 Hey Aloha, how you doing? This is Andrew the security guy not Gordo the Texar here on Hibachi Talk Glad to have you back this week. We got some really interesting stuff for you today. I'm sorry Gordo's not here to host He's off chasing his grandson and UH, you know, they're on I think their last away game this this week So and he's traveled with every away game. They've had which has been amazing with us today, I do have a new co-host for you the professor in direct from Kapiolani Community College Dave Stevens and we're gonna give you that nickname because you've agreed to co-host once in a while We're just gonna call you the professor. I'm excited to be here and I thank you and our guest today is Rochelle My my links again. Yeah, did I get it close? She's a she's the ICT president at Kapiolani Community College and We're gonna talk a little bit about ICT But first we'd like to know a little bit about you like where did you grow up? How'd you end up where you are today? So maybe take us through some of that, okay? I grew up in Honolulu, Hawaii. I was born and raised here. I actually have a Nutrition degree a sociology degree. So I worked as a as a nutritionist and we're doing a school You each and we know before high school Sacred Hearts. Okay. Okay, right on. I'll go school And then I went on to UH Manoa and I worked in a hospital for over 10 years. Wow, okay in nutrition. Yes, okay Did you work with who do what professors at Manoa did you have? I have a friend I cycled with it's a nutrition PhD there, but I can't think I'm intentional. No, it's a name Maria Can't think of her last name off-hand sorry So so a background in nutrition and health care. So yeah, what kind of what did you work with like geriatric or? Who were you feeding someone? The staff The hospital I worked at is primarily geriatric, okay But then I had a few like one start took care of was a orthopedic and then there was cardiology as well Okay, interesting. How was it? 
Well, she's with ICT now It was rewarding in the many ways, but I Kind of wanted to do something else. Ah, so it took a different career. Yes, right on You're not an easy career path at that. She actually represents a large portion of our student population, okay? Returning students. Yeah, so changing careers just second and third careers Oh, yeah, a lot of them coming off of disability or retirement from the military or laid off from a big change like Aloha Airlines when it when it changed to just cargo, right? So a lot of those students are with us now. I said we need a such a shortage You know so did you did you know there was a such a workforce shortage? Or did you just want something with a different type of challenge? Well, initially when I went to KCC I was going to do radiology tech Oh, but I had to take a lot of classes that I already took over again to be more competitive I was like, there's no way there's so many sciences that I had to take So I was like, I really like computers and when I used to work at the hospital the IT guys would come in our office And I'll be helping them. Oh, really? Yeah Wow You had an aptitude. Yeah Pre-train Listen, we do a little segment called you know got one tech job And I don't know if we could have straightened these guys out, but let's have a quick look at some people who shouldn't have had a job now See you had one job now see these buttons. This is probably on a remote control But that's that's not left. Is that I mean isn't that confusing when you read left, but the arrow points, right? 
But I'm dyslexic so that's perfect that so but do you ever get where you're going like I mean that's Eventually if you keep turning right, you're gonna make a left Okay, so so maybe you know some of those guys that you were helping they maybe they should have been doing something else So let's let's talk a little bit about ICT which is the information communication and technology club And I know there's one at KCC I know there's a group at Honolulu that have a different name I think and then a group at Manoa have a different name. We've had IT MSA on here from Manoa I think Shardler School of Business So tell us a little about the club that you have there. So um, our club is pretty new Dave actually Asked any of us if you wanted to start a club and no one really jumped to it Ah, so I emailed him and said, you know, I'm interested because I I was President for other clubs before for school and for my son. I'm PTG Her teachers guild. I have I have background. You have leadership. Yeah Yes, if you're not reading between the lines So I took that opportunity and I actually are at KCC there's about over 20 Registered independent organizations on campus. So the ICT club officially became a Registered independent organization in September. So we're still fairly new but we're still trying to get more members and hopefully it goes And how do you go about recruiting like what do you hand out flyers? You knock on doors. You move ahead You drag We announced it in class, but actually just this past Tuesday. We had an RAO day club On campus. 
