cyber attacks on Hawaii's airports. We'd better find out what's going on, don't you think? This is Think Tech Tech Talks. I'm Jay Fidell, Think Tech, of course, and our old friend Attila Suresh is here to join us. And he's with Cyber Hawaii, and he can tell us what is going on with the airports and what we should know about it and do about it. Welcome to the show, Attila.

Well, thanks for having me, Jay. I appreciate that. And you are right. We do have attacks on the airports, but it's not as bad as you think. Good news is that the attacks are on their websites. And it was through something called a denial of service attack, or a coordinated DDoS attack. And what that means is these bad guys get inside of computers that have been compromised all across the globe. And at some point, they all decide to flood the internet with a bunch of traffic, but they do it in a coordinated way towards a coordinated target. In this case, it was a series of airports across the country. There are about 14 of them, Honolulu Airport being one of them, and they attack the website, not necessarily the air traffic control or any of the critical stuff that we depend on to get our airplanes around in the sky. So they hit those specific websites and they cause them to go down and be inaccessible. So those folks who are perhaps trying to travel and look up information about the airports, such as where to park or what the layout of the terminals might be, they may have had some interruption in service, but other than that, denial of service attacks are generally more of an annoyance than anything else. They don't physically take down or destroy anything; they just kind of create a traffic jam on the way to those websites. So if you tried to access the Honolulu Airport website and were unable to do so last week, now you know why. Those attacks were attributed to a Russian state-sponsored threat actor.
And although we don't have all the details about them themselves, we do know that this was a coordinated attack and it didn't affect just us. It was all United States, or a number of United States airports across the country.

Lots of questions spring out of that, to tell you the truth. So the first thing is, so are you saying that these websites do not affect operations at the airport? In other words, the traffic controllers never look at them. The people who run the airport, run the aircraft, the individual airlines, they never look at them. So if you just turned them off completely, the airports can still function fine. Is that right?

Right, exactly. Most critical infrastructure networks such as this one, or such as those involved with transportation, there's something called air gapping. Air gapping means that you literally have an air gap between the critical part of your infrastructure and the type that you use for everyday operations, and perhaps a separate one that you use for marketing. And in this case, it was strictly the marketing and PR-facing portion of these airports that got hit. Getting inside of the critical infrastructure piece, those kinds that might be critical to actually keeping these planes in the air, well, those are safe, typically. And they have a different level of protection. They have different equipment and they have compliance standards that are gonna prevent these kinds of things from recurring and affecting other parts of air traffic control.

This reminds me of a very interesting story about a college campus on which there were a lot of dormitories and a lot of engineering students. And so their mission as a practical joke was to see if they could break the plumbing. And what they did is they coordinated their watches and then at an exact moment in time, they all flushed the toilet at the same time. And lo and behold, they found they could do it.
If everyone flushed the toilet at the same time, they would break the plumbing, and that was pretty funny, but it actually cost the university millions to put new plumbing in. So at the end of the day, it was not funny. But that's kind of a denial of service attack, isn't it?

It is. What's good about data versus water, for example, is that it doesn't have a lot of spillover effects, literally. When you kind of clog up the data pipe between one point and the next, or prevent communications from going out, you're not actually destroying it or taking it down, you're just kind of creating noise and an inconvenience. So everything's still intact. And once the denial of service attack was over, the websites were accessible again and everyone kind of forgot about it. But what it comes down to is we do have Russian-speaking operatives that were supposedly behind this attack. And so now this becomes more of a political problem. It also could mean that perhaps they're testing the waters. They wanna see what they can get away with and see if they can do a more coordinated attack that could be more destructive later on. If they did have a backdoor into critical infrastructure and wanted to, say, take down the websites for those critical infrastructure companies and then take down the critical infrastructure themselves, well, now you're doing a one-two punch. That would be severely detrimental to us here, especially on the most isolated landmass on the planet. So we don't wanna have any sort of coordinated critical infrastructure attacks hitting us here. Although I do suspect that because we are in Hawaii, we do have a critical attack that hits us once every, about 11 minutes of every day. So probably during the time we've been talking, a big attack has come our direction and it has been thwarted by our infrastructure that is here on the island. So we do want to be cognizant of real attacks that are coming at us, but also be aware that we do have good safeguards in place.
And I believe that everyone here in Hawaii does consider this a real threat and they do invest in making the correct safeguards for their organization. If they don't, well, it's just a matter of time, right, Jay?

