Think tech away, civil engagement lives here. Welcome back to the Cyber Underground, sorry we missed last week, hope you liked our replay of another episode, whatever it was. I'm Dave Steem as I teach for the University of Hawaii Kapiolani Community College. My new nickname now is the Professor, no longer the Cyber Security guy. So it is the season to get scammed and I've got someone here to help me explain to you how not to get scammed, how to prevent getting scammed, what to do if you get scammed, some of the pitfalls and some of the things you should watch out for in the season because you're the kind of people that are nice and you're generous and you give and you want to help other people out and other people, criminals, will take advantage of you if you do that. With me today, Timothy Ames, the CTO of Hawaii Tech Support. Welcome brother. Thank you. Thanks for having me. First of all, start right out. Thanks for your service. I know you did the United States Marine Corps. You're an officer. I'm glad you're alive and here with us and I'm proud you're on my show. You yourself and you know I had a few run-ins with MPs but I won't hold that against you. Well, it's not for fly brother, it's not for fly anyway. Well, it's great to have you and we have so many things going on today that some have specifically to do with the Christmas season. It's the season of giving. So people will scam and scam and scam because there's charities out there that they'll try to imitate or they'll make up their own charity or there's some kind of event in another country like the war in Yemen and the starving people and they want to make you give money thinking that you're giving to that cause but really you're just lining someone's pockets. Yeah, a lot of people, you know, we're more charitable around the holidays and you know, it's just built in because we're already in the gift-giving mode.
So a lot of us kind of, we look towards our charities at those ends and a lot of charities have big fundraising events, fun drives at the end of the year and yeah, scammers take advantage of that. So it's good to stick with the charities you know. It is, yeah. And I mean, on that topic, we have a few tips for cybersecurity for shopping because that's what most people do. Yeah, you're at their shopping, okay. Yeah, and since 2016, this is an interesting fact, since 2016 holiday shopping more has been done online than in the stores. So we've made that, we cross the threshold. Yeah, and I don't expect it, I don't expect it to go back down, so. Not unless someone pulls a plug. Yeah, that would be, that would be an interesting event. I talked to my kids the other day and I said, what would we do without electricity? Because I don't think we even know how to build chairs. Sure. We were helpless. Yeah, if I didn't have a fridge, if I didn't have beer or cold beer, I mean, well, the German strength one. So I guess it can be done. No cold beer though, it's fine. Well, we have, email scams are really common these days and people will try to lure you in and the phishing attacks, so we have a statistic here. Phishing attacks have gone up 350% and that includes ransomware, just since last year. That's an enormous amount of new scams that are coming out and they're creative. Some of them want you to give money to a charitable cause, but others like, we just heard about the other day, they're saying we put a bomb in your business. And we have a representative that's snuck in there and he's watching you. Don't call the police. Send me 20,000 bitcoins or 20,000 dollars in bitcoin. That takes it to a next level. Holding somebody's information hostage or claiming to hold somebody's information hostage, I mean, that's a lot different than claiming to hold somebody's lives hostage and that's just, that's terrible. 
But yeah, people target vulnerable computers and they target vulnerable companies. So you got to make sure that you have a really good, not only a cybersecurity plan in place, but a good physical security plan in place. And even the biggest companies fall victim to this stuff. I mean, we just heard that Facebook has developer apps or developer APIs, the application programming interfaces that they hand out to developers for third parties to interact with their services and use their data, hopefully in a good way. But this last API that they just realized it was out for 12 days and they didn't know there was a hole in it, 6.8 million users on Facebook had their private photos shared with these apps. So someone downloaded all their data. And that's the problem. So even if you build a really secure solution, Facebook is secure. It's secure if it's used as purposed, but it's not all like one single development team. Nobody has a single development team. You're working on APIs because you want to integrate with other solutions. You want to be able to offer your users an experience with other organizations to be able to have that single sign-on. So you don't have to sign on to multiple sites. So you just use one. You only have one set of credentials and that's using the OAuth and OAuth2. Another thing to think about is that when you've authorized Facebook or Google or any of these other providers to use your authentication from them for a third party, are you going in and checking to make sure that you're discontinuing that authorization? Oh, I don't think anyone ever does. Nobody does. But you say, yes, you're done. Yeah. So yeah, that's something to keep on top of. Right. Right. And when you use that authentication, usually those apps launch on your phone for the first couple of times, right? And they ask you, we want access to your contacts. We want access to your photos. We want access to the other records on your phone.
