Aloha. Welcome to the Cyber Underground. I'm your host, Dave Stevens. Andrew will be our guest today. He's the co-founder of Integrated Security Technologies, protecting the businesses and communities of Hawaii and the Pacific region with industry-leading electronic security solutions. Today we're discussing the robbery of the Rolex store at the Bellagio in Las Vegas and the physical and electronic security that will undoubtedly be used to apprehend the criminals still at large. Only two of them are still at large. So that's how they apprehend them. They got one hour winning. There's a really funny story about that. These guys went in with a smash and grab at the Rolex store, and they took a whole bunch of jewelry, and they cared nothing about security. They put pig masks over themselves, and they wore gloves and heavy clothes, and they ran to a parking lot and got into a car which did not start. So they instantly caught one of the guys. Isn't that something? You can never tell what people are going to try. And the funny part is, I think the Rolex store might have been a little bit complacent, and they just thought there are cameras everywhere in Vegas, no one will ever try something so stupid. But I think maybe they forgot about things like people always having smartphones. Everywhere you go there's a smartphone. There's probably a video that they can piece together from that store to the car to anywhere in the United States based on just smartphone footage uploaded to Twitter and Facebook in the hour after the robbery. Yeah, and a car in Vegas too is well tracked. They have a lot of surveillance because of the type of town it is. So, you know, in my opinion that type of criminal first of all couldn't be stopped. They were going to commit that crime regardless of the outcome. They weren't worried about the surveillance from the perspective of at least trying to cover themselves and hide from the cameras.
They didn't want to leave behind fingerprints, that type of thing. So they watched CSI. They've seen the CSI episodes. Yeah, they hoped that that was true. The clothing, realistically, Vegas is pretty locked down. Not much happens there that they don't investigate and figure out. I would imagine there's a lot of money floating around that city. There is, and there's a lot of surveillance, and there's a lot of great investigators, and there's been every scam and every crime done or run there since the place opened for business. Most of the stuff these guys have tried to do there, someone's thought of or tried before. It's interesting how physical security... I love the perspective of access control, for example, which you can't really use on a retail store. Because you need people to walk into your business, so you've got to take that risk. I can't keep that door shut and buzz them in, for example. So there's the assumption of risk, so you have to mitigate that somehow. Typically you're almost left to insurance. As far as the physical security, the surveillance stuff is not going to stop that. Some guys came in, they just make it happen. They're not concerned about whatever you've done because you've allowed them into the spot. Now maybe put fake Rolexes in there, because I wouldn't sell a fake Rolex to a guy who wanted to buy one, but maybe all the stuff under the counters is just those $100, what do they call them, full-exes. I think of things like that, people like that. What are Rolexes worth, 10, 15, 20, 50 grand? They go up from there. They're hard to come by. If you can get a hold of them and get them out of the country, and they probably had a place to take them and sell them already. That kind of stuff is fairly targeted. It's hard to say, let's go steal some Rolexes. Criminals that get caught look stupid. Criminals that get away with it look brilliant.
We're talking about why am I learning cybersecurity when I can get away with 10 or 15, 20 million dollars and make that break to South Shore, France and just live off the grid for the rest of my life. That's 20 million dollars. They're not going to let that go. I don't care who you took it from. Someone's coming looking for you. It's not that you just live off 20 million dollars and fade into the nothingness. You're always on the grid somewhere. Someone's going to find you with enough money. What's 20% of 20 million? That's a good hit man. And a student, an unpracticed criminal. He's not a criminal. He doesn't have any way to get away. He's a student. Those are those dumb crimes. An opportunity shows up and he's having a bad day, makes a bad decision, whatever it may be. For some reason they take advantage of a situation that presents itself, and it could be cyber. It could be that, why are you poking around with some stuff, and you find a vulnerability, and next thing you know, wow, you're looking at a C prompt. You're looking at somebody's bank account. Wow, got their password. I could transfer money. Who knows? That seems targeted to me. Situations arise. You're in the building. You find yourself behind somebody's computer and they haven't logged out. It's an important system. Maybe you can use that to get whatever you want and get out of there. Just information sometimes is highly valuable. Super valuable. Maybe you can tell me if this actually happens. I knew this happened a lot when I was in the industry. The physical security part of the security plan, if you even have a security plan, usually fell under facilities. Unfortunately. And the facilities guys aren't really IT. No. And if they need to fill a gap, they might take a webcam that they buy at Best Buy. Take the tape off the back, stick it up. It's Wi-Fi enabled. Cool. I don't even need a string of cable. Let's just hook this up. Username, password, default. And I'm on the network.
