Hey, Aloha, and welcome to the Think Tech Hawaii studios, Andrew, the security guy here today. I know you were hoping to see Professor Dave. He's busy. I ain't sure what he's doing. He's a hard-working guy, but I got another really hard-working guy in here, special guest today. Will Bales is here from the Honolulu Field Office. Thank you so much. I appreciate you taking the time to come in and talk with us today. My pleasure. This issue, this episode, I wanted to get a new program that the FBI has rolled out to the public, and this is about combating foreign influence. And it's really about the foreign influence that's gotten into the fabric of our society in a lot of ways through social media. And I want to give you a brief before we get to talk with Will about this. Some of the stuff that FBI Director Wray talked about that you may not understand how influential our adversaries are becoming and some of the things that they do. And here's just a few of the examples that he cited from the investigations that they've done. They basically are targeting U.S. officials and other U.S. persons through traditional intelligence tradecraft. There are criminal efforts to suppress voting and provide illegal campaign financing. They are using cyber attacks against voting infrastructure. That means the networks and the equipment that are used to vote along with computer intrusions targeting elected officials and others. So they're trying to get into their systems and steal information from it to use against them or maybe for them depending on which way they want to sway people. And a whole slew of other types of influence that are overt and covertly manipulating news stories, spreading disinformation, leveraging economic resources, or escalating just divisive issues in our community. And it's not just an election cycle threat.
I mean, these are the kind of threats they're using to sort of break apart the fabric of our country over anything they can to just cause disillusionment with maybe our leadership of our country, you know? And that's damaging in and of itself when people lose trust in the sort of fabric, the foundations of our country, right? This is a problem. So I thought I'd get this out here today since Dave's not here, and Will's going to try to help me get through it. First of all, I thought, will we go back and look at sort of the rise of social media, right? There was a lot of hope for connecting people. And I believe that these Mark Zuckerberg and all these guys had an idea there, like, wow, cool technology we can all share. And it's gone kind of crazy, maybe. Like, I don't think we ever thought it would be weaponized. And so what give us your take on that there? That was broad. Sorry. No, that's fine. It really is. Social media is just like the Internet. The creation of it is an amazing thing. And it's for the benefit of everybody. However, select few individual or many individuals are just using that to do a lot of harm. So social media has morphed into, like you said, connecting users. Kind of primarily started at maybe the college age. And now it's branched out. So it's easier to use. And so we have all generations that are using social media. But I also don't think that social media was created to be the single source of information, which it seems to be for a lot of individuals these days. Yeah, you wonder if people get blinded, right? You throw your opinion out or you latch onto an opinion of someone. All of a sudden you find yourself either by chance or by manipulation in a whole group of people that seem to be like-minded. Yeah, more and more, especially with social media and the Internet as a whole, it's easier and easier to just pigeonhole yourself into more like-minded areas or sub-forums or whatever it might be. 
So then you're going to only be surrounded by that type of information. So it is great for connecting other people, but it also is very easy to disconnect from a certain group of other people. And that's something that is sort of isolating you without you knowing it. If you're not thinking about this potential that someone's maliciously exercising influence against you, you could be joining a group of people that you think like to knit the way you do. And you all make the greatest sweaters in the world and none of them actually exist. It's all fake. Yeah. It's really scary stuff. You know, I sat this past week up at InfraGard National in a room talking about the counter-intelligence efforts that we've got going on. And the director shared with us that the shift towards recruitment for, are they HVEs, violent extremists, homegrown violent extremists, is recruiting, they're recruiting from the Internet. They've seen a massive shift of that through social media in the last three years. Right. Before, when people talked about cyber crime or just cyber in general, it was kind of the geeky mindset is people just hacking computers. Now there's a huge just migration of traditional crime, organized crime, recruitments, whether it's homegrown extremists or ISIL type of sympathizers. Everything is now on the Internet because it's easy. It's often anonymous and just the convenience of it makes it so that you can get connected or informed by whatever individual that you want to. So of course, these criminal organizations are using that, you know, Internet platform to recruit and get their word out. Yeah. I happened to take a visit to D.C. this year with the Federal Law Enforcement Foundation and got to meet a lot of different groups. It's amazing how much you guys all work together. And then we got to meet Interpol, finally, who seemed to be the nexus of knowing what these guys over in this country do and knowing if they're over here.