And if you say yes, those apps can then forever have access to the things that you've entered outside of the app. Right. And just even if the company that you're sharing that with is 100% up and up, just think of that company is at risk and they're exposed and they get hacked or, you know, there's some kind of breach of their information. You're connected. Now they have your information. Yeah. So it might not be malicious on the company's part. Honestly, you know, it's just bad code. You should ask for the permissions that you actually need. If the companies are asking for more, they may be using it for marketing purposes. They may be reselling your information. So those are really questions that you have to ask by looking at the privacy policies when you sign up for the stuff. And it's getting better because, I mean, there's been a lot of push for legislation to make the privacy policies or the agreement policies less than 40 pages. You know what I mean? So that it's right up front. It tells you exactly what you need to know. Best sleeping material. Absolutely. It's better than like a drug. Yeah. You just read the TOS on some of these applications and I'm out like a light. I can't stand it. The legalese just boggles my mind, the party of the first part and all that stuff. But there are little chunks in there. Every once in a while, we find that it's just a generalized statement saying, we can do whatever we want. Yeah, it's jaw-dropping, right? Amazing. The one that gets me and I warn people about this and it's a Catch-22. I don't know how to deal with it very well. It's one of those things you can't get around. If I go to you and I give you my email address and your terms of service say, we're not going to do anything outside of our scope with your email, but some fine print down below says, we reserve the right to share your email address with other partners.
So if at one time I go and unsubscribe from your site, you could say, well, I can no longer use that email, but I can sell it to this person. Yeah, or I've already given it to them and you're not getting it back. So I've had the experience when I unsubscribe. I have one email that I do this testing with. I unsubscribe. Within days, I have 10 other emails from other vendors. And I find out they're partners of the people that I did the unsubscribe to. So they wait and they sell. And it's a moneymaker. Emails are worth money. It's a good tip to the folks that, when you hit the unsubscribe button, that shows that you're active in that account. That's right. So that's one of our tips too. So one of our tips for shopping online, especially, is let me go over a few of them. OK. So the first one, the first and foremost, would be to use sites that have a good reputation. So sites like Amazon, shopping sites that you go to, Best Buy, or I'm into electronics. These are my sites. I go to Target, Best Buy. I go to Walmart or Amazon. And I know these are reputable sites. I know they have security programs in place. They're big companies. They might not be the best. They've been breached, but there's incident response. Yeah. They have a plan once they've been breached. Use a reputable site for two reasons. One, they have an incident response plan. But two, you know they're not scammers. So this is a good season for people to be sending out links that are just too good to be true. You can get a $100 iPhone or just something that's too, if it's too good to be true. I mean, this is just a life lesson, right? It probably is. 20 or 30 of those a week. Hey, Amazon is throwing you a $100 gift card just because you've been a customer so long. And it's kind of believable because I've been, you know, I bought books with them in the 90s, when they first opened up, right? So they were my tech book place. And so the first thing, hey, that's great.