Now you have a brand new hole in your network with default credentials that can talk to any other device. Because the Internet of Things is made up of all these devices that have the lowest basic level of security on them. They have maybe a username and password. They have hardly any authentication. So when you get in, your root level is an admin. And hardly any of these devices will do any logging or notification that they've been hacked. And you can knock them off the network and reset them as you wish. Yeah, once you own them. Right. And once you own them, you can use them to get anywhere. Or, as it was done last year, you can use them as a DDoS device. You can use them as a botnet and use all those devices. They were using webcams and refrigerators and DVRs. And those were the three biggest devices, I believe I read, that were used for a DDoS attack. Yeah. And all your audience may want to know that that's dynamic denial of service. So what occurred, right? So these guys took all those devices and flood, like, your website so no one can get their embass stuff from you. Just for example, denial of service. And they flooded the domain servers. So all the websites. That was pretty smart. When you go and you type in the name of Amazon.com, that's translated by a server into an IP address, and it points you to that server or bank of servers. And when you knock down that Amazon.com name and domain name server, Amazon.com is basically offline. You can't get at it. So they can't sell stuff, and they sell $100,000 a second or whatever they sell. I would imagine they'd lose millions of dollars per minute. It's got to be crazy. You can't go down with a company like that. And the other thing, or the redirect, the malicious redirect: you're going to Amazon.com and trying to buy some tennis shoes. The next thing you know, you're actually entering your credit card information into a tennis shoe site that looks like Amazon, but it isn't.
Somebody is capturing your information. Then you find out you bought four new cars, and your credit card is blown up, and you don't know why. What happened? It happens by the time you got off the computer and walked away. People don't understand how quickly that malicious transaction becomes an illegal transaction somewhere else. Well, all of us, including the home users, have now accepted other devices and other security into our home networks. I have my Wi-Fi network at home. I have my wireless router. I also have a DVR. The DVR I have no control over. It is somebody else's. However, it is on my network. What's in the DMZ? Well, you put it outside. You would think there's a way in through the DMZ. It's only NATted. And there's a way in through the, you read about the BDTV signals. So there are several signals out there that the cable providers are running. There's nothing on them. So they're right into all the smart TVs instantly. That's ugly. I was just reading about that one yesterday. It's like, really? What do you do for your customers? All these openings that... Firewall it. Firewall it off. Yeah, it's just bad. So the webcams that are wireless, do you always plug them in? We just don't use them. Okay. Wireless is even worse. I mean, so what happened, this is my experience in the industry, our industry in particular, physical security, we used to... Wireless was developed because we couldn't get a wire. It cost 10 grand to cut through the concrete and do all the stuff we would have to do to run a wire. So, wireless. Okay, so let's use wireless where we really just can't cost-effectively get a wire there. And then what happened was everybody said, why run wire at all? So the whole industry went berserk. It started, so all the home alarm systems, a lot of devices adopted a wireless potential, a wireless opportunity. So you get a hard wire or a wireless. And that spectrum isn't owned. And it must accept interference. You know how you read the device?
