This is ThinkTech. I'm Jay Fidell at the nine o'clock block on a given Wednesday, and we have Chris Kubecka. She's a good hacker. Good hacker smile. There it is. She joins us, and she's been writing books about this and working in various places around the world to help people with hacking. Chris, say hi and hold up your book, your latest book.

Hello, everyone. This is my latest book, Hack the World with OSINT.

Okay, thank you very much. So we start with Colonial Pipeline. You know, what happened?

Well, Colonial Pipeline unfortunately did not have the greatest cybersecurity. And there currently aren't strict regulations that critical infrastructure companies like Colonial Pipeline have to follow. There's also the sticky problem of the fact that they had had an outstanding job post for a security manager for two and a half months. And it doesn't look like they were focusing that much on the risks of technology security, but more on the business risks. And technology risks affect business risks.

There's a problem here, and I was telling you before the show how impressed I was with this book that just came out about the Secret Service, indicating that the Secret Service we all respect and admire actually is not all that effective, hasn't been all that effective, and has been compromised in so many ways. And the public is wrong to believe that the president and his people are protected. And so the same here. I mean, we carry around this notion that the government will protect us, right? Can you give me just a handle on whether the government is competent to do this, how well it does in protecting us from big hacking jobs: hacking of government agencies, hacking of the military-industrial complex, hacking of the infrastructure. How well protected are we?

I'll give you a good example.
When I was 10 years old I was busted by the Department of Justice for breaking into the FBI, and things have changed. However, they have not changed enough. And one of the things that I run into is that for various government agencies, typically their focus is not cybersecurity. They might dabble a bit or have certain functions, like the FBI has a cyber crime team, but that is not their main focus. Even though we're seeing more and more that the majority of the costs of crime are now shifting from the physical world to the digital world, there still isn't a really strong focus where it needs to be. The government could become more competent. However, they're also constrained by the fact that it currently can take up to a year and a half to get a security clearance to work in those types of jobs. So how do you dynamically hire a bunch of good people when they can't actually sit at a computer and do their job? So that's kind of an impossible situation.

And another thing to understand about the government, and this affects most governments around the world, is they might have this team called a computer emergency response team. And that's for when everything hits the fan. Think of them as the fire department. Your house is already on fire, it's probably going to be lost, but they are trying to stop the blaze so it doesn't affect the other houses around you. But there are only a couple of countries in the world that actually have what I call a computer emergency prevention team, to actively look at critical infrastructure and go, hey, Colonial Pipeline, we found all these problems, let us help you fix these, because somebody could cause gas shortages along the East Coast of the United States.

So this is a great concern, because it is infrastructure. It affected millions and millions of people. It disrupted the supply of so many things, including gas products. And there was nothing we could seem to do about it.
And it was ransomware, and that was really interesting to me, because at first the news, plainly to see, the news was no, we didn't pay, we don't pay ransomware. One of my buddies said no, they do pay ransomware; otherwise they wouldn't have gotten it up again. And sure enough, a few days later it came out they did pay the ransom, $5 million. I wonder if the hackers could have gotten more than that, actually, because the stakes were so high. But you really have to think twice about how well protected we are and who is attacking us. Can you give us a handle on who might have been responsible for Colonial Pipeline?

This brings us back to a particular cyber gang out of Russia. And what's interesting about that is Russia does not allow the extradition of their citizens, no matter how blatant or open it is. One of these gang members actually has an Instagram account where he posts his supercars purchased with the illicit gains of ransomware. What makes it even worse, for those who want to do these types of attacks to make a quick buck, is they also were reselling what's called ransomware as a service, just like many of us use Office 365 as software as a service. So it's more complicated than it needs to be, but easy to do these types of attacks. And one other thing to add is the ransomware gangs have been watching very closely what cyber insurance pays out, and they try to stay below those minimums so that they can actually get paid. So they're really looking at the economics and how much money they can get without it causing too many problems.

So this is a bit of a digression, but I just read that two major Bitcoin companies have crashed this morning, and not a big surprise. They lost half their value, collectively in terms of billions. And I recall that the ransomware often asks you to pay off in Bitcoin.
So query whether, what I want to call the decline of the value of Bitcoin, has an effect on ransomware.