So we had because it's open to membership is open to everyone at KCC Sure, and also those that are at UH West Oahu that are taking at least one course in one course at KCC Like IT also some of them had to cross over just because of their schedules or the right offering Midstream transferring in Articulating to UH West so they're doing a couple classes at KCC and doing a lot of classes over at UH West at the same time I see awesome And so you open that up to them and do you have are you pulling members from there as well? Is that working out? There are there actually are members awesome. So how do you get help? Do you have to run on you know when you get these volunteer organizations like no one helps you? You're the one who's running it I know I was gonna be president. He told me he's like, okay, so that's all I'm told. Yeah I don't know. I have all-in told people to be vice-president And so what what's the mission of the club what's you know, what's what's your vision for right? Well, our mission for the club is just to promote the IT fields in the community and also Around campus where we were trying to teach more like do like more community service kind of like Dave was saying Go to like retirement homes and teach about like cyber security like Seniors get scammed a lot big so we're trying to do that as well That's excellent. Some of the most egregious victimization of people through social engineers who are seeing your community We want to get out there and and teach them how to avoid that. Yeah, I know they're they're Predated right there. They're unfortunately. They're a targeted audience That's important to do that work for the community. So what about on campus? I'm kind of interested. Is there a is it a competitive right trying to recruit people into the to the sec field with like you So yourself went back for radiology, but end up getting an sec. What what do you find? 
No, our main people just are the younger they older like we talked about these some multi career path What what do you what do you see there on campus like what's the impact of sec? The population is young and I'm the mixture of Older Yes, so multi career so people you said some would come back for maybe second right And then we have a lot of a lot of that or a lot of students from UH who got their degree their undergrad and something else and Didn't enjoy the career field or couldn't really pursue a career field as far as they wanted to go in Wow so they're changing and we we have you know a few people that got a bachelor's in business and they're now in cyber security and One of them just interviewed and is now an official DoD cybersecurity contractor. Well, he's still taking my class The kids get hired right out of class. Yeah, so he's he's an he's an average student You know a mid-range student average age or about 26 to 28 years old Oh, so we don't we don't have so these aren't like teenagers. No, sir You've got a I would say to me a little bit slightly older popular slightly older than more mature right out of high school Very motivated sure Money's good. Well, when they see that they're tremendously motivated But they're motivated just to change their lives and do something to really want to be interested in for the rest of their lives So most people get into a career and they think oh my gosh But these are people like you know, they're motivated to change make that change and we support that and I think I see T So but you have you have other disciplines not just cyber security, right? You obviously if I have database sure we do the broad spectrum everything from media arts on down to gaming and databases and programming and Working and that were security and we do cyber and is is is the ICT club opened up all those disciplines as well Like you're okay. Good. Awesome. So Let me see. 
So What are you pulling to the club that same mixture or is it more more order is you know responsible? Or what would you try? What are you getting in your club? What's your what's your? Yeah It's a mixed year The original intent of the club really I wanted to get them all to an industry standard conference full Black Hat and DEF CON right next year And I was informed by you know upper management at the university that I should start ICT club on campus and promote that and do fundraisers for that club so that club can go to the conference So that's what we've done. We're trying to do there that Evolved rapidly. So what we're doing now is we were talking about this last week I put out a feeler to all our IT advisory folks and I said look you all have companies Can we do some mock back black box spear phishing campaigns against your companies? And you give us a donation if we get anyone to click on our links and interest and personal information We had a very positive response at about 15% response So we're actually in our first cycle right now. We have our first customer. Are you and are you on the team? Yes, no, what's your favorite? Are you a technical phisher or a bus? You're doing social engineering pick up the phone call No, I'm the research organizer Sure Yeah, yeah, exactly you go to the social media sites and then maybe you do I find out what their website is doing a couple banner grabs You know tell that to that site and see if you can pull back some information Are they running Microsoft IIS or they're running Apache and then you know, what are the exploits now? How can I get around this? How can I send an email without them knowing or knowing it's from me and outside their organization? It's sure so right now. We're in the research phase. Yeah, we've got 30 days to get this done Oh, we have to report is it? Yeah, I told them just Is How many is it teams? 
