This is Think Tech Hawaii, Community Matters here. Welcome back to the Cyber Underground. I'm Dave Stevens, your host. I'm the Cyber Security guy, also an instructor at Kapiʻolani Community College. I'm glad to have you back. I'm glad to be back. I've been out for two weeks. And it's so good to be back. What have you been doing? I've been sick. I guess, Andrew, the security guy. Hal, the network guy. Hey, everybody. Welcome, guys. How's it? Oh, man. It feels good to be back in the studio. Yeah, so I was, some student got me sick. And then right after that. You blame our student, see? Well, he can't blame Lee, right? Because you come in here with, you know, guns blazing. You can't blame the missus. So that's rule number one. That's right. She's never wrong. No, but if they come in coughing and sneezing, I still got to teach, right? And then I went down for the count, man. That's, you getting old? That happens. They have those little flus, and they weaponize it and give it to you. And then it's like a new. It's like a zero day. It's a zero day. That's a great segue. It's like a zero day, man. It's a zero day bug. So let's talk about zero days. You guys know what zero days are. The theory is that a bug that has never been catalogued and there's no defense for, and no one's ever heard of, or very few people have heard of, that's a zero day. Because usually you can get by all the defenses that are up and waiting for viruses to come by or network attacks to happen. Yeah, and it might be a vulnerability, not necessarily a piece of malware, but it could just be a profound flaw in a piece of, yeah, a profound vulnerability that we didn't know about. Which is exactly. We got to ask the network guy for this stuff. The WPA2 exploit. Good Lord. The KRACK attack. The KRACK attack. That is a perfect example, right? It was a zero day. Now it's not, of course, but it was an exploit. It was just a missing piece of the puzzle in the specification. 
And a lot of people didn't fill in the blank. Microsoft did. That was shocking to me. Microsoft filled in the blank so they didn't get hit as bad as everybody else, but for the rest of us we're still running around in circles. And from what I've heard, not a lot of people have fixes. But Cisco. Is that right? A lot of gear? Yeah, Cisco, I know they put theirs out. And iOS put theirs out for the phone, for the, because you have wireless on your phone. I've seen four updates come out. For iOS? For the iOS. Out. Are they all related to that? Well, they thought it was to fix that. Windows 10 device. Oh yeah, okay. I got a big Android update. I'm assuming, hopefully that was included. Assuming you didn't test it yet? Let Dave, you know, crack all the phones in. No thanks. Let the students, they'll get in. Oh, they will. They'll volunteer for everything. Our computer club is gonna be doing an honest to God pen test for a company here that volunteered for it. We just got the company to sign a legal document. They're gonna do a physical penetration, network penetration, and social engineering penetration. How's that? That is awesome. That is gonna be, that is gonna be one broken company which the students are doing. Let me tell you, is it non-destructive though? Let's talk about that. It's totally non-destructive. They're not gonna do anything bad, but we are getting mentors from Department of Navy, CYBERCOM, some SDI, some NSA volunteers are coming here to mentor. Great hands-on experience. Yeah, they're gonna mentor the students and say, you know, this is how the federal government, you know, goes in there. If we actually did those things. Does the company know the NSA is coming to look? We told them, yeah. They got really excited. Those guys have tools, man. They're gonna get in. They will get in. And I think this is gonna be like an awareness thing for the school. Like, wow, you know, we should close some of these doors as soon as possible. 
You know, some of these are a little too easy to get in. Sure. WPA2 is one of them. Let's talk about more zero days that come out all the time. There's a website called Zerodium.com. Zerodium. They deal in, this is a term now, gray market. Yeah. It's not legal. It's somewhere in the gray area in between. So they actually will pay for zero day exploits against certain operating systems or browsers or hardware. And they pay, some of them will pay over a million dollars for these exploits. And their website has a big chart about what they'll pay money for. And you can sell your exploit. And their customers, which they don't tell anybody about, but the customers are North Korea, China, NSA. So rumor mill has it, Zerodium was the place that the FBI got the hack for the iPhone. Oh, nice. Did you know the hack? Good. Or a developer that uses Zerodium. And you should talk about the research that people do. So there's, you know, there's two sides of that. There's offense, defense, and there's research in both areas. Security research is absolutely essential. And I think people are terrified about it. But if we're not doing it, we never find these things, the hackers will find them. And the security researchers are actually out there, most of them doing what's right for the right reasons. And, you know, you may not want to trust them, but what they're doing is essential. Just last year we had the Black Hat. And we heard a lecturer and a guy that had, in the beta release of Microsoft's Advanced Threat Protection, had found a flaw already. And released it to the general public, but also to Microsoft more importantly so they can fix that. So I think people like Microsoft shouldn't be afraid. They should be saying thank you. Well, and they pay, don't they pay bug bounties and you can. Bug bounties, that's a good term. Yeah, the bug bounties, there's a contest out there, Facebook holds one all the time. Google's got one all the time. Yeah, Apple. 
