Welcome back, and thanks for joining us on the show today. This is the Cyber Underground. I'm your host, Dave Stevens, and I'm here with my co-host, Andrew, the security guy. How's it going, brother? Very well. You're back. You've been on the Cyber Underground. It's been a red wave for how long now? Man, I've been getting up there. I think I'm going to make like whatever Delta, whatever that thing is, man, Diamond in there. I'm going to be up there. I don't know. I'm doing it. I'm heading out again next week. I don't think to have that. I see you coming in the door. Oh, Mr. Landings on the way. There's this guy. His name's Ron, I forget his last name, but he sits in seat A1, and there's this big joke on the Delta. There's a Delta page for Diamond people, and he's the... Ron's the guy. Yeah. So seat A1A, if you ever get that, that's Ron's seat, because he's obviously not on your plane that day. So they make you move if he's on the plane. I don't know. He might be like a 50-million-miler or something. I have no idea. I'm starting to feel that way, bro. I'll tell you, it's been a lot of travel this week. I don't know how you train for your Ironman when you're on the road. Well, we'll see. If I'm lousy in the race, you'll know I didn't do well. Your Ironman's coming up next year. Yeah. I got ways to go. Yeah, but you know, some training. I'm tracking in. Man, it's looking good though. It's looking tight. I have a lot of training to do. Hey, you must be tired now. Yeah. Yeah. I stay that way. I live that way. Well, you also do another show. I just mentioned your other show. You do this. Great. We had Hibachi Talk on Wednesdays. Yeah. And ThinkTech's awesome. You guys get a lot of education out of ThinkTech, don't you? Hey, ThinkTech's great. I love ThinkTech. We give. We give to the community. You should give back. Because our paychecks for this show are very pre-loaded out. There's no paychecks. No, zero. This is all community service. Right. Yeah.
We're going to teach them about what. Well, let's mention one other show. No, not KRACK. Well, it's one other show. There's a new one on here. Oh, awesome. Out and About with Winston Welch. Nice. Now, Winston, he started up the Hawaii, or he's part of this group that started up the Hawaii Rainbow Chamber of Commerce. Okay. They fight for LGBT rights. For business. For businesses. Equity across the business community. Like HR, or just to do business with us? Equal opportunity, doing business, contracts, everything. They're like the Filipino Chamber of Commerce, but they support LGBTQ rights. And they were out at the Hawaii Pride Festival last weekend. Awesome. And they had some people stopping by. Willa Sparrow came by, Brian Schatz was there, Douglas Chin, the guy that filed the motion to block the travel ban. Oh, yeah. He was there. So I guess they're all running for office because we got pictures. Yeah, of course. I mean, Hawaii is about equality for everybody, right? So that's all good here. That's one of the things people may not know. You know, if you're not from here, you don't spend time here. You don't really know, man. We love everybody. It's all good. It's all good. They let me on this show. I mean, that's fine right there. That's our EEO policy, right? EEO. We let Andrew on here. That's EEO. Equal inflame for Andrew. Zero pay, by the way. So yeah, let's talk about KRACK. Our last episode was just ad nauseam. We just did really good. Who was here? Hal? I didn't watch it. I'm so sorry. But that's okay. I mean, you know all about the key reinstallation attack, KRACK. What did they actually do? Did you guys already talk about that? Yeah. If you did, then don't worry about it. There were eight or nine CERT CVEs issued. I mean, so there's apparently a lot of vulnerability. We'll talk about what those are, because I was going to bring up at the top. The Computer Emergency Readiness Team in the United States called CERT. They have C-E-R-T dot org.
