 Hey, Aloha, and welcome back to the Think Tech Hawaii studios. Andrew, the security guy here with another episode of Security Matters Hawaii. Got Dave Stevens, the professor in the house with me today, president of Kapu Technologies amongst his other various duties. And what we're going to do is we're going to kick around National Cybersecurity Awareness Month as ending. I thought we'd get a wrap on kind of what he's seen because he's got a special lab over there they play in. And recently to kind of give some closure to this thing, we had a lot of sessions going on around the state. Some well attended, some not so well attended. We had a lot of great questions. And it's been fun. But Dave, you know how I always start with, you know, what's keeping you, the cyber guy, what's keeping you up at night these days, man? Well, first of all, got to make a correction. I'm not the president. You're not? Oh, no. No. It's Lee the president. Lee is the president of my life. Okay. So he lives like I do. He knows who should be in charge. And that's Lee, which is his wife, which is a commend you for that decision, sir. It stood me well. But you can find yourself concerned about your paycheck. So you got to keep your skills up. I got to be relevant. To my own company. You've got to maintain value in the organization, I'm telling you, because your wife will have a different way of measuring that value than perhaps you will. That's all I'm going to say. I got to go by her measurements. Yes, you do. So that means it's like, you guys, it's a minority woman-owned business. That's what gets us the better deals, I think. And she's got just as much education as I do. Like Christine, we all graduated at HPU. Yeah, yeah. Right on. We all got our masters out there. And she got hers first. So I don't mind working for her in the least. It doesn't keep you up at night. You're not worried. No, not at all. Somebody else is in the lead. That's great. It's usually not bad to be the cart, actually. 
Sure, cause. I don't mind at all. So yeah, I teach for the University of Hawaii, Kapiolani Community College, and I teach ethical hacking and network security. And the things that keep me up are people. Oh. People. So over 50% of attacks start as social according to the latest Black Hat survey of the hackers that attended Black Hat. So the people that actually went to Black Hat and identified themselves as hackers said over 50% of the time they will start with a social engineering attack first and the second one they'll attack. And this is kind of scary. Over 20% of the attacks are against OS and application vulnerabilities. So the top two things you can do to keep yourself safe are train your people and update. Patch your stuff. Patch your stuff. This is too easy as fixes and it eliminates three quarters of the problems. Why don't people patch their stuff? Let me ask you that question. Oh, there's organizational differences, right? Everything from, you know, the board doesn't understand it. They don't want to release the money to do this on time. Or unfortunately companies make specific applications in-house for certain browsers. And you cannot upgrade that browser and that operating system unless that application is upgraded because your whole system runs on it. And they say, well, it's too much money and it's going to take too long and it's too much effort. Unfortunately by the time they choose to do it the national health system in the UK is one of those victims. Wow. They didn't want to upgrade. They kept pushing it off. We had Windows XP and Windows 7 on there, the SMB 1.0 and that's why WannaCry just went rampant on their systems. And it was a piece of cake. Once you get one, you got them all. And that SMB vulnerability was known. Oh, known for years. Yeah. It was known for years. And so hackers go look at the common vulnerability database. ExploitDB.com. 
This is a simple list for these guys to find and they just run their scripts against your stuff to find out what kind of vulnerabilities you got. You don't have to be an expert. It's kind of like shopping. They just go shopping. That's right. So you can be a script kiddie, which is the guy that doesn't know how to do this stuff professionally, but goes and gets the script because they give you the script and they tell you what tools to use and it's all free and you just set it up and fire it off and go get a cup of coffee and come back and see what you got. And it's that easy to do. And so things like OS vulnerabilities, patching your stuff and applications and training your people, you know, eliminate 75% of that. And so if the hardware attacks difficult or you're patched and you're looking good, they pick up the phone and call you and they're all of a sudden tech support from your company or they work their way in. That's open-source intelligence and intelligence gathering. Yeah. So I watched a demonstration of this happen. It's on YouTube right now. You can go look it up. This is great. He called one person and said he was tech support and got all their information and then he called somebody else and said, I'm that person and he called tech support and tech support helped him out. And he said, well, I'm trying to open this PDF file. If you could browse to this website and open it for me, you could prove that it's actually opening and it's just something on my system. So the tech support guy did that. He went to that site, opened the PDF file and instantly was compromised. And as he was on the phone, the hacker just typed in a command line and got his entire sys info on there and so he knew he was on the inside. And you know, once you get on the inside, that's your pivot machine. Sure. You pivot, you scan the network, you escalate privileges and attack the main server. Okay. Yeah. And it took him less than a minute and a half. Yeah. So there you go. 