So you can make 20, 40, $60,000 on finding a serious bug or flaw in existing software. You go out there and that's a good way to make a living actually for a kid. Just sit around looking for bugs. And if you're inquisitive, I mean, I think it takes a special kind of person to try these overflows. And you gotta be sort of patient, right? Cause it's over and over and over. You gotta try to make something go wrong, right? And you know, it's cause it's probably built fairly well. You know, it's been tested quite a bit, but there's always a way in. And maybe we should just explain what exactly makes a zero day a zero day. The way that the antivirus engines, most of them, work is that they have to have a signature for the malware in order to find it. Yeah, right, so if it's a brand new piece of malware, a zero day that no one's ever seen, there's no signature so they can't find it. So that signature could be a number of different things. Could be the file size, could be the name of the file, could be a hash representing the number of bits in the file, could be the attack vector, how they're trying to get in, what port they're attacking, if it's a teardrop, a malformed packet attack, something that's the signature we're looking for and we can identify that attack, but it's never happened before. Then it's a zero day, no one's seen it, no one knows what to look for, almost everyone's gonna be vulnerable to it. There's gonna be no patch to fix it. All of the signature-based antivirus, now there is the AI stuff like Cylance and who's the other guys, the newer one, I can't even name it off-hand, but those guys are looking at data that comes across the box. If you can actually manipulate the strings and see what this thing can mutate into or what might come up, right? They're out there looking for the new stuff. The problem is that nation states have unlimited resources, unlimited time. 
So North Korea, they just dedicate, I don't know, 50,000 people to doing this zero day, whatever zero day they want so they can attack people. Is there any way we're flying in bombers over at country 24-7 now? I, oh, how do you guys feel about that? I don't wanna give my opinion about that. I'm just saying. I'm a little bit anxious. I don't think I'd be parking my butt in a building that holds 50,000 people right now because that's a pretty good target. Yeah, that would be a great target, but I don't think they get a choice actually, but they're forced to work, right? I don't even think they're fed. Yeah, well, I mean, I think if you work, you get to eat the other way. That's true, you don't work, you know. Yeah, I really don't know much about their culture, but there's ample evidence that they're buying and creating a lot of these attacks and trying to get, well, they're attacking everybody. Twice Sony, right? Sony system, which is random to me. I mean, there's, you know, Microsoft. Well, they watch movies, too. Yeah. And they play games, right? Of course, yeah. Right, so the Sony attack, right? Yeah, that was kind of random to me, but yeah, they got endless resources and now I know that if we actually have another war, we're not gonna see the opening salvos. It's gonna be cyber. Isn't it happening now? It could be happening right this second and we don't know it. That's kind of how I look at it. I mean, you know, when you see that Norse attack map, it looks like a war to me. That's right. Yeah, what's that website? We can go and see the Norse attack map. Norse attack map, yeah, Google that. That is awesome. I think so, yeah, it's a good viewpoint of what's happened. Next show, we gotta put that up on the screen and show people what that looks like. It's real-time attacks. And that's those guys sending this kind of stuff at, you know, bouncing it off of firewalls, bouncing it off of websites, bouncing it off of wherever, looking for these exploits to show up. 