What's a good safeguard? I mean, in the engineering example I gave you, you could make it so that if you pass a certain number of flushes at the same moment, it doesn't flush. I suppose you could do that with a website too. You could say if there's more than X number of people trying to get on the website, access the website, then that's gotta be a denial of service attack. So you can't, and it stops you. How do you stop this from happening? Is that the approach or is there some other approach?

There's lots of approaches. And what's funny is that you mentioned this denial of service attack. Every once in a while I hear about how Ticketmaster will announce a new concert or some sort of event and then everyone rushes the website and the website crashes because everyone's buying tickets within minutes. So that's essentially a denial of service attack, right? So I think it concerns the application of how the infrastructure is designed and what it's designed to do. Computers and equipment and networks and all that, they're built around the business or the service delivery model. So for example, an engineering firm might be working on plans for federal contracts and those plans need to be safeguarded in a certain way. A critical infrastructure organization such as a power company or an oil company might have industrial control devices, and those industrial control devices control pumps and pressures and regulators and valves and all that stuff. And all that needs to be regulated and put aside separately, versus an engineering firm, where their critical piece may be the data that they're housing themselves, and that data may need to be air gapped or stored separately so that it's not accessible if there is a breach.
So we're talking about two separate things and two separate applications even though the equipment is fairly identical. So it all depends on the industry. I guess the best rule of thumb is if you think that it could be a problem, go overboard in protecting it. So that's everything from safeguarding private data to employee behavior, right? If that employee behavior is a problem, you gotta kinda go a little bit overboard and see if you can correct it before it becomes a problem. If there are outdated systems, go overboard and get the newest stuff that's gonna last the longest. One of the things that my grandparents taught me many years ago, which was, I guess the best translation is that the cheap costs more. So as you know, you buy the cheap stuff, it costs more in the long run.

That's very good. So I'm just wondering where this happens, the place it happens. It could happen at the, I guess at where the server, if you will, the server which serves up the website. Seems to me that's the most likely place rather than the individual terminal where somebody's looking at the website. Where does the denial of service attack bring things down? Is it at the server level or somewhere else?

That's a good question. So I guess we can get a little bit more specific on this. So web servers do have to physically reside somewhere in the world. Let's just start there. And in between, your server or website, depending on the type and volume of traffic that it's expected to take, can be distributed amongst multiple locations, right? And there's different, you know, there's Kerberos, there's different technologies out there that allow you to distribute the web traffic amongst multiple physical devices. But in front of that, there's something called DNS. And DNS is kind of like the guideposts where, when someone tries to access, say, Google.com, that guidepost is gonna send your traffic to one of multiple servers and distribute that traffic amongst them. And during that...
What does that stand for?

Which one?

DNS, DNS.

Oh, domain name service. Okay. And yeah, it's kind of like one of the fundamentals of the whole internet. So when you have DNS services running, then it's distributing that amongst the different servers that could be out there. But what you really wanna use is a service that anonymizes that. And so that way, a bad actor doesn't have access directly from point A to point Z, right? So they're not going through that DNS or that DNS proxy. Cloudflare is the most popular DNS proxy out there. And it simultaneously proxies and anonymizes the traffic so that, let's say, a bad actor wanted to take down an airport web server, they wouldn't actually be able to see it on the far end. It would take quite a bit of investigation to kind of circumvent that entire proxy service. It's not publicly disclosed. So think of it this way, kind of like using a PO box instead of your home address, right? That PO box is gonna be in between to kind of take all that junk mail so it doesn't end up in your home mailbox and fill it up and cause any problems. So in terms of best practice, if you are running any sort of web services, it's a good idea to use something like Cloudflare or another proxy or anonymizing service that allows you to host your websites without, or should I say with minimizing, the danger of someone coming in as a direct attack for it. And this would be more relevant for financial institutions, larger organizations such as car dealerships or staffing companies or larger engineering firms that could be a potential target for this type of activity.

So yeah, the other thing is Russia and a state actor in Russia. And I take it that means a bunch of guys in a building like the ERA building, as they call it in Russia, you know, they do nefarious things and they hack people at the instruction of the Russian government, that is Putin. And they've been hacking Ukraine, for example, and other targets around the Ukraine war invasion.
So here we have a Russian actor taking the time and energy and technology to bring down airport web servers in various places in the country. I suppose as many places as they can possibly achieve that. And you mentioned that it might be kind of a test of our system, with the notion that they'll come back later after they've learned a thing or two and they'll make it worse. What in the world benefit is the Russian government, the Russian state actor, getting out of this exercise?