You should go see them. And they have all the knowledge-base articles that will tell you about the latest vulnerabilities. Yeah, they give numbers, CVEs, right? Critical vulnerability numbers. So when these get issued, the vulnerability that's been exposed sometimes results in more than one. And this hack apparently has many ways to, many things you can do if you can do this KRACK. Right, everything from man-in-the-middle to key interception and replacement attacks. But CERT also has a mailing list. So you can get on the mailing list and they send you out these warnings, two or three a day. So you know when you have to do something as simple as Adobe or Flash or your Firefox browser or something as complicated as a Fortinet firewall. Yeah, so you can be as paranoid as me. We live in a dark place. Everything's broken. Everything's broken. So the key reinstallation attack named KRACK, basically there's a handshake that goes on when a device authenticates to a wireless router. And during this process is a four-way handshake. In step three, one of the keys gets sent across. And there's a sequence number in there and there's a unique number that's part of the encryption key. And all that can be intercepted and repeated. So if I'm sitting in the middle, I can grab that message and send out my own message and the router's going to think I'm you. So when the router responds, I not only know the encryption key, but it's responding to me. And if I want you back on the line, I'm going to pass that message on. But in the meantime, I see everything you're doing back and forth. And so obviously this has been around a lot. So just no one exploited it. Several months now. No, I mean we've been doing WPA for a long time. WPA2 has been out since 2004. So this has been broken since 2004. I hate to say that, but we should have seen this coming. Yeah, I don't understand how in those handshakes and that intercept. So has someone developed a new technique for that interception or what?
I'm kind of wondering what brought this to light. No, actually. I feel like we'd have known about this forever. Right, we should have. And if we read the paper that was put out, it was a brilliant paper. Got that. I read the paper, which is hard when you're not a scientist. I got the gist of it. This attack actually refers back to the actual IEEE standard that came out to tell people how to implement WPA2. And there's a gap in the procedure that allows this to happen. So if you implement it exactly according to spec, it's going to fail. There's a gap. But a couple of vendors like Microsoft said, no, we're going to go further. So you cannot do this on a lot of devices that Microsoft controls. So they actually had a little stopgap in there because someone was thinking ahead. They identified it or were they just lucky? I think they were just lucky. I didn't see a statement from Microsoft. We told you so. Yeah, yeah, yeah. Because they might not say that anyway. But this is really bad because WPA2 is kind of the default. I'd say it's what everyone uses everywhere for all their Wi-Fi stuff. It's been the top encryption protocol for 14 years. So go look for patches. You can just Google KRACK updates, KRACK vulnerability page, whatever. I did that. There's a page here that's got probably 100 vendors on here that make this stuff and it tells you their status. So if they don't have a patch issued yet, it'll be coming soon. So get your stuff updated and be careful if you're using wireless that's not patched right now. Yeah, run that patch immediately when you get notified, iOS, Android, whatever. The good news is a lot of industrial stuff is Cisco. Cisco is a big player in the internet market and they have already started blasting out patches. They're right on top of this. So is it automated? But you still probably got to go do it, right? No, you have to do the patch as a firmware update. Don't be an Equifax, right?
Then their page tells you, you have to configure some stuff. But it shows you on the command line, do these things. And I'm very happy with Cisco that it did this. I mean they're right on top of things. Good job, Cisco. In North America, they're a big leader. I mean, Talos Group, you know, they're always out there in front of there. They bought OpenDNS now. It's Umbrella. They're sharing all that information. I signed up for a free account, free for 60 days. They've had me on for six months. They said it worked. Still works like a champ, caught a little malicious redirect the other day. Somewhere I was trying to go that wasn't even real. I love Cisco for all the help that they give us. Their devices work forever and they patch them forever. I've never seen a notification from Cisco saying, you know the device you bought in 2002, we no longer support it. Oh, like Windows 95? Yeah, that's 20-something years old now, we're done. Yeah, we're still going to have to cut that off. It's 1995, man. Yeah, so that's ancient history. Stuff has to go away. Yeah, well, that's why I'm so surprised about WPA2. You know, when you configure your router, you get a little dropdown. What protocol do you want to use? And the one that's most secure is WPA. And that's it. There's no more choices. Yeah. So we're going to have to add one now. But in the meantime. WPA3 maybe. Yeah. Somebody will write one. Yeah, hopefully. In the meantime though, you can use HTTPS on all your websites that you go to. Yeah. I'm going to have that HTTPS Everywhere, right? Right. You can implement that in your browser. You can also use encrypted email. Yep. And you should anyway. You should anyway. We have a local vendor, Paubox. Yep. Does that... Pau? Oh, Paubox. Yeah, they... Oh, Hoala? Hoala Greevy. Oh, I didn't know that. Okay. We should get him on the show. Well, he's in San Francisco. When he's out here, you can get him on the show. I bet he'd fly out for a bit. He just came and gave a talk.