And I thought that was amazing that we've got that sort of information sharing. Understand that this foreign intelligence is a new task force. Could you give the audience a feeling of just what is a task force when it's new like that? Sure. Whatever you can share there. A task force is vital, especially for combating something so complicated or as broad and big as cyber crime or foreign influence. So a task force is essentially not just one agency. It can be local, maybe comprised of local police departments as well as states. Of course, federal, we're going to have multiple types of different agencies involved in this task force, DHS, FBI, all the different types of intelligence services that might be involved with this. So with that as a task force or a united front, sharing information amongst each other. Maybe the locals, local PD gets some kind of on the ground, boots on the ground type of information that this person has been handing out a lot of these different pamphlets. We at the federal level, we might not have enough kind of a view or that high level of view into something that granular, but the locals then can pass it through the task force and now we all have that information. We share it amongst each other. And then there of course are different task force that might comprise of our foreign counterparts because cyber is a very global issue. We have to make sure that we're either working for Interpol or with Europol and all of our foreign colleagues to get this information, this vital information out to our partners. Yeah I was, shared some statistics with us about the, you know, we don't hear much about terrorism in the U.S. lately, but that's because, I think of all this sharing, he kind of said that the volume of the case load of current investigations is kind of the same and the volume of arrests, which aren't always terrorism related. 
You find a way to, we find a way, an illegality of someone based on maybe a state law or a local law or something they're doing wrong, that they can be brought off the street so they don't go active and really cause a problem. Right, especially with counter-terrorism investigations for the world, no news is good news. Yeah, that's what I was thinking. I don't think people know that, right? Like they don't hear about stuff so they think it faded away. In fact, some of the security presentations I've been doing, I tell people, you know, as security professionals we haven't been talking as much about terrorist activity. We were talking about the vehicle ramming activity and that wasn't always necessarily terrorist related so that that was on the rise and so, you know, it's just a different change in what we've talked about but that was a good thing. So let's change just a little bit. The director talked about, you know, that I think the traditional things that the Bureau has always done, you know, information tells and sharing that you just mentioned. But this, the third pillar approach he said is based on a strong relationship with the private sector and I don't think the public at large knows a lot of this. If you're not affiliated with InfraGard or the Citizens Academy or FLEF, you know, I don't understand that this is happening. And he pointed out that the technology companies have a really frontline responsibility to secure their networks, products and platforms. They're doing, he says we're doing our part by providing actionable intelligence to better enable them to address abuse of their platforms about foreign actors. This year they're meeting with top social media and technology companies many times giving them classified briefings and sharing specific threat indicators and account information so they can better monitor their own platforms. Do you have a feeling or a vision on that response, reception, I guess, from that message from social media?
Because that's their revenue generating and I think many of us are aware, they make money off visiting and clicking and moving through their sites. Do you think they're as helpful as those of us who are definitely out here working at InfraGard and places? I never saw a Google guy at InfraGard, for example. I'm sure they're there in Silicon Valley, I didn't know that. Right, it's definitely a balance that they have to do. Of course, their main objective is, you know, their business. Yes, sure. So, marketing, making money, things like that. But now more and more cybersecurity is just such a big deal. At the bare minimum, it's a reputation hit if there's some kind of breach or just something that makes the company have a little bit of doubt associated with them. So, I think more and more private sector is treating cybersecurity with the respect and just kind of importance that it deserves, but we do have room to improve. Yeah. Do you think it took like GDPR in Europe and the U.S. looking at that going, whoa, because the pendulum could really swing a long way and hurt their business model if they don't come to the table? Right, and GDPR has, there's a lot of implications that's yet to be found out on that one. Privacy, of course, is extremely important. Something, of course, the FBI is very familiar with the past. And we respect that. We definitely want to make sure that we are treating our citizens because that's what we are. We are public servants. Yes. As government officials and workers, we are protecting our civilians and citizens of the United States. So, it is something we have to balance. Privacy as well as just the interaction because we need to make sure that the intelligence that we're getting at the FBI is shared appropriately with the private sector so that they never have to worry about just not knowing. Sure. If we provide that to them as best as we can, then they can try to hopefully fend off. Yeah.