Remote attacks, yeah. Yeah, well, let's talk about, there's zero days, which can be a number of different attack vectors, you know, approaches, but there's also fileless attacks, which are becoming extremely popular. That's what Dave builds in his lab. No, I don't do that. That would be illegal. Fileless attacks. Fileless attacks. That's not a great market. I don't have to deliver a payload to your system to activate malware to open a backdoor or Trojan or something. What I want to do is I want to bring you to me, so the theory is, if I want to get to the king, I'm not going to storm the castle gates. I'm going to wait till he takes a trip. He's going to come to me. I'm going to be on the road and I'll get him there. The same thing happens when you're on the internet. This is a drive-by shooting, you know, you visited a site that... A legitimate site. It's a legitimate site that might have an injected script from another site framed inside of it that gets activated in your browser. Now, a lot of people don't know that when you're saving all the passwords to your favorite websites... Now, we don't do that anyway. Don't do that because it's stored in your browser and these drive-by attacks, when you visit the malicious sites or the sites that have infections in them, they can actually extract all that information, all your browsing history, all your passwords and user names, cookies, everything that identifies you as you and lets you get into other sites like your bank. And they can just extract those. Yeah, I get it. So I run Cisco's Umbrella, which you used to have to put on like a firewall, but you actually run, you can get an agent now and run it on a machine. I've been running it on this one for a while and I've had like 14 of those drive-bys since I put it on here. Really? And so they're probably coming in via Amazon or Google or somewhere, but I get a report every week, it tells me, you know. 
And so, you know, and I'm unaware of these things, but it's preventing them because it knows what it is. So the cool thing about Umbrella is it stops it, which is just interesting because it's completely... But you wouldn't know without the Umbrella. Without something. Oh, I wouldn't even know. I wouldn't even know what they might've got from me. I mean, as if I had some. Which means that's a good attack. A very good attack. A great many people think the best hackers are the ones that pull off these incredible hacks and they're really popular. No, the best hackers are never known. They're ghosts. They're invisible. Oh, we never know that you were hacked. You never know, and you never know. So since we're on here, you know, we're not hacking anything. We were discussing a certain type of attack, and this is completely hypothetical, but we were discussing the network security class and they said, what's the best kind of attack? I mean, what's gonna be pulled off, is it always nation states? I said no, sometimes it's business to business. And let's take two ice cream makers. They're in business. They wanna make the best ice cream. They want the best market share, but one of them hacks the other. Now, the best attack would not be to take that other ice cream maker's computers down because then there's an investigation. Someone might know. The best attack is to go into that ice cream manufacturing system and just throw their mixture off just a little bit. Change the recipe. Change the recipe. Add a little bit more cream. A little bit more salt or something. Well, when you turn off the compressors on their chillers. No, you want the ice cream. All the ice cream makes it. It only works once. It only works once. Just keep making ice cream. Just bad ice cream. Or good ice cream that costs too much to make. How is the bad ice cream hack, man? You guys are mean. This is good. This is good. So if I'm the hacker, I'm destroying the other person's business. I'm taking them down. 
Even if I don't destroy them, they're still in business, but I still gain market share. And it's a small tweak, so they might think, well, we didn't get hacked. It's just a mistake. That's the perfect hack. That's what you got to be looking for. If you're defending your network, look for the little nuances that would just throw things off just a little bit. And I think that's what you're seeing with the drive-by attacks and the Umbrella. As you wouldn't know, that's a good attack. So you got to have those kind of systems. You know, that's kind of like, wow, I want to get the report. I'm like, what was I doing? Where did I go? That's scary when you think that's on your computer. But when you put IoT devices up, you put webcams up, you put a door lock with a camera. You have no idea what's going on and who's using that for nefarious purposes. The last big botnet had refrigerators, DVRs and webcams. And all those Dahua cameras, right? Right. Yeah, 60,000 of them. What are they doing now? What are manufacturers doing now? You went to IoT training with Cisco. Yeah, the big takeaway as far as security was that the IoT manufacturers, for the most part, aren't even thinking about security. And until the customer base demands security, they're not going to. Yeah, because it's expensive, right? So they've got to use a better chip set to do encryption and all, they don't want to do any of that. So why, you know, that raises your price. Until they actually do more work to code the system. Oh yeah. They've got to put secure coding in there. So the IoT, internet of things. Internet of theft. Yeah, internet of theft. It's pretty much anything without an operating system or with a miniaturized operating system. So it's not an interactive computer with a keyboard, but we're talking your refrigerator, your DVR at home. Embedded. And it's Linux. It's Linux. It's an embedded Linux kernel of some type, right? Minix, and when we come back from the break. Minix. 
