 Welcome back to the Cyber Underground. I've missed you, everybody. I've been away for a while. I had some business to attend to. Now I'm back. We're going to start this episode real nice and easy. We're going to cover a lot of ground. And it's just me. I know. If you don't like that, come back on the next episode. We'll have a guest for you. It's okay. I understand. I'm feeling a little bit meh. Like everybody else these days, we don't know what's going on. We've had two years of this last Trump presidency. We have no idea where we're going. That's okay. For a little while, kick back, relax. Let's go through some cybersecurity tips, tricks, patches, fixes, and everything to keep you safe out there in the real world. We're going to split this episode up into a couple parts. The first part of this episode will be everything I just mentioned. The second part, we're going to go into some news about some surveys that have been conducted for cybersecurity and some shocking results. So stay around for that. We'll have a one minute break in the middle of the episode after we cover some ground. We're going to divide this up into local news, national news, and some tips and tricks. We're going to start out for local. As you all know, I teach for the University of Hawaii, a Capulani Community College, about nine-tenths of a mile from the beautiful sands of Waikiki Beach. Don't be a hater. That's just my job. I teach networking security and ethical hacking. That's what I do for a living, and I absolutely love it. So I try to keep everybody safe, and let me keep you informed of some local stuff. If you're a local watchin' out here, you're in Hawaii, especially on the island of Oahu, which is where I teach. This news is going to be important to you. If it's not important to you, and you just want to deal with the national stuff, fast forward a couple of minutes, and you can catch up there. So let's talk about the Capulani Community College. We out here call it KCC or CAPCC. We have at our community college level a certificate of competence and a certificate of achievement in cybersecurity, and it corresponds with our associate's degree courses in IT. And I teach the upper two-year division classes for those topics. We just need to make a couple announcements on what's going on in cybersecurity. We have some new online classes coming up for fall. We'll be teaching a lot more stuff online, not everything, but we're getting there. So if you're not on this island, you're one of our neighbor islands, you can't really get here on campus, you can take a lot of our courses online, including mine. I'm doing mine online. We're also teaching a third-year program called the Advanced Professional Certification. That's all the 300 level courses. You take six of them, that's 18 credits, and you get an Advanced Professional Certificate. And that now transfers to UH Maui for the rest of their online program for the applied business and information technology degree. So you get a block transfer grant of your associate's degree, plus the 18 units of your APC, a Capricorn Line at Community College, and the rest of the bachelor's degree, the last three semesters, you can do completely online. Of course, you can also go to Maui. That's not a bad place. I kind of like the campus, and they'd love to see you out there. But if you want to do online, you can. That's one of the big problems out here in the islands is driving to and from in the islands is kind of a pain in the butt. If you have to transfer to another campus, and it just happens to be, say, on the other side of Oahu, that commute can take you up to two hours in traffic. I know. Traffic is terrible on this island. So here's another option for all your students out there. Also, if you're going for one of the CompTIA professional industry certifications like Net Plus A Plus or Security Plus, we now teach not only the course, the 16 week course that gets you prepared for that material and teaches the material of the test, we also now teach you one credit, kind of a boot camp crash course to prepare you. It's called a cert prep course to get you ready to actually take the examination. We teach the Security Plus and Net Plus test this fall. They're coming up starting the 23rd of February and we'll run that the first one Net Plus for four weeks, four Saturdays, four hours. And then we'll skip a week and go right into March 30th. For the next four weeks, we'll teach the Security Plus cert prep course. And for those of you KCC students out there taking these courses for one year only, this first year we're starting the program. We're reimbursing you for the cost of the certification exam. So save a couple hundred bucks there. We'll pay you back for successfully passing that exam if you've taken the class with us first. All right, we'll also be teaching those same three courses in one week increments over the summer starting July 8th. We'll do one week A Plus, one week Net Plus, one week Security Plus. Tuition in summer is a little bit higher. However, it's still less than taking these Conktya bootcamps in the civilian sector. So consider that. We have some highly qualified professionals teaching these courses. You can knock it out in one week, prepare for the test and take it. And if you're a KCC student, again, you get reimbursed for the cost of that examination. So we'd love to see you think about that. We'll also teach these courses coming up in the fall. Schedules pending. I'll announce it at one of our later shows. Now we