Welcome back to the Cyber Underground. I'm Dave, the Cyber Guy. I'm here with Hal, the Networking Guy. Once again, we teach for Kapiolani Community College at the University of Hawaii System here on the beautiful island of Oahu, about nine-tenths of a mile away from the sands of Waikiki Beach and about 500 yards away from Diamond Head Crater, the one that's not exploding right now. That's the volcano we're talking about. The extinct one. Yeah, the extinct one. Well, gosh, I hope it's extinct. We keep finding out that volcanoes really don't go extinct. They just kind of slow down to a murmur and they can blow up at any time. Hopefully this is not a Mount St. Helens event, but I was watching just yesterday. There was a video of the lava flows, and they were so powerful that they tore a piece of rock off of the side of the lava flow and carried it downstream. This boulder was the size of about eight different trucks put together. It's pretty spectacular. Some of the lagoons are getting inundated with molten lava and all that steam comes up, and maybe our fans should know that the vapor contains particulate glass. You don't want to breathe it or get it in your eyes. You don't want to be in the area. If you're out sightseeing and you think, I'm going to go see a volcano, you'd better stay away, because if the wind shifts and you get blasted with that fog, that smoke, it's going to do permanent damage to your lungs and could blind you. So stay away. If they say stop, do so.

Well, today is a good day. It just seems like sitting around the house thinking, yeah, what are we going to talk about on Friday? And then the news just keeps writing itself. We have this great political environment, so I guess comedians have their share of anything they want to talk about; it's just a wonderful time for comedians. But it's the same for cyber people. It just seems to be, either through zero days and the ingenuity of hackers or just through laziness, people are getting hacked all the time.
And this one that we're going to talk about is not one that most people expect. So let's talk about Sarah Huckabee Sanders, our White House spokesperson. And like I was saying, I can't believe I missed George Stephanopoulos, but I miss those days. I miss what he would say over and over again: what the president meant to say was... and you have to make up for it. But Sarah Huckabee Sanders apparently got kicked out of a restaurant. Yeah, I guess she was asked to leave by the restaurant management. It was apparently a reaction to the administration's policy on separating children from illegal immigrants. And so they asked her if she would leave. From what I understand, it was pretty calm and quiet. I read the story. Apparently the manager took a vote in the back room and everyone voted her off the island, as it were. And they came out and they said she had to leave. And he even paid for their appetizers. And so she wasn't billed for anything, but she had to leave. And funny, like the next day, the Red Hen, the restaurant, their website was hacked. And most people would think, oh, it's Republican retribution. Trump ordered that site to be hacked in retribution. But the reality was quite different. You want to go through that with us?

Yeah, you would expect that those things were connected somehow and they were going to put some kind of political message on the site after they hacked it, but not the case at all. What they did was they used it for an old type of black hat trick, which is search engine optimization. And this is using the algorithms that Google and these other search engines use against them to try to artificially elevate the status of some sites. So the more people visit the site, the higher it will show up in the search results. Now, we've got to go over the way this works. In the HTML on the site, you can put hidden text in the same color as the background so no one can read it.
That text can be all the keywords and also links, in an iframe, to another site that they want to elevate in the search ranks in Google or Yahoo. And that's the secret. So unless you're really looking, you can't tell. To the ordinary user, they would have no idea. They would just know something's wrong with the site. They're not seeing what they expect. Instead of seeing the menu from the Red Hen or whatever, they're either seeing nothing or they're seeing something that doesn't seem to be the right content. And so this was apparently used to redirect people to an Australian pharmaceutical site where they were selling Viagra and other pharmaceutical products, and to increase the hits on that site and therefore elevate it in the search algorithm. So this was a little bit of business espionage. And we should also add that sometimes the content of the site doesn't change at all. It's just the way it's always been, with those little iframes, those embedded links, in the background bringing up content which you don't see on the screen because the content comes up in a font that's the same color as the background. And the only way to tell, really, is you look in the lower left-hand corner of your browser and you can see all the redirection happening. It's saying TLS connections being made, waiting for this site, waiting for that site, redirecting to the site. Most browsers, Safari, Mozilla Firefox, Opera, Chrome, they all do that. And that's a good way to watch. And sometimes you will not know that the site has been hacked. You know, there are extensions that you can download and install for your browser that will show you every one of those redirects, every ad, every click, every... there's so many things going on in the background. You think you click on one site, you go to that one site, but that site can call, you know, DoubleClick and a thousand other sites to track you or, you know, for a number of different reasons.
And there is software that you can install that will show you every one of those, and everyone I know who has ever installed that has been amazed at how many different sites are actually involved in the background when you just go to visit, you know, one site like CNN.com or something. There's all the pass-through advertising, click aware stuff that's going on, ad aware from Google, tracking cookies, all kinds of stuff. And it can slow you down. You don't even know about it. I've heard that there are plugins, and I have not tested these yet, but my friend Tom did. He tested a number of plugins they've been using in Europe. And he said his pass-through rate now is much faster. He's about 52% faster because he's taking away a lot of the advertising clicks and the redirects going on in the background. And it's actually accelerated his experience, which is kind of nice, because things have been slowing down with the advertising revenue going up. Our experience on the internet goes down, which I guess plays back into, you want to buy more bandwidth from your provider to make up for the advertising. That's right. So this is like a steamroller that you can never get away from. And especially with the price of internet nowadays in some places like out here, our rates just went up again. And we just had a takeover by another major corporation. It all plays into security in one way or another.