You know, did you ever read the tag on your wireless device from the FCC that says it must accept interference? Because it's not what they call registered. You can buy bandwidth that's yours, that you use, from the FCC, and you can pay for a licensed bandwidth. If you don't, then it means it's available to everyone. And once that's the status of it, unfortunately, it can be broken with software defined radio. Which, back when all this started, for a software defined radio you probably had to pay 100 grand. I don't even know. Today you can build it on a Raspberry Pi with open source software for $29. And tune it to whatever. And I can listen to the devices in your house talking to your alarm. Probably those little wireless contacts. And when you go to bed and you quit moving around, they all quit firing. So now I know you're in that part of the room. That's the last one that fired, and you went to sleep. So I can do stuff on the other side of the house if I wanted to, for example. So software defined radio is a different sort of a problem, but another easy-to-use hacking tool for a guy who wants to spend the time to learn how to use it and sit right out in front of your house. You can saturate the receivers, and other things you can do, just from an intrusion system perspective. And then when we go to the other, the wireless packets, and you're aware of these tools like a web crack and once the other one that's kind of popular. So the idea is that if I can sit there in a wireless environment and collect enough packets, I can kind of figure out the encryption. Even if it's encrypted, like SHA-1, there are tools out there now that can help me figure out what the encryption is, break the encryption, and then the transactions that are occurring are available to me to capture. So I could perhaps capture the next login of that password, your user and password to the PC that's using that Wi-Fi network in the house, for example.
And then those tools will actually knock that device off the network, and then it has to reoff. Yeah, so it will emulate your wireless access. Those are the ones we use in the hotels and stuff like that. Your home network's got issues. I don't know what the consumer grade is. I don't work in that industry. It's even worse. My industry, at the commercial grade and DoD grade, the DoD truly doesn't let this stuff on. We run on different networks for a reason, because you should, and that's a practice that all businesses should do, but businesses can't really afford separate networks like the DoD can. So we've got to firewall that stuff off. Then the business owner wants to use a feature set that's built into the system. We're coming up on a break. I do not know exactly when it's going to happen. Well, we've got a second, but we've firewalled that VMS off, and then we let the feature come in via VPN. So we can do it. We just need to do some things to mitigate some of the risks. Hi, I'm Nicole Alexandreinos, and I was born three weeks ago. Congratulations on being there for me for some of the few weeks of my life. I'm starting a new show, The Millennial Mind, every Wednesday at 2 p.m. for the month of April, where we'll go over some of the reasons why millennials are some of the most anxious and frustrated people at the moment. I'm Ethan Allen, host of Likeable Science here on Think Tech Hawaii. Every Friday afternoon at 2 p.m., you'll have a chance to come and listen and learn from scientists around the world. Scientists who talk about their work in meaningful, easy-to-understand ways. You'll come to appreciate science as a wonderful way of thinking, a way of knowing about the world. You'll learn interesting facts, interesting ideas. You'll be stimulated to think more. Please come join us every Friday afternoon at 2 p.m. here on Think Tech Hawaii for Likeable Science with me, your host, Ethan Allen. Welcome back to the Cyber Underground.
I'm Dave Stevens, and my co-host and guest today is Andrew Lanning from Integrated Security Technologies. Andrew, why don't you tell me, what is your company all about? What do you do for people to secure their devices and their hardware and their companies? That's a big question. We get calls because people have problems. A lot of times those problems are related to intrusion. So they wait until they have a problem. Or unauthorized access. Sometimes it's design work too. It just depends on the client. The more challenging ones are typically someone that's had a problem. They're really fired up. I've had some kind of break-in in my parking lot to a car. I want to get some cameras. I'm like, well, why do you want cameras? Because I had a break-in in my parking lot. I said, well, cameras won't really stop the break-in. They're just going to let you see someone who broke into your car. So what do you really want to do? You want to see who it was? Or you want to stop the break-in? A lot of times our work is education. Helping people understand that you need to control your perimeter. We come out of the military, so I use those types of ideas to help protect the commercial businesses in Hawaii. That starts at the perimeter. Now, the perimeter, if you own a huge lot, is expensive. You've got a big perimeter to protect. Sometimes you have to fall back from your fence line, perhaps, to the building. Then we use maybe access control on the doors so that that's your perimeter. The actual physical building itself. So you're talking about the fence in depth. You have a fence. You have a door lock and something behind that. And even response time, so that the way I can detect something that I don't want to happen, or want to know about, then the more response time I have. So if I can detect it out at the fence line, I've got more time to figure out what it is as it's approaching my assets.