Discuss something Intel has added to their chip set on the main board, which scares the absolute crap out of me. I think I read about this. Yeah, this is bad. But we're going to take a break. We're going to pay some bills. We'll come right back. Until then, stay safe. This is Think Tech Hawaii, raising public awareness. Aloha, I'm RV Kelly, host of Out of the Comfort Zone. And Think Tech is important to our community because it gives us a chance to learn more. We get to learn more. We get to give more. We get to grow more. Now for the first time, Think Tech Hawaii is participating in an online web-based fundraising campaign to raise $40,000. Give thanks to Think Tech. We'll run only during the month of November and you can help. Please donate what you can so that Think Tech Hawaii can continue to raise public awareness and promote civic engagement through free programming like mine. I've already made my donation and I look forward to yours. Please send in your tax-deductible contribution by going to this website. Thanks for Think Tech dot causevox dot com. On behalf of the community enriched by Think Tech Hawaii's 30-plus weekly shows, Mahalo for your generosity. Welcome back to the Cyber Underground. We're talking about all those things to keep you up late at night thinking, oh my gosh, what can I do? Maybe I should just unplug everything. You should unplug it late at night. Just unplug it all. You ain't using it, unplug it, I mean, for sure. Yeah, that's right. A Wi-Fi runs 24-7, yeah? Ah, why? Turn that off. Why are you doing that off? You should have a Wi-Fi switch, just turn it off. Even, I think my Mac actually has something called, what is it called, Power Nap? So it's kind of Wake-on-LAN. So if it has to run updates, even though it's sleeping, it will run the updates in the background. So it's always on the Wi-Fi. So it's on, even though it's off. Always on. Yeah, it's really scary. Wake-on-LAN, like that. We are always plugged in in our society. 
Are you supposed to disable Wake-on-LAN and down? I would. I would. I don't think so. I'm not gonna be waking on the LAN. So who's gonna be waking on the LAN? Yeah, I don't know, anyway. So as far as our honest is concerned, we're completely secure and we don't enable those. What's this, Minix? Tell me about this, Minix. Yeah, let's get back to that. So Intel has put another chip on their motherboards that can actually handle an operating system, a miniaturized Linux, they call it Minix. It was actually around before Linux, I believe. Got a name, Tanenbaum, created it. Very, very lightweight system, but it has ports, protocols, operating system, connectivity, and command and control of your system. So if I'm a company, I buy all these Dell computers with these Intel chips on them, I can provision or prep all of 1,000 laptops in the field remotely if I want, install the operating system, get Windows 10 set up, set all my group policy up, all my GPO rules and networking security and antivirus, install all my software, all by remote, and it never touches the main CPU on the computer, which means if I sometime else in the future wanna monitor what's going on on any one or all of those provisioned systems, I can tap into it and you're not gonna know. So, and they all talk, the Minix is its own network. It's all nodes talking to each other. It's actually part of the host on the network, so it's not an independent device as far as I know. Wow. But it's a separate protocol. Wow, so if you hack that, I could own your whole, all your machines. And in fact, if you hack that one, you know now all of them, you could hack the entire enterprise system and own a company and they would never know. Oh, that's not good. No, it's not. So some of these devices people install, engineers build things for convenience and for functionality and for durability and for productivity and never do they build it for security. How are they protecting the Minix? This has gotta be encrypted. 