You're hacked in 90 seconds. So we went through a lot. I had a couple sessions. I did a session for NCSAM at the library. Yeah. I did. We did a thing at the mall. We were coming in and it was interesting how many people have actually had something happen. They're sitting there talking to us during our session, well, you know, I keep getting these phone calls from so-and-so or I keep getting these pop-ups saying I need help support for my computer. Something's wrong. And so I was amazed that they actually, a lot of people weren't aware that that was wrong. We'll talk about scams in a little bit. Malware, big thing. I think a lot of people maybe feel or don't know that they think if their machine gets compromised it's going to be instant and they're shut down. These guys really want to get in there and maybe stay for a while and hide. Cryptojacking. So talk about that a little bit. Cryptojacking is the latest where they want to stay in the background and hide and reduce the amount of processing power they use so you don't know. And this happened to me just several months ago. I must have clicked on a bad link or installed some bad software and not be paying attention. So I was moving my mouse around doing my work and I saw a little delay in the mouse pointer as I scrolled across and I thought that's kind of odd. So I thought, okay, maybe it's one of those cryptojacking things. So what I did is I shut off my Wi-Fi and my internet connection and the mouse moved freely. Oh. So then I knew, then I knew I'm connected. They're sending some of your processing power out the door. Yeah. So what I did is I turned that back on and then I launched my equivalent of a Task Manager on my Mac. And I looked and I saw an unrecognized process that had 12% of my system. That's not a lot, but it's enough that if you have other things running, that's taken up some time and you want to know what's going on in there. So a quick Google search and I found out that it's cryptojacking. 
So I just cleaned my system. And there was a removal tool you can get from places like RSA and Cisco. They all distribute this stuff freely and the FBI gives them out too. And actually I just cleaned my whole system off and reloaded. It was time. It had been a couple of years and I was free of it. But it was stealthful and I am in the business and I did not know I had that. But it was an interesting. They probably got a little greed. They were running three or four percent. They kept Jack. Yeah, let's bump it in. You finally your mouse told on them. That's right. And that ugly. Well, it can happen to your phone too. It's not just your computer. Yeah. So if you're... I was reading about that. A few of my friends said they had an Android phone that was scrolling through the mail. You know, as you scroll up to see your messages and still that's that little jerking motion. And so they went and looked at their processing to see in the utility on the Android how many processors are taking up their time. And sure enough, there's an unrecognized process. Couple of tools later, it's clean, but it was the same thing. Cryptojacking. For sure. Cryptojacking does not care where the processing power comes from. It could be your mobile phone, which is actually more convenient because you're always connected to the internet somehow. So it's better than computers. Imagine that. And they're making money. They are. They're playing the background. So your computer, like ransomware is actually trending down. Cryptojacking is over 55% of the malware attacks these days. Wow. Yeah. It's huge. So that's this year then. That seems like a big flip because, you know, all the other malware, the ransomware stuff was... Sure. Monica and NotPetya last year took over, right? Beat up some people, especially like healthcare like you brought up early. Right. Wow. Over 60% of healthcare right now is actually infected, they think. That is depressing, isn't it? 