Well, these guys are, this specific group is called Killnet and they're considered hacktivists, right? So they're coming out, and at least that's the public story. But their ties to the government are unknown. So that's not exactly clear. But, you know, let me give you a good example of what's probably going on and what we see personally when we have to deal with financial fraud, because it is the same process. So there's something called tapping. So let's say a bad actor gets their hands on a credit card. Right, and with that stolen credit card number they go to perhaps a small, you know, web store, or they go on eBay and they just buy something for like $2 and it clears. Hey, now that's great. Now they're gonna do another one for $3. A few days later, that clears too. Then they'll do one for maybe $100 a week later. That clears also. Then the big payout comes, $3,000 from a store in South Africa, from a grocery store in South Africa. Now you know that's fraud. But sometimes even that third one will go through, but they tap that card a few times. This could be a perfect example of tapping. We don't know. They could be tapping the system. Let's just see if we can take down the websites first. Okay, now we know we can take care of the websites. Let's see if they're putting any other safeguards in. They'll tap it a few more times. And if they do have the ability to do a coordinated attack on critical infrastructure and the air-gapped part of the network...
Remember what I described earlier, that inner part of the network that is actually in charge of air traffic control. Now we have a real problem. And the same thing happens in all critical infrastructure, right? Think about this. If you pay your electricity bill or water bill online, well, do you think that system is tied directly into the pump controls or into the power control system? Of course not. No, that's completely separate and air gapped. But if they need to take the entire network down, they're gonna want to do both at the same time, or maybe multiple ones at the same time. Hit the inside, hit the outside, and the entire infrastructure is crippled and there's no way they can really recover from that very quickly.

Can they do that now? Or are they still at this kind of primitive level, testing and testing and testing without being able to go further?

Yeah, these things sometimes take a lucky break. So some poor cyber hygiene on behalf of the company that they're targeting. Sometimes it's just a matter of time and they have to wait it out. Other times they're already inside the networks and they're just waiting for everyone to kind of get their act together so they can all strike at the same time. We've seen all of the above. Many times we'll walk into a network and they say, you know, something's suspicious here. We're just not a hundred percent sure. Some sort of ghost in the machine. Can you investigate? When we investigate, we find them. At that point they say, oh, we've been found, and they attack. So it's one of those things where sometimes it's better, you don't want to say it's better not to know, but if you do have a feeling that something is not right within the network, there's been unusual activity.
Those are prime indicators that you may already have a bad actor within the network, and investigating further may point you to where they are. And if you find them and don't disable their access right away and remove all the footholds that they've put inside the network while they've been inside, it's very difficult to stop them from deploying a malicious payload. Now when I say malicious payload, that is ransomware. All right, so ransomware is kind of like the last-ditch resort. Okay, you know, let's just throw a bomb into the network, lock it down, because there's nothing, they found us, let's just, you know, hit and run here. And it's unfortunate because sometimes these bad actors have been in the network for so long and they've already disabled that business's ability to recover their data or their entire operation, because they've been watching it for six months, right? Or they've been selling access to multiple bad actors for many months from there. So it may not be that it's just one bad actor in there. It could be, well, you know, we had a few Russian guys in there, a few Chinese guys in there, you know, who knows, it could be from all over the world. They could be in there kind of going inside now, picking and choosing what they want and disabling everything. And then finally, once you discover them, boom, now they've stopped the entire network. So it's a mixed bag to discover them, because you could discover them and find out they attack you big time instead of just creeping around.

You know, the other thing is you said, if you find there's something peculiar in your system, I think you used the word ghost. I like that, ghost, magic. Then you have to take a closer look at it. But what does that look like? In other words, help us understand what a ghost is like and what a peculiar phenomenon is like. So we know it's not just that we're having a bad day. That there's really something ghost-like going on.

Well, think about what ghosts do, right?
They appear and they disappear. Wow, everything's working great on the network. Today it's not for 15 minutes, and then it stops working, and then now it's back up again. What was that all about? I don't know. How about files disappearing? We'll see that sometimes. We've seen even anomalous movement. So sometimes if an employee is using their computer and they just happen to be eating their lunch at their table, they look up at the screen and see the mouse move over a few inches. Whoops. A bad guy could have been in there and accidentally tapped his mouse while he's watching your screen.

Ooh, that would really give me the heebie-jeebies, if my mouse was moving by itself.

