 Tech of Hawaii, civil engagement lives here. Welcome back to the Cyber Underground. I'm your host Dave Stevens, also known as Dave the Cyber Guy and I'm here with Andrew, the security guy. Welcome Andrew. Hey everybody. We got some guests here today. Stanley and Tim, they're gonna introduce themselves from Hawaii High Tech Support or Tech Support? Hawaii Tech Support. Hawaii Tech Support. And the reason we got you guys on the show today is we're gonna be starting to talk about why is it important to trust your tech support? There's some things we need to talk about with tech support because it's a matter of trust. You guys that help people out, you're helping them out with one of the most sensitive instruments they've got, their computer, their smartphone, their internet, and all their personal data flows through that thing and all resides on that thing. It's all in the cloud. And you guys have the privilege of helping those people out without harming their data or harvesting their data and they gotta know who to trust and why to trust. So let's start with you. And you are the CEO of your own company now? Yes. How did you start? How did you get here and start this company? Absolutely. So the company started in 2004. I was in California prior to working in IT, the early days, first.com. Northern? Southern? Southern. Southern, okay. And then I went to school out there, computer science, and... Where'd you go? UCLA. UCLA computer science, whoa. Yeah, so. Serious. I grew up here after living there for a while. I decided to come home and be back part of this community. Good for you. No more contributing to the brain drain. How to bring back from UCLA. Absolutely. Seriously. So Stanley Lau, right? CEO. And how did you decide to do tech support as a business model? Yeah, so in terms of what we do right now, we actually, the tech support, it's so varied in terms of what we do. I think the name itself kind of just, it doesn't really pigeonhole us, but it really, when you think of tech support, you think kind of low level L1 type services, but the services that we provide actually span all IT needs in a business. Right, when you do tech support, you think running cable, hook up my printer. Yeah, or call, pick up a phone and call, but that's not all that we do. Right. But it's just the name has stuck and it's actually, you know, one of the, in terms of Google searches. Friendly name. Friendly name. Yeah, it comes right up. Yeah, great keywords, yeah. So, Tim. Yeah. Tim Ames, you are the CTO, the Chief Technology Officer. Yeah. And did you lose a bet? You had to hire him, or? No. No. I brought him a big gun. Yeah, you brought him a big gun. Yeah, actually, so I have a little bit different history than Stan. He went through the IT, he went through the commercial side. I came up through the Department of Defense side. Oh, yeah. So I was 10 years active duty Marine Corps, got out, came over to Hawaii. Yes, right on. All right. Came over to Hawaii, joined the Hawaii Army National Guard. I actually retired a couple years ago as a chief warrant officer. From the National Guard. Yes. It's okay, I like you anyway. That's all right, thanks. And yeah, so I did a stint with the financial industry. So I was the director of information security for a $4 billion financial institution. Wanted to come back to Hawaii, to bring some of my experiences that I learned abroad back to Hawaii. And you know, my wife's from here. So we're here forever. Good for you. Yeah. No, I love to see that, especially from the DOD side, when people get out of the service, we try to encourage them to make the transition to civilian life and keep their skill set here. That kind of motivation, that dedication, that discipline, and all that skill that you have. And then people move back home. We want them to stay here. Sure. So what do you guys do? What's the crux of how you perform business on a day to day? I know tech support is that huge umbrella. Everything from, do you help people with their OS upgrades at companies all the way down to, hey, I can't get in my email today? Yeah, so we're actually a little more focused. We're business B2B only. So the only service businesses. But the core of what we do is, in the industry we're MSP managed service provider. So we're basically outsourced IT for businesses. We handle everything from help desk support all the way through implementation, security, everything IT related in a company. So for small businesses, it's massively important to save on costs, right? And this kind of thing could save you a lot of money rather than have two or three of the tech guys on site all the time, right? Well, not only save on costs, but it increases your band strength. So if you hire a guy, hire a couple guys that may have good specialty in sysadmin, you know, they might know their Windows products. They might have a good web developer. When it comes to, when it comes to doing networking, networking security, some of the more esoteric needs and requirements of a business in the technology sector, that's where we come into play. So we do have that bench strength. We have