He's been on a few shows. Not on our show, but he's been on a bunch of talks a couple times. Darn it. I missed him. Hoala's a good guy. Smart. We're getting Brian Krebs on here too. Okay. Skyping him in. Let's talk about Brian Krebs. One thing I want to say. Arris, right? So the one thing that I noticed is that Arris hasn't said anything. So this site talks about all the affected stuff and gives the announcement from the manufacturer about what they're doing and when they're going to fix it. Arris is one of the heavily used modems from all these cable modem companies and they're all over Hawaii and they haven't said a word. So if you got Arris and you don't have another firewall in front of it, that's bad enough. But if you're running Arris, it looks like they're wide open without a plan to fix or a plan they're willing to share. That's for consumers out there that might not know how that works, right? When you're looking at your home network setup, you'd know the modem because there's a cable coming out of your wall. Yeah. And the first thing it's going to go into is a cable modem. And they have like Wi-Fi built into it now. So a lot of people, it's all they run and they're all used to it. Right. I wouldn't recommend that. Never. But out of that cable modem, you can branch off into your DVR and you can branch off into your own wireless router, which I recommend, right? Yeah. But your DVR is still wide open. Yeah. And that's a problem. That's a problem. DVRs got used in the DDoS attack last October. Yeah. And refrigerators. Dyn. I mean, it's just... And webcams. I had 60... I was in town actually in Kona last week. I talked to them a little bit about that. Yeah. Yeah, they got crushed. It really hurt their reputation that companies are still battling that note. Because they have 60,000 of their cameras spread around the world. Do you feel any sympathy for them, though? The manufacturers have failed to implement security. You know, I've got to say this.
I mean, that could have been that it was in some of the home installers and people could have been part of the process. So it's not always the device. In that case, there was a back door in there that was hard-coded, right? Yeah. In their own firmware. So in that case, no, I have no sympathy for them whatsoever. But today, we've been talking about this for years with our devices. And so today, on the manufacturing in our industry, we're coming down quite a bit harder. And at least Andrew is, you know, I'm on my soapbox about cyber. I had been for a while for the electronic security industry. And yeah, there's no longer an excuse. I don't think so. Especially with ISO jumping on board now with the new rule set. Yeah. So the UL is applying. You know, we've got ANSI now for the UL guidance. And we're going to ISO. So when we have that, you know, I mean, just getting ANSI is good enough. I mean, the manufacturers should be lining up, getting their stuff assured. You know, getting that extra level of assurance from a third party like UL. You know, they all say we use Veracode and da, da, da, da, but that ain't been enough. So all these acronyms are standards organizations within the world. Right, right. And ISO, International Standards Organization, is coming out with a whole new set of rules. Underwriters Laboratories, UL, is coming out with the new rules that they can provide to hardware manufacturers, and they recommend you implement that set of standards or rules to alleviate some of the crap that we've been seeing. And you mentioned one, hard-coding passwords in a framework. Backdoor. So if I want to debug something before I release it to the public, I'll leave that backdoor in there. Because if something locks up, I want to be able to log in. But when it's released to the public, that stuff ought to be taken out. Got to. And it's getting released. And folks, this isn't about just changing your hard drive.
What happens is, this is a little chip on the motherboard of a device that you have no access to. You can change your operating system. You can change out the hard drive. It does not matter. This is written into the firmware on your device, and it's getting released. And there's a lot of that out there. And it was initially thought of as a maintenance tactic, right? So that the manufacturer could get in that gear and do maintenance actions on it. Sure. That was the thinking. It's old-world thinking, because it's a bad idea. Because eventually, someone figures out those passwords and hacks them, and then your devices are waddled. Oh, Shodan. Publishes it. Oh, sure. Just sending that. Well, what is that device? I don't even get how much it is. Yeah, it's a big problem. And UL has the 2900 series now. And this isn't just electronic security devices. We're talking about industrial control devices. And we're talking about health care devices. So the 2900 series encompasses those three. There's going to be a dash four for IoT devices. Yeah. So we'll work on this, because manufacturers just didn't seem to fix it of their own accord. So now we want some regulatory guidance, some certification. And until the consumers ask for that, I want that device to be certified 2900 series compliant. Manufacturers aren't going to push through there, because it costs a lot of money, right? Right. It's a business call on their part. They assume risk, but they still want to make a profit. Sure. And they have to do some bean counting. How much is this going to cost me to implement it versus how much I want to profit? And truthfully, if I had to give recommendations to a company, I'd just say, maybe you ought to provide your CEO $1 million less this year in bonuses and apply that to security. And with the cost. And the chips are cheap. Right.