Absolutely. We've actually seen increases in ransomware types of attacks when cryptocurrency was higher, and then fewer attacks when it's lower, because it's just not as advantageous to do that.

Interesting. So, by the way, we're pretty sure the Russians do it; it's consistent with their whole attitude about things. But query, what about the Chinese? Are they also doing this to us?

Well, not so much ransomware attacks, because they generally don't need the money. However, there are other countries that do do this, sanctioned countries like North Korea and Iran, where they do desperately need the money. So North Korea is probably one of the bigger offenders in this area.

I have so many questions for you, but let me ask you the one that really appeals to me. So suppose I'm 10 years old, just picking that number, and I decide that I want to do something like this. High profile, tell all my friends in school what I did, whatnot. How would I start? And ransomware, or hacking as a service, as the case may be, how available is it for me? Can I buy it or subscribe to it for a dollar and a half and learn how to do this, and will it work?

Well, there are some packages that you can purchase or rent. If you purchase the software, it will cost you probably about $2,500 all the way up to $15,000. But of course you could do other types of attacks to come up with that money first, or you can rent the service, software as a service, and they will take part of the take of what you hit. And what you generally do, remember I am a good hacker, is you perform something called systems-based open source intelligence gathering, or what some of the intelligence community calls reconnaissance. And you will find your target and some of their easy vulnerabilities, because ransomware is a more simplistic attack.
It is something that attaches to things that nearly anybody could find. If you can recognize, "I found this hole, the ransomware can now go into it," then you've got gold. And then once you start doing that, you start making money. And then when you want to move your money out of cryptocurrency, there are services, which are the digital version of money laundering, called laundromats. And they will clean up your cryptocurrency so that you actually have cash currency in hand.

Okay, so the question that follows is exactly how does this work? How does this work for the ransomware user? How does this work in the computer? And it's okay, you don't have to hold back. Tell us what it's like to be a hacker. What steps do you take? What is the expertise involved, and how do you implement the plan?

Well, so you pick what you want to do. And there are so many different ways to make money off of cybercrime. We've all seen spam attacks. And spam attacks, by the way, do not affect just computers; they also affect the internet of things. There was once a spam attack that involved internet-capable refrigerators. So it wasn't just keeping the milk cold. And once you figure out the type of attack you want to do, which is available to the target, and also the type of software that you'll need to buy, the criminal software, you go ahead and link those two things together. You can also hide yourself. That's a big difference between a bad hacker and a nice hacker: you try to hopefully cover your tracks and avoid law enforcement knocking at your door. And once you do that, you also will set up some sort of encrypted communications, usually to keep conversations private, and also check out the financials of your target. If they are willing to pay and capable of paying X amount, and you don't want to be too pushy because you want your money quick, then you're going to only charge that amount. Quick in and quick out.

How does it work, actually?
I mean, what kind of software process is involved? I know I've got to find a portal, but is this software to find the portal? Now I found the portal. I guess, is it fair to say you can always find a portal somehow?

Always.

Thank you. Yes. So now I found a portal. What do I do with my portal?

Well, as long as your ransomware software package is capable of getting into the portal, and also, once you find either the operating system, like Windows or Linux or whatever it might be, or an application within it, it can then take advantage of a system in a couple of different ways. One is what we would call breaking it, making it unusable, unless you provide some sort of code or way or method to bring it back. Another way is through the use of encryption. Many of us encrypt our stuff every day, more and more. The difference is they're the ones encrypting, they hold the keys, and they will only give you the keys if you pay up. But on a side note, even if you pay up and they say they're giving you your encryption keys, some of the ransomware software actually cannot decrypt. So you've lost your money and your stuff.

Oh, how nice. Now, I don't have to code in order to achieve that, right? I can use these software products I can get off the net. I can just drag and drop and push buttons and create this monster that will go out there through the portal and do these things and encrypt, and maybe or maybe not decrypt. So it's not like I have to write assembly code to do this, right?

And it's becoming easier and easier every day. They make software packages available for those who know how to use a mouse and can point and click. Boom, you're in.