Versus if it breaks in the door, then there's maybe perhaps already someone on top of my staff before I've had much time at all to do anything. So just as an example. So we have to have those education things. A lot of stuff comes to us that's already designed and built by consultants in the industry, and someone's building the building. So we will supply those systems. But the people that need more help are the ones that don't know what to do. They just don't have a problem. We're helping them to find that problem and understand how to address it in a way that fits their economy. Perimeter security. Doing security properly is not inexpensive. You can just throw up a camera, and maybe that runs people off who've been doing something. That's a good tactic. But most ill-intended people know you can just, like, pull your hat down and hide from the camera. Put a hat on. Whatever it takes. So cameras are just not... cameras have never been about security. Cameras have been about, even today, about 99% of the video in the industry is still used for post-incident investigation. Now we've got analytics today. There's a lot of things that have developed, and I don't want to take away from any of that work, because it's good. We can do a lot more detection. Object moving in one direction, say a driveway you're watching. Things should only be coming in. If something goes out, boom, we can alert on that. We're much, much better at detecting people and anomalies outdoors than we were just a few years ago. So that machine learning, there's a lot of things that have brought that industry way, way up. Outdoor motion detection has for years been fraught with positives. Now, when you address this with your customers, do you fall back to the NIST rules and explain to them what NIST is and how they set up these standards for certain industries?
In the last couple of years the cybersecurity framework, cybersecurity just as a word, cyber hardening, cyber maturity, all these things have entered our industry, because realistically, for the last 25 or 30 years, we hadn't done any of it. We used to be an analog business, and we had RS485 communications, which is serial communications, like your old phone line, just as an RS232, but similar. We had coaxial cable with analog signals to the cameras. Then someone discovered internet protocol, and someone figured out how to convert these, a company called Lantronix actually, how to convert RS485 to IP. So all of a sudden we're on networks. Well, we just went crazy as an industry, and we started delivering all these great things right over your network, and people loved it. The problem is convenience. Super convenient and a lot of functionality. The problem is our manufacturers really didn't take security seriously, and so the chip sets that they used, for example, in all these devices wouldn't support protocols like we see in the IT industry. Your computer here can have a certificate loaded on it. It has enough horsepower to run transport layer security when I connect to a device, and I can use secure HTTP instead of just HTTP, Hypertext terminal protocol. So we're talking about balancing that CIA triangle of the convenience, integrity and the security of any given organization, and they went way too far into the convenience area. Way too far. In fact, they only went there. They didn't go with security at all. I mean, seriously. Our industry did a terrible job of becoming a problem for the customer today. Once the hacking industry grew to what it is today, and everybody can make money stealing information and selling that information, all information became a target, and now all these systems that lacked correct hardening, really just lacked the horsepower to be hardened, started taking a beating.
And you were telling me before that the central control center for, like, a camera set and some other security devices, if they all feed into the central security system, you're monitoring all of them, but then you have an update to make one more secure. It might break your central command center, so you have to upgrade that, but then that might break your connection to the older system that hasn't upgraded to this new security protocol. Yeah, so the firmware problem. We have a firmware problem in these devices, and manufacturers got in the habit because it's inexpensive. Tomorrow libraries, DLLs, so they would compile their firmware from existing libraries that were already broken or poorly written or had vulnerabilities in them. But they worked. They delivered video to the customer who wanted to see it, or you could use your phone to open the door, for example. The problem is it was very badly built and unregulated, and no one paid attention to this. No one paid attention to this until a few years ago, and so now our industry's having to correct itself, and our customers, who've been getting more and more functionality for lower and lower price points for many, many years, now all of a sudden have to pay more for us to go back and check on these, you know, run these types of scans like you're talking about. And we're a guy company that does this, and a lot of the devices we scan, they blow up. I mean, they absolutely can't even handle a simple nmap scan, for example. So they reset, and then they reset, and so when it resets, it goes back to a default state. And you gotta set it again. Very bad. That is very bad. So that brings to light the standards organizations that we should be depending more on. NIST for the rules, for example, National Institute of Standards and Technology. Yes. And then also things like the IEEE would handle that. Yes. The Institute for Electronics. Those are the guys we ignored all these years. But they have those standards online.
