Welcome back to Cyber Underground. I'm your host Dave Stevens here at Cyber Underground. Our mission is to dig deep to find out how cybersecurity touches all of us in our everyday lives. Today we've got a special treat for you. We've got a co-host that used to be a guest. Mr. Perfect, Jeff Milford. Welcome back. He's the president of ISC2 Hawaii chapter and our guest Mr. Russell Seney. Russell, why don't you tell us a little bit about yourself? Okay, I've been in computers for quite a while. So your first time out? First time out of computers? I mean it's, I know it's a little studio but were you inside a little computer? Is it a big computer? No, it's a pretty big computer. Good computers, okay good. Built my first computer years ago and then was in the Army, went to Ethiopia and we had a deep space tracking station. We were watching the other guys. We had, you know, really good tracking. You know, it was kind of neat and worked at NSA for a year. And then my parents moved over here so I moved over with them and been here ever since. So where'd you go first in the United States, in the mainland? Well, I was living on the East Coast. My dad was in the Army so we moved around but I was living in the D.C. area when I went into the service. I was in the Army Security Agency so I've been doing security stuff for years. Pretty much your whole life now, yeah? Pretty much. You're pretty good at it right now. I don't know about that but I've been doing it a long time. Well, that's good enough for us. So when did you come to Hawaii? 1971. Yeah, I told you I'm old. I've been doing computer stuff all this time. We actually started up our computer company 33 years ago. Which company's that? Pacific Business Services. And you're still doing that? And we're still doing that. Good for you. That's a lot of years that we put in the business. Yeah, and we specialized in compliance and security for financial institutions. 
But we did a number of projects like Verifone, Bishop Trust when they were still around, Hawaiian Trust, Bank of Hawaii, First Hawaiian Bank. Verifone was an interesting one because we went from zero to intergalactic with them. And we built custom packages for them. Yeah. And that was a lot of work, but it was a really interesting time. That was tech infancy here in Hawaii. Oh, it was. And you were there at the birth? Actually before the birth. You had to raise our tech child as it were, yeah? Well, I saw you if you go to like any of the stores and you see the little Verifone unit, you know, like I saw the preliminary one that one of the owners had come back from, I think was from China. And he was trying to show me this is the wave of the future as far as like card validation and everything. And the little key caps were falling off. And one of my friends that was working for him, I said, you should work on your resume. And so that was years ago, too. So tell me about the InfraGard member alliance with the FBI and how you got into that? Okay. We were doing one of the cyber exercises at UH with the National Guard. And I had been in InfraGard, but I hadn't been like in any position of anything. And two of the FBI agents, we were on a break and they were standing in front of me. And like, and one of them said to the others, like, I heard that Russ would want to be on the board of directors and like in the other one goes, Oh, I heard the same thing. He'd be really good at it. Yeah, it was a little bit of peer pressure. I'm standing right behind them. And I'm trying to explain to them, I hear you. But I also knew that they were both armed. So I thought it would be a good thing if I went ahead and then I got nominated as my first job was BW president. Oh, well, I skipped all that board of directors stuff, you know, those other steps went straight for the top. Just both feet right in. Tell us about what the association does. 
Okay, the FBI InfraGard is an outreach program from the FBI. They partner with different organizations. The whole goal of the InfraGard is really to provide information out to the community, as far as the partnership goes, and also to collect information and to get information from the community. So we have members that are law enforcement. We have cyber tech people. We've got people from HPD, from the fire department, people that are just in the community that are members. Jeff and I. Jeff and you guys are now members. So the goal basically is to provide a vehicle for the FBI to disseminate information, but also to be able to get information back from the community. And what did they disseminate in particular? It could be like what they call flashes, which are basically the current latest stuff. So like when WannaCry was out, there was the WannaCry stuff happening a couple weeks ago, a month and a half ago now, that was showing up in the media, but also there was some stuff showing up on, we've got an FBI InfraGard site that gives us a little bit more privy information sometimes. Sometimes we can get the same information if we go to CNN. Sometimes it'll be scrubbed so that we actually get additional information. Or we may actually have special meetings and stuff. We had one on a couple months ago on ransomware. It was done out at the FBI headquarters out in Kapolei. And it was done by the FBI cyber squad over here. And the Secret Service. So they covered a number of different things that you don't see out in the public. So what do you mean by scrubbed for audience now? The information is scrubbed? Yeah, they'll either look for things that are like issues that they don't want to divulge yet. Yeah. Because it may damage a case. The FBI is like as far as their mandates go. They basically do the law enforcement, go out and chase the bad guys. But then they also have to do the prosecution. So they actually need to make sure chains of evidence are clean. 
