This is Think Tech Hawaii, Community Matters here. I am your guest host today, Jeff Milford, for the Cyber Underground. Dave Stevens is not with us, but will be returning soon. And with me today is my guest, Mike Turacco, a security analyst for ITSC. And we're going to be talking about the two processor flaws that have been discovered this week and how it's going to impact you, as well as some tips on how to protect yourself, a common thread in the discussions. So, as we've learned. Yeah, it's been a busy week. It has been a busy week. So, apparently for about the past 10 years, the security flaws have existed in these processors, they've only been discovered now. They're called Meltdown and Spectre. Meltdown is applicable to the Intel chips, which many, many people use, even people with Macs. The Spectre flaw affects the Intel and AMD chips, as well as ARM chips, which most people may not know are the chips that power your smartphones. So both Android and iPhone. And iPhones, right. Maybe Windows phones. If there's something still out there. And people use them. Probably. So we're having fun, but obviously it's a serious problem. What it means is that someone could exploit this flaw and basically go into what's called protected memory on your system and learn about your passwords, basically any kind of personal information that you might have typed in or stored and have it be used against you. So, in looking at the detail on the chips that are affected, there's a huge laundry list. So basically, I think it's safe to say it's pretty much all chips out there, especially Intel in particular. But then, yeah, like AMD and ARM is also affected by this for certain devices. Right. So the hacker would have to get some software installed on your system. And there are many ways they can do that. They can trick you into clicking on a link, opening an attachment. I think for most of the home users, there's perhaps a little less risk than in companies.
But unfortunately, the patches that are being discussed are going to potentially cause a performance hit. Yeah, and there are potential performance hits for the machines themselves, but also for any AV that you might be running. I think there is something that got called out directly as having problems with it in particular. But I don't want to say names here, but you could research it. Right. And I think for most people, they're not going to notice a performance hit. Gamers probably would. But I think for the average person that's browsing the web, looking at emails, things like that, maybe opening the occasional spreadsheet, they may not notice a performance hit. But it's very definitely going to be affecting companies. Companies with large servers, virtual machines. One of the big vulnerabilities is, so a virtual host is a very large server that hosts virtual machines, any number of them depending on the resources. The problem with this is that that flaw appears in the chips for the virtual host. So normally, the virtual machines themselves are isolated from each other. So on a virtual host, you could have, say, five different companies with all their servers and they're completely blind to the other four companies there. However, because these are affecting the chips of the actual hosts themselves, that puts all five of those companies at risk from that one single machine. I think from an IT security perspective, it would be more of a reason if companies haven't put their controls at the host level for VMs, this might be even stronger push to get in that direction. And we often talk about the layered approach, defense in depth, because there is no one solution for this. And every one of these breaches, flaw announcements, things like that, the upside to it is that companies and hopefully individuals sit up and take notice and also take action on them. I know a lot happened from the Target breach. There was a lot of work done on companies' behalf.
The WannaCry kept a lot of people busy. It raised a lot of people's awareness. It even got Microsoft to update Windows XP, which has been end of life for a long time. And we'll talk in the second half about things you can do to protect yourself. But the fact that this has been in existence for 10 years and it's only being discovered now is kind of scary. I think throughout last year and into this year, there's been a lot of these kind of bigger at the kernel level and firmware related things that are just kind of being disclosed now publicly. And so it's kind of concerning. I don't know if this is the end of it either, but we'll see. And what it's going to take is the chip manufacturers are going to have to basically re-engineer their platform. They're going to have to put in new instruction sets into their code. And I don't see companies going in and swapping out hardware to get new chips. I mean, that's an enormous expense. So what this is going to do is this patch is going to potentially impact performance. But one of the other things that is kind of frightening too is that we have antivirus products. We have antivirus installed on our machines and our smart phones too, right? So antivirus software runs with elevated privileges. It accesses what's called the kernel. The kernel is the part of the operating system that interacts directly with the hardware. So when you're playing a video, that video isn't going directly to the speakers or the sound card. It's going through the processor, talking to the kernel, and the kernel is managing the access to that hardware. So when you look at antivirus products, they are going to have to be updated. We saw one of the major vendors send an advisement out that they have a patch in place, but you need to patch your antivirus before you patch your system. Otherwise, there's a potential for what we used to call, laughingly, the blue screen of death.