security experts. We have network experts. We have Windows and Linux experts and- Could be a real help because some companies will do Cisco, other Palo Alto networks, in other words, Fortinet or they might have a mix of it and you don't have one guy that knows them all, right? So they call you guys, you might have a channel to each one of them. Absolutely. You don't want to depend on things like TALOS and stuff to take care of every little problem. So what else do you provide? Email service, the phone support, I think it's probably really important, right? Do you do 24-7 phone support? Yeah, we do. So we actually work with, we have a 200 person helped us team. 200 people. Right, that's actually part of a partner group that we do. And so we are able to offer the 24-7 support to our customers. Out of the islands or you do a rotational around the world? Yeah. It's a little bit of a hybrid model. Yeah, okay. So you have call centers at different places, yeah. I know Microsoft moved to that model now. You can call, you get Nova Scotia or you get something in the Dakotas or you might get Chennai India and it's just wherever it's daylight. You know, someone's working on- Yeah, it's following the sun. Following the sun? It's a good model because, you know, your issue is always being handed off to somebody that's awake and, you know. You're not working with that midnight shift, you know. The guys that aren't really happy to be there, yeah. Can I help you? I've had those guys before. So you work with, what other countries do you work with? Where are your call centers? Yep, so can I know? Actually, they're primarily in the US. In the US? East Coast. East Coast centers, yeah. So I've never been to the East Coast. You guys been to the East Coast? Do you must have gone over there somewhere? Yeah, I've been in DC, Boston. Different mindset. Sure. But now that you're back here, the similarities and differences you see in your business model now, versus East Coast versus the Hawaii customer? I think, so one of the biggest differences, I think, is that people think that Hawaii is technologically behind. No. Where that's not absolutely, absolutely not the case. Is that true? That's what people think about it? Probably. I think that's something, you know, Ethernet was invented at UH. And you know. That's right, a low on it. That's right. But, you know, when it comes to like businesses and like the, we don't have a lot of huge corporations. We don't have a lot of those, you know, 20 billion dollar corporations, but we do have a lot of small, medium sized businesses that need that kind of, you know, enterprise support that you don't get unless you have the big IT teams. So I think that's probably been the biggest difference is that you don't have a lot of big IT teams and a lot of these core businesses, but what you have is you have a lot of smaller teams that are, you know, more dynamic and unfortunately what people get into a company over here and they don't move around a lot, which is good for the company, but at the same time, if you're not training that employee, if they're not growing with the technology, it becomes kind of like a stagnation. So that's a mainland thing, right? Every two and a half to three years you're moving between companies and you pick up a massive amount of experience in enterprise environments in different company sets, right, different business models, different programming models, and yeah, and people out here tend to stay with the job five, 10 years, so you need to train them more. Which is, do you guys train also? Absolutely, that's one of our partners, yeah? All right, you do security training, user training, what do you do? What kind of training? So there's a few different fronts. You mentioned the primary goal for us is customer service is big, so we focus on that in addition to the technical training. We have different tracks that we go through at different platforms, so that's something that, like you mentioned here, we try, you know, as a business owner, I think it's tough to retain really good people and that's one of the things that we really need to focus on is to be able to get people motivated and trained up. Tremendous is difficult to hold on to people, especially because it's so expensive to live out here, and if someone offers you a job for, say, 20k more a year, you have to go. It's not like you can stay, right? And you can't keep raising everybody's pay to keep them, so what do you do to motivate people to stay on board? Can I ask about how many businesses you serve right now? Yeah, so right now we're at about 80 companies. 