I do not know yet. Well, what have you been doing? You're the one with the lab. Is there even authentication? I have no idea. I just... It's gotta have some sort of encryption. Well, let's hope so. Besides username and password, and then it's admin and... User name and password. Well, I thought we got rid of passwords last week. Default password, and you're in. We're supposed to be using passphrases. So when you make a password, make it a passphrase, and white space counts. So you can just type in a sentence, don't use Mary Had a Little Lamb. Chains out some of the... But don't use Mary Had a Little Lamb. Yeah, because I just thought that... You just killed that one. Yeah, I just... Well, I mean, it's just a song. Don't use song lyrics. Don't use common stuff. Oh, I can't use Voodoo Child. No, no, no, I can't do that. Let's talk about what you can do to protect yourself against some of these drive-by things. So... Umbrella. Umbrella's cheap and it's actually free for 60 days. So try it, load it and see if anything happens. And I got the 60-day free and it's been... I'm ahead for months. I don't know, maybe they don't ever charge you. I don't even know. I think they're waiting for you to advertise for them. I'm doing it right now. I love Umbrella. Get some free umbrellas, whatever. I don't know. You're the evangelist now. Yeah. And you got that from Cisco? Yeah. You can just go Umbrella. It used to be OpenDNS. Okay. And they bought OpenDNS until they turned it into this tool, Umbrella. Okay. And it's talking with their... The Talos, you know how the Talos group is monitoring the Cisco, monitoring all the... No, we should... The threat fabric, right, or whatever. Talk about that because that's a great creation, I think, by Cisco or a modification of somebody else's creation, where a vast number of hosts on a vast number of networks worldwide report to a centralized system about virus signatures, about potential attacks. 
And if my computer gets attacked and it reports to that system, your computer's gonna know. Well, that threat fabric's gonna know. And it talks to all the firewalls and they can push it down to... If you have agents running like I do, then it pushes it down to that, which is, I think it's so cool. I think that would have really helped for WannaCry. Yeah. Oh, for sure. Yeah, because once you have a little infection spreading in a certain area, the threat fabric's updated and then everybody gets the updates and then WannaCry's stopped. SMB attacks were shut down. I would hope that that would happen if we're all using this. So Umbrella's a good product. If you don't have the money or the time to do Umbrella, you can do some basic things in your browser. So browser, they always have a privacy browsing session you can use. Use Tor. You should clear your browser cache. Yes. Never store your passwords in there. Clear all your cookies. Clear all your cookies. You're not using them anymore? Yeah. The best way to do this is set up Edge, Firefox, and Chrome all have a setting that you can go in and shut off storing all that stuff. Every time you shut down your browser, it gets deleted. Clear as all of that. Clear as it all, so you start fresh every time. Now, the bad part is when you get to your favorite website, your username's not already in the username box, which scares the crap out of me when that happens, like, oh, I must have messed up somewhere. Yeah, when you forgot to. Yeah, and then there's dots in your password box, so it knows your password. But the scripting attacks, when you go to some of those malicious sites, it can extract that stuff from your browser. Read your cookies on there, which identifies, you might see an Amazon cookie with a string in numbers, which is your user identification number on the Amazon website. That's probably the last thing you bought and a whole bunch of other stuff's tied to that, right? 
So isn't it tied to your behavioral data, right? Which is what they like to have. Right, right, so I wouldn't do that, but it come with maybe it's a little bit personal information, too, so. That's just things that you bought, but also just. Places you went. Items that you've looked at. You know, it's when you go out. Oh, yeah, yeah, yeah. These are the things that you've looked at recently, the behavioral analysis. Would you like to add this to your cart? Oh, yeah. I'd like to add it to Dave's cart. People who looked at this often bought that. No, I gotta say, that is a funny trick and it's a good way to teach people a lesson. If they leave themselves logged on. Buy them some stuff. And they're on Amazon. Now just go browse for something like, I don't know, adult toys. A Ferrari. And the next time they go and see it, hold on. And just put it in their cart. So it comes up there. Wouldn't you like to add this? Send that to their wife. Hey honey, should we get some of this? Yeah, I'll send an email. Help, I'm stuck in the trunk of a car in Bangkok. Please send money to Hal. He's taking money for me because I'm in trouble and he'll help me bargain with the State Department or something. See how much money you get, you know? Because that's the way to teach people a lesson. It's a harsh lesson. But the other one you can do is change your spell check. They're autocorrect. Yeah. That's a wonderful one. Yeah, it's a love. Autocorrect is one of my favorite things. I love messing with the human mind. It's my favorite toy. So what do you point it at Russian Library? Or what do you do? Do you put your spellings in? Yeah, no, I just changed it. Well, my favorite was, there was a person I worked with, his name was Warren, and I put a T on the end of his name, so it was Warrant. And nobody knew for about six months that people actually started calling him Warrant and his new business cards came in the mail. So it was Warrant. No way. 