And then I look at the email address it's actually from. Right. And it's nowhere near amazon.com, right? Amazon's somewhere in there in the sub or something like that. But it's not amazon.com. Or it's just from an email that's just wildly different. And then if you hover over the images and look at the links that you might click on, they're abominable. And it's just huge links, but they start out with something that's nowhere near amazon.com, right? Yeah. So take our, so our website, for example, our email address is hightechsupport.net. So if I'm, if I want to impersonate hightechsupport.net, it'd be really easy to just do H-L-T-E, you know, techsupport.net. H-I-G-H. Right. You know how it is. Yeah. It's close enough. You know, humans, we don't really read the middle of the words. Anyway, we read the first letter and the last letter and our brain puts it together for us. Right. It's a little too good at it sometimes. Yeah, it's a little bit dangerous, right? So you guys handle a lot of things that small and medium businesses don't want to deal with. And I wanted to mention some of the statistics that actually drive, I think, part of your business model. Let's go over a couple of these things. Now, this is a study of 2,400 different decision makers in IT companies and InfoSec companies in six different countries reported that 91% of them said that there's at least one business-disrupting cyber event every 24 months. And the average cost of that event is $7.5 million. Now, that's a big jump over the last, what, three, four years, because three, four years ago you were looking at $3 million per instance. Right, I think in 2014 we were at $3.5 million, 2015 we were at $4.5 million and now we're at 2018, coming out into 2019, and we're at $7.5 million. So it's this asymptotic launch curve. Right, so it's got to tell you that the attacks are being more, they're better attacks. So they're doing more damage when they do them.
I think that's a lot because of the rise of ransomware. It's profitable now. It's profitable. It's something that's profitable if you follow the money. Lots of people are going to do it. Yeah. Right, so I wouldn't sell cars if it wasn't profitable. And it's a very low barrier for entry too. Low barrier. The attacks that the cyber criminals get, they pull them off the dark web and they're usually exploit packages. They're not writing them themselves. They're going out and buying them. Yeah, script kiddies. They're going out and purchasing them. And they may download a database of email addresses or it may come as part of the package that they download. You could do something free on a Kali Linux package like Maltego to trace all the emails associated with the domain. And it's free. And it works in seconds. And you can do that over and over again and have thousands of email addresses. Sure, or if you're lazy like I am, you could just go out and buy a database. And you know that. So there's a lot of ID. It's cheap now. Yeah, there's a lot of dark web protection companies. All they do is they go out and get these databases, whether they purchase them or just find them freely available. They'll purchase them and they'll create this huge database of email addresses and passwords that are associated with those addresses or credit card information. And then they resell you that and say, would you like to see if you're being owned or not? Or if your password has been owned. And if it has, you can pay to at least find out so you know to change your password. And that's the next step, right? You shouldn't be using passwords for multiple sites. You shouldn't be using the same password for multiple sites. Password reuse is one of the most common exploit pathways are evaporated.
Because if it's already out there, if I know that you like to use my little doggie for your password with Gmail, I'm pretty sure that you're probably going to use it with Amazon or at least it's worth trying out. You know what I mean? Right, right. Yeah, there's only two pathways. You can memorize a whole bunch of passwords or reuse them. Or like a lot of people you have a spreadsheet on your computer. Oh, perfect. It's named passwords. Yeah, that's a great honeypot. Yeah. So we recommend people use programs like LastPass. It's a password management program. So you enter in all of your, you save all your passwords in LastPass. It's encrypted. It takes a master password to get into that database. But it helps you out. It fills in all your passwords on websites. So it makes it so you don't have to memorize it. But at the same time, it's not part of your operating system. It's a separate sandbox outside of the main memory area of your operating system that it's not impenetrable, but it's obscured enough. So it's very difficult to get to. And if you do get to it, it's encrypted, like you said. Yeah, and you can turn on things like multi-factor authentication where to get into the LastPass, you'd actually have to get a text from your phone. Yeah, that is a great idea. Multi-factor authentication in many different types. If you get a push notification, if you use something like, what is that, Duo Mobile? We're using that for UH now. That's a great idea because it's something you have and something you know. So if you don't have one of the pieces, you cannot get in, even if you've answered all your security questions and tried to do the forgot password. Multi-factor, that's a good thing to turn on. Facebook has it, Google has it. Amazon is going to start this now. University of Hawaii, which I work for, we just did multi-factor authentication. It's great. It's not across the board, but we're kind of... Okay, we've got to take one minute break.
