I'm Dave Stevens. Welcome back to the Cyber Underground. My name is Dave Stevens. I'm an IT and cyber security instructor for the University of Hawaii Kapiolani Community College, and I have this show on Think Tech Hawaii to connect you, our viewer, with everyday cyber security connects to your life in more ways than you might know. Today I have with me Frank Haas and Gordo, the tech czar. Gordo, our co-host. Gordo. It's great being a co-host like that. You know, I'm just another pretty face. A lot of you are great. And I just sit here and you do all the work. Nice spin-off, by the way. This is a spin-off. That's right. Gordo is the host of Hibachi Talk, and I've been a guest or co-host on there about four times, and we're doing a spin-off show. That's what this is. And how did you put it, Gordo? It's like there was Cheers and then there was Frasier. There was Hibachi Talk, and now there's your show. And that was my show, so I get to be Frasier. You can be Frasier. I'm Frasier. Oh, wait. Well, you know, he got married a number of times too, you know. Oh, I'm sorry. Let's see that. I joke with people. I came out to Hawaii for the job and I stayed for the divorce. There you go. That's how it happened. And I got my solo cup, so we're all set. That's right. Let's all take a nice shot of water. Yeah, but what, WC feels it. It put water in my water. Oh, that's refreshing. It does a body good. That's our guest today. This is Frank Collins. Oh, we have a guest. Oh, here we are. Oh my god, where'd you come from? Hello, Frank. I thought this was cyber comedy. Well, we kind of try to mix it up here. That's fine. Mixing it up is what it's all about. Frank, you lecture at Kapiolani Community College, but you have a wealth of experience in hospitality and tourism. Why don't you tell us a little bit about yourself, how you got here, and what you're doing now. Okay. Well, how I got here is a long story. The U.S. Navy is the short version of that story. 
Would they just kick you off the ship and you got here? No, I was actually headed to Vietnam and for some reason they changed my orders and said, we want you to go to Hawaii. And I said, okay, I can do that. Yeah, all right. So I was stationed here for a few years. I went back to the mainland, got my MBA, came back here and I worked in a bunch of different jobs. My wife says I can't keep a job, but I worked in advertising. I've worked in fast food and marketing. I was a director of marketing for Hawaii Tourism Authority. In my advertising career, I've worked on a lot of hospitality and tourism accounts. So I've seen how that all plays through all the issues that very complicated industry faces. And we're here to talk about one important challenge. They're facing a big challenge. What could that be, Frank? There's a lot of things going on right now. I mean, before I get to what we want to talk about, I mean just the whole idea of security in general. When you've got a situation where they're saying we need to do serious vetting for people to come into the, to travel. You've got people scared to travel because of terrorism. To get a visa from China, I don't know if you know what's involved, but it costs a lot of money. And you have to bring, for the Chinese to come here, you have to have like your lease for your apartment, your utility bill, your, you know, it's like 10 different pieces of documents. So I had no idea. Yeah. So it's tough. It's tough to travel. Well, they're coming here with all that money to buy the condos and kaka. They got it anyway. But cyber security is another thing that's hot topic right now. So I assume that's why you invited me. Yeah. Why is it important to your industry? Well, hospitality embraced the tech world much and e-commerce, especially much faster than other brick and mortar businesses. I mean, in retail, you can go to, you can go buy a book at a bookstore or you can buy it from Amazon. You can go buy something at a store. 
You can buy it from eBay. You can buy it from some other e-commerce. But, you know, the whole transaction for travel is there's really nothing physical. It's a purchase of a bunch of services. And that's really easy to do in e-commerce. And that's why the hospitality industry embraced it. That's a huge portion of what we do. And it's a very complex transaction. So e-commerce was a way to make that easy for the customer. You take a lot of risk when you go to the bleeding edge of something. When you take that risk of being the first in an industry. And I think tourism was one of the first to venture out in the industry of e-commerce because they knew that there was potential for growth. So tell me, how does that affect the industry? I mean, on the bleeding edge and how do they cope? Well, there's a lot of dimensions to that. It's completely changed some of the distribution models in tourism. I mean, 30 years ago you had travel agents that had you sit in office, you go see the agent. Yeah, there's still some of those. And they managed to survive a portion of those and managed to survive by changing their business model. But that conventional business model they had, which was selling stuff at a storefront and taking commission on it, that doesn't happen anymore. Because of e-commerce, the airlines figured we don't need the travel agent anymore. You can book direct on our website. I'm the travel agent. You're the travel agent. And then into the breach came these online travel agencies. They said, well, people still need to put stuff together. They need to have an air ticket, a hotel, a car and all this stuff. So OTA's online travel agencies stepped into the breach and they get very, very high commissions and margins on that stuff, which has changed the industry as well. But all this activity online has really attracted people who say, hmm, no, there's a lot of money sitting around. There's a lot of money there. There are people who want to get a piece of it. 