Because the healthcare information is the worst and this is what keeps me up at night. Last year the House of Representatives, our federal government now, tried to pass a bill that says companies can use your personal data from websites to find trending analysis to price out your healthcare. So this is great. I have brought this up before. I'm sorry, Amazon, I'm going to pick on you for a minute, I'm sorry, this is probably not you, but if Amazon gives away the data of all the clothes you buy and they find out in your company, 25% of the people are buying plus sizes, right? Now they know you're trending towards diabetes and they'll discontinue the diabetes offering on your medical healthcare. It's already happened on several plans on this island. I've already seen companies discontinue all diabetic medications. No coverage. Like a major carrier. A major carrier. I won't mention them because I'll get sued. But the major carriers, there are some plans that will not cover that at all. You get it by the Cadillac coverage. And that's like the type two, whatever, from just eating poorly or whatever. Right, not taking care of yourself. Perhaps. Sure. Wow. Amazing. I'm glad we have a good health and wellness program at ISD, so hopefully that'll keep us off of that list. Well Congress shot it down, so they did not accept the bill. But they offered it. The fact that somebody wrote it up. Yeah, they wrote it up. Because the data's available. It went for a vote. Wow. That's scary. Yeah. Okay. All right. Let's see. Now what keeps you up? This seems a little beat up, but let's talk about, let's talk about cloud. Cloud seems to stay out of the news. I know there's been some problems with VPN. People talking about being able to get inside of VPN. I'm on the opinion that it's really just an authentication thing where they get some credentials. Then once they're in, of course they're in as with anything, but they're inside the VPN. 
So what's your, what have you read anymore is attacking on VPN, attacking on, I think it was a remote desktop RDP was in the news from Microsoft, some kind of stuff. It's always been a huge hole. It's very hard to secure RDP. That's the port 3389 on Windows, right? It's always been a problem. However, there's certain ways to lock it down and cloud providers do it pretty well. The biggest problem with any VPN connection is compromising either one of the end points. Yeah. So you compromise an endpoint. The VPN encryption has, it's meaningless, right? If I took your key fob and I knew your password and I could log in as you, if I stole your session key, I'm you. So once I'm in a cloud environment, the security beyond that is irrelevant. So that's the biggest worry I have with clouds is implementing that VPN correctly. And sometimes it's just not, but the bigger vendors, Microsoft, Azure's top of the line now. Microsoft has really offered a good cloud solution. I think you use this for a lot of stuff. I was using Amazon Web Services. Just classically good. I mean, they really did their research. Amazon set up environments for the CIA and for the FBI and for SPAWAR, which is Space Air and War. FedRAMP environment, sure. FedRAMP. Yeah. And they deal with FISMA. So they're excellent. And now I use Office 365 for my company. I think you do too. And I've read all their security offerings and they're FISMA compliant, which is wonderful. Everybody's stepping up their game because we all know it's a running game. You slow down at any time and you are overtaken. Yeah, I know the, so we talked a little bit about multi-factor authentication to folks this year. And so we run the federated Azure Active Directory authentication, which is a, it's really good. You don't see it very often if you're always logging in from the same machine or the same place. 
But as soon as you go somewhere else or anytime you change your password, which you have to do, I think every 90 days, it will send you a text code that you have to use. So I have to use that. And I have to use it for the two or three different places, including my phone, if I'm pulling mail off there, every time I change that. So that, I've been really happy that there's that much supervision over the people and the authentication. So that, you know, typically some guy's not authenticating from somewhere else as me. And if he is, the text comes on my phone. I'm like, whoa, somebody's trying to get into my account and I wouldn't know that. Right. So it's pretty good. First get it, the feature to have users change their own password when they lock themselves out, that's disabled by default. They want you to call into the admin. I had to enable that for my company. And yeah, the multi-factor authentication, out of band, they send you a text code or the one-time pin and they use something like Google Authenticator, which is great. You get a one-time pin on your phone, which I really enjoy. I think that's great and convenient. Facebook uses that. And they got compromised just a couple of weeks ago. 30 million users, I got an email saying, congratulations, you're not compromised because you enabled two-factor authentication. So I've been using the out of band text code or the Google Authenticator and actually I've gone towards a Google Authenticator. We use it for a lot of the different apps. We have some apps for our CRM and things like that. So I have that in addition, right? So that if you were to get in and you tried to get into that app where all our client, our CRM system is, you'd run in the same problem again. It has a different password and a different two-factor, which is always required. So I get you. And we talked about quite a bit of this with the folks around town who weren't even aware of 2FA. I still think they study up and read this kind of stuff. 