We're going to pay some bills and be right back. Until then, everybody, stay safe. And aloha. My name is Calvin Griffin, host of Hawaii Uniform. And every Friday at 11 o'clock here on Think Tech Hawaii, we bring in the latest on what's happening within the military community. And we also invite all your response to things that's happening here. For those of you who haven't seen the program before, again, we invite your participation. We're here to give information, not disinformation. And we always enjoy response from the public. But join us here, Hawaii Uniform, Fridays, 11 a.m. here on Think Tech Hawaii, aloha. Hey, Stan the Energyman here on Think Tech Hawaii. And they won't let me do political commentary. So I'm stuck doing energy stuff, but I really like energy stuff. So I'm going to keep on doing it. So join me every Friday on Stan the Energyman at lunchtime, at noon, on my lunch hour. We're going to talk about everything energy, especially if it begins with the word hydrogen. We're going to definitely be talking about it. We'll talk about how we can make Hawaii cleaner, how we can make the world a better place. Just basically save the planet. Even Miss America can't even talk about stuff like that anymore. We got it nailed down here. So we'll see you on Friday at noon with Stan the Energyman, aloha. Welcome back. I'm Dave, the professor here in the Cyber Underground. Thanks for joining us again. Thanks for putting up with that break. Those are important infomercials. We're going to roll right back in with Timothy Ames, the CTO of Hawaii Tech Support. We're talking about 'Tis the Season to Get Scammed. Hawaii Tech Support. Welcome, buddy. Thank you. Right on. Hey, let's talk about some of the statistics we just went over. We went over a study of 2,400 IT and infosec companies over six countries. And they all said that 91% of them had a business-disrupting event in the past 24 months. Now, that one's shocking in itself.
But then when you go into 60% had two or more of those events in two years, that's huge. And when you think about this new rise in the cost of the average breach, and this is a big one, 7.5 mil, most medium-sized businesses will fail. That's it. Yeah, if that breach targets your information, your data, your customer data, and you don't have a way of recovering it because you don't have proper backups, that's really high. So I've heard one out of every three businesses that go through something like that are done within the next year. Wow. And so pushing that out even further, I can imagine the third and fourth order effects. Sure. And we're... Oh, well, we're talking about the fines you get from banks for every credit card number that gets exfilled off your... So everyone that gets the number, not the customer, the credit card number gets exfilled. You get charged like a box 75 or something. And then you have to go in and you have to notify. So it's bad PR. Right. That's not going to be great. You have to tell all your customers. It's going to get out. Folks are going to hear about it in the news. And then you're on the hook for fraud protection. And then insurance rates go up, too. Yeah. And then it leads... I think 73% of these organizations say they now use a third-party organization to do some kind of cyber assessment, auditing, and risk remediation. Yeah. Makes good sense. So we at Hawaii Tech Support, we do what's called security risk assessments where we'll go in and we'll run a bunch of scanning tools on your network. We'll see where the vulnerabilities are, what your patch levels are, and what you can do to make a significant difference with maybe not a lot of investment, hopefully. What's your bang for your buck? Yeah. What's your best... You know, is it just turning on better... Turning on your firewall to block everything except for the stuff you want to go out? Or is it turning on, you know, replacing your typical antivirus?
You know, antiviruses are great to do what they do. And they check the file and they say, does this match something that's in my records as being a malicious file? Unfortunately, a lot of the new attacks, they're only a couple of days old. So there's no chance for these antiviruses to update. There's no signature out there. Yeah. We've been pushing and pushing our customers and people in Hawaii to look at more advanced security features or more advanced endpoint protections. They also incorporate AI and things like that. Yeah, things like machine learning and AI. So it's not just looking at the signatures of the package, it's actually looking when that program executes. So if you get a PDF in the email and you double click on it and nothing happens, that's a really... Red flag. Yeah, it's a red flag. Why is this not opening? Yeah, right. A normal AV, first-generation AV. Yeah, I'm not going to target anybody. It's the Microsoft, McAfee, you know, they're not really made to look at what's happening after the file is open. You know, what are the heuristics? Or, you know, what processes is that one file spawning? Things like Carbon Black, SentinelOne, which is what we use because it has 24-7 monitoring with our Security Operations Center, Cylance. These are the next gens, right? These open up files. They could open up in a sandbox and see, hey, this is trying to start another process. That's not normal. A PDF shouldn't be starting another process. Because it shouldn't launch Notepad. Right. Or PowerShell, yeah. Right, and PowerShell, which is built in. And most people are just running their workstation as a Windows power user, like an admin, right? Yeah, and these viruses, they could send thousands of commands to your computer in just a short amount of time. That's just opening up wide open is like a turkey. It's so much for a small business owner. Say if I have 100 employees, and that's about a medium-sized business.