That when they go out and do the prosecution, that nothing's been tampered with, or like they've done everything that they need to do as far as to So this is a federal law enforcement organization that does what our local law enforcement and state law enforcement does but across all state borders, yes, but only domestically. Yeah, yes, right. And they actually cover Guam, the Pacific Islands and stuff in here. And they work well with Pacific region or like Washington DC. So when did they start this InfraGard? And what was the impetus for starting this alliance with the members? The initial setup and the initial forming of it was in 1996. It's been around a while. I did not know that. Yeah. And it was done with Cleveland. And it was of all places. Okay. The FBI organization or the field office in Cleveland. They looked at like partnering with industry. And so they actually their field office actually started it. They started working with subject matter experts in the Cleveland area. And once they got going, it started showing up. There was a national push to move it to Washington DC. So like FBI headquarters like got more involved in it. And then I think in 2003, FBI InfraGard National like where it was rolled out to all 56 offices. So like the local office here, they have a FBI coordinator that takes care of us make sure that we're not doing wrong things, make sure we're doing the right things. And we have our own special agent. It's like the gift you a special agent. Yeah. Well, that's that's great. He's gonna shoot me for this. We keep him busy though. Okay, so how do you keep him busy? What comes back from private industry to the FBI? There's a number of things as far as the sites go. 
The InfraGard is built up not only the InfraGard org site, but they actually have an iGuardian site and eGuardian site, which allows like, Joe consumer like business person, cybersecurity guy that's working in a company to be able to provide information to the FBI, and possibly to get next. So say you've got new ransomware showing up, or you haven't seen anything in the, in the media about it. There's actually a site that you can turn in like suspicious activity reports, SAR, and they will actually roll it up to national to see if it's been showing up someplace else also. So what you think might be just something happening, maybe just in financial institutions, and you know, two other CIOs, they like, they mentioned something about possibly, they think it was something similar, but they scrubbed the machine, like so they don't know for sure now, you know, you roll it up, and you can see whether it's happening someplace else. Just like any other investigation, the more data you consume, the more conclusions you can draw from the data. Yes. And see, what's the causality here? What happened first? And what's kind of interesting about it is when you do submit information, you can submit it either anonymously, and you'll get kind of like filtered information as far as the anonymous stuff coming back to you. Nothing to do with anonymous guys. And then that was a side joke. Oh, it's sort of no mask, no Guy Fawkes mask, right? Gotcha. And then, but there's also a second site that you can actually upload like the malware. So you can actually take and send them the malware, send them the malware. It's a special like upside upload site. That's great. But say you've like actually isolated it out into some particular machine, and you actually want to figure out like, maybe what this is, or like if anybody else has seen it, and they can actually take it apart. They'll start ripping apart to figure out what the codes are, what kind of threads are. They deconstruct that code. 
They can deconstruct it. See, there's a way to actually upload actual malware to the FBI on their special sites. Well, so how long does it take for people to find out if there's been a nationwide attack? Like WannaCry, I remember InfraGard gave me a broadcast email. But wasn't a lot of information at first. So how about how long does it take for like, that was a worldwide event? Yeah, that was on May 12th of Friday. Yeah, and then by Sunday it was like at 60,000 sites or something like that, whatever the number it was. We got up to like 200,000 computers in the first week. Yeah, right? It was insane. And so there was some stuff that started filtering out like right away, like within the next day. And then as they start rolling up information. But because we have contacts into the cyber squad, we can actually contact agents and see if they've been hearing of any upticks and stuff. Because we have customers and stuff and we're concerned about our customers, like, is there something that something else that they've heard? You guys also do events. And there's one coming up. You guys, you want to tell me anything about that event? Which one is that the one I just got a broadcast email from last night. I don't know exactly what it is. I can't tell you. I don't know my computer. I know you guys have events. Can you tell us about some of the events you do the outreach to the community? Okay, training. Yeah, we've had like for 2016, we had actually I want to cheat and look at a little bit of my notes. Because we had like a ton of things. He has notes. Yes, I've heard of those. But we had cybersecurity, like research on China and Russia from a professor from UH from the East West Center. And she went into like some really good details on like what she was seeing from a research standpoint. And she was a guest speaker early in the year. Raspberry Pi, you asked about that, which can be converted into just about anything. Yeah. 