How are they how are you organized for that that particular effort because that's that's a donation I should a classroom effort or is it some boat? No, no, it's outside the classroom Okay, so this is this is a extra time that they're putting in on the careers And I'm really excited about that because they get the hands-on experience sure of actually doing this when they go into a company They're not saying oh, I did all this theoretical and lab stuff in school But now I'm ready for my on-the-job training. No, they're ready to hit the ground running And you got this real life Test that got going on. Hopefully it'll evolve from this to maybe security audits Where they go in the organization, you know, what are your network ports? How often you change your passwords and stuff like that? So yeah, I'm really excited. You know, I just had to hand a little paper about the new NIST guidance for small business. I don't know if you saw that document Haven't seen it. It's it just came out a few days ago But it is it you know the small business is really struggling Hawaii has a ton of them, right? And they really struggle with just just even invent auditing their type of information that they have right and the minor assessments There's some minor assessment tools But I was thinking that your group could take something like this because many are in the supply chain to DoD Which these are going to be requirements from their aqua's from this way is from a small vendor Yeah, and the these these controls that they need to implement based on this is based on Unclassified information being considered a moderate risk to well enough unclass information that sensitive can be compiled into Sensitive and terminal information exactly cute and attack. 
And so this I thought we'd not maybe not today But this is something that I think that you could take that time and help help consult to small businesses How to get implemented how to get started as many of them aren't aware They're gonna start losing their contracts if they can't fulfill these requirements Simple stuff to they just don't know a wireless router. You leave the default settings for username and password things like that It's really easy to break into some of these places. Sure. Just a just a punch list. Yeah, and it's an it's an absolute Vulnerability that's out there. So we're gonna take a break for about a minute. We'll be back with Rochelle and Dave We're gonna pay a few bills. We'll see you right after 
Hello, hi, welcome back to Hibachi Talk here with Dave and Rochelle, and I got a security minute for you Came across a nice article about two-factor authentication And you know, this is something that it's something that you have something that you know something that you are And using any two of those three to help authenticate yourself or help prove that you are who you're supposed to be to a system like a Bank for example, you know you show up and use you have a card with you and you know the pin code, right? So that's an example of two-factor authentication There's a lot of other services out there that you may not know about they use things like Google Authenticator Which is an app you can download that runs a constantly changing number and you can use that along with your password to log into certain sites Microsoft has one You can go look at the stuff I'm quoting is from a Surveillance Self-Defense just a site And I thought you know have we talked about some of these things, but we really don't don't tell you where to get the information so You know if you if you're visiting places, and you need greater or you want better account security I would advise you to try these types of things and keep someone from sort of hijacking just your password Learning it and then getting into your site and emulating you or changing it and locking you out of your site things like that There's a couple of problems that you should know about with two-factor course if you lose one of your factors You may be locked out of that account until you can get your factor back Like if you're relying on your phone or like a mobile authenticator on your phone You don't have your phone with you obviously you may not be able to get access to that data Most of these sites do allow you to have a one-time code of some type that can get you in no matter What the remember if you're keeping that you've kind of 
defeated the purpose So don't if you have something like that keep it very secure You can definitely go to twofactorauth.org for more information was just flashed up there The other thing I want to talk about was a lot of these we use SMS messaging right to send you a message for a one-time code and SMS goes in the clear so that that Code is going out and it's captureable by people who are seeing with me today who'd like to capture this kind of stuff So anyway But anyways, it's still better to have a single factor authentication So if you don't know about 2FA go to 2fa dot twofactorauth dot org Get some more information and see if you can keep yourself a little better protected All right, that's it for my security minute for today back to our guest Rochelle from the ICT program at KCC the president and the professors here with us today again Dave Stevens, so Let's talk about how we marry up these services. So, you know, you're putting together a penetration testing Capability that you're gonna offer out to the community to try to it would be much cheaper than a professional pen test But it lets an organization find out where they're at in their vulnerabilities And then they can make a donation to the club that helps get the students off to places like DEF CON or Black Hat So great opportunity for community Awesome coming out of KCC, but how do we get the rest of the campuses engaged because to me? I think we need a hundred of these teams running around we have like 70,000 small businesses in Hawaii that could take advantage of this I agree with you and what we're gonna do is we're gonna take this in the next level and offer the system-wide So what we're doing right now is creating a nonprofit organization separate from the university that will hire out just these Interns from the University of Hawaii cyber system. 