It happens. It happens if you're an IT department watching the traffic patterns that go in and out of your gateway. So your gateway is your firewall or UTM device, right? And if your intrusion detection system has been bypassed, or if you're seeing that the traffic that is going in and out is going to foreign countries or it's going to unusual IPs, or let's say there's a lot of upload traffic and not a lot of download traffic, that could be that the data inside of your network is going out of your network. So it could be exfiltrated. Look for rogue connections, unusual firewall rules that don't need to be there anymore. We come across folks that use VNC. I hate to see it, guys. I use VNC myself. I understand it. It's so easy, but it's also sending passwords in clear text. I'm sure there's some other ways around this, but in general there's been a lot of security concerns with using these kinds of remote access tools that maybe IT departments erected very quickly at the beginning of the pandemic because they needed something, some way, somehow, to get their employees working offsite. But the end result is that you've now opened up a back door into your network. If anyone else has piggybacked on that, you've got a problem. So think about using only approved tools for your industry.
Everything that you have there should, A, not be end of life and, B, be manufacturer supported. So if there are software contracts that are available for your products, make sure that they're all paid up and you are updating those platforms. Everything needs to be updated. You need to be running the latest stuff. And let's just be clear on cost. I know a lot of folks that sometimes we talk to, there's been a lot of deferred maintenance. So think about it like a roof on your home if it has not been cleaned, or if you haven't done any sort of maintenance on your vehicle or on your teeth, right? There's gonna be a major job coming up. And so those kinds of costs that are incurred with that shouldn't be a surprise exactly, right there. It's deferred maintenance. It's something you're gonna have to do, so spend the money, do it right, sleep well at night and off you go. Let's all get back to business.

Well, talk about change, and as we know, one great adage that I've always borrowed is there's nothing so unchanging as change. And so you have to change these tools on a regular basis because the bad guys out there are changing their techniques on a regular basis. But what's the cycle? Do I have to look at this and be mindful every day, every minute? Do I have to look at it every week or every month? What's the cycle I should have in my mind as to changing in order to meet the changes that are generated on the other side?

Jay, I'm gonna give you the best piece of advice anyone's ever heard. It's three words. And it's what every scammer, every bad actor depends on. The three words are: don't get emotional. Don't get emotional about any sort of sunk costs and existing infrastructure or existing systems or different ways of doing things. Don't get emotional about it. Don't hang on to the old ways that we used to do things. Oh, do you remember when we used to do everything through carbon copy? And we'd write it out on paper, or we used those dot matrix printers.
Do you remember the old... you gotta let all that stuff go.

So how does that translate into an answer to my question?

Oh, absolutely. Because the way that you were doing things today is not the way that you should be doing things five years from now. And it's certainly not the way that you did things five years ago, right? And the only reason that people continue to do things the same way is because they have an emotional tie to their old habits. You gotta let that stuff go. We just got some calls last week from some other people that had been scammed. Why? Because they were doing things an old way and they got tied up and emotionally compromised. When you're emotionally compromised, you don't make good decisions. You're easily fooled. And that's all of us as human beings. You gotta let those emotions go. Let the old ways that you've been doing things go. Let the new ways come in.

Because I totally agree. We all have to be in the 21st century. You'll have to be thinking change all day long on every level, not just this. But let me go back to a larger issue. You mentioned, and the article that I saw talked about how these denial of service attacks were happening at airports across the country. So how does that work on both sides? In other words, how does somebody generate a denial of service attack on airports across the country? Just airport service for public use, non-operational use, across the country. I guess there's a why in there too. And then the other thing is how do I, how do I as a country find out about this? Is it that you call my buddy in the next city and say, have you noticed there seems to be a ghost in my machine, or have you noticed that I've been having denial of service attacks and it doesn't work anymore? What's your day been like? And then somehow you find, you know, there are virtually tens of thousands of airports in the country. How do I find that out? Where's the central repository of this information?

You know, that's a good question.
So you're kind of, what, if I understand correctly, you want to know, like, how does a denial of service attack even happen in the first place? How do we find out so that we can write articles, so we can talk to the government, so that, you know, you would know and I would know and we could have a talk show about it. How do we know that this is happening? So there are remote command and control pieces of software that end up on systems all around the world. And remember I was talking about good cyber hygiene and all this stuff. If you're clicking on an email, it's not necessarily that it's there to, you know, wipe out your system or hold it hostage. A command and control component can then be installed on your computer and it just sits there and waits for a command. And that command could be, hey, go attack this website right now. And when we talk about how many devices are out there on the internet, we're talking the millions, if not tens of millions, of devices that are connected to central repositories where there are command and control modules that then send out a command and say, okay, go ahead and attack this website. Last year, Microsoft did a coordinated effort internationally to shut down one of these bad actor groups that had a command and control. The name just at this moment escapes me, but it was several million computers that were infected at the time. And at any time they could have pressed a button and all those computers would have attacked. So this kind of rewinds back down to your IT department watching the network traffic that's going in and out of their network. If there's a sudden spike like this and it's all attacking a singular node, well, now you know that there are machines inside of that network that have been compromised and they're sending out bad traffic.
When we talk about, you know, holding on to old legacy ways of thinking and doing, those old WordPress websites that keep having, you know, security problems, it's time to let some of those old websites go. Even us as a company, we moved away from WordPress. We're now doing everything at Wix. It's because those kinds of older types of software methods, which were really good for a long time, and WordPress has been really strong, kept getting compromised, and then those web servers were taken over and used for command and control, right? So it's not just individual user workstations; there are servers out there that are doing this kind of work.