I really wish that if more people knew, I think, the depth of privacy protection that goes into the investigations that you folks do, I think they would wish that business functioned that way. Business functions a whole lot more loosely than the myriad laws that you guys have to move through. It's always amazing when I hear an investigation briefing, everything that goes on. So, you think the public should be able to count on, you know, I mean, I know there's a thing with Facebook going on today, for example, but do you think the public should be able to count on more growing support from these large social media companies? Do you think that's the trend? Even though we're pushing them and prodding them a little now, maybe they'll continue to come our way. I hope so. I hope that they continue to have that momentum into a more secure environment. We went from probably not even a decade ago that passwords were just clear text. Yeah. You know, that was kind of a standard practice to have clear text passwords stored in a lot of these companies. Now, of course we know better than that, but we do in our investigations come across a lot of private sector individuals or companies that still operate that way. So, I think a lot of it has come down to education, which is why we're trying to educate the public. That's why we're here today. Sure. What we're going to do, we're going to step into some of the elements of this, well, let me just say, alongside the combating foreign influence task force, and the output of that has been a program the FBI has released called Protected Voices. And there's several elements in that, I think 10 or 12, which only gives us about a minute each after the break, but we will come back and passwords is going to be one of those. 
We're going to talk about some of those elements and kind of direct you to where you can get this information if you don't know what's going on and you don't know how to get started, or you're not sure if your company is using clear text or not using HTTPS or whatever your problems may be. We'll get some guidance here. So give us about a minute to pay some bills and we'll be right back. Hey, Aloha, and welcome back to the Think Tech Hawaii Studios. Andrew, the security guy here with Will Bales from the Honolulu Field Office. Today we are kicking through combating foreign influence for a little bit, which is a new task force that the FBI set up based on some of the selection stuff, but it has implications for all the social media out there. So be careful where you play. An outgrowth of this task force has been some videos that they've generated. This information is called Protected Voice, a protected voices program. And I thought we'd just kind of walk through the elements of it and maybe sort of reinforce some of the stuff you'll see.
But these are two, three, four minute videos on a variety of topics that are great information if you want to figure out what to do or you're not sure if you're doing all the things you should be doing. And again, what we'll do is just sort of overview these. We're not going to play all these videos. We don't have time. But it's on the same website. So if you just go to combating foreign influence, you'll end up right here at Protected Voices. So social engineering. I think we were sort of kicking that around. I'm not sure if people know how vulnerable they are to social engineering. Do you even come across a lot of investigative avenues or places where that was the origin of the exploit in their problems that arose in their company? Absolutely. Social engineering is very interesting because it usually has a lot of clever wording. People, I don't want to say problem. The problem with people is we're trusting in nature. Yeah, like we're supposed to be, but it's a problem. Right. So with that, then people will a lot of times through phone calls. They'll call into a company. I need my password reset or I forgot my email or my information or whatever. And just the companies and people in general are trusting of the other person on the end of the phone. So they will reset the password or the email or whatever it might be with good intentions, of course. But obviously on the other side of the phone is a subject or a bad guy. A criminal. Yes, a criminal. Let's call them criminals. We don't call them hackers anymore. Hackers are good and bad. We call them criminals. Right. And with that, maybe they just want to get your credit report or they change something around. That of course affects an individual and it's inconvenient but in the grand scope of things not as big or they go into your corporate network. They get the password reset and now they have user access into whatever it might be.
