Hey, aloha everybody. You are watching Think Tech Hawaii and this is the Cyber Underground. Hosting today, because Dave is not well: Andrew, the security guy. I've got Hal Corcoran here from Kapiolani Community College and we're gonna be digging into a little bit of IoT for you today. Maybe we'll just kick the tires on it from a few different directions. Dave, we hope you get well. I'm used to sitting on the other side of the table over there. So we'll see you next week. The professor's out. We have another professor, so somebody here knows what they're talking about. Welcome, Hal. Good to have you back. I think this is your second time.

This is them. Thanks for having me back.

Good. Well, we need somebody that knows about IoT and so, you know, Dave said you're the guy. So I call it the internet of theft because, of course, I'm a security guy. So I'm always working on the, you know, the problems with, like, IoT. There's a big concern for our industry: our camera systems have, you know, vulnerabilities, our access control systems have vulnerabilities, our intrusion systems, our intercom systems, all those devices that for many years our industry built, unfortunately, were built with a lot of different types of vulnerability. So we've been working on getting that piece of the industry fixed up, you know. It's kind of what IoT brings to my mind. But when we say IoT, you know, that covers a lot of ground. What's the first thing that comes to mind for you?

It goes around and it's continually expanding. There's so many things that are networked now. I mean, from refrigerators, and people have smart homes. They can control their door locks, they can control the temperature in the house remotely, they can check in on the house, you know, remote video cameras. We've got smart cities.
I came down here on the bus. I could check my app and the bus tells the system exactly where it is, like, I can watch it on a map coming. Nice. How far away it is. Toys, I mean, there are, like, networked teddy bears now that talk to kids. I'm not sure if that's scary or not, but that could be a little scary if it gets hacked. It could be especially scary. So there are more and more of these devices that are on the, yeah, the network now. And I agree 100% with what you're saying about the security side. To me, IoT today is where, you know, the internet was maybe 25 years ago. We're not really thinking about security yet. Thinking about functionality and getting all these cool things working, and they haven't maybe learned the lesson that you learned, you know, back when we put all these computers on the internet. All of a sudden we realized, hey, these things are vulnerable to hacking. Well, they don't seem to have really gotten that point yet, that all of these IoT devices, you put it on a network, it's vulnerable to hacking.
Yeah, I think maybe our audience may not understand: most of these devices, if they're networkable, they probably have an entire Linux kernel, an entire operating system inside them, just like a computer, a server, and if you can get on that kernel you can activate or upgrade or perhaps get that server to do just about anything any other server could do.

Yeah, there was one incident that I heard about where there was a denial of service attack, a distributed denial of service attack, launched from all these video cameras and stuff in houses, because, so, he essentially turned them all into a botnet and launched an attack from it. So yeah, well, all of these vulnerabilities that you have on computers that most of us know about, well, you know, the computer is vulnerable to this or, you know, other devices are also, you know, vulnerable to these types of, but they don't have antivirus, they don't have firewalls, the things that we've added on to the computers to make them a little safer. These devices don't have any of that. So they're kind of wide open.

Yeah, you know, in my industry particularly, with the video cameras and the access control panels, the processors that they've used aren't powerful enough to run, like, some type of an agent. Like, you can't put, like, a Cylance agent or Symantec. You can't, you know, there's not enough leftover processing power. You know, so they give enough chip power to be a camera and a server, but not enough chip power to secure the server. And so, you know, as an industry, I think the Underwriters Labs, you know, UL, which does a lot of standards for, like, fire systems, is what most people are familiar with UL from, so UL-rated fire systems, UL-rated burglary systems, UL's writing some stuff now to start to weigh into that industry.
So hopefully the manufacturers will, you know, be asked for hardenable devices and then be forced to go make them, because they're not running out to spend more money making their devices, right? They're busy in the capitalistic sense of earning money.

So, you know, and people usually tend to buy the cheapest device. They're not thinking, well, if I spend 20 dollars more for this device, maybe these people thought about security a little bit more than this cheap one. So they usually go with, you know, the cheapest one and they don't consider, you know, who has a track record of, you know, building more secure devices, thinking about, you know, some of these issues.