Basically, when there's a hardware problem, the machine shows you a blue screen, and at that point, you're in trouble. So what would you say for people as far as the patching and whatnot? So I think as far as patching goes, like any time you patch significant changes, I would say testing is key. You don't want to just patch it and let it rip. There tends to be some downside to that as we've seen in the past. It's a nice idea to protect yourself, but I think you need to be sure that what you're patching actually works and have the ability to roll back if needed so you don't put systems out of commission or some critical systems for your company or for your personal. We often advise people to turn on automatic updates, and what Microsoft has done is their update for this vulnerability in the processor, it will actually look for a specific version of a vendor's antivirus, and if it sees it, that it's at the compatible version, it will run. But if the antivirus hasn't been updated, it won't run, which is very helpful and very forward thinking. I would have to say that lately Microsoft has learned a lot about creating better patches from some of the things that we've seen in the past. Yeah, Microsoft used to have a very bad reputation in the past for patches and things would break and the like. So for most of you at home, you want to keep all of your software updated, you want to keep your virus protection updated, but in this case, you really want to make sure that that virus software is updated regularly. I personally update mine every time I log into my machine. I just run a quick update, make sure I have the most current, and at the end, before I turn my machine off, I set it to run a scan and the software I use has the ability to turn itself off the machine if it doesn't find anything.
And then I think at the corporate level as well too, you want to make sure that your updates are on, if the machine is on the network, say a laptop comes into the environment, you want it to get updated through the network, but then a laptop in particular is off the network a lot of times, so you want it to be able to get updates while it's connected to the internet. That's a good point. You want to make sure those are both available. So understand also that your phone is potentially at risk, and there are antivirus vendors that make software for your phone. I have it on my phone being a security guy, and that's probably a really good idea. It treats your phone just like it treats a computer, it runs scans, it keeps an eye out for exploits and malware and those types of things, so that's definitely a recommendation for everybody out there. Let's see what else we can find out about this, and I apologize I'm having to go to my notes, but I know that broadcast people do it all the time. They have papers in front of them. Well, this was something that just came out a couple days ago, so we're all trying to catch up. Yeah, it was just announced Wednesday, and honestly we haven't been able to memorize all these details. So again, most of the larger vendors have released their patches for this, but some of the other smaller vendors, niche companies, probably will take a little longer. They don't have the resources that the larger companies have, but it just goes back to how important it is to constantly update your software. When we talk about the WannaCry vulnerability, when was the patch released for that? Two months before. Exactly. Or three months before. Right. For a security person to hear that, you wonder how people were impacted at all.
Individuals understandably, but companies, companies should have processes in place where they test these, test the patches and whatnot, but to be two months behind on a Microsoft security patch and then find that your machine's turned into an encrypted brick, very disheartening. I think also along those lines, it's important to think about, you have the regular cycle for most machines in your environment, but then there's always some machines that don't get patched because of certain issues with the application or some other complications or it's critical to the organization, but at the same time, you want to make sure that you don't miss any of these machines if you can. That's kind of a push for the application side to keep their vendors on it and keep their applications up to date so that new patches don't break things. The company that we work at, we've instituted a new procedure where we ask the vendors to notify us when they've made their patches for the various devices and applications on our network and that's just due diligence. That's not telling the vendor that they're not doing their job, it's just making sure that things are happening the way they should because again, for the WannaCry virus, there's really no excuse. Home users, not so sophisticated users as companies with IT teams, and you've heard me on the show over and over and over, update, update, update, even things like your television needs software updates periodically, your router needs to be updated. Change your passwords on your router. Yes, don't use the default passwords. We smile about all this, but it's because we see it so often and for a hacker to find a default password, it's golden for them, they laugh. You can go on the internet and find all these default passwords, unfortunately.
I think we know about them from looking at certain builds of servers and appliances, especially web-based, some of the default passwords are well-known out there, so if you go to check something, try the default and if you get in. I'll admit I've done that before where I've had a business reason to do it, not a bad reason and I found the password that I needed and it helped me do my job, but the first thing I did was change that to a non-default password, hopefully one that's a little more complex than one, two, three, four, five, six. I think the second half will get into a little bit more of the ongoing hygiene for systems and your passwords and things like that, but those things help when there's vulnerabilities like this that come out, that makes it a little bit easier for the attacker to... And we'll talk about Zero Day, which there is not much protection for, those are the really scary ones.