And then from there they can pivot into a lot of different things because people use the same passwords. It's definitely a big problem. Yeah, we're going to get to password usage here. So don't think you don't do it. We know you do. So video number two is about patching. Patching firewalls and then antivirus. And to me firewall is a little bigger animal than patching and AV. Let's talk about patching first. What do you see? You know, when you go out there and look at when you need to find things, are they unpatched? Often. Very, very, very often. Does that help you? Yes. And unfortunately so we understand that they're unpatched. But we, and I want to say we understand it, but there's instances where we see something's unpatched for multiple years. Yeah, years. How is that? That one's a little bit more frustrating because that's, of course, could have been remedied and prevented and we have other things we could have been doing. But we also do understand that especially if you're a large organization and with the patching and things like that, it's not just a one-click and everything's all hunky-dory but often when you patch something, something else is going to fail. There's often testing and things like that. So we do understand that it's easy just to say patch everything. We're still going to say it because you do need to patch. Yeah. Best you can for sure and then know the implications of it. Not everybody can have a development environment to do their beta testing of patches and all that. So yeah, understood. AV. Do you find AV updated? Is it, you know, so we got sort of the local machine version and then you've got it run on maybe a little more of a modern type version. What do you see in the small business taking advantage of that? Yeah, AV has been something that is, for the most part, it's there. The problem is that they have an uphill battle because malware is being able to change so easily, so often. You can't just do things by hashes anymore. 
Of course, it has to be signature-based and it's definitely something that the AV companies have their work cut out for them. But a bare minimum, somebody should have AV software on their computer because it has a baseline. It gets rid of most of the traffic or malicious attempts towards your computers. The sophisticated ones might be a little bit different, but you're going to filter out 99% of the issues out there. Yeah, you don't want to get beat by the old stuff. Right. The stuff that we know about and that AV will at least stop that. Firewall is a little bigger animal, maybe outside the expertise of many, but how about the stuff about the home user and his firewall settings? Do you think he plugs it in, gets internet, and he's done? Right. Firewalls and then similar to the routers, which is another topic point, default is not good. No, never. Especially when you're using default credentials with whether it's firewall or routers. Admin, admin. Right. We see that way too common. Of course, with websites out there like Shodan and whatnot that just really shows all the different unfortunate individuals that leave default credentials in place, firewalls need to make sure that you, of course, update them, customize them if possible, but at the bare minimum, make sure you're changing default stuff. Yeah, and turn off that external management. You're not going to manage it from somewhere else. Turn that off. Every remote port, you don't need it. Passwords is in here. A video for passwords. We have been harping on passwords for so many years now. Let's give them, give me your top three advice for passwords and then we'll move on. Stop using the same ones. Yes. We know you do. And don't use short ones. That's another thing. The longer the better. They used to be, you know, as long as you use different characters and made it kind of complex, then that would mean you're safe. That's no longer the case. 
It's just because of all the different computing power that we have out there. So longer is better. There are password managers out there. We don't recommend specific ones, but if you have a good one, make sure that the password for the password manager is extremely long and complex and two-factor with that so that you can make sure that you kind of manage that properly. Yeah, I love the point of two-factor. It's rolled out into almost everything now. Go turn it on. If it's available for whatever that site is, whatever you're doing, turn on two-factor. I know it's a little bit of a headache, you know, but use a Google Authenticator, use Microsoft Authenticator. Use a text. Text is less... I guess it depends on what you're doing, but, you know, take advantage of it. Passwords just aren't... I hope they don't last much longer. I hope we just move away. I'd like a triple biometric, and I wanted to know where I'm geolocated. I want a whole bunch of stuff where it lets me in, but I'm different from a lot of people. Oh, this is good. Browsers and then application safety. Let's talk about browsers first. The settings in browsers. Browsers, of course, is what we use to surf the Internet. Make sure that they're updated. There's a lot of these attachments or extensions on the browsers. You have to make sure that when you install those, you know what you're installing. There's a lot of malicious ones out there. Of course, there's also different types of scripts and scripting that a browser can run. If you want to be safe, you disable that. You kind of mentioned that security is inconvenient. Yes. Unfortunately, a lot of the things that... to make you a real secure individual on the Internet is an inconvenience. The more that you feel very frustrated and things are inconvenient, that probably means that you're doing it right. Don't take that high security browser setting and start lowering it so your life is easier. Leave it up there and live with it. 