One thing that hackers do know, if they want to get into a website, is that they will research the company and try to find out and assess the budget of the company and where they're putting their dollars. So Red Hen was obviously not putting a lot of time and effort and dollars or security into their website. And a website is one of those public-facing pieces of technology that's vulnerable.
And if you're not putting money into your website, you know, you're probably not going to be putting it into a CIO, chief information officer, or security officer, and you're probably not going to buy the latest firewalls. You're not going to be providing user training to your employees on how to keep yourself secure. Yeah, most restaurants aren't going to focus on that. They're focused on the food, the menu. The website is just kind of an afterthought. And they probably outsource it to someone who just builds up a quick website for them and gives it to them. And once that website is built, if no one is maintaining it and continually monitoring it, then, you know, it's likely to be vulnerable, you know, to these types of attacks and maybe other types of attacks. This site was built on WordPress, and you've got to keep up with WordPress updates. Yeah, it's had a good track record. It's had, you know, a steady stream of vulnerabilities, which are then patched, but you need to continually stay on top of it and maintain it and patch it. Otherwise, you're going to be vulnerable. And so apparently this wasn't, you know, this wasn't a fully patched site. And so they were able to get in and embed this code that did the redirect to the Australian site.

I mean, if I'm going to do a website and someone says, I'm going to use WordPress, which is a content system that's database driven, right, and has templates. And it's very easy to put up a site with WordPress for most people, especially web developers. But if I'm going to do that, I need to know that the host of that, the internet service provider that's hosting that site, is going to continuously upgrade and update their WordPress engine, right? I have a WordPress site for my website. And I know about every two months I get notification that they upgraded the WordPress. And I have to go through my whole site to make sure that nothing broke and none of my code is bad. But it's a continuous process.
If you leave it alone, like you said, you're just asking for trouble. Yeah, you cannot set up a website and walk away from it. That's a mistake that so many people make who, you know, just don't know any better. Because sooner or later there are going to be vulnerabilities, and then someone's going to come in and they're going to deface it, or they're going to do, you know, some kind of... there's any number of things. They could use you as a bot in an attack. They could use you as a proxy to commit another crime. They can do what they did this time. Spamdexing is what they call it, right? When they elevate other sites based on the hits on your site. Spamdexing, yeah. And if they conquer, you know, 10,000 other sites through some kind of malicious activity, and those sites never know that those redirects are happening in the background, then they have this botnet that they can plug into and increase their advertising rate, and then they can sell that to people. Hey, look how good we did for these people. We got them six slots up on the Google homepage, right? And that's worth a lot of money to a lot of people.