So they've got to run more expensive chips to be able to handle the certificates and the encryption levels that we're going to require in these devices. And so the cost, yeah. Manufacturing up and down the board, the code's got to get better. Yeah. The hardware's got to get better. And so when we've, the consumers have gotten so used to getting more and more features and benefits for less price every year. You know, the price of technology keeps dropping. It's going down. It's smarter and smarter. That's false, because what we didn't get was any security. Let's do the trick. And we're going to pay some bills, and we'll come right back and we'll pick that up because we're going to talk about industrial controls and healthcare devices, which are shockingly not secure. Okay. We'll be right back in one minute. Stay safe. Aloha. My name is Mark Shklov. I'm the host of ThinkTech Hawaii's Law Across the Sea. Law Across the Sea comes on every other Monday at 11 a.m. Please join us. I like to bring in guests that talk about all types of things that come across the sea to Hawaii, not just law: love, people, ideas, history. Please join us for Law Across the Sea. Aloha. Fastest minute ever. We're back. Welcome back to the Cyber Underground. I'm your host Dave Stevens. We're here with Andrew, the security guy. Hey, Andrew. I'm just going over the fastest minute ever because they're all the same length. No. That was faster. They must make minutes different in the studio. Robert counts them down quickly. Nice. We were talking about the hardware and the chipsets and the firmware and how this relates to insecure devices for industrial controls and healthcare. Let's tell our audience about what industrial controls are and what they do. Sure. PLCs, programmable logic controllers. These are devices. They're really built to an industrial hardening level because they implement the tools, the instruments, is what they're called.
Actually out there that measure pumps and gauges and pressures and fluid flow are high voltage. And so we've got to have some sort of interface between high voltage devices, high voltage circuitry, and digital circuitry. And so that PLC is that brick in the middle there that uses ladder logic or different types of programming to interpret that instrumentation signal into something, get converted to IP, send it down into the control room where you see it displayed as a pump running or a pressure on a tank or whatever it may be. But they run really simple logic most of the time. Yeah, ladder logic is what I'm only familiar with, the GE Fanuc programming stuff. I've seen that ladder logic, how it works, and it's quite straightforward. They build all the displays. You run a fluid at some pressure through a valve and you actually build the device and it shows the pressure. You can make it go round or up and down or how you want to display it, whatever makes sense for yourself. But that interpretation was the important point. We used to have to use... RT used a lot of relay circuitry to do that with and you go to these rooms with huge relay cabinets all over the place to interpret all that to bring that data in about a minute away from the control display information. And now we have one more unit that... Yeah, you got a little PLC. These things are hyper-focused on their one task usually and there's not a lot of room for tons of code. They're very limited in their memory and storage space on them. So the code has to be super lean. So simple is best and that's the way people code these things and sometimes they don't think about security. That's one of the biggest problems, right? Not only on the device, but the device that's reading from that device.
And so if people say, let's just use an example, you have a gate or a valve or something that's critical like a water system for a sewage treatment plant, if someone hacks your system, they can remotely control whether or not you release water or don't release water or take on too much or don't mix the right chemicals in the water. And this is a big issue. If you hack these things you can do damage to our critical infrastructure. Yeah, imagine, people may not think about it, but one way to really shut a city down is to destroy the wastewater treatment systems. Imagine that, no toilets for a couple of months. Yeah, that would be bad. That's a lot of problems. We had a discussion in one of my classes about what if we shut off the water and a lot of people thought, oh, no big deal. And I said, oh, you shut off the electricity and the water in New York City. Okay, first of all, everything below ground level has pumps working 24-7 to keep the water out. So instantly you've flooded the whole rail system and everything underneath and everything's gone. They shut down in what, two days? And they're done. And the city's just collapsed. Yeah, and plus everyone in the high-rise can't get water, right? No pumps. There's no pumps. The only thing that would probably work is fire hydrants, but only barely, right? So you can destroy a city with water. So is it the actual, because I know a lot of those devices talk skated to outbound, so the ones that are converting IP, so I was of the opinion that the hacks for these was actually on the IP side, that there's a leak. Like, Lantronix used to make a lot of these modules for devices, right? That were converting serial to IP data back, you know, been around a long time. And then a lot of it got embedded into the device itself.