And all those people are good guys. It's real easy to steal money online. Why would you rob a bank? Yeah, there's less risk in online. I think back in 1991, in the early days of the internet, the National Research Council said exactly that, the modern thief can steal more with a computer than with a gun. Yeah. So we don't need weapons. And the warranties were out on the missiles that we just shot over to Syria. So those warranties were out. We have 59 missiles. It wasn't 60. We shot $50. Well, that's why we shot them all. The warranties were expired. So we had to get rid of them. Yeah, bury them in a Nevada desert or get rid of them. You've got to rotate the stock. It's how you do things in the military. Sorry. We're off. This is not my show. I'm going to keep my mouth shut from this point forward. Anyway. So there's a huge risk in this industry and an enormous amount of loss year over year. Can you discuss the kind of loss we incur in the travel and tourism industry? And where does that loss come from? Well, it comes from a bunch of different things. Some of it's hacks. Some of it's just a loss of business. Some of it's lawsuits. Somebody in the travel industry estimated that overall losses in the industry is about a little under a half a percent of profit. And, you know, in a for-profit business. But what's the size of the industry? Oh, it's a trillion dollar industry. That's a lot of money. That's a lot of money. $400 billion. I don't even know what a trillion is, but I can tell you the difference between a million and a billion. So a million seconds is 12 days. And a billion seconds is 32 years. So can you imagine what a trillion seconds must be? It's got to be hundreds of thousands. Hopefully it's my lifetime. So that's the kind of money we're talking about. A half a percent of that is a lot. That's a lot of money out there. Yeah. The losses are pretty big. IBM has estimated that the average breach costs an average company about $4 million. 
So these small-time players would get devastated by this kind of a breach? If you want to look at it on a per record basis, the estimate for, if you get hacked, it's about $158 per record. So if you're talking about 10,000 records or 20,000 records, that's a lot of money. That's on the travel industry records? That's general. That's general. Well, I believe that's what Visa and Mastercard might charge the customer or the vendor for losing that number. Plus other affiliated charges. That's on average, which includes lawsuits and things like that. I mean, that's a huge number. When you're talking about a couple hundred thousand. It's not a couple hundred thousand. When you're talking about some of the big breaches that there have been. It's the B word again. Yeah. I've got some notes here. Epsilon compromised a bunch of, they handle a lot of business with Fortune 500 companies and they had a breach that cost them between three and four billion dollars. That affects the bonuses. Sony in 2011 had a breach of 100 million customer records. And that was 2011. You'd think they'd learn their lesson. No, no, no, no, no, monomy. They got hacked again. And this time it cost them about a hundred million dollars. Oh, I mean, that makes me cross my legs. That hurts. So yeah. So my question is like, you know, the travel industry, because it's so, that's the word bifurcated, but it's everywhere, right? Yes. There's so many different people touching the pieces of your record. One of the reasons we're such a good target is we have, okay, we're so big, we have, we have a lot of data. And it's not just, it's not just your financials. It's, it's names. Family members. Yes. We're a rich data source for thieves. We, if you're booking a trip, we tell you your name, your payment information, credit card information, but also dates, dates of travel. Yeah. Names of other people. And then we give it to somebody and say you're booking a cruise. 