So could you describe the Raspberry Pi for our audience really quick? Sure. Raspberry Pi is a unique device that you can just buy on Amazon.com. I can go to Walmart too. And Walmart for 85 bucks. No, but that's a kit. That's a that's it's beautiful that you can do this. Bob Monroe and like, did a presentation at one of our meetings. And he brought all the toys like he bought. And I want to say there was at least a dozen different raspberries that he brought, which was really neat. It's like you you bring it to the candy store and then everybody wants. Oh, can I have one of those? Like, but he built one while talking to us. So he took it and he described it as a Lego kind of framework. And he took like, NIC cards, plugged it in. He took like a network interface card. Yeah. So he put in the network interface card, he put in like a VGA for you talking to a monitor, he plugged in a keyboard, a small keyboard, battery pack. So the Raspberry Pi is a small component. There's a standard size, but I think it's got a main board and a processor and some you can put memory in it. And you put memory into it. You can also put in like a flash drive. So what he did on the one he had was he had like, I don't know if it was Linux or Windows, but he had on the on the flash drive. And he plugged it in and he had an operating system, like fully operational. Now, these are the devices that have been converted into mock cell towers. Yeah, so the capture cells, you put this somewhere like on a wall somewhere and people walking by with their cell phone. And their cell phone cellular technology passes your signal off to every tower, as the signal diminishes from the previous tower. And it thinks this, this Raspberry Pi that's been configured, right, it thinks that's a cell tower. So as you're walking by, you're talking to that device, yeah, and it can capture all your traffic. 
Yeah, Bob gave a good information on a pen testing, which was somebody that was like, I don't know if it was he was involved in the pen testing or not. But it was kind of interesting because they did the pen test. What they did was they were that's a penetration testing, offensive security trying to break in and they were tasked to do a penetration testing on this company. The pen testers like they figured out that the CEO was going to be on vacation on such and such days. And what they did was they built up a Raspberry Pi, put it in a nice case so that it actually looked nice. Put it in a box. And then it had Wi-Fi and cellular built into it. Wow. Okay, and it had Kali Linux, like for doing the offensive security Linux flavor with all the offensive tools. They had all of that on there, like fully operational. This is big. This is a good build up. And we got to take a break. So we're going to get people to come back and find out what happened. I love this. We're going to take a break, pay some bills. Please come back until then stay safe. We'll see you in just a minute. Welcome back to Cyber Underground and part two of our drama. We're hearing about an actual penetration test using a Raspberry Pi, which is exceedingly interesting. So let's let's get back into this. Okay. So like what they did was they used like FedEx or UPS or whatever. Put this Raspberry Pi in the box and then powered on like with a battery in it that would have had it delivered and had it delivered to the CEO. Really? Okay. 
So they just put it on his desk or something because he's not there. Like whoever the staff was. They figured that oh it's for him. So they put it on his desk and then it sat there with Wi-Fi scanning their network and scanning whatever it could find. And where there's Wi-Fi there's a way. Yeah. Right. Yeah. Never heard that one before. And it had cell capabilities. So it was actually broadcasting out whatever it was discovering. It was phoning home. Yeah. And so because it had a battery at some point the battery would die and so the CEO comes back has no idea what this present is that he's got. It looks like a little Raspberry Pi. By then the battery had died and it was a present. And then just part of the penetration testing executive summary and results included the penetration testing results on his desk. That would have been great. They included the flash drive with the Raspberry Pi. Here's your results. Please plug this into your computer. Gotcha. By the way we got you again. So what were the results of that? How far did they get in? Did they actually penetrate the Wi-Fi, enumerate the network, find out all the other computers? Yeah. They could for whatever the range was for Wi-Fi at that point it was like three hundred feet or whatever. It's in the middle of an office. So it probably had a fairly good. So people don't know this. That's plenty. As long as you get to one system that you can compromise nearby you can use that as what's called a pivot. Right. You pivot to other systems. You can use that as a compromised computer pivot to another system and wander your way through the network until you find some valuable stuff and then just back your way out. How hard is it do you think to cover the tracks of something like that? I mean they left a Raspberry Pi in there. Right, right, right. So that's right. I don't know if they did any self-destruct stuff on it or not. It's not like Mission Impossible. It burns itself up. 
