock your lock remotely. And they know we're not there. That's somebody who can listen and watch to see if anyone is home at that time. Right. You can do the perfect robbery. It's just the perfect robbery, right? External cameras would probably show you if your neighbors are home. Internal would show you, I don't know why people do this, but they install internal cameras in their security systems. Internal cameras, ladies and gentlemen, internal cameras are monitored by security companies and can be monitored via the internet by you.
But if someone hacks your account, they can monitor your house from the internet while you're home and you don't know it. Just food for thought, if you're installing a security system. But Alexa can do enough damage. What convenience do we get from her? She can, she can actually get airline tickets for me now, I think. No, is that she has your credit card, can do purchases? I think that would be bad, though, because I don't think she differentiates between voices. So if I'm logged in here, and I give this device my credit card information, I think one of my kids could walk up and say, "Alexa, I want to go to Paris today." Yeah. When that credit card information is transmitted back to Amazon, is it encrypted? What type of encryption? My God, I hope so. I don't know. Yeah, if it's in the clear, because if it's in the clear, you're in poor shape, right?

Especially most people don't know that Alexa is a wireless device. You don't plug it into your network. It's not wired. So a wireless device, if you're going to take the wireless down to its lowest tech, what you're looking at is a radio, and a radio transmits in all directions at the same time. And it really does not care if things are encrypted or secure. It just broadcasts. So if you're listening in to a wireless broadcast, say you're at Starbucks, you got Wireshark open, that's the tool we talked about a little while ago, and you're gathering packets. The things that aren't encrypted, as we showed, could be your username and password, could be a credit card, your credit card data, the number, the date, that little CVV code on the back of the card, and that's all they need to be up and running, right? And your zip code, right? Actually, Amazon will actually ask you your address now, I believe; you got to put in the address for the credit card. So they're asking for more information. I hope they would do it. To their credit, I mean, they're actually taking another step there.
But Alexa can be an incredibly wonderful device and an incredibly dangerous device. Yeah, would you ever put this in your house? I would put it in my house, but I would keep it disabled, except when I was actually listening to it. I don't think I would just let it run in the background, you know, to have this listening device always listening to everything that I'm doing and saying; it would kind of make me feel kind of creepy to have it. What would you feel like if you walked into a hotel room or Airbnb and there's an Alexa sitting there? Yeah, that might be a little disturbing. Yeah. Can I order room service? Send me up a cheeseburger. Right. That would be great. On the other hand, anybody can be listening, right? Okay, so these are dangerous.

Let's talk about other dangerous things on your network. These connect wirelessly. Let's talk about stuff that you might voluntarily, accidentally put on your own system. So there's tons of ways that this can happen. A lot of ways. You need to do something on your computer. You don't have any commercial software on your computer to do something. And you don't want to go out and spend 150 bucks on a piece of software. So you download something for free, right? And free software. This is an anomaly and kind of an oxymoron. How would you do this? It doesn't make sense to give away something for free unless you're getting something back. Right? So when people are giving away something for free, how do they usually pay for it? They ask for donations, or there's some secondary thing attached to it that they hope you're going to buy or pay for. So some advertising too. Yeah, they can feed advertising, right? Sometimes they let you use it for a limited amount of time. And then at the end of that time, they ask you to pay for it. Or they might give you reduced functionality. Say, well, if you paid for this, boy, you could do so much more. You get the pro version. Exactly.
And there's a lot of good free software out there that's good for, you know, a lot of different purposes. But there's usually some kind of a hook to try to get you to subscribe or purchase something else related to it, because they have to make money and they have to fund themselves. An exception is Wireshark. Yeah, no, they might ask for a donation, but there's no advertising. No, I think they run some training and things like that that you might pay for. They publish books, they make money that way. Yeah. And they publish books, but the tool itself is completely free. Firefox. I've used it for years. Yeah. I trust it. I don't know if I should, but I trust it. Trust it as much as I trust anything. Yeah.

But when you download other stuff, little tiny utilities that you might use just once or twice, they have the potential of using something called a wrapper. And not like the music rap, but like a wrapper, like Christmas wrapping. And this is a technique hackers can use to attach their malware, the nefarious program, to a legitimate executable, right? So when you launch that legitimate software, you're also launching their malware, and it always operates in the background. So this could be like a Trojan horse, where it's a legitimate, good piece of software, but something is hidden inside. Right. Like in the movie, you know, where Brad Pitt is hiding in that horse where there's plenty of sort of way to rape and destroy. And so it looks great on the outside. And it works great. But inside there could be something nasty, you know, hiding. Right. So let's say we got a Trojan, and there's a number of different things this Trojan could do.
If somebody just wanted to mess with you, some of the things you might see are your screen turns upside down, your mouse pointer is now left-handed instead of right, you know, or they might change the default language in Windows, right? So you're looking at Slavic or something, right? You don't understand anymore. That's actually happened to me; it changed to Chinese. And, you know, I could probably get by with Roman characters, and I could see the letters and I could kind of piece it together. But the pictures they use, the little pictograms in Chinese, those symbols, I have no idea. Those people must be so smart, because I could never speak that language or write those things. But that would really confuse me. And I would have a rough time getting away from that. And the problem is, once you change those back to what you want, that program can go right back and change them again. And you're stuck some more. So that could be one thing they can do.