So you call a travel agent, I'm going to book a cruise. So the travel agent takes your information. What does the travel agent do with it? Well, they have to call the cruise line and give that information to the cruise line. If they're booking your air, they, they give to the airline. The cruise line then takes that information and say, okay, we're going to, we're going to book a shore excursions. So they give the information to shore excursions. And the information just goes out, all over the place. And that's why, you know, if you, if you can crack into the visitor industry, it's a huge. From the hacker's perspective, these are called multiple attack vectors. There's multiple paths to get into this information. And you don't have to hack the big Sony. In fact, they can act a smaller vendor and get in. Weakest link. And take the cruise example. I mean, some of those service providers, some of those shore excursions are in Lithuania. It's a little town somewhere. Mazelon. Whatever. Kauai. Kauai. That's true. Yeah. So when, when we're, when we're travel industry, when we're any industry and we're taking credit cards, what's some of the liabilities that we accept, some of the risks that we have to deal with being a credit card accepting kind of company? Well, the part of the risk is just being hacked. That's the first thing. The other is that, that if you are hacked, the rep, your reputation's on the line. I mean, if you're a Starwood or a Hilton, you just don't want that. Home Depot. Target. Then there are losses. I mean, the, one of the, one of the newest threats in the travel industry, we've been watching people steal financial currency. Right. You know, they hack, they, they take their money. That's why I got money in Bitcoin and don't let me get started on that. The latest and greatest thing, because the travel industry started to get more sensitive and secure about, about currency information. 
But they were, they're also sitting on this, these other assets called member benefit stuff, miles, points. People have hacked that, steal the points, put it on the dark web. You can go on some dark web sites and actually put a package together. You can buy, you can buy air seats. You can buy hotel rooms. You can buy rental cars. You can do it all. On miles that you don't even have. Right. And that's a form of cryptocurrency, no matter what you look at. Well, you can buy those miles on the dark web using whatever currency they'll take. Whatever on your Tor browser. I'm not telling you how to do this stuff, but there's just ways to do this stuff. When I teach, I introduce my students to the Tor browser. And I'm always a little nervous at KCC as I bring it up. No, I do the same thing in my cyber classes, but I tell my students, do not have an expectation of privacy in any circumstance. Even Tor will probably be open to somebody who has the time and resources to try to hack the browser. NSA, CES, CIA, FBI, the Kremlin, whoever wants to get in really has the time and resources and finance to put enough people on that, they'll get in. But Tor can't protect you from the script kiddies. The people that are just out there practicing with some tools that they downloaded off the web, you're safe from them. The problem is when you look at the Tor browser, I mean, it's really slow. Right. But then you're getting encrypted randomized links throughout the Tor network, which is kind of... Which is why it's slow. Which is why it's slow. It's why it's doing all of that stuff. Okay, we're coming up on our break, but really quick. Why the hospitality industry in particular? Is it just because they have so much money and there's also banks out there? But hospitality, is it multiple attack vectors or it's just the ease of entry? Well, part of it's the ease. One of the things about hospitality is that we're hospitable. We want to make it easy for our customers. 
So do we want to have really strict protocols on two forms of identification or other things a normal company might do if you're worried about security in the hospitality industry. We want to make it quick and easy for people to do booking. Otherwise, someone might choose another vendor. Yeah. The convenience is always going to kill that CIA triangle of confidentiality, integrity and availability. It makes something too available. Confidentiality and integrity fade away. You flatten out that line. And that's a huge deal. Okay, we're going to take a break. We're going to come back in two minutes or one minute. We've got one minute. Hi, I'm Marianne Sasaki. We just completed another great episode of Life in the Law. And I'm here today with Jay Fidel. Hi, Jay. Hi, Marianne. And what do we love about the law, Jay? There's so much to love about it, right? There's more to love about it all the time. No kidding. We have to be a nation of laws. We have to be a nation of laws. We have to be diligent nation of lawyers and citizens. It's all about the rule of law, Marianne. The rule of law is alive and well and life in the law. Yes, it certainly is. Tune in every Wednesday from one to one-third on Think Tech. Hello, huh? How are you doing? It's me, Angus MacTech, asking you to come join us on Think Tech Hawaii Hibachi Talk. Join me and my two hosts, Gordo the Texan, and enter the security guy every Friday from 12.45 till 13.45. See you on Fridays. And remember, play your wing gang free wherever you be. Welcome back to Cyber Underground. I'm Dave Stevens with my co-host, Gordo the Texan and Frank Haas, a lecturer at Kapiolani Community College, talking about the dangers in cybersecurity relationships in the hospitality and tourism industry. Now, we discussed a number of things, and I'd like to ask you about the latest and most concerning threats. Well, I just mentioned the people stealing points and other assets that are not money. You can plan a whole vacation. 
