Okay, we're back. We're live on a Monday morning. Whoa, Community Matters. I'm Jay Fidell, and with me is Dave Stevens. And he is the host, actually, of Cybersecurity, or Cybersecurity what? What do you call it? Cyber Underground. Cyber Underground, which plays later in the week. But he joined me on this special show, and he is a cybersecurity instructor at KCC, Kapiʻolani Community College. And we also have Andrew Lanning, another host on ThinkTech, and he is with Integrated Security Technologies. And we have Rodney Thayer, and he's a security engineer. We have all of us together. And guess what we're going to talk about? We're going to talk about the big attack of WannaCry ransomware. WannaCry. Yeah, right. And which makes us all want to cry. So let's try to examine what happened here, what we can do about it, and how it is going to affect our world. First thing is, what is this thing? How does it work, Dave?

Well, I think actually Rodney would give you a better explanation of that. WannaCry is a released tool from the NSA that came out through Shadow Brokers via WikiLeaks. However, it's not on WikiLeaks in a place called Vault 7, where they release most of their stuff like this. It's no longer there. So how it got in the wild, I think probably Rodney can tell you better. But it's a tool that will encrypt the files on your hard drive and hold them for ransom. And if it sees other computers on the same network, it will try to attack those computers and hold those files for ransom as well. So it's possible your entire network could be held for ransom and take your business offline. Yeah. Oh, that's disgusting. That's existed for a while. That's not anything new. This is nothing new. However, this one attacked a specific vulnerability that hadn't been patched by Microsoft until March of this year. And unfortunately, the patch came out from Microsoft and it only addressed Windows 10 and didn't address Windows XP.
And as we know, the National Health Service in Great Britain had been running mostly Windows XP, which had been end of life from Microsoft. It's really old. It's really old. Microsoft didn't allow any more security patches. So they were ultimately vulnerable. And unfortunately, they came out with a security patch. Microsoft went back and came out with a security patch for this particular virus for Windows XP, but it's after the fact. Yeah. Not for XP, though, because XP is beyond... No, they came out for XP. So there's one now, but they issued it the day after the ransom was on May 11th. Oh, that's not too helpful. Yeah. It's helpful, but not. I mean, the computers that haven't been affected now can be patched.

Andrew, didn't you tell me that with an appropriate intrusion into your system, a hacker could change your operating system to one that is more vulnerable? Is that true? Actually, what I was talking about was that it's not uncommon for a hacker to, if he can gain command and control of a system, to roll back the firmware or the software on that system to a version that has known vulnerabilities. So that's like a vector of attack. So once you own a device, it's not uncommon to try to roll it backwards to versions that open it up to other types of attacks, depending on what you're trying to accomplish. So, let me get it straight. So if you have XP, you're vulnerable. If anybody rolls you back to XP, you're vulnerable. If you have Windows 7, you're vulnerable unless you had a patch. Pretty good idea. So, but Microsoft stopped patching XP a long time ago, right? This was just a benevolent act of theirs to come out and do this. Yes, understood. XP should not have been... No one should be using XP. However, we found 150 million users globally are still using it, which is, in my opinion, just them not moving forward with technology. A lot of businesses will try to drive technology until the very end.
And unfortunately, XP ended a while back, but they're still getting usefulness out of it. There's just no protection for it. Yeah. Now, you know, in China, they got a lot of bootleg software, probably a lot of Microsoft bootleg software. Maybe it's XP, maybe it's 7, maybe it's 10, but it's bootleg. Does it make a difference if it's bootleg software? Is it more vulnerable? It is more vulnerable. If it's bootleg software, then it's probably got backdoors or something in it. But otherwise, it's just the same stuff. Yeah. Yeah, this one's kind of interesting because of the way it moves around, and I think Rodney could give us some background on SMB1 and 2 and why there's such a problem with this software. Hey, Rodney, why don't you do that?