It's so much for me to deal with to say, gosh, I need a couple of cyber people, and I need to spend all this money, and I need to make all these investments, and then I need to do these audits, and we're always working. It's always this running game, and I just want to do my business. Yeah, you got to separate what is your, what's your organizational IT versus what your organizational, you know, cybersecurity is, because they're not always one and the same. Cybersecurity does fall in the realm of information technology, but it's a very specific realm. Not every IT person is going to know security, just like, they'll have a good fundamental understanding. Of course, you know, good IT folks do. But not the specifics. Right, and, you know, maybe not have the products on hand, or maybe not have the procedures on hand, may not have the regulatory, you know, knowledge, you know, what's right. Yeah, that's a big one, too. So, you know, especially for, like, defense, finance, you know, people with regulatory. So, yeah, there is a lot of outsourcing. We get a lot of requests to handle just cybersecurity. You know, they're happy with their internal IT, but you need a little extra. With IT in general, though, I mean, you're talking about simple stuff that just could be a waste of time to a lot of people, and has been a major source of vulnerability over many large organizations. So, let's take Windows updates. Okay. Right? I didn't want to go from Windows 7 to Windows 10 because it cost me a whole bunch of money. Well, the national health insurance, NH, what is it? NHI. NHI for Great Britain. That was their excuse. We didn't want to spend the money to go up, and they got attacked by WannaCry. Like, the whole thing went down and ransomware. In one patch. It was just one patch. One patch. They were missing one patch, but it just opened up wide up. Maersk also got hit. You know, Maersk is the... Oh, the freight lines. Right, the freight lines.
So, those kind of decisions are costly in the long run. And so, if you're thinking short-term, you can't really get around that. But some of these business owners now, they can come to you and do a managed approach. So, all their workstations, they turn them on every day, you're making sure they're all updated. Right? The first, I think, the front line against the attack is to update the system with all the known patches. Yeah, it's not... They're talking about... When your IT experts are talking about or your industry leaders are talking about business disruptions, sometimes patches can be a business disruption. That's true. If you're just applying patches as they come out, I mean, that could cause problems right there because they don't always play well. And it's really a managed approach for patch management, I think, is one of the key issues for resolving 95% of your vulnerabilities. Because if they try and run the program and the vulnerability is not there in the operating system, then the program is just going to do nothing. Right. So, most hackers out there, you know, the beginners, the script kiddies, they're going to go to something like Exploit-DB by Offensive Security and they're going to download the patches. There are, I mean, all the exploits that are out there and they're going to say, okay, Windows 7, it's 32-bit, and it's this version of IE 8. Oh, yeah. And so, I'll run this exploit. And if you've upgraded your systems to Windows 10 or if you've applied the patch that overcomes that vulnerability, that script kiddie can't do his work. So, you're right. 95% of this stuff is gone. You're dealing with the 5% of the hackers that actually write their own code. Right. And those are more difficult, but if you take 95% of your resources and apply it to that, you know, 5%, then you have a better chance. Yeah. Yeah. And you guys do that, right? We do. So, if I had 100 workstations and I said, look, I don't want to think about this anymore.
