Welcome back to the Cyber Underground. I know it's been a while. I'm Dave Stevens and I've been busy with other stuff. You know, I'm a teacher and I teach cybersecurity, network security, and ethical hacking at the University of Hawaii, Kapiolani Community College, and I'm now the IT program director of that program. And with me today, I have proudly one of our adjunct faculty, Percy Ellis. Welcome, brother. Hey, how are you doing? Welcome aboard. Okay, today let's talk about some of the five biggest headlines of cyber security. And then on the back half of the show, you're going to tell us all about how to get into drones, because we can use drones for security too, physical and cyber, right? And you're going to tell us how to get started because that's kind of a steep learning curve for some folks. It can be, yeah.

So let's get into GozNym. It just came out, $100 million stolen. And they caught these guys. So this is what countries here. The USA, Georgia, Ukraine, Moldova, Germany and Bulgaria participated in this. And they deployed, GozNym is the organization, but it's also the combination of two pieces of malware put together, neither of which I can pronounce properly. But it came out to GozNym and it's a trojan. It steals your login credentials, mainly for banking applications. And they stole $100 million from all of those countries I mentioned, except for the USA. I don't see any USA institutions breached. But that's, I guess that's good for us, but for the rest of Europe, they use Europol, formerly Interpol. So this is a European Union police force, which I have never heard about until just a couple of days ago, which is odd. Have you ever heard of Europol? No, I've heard of Interpol. Interpol, right? Well, I guess it's changed. Maybe there's another Interpol. I haven't researched it.

But this brings up a great point right now. Many websites are initiating multi-factor authentication. Do you use it? Absolutely. Use it at KCC. I use it at my bank.
I won't even bank at a place that doesn't use multi-factor authentication. And Google, Yahoo. Even Facebook. I'll use multi-factor authentication from the calling me back with a text one-time password or fingerprint or iris scanners. I use them on my mobile devices and on my pads, my little pads. Right. The phones now, some have a fingerprint reader. Some use face recognition. And that could be your second factor of authentication to get into the device, plus the password. Or sometimes, face is your password and they also give you the one-time password, also known as an OTP. But it's important to recognize that this kind of Trojan would not be able to succeed with a multi-factor authentication process. So these banking institutions should really wake up and notice that multi-factor authentication protects their users even when there's a Trojan operating in the background. So again, you don't have to be faster than the bear chasing you in the woods, just faster than the guy next to you, right? So you don't have to be super, super, super secure with all these fancy tricks and iris scans and all that. But multi-factor authentication makes you more secure than the next guy, right? And 41 institutions were hacked.

I like the simple, send me a text one-time password. That is a nice one. We should remind our users though that the text is non-encrypted over a cellular signal. So it can be theoretically taken as a radio frequency transmission between cell towers. And you can get a hold of it. It's highly unlikely because it's a cell transmission. And that password will change every time you try to log in. So you'd have to be logging in, intercepting the authentication credentials, the user ID, the password, and have that one-time password. Got to have everything. Another one, do you use the Google Authenticator or a Duo, we call it Duo Security for UH, right?
You just tap it and it gives you, for 60 seconds, six or seven digits that you can use to log in as your second form of ID. And then you see it blink or turn red. And then it cycles to a new number in 60 seconds. So you have, you're on the clock. And then it'll change numbers, yeah. It's a multi-factor authentication, something that you are, something that you have. Right. It's something that you know, like a password. Well, that's, that would be three. Something you have, something you know is two. 2FA, or two-factor authentication. So you'd have to have your cell phone with you. For that you do. Yeah, you'd have to have a cell phone or another OTP generator. So you can get that. Amazon sends them out for its cloud customers, for commercial customers. So they send you a little battery-operated OTP, which has got the same algorithm and clock synchronized with Amazon.