And I'm presuming that those are the same guys who made it, but a lot of the, my understanding is a lot of that hackability of those devices is because that IP interface was just not built with any real, there's no HTTPS in it. It can't handle a certificate or anything. Right, so it's just sitting there waiting for instructions and it really doesn't care who's giving the instructions. It's open HTTP. Someone can walk in with a USB drive. You think this is so because it's air-gapped, right? Which means you're... Yeah, it's not touching the internet. It's not touching the internet. It's not touching your regular network. It's completely, you know, it's like a closed-circuit TV camera system. But you can walk in with a flash drive you found in the parking lot and plug it in. And really great programs at DEF CON this year were demonstrating how they hack the drivers on a USB drive. And a lot of people don't realize when you put a USB stick into the computer it automatically, your computer will reach out, the operating system will reach out to that USB drive and say, hey, what driver do you want me to install for you to operate? Ouch. And if someone's hacked that driver you've just given them permission to write to your operating system. Something simple, just enough to get a back door open and let someone channel in from the outside. Ouch. So you don't want to put in a USB drive. There's no fix to this right away. Yeah. By the way, none. Yeah. You have to glue the USB drive shut. Yeah. You have to just glue it in there and make sure they don't work. Right. Just turning them off doesn't do that. And you can shut them off, but the operating system is still going to see it's there and reach out for it. Try to query it. It's built in. Ouch. It's a convenience for the user, right? So the USB attacks are big. Let's talk about healthcare devices now. Now the latest one to get out, and this is the scariest one, the pacemaker. How's that? What happened?
So I was at the convention so I'm not up on it. What happened to this pacemaker? So this was a live pacemaker? Like in somebody's body? Yes. So what happened was no one died yet that we know about, but the pacemaker has a Wi-Fi or Bluetooth close-range radio signal to talk to a human-machine interface so the doctor can read irregularities in the heartbeat and skips and to see if you're healthy or not. The old ones, you actually have to have a plug to plug into the person's chest. Like a port. Yeah, like a port. You'd have to leave a port open or actually cut them open. So this one was wireless. It's very convenient. But as we all know, the more times you build in convenience to customers, the less security you implement. So we're stuck with a pacemaker now that can not only be altered to give you the wrong data so the doctor doesn't realize there's a problem happening, but you can also deliver a shock that will interrupt the heartbeat. That lethal shock could potentially stop your heart. So researchers did this or someone got hacked? I do not want to reveal my sources. But it's out there. It's out there. I definitely saw that there was a report about it. I didn't know if it was a... A lot of times researchers are finding these vulnerabilities and then other times, the victim finds the vulnerability. So it's like, wow. Oh, yeah. They specifically said, the folks that I was quoting here, nobody's died yet that they know of, which is a really good thing. So if you have one of these kind of pacemakers, you can get a pacemaker. Here's the caveat. Okay. The patch could damage the pacemaker. That's not good. So there's a potential... You need a new pacemaker. You need to have your pacemaker replaced. Or just take some precautions so people can't wander around getting access to your pacemaker. I don't know how you do that. I guess we're... Turn off the light. RFID-proof clothing. Do you think wrap yourself in foil? Oh my gosh. The new Faraday jacket. Wow.