Sure. So, once this thing compromises a machine, it puts the ransomware in. So, that's the whole ransomware and crypto disk stuff. The thing that is relatively new about this is how did it get into people's systems? So, this exploit that they fixed in March affects a protocol that Microsoft uses to have machines share files and printers and other kinds of resources with each other. So, it's called Server Message Block. It's a very old protocol. It's been around since the late 80s, been evolved over time. And there have been holes known here and there in this protocol. And apparently what happened is that the bug that the NSA had, there was a possibility to have one computer execute a program on another computer without its permission using this Server Message Block technology. So, the series of events seems to be that the bad guys send phishing emails or somehow otherwise convince somebody inside a business to click on a link or something and somehow run a program. Also, they worry about macros in Office documents. So, somehow the bad guy gets you to execute a program on a computer. That takes over that one machine and then uses this exploit against Server Message Block to move among the machines inside your business.
And then it would replicate across that. So, there's three or four layers of failed technology here. And the ransomware is the thing at the end of it. But it's the networking between machines that was a vulnerability in that. And that's what this is about. Yeah. So, if you got one of these machines on your network somewhere, maybe like in my world as a physical security systems integrator, perhaps somebody's got an old badging workstation, for example, that makes their badges for their access control system. And maybe they're still running an XP machine because it's not something they use very often. So, you know, a real-world example that would be a device like that sitting around on a network that's not been patched in a long, long time and was vulnerable to this attack.

Did I hear you say, though, Rodney, that you got to click on something to activate this ransomware? It doesn't happen all by itself. It's not autonomous. You got to actually do something. That's the current understanding. Now, this is one of these things where, you know, we're all caught off balance trying to chase this. So, my understanding is the current thinking is they don't know precisely what it does at the initial moment of compromise. And clicking on a link from that email is the most common way. The other thing they're talking about with Microsoft systems is a thing called Remote Desktop Protocol, which is so you can have a remote site connect into a server and do maintenance work. And so people will sometimes allow remote desktop in from the outside world. And there's potentially an issue with that related to this. And this is one of these things where, you know, it's kind of like Ebola. We got thousands of scientists sitting around trying to look at samples in labs, figuring out what's going on with this thing. We don't have a complete explanation yet. Yeah. Andrew, am I right to say, Dave, you were talking about the possibility of having multiple variations of this.
It's not just one ransomware. It's got various versions. Sure. I'll give you a great example. WannaCry right now was thwarted by a 22-year-old security engineer. And what he found was that there was a failsafe built in. When it starts to execute, this virus will go out and look for a website. If the website is actually active and has a website, it discontinues its attack. So that website wasn't ever registered. The domain was never registered. And so this ransomware would go out to the internet, not find that website, and continue its attack. So the security engineer went and bought that domain name for 10 bucks. And put a fake website up. And now it's kind of a sinkhole for this first variant of WannaCry. It'll go out and check the website. Oh, the website's there, and discontinues its attack. However, that's just a script. So the moment somebody sees that that's the vulnerability of that virus, they'll just change that. They'll take that out. So now we have to look for more ways to end this. It can be changed. Yeah.

Well, today I've got some additional insight on that. I sat in a presentation last week at PSA Tech, and the keynote was Matthew Rosenquist, and he's the cyber strategist for Intel's Global Operations. They're tracking about 400,000 variants per day of malware globally. Not only this, but all the malware. 400,000. Yeah. So that's kind of hard to stop. It is kind of hard to stop. We're living in a new world. But let me just sort of relate back to some of the things you guys have said. Number one, you didn't mention Apple. So I guess Apple is not in the target area. This is a Microsoft vulnerability. Microsoft only. And it's only XP without the patch, which came late. And seven without the patch. Microsoft seven. Well, this can affect any computer all the way up through Windows 10 until that security patch that was released in March is applied. So you need to patch on Windows 10 also. Seven, eight, and then 10, which they've patched. Okay. Right.
So the current version of Windows 10, they put out a patch as their regular operating procedure. If you don't have Windows 10, you should really upgrade and then apply the patch. Yeah. And the other thing that I caught here is that if you don't click on anything, or if you're not using that Microsoft protocol, you're safe. That sounds like an overstatement. We don't know that for certain yet. And what Rodney said, we don't know. But usually the way in for a virus, 90% of attacks currently are social. First, someone gives you a USB drive, you plug it in, someone sends you an email, you click on a link. Those things that we fool humans into doing something that executes something on a computer. And usually we're logged in as, you know, if you log into your computer, you're the administrator. So if you click on something, whatever is executing has your permissions on there. So it's got God rights to your computer. What really prevents us is user training. That's the first thing you got to tell people: don't click on these kind of links. If you don't know who it's from, delete that email.

Well, suppose you do know who it's from, but it's phony anyway. I worry about getting, you know, getting a nice looking email. It's nothing suspicious about it, but a machine generated it somewhere else. And it's not the guy that it pretends to be. It's possible. This is possible. The example I was given is that inside NASA, there are bad guys chasing engineers inside NASA looking specifically like the guy who works on pumps and rocket engines or things like that. You know, the specific team members they'll be focusing on. So the phishing emails can be very, very sophisticated. The other thing about this is it's ransomware, which means one of the things it does is it catches you having bad backups. There is a line of reasoning that says you should do backups because, for example, your building might burn down.
You should back up copies of your files and you should be doing backups frequently enough so that you can survive rolling back to the last backup. That's just standard data processing techniques. The ransomware guys are catching people having bad backups. That's the other thing going on here. The other thing we see is people doing backup, doing a backup, doing a backup for months on end without ever testing one. So you need to make sure that your backup files are actually restorable periodically as well. Yeah, you bet.