Yeah, especially, I know, I saw somewhere, I was traveling, but I did see some of your previous episode. You know, you guys were talking a little bit about, like, cable modems. And I don't know if you got into home routers, but the same DDoS attack that attacks some of those cameras, a lot of those poorly made or less securable home routers had quite a bit of vulnerabilities in them: back doors written into them, hard-coded passwords written on certain ports, and they were able to be attacked, and using some of these botnets as well. What do you think someone should be looking for in a hardenable device? You know, the homeowner has a hard time going out and buying a Cisco router for their house, right? They're like, this is a $2,000 router, you know, my gosh, this one over here, you know, 99 bucks from Netgear or whoever it's from. You know, what do you think they're missing?
Well, I think if they want to be safe they need to do some research and find out, like, what companies are releasing patches, firmware upgrades, you know, when necessary, and which companies are just releasing things as they are and they're never maintaining them. Right, because that's a big part, keeping things current. You know, updates can close those vulnerabilities as they're found. And it also has, as we mentioned a little bit before, you kind of get what you pay for. If you buy the cheapest device you're going to get the cheapest device, and, you know, they may not have thought about security at all. If you buy one that's from a more reputable vendor, it might cost you a little more, but they might have thought about some of these issues and it might save you a lot of trouble down the road.

Yeah, I tend to advise people anyway to look at, you know, commercial grade and stay away from consumer grade as much as possible. Minimally get up into that SonicWall level or even smaller Fortinet. Okay, there are some smaller routers from some of the big players that are made with a lot better firmware. They're maintained, the patches are maintained on them. So there's ways you can get your hands on some gear without, you know, it's going to be more than the 99 dollar router, but it doesn't have to be two grand. You know, there's some stuff in there in that mid to four or five hundred dollar range that's business class, you might say. It's not enterprise class. I think, for me, the other reason I talk about IoT being the internet of theft is that, you know, when we've done some penetration testing on businesses and maybe they're good and we fail, we really don't get inside from a technology, from a technical attack perspective, you know, usually the boundaries are written. Can I follow the person home and attack them from home?
I can get their credentials there, then I can use them at the office. Very rarely is that allowed. So most of the people that we've worked with don't want us to go there. They let us follow them to lunch, maybe within a mile of the office, right, during lunch, and try to get some credentials from them or whatever. But not at home. And at home is perhaps where people are most vulnerable because of these IoT devices. What are your thoughts about that?

Yeah, so if someone can get on to your network through, you know, a vulnerable IoT device, you brought that work laptop home, that's on the network now. You know, somebody can install some malware that, when you take it back to work, now they're on the network they want to go, and they can work that malware and, you know, do whatever kind of various things that they're trying to do. So, I mean, these can definitely be weak points in your network. You know, a chain is only as strong as the weakest link. You've got some IoT device that's wide open or vulnerable and it's on your home network with other devices, it definitely endangers, you know, everything that's on the network.

Yeah, I don't know how long business will be able to continue to allow, you know, sort of the BYOD thing, bring your own devices, and, you know, work from home, all those types of things. I think security when you're doing that, the cost is going to continue to go up, I guess, is what we should look at. You know, it's not that it can't be done securely, but it needs to have some scrutiny put on it, and you can't just trust that the guy's not home with a wide open Wi-Fi thermostat or whatever it may be, right? I mean, who patches their thermostats? How many of you patched your thermostats this year? You know, who would even think about that?
Yeah, exactly, exactly.

So I know you're at Kap CC teaching over there. What do the students think about IoT? I mean, is it seamless? Or are they aware? I mean, I guess in your classes they're obviously learning about how some vulnerabilities are there. But do they walk in the door kind of, wow, I didn't know?