also have the Collegian Cyber Defense Competition coming up. We have a qualifying round at our school on February 23rd. If you're a local student, a KCC student, especially come see us. We're putting together a team of eight professional students that will defend a network and lock down some servers for four hours to qualify for the next round, which is a defensive posture competition where students will defend a network while an active red team attacks. This is a great competition. It's a real life scenario where you're protecting a business and someone's trying to compromise your computers. And don't get disappointed if you do the test or the competition and you fail because everybody in this competition eventually succumbs to the red team because they're fantastic. They're professionals. They do this for a living and they're going to get in. So it's just a matter of time, but it's a fun exercise. It's a great competition. It's free. I was always bringing in pizza for the day. So anyway, February 23rd, give me a contact shout out there. I'm at David.Stevens at Hawaii.edu. And I will respond and put you on the team if you're a KCC student. If you're not, I will forward you on to one of the other local campuses where you might be taking classes and you can participate there as well. Oahu has several college campuses that you can participate in. Also, we're going to move now into the more national stuff. There's a Women in Cybersecurity Conference coming up in Pittsburgh, Pennsylvania, the March 28th through the 30th as a gen cyber competition in the first day of presentations, workshops, panels, and a career village of women we need you in the cybersecurity field. If you didn't know this, there's not a lot of you in the cybersecurity field or IT in general. And we've come to realize, all of us as Earthlings, that diversity actually increases efficiency. So we can't have a bunch of guys in IT in cybersecurity. We need your perspective too. So please join the workforce. We need you. This is a reflect in some of my classes. When I first started teaching cybersecurity just a few years ago at KCC, we only had one or two girls in the program. They're proud graduates now of UH West Oahu and the information and assurance degree for the bachelor level. But now my classes are up to 40% young women. And I'm quite proud to say they're doing very well. So please come join us. Participate in this fantastic career and cybersecurity right now has a 0% unemployment rate. So join the workforce. We need you. That's just one of the events coming up. And women in cybersecurity is a big thing out here. Let's talk about upgrades in the first half of the show. And I personally promote upgrades to your system, patches fixes and security upgrades. They take care of what I believe are about 90% of the problems you're going to experience and here's why. There's a couple of different types of hackers. And the most prevalent type of hacker is the extremely lazy hacker. The lazy hacker will go to a website like offensive to security.com. And find their offensive security database and look at all the vulnerabilities and hacks. They will download those hacks that are already figured out by somebody else. They'll apply a scripting tool, which is freely available, open source, or they'll make a small purchase. And they'll run this script against dozens, if not thousands of computers to try to hack into a system. But that's not really not a hacker. We call them script kitties. And if you're constantly upgrading your system to the latest version of the OS and the most efficient and most recent security fixes, these scripts will not work. The only thing that will work if you keep your system completely up to date is something called a zero day. Which of course it's a vulnerability that hasn't actually been tried or has been tried but never published. So you don't know it's out there. So zero days are still about 10% of what's going on out there. And the professional hackers, the serious security researchers can get into your system with these. And we'll talk about those in a second. However, let's talk about patches and upgrades, fixes, and what you can do to stay safe with your system. If you're a Mac user, let's talk about the Mac OS right now. Mac OS, if you're running a Mac OS and your computer is within 2015 or above, you should be able to upgrade to Mac OS 10.14.3. You should be there. That's Mac OS Mojave. Even if you don't like it, it's the most secure Mac OS out there. There's still a couple of vulnerabilities. However, we'll talk about those in a few minutes. However, it's still the most secure system out there. If you're running an iOS device, that's an Apple TV, that's an Apple Watch, or you're running an iPhone or an iPad, you have one of the iOS operating systems on there. iOS, you should be up at 12.4.1. That's the major, minor, and revision number of the latest OS out there. And you should upgrade that because there's a lot of security challenges to these devices and mobile is one of the targeting mechanisms for or vectors for some of these advanced hackers. So upgrade your phones and your other systems as well. Now, out there on Firefox and Chrome, your latest browser, there's a couple of different versions of Firefox out there. Firefox uses Firefox Chrome, sorry, Firefox Quantum. And you should be up to version 65. But Firefox has another version out there, this Mozilla browser called the extended service release or ESR. So Firefox ESR, bring yourself up to 60.5. That's