We touched a little bit on how this got out from NSA, as you say, and it came out through Julian Assange and WikiLeaks. He had ripped them off for that and then somehow distributed it. Well, there was a group called Shadow Brokers. And again, I think Rodney could probably speak better to this, but there's a group called Shadow Brokers who sells this kind of technology when they get a hold of it. And when it's not saleable, they'll just release it to the wild. The theory with a lot of gray hats out there, kind of the situational moral kind of hackers, they want to put every vulnerability out there and every tool out there to make people more aware so they can reinforce their systems. If they know there's a vulnerability and they know there's a tool to attack it, then they'll patch their systems. The problem is nobody pays that close of attention to these scenarios. So unless everybody participates all the time, that theory doesn't work out very well. Yeah. So NSA actually invented this, designed it. That's what they think. NSA or CIA. It doesn't make the US look too good. We don't know that they invented it. We know they were using it. The NSA and lots of other organizations have been buying weapons for a long time. They've been buying cyber weapons from people. So there are hackers out there who have been selling exploits to the government, the military, not just ours but other people's.
So yes, the NSA's got lots of smart people and they might have invented this themselves, but what we know is they were using this weapon. We don't know if they invented the weapon. Just a point on that is that suppose I'm in Russia or China, I got badly burned by this ransomware. I don't know what to do when you get nailed. We'll talk about that. Now is there justification for me to blame the United States for starting this up? Currently, Russia is. Russia put out a statement that they blame the US for this attack. Yeah, well they do. Everyone will, don't you think? I don't know. I don't know if that's going to go down. I know that in my personal point of view, if a company really wants to be safe they'll have a security plan which includes patches and updates and upgrades and backups and user training. And if you don't have a security plan, it's kind of your own fault. No matter where the attack comes from, you didn't prepare properly for that. We live in different times. So I'm getting a headache about this, so whenever I get a headache I want to take a break. So we take a short break from my headache, we'll be right back and we'll talk some more about it. The global implications of what's going on. We'll be right back.

Welcome back, welcome back to Community Matters. I'm Jay Fidell and we have Andrew Lanning on the phone, Integrated Security Technologies. And we have Rodney Thayer with him. He's a security engineer. And of course we have Dave Stevens, and he is a professor of cybersecurity at Kapiʻolani Community College, here in the studio.
So you guys just wonder where this all takes us, because it's really chilling and shocking. We knew this kind of stuff was happening, but this is on a scale much larger. This is on a scale you bring down major institutions in major countries. So what happens when you bring them down? Do they run off and get bitcoins? How do they pay the ransom? Do they pay the ransom? What follows the attack?

So the proper thing to do is don't pay the ransom, contact your local law enforcement and go load your good, validated backups that you made within the last week or so. Load your system and move on. Suppose you don't have good, validated... Don't pay the ransom, please. Why not? This only helps the criminal enterprise grow its machine, so you don't want to fund that, right? And again, we had this discussion about cybersecurity is people, it's processes, it's products, right? So in this instance we've got people using old outdated product, Windows XP, that shouldn't even be in use in the enterprise. Actually no one should be using it anymore. It died a long time ago, right? And then you've got processes where people didn't update Windows 7, Windows 8, or Windows 10, right? Because they don't accept automatic updates from Windows for various reasons. So there's a process there that in some cases allowed this to occur. And then there's the people side of it where some people just don't want, they don't want, like an administrator may say, I'm not going to accept all these updates because perhaps it causes problems to other systems he has. Not an invalid reason, but he's got to understand and have some, you know, there's a liability, there's a risk assessment that has to happen when you make that sort of decision not to accept the current updates from a manufacturer for their product. So you know, all three legs of that stool sort of got exposed by this. And you know, I think the product piece, you know, Windows XP, 150 million machines still being out there in the wild.
That's, you know, people really driving their technology a little too long. This is a hard lesson to learn for IT departments. And I've worked for several companies like this that want to get the best return on investment for their money. And budgets get cut on IT all the time because IT people are highly creative and we can adapt. The problem is when you can't upgrade your systems to the current systems that are most secure, you're helpless. And no matter how many times you warn people, look, you're assuming too much risk, you could crash. This could hit you. What affects the business is the loss of business continuity. So your profitability ceases to exist. If say you're Amazon and you got hit by this thing, how many seconds can you be offline for Amazon and lose a million dollars? Probably a couple of seconds. What happens if you're down for six hours? You've lost a significant piece of change that you can no longer provide your shareholders. Say nothing about goodwill. Goodwill, PR. It's bad public relations. It's a nightmare. But if you have a good security plan and people are adopting this security plan and sticking by it, this is one of the things that you should be paying attention to. It's a kind of enterprise risk people have to look at.