80 companies. Locally. And so, like Tim was saying, because Hawaii, the mix of business really is, we're primarily small business driven here, so that's the core of our business. We're finding that there is a large market for what we do, but I think Andrew knows as well, it's a great marketplace for small businesses and it's a good focus for us. So I know if small businesses are watching right now, they're probably asking, do I have to pay thousands up front, or can I just do a per phone call model, or a per visit model, or how do I get involved? If I'm a small business Sam, I just opened up my liquor store, and now I have a POS, now I have some other kind of computer equipment in the shop and I want to remote in and have some security cameras. So I call Andrew for the security cameras, but I call you guys for tech support. How do you handle that? So it's really going in and doing an assessment. That's step one. It's to say, look, these are all the disparate systems that you've brought in over time, and we want to make those, you want to coalesce those into a good business solution for you, and then we want to get it baselined. You know, we want to get that security patching done. We want to get you up to the current operating system. We want to get you up to your, you know, current hardware systems that you need. So that's the initial outlier of money. So let's go back for just a second. You said we want to baseline it. So for our viewers out there, you want to baseline of something because you're looking for anomaly detections. Correct. If I'm using this amount of bandwidth through the day, but all of a sudden I've got this huge spike to a whole bunch of websites I've never been to before, that's an anomaly. You can say, hey, set up an alarm, right? And call you guys. Yeah, so before we even bring on a customer, what we want to do is bring them up to a good patch level, you know, make sure all the security patches are applied. Make sure that they have the right authentication model, you know, so that people are locked in. That's not just for operating systems, right? You're already talking about electronic applications, and applications, and your network devices, all have to be patched. Oh, even on the physical security devices, the camera systems, I mean, if those just go left unpatched, those firmwares need to be patched as well. Big problem, right? Yeah, that's a huge problem. And then patching them because sometimes they're air-gapped. What? That's one bit of, you know, I think you guys probably see, you know, the small business guys are trying to save money, so they're running all this stuff on a single land, right? And, you know, escalation of privilege for services and applications is a problem. So rarely, you know, they've had some vendor come in and drop something, and another vendor came in and dropped something, and no one's really paid attention to the user privileges that are out there. And that, you know, if you get something, some malware anchored in their escalation of privilege makes it fairly easy to move around, especially if it's a network running across one switch, right? You can kind of see everything all of a sudden. Life gets easy for a hacker, and I think there's a lot of vulnerability that, you know, when the services that they're bringing, the small businesses' owners are interested in their own business, and they just don't have time to take care of their IT environment. Classic business problem. You start your business, you don't have time to do taxes, you don't have to do payrolls, a big thing, you want to outsource legal, and IT's going to be another time consumer, right? So calling you guys, that's a good way to spend a little bit of money and solve a big problem. Yeah, making it preventive, too. So once we get somebody to that baseline level, we want to build them into a kind of a preventive maintenance model, so that instead of calling us when something breaks, we'll keep it for breaking, you know? So we'll do the patches monthly, we'll do the, we'll keep control of your disk sizing, so if you start to run out of space, or if your power supplies start to fail, before those fail, you know, in the middle of the day and bring down productivity, we'll say, hey, look, we're getting these alerts, we're getting these errors. Let's bring you down on Saturday night, 2 a.m., we'll switch it out, and then you won't lose any productivity. Make sure they're doing backups, right? Oh my gosh. They all think they're doing backups. I mean, if they find out they call you, we were doing backups, but the little sand drive died a year ago, we didn't know. Right, right, right. Or whatever, right? Like, no one checks the backup, no one ever tries to restore them to make sure that. Yeah, that's a key. That's good. You gotta go through the plan to make sure the plan works, otherwise it's not a real plan. And so many people don't test their backups, so it's just an overriding of this bad data over and over and over again, and you never know if it's gonna work. Until you need it. Until you need it, then you know it doesn't work, right? That's a terrible thing, and I know a lot of people will hook up their backup drive to the main computer, and they'll just leave it in there. And then they get rid of it with ransomware, and of course that's a network to drive, so of course your backups are not. Even from a physical perspective, I mean, we live in Hawaii. We have elements to worry about, rain, water, ocean, it's all there. So if you have all your stuff in one spot, and you get flooded in that one spot, no offsite backup, you lost the