the version you should be on. Chrome, now when you see the major, minor, revision and build number of Chrome's software release, it's fairly long. So I'm just going to tell you go up to version 72. Another easiest way to upgrade these things on a Mac, you can go to about in the upper menus of these browsers and look for about, click on that and it'll upgrade you automatically to whatever the latest version is. Then on Windows 10, all you need to do is remember patch Tuesdays. No Microsoft releases, all their software patches, usually on the first or second Tuesday of the month, I forget which one it is. But that Tuesday, they'll release a package which covers the OS, Microsoft Office and a number of other Microsoft applications included in that release and it covers all the security features and all the tweaks and patches and fixes that you need to keep Windows safe. And you should be on Windows 10, not Windows 8, not Windows 7 and certainly not Windows XP. That was a workhorse OS, but it was the downfall of the British national health system just a little while ago when WannaCry took over using SMB server message block 1.0. And it was because the management of that organization decided to save a little money by not upgrading their systems. Kiss it, dad. Don't ever let that happen to you if you're managing a system, by the way. Let's talk about the latest OS hack for Mac OS. A security researcher has published a way to get your key chain information on a Mac computer. That's all the information that has all your passwords all tucked away and supposedly encrypted and safe. But he found a way to do it even without admin permissions. Now he published screenshots only and he won't publish the actual hack because there is no bug bounty program at Apple. Apple, shame on you, you should be paying for this. Get out there and use your security researchers. They're actually working for you. Don't be afraid, don't have them arrested. They're actually making things safer in the world and you need them. So Apple, wake up. All right, with our last 30 seconds here, we'll talk really quick about the default passwords on devices now. Information goes all over the place, all over your home all the time. And we keep adding little devices out there with the Amazon Alexa. We have the Apple TV. We have web cams. We have pet cams, horrible things. Change at the very least, change the default passwords that come with those devices. We're gonna talk about that a little bit more right after the break. Until then, let's take a minute, pay some bills, and we'll come right back. Aloha, this is Winston Welch. I am your host of Out and About, where every other week, Mondays at 3, we explore a variety of topics in our city, state, nation and world. And events, organizations, the people that fuel them. It's a really interesting show. We welcome you to tune in and we welcome your suggestions for shows. You got a lot of them out there. And we have an awesome studio here where we can get your ideas out as well. So I look forward to you tuning in every other week where we've got some great guests and great topics. You're gonna learn a lot. You're gonna come away inspired like I do. So I'll see you every other week here at 3 o'clock on Monday afternoon. Aloha. Aloha and welcome to At the Crossroads. I'm your host, Keisha King. You can catch me every Wednesday. Alive at 5. I'll see you there. Welcome back at the Cyber Underground for the second half of our show. We did not get to everything I wanted to talk about in the first half of the show. Guess I talked too slow. Oh well. We're talking about default passwords on IoT or Internet of Things devices, those devices that don't actually do computer work in your house, but they have a solid function. You could have an Internet-enabled toaster or microwave oven or refrigerators. Those are proper to now. You may not know it, but there's a computer inside the DVR. You use that the cable company gave you those pet cubes with a camera on them. So you can keep track of your pets while you're at work. Those are horrible. Don't use those. But if you do, change the default passwords to come with that system. One of the pet cubes I tried, the webcam, didn't even ask for a password. Just used my Wi-Fi, which I was really upset about. So those default passwords are monitored on a website called Shodan. And if you look up Shodan in Google, they'll show you where Shodan is. Go look at Shodan and I'll show you all the IP addresses out there that are publicly accessible. They're using default passwords for things like your links router, your Belkin router, your other IoT devices, your webcams that you forgot to change the password on them. Change that password. Make it a tough password. Don't use a password. Use a passphrase. The longer the better. If you can memorize, Mary had a little lamb and change out some of the words for another language. Great. Works for me. A lot of special characters don't really meet a lot. The length of the password is actually what makes it stronger these days. So think about that passphrase, that password. And if you've got passwords out there that are old, that are, say, older than three or six months, change them. Don't depend on those passwords. And for God's sakes, don't use the same password for everything. Please. You'll be calling people like me to fix your problems. Or you'll be a victim of identity theft. They'll let that happen. OK. Let's look at the next item on the list. We have some conferences here in