So we have 11 Physical campuses in the university system right now two in the big island Three on the big island and we want to bring all of them together to do these kind of services for their local communities So once we get that going once the students graduate We'd also like to give them employment in the organization while they wait for their first gig Oh, and if we're making enough donations, we can actually give them a living stipend So that is their first paying job in cybersecurity Wow have to go out into the community having no actual job experience right and they can help Rochelle manage the committee Are you are you interested in driving helping drive this to actually across the state? You know, I mean, that's an awesome idea We're really excited about you know Imagine she gets to be president of this organization for several years and then she goes to another organization She's already been president of a cybersecurity company. Sure. I mean that's basically that's what it is Okay, so getting that next job is gonna be that much easier. Yeah, and there's I mean there's no shortage of jobs You know, you'll get sapped up quickly here in Hawaii is What what so you start with social engineering? So when we talk about a penetration test for social engineering, right? We're really talking about manipulating someone's internal email getting someone inside of a company to click on a bad link or something like that Are there other types of services that you guys folks are looking to roll out all the security audits are next plan Okay, you know some kind of a security that we walk in the organization How do you how do you do your business day-to-day? Okay, and what are the potential threats that could come out of that? What are your vulnerabilities and what are the access points to your organization? 
We'll go through you know basic punch lists We'll send students out to evaluate that that that organization and say based on this We recommend these seven steps to get you to a basic security level that'll take you know The the script kiddies off the off the table. Okay, we'll just running, you know scripts against your your organization Random attacks, right random attacks I like what you brought up just a moment ago when you're talking about cell phones and sending in clear text Most people don't realize that a cell phone is a radio It's sending messages every direction all the time clear text unless you put specifically encrypted with an end user So it's it's an important point to realize that you're just walking around with a radio and somebody said everybody else So they're old scanners that used to pick up the police bands You need the same with a cell phone you just turn to the right frequency and you get all that information So yeah, you send something out here SMS. It's basically in the clear in the clear unless you've encrypted it So there and I was talking with Bob Monroe who was showing me a software-defined radio Was this stuff used to be super expensive hundred grand. He's built it on a Raspberry Pi Tunable to whatever frequency I want. This is a couple hundred bucks device right with the antenna costs in the most The Pi's 40 bucks and the soft the software is open source free software today So, you know very rapidly that the technology for sniffing signals has gone from six figures to Something almost any person could afford and this is scary When you go to Black Hat and DEF CON like I did last year you see kids walking around with backpacks on an antenna sticking up Oh, yeah, and so they tell you don't take your cell phone or turn it off. Oh, yeah, you got to have a burner Yeah, and don't don't take any credit cards, you know the mag strip can be read Oh, yeah, so this close hook in the radio frequency chip on your card, right? 
So a lot of these radio frequency chips used to transmit all the information about you But now they transmit a serial number and that's it Yeah, so you go you transmit the serial number and whatever reader you're attached to Can equate that serial number to your personal information, but you don't carry the personal information around with you anymore But some of the old ones. Yeah, we'll still give it all up You walk up and they scan you from about this distance in your back pocket and you hear a beep That's it. You're done. They've got all your information So they you're supposed to get a RFID blocking wallet when you go to these things and use cash Don't swipe your card. Yeah, it's a it's a scary place to be but you get to meet the worst of the best of the worst Yeah, and we had we have a friend who set up just a rogue access point in his In his suitcase he was dragging around a major trade show in Vegas, right? So and using up to get the the tool that knocks you it basically knocks people off of the Local access point and emulates it and then attaches it to him. Oh, yeah, and in for our before lunch He had 36,000 logons and passwords from people that were using the public Wi-Fi 36,000 Wow, this was a big show, but it was that easy just just to roam around So I mean, I don't use public Wi-Fi things like that. It's scary. You can do that with cell phones, too Yeah, exactly exactly if you're talking on your cell phone You can be bumped off that channel and get on someone's roving. Yeah unit and that's more the more that I think that Yeah, and look law enforcement. I know there's those those radio kits that they're using, you know So you're driving through a town you think you're on a real cellular network, but you're actually on their cellular network, right? Yeah, and they're passing you through, you know, they're in certain people Interesting information is in it. So is that are you specializing in in cyber or like offensive defensive or have you decided yet? 