Well, that's troublesome. You mentioned before that Russia had closed down any extradition of its hackers, and as you know, it's a good strategy if you have the Internet Research Agency and other organizations in Moscow doing that on a regular basis, which I think they do.
So the question is, how do we stop this? How do we find the bad guys? How do we find the individual people and arrest and prosecute and convict and imprison them? How do we do that?

Well, I don't think we're going to change Mr. Putin's mind anytime soon about the extradition of Russian citizens. We do have sanctions, which sometimes work, but they also cost money, time and effort to actually enforce. And many times they're just on paper because they can't actually enforce them. There are several ways. For instance, the FBI has been able to nab individuals when they go on vacation to some exotic place, and they speak to the local government and say, listen, we want to take this person back. That sometimes works. But another way that works, and this is something that the Dutch have been doing for a while, which is a bit unique: they actually have a place in law where, as long as a prosecutor signs off on it, they can hack back. And this was part of what was done in this particular case, where they went after the wallets of some of these individuals of the gang. And they made it economically much more difficult for them to get away with this by taking some of their cryptocurrency. They can also hack into their systems, get to their contacts and generally make life difficult for them.

I just wonder, in identifying a potential hack, are there signals that I should be looking for? Or does this happen all of a sudden? Is it a ramp-up? Is it some telltale signs, canary in the coal mine sort of thing? Or is it bang?

Well, yes, there actually is. There are ways that you can see that people are probing your systems, and you can set up alerts for that. There's also a system called canary tokens, where you can actually set up little canaries in the coal mine. And if any of the juicy bits or areas are accessed, it alerts you. What it does is say there is no legitimate purpose for someone snooping around or going in this way or that way.
So now you know you definitely have a problem, because the canary has died.

You know, I've often thought, maybe this is a naive tale, but I've often thought that if you could reorganize the internet, if you could make everybody stand up and identify himself or herself before they had access to bloody anything, then you could stop this. But how likely is it that the internet can ever be reformed that way?

I think it's pretty unlikely for a couple of different reasons. When the internet was set up, they had no security in mind. They did not think that it would be the way it is right now. So anytime you have to bolt on things, it's going to be much more difficult, clunky, and not going to work the way that you intended. So I think we have to look at an alternate type of internet that is actually set up more for security. For the identification portion, not everyone is going to be able to produce a valid ID, or you can quite easily fake these things. Several years ago, a journalist from the Netherlands and I got IDs that looked very much like German identification cards at a conference. And he used his to get into about 30 different government buildings, because they didn't actually look all that closely. And he did a news story on it. You can easily fake these things. And then if someone wants your ID, like Instagram or something like that, they just ask you to take a picture with your face in it and your ID. But they don't actually check to see if the ID is valid. So it's not a very easy thing.

There's always a little social engineering involved.

Absolutely.

Social engineering gives you some tremendous leverage. Suppose I am the IT manager of a very large utility company in the United States. And this utility company is connected by the electric grid to a large geographical area in the United States. And the damage that would be done, if somebody hacked this, ransomwared it, or just brought it down as a geopolitical decision, brought it down.
Call it war, if you like. And I am responsible for stopping this and defending against it and protecting. What do I do? Do I call you up, Chris? What do I do?

You can call me up. You can also contact your local computer emergency response team, who should be able to get involved and help you with the contacts of who you call next. And there's even some talk of, in certain circumstances, your National Guard being capable of assisting. However, since most National Guard are not cyber warriors, that still would have to be matured and thought out very, very carefully.

You know, one thing that has struck me over the years when you read these stories about hacking and cyber attacks is that they seem to happen at random, but never in close proximity to each other. In other words, you wouldn't find one one week and one the next week. So they're spread out, and they happen, it seems like, only after you've gotten complacent, only after you've come to the conclusion, hey, this doesn't really affect me, I don't have to worry so much, and then bang, another one. So is that the way this is done? And if that's the way it's done, the people who do it, especially if they're coordinated through, for example, the Russian government, they could do it in quick time too. They could bring the grid down in the northeast and the southeast and the west and so forth, in quick time. Is there anything preventing that, or is that something in the future?