That's kind of one of the things with cybersecurity in general for that kind of security, that kind of cryptography. Key generation and key distribution is a problem. So they have to send it via the mail. So if it's intercepted, someone's got your generator, and if they get your password as well, then they can generate that OTP. So if you lose it in the mail or you never get it, you really should tell the vendor or they can send you another one that's logged differently. The first time you use it, doesn't it have to be synchronized at that time that you have it, similar to when you receive your credit card? Never receive one like that. They always sync it to the manufacturer before they send it out. So Amazon would order it and when it got to Amazon, Amazon would key it and synchronize it with their clock and then they'd send it to you. So all you'd have to do is press a button. When I worked for the Department of Transportation, we had secure ID cards. Okay.
And so they came in a key fob and the six digits would change on your key fob, similar to what you were talking about, or they came in a little credit card sized. That's great. So it's something you have, something you know. Like no one can get inside your brain. So if they don't know your password, that's hidden even if they steal your ID card. So for this GozNym, that's a good way to avoid it.

Let's go on to Facebook has just banned an Israeli company, the Archimedes Group, for influencing elections in these African countries, Nigeria, Senegal, Togo, Angola, Niger and Tunisia. No Nambia there, by the way. Okay. No Nambia. Big orange buffoon said there's a Nambia, but there's no Nambia. I love making fun of Trump. He's great. Over 200 Facebook and Instagram accounts with over 2.8 million followers. Just to influence them, they were representing themselves as locals, including representing themselves as local news organizations. I love the sophistication of these Facebook attacks, where they can actually influence the elections by saying things that aren't even really related to the election. Right. So this is a good example. They were just talking about the politicians and their personal lives. So most of the attacks were how they live, their affairs, salacious details that weren't always true. But social media, you shouldn't trust this. It's not a news source. My wife loves Twitter. She's always on Twitter. She gets the news. She says, oh my gosh, look at this news story. This is incredible. But then we actually go to the media outlets and you start trying to correlate these facts. They don't line up. And it's amazing to me that people will believe Facebook news or just go to, say, Fox News, one of their affiliates, and believe whatever they say. But then they don't go and see, hey, what about Al Jazeera English? What about NPR? What about BBC? What about even, I've even had the LA Times not agree with Fox News, which is, I grew up with the LA Times.
They were kind of right-leaning, and they usually agree with Fox News. But when they disagree, that's a big red flag. There's some facts missing there. So you grew up in Northern California. San Francisco Chronicle, Sacramento Bee. And left-leaning, right-leaning? You know, I think they try to be fair. So they've had reporters from both sides. And it depends on the issue. But I've noticed the Facebook advertising hacks, which can be done by anyone, I can set up a Facebook account and advertise a political point of view, are usually hot button issues. Yeah, yeah, they want to get you passionate. They want to get you angry. They want to get you engaged, right? So I've seen those. They come on. There was a resistance ad with a fist on it, right? And it turned out to be a fake Russian account for the 2016 election. But it got a lot of people motivated and protesting. They actually went to a protest. This protest was hilarious because some journalists recognized that it was fake. And they went to this protest and they passed out big flags that said Trump on them. And they were red, white, and blue. But they weren't the red, white, and blue from America. It was the Russian flag. They said Trump on it. And people held them up. Yeah, he's just pay attention, folks, right? Just pay attention.

So Facebook, I go to other news sources, right? What are your favorite news sources? There's Newsy, which is an internet news source. CNN, MSNBC, just for cable television. I only watch Fox News if it's something really important, I want to balance. Yeah, but I don't take them too seriously because hot button topics. I was surprised. I watched, I actually dedicated two hours of my life to watch Fox News to see what it was doing and why people said it was good or bad. And what I saw was their actual news program seemed to be, and I'm not lying, pretty balanced.
But right after that show, immediately following with no warm up, was just a political pundit saying all these things that I don't agree with. Sure. But it looked like that political pundit was a news person, like another anchorman, like this is another news show. But it's not. It was personal opinion. With all of the news anchors that can, they know that they can throw their weight around by pushing hot button issues. I'm not surprised at all that CNN versus Fox is just so unbalanced. You have to find something in the middle. It's hard to find that. That's why I stick to things like Presta Olegram, London, BBC News, NPR, Al Jazeera English, and even if you don't agree with their opinions, the common facts and all the stories will align and you can figure out for yourself what's going on. So I think trying to train people, young people coming up today, and the older folks, like my parents, I got to train them to actually correlate all this information and come up with your own opinion, use some critical thinking. Well, we've had NBC, ABC and CBS for years. Oh, yeah, grew up with us, grew up with us. And along comes Fox, MSNBC and CNN. And you really have to look outside of the United States then to the BBC, Al Jazeera to find out what unbiased opinions are all about. Right. It's important to use some critical thinking to figure out what news is real.