But healthcare in general, the devices are not secure. Another one that they researched was there's devices that will administer the right dose of morphine or insulin or something when you're in your bed and the nurse isn't actively making rounds. They have a reduced staff. So they have these automated mechanisms. So someone at the main nursing station can monitor how much insulin you're supposed to get at a certain time. Well, again, if that's hacked, you can administer a lethal dose of insulin. So what's the connectivity to the console? It's Wi-Fi. It's Wi-Fi. And so you've got hospital Wi-Fi, which is using WPA2. Which is now crackable. And so is home. There's just no good news sometimes from this show. WPA2 is really bad. That hurts a lot of us. And it's apparently difficult to fix because fixes aren't rolling out the door. It's been a week, right? Well, for healthcare, it's not just this. I think that they reduce staff to increase profitability or at least make a living. And unfortunately, they reduce the amount of IT staff they've got on hand. And the IT staff is stretched so thin that they have to implement so fast that they're not going behind and showing the controls the way they should. We've got to get somebody in here to talk about that. Steve Ross. Somebody from the hospital, in the hospital, has talked about that. No, that'd be great if they didn't increase too much liability. Yeah, see what they could... What can they tell us about what they're up to? You know, how are they working to work on that problem? You know, I know they're all not just sitting there. You know, they're busy, right? They're busy working on their infrastructure. That's why they're so, I think, abstracted from the problem, is they're just so busy doing so many things. Yeah. Sometimes you wear multiple hats. Sure. So you forget about it. Mm-hmm. You know, hey, it's a work-in. Great, I've got to move on. Yeah. That's the worst part.
Has there been a report, like, from Krebs or anyone yet on that particular issue? He does healthcare, yeah. Healthcare. Has he talked about the pacemaker yet? He hasn't talked about the pacemaker. Okay. So he's still researching. That guy's great. I guess something. So go to, look up Brian Krebs, KrebsOnSecurity.org. Yeah, I think so. Yeah, and he's probably the best security researcher out there. As a matter of fact, he's on everybody's crap list who's a bad guy, and we were talking about this from the show. Somebody actually sent him a package of heroin to his door and then called the police and said, go look at this guy because he's got heroin. Because he's got heroin. Right, right. But the hacker didn't know that Brian Krebs had already infiltrated his drug ring on the dark web. Oh, so he knew the package was coming? He knew it was coming. That's awesome. Brian's that good. Good for you, man. I'm going to get you on the show. I was thinking that maybe the Insights guys might be helping him out. Tom, Tom and his crew, some of that, that's their kind of homework. That's the deep dark intelligence on the dark web, and they use artificial intelligence to reason all that stuff out. And they impersonate people on the web? Yeah. So you never know? So you can see who's building hacks against you, and they would probably help someone like Brian, I'm sure. Like, Brian, we found this clown coming out of there. Highly valuable to Brian, I would imagine. Oh, yeah. Give him a little bit more free time. Yeah, I got him busy. He could do some real research, get and outsource that, Brian, to Insights. Let's talk about really hard things to overcome. Let's talk about access cards. This is something you do a lot, right? Oh. You can use proximity cards. You can use proximity cards, or the old-school swipe, right? Mag stripe. They can all be copied. Oh, yeah. Right.
And the RFID cards, where you just walk up to the reader and beep it, that can be read and duplicated from three feet away. And replayed. Sure. Right? And that's a danger. And also the signal going, the Wiegand is unencrypted, so the signal on the wire. So, you know, even if I can't get it from the card, I can just put a little device on the wire that broadcasts it via USB. You can put it, like, on your phone. And then, like, when you go put your card to the reader and go in, I can come by behind you and play it from my phone to the reader. It just lets me right in. So, easy fix. So, when you're not at work, put that RFID card maybe in an RFID-proof wallet. Yeah. Well, we use one that's got some encryption on it. I mean, so we have some higher-level cards. We're talking about 125 kHz prox here that's very, very simple to hack. 125 kHz. Yeah, so the 13.56 can carry more circuitry. That's megahertz. It can carry a certificate. You can have encryption from the card to the reader. So, those, you could copy, but you can't read it. So, good fix. Low budget, high budget, and we're out of time. Yeah, spend the money for a good card. Can you believe it? We're out of time already. That fast? It just flies by. Thanks for joining us, everybody. And Aloha from the Cyber Underground. Come back next week and we're going to be doing some more great stuff and talking to some more great people. Until then, stay safe.