the islands that you should always attend. If you want an excuse to come out and attend conferences in the islands, there's always one at the beginning of the year, right around the second week of January, first week of January. We do the Hawaii International Conference on System Sciences. There's always a cybersecurity track in there. I'm usually there participating in the cybersecurity track. So I'd love to meet you if you come out here to the islands. It tours the islands, actually, two years at each island. We've done two years at Kauai and the Big Island. And now we're on the second year of Maui at the Grand Wailea. Next year, it'll be starting on January 7th in 2020. And it's a great little conference and bring the family and enjoy Maui, as well as getting to meet some of the people that do cybersecurity out here in the islands as well. There's another conference that started up here just a little while ago, a few years back called the Pacific Rim Critical Infrastructure Cybersecurity Conference, hosted by energisec.org. You can look it up on their website. We're going to be doing this on February 12th and 13th, right down the street in Waikiki. And yeah, I'll be speaking on one of those at 10.30 in the morning on February 12th. I'll be there. I'd love to meet you. Come on out. It's not that expensive. You just got to get to Hawaii. And what's wrong with that? Right. Come on out and see me. Let's talk about more IoT threats and the weaponizing of these information systems. These are the Internet of Things devices that you may not suspect can do a lot more damage to not just your home network, but many government networks as well, because we're installing these devices all over the place. And I'm going to give you examples of some research that prove that this could be detrimental on a grand level. And if any of you are working for the DoD out there, please listen, because this was actually a demonstrable model. And it's written in a paper, and I'm going to tell you where to find it. Some researchers went out and they did a simulation of a network in Poland. And yeah, in Poland, in Europe, they said, okay, we have a lot of these IoT devices that just happened to control the flow of electricity on the power grid. And what they found, these statistics that I'm going to read you here, they found that if they increased the power by only 1%, they caused an 86% power blackout on the grid. That's not a lot to adjust a power output in a very small system, but they had enough of these systems, these little IoT devices all over the network, that a 1% power increase across all those IoT devices caused an 86% blackout across the grid. This happened in Poland, imagine if it happened in America. That kind of a blackout could cause some serious trouble, especially when you talk about the security of the nation. This was done at the USENIX security symposium, and it's a paper, if you look up USENIX, US-E-N-I-X security symposium this last year, look up that paper on the Polish power grid, and you'll see those statistics. And they're a little scary that IoT can take down in the entire grid. Now if you leave up a webcam, you're on your own. Those are easy to hack, they're easy to knock off the network, and when they re-authenticate to the network, you can use a monitoring tool to grab the username and password, especially because most of them don't use encryption, and then they're easy to get onto your network. Now once someone gets on to that webcam on your network, they can use that as what they call a pivot point and get to the rest of the systems on your network. So IoT, you take in your chances by using some of these limited function systems, at least change the default password and give yourself a little bit of safety there. Take it up a little bit. And remember, security is a layered approach. We use defense and depth. So change the default password and do that for all your systems. And then you can add other security features as well, but we're not going to get into that in this episode. Well, let's go into some shocking business statistics for security that I just find at the same time hilarious and saddening at the same time. CreditCards.com did a survey. And here's some of the results from the respondents who apparently were painfully honest when they responded. 82% of the respondents, ladies and gentlemen, let that sink in. We're talking about 82% of the people surveyed reuse passwords for different accounts. You just give that a second. Again, let it sink in. Why would you use the same password for multiple counts? I know you're lazy. Stop it. Don't be lazy. That leads to people hacking one account and then saying, hey, I got this password. Let me try it on all the other accounts this person might have. And guess what? If you've used it also on Amazon and Netflix and your bank account, well, now they have access to all those things. And once they're in, they can change the password and all the other default information. So it's no longer your account. It's their account. So change your passwords and keep different passwords. All right. 22% of those users do use the same password across multiple accounts all the time. And that's their only password. 