But that's a really interesting, I'm going to, so my computer club at Kapiolani Community College we do penetration testing. That's a great idea. I don't think we've done that before. Another thing that you can do on penetration testing is, and this wasn't from InfraGard. This is just something from my computer company, but we were doing some testing at one site and it included, you get all these new printers that have Wi-Fi capability. You can plug in your laptop and you're like, I don't actually need to physically plug it in. I can direct connect to it. So convenient. Yes it is. And a lot of people will take that and they'll plug it into their Cat5 or into their computer, into a USB port. So Cat5 is a network cable. That's a network cable plugged into the computer. So that way you get direct connect and the rest of the family can use the Wi-Fi wireless connection. So you talk about printer sharing from one computer and that computer opens up a share to the rest of the computers on the local network. So anybody else in that network can go through your computer to use the printer. Or they can go directly to the printer. And just use you as a bypass. Yeah as a bridge. Now the downside of that is if you haven't changed the default passwords on your printer. That never happens. Yeah and so you haven't changed the default passwords on the printer. We did it at one site where we actually connected into the printer. We connected wirelessly into the printer. We didn't know whether it was on the floor above us or the floor below us unfortunately, but we were in there and we were trying to print it out and we actually created a test page and stuff to print it out. Now that's funny and you bring it with that point. We could actually see the PC that it was connected to. Oh that's hilarious. I could go upstream. So you bring up a great point. Wireless people tend to think of wireless as point-to-point. 
You know I'm going between your device and my device and my device and your device. But it's no it's a radio. Yeah. It broadcasts in all directions all at the same time. It's a big circle of radio waves going out. So that's why we didn't know upstairs or downstairs right because it's coming from somewhere. And it was done on a Saturday and like so there was nobody in the other office who couldn't tell where it was. But we had a nice clean signal. How nice. So what do you guys do with the InfraGard when it comes to things like let's get into the new executive order by the president. You know PPD 41. Yeah let's talk about that for a little while. It seemed a little aggressive and assertive. No I think it's actually geared toward making all the players play together. You think it's a little overly ambitious though or do you think this is actually can happen this time. We've tried before. Yeah. Yeah. I think basically what they tried to do is like define who's going to be responsible for what. Okay so roles and responsibilities across organizations. So Department of Justice like through the FBI is basically responsible for threat responses. Okay so cyber and it's basically cyber oriented. So threat responses. So the threat responses we're responding to something like cyber security. It's a suspicion of something that it hasn't actually happened. Or it could be in motion. Oh it could be in motion. Yeah. Okay so it's an incident response as well. Yeah. And then asset risk responses like Department of Homeland Security. Can you describe that for our audience. Basically what kind of responses you're going to have as far as like equipment and stuff. And like just like are you going to have failures. Like and it may have something to do with like the cyber area or maybe something that they're just affecting. It might be SCADA machines or something. So SCADA machines are human machine interface or controller systems. Yeah like electric companies. 
Hydraulics and things like that. Hydraulics and stuff. Usually air gapped from the rest of the world. Usually however people still plug USB drives into the computers that control them. Yeah. Yeah. Stuxnet was a perfect example of it. Yeah. Okay so let's let's tell our audience about Stuxnet. Really quick if you can. I don't know. Really quick. That was in Iran. It was a it was a targeted attack on like the nuclear plants. I don't know if they spun them up too fast or slowed them down. Either way is bad. Like for like a nuclear plant. So the the the stepper motors inside the controlled things went too fast or too slow and actually burned to a point where they couldn't function anymore. Right. And so you could have a potential. Yeah you could have a potential. It was on the centrifuges. Okay. You know more than I do. That's good. That's awesome. Yeah I know I should have you as a co host. Good good. And the devices like systems like that need to be air gapped. Like an air gapping is basically you're not allowed to plug in that into your internet. No physical connection between the two. So there is literally air in the gap between the two systems. And so like somebody taking a flash drive and plugging in into the external devices that you're not allowed to touch. Like is a perfect example of like how it crosses that air gap. Yeah. And like vendors needing to do uploads and downloads or whatever to the devices makes it like a challenge also. Right. Firmware updates. And you know the update does the software on the device. You got to bring in a flash drive or connect to the internet one or the other. And so like our local electric company is the same kind of thing. All the equipment that like the power plants and stuff is all air gapped. Thank God. Yeah. If you start looking at ships we're starting to do some stuff with maritime stuff with U.S. Coast Guard. We're trying to set up an InfraGard special interest group with the like the local U.S. 