Yeah, and you know, finally you realize what was going on. All his emails, he'd sign Warrant. It's pretty good. Autocorrect. Because he never saw the T. No, it's one letter. Yeah, yeah, yeah. It looked like his name, right? It's like reverse phishing. He's phishing. Yeah. You gotta change people. You let him change his own identity to everyone else. Well, let's talk about it. So these drive-by attacks can occur not only with scripting attacks, but when you don't update things like Flash. So when you go to your favorite. Which is known to be really bad, right? Right, Flash gets updates every other week. Has everybody deprecated it? Yeah, for good reason. Haven't they deprecated it? Isn't it going away? Isn't it dying? That's been the rumor for years. Oh, I see. But I still go to Google News and I see different websites like New York Times, Washington Post, whoever. It's got Flash going and if I don't keep updating that, I can be a victim. Especially on the Mac, they had the Flashback attack last year where Flash actually was the problem. That was the way in. So you could just disable it and then not view Flash files, right? Which is probably safe. And force yourself to read instead of watching. Imagine that. Imagine reading. I was looking at this. So in the week of September 3rd, a couple of drive-bys that it caught. And this is interesting. So one of them was, probably was GoPro. I was messing with it. It's GPWPRO. So instead of GO, it was GP. It was what I got redirected to. Somebody tried to hijack me on. And then it caught. And the other one was just numbers. URL.150409.us.snd15.ch. So some garbage that some, like you said, someone obviously had injected somewhere. I was browsing and this thing caught that. Ah, it's nice to have that. Might have saved me from ransom. Who knows what happened? Some of the other things you can do, don't view PDF files in your browser. So when you see a link and it ends in .pdf, that's a photo, like Adobe Acrobat file. 
And the browser has a plug-in to read the PDF file. But if the PDF file is infected with some other kind of malware, they call this a wrapper. They wrap the malware in a legitimate program or they attach it. And they just put PDF on the end of it. And they put a PDF on the end of it. You will see the file. Everything's fine. And it looks like a PDF. Right, but in the background, they're harvesting from you and your browser session, all these things that could come. We're installing a keylogger. Well, so only some, let's talk about browsers now. So most browsers, the more updated browsers, will have a dedicated memory space on your computer, which will try to sandbox most of that stuff. So if you don't have that dedicated memory space, you don't update your browser, that could happen. So keep an updated browser. Firefox just came out with Firefox Quantum. Yeah, I saw that. It's using Google for service. It's primary, is it? You running it? Twice as fast as the old Firefox, just the previous version. But Chrome came right up to speed. Chrome 62 came up with an update, just as fast as Firefox now. I'm really impressed. So all the new security features got added. So the CERT blasts that we get, the emails that we get from the federal government saying, hey, all these security features just came out, Firefox and Chrome were in there. Good. Yeah, thank you for that. Thanks for fixing it. We're keeping it up now. Wow, we're getting down to one minute. Let's talk about, we have a website here. If you think you're, you're out there doing your holiday shopping and you think you've been victimized, you can actually tell the FBI. And please do tell them. It's ic3.gov. ic3.gov, and that's the FBI's website. You can report suspected malicious activity, and they will investigate. No promises they're gonna get right back to you. 
But at least you can be part of the solution in trying to get some of these people to stop doing all the malicious stuff they do and start really watching out for social engineering attacks. And the holidays, especially people are doing charitable donations. This is the time for social engineering attacks. Don't give away your money without knowing where you're giving it to, right? All your information. All your information. Oh, please, the information is the most important, right? So we got about 30 seconds, any guys? You guys wanna say anything to wrap us up? 30 more seconds. What do you got, Hal? Happy Thanksgiving. Yeah, happy Thanksgiving. Happy Thanksgiving, that's right. I just gotta say, be safe. People are much more vulnerable this time of year, and criminals know that. And they're canvassing for you. They're looking to take advantage. That's right. Okay. Thanks, Dave. Well, hello, guys. Thanks, Hal. Bye, everybody. Stay safe.