It's not like great midnight reading unless you're really into it and you've got to go to sleep. Yeah, and it does have to be done right. We're going to take a break. We're going to pay bills about 60 seconds and we'll be right back with Dave Stevens. Aloha, I am Howard Wigg. I am the proud host of Cold Green for Think Tech Hawaii. I appear every other Monday at three and I have really, really exciting guests on the exciting topic of energy efficiency. Hope to see you there. Aloha. My name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea is on Think Tech Hawaii every other Monday at 11 a.m. Please join me where my guests talk about law topics and ideas and music and Hawaiiana all across the sea from Hawaii and back again. Aloha. Hey, welcome back to Security Matters Hawaii. We're here with the professor Dave Stevens. We're talking about National Cyber Security Awareness Month and it's wrapping up. We've done a lot of teaching around town, trying to just get back to you with those final things that we learned and maybe a bit of an update for what's been going on in case you haven't been paying attention or you didn't catch up with us at any of the events that we held in October. Some people brought up scams, getting the phone call scams at their house, getting email scams, getting the pop-ups on their computer. What do you think about that stuff? Is it stuff people should be just like, oh my gosh, I didn't call you? Like if someone calls you out of the blue, hang up the phone. If they email you out of the blue, just delete it. Like, what's your take on scams? So tech support scams are really gaining traction right now because it's the trust thing. They want to develop a trust relationship with you. That social engineering technique works very well, especially with credit card companies. They can call you and say, look, we noticed some purchases that you might not have made. Were you in Portugal last week? Oh no, I wasn't. 
And then they start phishing information out of you to get account information so they can pretend to be you. So you've got to be careful about these things. So the tricks, call those people back. I always do that. Like say thank you. Let me call you back. Hang up and call the number on your credit card. That's right. Like don't ever talk to anyone who reached out to you. Verify them by calling back the source company. Not even that person call. And they'll never give you the right number. Oh yeah, yeah. The caller ID is always wrong. So it's a great idea to call back. And I've done that twice and found out that people. Wow, you were getting scammed. I was getting scammed, yeah. Lee will actually play them because she's been in credit cards. Oh, does she like it? She keeps them on the phone. She reels them in, man. It's great. It's so nice to hear. And then she'll report them. So those call centers can go down rather quick. But they pop right back up. I had, it seemed to me that in the sessions that we did, it was primarily seemed a lot of older folks had really been victimized, especially by the tsunami stuff, the hurricane stuff, the sort of charity type things where they're calling them. And it's a fake charity. And they think they're doing something well. They want to participate in something that changes the lives for those people for the better. And scam artists. And that was the first thing that US-CERT sent out. And in regard, don't pay attention to these things. Go to reputable companies. If you want to help out, best thing to do, pick your charity and you go get them. Don't let them call you. Exactly. Yeah, you got to do that. Yeah, hang up on these guys. People don't want to be rude. Yeah, I was surprised that there's this, I guess, this romance thing, too, where people, they say, they set up the romantic association, like they really love you. But if you send me money, I'll come see you. And I had some people admit to sending money to people. 