It's difficult to prevent if the organization is not actively looking for ways to get in. And I'm glad you mentioned the Russia example, because there's a reason why I put a picture of Putin on the back of my latest book.

Can you show us the picture? See the picture. Candor, the power of candor. Probably not allowed in Russia now.

But also, when they hit organizations, they try to divert resources.
They're going to pick not Monday morning at 9am; they're going to pick a holiday period of low staffing. They're also going to say, hey, if I get, say, the FBI cyber team out to the northeast, I'm also going to hit the southeast, then I'm going to hit this other area and this other area, so that they're spread so thin that they are not as effective as they should be or could be. But there are ways to do this, and if they're not as effective and there are multiple things getting hit, that means that it will be also more likely for you to pay the ransom.

Yeah, and it seems to be, I mean, I'm not suggesting that the individual is off the hook here, you know, me running my computer at home or my laptop and so forth. It's more likely, is it not, especially with sophisticated attacks, that it'll be a big company. And it seems to me also that it's getting bigger and bigger, not only because of the ego trip involved but because we can.

Imagine this: nowadays warfare causing a crisis used to involve people on the ground, sabotage teams, tanks, planes, some boats, but you can now do that all at the click of a button over the internet from anywhere in the world. So the amount of effort that it used to take, moving people and the logistics, now is just in digital form and done very, very quickly once you find a hole. So it's moving more and more towards that, and even crime in general is moving more towards the digital world. We've seen with the pandemic there have been some crimes that have been cut down, but at the same time cyber crime has gone up, because we couldn't see each other. And we're also seeing traditional criminal gangs move into cyber, because it's a higher profit margin. They don't have to worry about the logistics of smuggling these arms or these particular drugs. They can make the same amount of money or more from anywhere in the world, in a location where they can't be extradited from.
You know, it seems that ransomware is a pretty good business model, because you can be a ninja. You can operate with a small cell of people in Albania, and nobody will know you, and you're not working for anyone else particularly, just working for your own profit, the profit margin on the cost of doing it versus the benefit of having the ransomware. I'm wondering also if there are other business models out there. For example, somebody comes to me, this is a horrible example, somebody comes to me and says, you know, I'm a big company, I have a competitor, I want to bring that competitor down. Okay, so I'm the same guy in Albania, right? So I'm going to pay you a million dollars to bring him down for a few hours on a given Thursday. I can do that. Okay, go do it, and I will pay you in Bitcoin. It'll be our little deal together. Is that another business model that you find in this area?

Yes, there is, especially amongst competitors. We've seen in Texas there was a case of a hacker that was hired by one oil company to attack another oil company. When it comes to critical infrastructure, it goes all the way up to the point where, for example, over a two-and-a-half-year period the Iranian government approached me personally and offered me $120,000 a month to teach them how to hack into critical infrastructure, with a focus on nuclear facilities.

A lot of these state actors are just as irresponsible as the guys in Albania, I have to say. And it seems to me that where we're going with this, Chris, is we're going to have more hackers. And the defensive mechanisms are not going to keep up with the hacking mechanisms. And we're going to have more random infrastructure attacks, random institutional attacks, random attacks on government, but we also have the risk, as you alluded to, of a war where you try to take another country or group of countries and just undermine everything, and not a shot is fired. Nobody's hurt.
There isn't even a physical expression of the war. It's just that all your infrastructure came down and all your institutions are inoperative. I mean, is that where we're going on this?

I believe so. Certainly cyber crime is a growth industry, but so are digital arms, which are sold around the world. And they've got different purposes, either for criminality or for governments to attack other governments or surveil them. And there are some countries where part of their GDP is driven by some of these digital tools, which can also unfortunately be used as weapons to do this. So it's going to keep getting worse, because it's kind of easy to do. It's easy enough for a 10-year-old. It's easy enough, looking at a few videos and taking about half a day to watch these videos on various places similar to YouTube, and making a few grand that day, your first go out.