And we've got to emphasize this is not just in the U.S., and it's not always that they hacked through the web server. They can also hack through the other networking equipment that's attached behind the server somewhere, like a Wi-Fi router or some kind of other router. Now, the civilian encryption protocols we've been using, we did a whole show on that. The KRACK attack, the key exchange attack, that has basically compromised all of the encryption protocols on all of our network equipment right now, because we haven't found a solution. Thankfully Microsoft did not follow the publications from the IEEE to follow this protocol exactly. They changed it a little bit, so they did not fall victim to it in any great way. But Cisco and everybody else that did the rules, they followed the rules, they fell victim to it.
But now we're getting Wi-Fi Protected Access 3, WPA3. It's about time. I mean, WPA has been around for so long that it's... 15 years now, right? Yeah, so it's kind of due for now. Yeah, it is due. And it was about that between the last one, WEP, and WPA. We spent a long time on the WEP encryption protocol, which of course was hacked in the 90s. But we've got to emphasize, though, for our people out there, that there's a couple of different things you've got to watch for. WPA3 will take away the key installation attack vector. However, there are still multiple vectors available to hackers. That's just one of many. And one of the things you've got to realize: if I had a router right here and it had WPA3, but your tablet didn't, I can't use WPA3. I've got to go down to the lowest protocol available on the lowest device I have on my... It needs to be available on both sides, on both ends, on both devices, both the access point and the wireless device trying to connect to it. Right. And even if they do have that, we've got to emphasize, don't get lazy and type in the password 1, 2, 3, 4. Still make it tough. No, you still have all of the vulnerabilities, you know, of authentication and of, you know, admin passwords, and all those things are still a problem. WPA3 is just going to maybe increase the level of encryption and solve this one KRACK attack issue. But it's not going to be a panacea where you can just do anything. Now I've got WPA3, so I don't have to worry about it. Right. And that's what a lot of people think. Oh, cool, I am secure. And there's no such thing, right? There's always a running game. We keep saying you're running away from the bear. Be faster than the guy next to you, right? So lace up your Nikes and start running and just be faster than the other guy. Because as soon as you stop running, the bear starts to gain. And the other guy starts to get away from you. Then you're in a bad situation. Okay, we're going to take a little break.
We're going to come right back after we pay some bills. Until then, stay safe.

I'm Jay Feidell, ThinkTech. ThinkTech loves energy. I'm the host of Mina, Marco and Me, which is Mina Morita, former chair of the PUC, former legislator, and Energy Dynamics, a consulting organization in energy. Marco Mangostorf is the CEO of Provision Solar in Hilo. Every two weeks, we talk about energy, everything about energy. Come around and watch us. We're on at noon on Mondays every two weeks on ThinkTech. Aloha. Are you tired of sleepwalking through life? Are you dreaming of a healthier, wealthier, happier you? You're not alone. And that's why thousands of people tune in each week to watch RB Kelly on Out of the Comfort Zone, Tuesdays at 1 p.m. Make a change. Get the help you need and stop sucking at life. Alright, we're going to go live. Hello, it's 1 p.m. on a Tuesday afternoon and I'm your host, RB Kelly. Welcome to Out of the Comfort Zone.

Alright, welcome back to the Cyber Underground for the second part of the show. I'm Dave, the cyber guy. Here's Hal, the networking guy. Welcome back, brother. Let's talk about a couple things. We were just talking about WPA3 and router security, and just because you've got WPA3 doesn't mean your problems are solved. There's a couple other things going on there. The first thing that we talked about is not every device is going to have the ability to upgrade to WPA3. If you have a modern router, you do what's called a firmware update. You probably get WPA3 as a drop-down selection in your protocols, but it very well could be that manufacturers want you to buy newer equipment. And I can see, I can actually see this happening to Samsung devices and Android devices in general, because those updates for the Android kernel are vendor-specific and that's, you know, torturously slow. Google keeps right up on top of it. LG is okay, but Samsung is... they have such great phones, but their updates are just so slow.
And I don't know if you want to, don't tell me if you do, but I can see you having to buy more equipment to keep up with the pace of what's going on, and I just wanted to issue some warnings out there to people. First of all, don't buy a cheap piece of equipment thinking that, oh, it's got WPA3, great, it's only 50 bucks, I'll take that home. Don't buy it off of Craigslist, sorry to say. If it's been in somebody else's possession, there's a good chance that they've rewritten the firmware with a back door for them. So as soon as you hook it up to your network, somebody else can get into your network. And again, they can see everything that you've got on your network, they can pivot to all the devices on your network, they can hack whatever they want, but they can use you for other attacks, which is the biggest problem, right? You don't want to be part of the investigation when someone forensically finds your IP address in somebody's logs and they come knocking at your door, and most likely they take all of your computers to go through them, and then you're stuck with no devices for a little while. I mean, eventually you get them back, but how long do they keep evidence? It could be a long time. So I don't even want to go there, right?