What's another thing they might do? One of the most annoying things that I see is when they change my search engine. You install something and it automatically changes your search engine to whatever search engine they want. And you have to go back and change it back again. And sometimes they're really stubborn. So you go back and change it. And then the next time you restart the browser, it changes it back again. It's a continuous struggle. You got to take out whatever you installed. Yeah. So the terrible thing is that sometimes legitimate software vendors will do this and it's not a Trojan. Most notably, Java will do exactly that. You install Java, and during the install procedure, most people just go next, next, next, next, next. But one of those screens says, "Hey, would you like to make Yahoo your search engine? And would you like to update all this other stuff?"
And if you don't uncheck the box, if you just go accept, accept, accept, you've now changed your search engine and probably several other options on your system, right, which are hard to fish out. I mean, and you don't know what's going on until you search and, like, "Wow, this doesn't look like my regular Google search. Something's different. Something's not right here." Yeah, so that's one of the things that can happen. And the other one could be nefarious. They want to control your computer. They want to make you a zombie device or part of their botnet. So they can remote control your computer to do things like denial of service attacks on other computers. So if they control, they get the software on a million computers, a million computers all going to one spot at one time on the internet will crash almost any server right away and stop that system from working. So that's another: a botnet controller, or a nefarious storage device. So they're using you to store files that might be used for bad purposes. Unfortunately, some things that have to do with child pornography and stuff; you don't want that on your system. You're liable, right? We're going to talk more about that. We're going to take a little break and pay some bills, come right back. Until then, stay safe.

Hello, everyone. I'm DeSoto Brown, the co-host of Human Humane Architecture, which is seen on Think Tech Hawaii every other Tuesday at 4pm. And with the show's host, Martin Despeng, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Human Humane Architecture every other Tuesday at 4pm on Think Tech Hawaii. I just walked by and I said, "What's happening, guys?" They told me they were making music.

Welcome back to the Cyber Underground. I'm your host, Dave Stephens.
And we've been talking about malware and how it gets onto your system with your help, right here with me, Hal Cochran from Kapiʻolani Community College. Welcome back from the break. Those are great commercials. Yeah, I'm sure we'll see them when we review the reels. We've been talking about Alexa and how people will put this device behind their own firewall, which gives people an opportunity to hack this device and be on your network. And then we talked about downloading software that might have a nefarious purpose, and just mess with you, just to make your life miserable, or to do some damaging stuff like take control of your computer and use you as a botnet.

And one of the things that we should talk about is what happens to, like, our anonymous friend; we're not going to put out that person's name. We will tell you this: this happens quite a bit to the elderly, I must say, because they came into the world not knowing about computers and they retired probably before computers became prevalent in the workplace. So their knowledge of computers is quite limited. And it's a wonderful device to get on the internet, search, purchase stuff. But then they tend to trust it a little bit too much. And let's run through the scenario. Our anonymous friend somehow got one of these pieces of software on a system; we don't know how. And a message popped up and said, "Warning, your computer's been infected. Please call this number right away and we can help." And it's just a 1-888 number. And he called. And of course, somebody with an accent that sounds like a region that might have a lot of help desk support in it answered; we won't tell you what region, but I'm sure we can all figure that one out. And so it sounded legit. So he walked through the process, and the person asked, "Can I get remote access to your system so I can clean your system from here?" And our friend said, "Yes, that sounds okay." And so they got remote access to the computer.
And of course, the person who logged in knew exactly what to take off the system to make it seem like the damage was gone. But what did he add in while he was there? That's the part that we can't know. What do you do? At that point, you know that somebody might have left something behind. What are they after, do you think? They're probably leaving a back door so they can come back in later and take control of that machine. As you said, use it as part of a botnet or, you know, spamming the machine, or I've seen one where someone had actually had a web server with a fake banking site and was collecting Mastercard numbers on somebody else's computer, and they had no idea that any of this was going on. Yeah, and it's hard to find. The FBI showed up, took the PC as evidence, and they also lost the computer right away. Yeah. One of the bad parts is if your computers get taken by the authorities, they're going to take the computers, they're going to take the backup, and you're lost. You have no data and no computer. And you got to start from scratch.

So what do you do? I mean, if you walk through that process and someone says, "Oh, you shouldn't have done that. What's probably going on now is someone can control your computer." What would your advice be? The only absolutely sure way to get rid of this unknown malware, because we don't know what was left or where it was left, the only true sure way is just to completely wipe out that computer and reinstall it and start from scratch. Yeah. Short of that, you can try antivirus programs and malware removal and anti-rootkit type of software. And if you're lucky, maybe you'll get the bad stuff off, but you don't know for sure. So the problem with the software that you use to get the stuff off your computers is that they have to have a known attack in the past with the same signatures, same properties, same file names and so forth.
And they use that to run the scan and pull that stuff off your computer. However, there is a nefarious piece of software out there that we just heard about. I could not believe this one, because I used to use this when I first started the computer company; millions and millions of users: CCleaner. Not only did people install this software, but CCleaner installed what's called a secondary payload. So a secondary payload is a different executable from the original. And it's installed to do something different that you can't detect. And it's usually named something different. If they're really smart, they put in a mutating string property. So it propagates itself and deletes its old one every couple of days. So you can never trace it. And it changes its process ID. So you can't find it in something like the Task Manager in Windows. One of the ways that I usually track stuff like that down: most nefarious software will try to imitate a known program that comes with Windows. So you might see, if you open up your Task Manager, notepad.exe is running. But then you look in your taskbar and there's no Notepad. Yeah. So what is going on here? So that's one of the clues.