Coast Guard with District 14 and the maritime group. And some of the things that I was researching I had to talk to them about some cybersecurity stuff. I got some maritime cybersecurity information and it was talking about air gapping the ships. Could this actually help us? This partnership with the Coast Guard could this actually help us address horrible problems like human trafficking? If we can catch these people to perpetrate these crimes using cyber tools? Probably not from InfraGard standpoint. We might be able to pick up some. I haven't heard anything on that area. Doesn't mean that's not happening. So you guys deal with just mostly computer stuff. Yes. Okay. But then if you look at something like when the ships come into port like they've got all this equipment and everything to like lift the containers and stuff. All of those are like air gapped from their networks like that run the ship because the people that are working on the ship they like do a Skype to home to say hi Mary how's it going? You know and then just like happy birthday to the kids and so they're connected and now they're connected like they've got their own LAN, WAN and everything else and they've got the air gap, the equipment that needs to be kept separate. When they pull into port you know like you got all the containers like loading and unloading equipment like it's got exactly the same kind of things but they have to actually transfer what's on that container. Now those containers just brings a point since they're air gapped since they're very contained. Are they IoT devices, Internet of Things? They could be. They kind of qualify. They're intelligent devices which aren't what are sometimes but not always connected to the Internet. I don't know like a lot about what they're using but yes it would be. So it's in danger like the rest of the IoT universe Internet of Things is becoming a huge deal. Yeah we had an interesting discussion after one of our InfraGard meetings a couple months ago. 
Now that you brought up IoT we may as well go down there. Let's go! It was an after the meeting meeting kind of thing and this one lady who's a retired Secret Service agent, she was concerned about like renting cars, like car rentals. I'm sure you plug in your smartphone and you got the infotainment systems and all the car companies are trying to make it so that it's really really good for you and it just started this whole dialogue because like one of the agents said that he had been renting a car on the mainland. He used the Bluetooth to be able to talk Bluetooth so you can get your hands free and you don't get arrested. And when he finished he had all of his GPS information, his maps, whatever he had done. He had his contacts roll in there but when he went through the contacts it wasn't only his contacts it was whoever had rented the car before him. Oh, that's terrible. That is terrible. You got to be careful not just car rentals, now the charging stations I heard about this. And the airports are putting up charging stations and someone hacked the charging station. So when people go up and plug in for power so most smartphones power and data is the same cable. Right, yes. You have a pin for power, you got an open wire for data. You're plugging in, you're getting power and a lot more. Then you can be hacked that way, yeah? Well, it could be in both directions. True, you can be hacked. After I transfer to you then I'm going to transfer your stuff to me. Right, right. So we've got about one minute left. What do you want to tell us in our final minute as we go out you were mentioning something about the University of Hawaii and some NSF funding. They have an NSF grant. Jody Ito was at our InfraGard presentation the other day. She's a CIO? She's a CIO for CIO or CISO? I think she might be both. No, no, I think Garrett's CIO. Garrett Yashimi's CIO. He's CIO. Okay. And she does all the work. I get it. Now we've known each other for years. 
But there's an NSF grant that they just recently got specifically to help in the cybersecurity area. NSF is National Science Foundation. Yeah, yeah. Okay. And thank you. You did it. You did that. I gotta do that. We got an audience. But the information and stuff that we've seen on it is that it's got to be geared toward a cyber security like diploma or certificate or some kind of achievement that they can get awarded. But you could actually get funds for the place where you're staying. You can get funds for so there's other funds that per diem or whatever it's called that would cover other things that as a student. That's fantastic. And we just did one from the Department of Labor for the community colleges called the TACT grant. I'm gonna tell you I'm happy with that abbreviation stands for it's ridiculous. But next week we will have one of our students that just completed cybersecurity training from beginning to end. He came out of no experience and now he's a certified ethical hacker and he went through the community colleges. So we'll have him on the show and we'll discuss this again. Okay. Thanks for being on the show. Awesome. You were a great guest. Thank you sir. And as always, thank you Mr. Perfect for being here. Okay. Aloha everybody. And while you're out there remember, stay safe.