hole. That's right, you guys utilize the cloud a little bit more now, right? Absolutely. Do you recommend this to Amazon or Azure? Google, do you use Google? We're agnostic, we actually use... Good for you, I like that. We use what works for the customer, what works for the business case. AWS has really good product with Glacier. That's Amazon Web Services? Yes, and Glacier is the slow product. Long-term storage. So if you need it back, it could take anywhere from 30 minutes to six hours, depending on where it's stored and how it's stored. So it has its purpose? Yeah, but it's cheap. But it's super inexpensive. Super cheap. It's like a penny a meg or something. Yeah, it's a really, it's a good deal. Whether or not you use the S3 was a simple storage service and it's just immediate. It's basically on your hard drive as fast as your internet speed is. Absolutely. We have to take a quick break, pay some bills. Not that we pay bills. We'll be right back. Until then, stay safe. Aloha, my name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea comes on every other Monday at 11 a.m. Please join us. I like to bring in guests that talk about all types of things that come across the sea to Hawaii. Not just law, love, people, ideas, history. Please join us for Law Across the Sea, Allah. Good afternoon, my name is Howard Wigg. I am the proud host of Code Green, a program on Think Tech Hawaii. We show at three o'clock in the afternoon every other Monday. My guests are specialists both from here and the mainland on energy efficiency, which means you do more for less electricity and you're generally safer and more comfortable while you're keeping dollars in your pocket. Welcome back to the Cyber Underground. Let's do the second half of the show. We've already been introduced to Andrew, the security guy. Tim Ames and Slandly Lau from Hawaii Tech Support and they've been great in telling us their business model, how they came to start the company and what they usually do for customers and how they help customers get done what they need to get done. So they don't have to run a business and be their own tech support. So that's a drag. A lot of value there. Right, if you're not an IT person but you want to, you know, if you got to mix Rick's shirts or SIGsane, you don't want to concentrate on the computer. You want to do your art, right? Well, let's talk about something else that happened on the 28th. We got an alert, but we already knew that. You guys being in the business. This alert came out from the United States computer emergency readiness team. Cert. I always want to say response team. I don't know why. Anyway, US Cert, the blanket emails that come out to all of us nerds and it said, hey, beware of tech support fraud. Let's talk about tech support fraud and how people can fall for it because I have family members who have fallen for it. And it sounds pretty believable, especially when they go to a website and you get that pop up. You're confused in fact to please call this number right away and you get somebody on the other end in line that sounds just like tech support. Usually from another country and they help you through it and they always say, well, we need to take control by remote. Would you install this little utility for us? How do we know it's you guys versus the bad guys? Yeah. My recommendation is we're never going to ask you for your password. We're never going to ask you for your information. If you get a call from us and this can be manipulated so you might get a call that says it's from us that can be manipulated. But if you get a call from us we're not going to ask you for your information. We're calling you. We should know who you are. We should also know things about you that only you should know. So there should be some kind of, you know. Like what? I saw you at Trudan last night. Remember? Hi. Well, and that's a public honor. That's a lot of public relationships. That's a lot of older scientists. But for your home customers, for your home customers that's what I'd be more concerned about because with our business customers we already have relationships. If they call us they know who they're talking to. We already have that relationship. But your home customers would get the pop ups or get these drive by downloads where they go to a website and malicious code gets installed, you know, JavaScript, cross site script get installed in their web browser. They're going to get a notification on their screen that says this is Microsoft tech support call this number. Now this is even worse because by the time they're calling that number they're already all in. You know what I mean? Yeah, because they clicked it. They're the ones initiating the call. So this becomes even worse. They call the number. The person on the other end is really good. These guys are really good customer support. I want them on my help though. That's how good they are. They're smooth. They're good talkers. They can talk the least technical person through opening up a remote session. Patient. That is a skill to translate geek to human, right? I mean, that is a serious