Let's go to, I got to cover this really quick, data breaches. Data breaches over the last three years have caused massive financial damages. And I always emphasize to companies, you got to put some serious money into cybersecurity. And here's why. These three companies, Marriott, Equifax, Yahoo, their average stock price after those incidents over 2018, 17 and 16, their average stock price dropped by 7.5%. A large company. That's a lot of money. That's massive, right? Their market capitalization decreased average $742 million. I don't even know what that looks like on paper, right?
A couple thousand's all I ever have in my bank account. They're dropping 742 million because they didn't make an investment. Not only in their company, but I think it's important to emphasize that you should invest in your people. Because you can't just go hiring a couple cyber guys, right? You got to train your folks. Yeah. So you have a frontline person deals with the public all day being socially engineered. I went into a show in Las Vegas, I forget which one it was. And I met Kevin Mitnick. Oh, yeah, yeah. He's one of the greatest, fresh out of jail and he's rich. He's turned to the other side, though. He's defending companies. But he says you go for the low-hanging fruit. Yeah, that's, and that's, you're right, the frontline people. So train all your people, not just those couple of cyber individuals, you got to get everybody on the same team because like you're saying to me before the show, it's the weakest link in the chain. And that's the low-hanging fruit. And then you log in to their accounts and you pivot until you get to the account with a password or the administrative rights that you need, right? I think that's that Equifax went down between the two acts.

Let's talk about ZombieLoad really quick. Everyone's heard about ZombieLoad. This is one of those Intel processor hacks that you can do. But software can actually look at the speculative processing or the speculative cache in a processor as it hyper-threads. And this is very fast processing; it makes your computer go 30 to 40% faster to process data. They found where software can actually read that cache. And here to tell people that there's fixes out there in software and operating systems. Don't disable your hyper-threading. Or you're going to go down in performance by a lot. A lot, and you're not going to enjoy that. You'll go back to the 1990s. That's when it first came around. I think it was the 46 processor introduced the hyper-threading. Yeah, the read ahead. Yeah.
And this is a good thing to have. So don't disable it; it doesn't necessarily protect you. As a matter of fact. And to get out of this, update your OS all the time, just keep updating. Microsoft has issued stuff. So has AMD, Intel and macOS. Now how does ZombieLoad infect the computer? Well, I'm going to have to take you after the break. Okay, that's the question. We'll be right back. Until we come back, everybody stay safe.

Aloha, I'm Gwen Harris, the host here at Think Tech Hawaii, a digital media company serving the people of Hawaii. We provide a video platform for citizen journalists to raise public awareness in Hawaii. We are a Hawaii nonprofit that depends on the generosity of the supporters to keep on going. We'd be grateful if you go to thinktechhawaii.com and make a donation to support us now. Thanks so much.

Welcome back. Did you miss us? We've been lonely waiting for you to come back and join us. We're talking about all the ins and outs and tips and tricks to keep you safe in the internet world, the gig economy. I'm here with Percy Ellis, adjunct faculty in my IT program, and we're here to tell you more about ZombieLoad, which is an Intel processor vulnerability. Zombie data can be the data that the application that's processing data needs help. So it asks the CPU for some help, and the CPU uses its cache. And it's the data that's speculated on, the read-ahead data, and you can actually read that data with certain software.
So you have to have, like you said, a virus or a trojan running on your computer, but if you do, browsers can get at it, and it can cross boundaries. So if you're using Firefox and that's where the data intrusion happened, this software cache can be read by other programs that are already operating. So your malware doesn't have to be in Firefox or in another application. It can be running independently. But whatever's running on your system, generating that zombie data on your processor, it can be read. Now I've written an article about ZombieLoad, and Microsoft and Intel both defended themselves by saying you'd have to be very meticulous about the data that you're gathering. Because as you know, and maybe not our audience, the information that is in those caches is just bits and pieces of passwords. And you would have to really know what you're searching for. And then you'd have to be pretty sleuthy to put those little bits and pieces back together, to even form a password.