Depending on what you're doing. If you're looking at Mickey Mouse videos, well, maybe there could be bad, but I don't know how many malicious guys target Mickey Mouse to serve the people. Let's talk about browser mobile apps a little bit. I know some of the stores recently have kicked up their getting rid of guys with no bad code and no bad libraries and things like that. What's your take on that? I'm always scared. Especially like I'm updating. I'm updating twice a week the same app. What's the problem there? Our lives are going to be on our phones. That means that the computers that we're using is all going kind of migrated to the phones. Everything on a phone is an app. The malicious or the criminals that are targeting mobile platforms is not going to go away. That's only going to increase. We have to be very, very cautious of the apps that we download. Make sure that it's from a reputable company. You've got a little bit of research. Don't get those weird ones. Right. If an app is usually paid, why is this one similarly named and it's free? You've got to be really skeptical with downloading these apps. There's a lot of bloatware out there anyway. Maybe it's not even malicious, but do you really need to download that one more game app on your phone? You downloaded it and now your phone is slow to a crawl and all that. Do you wonder what it's doing to drain that battery? Siphoning off everything you are and everything you've ever known is sending it to somebody. Woo! Let's talk about comms real quick. Just the kind of information that people put out. Talking third party, talking in the hallway. Just communicating about important assets of your information, important operational elements of your company, or perhaps your important elements of your financial aspects of your own life at the mall with your sister and talking too loud with people standing around. How much intel are people giving away out there that they're not aware of? Tons. Absolutely tons.
There you go. You don't have to work for the government to be paranoid about the information that you're conveying out there. Not everything needs to be classified to be important as well. There's a lot of information, a lot of vital information important to you personally, important to me personally as well as for my job. And when you just talk about it, you feel confident maybe nobody's listening to that but they can be and especially if it has to do with a computer or digital then it's going to be out there. Anything you say. Whether it's social media, whether it's potentially e-mail because we're seeing more and more data breaches out there. We've seen companies e-mails leaked into the internet through different data breaches and things like that. So more and more when you're texting or comprising that e-mail you might rethink what would this look like if it was out in the world. If the public could see this. Exactly. Be careful what you say. It's being recorded probably somewhere. So we've got a few minutes left. Let's combine Wi-Fi and VPN. So public Wi-Fi, I'm always freaked out and scared we have VPN so give us some advice on those usages there. Sure. Public Wi-Fi it's great, it's convenience especially here in Honolulu because we have a lot of tourists coming in and I think more and more the cities are opening up to have open Wi-Fi but it's also extremely scary. Because when you're on open Wi-Fi malicious people can essentially see all the traffic. All your web browsing potentially that you're going, anything that you're doing if you're doing banking they're going to potentially see that. So don't do banking. Don't do anything financial related on open Wi-Fi. Basically anything that you want or worried anybody could be seeing. So general web browsing, sure that's probably okay. With VPNs, we can mitigate the open Wi-Fi problem using VPNs. 
Essentially it's a tunnel into whether it's a secure server that you have or your work and that is that secure tunnel is encrypted and then people can't even though you are on open Wi-Fi read your traffic. Awesome. So October is National Cyber Security Awareness Month. There are tons of trainings going on all over the state. Tomorrow starting at Pearl Ridge downtown there's a bunch of InfraGard folks are going to be there. So come on down if you want more information use I think I should say your voice is important so protect it. Thank you.