And by the way, if you pay the ransom, so you have to go to your CFO and say I need money to pay a ransom, I would have thought that would be on the list of things that's kind of naughty to spend company money on. It's not going to help your career, that's for sure. Especially when he says how come we got into this predicament? Accounts payable would be actually the best one. You've got to pay via Bitcoin. So if you're in Hawaii, the state's outlawed Bitcoin here. Yeah, there's no exchange. There's no exchange in Hawaii. Well, let's assume you find a Bitcoin. I mean, with a sufficient Bitcoin. Let's assume you make some calls and you get somebody to help you with Bitcoins.
Can we trace the Bitcoins or are they completely untraceable? No, you can trace. Everything on the internet. Love to find these guys and put them in jail. Go on rather quickly though, that's the problem. Is there any way we can catch them? Is there any way we can deter them by punishment? Punishment. Since the code was released publicly, I'm just going to guess that them is a whole bunch of different criminal enterprises, right? And even if you did catch somebody there's a cross-border problem. So they could be attacking from Slovenia or Poland. We have no jurisdiction in those countries. So it would be an international nightmare to try to get some empathy from that country to go arrest those people and help us prosecute them. This is a huge problem. And what if they're in a country that's, there's animosity between us and that country. Russia, for instance. There was a failure in Russia. North Korea, for instance. Yeah, they don't care. So even if we could catch them, prosecuting them is very difficult.

Well, that's the irony. I don't know about North Korea, but China has been hit. Certainly Europe has been hit. Russia has been hit. And we've been hit. So is there a state actor? Could there be a state actor in a state which has been hit? How does that work? So last year, Edward Snowden actually tweeted that. Has anybody really unwound all the pieces? Not trying to pick on Russia. And a state actor could cause some self-inflicted damage just to make sure it looks good. I don't know. Russia took a lot of damage. I mean, their main cell phone company, Megafon, got hit. They have over 70,000 hits as of Friday. They were the biggest hit country. I mean, so, self-inflicted damage, that's pretty bad. Does anybody know if they paid their ransom? Well, I have no idea. Even if I did pay the ransom, I wouldn't tell anybody about it. And you should know that if you pay the ransom... I heard there's a website up that's counting the payments.
You should know that if you pay the ransom, it's just like someone you love and you pay the ransom. They're under no obligation to give back. So you may not get your data back. You may not get your data back. However, sometimes hackers will reuse the decrypt keys for these attacks. So if you're attacking, you know, thousands of computers, you don't want to create a unique key for each computer. You might reuse it. Sometimes the NSA will have that key on file and they publish it on their website. And it will open your machine up again. That's right. They can decrypt with those keys.

What strikes me is this is really an extraordinary event. It's in one day. It's global. It's affecting everyone around the world. I'm sure it's affecting the state of Hawaii, which must be on old computers. Sorry. Probably PCs. We haven't heard about that yet. I'm not going to comment on that. You're not going to call Todd. What I get is, is there an end here? Is there an end in sight? Or is this just going to keep on going on? They're going to be encouraged. Even if they get only one in a hundred ransoms, they're going to be encouraged. And furthermore, you know, other people will jump in on it. And before you know it, we'll have a whole world of black hats or somebody attacking us, not only today and tomorrow and this week, but all the time. How is this going to evolve? You guys have some view of the future you want to share about this? I can tell you that the stats that Matt Rosenquist was talking about is, you know, the criminal enterprise piece of this is going to move from a half a billion dollars a year in revenue up. They're not going backwards. So you can take that for what it is. There's also more nefarious purposes sometimes for these attacks. They can be a misdirect. They can make you want to look in one area, or test the waters to see if they can actually do damage in an area before they do a real attack. So state players will often do this.
And I wouldn't doubt that the attacks on Sony twice from North Korea were prefaced with some kind of a smaller attack to see if they could test the waters, to see if that was effective before they really attacked hard. And I'd hate to think that this was a testing the waters, because if this was a global incident like this, it could take everybody down. We don't know what the actual target was here. We assume it's the ransom, but you know that, well, Bitcoin is anonymous. You can look up, for an individual Bitcoin account, how much money it's got. So the last statistic I saw was that they really had only earned about $25,000 so far from this thing. So the Bitcoin, I guess there's some Bitcoin addresses hard coded in the exploit that was around a few days ago; as we've said, it's going to morph into this. So this whole thing could be a cover for them trying to steal the recipe to Coca-Cola. Which would be nice to have. Right. I'm on that. Not New Coke.