So if you want to build a device, and you want it to integrate and be upgradable and have your firmware the most secure, you go read the latest standard in your protocol, and you should build it to those standards, and people aren't. So the expensive stuff is the same place. I mean, seriously, this industry is, from top to bottom, just now... I mean, just now there's a big security show, like honestly next week, a big national security show, and I saw some devices last week that now you can load a certificate on them. Now they only do TLS, which, you know, Transport Layer Security is the latest version of SSL, but TLS 1.2 is the norm, and these can only handle TLS 1.0. And so that's, as you know, a function of the type of encryption and the amount of processing it takes to do it quickly, or the thing times out or blows up or whatever. So, you know, there's progress, and I haven't been able to say that yet, but I can say it today, and I'll be back here in a few weeks, and I'll be able to talk about hopefully more that I found. In the meantime, what we've been doing is, you know, scanning these devices, making sure that all the extra ports, FTP, the ports are closed that aren't being used, right? If you're just streaming video out of a camera, I don't need the email port open, I don't need FTP open, and so, you know, going in to make sure those are all closed so that this device can't be, you know, attacked through those ports, and then documenting the type of encryption that's on it, you know, and understanding what it is, and taking a look at it, and then documenting it, right? So we do that on the bench before we go install it in your business. Then when we install it, we run the scan again to make sure nothing's changed. Yeah, you gotta verify.
Yeah, and then we come back as a part of the maintenance plan. We come back and do that periodically just to make sure that someone hasn't put a webcam up that you didn't know about and just hooked it up to the network, or your administrators have been playing with the settings and actually turned on FTP, or someone hits the restart because the guard sitting there all night long, nothing's going on, he doesn't have anything better to do, so he decides to start poking around. I can host a music server right here. Yeah, exactly, he's doing his homework, he's bringing in a USB stick and loading up some other garbage. Now, I was reading some articles about the Consumer Electronics Show that just happened in January. CES every year, and that's all about convenient electronics, the newest, greatest, most convenient stuff, and they're all about the smart refrigerators now. You can see the huge screen on the refrigerator door; we can order milk and whatever. This one had, you know, I saw, I believe it was a Samsung, you open the door and you put in the milk, it knows because of the barcode on the milk when you put it in how much it's supposed to weigh. Yeah, you put it on the shelf, the shelf weighs it. Yeah. Oh, it's only half full, you might want to order some milk, so it asks you to order some milk, and you do it through your little computer on the refrigerator. No security, really, on the refrigerator. They're doing the IPVO POE, they're actually on the power line, on the power cord of the fridge. And that's it. I think so. Yeah, wow, and just so long distance, you have USB ports. Oh yeah. So you can walk right up and put a USB stick in there, which is one of the biggest holes in security in the entire world. You know, walk through a parking lot. Hey, I found another USB. Any portable media. What's on this USB stick? Let's plug this in and find out. Yeah. Oh look, I won something. I'll just fill this out. You know. Yeah, the consumers are just being duped.
I mean, you know, they just don't know, and so as long as people buy this stuff, it's going to continue to be made and continue to be sold. And, you know, it's a sort of a buyer beware, and, you know, there's a lot of people that, you know, are they all being victimized? Do they all have things worth taking? I don't know. I don't know. But I do know that they're not aware. I mean, I have entire industries that I've talked to in the whole room. You know, 1% or 5% of the companies are doing anything about cybersecurity or cybersecurity. C-suites. Managers. Right. And so if they're not, I know that the homeowner... Right. Well, you have to develop a culture with cybersecurity and physical security. Yeah. Everybody's got to be. It's kind of a hive mentality or it doesn't work. Everybody's got to know what's going on. Now, you run Integrated Security Technologies. Yes. My wife runs it. I use text. I use text.net. Yes. Right. That's where you can see everything that Andrew does. Yeah. Thanks for being on the show. Thank you. Hello.