Yeah, you can plan a whole vacation. Certainly denial of service if you're an airline, if somebody wants to shut you down. Delta had their computer system go down. I don't think it was a cyber threat, I don't know. Yeah, I remember that. But it was recent, and it basically shut down the airline for a couple of days. Delta stands for DELTA, doesn't ever leave the airport. That's my Delta. There's a little shot down here. You've been taking Hawaiian everywhere now. All of the airlines have one of those. I know, they do. The Northwest was the one that was North Worst, you know. North Worst. I knew that it was untidy. I mean, they all have their own. Actually, when you talk about threats, apart from cyber crimes, one of the threats is your reputation. And a lot of these airlines, a lot of the hotels, have sites that are created by unhappy customers. There's a site called Untied, which has a big disclaimer when it comes up that this is not the United Airlines site, but it's unhappy customers who are posting. Also, there are things like Yelp. It's like Yelp, you get blamed for things maybe you didn't do. Well, the challenge in the service industry is even the best, even the Four Seasons of the world, the Ritz-Carltons of the world, it's hard to be 100% with guest service. There's something I teach, a marketing course, it's called the heterogeneity of service. I can't even spell that word. That's why it's in college. See, we don't understand. In the IT industry, we shoot for 100% reliability, and we always get there. It's never... But you're not dealing with this. You're getting a lot closer. Damn hearing aids are acting up again. The problem with hospitality is different people are providing that service all the time. I mean, I can go to the front desk of a hotel, I have a really hospitable, friendly, well-trained person, and then I come back the next day, and it's a new hire that doesn't know where anything is, it's got a bad attitude that day. 
So that's a challenge where we have a reputation. And customers now, when they get some bad service, they'll go on, create their own website. Create a website, they're going Yelp. I used to... When I was in advertising, I used to advise my clients to register whatever their company name was, SUCKS, because if they weren't going to own the name, somebody would do it. They could block it from that. Well, they don't... I bet it... If I actually talk SUCKS, I better go get that one out. I better go get the cyber... I better go get the ground SUCKS. Better than you have it. There's so many else. That's great. I need a cyber squad on that right now. They're going to do the KS and the X, and they're going, oh, that's a lot of domains, man. That's a lot of... You need to buy in both, man. Dot org dot com dot name. So we're looking at a lot of things, though, right? You asked about risks. Some of the other risks are... RVs just got hacked, and a lot of their customers are joining a class action lawsuit. Not only is it bad reputation, there's legal fees, there's probably going to be a settlement, so that's a lot of money. And ransomware now is costing a lot of money. A lot of money, and people are falling for this left and right. And if you're a ransomware attacker and someone pays you the money, you still have the choice to unlock the software or not. If you really want to get away clean, you don't send them the key to the software, and you just walk away. And that's a huge problem. I mean, we've really had businesses here that have been affected. I think there's statistics in... I was looking at Threat Brief this morning, and a huge population of big companies in Great Britain have been the victims of ransomware, and they're not... They don't want to tell anybody. Well, here again, the hospitality industry wants to be responsive. I mean, they're trained to... You get an email, you respond. So you get something that looks like it comes from... 
Oh, you want to be right on it. I want to respond right now. Right. Right. Yeah. And then, you know, with social engineering, these ransomware emails look legit, and they've actually gotten pretty sophisticated in terms of their look and feel. And, you know, boom. And guess how you pay the ransomware? I just got to insert this. I just got to do it. Bitcoin. Bitcoin, right? Bitcoin. And guess what? The state of Hawaii shut down Coinbase, which is one of the largest Bitcoin traders exchanges in the country, and the state of Hawaii shut them down. So now, if someone gets a ransomware attack, those of us that get called to help them out have to find another way to get their problems solved. Someone on the mainland problem. Yeah, yeah. Like, they think you're going to shut down every Bitcoin in there. And now, there's always going to be some... All day long, I've been... I was looking at the message that comes a little bit for somebody that hits... It didn't happen to me, but somebody that hits the ransomware response. And it's instructions. It says, first, download... Here's how you download Tor. Here's how you're going to have to pay for it, and then you're going to get this key and you have to install the key. They're very customer service friends, actually. But a good thing for the viewers that watch the show, that if you go to the FBI websites and a number of websites, they do have the keys. So a lot of the keys now have been published. Oh, they've been reusing the keys. So they've been reusing them. Don't figure that out. That's... At least for... Paying it, go check to see if the key is there, and you might be able to get it unlocked without having to go through the payment. I can't believe how easy this is now, though. There's a Security Engineering Toolkit, or SET, set. You can download this. It comes with the Kali Linux flavor, and all the cybersecurity tools are on it. And if you know how to do a little bit of Linux, you can operate this thing. 