Welcome back to the Cyber Underground. I'm your guest host, Jeff Milford here with Mike Taracco. We're discussing the recent news about the processor flaws and now we're going to talk about some of the things that individuals can do.
Companies have IT departments to help them on a regular basis, but I think for most home users, they don't have the ability to or the knowledge or experience to do these things. For sure. So let's talk about what they can do. Well, I think still, you know, unfortunately, the most common way to get into most systems these days is still password, right? So passwords are very convenient. It's easy to do, makes life a little bit easier, but at the same time people reuse passwords or they have their certain password that they like. I think the most popular password is still 1-2-3-4-5-6 for this year as well. Yeah, they just had the report. So yeah, I think just having a little bit of understanding around, you know, the need for complex passwords and, you know, protecting yourself both at the office, in your office or at home. And depending upon if it's email or if it's financial data, there are, you know, certain passwords that you want to have pretty tight. And then other ones that you can, you know, you change more frequently, it's more flexible. And one of the reasons this is important is how many accounts at Yahoo ended up being hacked was the final number for, I don't know, four million or something? No, it was way more than that, yeah, billion, maybe four billion. It was in the billions. Yeah. Everybody. The reason that's important is if you use the same password for different accounts, especially things like banking, so the hacker now has your user ID, your basically your email address and a password, and he can start banging that against all these other sites, software's written that allows him to do it automatically. And sooner or later, they're going to get a hit and be able to get in there. So we talk about the complex passwords. I personally keep mine written down in a very secure place. They're locked up. They're in a safe. I doubt somebody is going to break into my house and find my passwords. But it's a lot of people tell you don't write them down.
I have probably 200 different passwords. I can't remember all those. But you use a different solution. Yeah. So I use a locker on my cell phone. So that's one method too. But if it does get cracked, the password to that, it's actually a multi-factor to get into it as well, which is a benefit also. But I do actually have it a little bit obscured as well. So there's a method behind it. So even if you get those passwords, it's still not going to get you straight into wherever you need to go. But yeah, that being said, depending upon what the access is related to, I mean, if it's email, yeah, that's OK, I guess. And you should change it more frequently. Have something you remember. For example, my sister, I was getting spam emails from her endlessly. So obviously somebody got into her account and was sending things out to her address book. And so I said, hey, why don't you change your password? I haven't changed my password in eight years. It was an AOL account. And I'm like, well, that's more of a reason to do it. I don't even know how to do it. Well, you'd better figure out how to do it because you're spamming the world or you're helping the world. Yeah, I find I get phished probably six to eight times a year. And the funny part is that these are people I used to work with at the phone company that are IT people that their accounts have been compromised. And you and I know what to look for. But one of the things that I like to ask people to do is just take a minute to look at something. People tend to be very quick reacting with the mouse, clicking on things. I think they're used to the TV remote as their timing, I guess, for want of a better word. But if you just take a moment and look at it because the majority of people don't understand how these things can be used against them. Because they're good people. They don't expect people to take advantage of you. But online, it's so much easier to do that as opposed to in person, right? It is.
And there's so much information out there that people share. I've read different accounts on how people create these phishing attempts. And with just a few things, open source intelligence, you can go to Facebook. You can go to Instagram. You can go to all these places where people share. When I used to do security awareness training for new hires at the company I was at, I would say, I would look out at everybody in the audience and I would be like, what can I Google about taking your name, putting it out on Google, and figure out your dog's name. Figure out your birthday. Figure out your family members' names and things like that. Because those tend to be things that people use. Or even just password one, something like that. Certain companies, when they issue new passwords, they use something that's near and dear to their heart. And they put a one after it or something. And that's the default password that goes out. But when we test these things and you crack passwords, you can see even just looking at the hashes, which is the encrypted version of the password that they're very similar. Yeah. So yeah, those are some things to keep an eye on. I think a lot of the attacks come through email, which is a common way that you can get to people. People tend to be the softer area to get through as opposed to cracking it directly to the machine. Just little things like hovering over links with your mouse, not clicking on them, but hovering over them. You could actually see if the package is supposed to come from UPS and it's coming from somewhere else, you probably can assume that it's phishing. And I'm not trying to give a shout out to Microsoft, but I use Outlook at home and one of the advantages to that over just a web-based interface with your mail is that when you see the sender, it'll show the sender's name, but then it shows the address right afterwards. And the really bad phishing attempts, they don't even match. They're not even close.