The other thing is passwords. Let's talk about passwords really quick, because we didn't really get deep into that. We do passphrases now. Yeah, the recommended length of passwords just keeps increasing. Yeah. What do we have? Fourteen characters or something? At least. Yeah, it used to be six. It was eight and ten, twelve. Now we're up to like fourteen to sixteen. And that's because computing power, you know, keeps growing. So if you're running a password cracker, it's running faster and faster on newer hardware, so you need a longer password in order to make sure it takes long enough to discourage people from trying to... Longer than the other guy. Because any password can be cracked, given enough time. Right.
So you want to make it so that they'd have to spend months or years on your password before they would be able to eventually crack it. And so that's not really worthwhile. And we're in the age of combined computing power in the cloud. You can put together thousands of processors to work on a process. Because big data is so popular, people want to do data mining and things. It takes a lot of processing power, so they can hook up something like Hadoop on Amazon Web Services and put 10,000 cores on it for an hour and a half. And they pay, you know, a hundred or a thousand dollars, but then they can turn it off. It's scalable. Right. And they can do the same thing with your password. If they really want in, they could get the hash of your password, put it into a cracker like John the Ripper or something on Linux, and just put all the cores in the world on it, and they'd get it. They'd get it. So the longer it is, the better, and the more secure you are. The longer it is, the better; the more complex, the better. And complexity, as it relates to passwords, means different types of characters. So lowercase alphabetic, uppercase alphabetic, numbers, special characters; combine all of those, and that's a complex password, and it makes it harder to crack, because I can't just run through all of the, you know, lowercase letters and expect to get it. I have to run through all of those different types of characters in, you know, so many combinations that it's going to take a lot longer for me. And the blank space is valid, right? So you can write in a sentence, a normal sentence, and use the spacebar and you're good, because that is an ASCII character. It's not something people usually think of, so it's probably a good thing to have in your password, because it's probably not that common for people to even check for that yet. I would even recommend, and I say this to everybody else, make it a passphrase, switch out some of the words for other languages.
So a common dictionary attack in a single language could take quite a while, but if you mix up the languages, now you have multiple languages to use in the dictionary attack. It could take three, four, five times as long. It's probably unlikely... although there are definitely rainbow tables and password word lists that are in different languages, it's probably less likely that you'd have a combination of different languages within a single one, so it would make it a little... I saw a password phrase. It's just one more. So one of our Japanese students used some of the kanji characters and, you know, the pictograms, and I thought, that's brilliant. I love it. And when you use extended ASCII, a smiley face, you know, the diamond from the deck of cards, you know, those are extended ASCII characters, it was great. The only problem is that those can be difficult to type on certain devices. Yeah. It might be hard to get on your phone or on your tablet. True. If you're trying to log into a site. So those are great on your desktop or on your laptop system, but sometimes they can be problematic; some websites may not support them. And again, they could be difficult to type on certain devices.