skill. Social engineers. Yeah, you don't get out of school and you have all this knowledge and then you can describe to your CEO why you need a new firewall. You need to be able to play to your audience, right? They're just training academies. They're training them to do that. Absolutely. Wow. You know who owns them. Dave owns them most of them. He's the only guy who ran some of his own family. You know who owns them most of them. That hasn't happened in a while. I mean, I never did that. I listened to an actual staged call recently. And it's amazing what they'll tell you. So there was a university in New York. They set up, had their CS students or ICS students call these companies and entertain a situation. And it's amazing what these tech support guys, and this call went to India. And I think it's upwards of 80% of these phony, helped us scams come from India. And so if you listen to it, the guys are so good. They're so patient. And the way they lure you in, they start talking about, if you start saying, my computer's, oh, it's getting old. It's about two, three years old. Responses, no, that's not old at all. We can get this working. It'll be five or six times faster than when you first had the problem. So they're so smooth. Yeah, and they're leveraging people without a lot of computer knowledge from the get-go, right? Or they wouldn't have gone in there. So, and they're trained. I mean, they make a lot of money for every bot they can create, right? They're trying to own that PC, and then they sell off thousands of them at a time. Well, let's talk about that. You're making a bot net. Yeah, it's a business, sure. So you zombify a computer. You turn it into a zombie. That's a piece of a bot net. So when you want to attack a big target, when you want to break some serious code, you can use that processing power, that internet power, from all the computers that you've compromised, and the people that are compromised might not even know it. Yeah, well, there's a tiny amount of cryptocurrency on it, if nothing else, while it's waiting to be used for something else. Right. So I mean, you know what's going on. Yeah. How many of them are owned right now if we looked on Shodan, you know, 750,000, I don't know. Is that Shodan.org? .io. .io. Shodan. S-H-O-D-A-N. Yeah, and then you can go look and see who's advertising what size botnets I mean, there's guys that will reach 60,000 bots for, you know, something per hour or something per, that usually 15 minute increments, right? I mean, it's all in the dark. A lot of that stuff's got to be driving your business, right? How do you, what do you monitor on a daily basis to make sure you're on top of these kinds of situations? Now you got US cert, we have InfraGuard, which is FBI and civilian sector together. Oh, what else do you monitor? So IC3, which is the internet computer crime center, which is the one that actually came out with the, you know, the advisory for the US cert. Right. DHS, the Department of Homeland Security has a lot of advisories, but yeah, InfraGuard and US certs are, those are the big ones. Every once in a while, NSA will put something out, yeah? Yeah, sure. Every once in a while. But they look closer to the best for NSA. More DOD those guys, yeah. They just, they usually backing up DHS, which is their mouthpiece, which is good. You know, they all work together, so. In none of the alerts in the past, I'd say five years, with the exception of when the FBI tools or the NSA tools got leaked out, none of them have ever been really to, like, oh, that's blowing my mind, you know, none of them have really caught me by surprise. So. Yeah, Mariah was a big one. Yeah. Yeah, that was one of those tools, yeah. Right, and it's, it's, it's hitting, it's hitting hard again, too, with the ransom, the petia virus and, you know, it's. So ransomware, this is a great one, right? You guys have to have a response team for ransomware. You have to have this, right? What do you do? I called you up. My account double clicked on something, and now our whole network is encrypted. Help. Yeah. What's your first response? It's. Assessment. Yeah. I isolate, you know, so the first thing. You don't get the empathy first. I just lost soul story. Yeah. So I've dealt with ransomware several times, and in my experience, it's really comes down to a business decision. If you're coming to us for the first time and saying we've been exposed to ransomware and they've got all our shared files, they've got all of our business data, I'm going to ask, well, have you, do you guys have the backup? Do you guys have shadow copy? Now a lot of these ransomware's will disable the shadow copy feature in Windows first before they start encrypting. And then there's a delay. And then, yeah. And then so you can't even get to the, you know, those old automatic copies. If you don't have a good backup solution and you get hit with ransomware, there's not much you can do because a lot of them are encrypted with RSA type encryption, which is, you know, DoD string level encryption. Yeah, encryption's good. You just can't encrypt it. Do you tell them ever to, I