Well, I think these devices are just, I mean, they just grew up, you know, with all these different types of devices. Everything can be networked and always was, as far as they're concerned. They don't know a time when it wasn't. So yeah, I think they understand, you know, how many things can be networked and how many things you can do with these devices. But some of them haven't thought about security implications of, you know, can somebody else leverage this device against me to, you know, steal my information, to get on to my home network. And some of them just haven't thought about that until, you know, maybe we bring it up in class and show some examples of some of the different things that can be hacked. I mean, there's been research showing, I mean, if I hack your refrigerator, I can spoil your milk. That's not a big deal, but people are showing that they can hack pacemakers, cars. I mean, if I can hack your car, I can disable your brakes, I can drive you off a bridge, I can do almost anything that I want. So, you know, some of this is high stakes.

Yeah, and that the threat vector could have been the refrigerator is sort of the issue there, right, that weakest link piece that you talked about. Tell you what we'll do. We'll take a real short break.
We'll be back with Hal Corcoran, back on Think Tech Hawaii, back on Cyber Underground, in about a minute.

And welcome back to Think Tech Hawaii. We are on the Cyber Underground today and we're talking with Hal Corcoran about the internet of things. I call it the internet of theft. There's the internet of everything going on. I don't know, the world's connected and getting more and more and more connected every day. So we left off talking a little bit about some of the, you know, problems with the idea that you can actually connect. You can get your car online, you can get aircraft online, trains are online. Obviously some nefarious people could do some nefarious things with things like that and cause a loss of life. So there's that physical attack side that could be executed through some of these vulnerabilities. And then there's also the data exfiltration piece, that's kind of more common these days. Other than the big DDoS attacks that we've seen happen with some of these IoT botnets, what I haven't really seen is, other than used as a vector to get onto networks, all of them masked up to do something else. So there's no one I've seen yet ransoming my video stream, for example, right? So if you want to watch your camera, send me 20 bitcoin, you know, or whatever. Where do you think we're headed with some of these? These guys are creative, right, in the ways that they're trying to make money, these criminals.
Yeah, they'll probe and try to hack anything that you put on the network and they'll try to leverage it to see what they can do. Maybe we haven't seen, you know, the ransomware on the video cameras yet, but I wouldn't be surprised.

I hope I didn't just introduce that idea.

Well, maybe rather than ransoming you to release your video camera, maybe they'll threaten to release video of you if you don't.

Oh, yeah, from your, off to your home TV or something. I guess it depends where you pointed your camera and what kind of thing you're doing in front of it.

But yeah, there was actually a hotel in Europe. They did get ransomed for their door locks. They had electronic door locks and so that got hacked and then they wanted a ransom, and so the guests couldn't get in their rooms.

Kind of, you know, so there's a using sort of the physical security component against, you know, the facility. Interesting stuff. So, and we're talking a little bit about the students. So when they come through a typical course, are they learning ethics? Are there, you know, the vulnerabilities of IoT speak a little bit to that part of the industry, right? What are your ethics, as you can obviously go make some money hacking or you can go be a white hat guy. I'm sure the schools, we want all these students to be white hat types. But how do you introduce that type of discussion?
Well, we decided early on that if you're going to teach cybersecurity and things like, you know, Certified Ethical Hacker and show people how to do so many things, that ethics had to be, you know, had to be a part of it. So we have ethics modules and, you know, we talk about ethics and, more than that, just all the way along the course always, you know, there's always that kind of kernel of the ethics of this, you know: use this power for good.

Not for, they go home and hack their dad, right, and get his bank account or, I don't know, I don't know what students do these days.

This is not meant, you know, to get you free Wi-Fi access from your neighbor. You know, if you do that, you get in trouble, you're on your own.

Yeah, you steal your neighbor's router, right, because he left the default password and you own it, sure. We've all done that, probably. So how do they take that? Because sort of there's some philosophy there, right, behind ethics, right? And so is it administered? I guess, where does that body of ethics come from for the students, that curriculum?

There are some resources out there. I think, like, SANS and some other organizations have a code of ethics. Different organizations, I think CISSP has a code of ethics, and there's a forensics group that has codes. So we go through different codes of ethics from, you know, some of these different organizations and into, well, why, you know, why is this forbidden to do this or why are you required to do that? So that they, you know, hopefully really understand why it's more than just words on a page. It's something like they can understand what the repercussions are if they decide to go to the dark side rather than to the light.