I want a cloud environment to secure. I want a backup rotation. I want a security plan. I want you guys to manage my workstation. I'd say call Hawaii Tech Support. Right now, what I don't understand is why people don't do this more, because when you look at the cost analysis of this thing, right, you can go down this, I'm doing it all myself, or you can say I'm doing this with Hawaii Tech Support, right? You do this like a two-year plan, and the cost is going to even out. Yeah. Well, it's going to even out really quick if you ever get hit with the ransomware. Yeah. That tips the scales easily. However, if you don't get hit, that two-year plan, the cost could be the same, and most people say, well, why should I do it then? Because I'm not really getting anything out of it. Well, one, you're not getting hit. And two, now you get to concentrate all your resources on doing your business. Right, yeah. I get to do what I want to do. I get to do running my food trucks. I get to do my hotel chain or selling automobiles or whatever my business is. I can do that instead of concentrating on IT. Yeah. I can have one or two IT guys, and the rest is just you guys. That's what usually works out. So especially with larger organizations, they already have an internal IT team, and those guys are great. I mean, they know the environment. They've been working in there for many years in some cases, so they know where everything's at. They're a perfect asset on the ground. They probably ran the cables. Right, yeah. So it's like, if you need some tribal knowledge in this network, those are your guys. But at the same time, people use us because we offer a little bit more service. We do things like, we're your virtual CIO, so we can help you out with the business decisions. We can help you out by taking over your management, by becoming your help desk. Letting your internal guys focus on the business part and letting us focus on just keeping it running, keeping it operational. 
One of the biggest costs out there is running some kind of help desk. Yeah. I mean, the rotational stuff. Economy of scale. Yeah. I think that's why we can do it so affordably is because we have a large economy of scale. We can have. It's no longer like that. You have to outsource if you're going to succeed in your business now. You cannot scale without outsourcing. Right. Cloud's part of it. What you guys do is part of it and security's part of it. If I want to open a business and scale, I have to outsource things. I'm not going to open my own human resources department. I'm not going to have my own legal team, so I'm going to go out and hire Hawaii Tech Support. Yeah. And you don't have to pay our insurance. You don't have to pay our. Oh, right. That's huge. That's huge, right? Right. It's all in the cost. And I don't have to think about that. And if I can concentrate on my business, shipping things back and forth or selling support, I'd rather do that. Right? It ends up. At the end of the day, it ends up, in most cases, being cheaper to hire an MSP to do your work than it does to hire an employee. Unless you already have. Managed service provider. Managed. Oh, I'm sorry. Yeah. Managed service provider. So you have your ISPs, which are the ones that give you the internet, and we're the ones that manage the backend. Right. All the servers, and routers, and switches. And it becomes more affordable, because if you can hire us for whatever it is, say it's $1,000 a month for all your systems, or you can hire a person, a new employee, that will cost more. And it comes with a lot more lives. It comes with a lot more. Yeah. And we're easier. We have to work for our business every month. We have to work to get you on the next month. So we're easy to fire, too. We're not the only people in the game. That's right. It's a cat-backed, bottom-line expense. That's right. Yeah. Turning your capital expenditure into an operational expense is huge, too.
For accounting purposes, that's huge. Why don't you take the last 30 seconds of our show and just do a promo for Hawaii Tech Support. Tell us what you're all about and what you do and what you want to do for us. All right. So Hawaii Tech Support is a local managed service provider. We provide small and medium-sized businesses in all industries, so many verticals, with 100% IT coverage. That's anything from 24-7 help desk support to advanced security features, the stuff we were talking about with the security incident event management, the correlation. So if you have a business and you're anticipating growing or you just kind of want a little bit more in the IT department, a little deeper bench strength and a little bit more response time. And you can scale up and down with the business. Yeah, absolutely. So especially with the cloud, right? I need a whole bunch of storage and processing today, but tomorrow I don't need it. We've been using Azure a lot. That's Microsoft Cloud. Microsoft's Cloud. And we're moving entire... Nobody's having servers on site anymore. If they're getting decommissioned, we say, you know what? Let's just move into the cloud. Yeah, it's about the same cost right now. But something tells me that Azure is going to continue. Cloud computing is going to continue to go down while the hardware is going to stay about the same. Plus you're talking about electricity. Yeah. Yeah, and then the house. Air conditioning. If you're in the flood plain. Yeah, all that kind of stuff. Well, thank you so much for being on the show, man. Yeah, I appreciate that. Merry Christmas and Aloha. Aloha. Thanks for joining us, everybody, on the Cyber Underground. Tune in next week for another exciting episode. And stay safe.