You know what this reminds me of is when you're doing data recovery, you get bits and pieces because someone's formatted the hard drive or it got thrown in a lake or something, you don't get the whole thing. But the software that you run to reconstruct the data speculates what could be in there. And it's for the most part, I think it's fairly accurate. It's getting better. I've been using this stuff since the 1990s. And it's pretty darn good now. There's free stuff out there called Recuva. Spelled wrong. Recuva. And it's a free Windows utility, hasn't had any malware attacks that I'm aware of. But it can actually recover like a formatted hard drive. And it gets all the files and it just speculates what's in them based on what it found. And for the most part, it's pretty darn good. It's actually helped me save my thesis. Because I deleted it accidentally a long time ago. But the forensics toolkit as well, the forensics toolkit, which is on Kali. Oh, I didn't know that. I believe it is.
I might be wrong. Check me on this. Somebody write me a letter to say this. Yes, it's not. Or yes, it is. No, it's not.

Let's move on to the WhatsApp malware that everyone's talking about. And I just installed it. Well, you probably installed the good word, right? This is, they've already come out with, Facebook issued an update. So if you install the update, you should be okay. The WhatsApp though, the scary part about it was that if you have it loaded, and I have WhatsApp loaded, all I have to do is call your phone on WhatsApp using that application, you don't even have to answer. And I get into your phone, I can turn on the camera and get all your information, have admin rights to it. And there's a multi-level step process that you have to go through to make sure that this is not going to affect you anymore. If you've had this before, and I don't think you will, but you should update the operating system on your phone. You should update the application or delete it if you're not going to use it. And I wouldn't keep it running. Keep it in its sandbox, keep it off unless you're actually going to use it. I only use it for cross platform. So if someone has an iPhone and they want to do a video chat with me and I have my Samsung Android.

There's a problem with Android, right? You can't update your OS. Sure, I can. How do you do that? There are updates that are issued. And you get an alert on your phone. And how often does that happen? Samsung used to be notorious for not issuing updates. Um, I could check my phone and tell you what version it is. And when you go into your system, you can say update to the newest version. Oh, I did not know that. You can check and do it manually. Usually it's a push notification that you get. Oh, that's great. Um, so you just get the little badge saying there's an update. There's an update on the iPhone. Make sure it's plugged in and you get the little robot and he starts feeding himself updates.
Is that, that's a graphic? Yeah. So can you set that on the Android to do automatically when you're asleep? You can do. Yeah, you can set timing like that. But every now and then, especially if I hear about the latest update, I'll go ahead and manually do it. Well, that's good to know. Samsung used to be just terrible, notorious for not giving. Yeah. And the reason is every Android build is tied to the manufacturer of that device, right? LG, Samsung, whoever's making it, Google, and they put out the update for their build of Android. They're all particular to the phone, right? Whereas the iPhones are all generic. We all get the same iOS. And if it sucks, it sucks, everyone just suffers. We all just got to get through it. But you'd like the Samsung and the updates. It's going okay for you. It's gone very well for me. I think we just got an update last month. Because I remember having to plug my phone in and not use it for 20 minutes. That's a push update. It was a push. That's great. That's good. It's good to know.

So for WhatsApp, install the new version of WhatsApp. If you have to use it, keep it off. Update your operating system on your phone. And don't use it unless you have to. The crazy thing is, Israel's in the news for this one too. Their NSO Group is the one who created the software and somehow it's in the wild. And they say they were only selling it to law enforcement, which is troubling in itself. But it's now being used by private enterprise. Well, yeah, everything that gets leaked like that is going to be used by, it's all getting leaked. Nothing, nothing stays within their realm anymore. You know, this is how we got the Shadow Brokers. They use leaked stuff all the time. Have you heard the phrase data wants to be free or software wants to be free? I do. I know that phrase.

