Think tech away, civil engagement lives here. Welcome back. I'm Dave Stevens, host of the Cyber Underground. That's right. I'm all alone today. I have no guests. So have a little mercy. Cut me a little slack. I'm a little nervous. So we're going to go through 28 minutes of, you guessed it, just me. Isn't that great? Okay. Let's roll on. First of all, if you're tuning in for some of the great information that people all over the country and all over the world are going to want, you might want to fast forward about a minute on this YouTube video or your local podcast because I'm going to do some local announcements for about a minute or a minute and a half first. Now as you know, I am faculty at the University of Hawaii Kapiʻolani Community College and we do an event called Wetware Wednesday, wetware, like the old noodle. And we do this once a year at the Kapiʻolani Community College campus. This year Wetware Wednesday falls on October 31st. That's right. From 6 to 8 p.m. on our campus at the Kōpiko building, it's top of campus in our little enclosed courtyard. And from 6 to 8 p.m. we're going to be inviting some people from the local IT industry as well as students from the University of Hawaii System, all 10 campuses, and maybe some other students as well from the local high schools. So you can all get together and meet each other. We'll even have a costume contest. We'll be serving some soft drinks and water, sorry, no alcohol, and we'll have some free food. It's always good food. So come on by and enjoy. And since we end at 8 p.m. and our campus is only a mile away from Waikiki, you can do all the after parties down at Waikiki Beach and Kalākaua and Kūhiō Avenues, depending on your taste. And have a great time. It's always interesting doing Halloween down at Waikiki. All right, let's move on for the people that are tuning in now that don't care about our local events. Let's move on. I have a tech support horror story to tell you.
And I'm sorry, I am going to out the vendor that did this because I want them to change their behavior. And after I'm done, I'm going to send a little clip of this YouTube video to Brian Krebs. Hopefully he'll post it on his site as well. Before I do this, I must put out a little disclaimer. I think this is a huge security breach. They have the chance to respond and say, no, it's not. However, when you see this and I tell you what I'm looking at from my point of view, you might think this is an egregious security concern from a website host called Bluehost. And it can be found at Bluehost.com. Let's discuss this. I'm going to put up a screenshot now of a chat I had with tech support when my credit card failed to make a payment. For some reason, Bluehost.com was flagged as a fraudulent transaction and a security concern to MasterCard. So that prompted this chat. As we scroll down, you can see that my chat support agent, Poro Prasad, who I do not blame for this in any way whatsoever. By the way, he's just a great guy. He's working his job. He's getting it done and he's following the policy of his company. Now if you'll look at his statement as the beginning of the conversation opens, he asks you, can I get the last four characters of your cPanel login password? So the cPanel is a control panel for all the website hosting activity for your account. It actually controls everything you do. If you have to put up a new website, change out files, set security settings, HTTPS settings, put up a new web page, it's all in the cPanel. So if you have the cPanel login, you have administration rights, God rights to the entire account. So he's asking for four characters of that account. Let's examine why that's a bad thing. So we can take that away for now. We just go back to looking at pretty old me while I tell you why that's a bad thing. Thank you.
When people store passwords, they usually don't store what's called clear text or what's also known as plain text, which is the actual characters that are human readable characters in a password. When you store those in a database, that's exceptionally, tremendously a security concern. If it's a danger, you might get breached and all that exfilled data can be used to hack an account at some other time. So one of the cautions that providers will take is they run these passwords through what's called a hash algorithm, a mathematical algorithm that's called a one-way algorithm. So you take a certain amount of data, text passwords or some numbers, you run it through the algorithm. And the other side of the algorithm that comes out is a certain set amount of bytes and it's a mixed up alphanumeric character sequence that is unique to whatever went into the algorithm. So if I was to change even so much as one character of the input data, the output would be absolutely different. Now if I put in different text and I come out with the same result out of the hash algorithm, that's called a collision, and older hash algorithms can have that. So we keep improving hash algorithms in the cryptographic industry, rather frequently; we're up to SHA256 and some others. MD5 is still used though to store passwords and that's another hash algorithm. Now my password I expected to be hashed. Now the result of a hash algorithm is called a message digest. That digest is that alphanumeric sequence in a fixed amount of bytes representing my password. If that's stored in a database, there's not that much problem with that. So when I log in the next time, my clear text password is rehashed with the same algorithm and compared to what is stored in the database. Now if those match on that comparison, I'm allowed to log in and have access to my account. If they don't match, I have not entered the original clear text password and that's how you know.
However, when our tech support agent asked me for the last four characters of my cPanel login, he was inadvertently telling me that somewhere in Bluehost, most likely they have my password stored in plain clear text. This is an egregious security area. You cannot do this, Bluehost, and this is a giveaway. Now I'm going to let you off with a little bit of a warning. If you did this, you could have, when I originally made that password, taken four characters of my password and hashed it somewhere else. So you could have rehashed and compared if I had given my clear text four characters. However, my guess is you didn't because I've had other experiences with you, Bluehost, that are very similar to this one and this one is a tragic error. We could put up that screenshot. Once again, this should never happen with tech support of any kind. And I'm telling you this because Bluehost did it and many vendors still do it. In the very beginning in 1989, when I first got into social media, I was on AOL. And when I needed tech support one day, AOL asked me for my password and I refused and I could not get support. Those were the old days. These are the new days. We are here over 30 years or almost 30 years later and I'm still being asked for my password characters for verification purposes. There's all kinds of ways to verify who you are. You can have a unique PIN code. You could have any kind of special code word. You could have your address, zip code, phone number, email address. Many pieces of personal information can verify you. You don't need to verify with a password. Bluehost, you need to fix this. All right. Moving on. Now, this is National Cybersecurity Awareness Week and I'd like to address the biggest concern I have with cybersecurity and it's something called zero days.
Zero days are malware or infections, viruses, worms that can get onto your computer that have never been documented and don't have any signatures for virus protection or malware protection, anti-malware to take that software off your computer or stop it from proceeding like ransomware. You want to stop that. But if someone's got a piece of malware that's never been identified or has been used frequently but somebody has not developed a signature or cure basically for that virus, that can run rampant on your system and you're not going to know about it unless it shuts your system down like with ransomware. So let's talk about zero days and the best ways to effectively defend against zero days, and the best way to prevent that is to keep your system up to date. Now, if you want to know how to keep your system up to date, when to keep it up to date, I'm going to run you through a few steps to identify some of the things you should be doing on a daily basis to keep yourself safe. So first thing you do, go to a place called US-CERT, the United States Cyber Emergency Readiness Team. The website is US-CERT.ORG. Now, if you go there, you can get into their mailing list. Their mailing list comes out with daily warnings. This software for this vendor has been updated to this version. If you don't update it, here's the danger. And they give you something called a CVE, a common vulnerabilities and exposures number that's unique to that vulnerability. And you can go look it up in a CVE database. A CVE database is located at CVE.MITRE.ORG. MITRE.org is a company that does federally funded research in cybersecurity and many other security research activities for the federal government. And they have a database of all the CVE numbers that can help you identify if your computer is in danger. Now, let's go through some of the other things that you can do. CVEs are also something that is a concern to the National Institute of Standards and Technologies, or NIST or NIST.
Now, NIST is an organization that puts out special publications like the 800.171 or 800-171. It's a list of 14 families and each family has a number of different checkpoints where you can go through your entire small or medium business network and all your personal security and see if you've addressed all the security concerns that can help protect you as a small business owner. This was developed so that you could do business in a certified and auditable way with the DOD or federally funded agencies, which have a higher standard called the 800-53. The 800-171 is by NIST. Now, NIST is federally funded and gives money to MITRE.org. And our President Trump has decided in 2019 to remove $6 million from NIST's budget. And therefore, that's going to affect the CVE database as well by default. So if you're out there in the midterms voting, do not vote for someone who's reducing your security and increasing your risk. And our President has just done that recently. So just something to remember when you go out there and cast your vote. On November 6, 2018, by the way, if you're a Democrat, don't get lazy. Get out there and do your duty. We need your voice and your vote. Let's go over some of the ways you can update your equipment. First of all, when you use Microsoft, you're going to use Windows, and you probably have Microsoft Office. Windows has an update feature that you can set to automatically update. However, if you don't want to automatically update once a month on a Tuesday, Microsoft comes out with something called Patch Tuesdays. It's a list of security vulnerabilities and patches and hot fixes that they're going to run on your computer if you let them. And it will address some of the latest concerns and upgrade your computer to the latest versions. Now, zero-day attacks are based on whatever the computer configuration was before the attack. So they take a long time to develop. 
It's not like NCIS or one of these other TV shows where there's a hacker that just a couple of strokes on the keyboard and they come out with a great new hack and they execute and they're instantly on someone's computer. That doesn't happen. There's a lot of research that needs to go in. Use open source intelligence to footprint your target. You get some social information from social media and we get all those pieces of the puzzle together. Then you scan the systems you want to attack and you get information about what operating system they're running and then you start formulating what's called a kill chain. It's how to attack that computer and if those attacks don't work, what attacks do I fall back on and what are my actual goals. That kill chain is what guides zero-day as well as other attacks, and with the zero days the difference is they have to be developed from scratch. Most hackers right now don't want to work that hard. So they go to someplace called exploit-db.com, that's exploit-database.com, and they can look up exploits by searching for things like Microsoft or Internet Explorer or Flash Player and they can see the exploit. They can download the code to exploit it, something called a payload, and they can actually execute this attack without actually knowing too much about programming. But zero days, zero days are from the expert hackers who are developing from scratch and they don't want anyone to know about it. Now those zero days are based on current configurations and when we come back from the break, I'm gonna go over how you can update your systems, whether you're on Linux, Mac or Windows and keep yourself safe from these zero days. Now keep yourself safe while we take a little break and pay some bills. Aloha.

I'm Jay Fidell, ThinkTech. ThinkTech loves energy. I'm the host of Mina, Marco and Me, which is Mina Morita, former chair of the PUC, former legislator and Energy Dynamics, a consulting organization in energy.
Marco Mangelsdorf is the CEO of ProVision Solar in Hilo. Every two weeks we talk about energy, everything about energy. Come around and watch us. We're on at noon on Mondays, every two weeks on ThinkTech. Aloha.

Hello, I'm Yukari Kunisue. I'm your host of a new Japanese language show on ThinkTech Hawaii called Konnichiwa Hawaii, broadcasting live every other Monday at 2 p.m. Please join us where we discuss important and useful information for the Japanese language community in Hawaii. The show will be all in Japanese. Hope you can join us every other Monday at 2 p.m. Aloha.

Welcome back to Cyber Underground. I'm Dave the Cyber Guy. I teach for the University of Hawaii, Kapiʻolani Community College, and I'm here to give you guys some information on how to update your systems to prevent the zero day attacks, the expert hacking attacks that have not been identified yet and that can make it through all your malware security like anti-virus systems and anti-malware. How do we do this? Well, on Microsoft, you can go to the control panel and set all your automatic updates. I would do this if I was you. Now there was a time, way back when, when Windows first came out, if you set automatic updates on, you were rolling the dice because every once in a while an update from Microsoft would kill your system and destroy all your files. Microsoft, go ahead and contact me. I can give you the times, dates and the operating systems and the updates that did that to me, but I don't wanna have that discussion. That doesn't happen anymore. Windows has actually made a pretty good product. They've broken away from Microsoft. Windows is their own independent deal now and they're actually taking some care to make this a very secure operating system. They've actually put some Linux back in stuff on there and you can do some Linux commands as well as the Radar, Command, DOS and PowerShell activities. All that keeps you secure.
So set those automatic updates on and if they're not, you can run them manually just by going to updates. You go down to the little search bar in Windows 10, type in Windows updates and what you're gonna get is a Windows update screen. You hit enter and you watch as it goes out and searches for updates. Now if you're on a Patch Tuesday, you're gonna get quite a bit of results and it's gonna take quite a long time. So I suggest you do this, say, overnight. Hit update, walk away. Go get yourself a drink, watch some TV, go to bed, get up the next morning, you're all done. Most of the time your system will reboot on its own and wait for you to log in as a new user. I'm hoping that's how your system is configured. Do not have it log in automatically. Have a password. Okay, moving on. That's Microsoft. Now if you use MS Office, it has its own update system built into Word, Excel, PowerPoint, Access and all the other programs. However, if you're using Windows Update, Windows and Microsoft will work together to update MS Office on your Windows system. Where that doesn't work is with Mac. Mac auto updates, you actually have to go into MS Office on the Mac and set the automatic updates for Word and Excel and PowerPoint and ALIC manually. However, it works pretty well. They've come out with some really good updating systems. They have a Microsoft updater application and you can set it to automatically update everything and they have security patches coming out at least once a month for Mac as well. So, good job Microsoft. Thank you for taking care of us. And by the way, while I'm talking about this, Microsoft Office is probably the best Office applications package to ever come out and Microsoft Outlook, if I had to choose an application to handle my email, my calendar and my contacts, it would be Outlook. It was a very well done program, always has been and they're keeping it up to date very well.
So, you can trust that program and it's highly secure if you use the cryptographic features of the system. So, good job Microsoft. Let's move on to how to update a Mac. Now a Mac, you can do system preferences and you can, in the software updates, you can actually go to the system preferences, an icon called software updates and click automatically install updates. That feature has been around for the last several iterations of the Mac OS X and I love it, I do it and I keep myself up to date and it usually runs again overnight when I'm not looking and when it's not gonna bother me. Now, let me just reiterate, these automatic updates should not be going, should not be updating or running your processes while your backups are running. So, I would recommend you do a full backup first. Unplug whatever device you've got plugged in there for your backups. Turn off that network device, unplug your USB, external hard drive, whatever you're backing up to. Make sure your backups don't run while the Windows updates are running because sometimes those two processes can interfere with each other and when they do, the results can be catastrophic and if you have an encrypted backup, it's even worse because then your password doesn't work because the encryption is broken and you don't want that to happen. Then you just bricked your device and you might as well just go out and buy another one or erase it and do a new backup if you can get back on your computer. So there's a lot of problems, just make sure backups, updates don't happen at the same time, enough said. Let's go over to you Linux users. There's only a few of you out there. I know, I'm gonna speak to you guys because you're in the front row and you're listening intently. Linux is built off of the old Unix. Linus Torvalds in the 90s came out with his own version of Unix and of course he called it Linux after himself, Linus of course, and it's a great system. However, it's open source.
So that means there's a lot of distributions or a lot of different versions of Linux and the two main distributions that came out were Debian and Fedora. And Fedora came out with, you've heard of Red Hat but it had an enterprise Linux and of course CentOS. Now the Debian channel of course has my favorite Kali Linux and we also have Mint, which is a good one. So you have to do updates different ways and there's no auto updates really that work all the time because GNOME has something built in that's the user interface for Linux. However, you should do it on your own and it's easy. So for Red Hat Enterprise Linux or CentOS, the Fedora chain, you're gonna use something called the Yellowdog Updater Modified or Y-U-M, YUM, the YUM command, YUM space update dash y. So it answers yes to all the questions. You can update all your stuff. There's a couple more commands but use YUM, you can look up YUM commands for CentOS or for Fedora and get that job done. Again, it's gonna take a while and at the end you'll have to use a command called autoremove to clean up everything you don't need anymore. But Linux is a little harder to use. It's just much more stable. So if you're thinking about going to Linux, that's how you update the Fedora side. Now for the Debian channel for you security guys who use Debian, I like Debian, Kali is a great system. We use the APT or Advanced Packaging Tool. APT or APT dash get is the command on the command line for Debian updates. You can use apt-get, APT dash get. And again, update space dash y, answer yes to all the questions. You'll also have to do something called an upgrade and a dist upgrade. Now these are different. An upgrade will upgrade all of your software. Good. Distribution upgrade will upgrade your OS and your Linux headers if you wanted to and upgrade all the packages that have come out that are brand new. So this is a little bit of a challenge for people trying to keep their environment stable in an enterprise environment.
You probably just wanna do the upgrade and save the dist upgrade for a later time and definitely test those upgrades out before you put them in an enterprise environment. Also, if you're working in a business, if you're doing any kind of upgrades to your system, I'd recommend not only disconnecting your backups, but having a separate system where you can test these upgrades and test all the software that's running in your company and have a whole bunch of functions that you can test in each one of those software packages to make sure nothing broke when you did that update. Then when you're sure nothing broke, you can let everybody else in the company do the update. So if you're the administrator of the company's small or medium business and you wanna make sure your updates are nice and secure and nothing's gonna break, make sure that you test your updates before you let people go and do their updates. Or if you're a really good system administrator, you'll take over those updates from the administration console on a domain server and make sure everyone's updates are only the updates you want. Now, here's a big warning for you companies out there that don't keep up with all the updates and don't have time to test them all so you don't perform the updates. That's a bad thing. The national health system in the UK fell victim to one of those budgeting and time constraint activities where people said, well, we just don't have the money to upgrade from Windows 7 or Windows XP. We just don't have the time to test new updates. We can't come out with a new browser because we've written software for that browser especially. So if we upgrade the browser, we break our software and we can't afford to redo our software right now to write it again for another browser and truthfully, browser updates come out almost every day. So what they do is they don't upgrade.
Well, when they don't upgrade, the exploit database comes into play and people that don't really know about hacking but that can execute commands are called script kiddies and they just go to Exploit DB. They grab a known exploit that works on Windows XP with Internet Explorer 7 and they know that's your system through open source intelligence and they execute that hack. Now, some of these hacks, they don't need to be on your network. They just need to send you a link in your email that says cutest kitten video ever. You click on it, you hit the webpage, you're hacked. The hacker gets a command line prompt on his system but it's actually looking at your system and he can do whatever he wants and you won't even know it. You'll think your webpage crashed or that video might even play and you'd never know that you were hacked. Once a hacker's on your machine, they can do something called a pivot. When they pivot, they can scan the rest of the network that's around you and use your system as an attacking machine to get other machines. Now, your system might not be, or your computer might not be too valuable but if it's pivoting and you find a domain controller, you have the keys to the kingdom. So watch out, companies, delaying too long to upgrade to new systems, to go to the latest operating systems, to run the latest patches, because the longer you delay, the more risk you assume. Now in cybersecurity, we have a threat landscape. We wanna reduce our exposure, reduce our threat landscape by implementing as much of these processes as possible. Updating your systems to the latest operating systems, the latest security patches, the latest hot fixes and having all your software up to date is the first line of defense, then you add malware, then you add networking security and 99.9% of the time, you're safe. It's very hard to get past all that, usually as a social engineering attack but for the most part, you're safe. Now let's talk about some of these browser plugins.
Flash just came out with some updates. You should update this immediately. Flash is now at 31.0.0.122. If you're not running that version of Flash, the plugin for the browser, update immediately. Chrome just came out with security updates, version 70. So upgrade to version 70 of Chrome, the browser, immediately and if you don't have Firefox version 62.0.3, you're out of date and you are vulnerable to an attack that could allow an attacker to take control of your system. Also, VMware, the virtualization software, came out with patches for all of its systems. For Windows, version 15 is the best system to have right now or the best version of the software and for your Mac, VMware Fusion, you should be up to version 11. Those are our updates now. Thanks for joining me on the Cyber Underground. Next week, we'll be back hopefully with a great guest and I won't be just boring you with just myself. Until then everyone, aloha and stay safe.
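As an added illustration of the password-storage point from the Bluehost segment (example code written for this page, not the show's and not any vendor's): secrets are stored only as salted one-way digests and re-hashed at login, the help desk verifies callers against a separately issued support PIN instead of password characters, and the stored record is checked to confirm it holds no readable fragment of the password. PBKDF2-HMAC-SHA256, the iteration count and the sample account values are assumptions chosen for the demonstration.

```python
"""Salted one-way password storage and a password-free support check.
Constructed example; the account values below are made up."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor, an assumption for this example


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per record means two users
    with the same secret still end up with different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-run the one-way function on the candidate and compare digests in
    constant time. Nothing here can turn the digest back into the secret."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, stored_digest)


def create_account(password: str, support_pin: str) -> dict:
    """Account record holding only salted digests. The support PIN is a
    separate secret issued for help-desk identity checks, so the login
    password never has to be typed into a chat window."""
    pw_salt, pw_digest = hash_secret(password)
    pin_salt, pin_digest = hash_secret(support_pin)
    return {"pw_salt": pw_salt, "pw_digest": pw_digest,
            "pin_salt": pin_salt, "pin_digest": pin_digest}


def login(account: dict, password: str) -> bool:
    return verify_secret(password, account["pw_salt"], account["pw_digest"])


def support_identity_check(account: dict, pin: str) -> bool:
    """What the help desk verifies instead of 'the last four characters of
    your cPanel password'."""
    return verify_secret(pin, account["pin_salt"], account["pin_digest"])


def record_contains_secret(account: dict, secret: str) -> bool:
    """True if the stored record carries the secret, or its last four
    characters, in the clear. With hashing in place this is False, which is
    why a provider that can check your last four characters against its
    records must be keeping something other than a digest."""
    needles = [secret.encode(), secret[-4:].encode()]
    return any(n in blob for n in needles for blob in account.values())


def avalanche(secret: str, salt: bytes) -> bool:
    """Changing a single character of the input yields a different digest."""
    _, d1 = hash_secret(secret, salt)
    flipped = secret[:-1] + ("x" if secret[-1] != "x" else "y")
    _, d2 = hash_secret(flipped, salt)
    return d1 != d2


if __name__ == "__main__":
    acct = create_account("correct horse battery", "48213")  # constructed
    print("login ok:", login(acct, "correct horse battery"))
    print("support PIN ok:", support_identity_check(acct, "48213"))
    print("record leaks password tail:",
          record_contains_secret(acct, "correct horse battery"))
```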