What's bad about CCleaner is not every version was infected. There was just a few versions, and you can find them on the web. It's a long trail of numbers: the major, minor and revision numbers. But what's bad about that is only a few numbers got infected. And they got infected from the manufacturer, from the producer of the software. That's vast, right? How do you think they pulled that off? It was only from August into September. Those versions that were downloaded in that time were the ones that were infected. And this software had a digital signature. The signature is supposed to prove that nothing has changed. There's nothing bad hidden in here. This is the original software directly from the software vendor.
But someone was able to get this malware in at the vendor's before it was signed. So it was signed with the malware in it. So it had to be someone with inside access that was able to add this malware at the compilation stage, when they're building the software, before it gets signed and then put out onto the download site. So it looked legitimate to everybody. Absolutely. This is not the first time it's happened. Apple had this. I could not believe this. So their free development software is called Xcode. And you can download it off the Apple website. And that's always legitimate from the Apple website. However, other people were offering that. And sometimes the Apple website slows down. There's a lot of downloads around September when the new stuff comes out every year. And so other people were offering, "Oh, you can download it from us." What happened was, I believe it was a Chinese group had replicated that software, that Xcode software; decompiled it. That means they broke it open. They ripped something out and put their own code in there and padded the characters so it would be the exact same size as the old executable. So the signature that was originally used to verify that code was still valid. And then they recompiled and put it up for download. Now people downloading this, the software would still work. You could use Xcode to create iOS apps on the iPhone, iPad and the Mac. Here's the exception though. Those compilations that you made and you produced to make iOS apps, the apps that you distributed and were put on other people's phones or iPads, would phone home and give remote access. So you're unwittingly just spreading this malware, right. That's right. And usually, so people know out there, when you make an iOS app, you got to give it back to Apple and they examine it. And they say yes or no, it can go or it can't go. And we all assume they're looking for security holes. This one got through.
So it had the signature. It had the signature. It was just fine. So you never know what's going to get through the front door. Now in the CCleaner case, here's the unique property, right? We just found out CCleaner went in there and installed a secondary payload, and that payload's job was to try to go to other systems; we're doing a pivot, right. It's trying to get into a system at specific companies: Google, Sony, a couple of others, tech giants; there was a list of 18 of them. So let's talk about what we can do if we get CCleaner in there. With the criminals, we get CCleaner in, we deliver the secondary payload, we actually get into Google. We're behind the Google firewall, we're on someone's PC, and we're trying to pivot. What are we doing? You think we're trying to infect Google sites, any Google software? What if we could get, you know, our malware into Google Chrome? How many millions of people download that, right? It's just a wide open opportunity to spread our malware even further. What about just sitting there looking around? Data. Google, do you think Google collects any data? There might be some data. I don't know, one or two pieces maybe. Yeah. So there's, I think, volumes and volumes of data on billions of people. When I had a kidney stone? I mean, they know everything about me. That's so sad, right?

And I think when we talk about, like, the Equifax hack, they were hacked by the same hackers in March. And then again, they realized that by July, right? In that time, I've been asked, "Well, what the heck were they doing? Why didn't they just start ripping out data?" And I said, well, they didn't know where the data was when they got in there. So that couple of months might have been them pivoting through the systems in the network, looking for that right server, and then taking the data out.
The biggest problem to me is, the data should have been encrypted inside the firewall too, because we're supposed to do defense in depth. So it's another Equifax fail, right? Their systems and passwords weren't updated. Adobe Struts hadn't been updated in the two and a half, three months between the patch date, which got released in March, and when they got hacked; they didn't release that and update it. And then on top of that, they didn't have their database encrypted. It should have been encrypted. And it should have been on its own private, more heavily secured network, right. Shouldn't have been out there with, you know, people's desktops, with the sales department or anything. And that's a big problem. The companies make that big network. And they say, "Cool, we're up and running." But then the marketing guys can see it, the sales guys can see it, the CEOs can see it. Everyone can see the data you don't want anybody to see. That's a bad thing, right?

Well, this went so fast. We're almost out of time. Yeah. Let's just say Kapiʻolani Community College is going to have a Wetware Wednesday for those of you local residents out here. Come on out to Kapiʻolani Community College at the Kopiko building. We're going to be doing a Wetware Wednesday presenting our program at Kapiʻolani and what we're doing in cyber, networking, databases and programming. We'll have heavy pupus and some bentos. For you mainland people out there, what that means is hors d'oeuvres, plates of food, right? All right. Thanks for being with us and join us next week, everybody. Until then, stay safe.