Hey, let's talk about drones. We just changed topics here really quickly. We talked about your starter drone here.
So I'm somebody who doesn't know anything about drones. I've always wanted to get into them. Your drones are being used in movies and farms, even for painters, instruction, security. Everyone wants to use a drone. Now, the first time I picked up a little mini drone, and I got the controls, it launched, it hovered up for a second. I pushed a little lever to the side. It didn't do anything. So I pushed more and then it shot across the room and hit a wall. And that's the last time I could use it. Because it broke there. I worked for a company here locally. I think it's called the Hawaii Drone Academy. It's run by Samantha Kimsey. And I was training with a helicopter pilot by the name of Alex. And he showed me some really useful tricks in learning to fly a drone for the first time. So you're right. It'll hover. And you can manage that maneuver. The first thing you should do is go forward and use your right stick and your controller to move the drone forward. And very gentle movements of that right stick. Then you'll want to form a box. A little bit to the right. Sounds like dance classing our kids. You're going to do the box step. Yeah, absolutely. And then back. Yeah. And then to the left. So you want to repeat this motion until you've got it in an open space. You could do it. You should probably do it in an open space. I should because I broke your other drone. And it had sensors around it. Now this one does not have the sensors around it that prevent it from hoping into walls. But it does have little protectors here. I like that. Yeah, this is more to protect. If this was to come and hit you in the face without these protectors, it probably wouldn't. These are pretty soft. So you might get a scratch in the neck. But they have drones that have really nice shielding. You can run them into people. So not recommended by the way, audience, don't run these into people. We're not advocating that. So I have in this bag, a controller. Okay, no.
Sorry, let's just talk about this one real quick. This is, you said, this $100, about that. Yeah, $100, and it comes with this controller, which is a PS2 controller or it looks like an Xbox controller. Yeah, it's just a Bluetooth controller. This is called the GameSir. And you'll see me pushing on the right stick. So this is forward and back, forward, back, left and right. Okay, just want to form those boxes. Now if you were to go left and right with this joystick controller, it turns the body of the craft. Yeah, the point in a different direction. So your second thing you want to learn how to do is go forward, turn, go forward, turn, go backwards. This is helpful when there's a camera. When you have a camera mounted on that because you want to aim the camera at different things. Yeah, absolutely. There's different camera maneuvers that you might want to try. The trucking shot is just strafing left to right. Then you want to try what they call a roadie in DJI parlance, where you go back. So that's called a dronie, excuse me, a dronie. Dronie. Yeah. Okay. So you have your target on the ground. And you back up like that, you back up like that, really great for cinematic shots. And there's a lot of pre-programmed cinematic shots that you can use. And that's what I mainly use when I'm going out for Aloha Aerial Imaging.

Let's stop there for a second because you have a lot of examples of these shots. Yes, I did. At your YouTube site. You want to give yourself a little plug really quick. Sure. Visit Aloha Aerial Imaging. And you'll see some great videos. The one that's been getting the most attention is the video we took at Chinaman's Hat. Oh, that was great. Where Ross was, Ross on the island standing waving at the top, and you flew all the way out there. This is several thousand meters away from you. Yeah. And another example that we went out to Rabbit Island, which is probably a mile out.
And we went to the far side of Rabbit Island, which hardly anyone ever knows what that looks like, right? You can't see it from... By the way, audience, if you don't live in Hawaii, those are two mini islands off the coast of the island of Oahu on the windward side. On the windward side. And I got up there and I set it to do a circle of the entire island. And it automatically does. Not this one. Not this one. Yeah, you have a fancy one. Far too small. But this is a great drone to learn how to do all of those cinematic shots. And you can do them in a small environment. You don't want to fly drones over people's heads.

Now you don't need a license for this one. You do not. But the big ones, you went out and got license. Half a pound to 50 pounds. Half a pound to 50 pounds. You need a license. You need a license. Okay. And how much was that? Oh, gosh, I forget. The actual FAA exam is not too bad. And I need to take it again probably in a year. So you have to redo it every year? Every two to three years, every two to three years.

Wow, that was quick. We're out of time. That was too quick. We'll do more on this. I just asked Percy, audience, you should be aware I just asked Percy to consider creating a junior level course on using drones for security. And we might be teaching that in the next year or so at Kapiolani Community College. Get ready for FAA ground school part one. All right. Thanks for your brother. I appreciate it. Ladies and gentlemen, thank you for joining us for Cyber Underground. Again, please come back. I will be back in about four weeks. I know I'm on vacation. It's going to be a little while. Try to bear with me and I'll bring you some great updates and some great facts and some interesting stories maybe from a land far away. Until then,