That's been going on for decades. What kind of scam is this? The Philippines, Africa, Romania, and, of course, Ukraine and Russia all had scams set up where a person who says they're a woman sends you pictures, they build a relationship, they build up some trust. They say, here's where I live, and it's a real address. You can Google it. And then, yeah, I've got to get my passport together. Can you send me 500 euro or something like that? There's always a, yay, can you help me out because I want to come see you, but I need an airline ticket or I need some money for this. That's when you know you're getting scammed. And these are lonely people, I'm thinking. I think there's a group of them in a call center somewhere. This is a profession for them. Yeah, I mean, you think they're finding you because you're lonely. I'm wondering how they, are you think it's just a mess? There's three dating sites out there. There used to be Plenty of Fish, we used to be one, where this is just scams galore. If anything outside of the country tended to be a scam and it was a terrible thing, a lot of people got reeled in, especially older folks, maybe they're widowed. And we're talking about older folks now that you got to imagine they're not technology natives. Yeah, exactly. They've inherited technology. They witnessed the advent of technology, but when they were kids, when we were kids, what's the best technology you'd get at the fax machine? A bike, man. Bicycle. That was as good as it. I remember when I had a three speed, instead of a one speed. I have gears, yeah. Well, we got a fax once in our office when I was really young. And I thought, oh, I can send a whole page of information across the country in 11 minutes. By God. In 11 minutes. I thought, my God, it's amazing. But now, gigabytes of information, streaming movies and social media, and they really don't understand the stuff's not out. They're always helping them, and people will take advantage of you. 
Little too trusting, yeah. Yeah, if it seems too good to believe, don't believe it. But to our folks in Hawaii, there's definitely, there are these type of attacks. They're definitely targeting people here via phone, via email, via text, via social sites, what do you call them, dating sites, whatever they may be. So be aware of this. If someone's asked you for money and you don't know them, really, if they just walked up onto the street and asked you for money, would you give them money? Stay with the reputable sites. There's things like JDate, eHarmony, Match.com. They've been around for years. They charge you an admission fee. You go through an extensive vetting process to make sure you're a real person. You write a statement on your own. You answer a bunch of questions. Your relationship begins by answering questions from either party. It's a much better way to get to know somebody online rather than just jumping online and saying, hey, let's go out. Right on. It's the, what do they call it, Tinder? Yeah, you can get into a lot of trouble there. Is that right? Yeah, you can. Okay. Oh, one more thing. A lot of phones, the phone scams are targeting immigrants a lot now. And I've gotten a few in African Mandarin. So what they do is they'll call you and they'll scare you and say, the FBI is on the way. They're gonna arrest you. We need to take care of your immigration status right now. So get us some money into this account. Hurry, the feds are on their way. And what they've done is they called the police on you. Oh. They called in, it's called swatting. You're maybe here too long on your visa or something. It could be anything. So that really scares you. It scares the crap out of you because the police are actually coming up to the door. And then your English isn't good. So you probably don't understand how to ask how they got the call about you or whatever. Right. And the person on your phone is talking to you in your native tongue. 
Yeah, and he's building some trust. I can help you with this. They'll go away. Just agree to work with me. This has happened dozens of times in the Midwest. I didn't even hear about that yet. That's crazy. Well, we had some top tips that we gave out, typically in a finale. I've got them up there on the screen for you now. So we'll kind of walk through some of these. Think before you click. Now this is a, this sounds really simple. But you know, you're up too late at night. You're tired. I mean, truly, if you weren't expecting it, don't click it. If you don't know who it is, definitely just delete these things. Important people will, and important information will get to you, right? If it's Hawaiian Electric about your bill or your bank and you just delete the email, trust me, they'll call you. Someone will get a hold of you if it's important. Yeah. I try to just tell people it's just junk. I've been talking about, I think email maybe has become too risky to even use in business. I'm starting to just. Extremely risky. It's become that bad. So think before you click. It's good advice. There's a lot of stuff behind that advice. But 50% of the problems in malware, social engineering, phishing, all this stuff begins with people clicking. So man, delete it first. If it comes again, call the person. Hey, is this really from you? Like do something. There's more to do to the think before you click thing. You know, you could pop up messages all the time. Windows is notorious. You could pop up messages all the time. Don't click them. Yeah, when you're in a hurry, when you've got to get work done, it's called a modal window. It won't go until you click on it. Read it. Read that thing. Because you click OK. You're giving permission for that thing to run with your permission on your computer. And if it's not something you want, you can close it or you can kill the process with Task Manager. 