Well, let's wrap this all up by talking about another thing that people can do if they get onto your network and they have access to your system, or they get onto just your smartphone. They can do cryptojacking. Yeah. So this is really just another type of malware attack that's out there, that's relatively new. Some of these criminal gangs that were doing, like, the ransomware to make money, they've found that it's actually more lucrative to do this type of attack, this cryptojacking. So what they do is they install code, or they install malware, on somebody's system. Somebody's got a vulnerable system. And what it does is it mines cryptocurrency. Now, we should discuss what mining cryptocurrency actually means. So you want to go through that with us? Sure.
So cryptocurrency, I mean, it's just a digital thing, right? It doesn't actually exist physically, and it's created by these mining algorithms. So they're doing these complex mathematical problems, and the result of it is a small amount of cryptocurrency. So it's your reward for verifying transactions between other members that are using cryptocurrency. So if we do a transaction between us, multiple ledgers, they're called ledgers, keep track; they're everywhere. So they're just engaged from a single server. And those all have to be verified, and that takes computing processing power. So volunteers will volunteer their computing processing power to verify those transactions and update those logs with the transaction we just made. And after, I don't know, a million transactions that you verified, your reward is a Bitcoin or Ethereum or whatever that you're mining. So that's the mining process. Now, it used to be that I could set up my own little box and have that running all the time, and I could mine a Bitcoin every couple of days. But that's back when Bitcoin was 36 cents a Bitcoin. Now it's spiked at 20 grand and it's back to around, what, 900 or 9,000 now. That's okay. It's got some shift to it, but you can't do that. The processing power is not there anymore. And it's not really worth it for someone to rent a whole bunch of space on Amazon Web Services to mine this stuff. Somebody just put a data center down here on the Anant of Oahu to specifically mine Bitcoin. And they put in somewhere close to $5 million, but they're going to make it all back in about a year and a half with Bitcoin. If Bitcoin stays valuable, you're taking a risk. Assuming that the value stays with what it is now. So I guess it's easier for criminals to use somebody else's system so they don't have to pay for that processing power or the electricity, right? What they'll do is they'll set up a bot.
So not just using your system, they're using hundreds or thousands of systems to mine. And so that's what makes it worthwhile. And they find that this is more lucrative than the ransomware attacks, because with ransomware maybe one in a hundred people would actually pay their ransom. With this, every single computer that I'm able to compromise pays back, because every single one is running the mining algorithm for me. So I'm getting something back from them. And they're not actively looking to clean their system, because they might not be aware of what's happening. You would have no idea that this was going on. Your system would slow down, but you might just think, you know... That's an old computer. Maybe my network is slow, maybe it's my... Maybe I need to update Windows. Yeah, Windows tends to slow down at various times when it's doing things in the background. Anyway, so this is all in the background and you might have no idea whatsoever that this is going on. I know if you're a gamer, you'd know right away, because you're always running benchmarking utilities to see where your processing core power and temperature and your bandwidth always are, so you can keep up with games, because you don't want to be that guy in the game that says, oh, my controller broke, that's why I lost. So to avoid whining, they just keep track of it. So they'd know. But the normal business user, teacher, bus driver, police officer, they might not know right away. They would probably have no idea. Actually, the surest way to detect this is network monitoring. Monitoring the network, you can see the connections when it connects back home to transfer the product of the mining process back. That's the easiest way to detect it. And so for home users, people usually don't have any way to monitor the network. Large enterprise networks, you usually have intrusion detection systems or some kind of monitoring system. So that's how you could look for this.
But for home users, it's pretty tough. Well, so for home users, we can protect ourselves by continuously keeping our systems up to date: the latest patches and fixes and hotfixes from Microsoft. They do Patch Tuesdays every Tuesday in a month, right? Was it the second Tuesday or first Tuesday? It's Patch Tuesday. But they come up with security updates. You should do these. Mac continuously updates. But so does your phone. iPhone updates all the time. Android runs a little behind. But they do update. They do update every once in a while. You should do the updates. I know it's a pain in the butt and you think something might break. But every time you update, you remove those flaws that might be used to compromise your system and install this stuff in the first place. You should also not download that software in the first place. Don't jailbreak your phone. Keep the security systems on there. Go to Google Play. Go to the iOS App Store. Get the verified software. Buy real software. Don't get stuff that's not off the shelf or sold by the vendor. Any other recommendations? Avoid suspect websites. Oh, yeah. Avoid shady websites, because this mining code can actually just be a JavaScript that... See, you visit the site with an out-of-date browser and it activates on your computer. And it downloads a JavaScript and it starts up the process, and there you are mining away and you don't have any idea. You have no idea. Okay, everybody, thanks for joining us. Join us next week for more great content here in the Cyber Underground. Thanks for joining us today. Until next week, stay safe.