Where you're where you're headed my career. Yeah more security. So but defensive. Yeah, okay. Gotcha. Yeah I'll have to do both in the in the major right there. We did a security class first and then we went into offensive security So we do the defense. How do you defend your network? Mm-hmm. I mean we do offense. How do you get around all those? Sure, and it's been a real and what do you think? What have you told do you think anyone can really be secured like no technique. I love that. I'd even finish my Right there with the research. Oh my gosh. I'm like so paranoid And it goes it goes back to real history all this stuff, although it's Electric goes mechanical right anything that can be built can be unbuilt. That's right And she witnessed it in a classroom. I actually challenged the students in a class And they did it. Oh, they've actually hacked me. Yeah In physical and with the DNS ARP poison in one class or in one class So the all 23 students got together you did a social engineering attack on me and in one Like one hour and one in one. No, no, no over the course of the course. Okay I was like that's pretty creative a thing. No, they really one guy said he never slept for five weeks But they did it and I'm really proud and feeling a little squeamish and vulnerable at the same time Sure, that's so I think and I've never I know a lot of groups that do pentesting They never fail actually, you know, they they don't actually ever stop I've never heard of anyone saying ours. We couldn't get in it's just a matter of time It's a matter of time and a matter of resources and a matter of effort So, you know that shouldn't scare people people should still defend themselves. You want to be difficult to attack, right? I mean if you the harder you make it the hopefully someone who's you know, really interested in getting in will either not be Smart enough or run out of time or run out of resources, right? 
Because it's good board move on sometimes You really hope that they just have had enough, right? So if someone's paying someone to get to you, you know You know like the dark in dark dark web, right where you can go on and Advertise what you who you want and what you'll pay for and someone takes that on and you know, if it's too hard You hopefully they'll quit because the fact is as you said if they want in They're gonna get it. Yeah, just look at the yeah, I guess so we're blaming Russia now for the Democratic National DNC the DNC hack yeah, so if they wanted they'll get in and it doesn't matter where they are on the planet Yeah, nation states have a lot of resources, right? So I mean of all the the last person you want chasing you're those guys You're pretty much done. Yeah, you go on north you got you show them Norse like the Norse map of all the The ones that crack me up the ones that coming in from like central Italy Who's in Tuscany? They're just getting drunk and running a script I think they're using being redirected right so they've they've attacked somebody there They've got bots in there that are launching the stuff. It just seems like a random place, you know, Tuscany something along the Amalfi coast Sicily, you know, Sicily Yeah, so give us a pitch about the club. We got a minute or so left and what what what can we do to help promote your the club here? Tell us tell us why we should join You should join You should join because Rochelle You're gonna get to know her just Well, if you want to if you're really interested in computers and technology, I would definitely join our club We're we have a lot of things that we're planning to do and it's pretty interesting especially in the cybersecurity areas so That alone just excites me And they're doing real-world stuff right now, yeah So if you want to learn about the real world join the ICT club at KCC Join Rochelle help her out. 
She's got a lot of work on she could use some help over there I think that's gonna wrap us up for the day. We normally have a Solo cup to give you this is episode 93 or 4. I'm not sure I will make sure you get that autographed by Gordo the professor in this case and myself and we'll get it delivered over to Your office there at ICT at KCC. Okay promise you that On the way out. We always just have a little thing we say on the count of three one two three How you doing? In case you didn't understand me University of Hawaii football team is gonna kick butt under all of it's this season So be sure to follow us on Think Tech Hawaii and Hibachi Talk. I'll be at every game and remember aloo