But how do we collectively find out that these broad-based attacks are happening? How does the airport in Alameda find out that the one at O'Hare has been attacked? What's the conglomeration, you know, of information that makes us as a community, a national community, aware that somebody is trying to do this to our airport?

Well, the good news is that Homeland Security is also watching this kind of stuff. So it's not like, you know, all these computers suddenly wake up and come out with this, you know, that there are purposely infected machines that are sitting there waiting for the command and control module to see what happens. And so there are cyber ranges that are established throughout the country where this kind of stuff is practiced. There are labs which are running these kinds of command and control bots. And if something does happen, at least then they're gonna know, oh, okay, this is the command that's been sent. We're going to go ahead and alert these targets that they're potentially under attack. But at the end of the day, it's bad cyber hygiene to not at least do some sort of basic cleanup and not run into the situation where you have deferred maintenance inside of your network. You want to make sure that your systems are fully patched.
You have the proper software installed so that these nasties don't get on your systems in the first place.

Yeah. You know, I've come to the conclusion, in large part from our discussions, that there's this kind of baseline of nefarious activity going on in the world today. And it isn't only the state actors or quasi-state actors, either in Russia or China, both are apparently doing it. And maybe in this country, there are people in this country who may be doing this stuff. And I guess the question I put to you is that they all seem to be tinkering around and somehow it all gets resolved. The one with the airports got resolved. It's no longer a threat. The denial of service attacks have stopped. You know, I'm not sure why, but they have stopped. And then we're into the next cycle, whatever kind of attack there is in a different industry, a different, you know, hostility or infrastructure. And so suppose I am Vladimir Putin. Just suppose. I don't want to be associated with that. Why should you say next, Jay? A pathological person. I mean that in the nicest way. And he decides, enough of this, I'm really ticked off at the United States. I'm gonna take all my little tricks through my, you know, state actors and the friends of my state actors and all those little things I, the little breadcrumbs I've left behind on everybody's computer. And I'm going for the brass ring right now. I'm gonna let it all fly. I'm gonna knock off every power grid I can. I'm gonna knock off every airport I can. I'm gonna attack every military contractor I can. I'm gonna bring the whole thing down right now. Can he do that? How can he do that? And what do we do in response?

So Jay, what makes you think that's not happening already?

It's because we're talking to each other and because my machine works.

I'm telling you, we have, it's not just one-directional. We have a national effort of network defenders that do really good work in protecting our critical infrastructure, our country and our state.
Yeah, sometimes things get through, but overall, remember I said earlier, big network attacks around every 11 minutes. Well, we've been on the air roughly, you know, there have been roughly three big attacks on our, just on our state. And well, we're still talking. So we do have some really good tools out there, some really good software. And thankfully, there are some federal pushes now to ensure that anyone who is operating with any sort of sensitive information has to have some basic safeguards in place, otherwise they can't continue to operate. So it's becoming ingrained in the DNA of doing business with the federal government, with the state. You do have to have some basic cyber hygiene in place. You do have to follow some rules. And if you don't, you can't play.

Yeah, and we're aware of it, you're aware of it, and through you, we're aware of it. Anyway, you point out that we've been on now for three cycles of 11 minutes each. And that means we have to get off. Attila Suresh and Cyber Hawaii, thank you so much for joining us today, for answering these questions and for helping us stay alert, stay aware. Thank you very much, Attila.

You got it, Jay. Stay safe out there. Aloha.

Thank you so much for watching Think Tech Hawaii. If you like what we do, please like us and click the subscribe button on YouTube and the follow button on Vimeo. You can also follow us on Facebook, Instagram, Twitter and LinkedIn and donate to us at thinktechhawaii.com. Mahalo.