But if you just keep clicking OK, that's how viruses get permission to run on your computer. They're launching. And it's just right-click Task Manager. I used to be Control-Alt-Delete, but now you can just right-click the bar and click Task Manager. And you'll see those processes. And if it ain't Word or Excel the stuff you're running, close it. And watch that little window go away. And on Mac it's called Activity Monitor. Same thing, you can kill the process. You can. And then search your machine because you've got a problem. Run a full scan. And a lot of it's click adware. And a lot of it's not super malicious, but it's still taking CPU cycles. And it's still tracking where you go. I got one more tip about email. When you're writing an email, don't put anything in the To or CC fields until you're done and you proofread it. More problems happen when people send that email before you're done or if you've typed in the wrong. Because it fills it out for you. You type in the first three or four letters and it tries to guess what email you're sending it to. And I've sent stuff to my ex-wife. Be careful. Wow. Be careful with the email. That could be scary. Yeah, you could really blow it. So just calm down, take it easy, find your zen. And if it's an angry email, definitely. Hold that in drafts for a while. Think about it if you really need it. Sometimes just typing it will relieve that stress. You might even need to send it. Let's go back to the tips. And we talked about getting AV protection, keeping it updated, keeping the machines updated. For consumers, this could be a little more difficult. Don't rely on some service provider out of the blue calling you or emailing you saying your machine needs to be updated. That's a scam. That's a scam. This kind of thing you need to do yourself. Right. And a lot of pop-ups will say your machine's been affected. Click here to purchase this software. My poor father-in-law, like three, four times now. Ouch. Yeah. 
To the tune of $24, $25, but that adds up. Sure. You scam 1,000 people a day, you're making some serious coin. Sure. And a lot of people are doing these scams and running this stuff are living in places in the world where a buck or two a day is the living wage. So if they can double or triple that, they'd now increase their means of living 100% or 200%. So getting a few bucks out of you is well worth their time. And good luck catching them. Yeah. Oh, yeah, that's out of here. Public Wi-Fi, we got about a minute. Let's beat on this just briefly. No, let's beat on passwords. We had a lot of people agreed that they use this. They admitted they use the same passwords over and over and over again. Oh, bad news. This will eat you alive. Right? Yes. Because if they find your password, then every other site's got that password or some derivative of that password. A lot of people say, I got this password and a 1. Dog name 1, dog name 2, dog name 3. Or the birth date or something. Yeah. And they think they're smart, and that's not true. You've got to use a long one. You've got to use a unique one and keep track of them. Yeah, once you've compromised, and especially your financial sites, your health care record sites, got to have different passwords for that stuff. If you care about your social media, getting hacked, then whatever. But those things that are critical in your life, you've got to use different passwords there and use two-factor authentication if it's offered and make it difficult. Right, because hackers are inherently lazy. I know I'm a hacker. And we're lazy. We want to move on. Oh, that's too difficult. I'll go hack Henry and then I'll mon to him and see if he's got something easy. And if he is, great. And I'll leave you alone, because you were too hard. Yeah. Be difficult for hackers. National Cyber Security Awareness Month is wrapping up. You've got a whole other year for you. You're going to hear about this stuff again ad nauseam. Don't stop practicing. 
Don't stop improving. Don't stop getting better. Dave, thanks for coming in. Oh, can I make one last announcement? Real quick. This is Wednesday. There's an event tonight on my campus at Kapiolani Community College. We're going to have Wetware Wednesday for Halloween. 6 to 8 PM on campus. Free food. Wednesday. Not tonight. Wednesday night. We're going to broadcast on Wednesday. Awesome. So this will be Wednesday. So get over to KCC, Halloween. Aloha, everybody. Aloha.