Well, you know, this does suggest though. I mean we always knew this was going to happen. Didn't we know this was something like this would happen? Of course. Especially when you go to the leaders of a company and they dismiss these warnings. As a company owner, I think a small, medium, large business owner, your responsibility, your fiscal responsibility, fiduciary responsibility is to reduce the amount of risk your shareholders and stakeholders experience at any given time. And when you dismiss security warnings, you've increased your threat landscape and you've increased more risk that you're assuming. So there's a chance you could lose tremendous amounts of money. So I mean just look at Google and Facebook paid out just recently here, over $100 million in fake invoices because they were victims of a phishing scam. Wow, fabulous. And that's Google. Yeah, incredible. So you know what. Some of this stuff is just business practices. You know, businesses are supposed to keep decent records and make sure their records are robust.
You know, the IRS might show up and have to audit you for the last seven years or in various things. SEC, other kinds of organizations. So the idea that companies aren't doing clean backups is a business process comment, not just a cyber security hacker thing.

Well, what does this tell us? I mean to me it's really scary because it's everywhere. I mean even the Russians can't control it, right? Even if they started it. Or the Chinese, even if they started it. Or the North Koreans for that matter. But you know, just wonder what this means is from a business point of view a lot of people are going to lose access to their data. And it's going to slow the economy. It's going to slow business. It's going to really separate people from making money. But it also shows how you can have global effect in almost no time. And it scares me in the sense that this is bad. But it scares me in the sense that I see in here the possibility that state actors could bring the whole bloody system down. They don't want to ransom. They just want to crush the society. They want to crush the grid. They want to crush all the data. They could attack. And this must be in the military, you know, thinking about this. And I mean so cyber, Kaspersky is working on this. Norton is working on this. Microsoft must be working all night on this. Are we going to be able to control this? Or is this just going to go on? And can we ever really escape this possibility?

So you brought up an interesting point. And the reason I assume that a state agency of some kind, either our country or another, actually created this virus is there was a safety protocol in there to go look for a website and stop if they couldn't find the website. So someone actually knows the gray goo scenario. Which is if you have an automated self-replicating bot that consumes, say, organic material and you let it loose, it replicates so fast that within a couple of days the entire earth is dead and it looks like gray goo everywhere.
There's no safety protocol in to stop those bots from replicating too fast to be controlled. The same thing can happen with this virus. And if you release something like this into the wild, what's to stop it from infecting an old computer everywhere all the time, and as soon as someone activates an old computer you've got it back again. So there was a control protocol put into place, so I would imagine somebody created this tool who was thinking about that. What, has this got out of control? But now that we've gone beyond that though. Yeah, and now it's morphing and people are going to change. Not only is it a test to see how much damage they can wreak, but it's a test to see what other things they can think of. Right. To get even worse next time.

You guys have any closing remarks, Rodney and Andrew? There are a lot of safety guidance suggestions out there in general: making your network safe, doing updates, segmenting your network from the public internet and all these kinds of things that, you know, one sounds like one starts droning when you say these things over and over, but it really is, you know, that's why we have safety rules in place to deal with a survey. That's why we suggest you wear seatbelts while you're driving, because there are good reasons. So this is a reminder to everybody that they actually need to pay attention to some of that stuff. Yeah, and from my perspective it's just that three-legged stool. Make sure you're training your people, you're measuring your processes, you're following the policies you've implemented according to the risk appetite that you have, and then again make sure that the products that you're using can be secured to the best of your ability. Yeah, that would be my final closing argument also. I agree with these guys, although it should be in a plan that your company signs off on, and the company leadership agrees with you and supports you and gives you the money to implement that.
All I can say is you guys know about this and that means they're going to be beating a path to your door. You're only going to be busier than you ever thought. Man, I hope so. That's Dave Stevens at KCC and Andrew Lanning at Integrated Security Technologies and Rodney Thayer, security engineer. Thank you so much, gentlemen, for joining us on this very important discussion. Thanks, Jay. Hello, hi everybody. Thanks.