48% of the respondents use public Wi-Fi networks. Now go ahead and use these networks, but don't do your banking. Don't do your personal business. Don't even send email over a public Wi-Fi network because that's all unencrypted traffic. And anybody can get it with a tool as easy to operate as Wireshark. And that's, of course, an open source system. So go out there and use something like a VPN. VPNs are cheap. Some of them are free. Use at least a VPN and give yourself a little bit of a protection layer there. But as soon as you're on a public Wi-Fi network, you have to employ more security methods because someone's always watching. Especially at Starbucks, hate to say it, but that's one of the main places hackers go. 45% of the respondents to the survey store passwords on their computer or smartphone. Don't do that. Please don't do that. If there's a file anywhere in your smartphone or any computer, you'll probably call it passwords or access or my file or something easy to recognize. So when someone gets into your computer somehow, they know that's the file they should rip off because it has the kings to the kingdom. So don't do that. Keep it somewhere else. Now, some of the smarter people I know actually handwrite their passwords and usernames and websites in a little book. And if they need their passwords, they can use it and find their password. And when they're done with that book, they put it in drawer and they physically lock the drawer. Lots of layers of security there. It's physically separated from the network. We call that an air gap. And it's not even digital information. So again, a lot of layers of security. That's a good system. You should try that out. Props to my brother-in-law for telling me he does that. I'd bring that to the show. All right, 35% do the same with payment information. They keep it on the computer. Again, don't do that. If you have to print it out, keep it in a file cabinet somewhere, but if it's digitized, if it's digitally accessible, you're increasing the risk to yourself. So just stop doing that. I know it's a little bit more work, but in the end, no identity theft. It's worth the effort, right? Let's look at some more business email compromise or what they call BEC. Those scams, this is incredible now. In the last year, those scams are up 476%. 476% more prevalent in the attacking scheme of hackers. Business email. People get busy with their days and they don't think about what they're clicking. They just click on that link, and it can be an avenue for malware to be downloaded on the computer. Once somebody is on your computer at work, it doesn't matter if you're an administrator or not, they will use your system as a pivot point. The first thing to do is change the process ID so you can't recognize it for virus control. They'll change the name of their program to match something in your task manager like iExplore or Notepad that's completely innocuous and then they elevate privileges to an administrator level and they'll start scanning the network so they can pivot to another system that's more important and has more important data. You're the key to that. Don't get compromised. One weak link in the chain can break the whole thing. And of course, firewalls don't matter if somebody gets in that way. There's been a 442% increase of phishing attacks. Now those are the business compromised emails that we're talking about. In the enterprise or business, if you get in in any way to that person's email account and drop some malware on the computer, like I said, you can pivot. And there's been a 442% increase in phishing attacks. That's when they use a piece of personal information that resonates with you to make you click on a link and they're using social media support accounts. So if you see a support account from Facebook or from Bank of America, be highly suspicious. Check out those links. Make sure it's from that organization. And if you're at all suspicious, don't call the number in the email. Go look up their number and call that organization directly and see if they actually sent you that email. Happened to somebody I talked to this morning. She called that organization. It just happened to the U.S. Postal Service. And they said, nope, that's not our email. Proving she'd been a victim of a phishing attack. Comparatek, this is great. Just did a survey of which countries have the best and worst cybersecurity. Now, I don't think we have enough time to go into all the factors that made the best and the worst cybersecurity, but I'd like to read you some best and worst countries. First of all, the best countries to live in for cybersecurity. And guess what? North America, Canada, and the United States. Top two. Third, Australia. Good job, Aussies. I like it. Way to go. Worst. And I don't know why, but Algeria? I don't know. I'm not hacking Algeria. I don't know who wants Algeria, but Algeria is the worst. Followed by Indonesia, pretty country, not very good cybersecurity, and then Vietnam, which is right now synonymous with chaos, unfortunately. I'm not going to go into what made this survey happen, but I will read you some shocking statistics at the highest percentage of computer malware infections in the world right now. Algeria, 32% of the people that use computers in that country, that's a third of the people, almost, have malware on their computers. The highest percentage of Telnet attacks. China, almost 30%, it's 27.15. And the highest percentage of crypto miners, which we've discussed on this show before, Uzbekistan, almost 15% of the people. Well, that's the news and events, tips, tricks, patches, and fixes to keep you safe in today's cybersecurity space. And I hope you join us next week, and I'll give you some more tips and tricks, local and national news and cybersecurity. Until then, stay safe.