know there's a slim chance if you keep the power on, you can get into main memory and the key might still be there. Do you guys ever been, do you ever try that? Yeah, so what they'll do is, the way RSA works is it uses the private and public key. So it'll encrypt with the public key and then you'd have to have that private key to unencrypt it. So even with the public key, you wouldn't actually be able to reverse engineer it most of the time. I haven't ever had success with having it powered on. I don't know anybody that's had that success. I just read the article on my desk. That was a neat theory, but I've never heard of anyone be able to do it. And the only real success I've had in recovery from ransomware is either restoring from backup to where you're gonna lose at least a little bit of data from when the ransomware attack hit to when your last backup dataset was. Right, just that gap, yeah. Or in the FBI doesn't recommend this, but it becomes business decision, pay the ransom. Pay the ransom. Aren't you taking a chance though? They don't have to give you the key. They don't have to, but you know what? It's their business model at stake then. I haven't seen anybody pay the ransom and not get the key back yet. And that's just my own experience. I can't say that that's true all across the board. I've heard stories, but when you pay the ransom it behooves them to give you the key because otherwise if people aren't trusting that they'll get the key then they'll let them pay the ransom. It's a business model. And you gotta click home through their network and clean it up for what's been like. Absolutely, yeah. Just because now you're back working. Right. It doesn't mean they didn't drop socks in there. Yeah, right, right, right. Something that looks different, but it's the same guy. Now, do you guys report this to the FBI? It should be reported to the FBI. All these things should be from the consumer level, from the home level, it should be reported to the FTC as well. So if you're falling for these tech scams, the Federal Trade Commission is actually the people that they're the consumer protection. They handle phone systems and stuff. Yeah, FTC. That's the FCC, yeah. Oh sorry, FTC Federal Trade. Right, so they're the consumer protection arm of the government. Do customers who have been hit by ransomware ever ask you, hey, can you track where my money went? That happens and that's when you pull in the FBI level assets. You can actually go in, if you make the payment via cryptocurrency, Bitcoin 99% of the time it's Bitcoin or Bitcoin. So if you make that payment, payment you can actually track the transaction and you know where that transaction ends up. So if the FBI has a list of wallets that are being used for these transactions, they may be able to do something with Interpol. Yeah, the biggest problem is if it's in Ukraine or North Korea. Yeah, something like that, you'll never get it back. North Korea. They're very money driven now. So yeah, I think the FBI is biggest, I'm not gonna speak for them, but I've heard what they've said that they're working with Interpol and these other agencies. They're trying to bust up these rings, but that's not gonna stop these onesie-tosies people from going onto the dark web ordering exploit kit and just doing it, you know. It's getting too easy, right? The kids are, there's what, 10,000 new people a day coming online, right, they got access. They're living in, they're making a buck a day as they're living wage and if they can double or triple that with just a little bit of ransomware, they carry, you know what I mean? Yeah, it's a new movie. I think we're actually gonna go to this ready player one. I think we're all gonna be there. With the final couple seconds, we have about 30 seconds left in the show. I want you guys to talk up your business. Tell us what you do, why should we go to you? How do we save money with you? Tell us who you are. Sure, so in terms of IT, small businesses, we really help companies with their technology. So our typical customer, they're busy doing, like you said, their real estate engineering. Security is a very, very big thing and Tim can talk more about the security aspect of that as well, if you wanna. So yeah, we're actually, we have a really good package together with Security Incident Event Management where we aggregate all the data going in and out of your network. It's affordable, it works from a small business all the way up to enterprise level businesses and it's 24 hour, 24 seven, you know, the security operations center, monitoring the stuff that's going in and out of your network so that when we stop things before they happen, hopefully that's our intent, is to make the system secure so that ransomware, when you click on it, it doesn't do anything. That's the answer. That's the ultimate model right there. Thanks for being on the show, you guys. And hopefully we'll get you guys back. And on that show, we'll start drinking again. Yeah. Thanks for being on the show. Okay, thanks everybody for joining us here on the Cyber Underground. Join us next week, until then. Stay safe.