Yeah, and that there's a trail of that typically, right?
So, you know, if you're thinking about that NSA job a few years from now and you've actually left some crumbs out there from some nefarious things you shouldn't have been doing, you could be disqualified. Don't think that they don't know.

Especially in Hawaii where, you know, there's so much Department of Defense and, you know, in IT, hiring consultants, hiring people. If you've got that smudge on your record, you know, when you go up for that clearance, yeah, it's not gonna fly. It's not gonna happen.

Yeah. Yeah, so you'll be down here with the commercial grade guys. I was a little bit interested in the sort of body of work that they come across. So I guess my idea is that if they could come out and sort of help, like, so we don't have, like, an AmeriCorps for IoT. Wouldn't it be nice if we could get these students to help the more challenged folks in our community shore up their homes or shore up their, you know, they keep being given, probably, these devices, right, by their grandkids or their kids, and they've got all this stuff sitting on that. They have no idea how vulnerable they are, and they're getting, you know, they're getting spearphished because people have been able to pull their emails off of these devices and things like that. And they're using the same passwords maybe for all these different accounts, if they're managing them at all. You know, I wonder if the kids could get engaged and kind of offer some assistance out there in the community, you know.

I would love to do something like that. We've talked about trying to create a student help desk for not only security but, you know, all types of technology problems, where people from the community can just come and get advice, get help, get assistance. And it's great for the students. I mean, it's great experience for them. I mean, they can learn the technical stuff about that. But how do you learn
customer service and dealing with people if you don't actually have to, you know, have to deal with people in those types of situations? So yeah, there's something that we've talked about for some time and we're hoping.

Yeah, see that you can get that going. It seems that the need for IoT, you know, IoT is creating this need because everyone wants those features and benefits and all the stuff that comes with the enablement of these devices on the networks or, you know, talking to them with your mobile or whatever it may be. And the security piece, that evades everyone. Not only does just networking evade people, but, you know, the security of networking is even worse, right? So, you know, you immediately go from a user base that wants to use, to people that understand the problem, to people that know how to secure it, and it's very, very small up here for this broad base of users. So the opportunity that IoT, I think, or the evolution of IoT, brings to a student base, it's huge, and I don't know how we get that knowledge outside of them, right, because you can't educate 10,000 in a year, right? You've got limited sized classrooms and, besides, funding. How are the classes? I mean, are they loaded full?

Yeah, yeah, backlogged. Our classes are usually pretty full, especially, you know, in the information security area. It's a hot topic now. The students know there's a lot of jobs out there and there's a high demand for people with these types of skills. So, you know, they're signing up for those classes. So yeah, I can't, you know, I can't educate that many people, but maybe if I can educate, you know, 100 and send them out, yeah, to educate, you know, another 100 and 100 more, that will just, yeah, spread like a beneficial virus, you know, across the island.

You have IoT knowledge. Yeah. What do you think's coming next?
You know, I'll be here today of, you know, they've gone from IoT to that internet of everything, right? I'm just starting to see IoE used a lot more, you know, talks in the industry, things like that. What is this? Where's the limit? Deck of cards, deck of cards going to be networked?

That's a good question. I think there are, you know, a few things that won't eventually have some type of networking technology component. I think it's just going to continue to spread until, you know, especially in the home and in industry, I think everything is going to be monitored. Everything is going to be, there are going to be sensors. You'd be able to tell, you know, exactly what temperature it is in my refrigerator right now, if that's what I want to do, or, you know, start my car in the morning or, you know, order my lunch. And I think that we're going to be doing, you know, a lot of the normal day-to-day things that we do are all going to go online before, before.

So I just thought it was like an automated life. I saw that Jack Ma, you know, the founder of Alibaba, was saying that in 30 years he thought people will work about three or four days a week for about three or four hours a day, because the rest will be done for us. You know, and I know the big money guys are all getting into AI and robotics. What do you think about, you know, the humanoid, right, the implanted, maybe something they can fix my brain with, a little bit augmented AI or something? You know, I mean.