So that's a real obvious thing. But if you don't have that ability to actually see the sender's address, you're just seeing a name, you're at a disadvantage. And I think one of the other things happening nowadays, especially in Hawaii, I believe, the phone calls that are coming through off of your car warranty is expiring and things like that. We'd like to raise your credit limit. Are you looking for a job? So I'm not exactly sure how these scams are working, but they're very, especially in the past month or so, they've been very pervasive and they're spoofing local numbers. They all come in as 808 numbers. And my wife and I have reached a point that if a phone number comes in that's not in our contacts, we don't answer the phone. If they want to leave a message, then we'll go pick up a voicemail. But you don't want to be in stealth mode. You don't want them to find that it's an active phone number and that they've got somebody on the end that they can contact. One of the phishing attempts that was, on the one hand, I kind of admire the ingenuity, but I also say use your talents for good, not evil. But the person was talking about they saw a picture of a woman on Facebook in her kitchen. You'd think that sharing a picture of yourself in the kitchen would be fine. But you could see the appliances in the background. And this person was saying you could craft a phishing attempt. Say you see a Cuisinart something. You craft this phishing email that says it's from Cuisinart and that there's a problem with your device and click here. And people will do that. And that's, you can't be paranoid, but you do need to be cautious to be able to protect yourself. I heard there was also some other things where people post their flight tickets, the tickets for getting on an airline flight. It has a barcode on there. And people posted on Facebook or Twitter or wherever, hey, I'm going to New York or I'm going to Honolulu or something.
And then you could actually scrape off a lot of information from those barcodes. So it's something that you really kind of need to be thoughtful about. And people just throw them away, but there's information on there that could be used for evil. And again, we spend our time, our working lives, and our home lives in this environment. And most people just don't understand how that kind of information can be used against them. And I hear some people like in the IT security industry saying, I'm paranoid about this. We need to be paranoid about it. I don't think it's actually being paranoid. I think it's just being thoughtful. It's just thinking things through. And just it's a lot of common sense just not to leave very much information around for people to pick up. Let's talk about backups for a minute. Sure. The number one recovery for ransomware. How many people, first of all, do backups? And how many companies have we worked for that do backups but never test them, their ability to recover from them? So at a former company, part of our, we were listed on the stock exchange. So we were required to test backups. But smaller companies tend or they have different regulations tend not to have to do that. So they don't do it. Yeah, they see backup completed successfully. OK, we're good. So it needs to be backups of the user's data and then also backups of major systems at incremental times. And if you're going to do backups, make sure that if you're backing up to an external device that you disconnect it properly when your backup is finished. Because if ransomware hits your machine, it's going to crawl down that cable and it's going to encrypt your backups and then where you'll be. So online backups, putting backups into the cloud is another option. Some people are leery about putting their data in the cloud. There's still lots of companies. It depends on the availability need and how frequently you need to get it.
So we've talked about a lot of fairly technical solutions, things that you need to do. And I think what we found in our lives is that everyone pretty much knows someone in their circle of friends, family, that has that kind of skill. I mean, all of us in IT are the support for our families and friends. But even if you don't have someone like that, vendors can help get you set up. But it's really important that you have backups of your data. What would the cost be to you? Not the financial cost, but the social cost, the psychic cost. If you lost all of your photos of a loved one that had passed away or all these things that we really want to keep. So do yourself a favor. Run your updates. Make sure your backup's occurring. Test your backups occasionally. And all that means is open the backup. Can you read a few of the files? Make sure they're not corrupt. If you're using encryption, you'll be testing your encryption key to make sure that it's actually the one that encrypted the data. And stay safe. That's the best advice we can offer. Good advice. Good advice.