It's just a menu-driven program. You go and you copy facebook.com or whatever you want, and you send out emails via this program. It's... In 15 seconds, you can get this working off your laptop. It's insane how easy that is, and you can get people's passwords right away. Yeah. Well, and you can buy identity on the dark web. Oh, the dark web. Yeah. Any websites I don't want to be a member of, actually. You were talking about what other things are going on with the visitor industry, the sex trafficking. Get information about that. It's marketed through the dark web. So... There's some sick folks out there. Yeah. That's sick. The dark web is pretty incredible. Now, you were mentioning to me events called Black Swan. You describe that for our audience and how that affects your industry. Well, Black Swan is something you absolutely can't predict because it's never happened before. It's outside of your realm of logical thinking. 9-11 was a Black Swan. Nobody really thought that somebody was going to get in an airplane and drive it into a building. But it happened. The question is, almost by definition, it's impossible to predict Black Swan because it's unpredictable. The terrorism version of zero-day hack. But the way to do it, or the way to at least try to do it, is I know, I've been talking to you, David, about some of the stuff that you do. It's the white hats and black hats. You do what the US Navy does. They do war games. You know, the blue against the gold and see who wins. I was reading about Pearl Harbor. And prior to World War II, there was a war game where the enemy team bombed Pearl Harbor. And they figured out how to do it because the harbor is shallow. They figured out how to develop these torpedoes that would run in shallow water. And they actually successfully attacked Pearl Harbor. And documented it. And documented it. And documented it. And the US Navy didn't believe it. So they ignored it. 
And I don't think they showed that documentation with the people that were in charge of Pearl Harbor in 1941. Well, we need to do sort of the same things where people game, try to break into systems, try to test the systems. And I know you're doing that. Yeah, right now, yeah. We do that. We do the cyber defense competition, collegiate cyber defense competition, CCDC, every year. And we also have another competition called the National Cyber League that happens two or three times a year, fall and spring at a very minimum. And then we have Paul Ihe, which is here at UH. We do another cybersecurity competition. And these are all capture the flag, red team, blue team. And we have a defensive team and an offensive team. And we practice attacking networks. And the networks are simulated companies. You have a web server, file server. You have customer service agents. And then you have things called injects where the judge will inject, oh, my website went down, or oh, I need to recover my password. Please walk me through these steps. And they try to socially engineer those people. So if I can just interject, because I've got, I'm using your skill sets of the students to do white hack hacking of clients, right? So who have agreed to have you come in and do this. I think it's important that people watch this show that realize that if they want to have someone come in and do a white hack to test their security systems, you're doing that now. You're providing that. We have an ICT club at Kapiolani Community College that does actual penetration tests on private companies for donations. What you have to realize is the black hats are doing this all the time. Oh, I know. That's exactly how they come up with the black swans. We finally get security in the securities of the airports. And what do the terrorists do? They set off a bomb outside of that. They did that in Istanbul and Brussels. 
You know, they get screening of certain explosives that get caught and they invent liquids. That's why you can't bring liquids on the airplane. Oh, yeah, the binary liquid combinations, right? So the black hats are always doing that. So it's incumbent upon industry, the private sector, to have the white hats do that challenge and see how they can. There's another thing, though. Not only the penetration test, but what I'm finding is that most companies will say, we've gone out and we've hired a couple of cybersecurity professionals. They're going to protect us. And I tell those people, no. This is a hive mentality operation. You need to get everybody involved. If everybody knows what these possibilities are, then you're much more defensible than if just one or two guys are trying to go out there and protect your network. I love that term hive, but it really translates to having a culture in the company that understands the importance of security and cybersecurity. And that starts management all the way down to the front desk. A lot of what I teach at Kapiolani Community College is just be aware. Whether you're running in the front desk or a department, you need to know that training is important. Awareness is important. Security is important. And then it's got to permeate through the whole staff. Continuous, because you're always rotating people through there, yeah? Okay, so we're almost done for today. I want to thank Frank for being on the show. Happy to be here. And Gordo, you're always welcome. I love having you. But anytime you provide the water, man, I'm here. Take another sip of water. Thank you so much. And we'll be back next week with another episode. I think next week we're going to handle cybersecurity in academia, which is a huge deal. That's a joxymoron or whatever you're going to call it. Oh, oxymoron. Well, let's give everyone a great big aloha, everybody. One, two, three.