That's, I don't know, that might be a little scary. And then we get back into ethics again. If you make me smarter, is that ethical? I don't know. Cyborgs, I don't know.
Maybe, I mean, I'm sure things that, wearable, you know, technology and things that I can, you know, I can put on that will help me to do things that I couldn't do normally, like exoskeletons or x-ray vision or whatever. Sure, all those kinds of things. Well, I'm not sure about the cyborgs and, yeah, the brain augmentation, implant something into my head to give, you know, to give me more memory, a chip. Although I can really use it.

Well, if you had just had access to Google in your thinking, right, you could just know everything, pretty much.

I'm sure that eventually we will have access to that type of information, control over some type of a network device without having to have any type of a physical interface. You won't have to have a keyboard, you won't have to have a swipe. There's going to be a way that I can just think it. I can think it or I can, you know, just move my hands, and it's kind of like, there was a movie with Tom Cruise where he did that, all of them. Yeah, I'm up in it. He just moved the screens until he went to, uh, Minority. Yeah, Minority Report. Sure, that type of.

Well, and voice, voice has sort of had that impact, you know, in the last few years, right? Siri, and then you've got Alexa and all those. So now, you know, you can ask for what you want, right? And those are, I remember when Dragon Speak first came out, like, 20, 25 years ago and it didn't understand a thing I said, you know. You had to really work with it to make it palpable. But now these algorithms for speaking are starting to get pretty, you know, usable. You know, I mean, rarely does it tell me it didn't understand what I said. It might tell me it can't help me with my request, but it understood what I asked for.

And it used to have a lot of problems with accents. Yeah, I'm from the Boston area. So I'll say "park the car in Harvard Yard" and so you won't know what the heck I'm talking about.

Is that right?
But now they seem to have gotten a lot better, where they can actually kind of learn your accent and understand what it is that you're, yes.

So maybe soon we'll be able just to think it, you know. You just think of something and there'll be some thought receptor out there that'll know you had a question that came through your mind, and the answer will just be beamed into your brain. I don't know. I'd like to look that smart, as smart as Google is. Or it's not smart, it's just being able to get information, right? Maybe we're just dumber because we know we can go get information, so we walk around with a lot less of it. You know, I don't know my wife's phone number anymore. I have it, but, you know, I don't know her number.

Nobody knows anybody's number.

Yeah, I mean, you know, so are we really probably dumber? We don't need to store data anymore because it's all stored for us.

Yeah, all that data that we used to remember, we just don't, yeah, we just don't need it anymore.

What are we doing with that brain power we used to use?

That's a good question. Maybe, you know, we're doing Facebook and we're playing games with it. I hope that we'll start to use it for, you know, for thinking more and to learn more about securing our IoT devices.

You know, you've got some time and some brain power on your hands. Put it to use, folks. Interesting stuff. So IoT, IoE, where are we headed? What do you think the security problem really is? I mean, is it going to be the users? Or do you think industry will solve it? You know, I mean, there's always that user interface, right, where people are using the wrong passwords or default passwords. You know, the technology can do a lot for us.

There's always a conflict there, because people want something that's easier. They can just plug in and it's gonna work. Yeah, and that's typically not the most secure setup. You need to spend more time, you need to know more about it, you know, in order to secure it.
So this kind of plug-and-play tends to work against security. And, you know, people, in security the user is usually the weakest link there. So that's probably going to continue to be an issue. I hope that the industries will start to spend more time and spend more money on security, but it's probably not going to happen until people demand it. We'll have some big, you know, attacks that'll be all over the news and in the paper, and that's when they'll say, you know, maybe we need to do something about the security. We don't want this bad PR.

So there's an IoT wake-up call coming your way, folks. Professor Hal Corcoran's been with us today on Think Tech Hawaii and Cyber Underground. Hope you learned a little bit more about IoT and I hope you locked your stuff down. Aloha.