It's not bad. That'll buy you a lot of sugar candy, if you like. So what about the Rip Van Winkle sleeper thing? For example, it occurs to me that in the case of Colonial Pipeline, they said, the government said, I guess, or the oil industry said, we had to take a few days and look at it and make sure that it was clean. Actually, take a few days and pay off the ransom is more like what happened. But is it possible, is it happening, that the cyber attackers are leaving little crumbs behind, very hard to find these crumbs, but they can be activated at a point in time later? Is that the kind of thing that happens? For example, if I buy software that comes from a Russian company, and there are some doing grand business in the United States, very good software, could it be that they are leaving little crumbs, and one day they can activate 20 million computers to do something as their agents in a kind of mesh network attack? Is this possible, with the crumbs?

Yes, it can be possible.
We actually call it a logic bomb, for a reason. And I'll give you a good example. In 2012, Saudi Aramco, a big energy company, was hit with one of these, a logic bomb, which sat in their systems for months, and only at a certain time, at 11:08 am on August 13, 2012, did it activate. And then it destroyed about 80% of their computer systems inside Saudi Arabia and caused something similar to Colonial Pipeline, where there were gas shortages, because their systems that actually load gasoline onto those tanker trucks were affected. And it affected the country of Saudi Arabia and Bahrain, eventually Qatar. And so we were looking at, if they did not restore their systems in a timely manner, 39% of the world's energy was affected, and a barrel of oil could have gone up to $450 a barrel.

Looking forward to better times. So, last question, Chris. Tell me how I should think about this. Tell me how I should think about this as an IT manager for a company or a government agency that is a potential victim. Tell me how I should think about this as a member of the public concerned that my society is protected. How should I think about this?

As an IT manager, there are many low-cost, no-cost tools out there where you can actually set alerts and look proactively at your infrastructure. Because even if your team isn't doing all of the management, your third party might, and all they have to do is make one mistake and you've got a big hole. So if you do not have a great budget for security, there are ways that you can actually address it. For governments, they need to look at proactive security. We need smoke alarms before there is a four-alarm fire, and a way that the public trusts us to speak with the government and go, yeah, here's some data. We weren't sure before, but we think so. And they're not afraid of getting hit with a big stick for reporting what might be a crime or is a crime.
If you're a member of the public, if you get hit with any sort of ransomware or spam attacks or things like that, although not all police departments will be receptive, there are some that are, and you can also contact the US government's national CERT and report what had happened. And they add that to a database to try to figure out how to stop it. And they've got various alerts and things on how to keep you safe. And there's a database of some of the encryption keys for ransomware that hit consumers, so you can unlock your data.

Well, we live in strange times, getting stranger. And I think more and more this is going to dominate our society. And all I can say for myself is that I'm concerned, and that if they catch anybody who is charged with hacking and ransomware and the like, call me, because I want to volunteer for the jury. I have a few things I want to say to the other members of the jury. Well, thank you, Chris. We have a question from a viewer. How effective are antivirus solutions at detecting ransomware encryption in progress and halting files from being encrypted en masse? And let me add another one along the same lines. Are encryption keys typically discovered and released after a period of time, after the malware has been analyzed, or is it wishful thinking to hope for decryption keys to be released? Can you get around that one?

Antivirus, some antivirus is better than others. You have to be very aware of that, even though your role might not be in security. So the antivirus sometimes works, but very much like with COVID, it needs to know what the illness is before it can actually build a vaccine to address it. So if you're one of the first, you're kind of out of luck. On the encryption key side, sometimes they can actually analyze the malware and find a way in, because sometimes malware has its own exploits that a government agency or an organization can actually exploit.
And once they find those keys, there are two places you can find them. One is via US-CERT. And another is EU CERT, which publish those keys as soon as they're found, and you can then use them to decrypt.

Chris, can you give us your website so we can take a look at this?

Yes, it is MEI.edu, which stands for the Middle East Institute, and my area is the cyber area, where I write about and also write policy on these particular topics and how they affect us.

It's been great to talk to you. I have a feeling that I would like to call you again for the next major attack, so we can share notes on that one too. Thank you, Chris. Chris Kubecka, really enjoyed this conversation. Thank you.

Thank you so much, Jay.