 Yeah, I'm tired of being asked if I'm a robot or not. I'm Jay Fiedel. This is Think Tech, the three o'clock block with Think Tech Tech Talks with Attila Serres of Cylanda. Welcome to the show. Nice to see your smile and face, Attila. Hey, I was glad to be here. And if I can be as cool as you with your glasses, I'm gonna join in with a little bit of coolness too. So thanks for having me. We're doing cool here. So let's start out with the title, you know, about robots. I'm really interested in that because I've been hung up on robots many times. And I wanna hear, you know, why they started and who operates them and sells them and how, you know, nefarious people have gotten into the robot game. Can you talk about it? Well, sure, but in order to do that, I'm gonna have to take off my glasses to be a little bit more serious. I hope you don't mind. So, you know, I don't know about you, but every time I take my laptop somewhere new and I try to log into, you know, banking or financial institution website or whatever, I'm being asked, am I a robot? Am I a robot? Kind of drives you crazy because your IP address has changed, you're like a new entity. And they wanna validate that you are a real person, right? And this is called CAPTCHA. CAPTCHA, and there's a few ways that CAPTCHA works. So you can have fuzzy letters, you can be asked to do numerical math problems. You can figure out, like mine, the one that drives my kids crazy is Roblox. Roblox has an insane CAPTCHA mechanism where you have to like pick the matching shapes of like a six-sided dice and it's just, you know, irritating and no one likes it. It's terrible. So one of the biggest boys on this block is Google and they've put out an API that allows you to make a call and generate a CAPTCHA on your website that's gonna have, for example, ask you for which boxes have stop lights or which boxes have a crosswalk or which boxes on this series of pictures has a motorcycle, that kind of stuff. 
And if you answer correctly, then, you know, you can proceed into the website. Now, why this new scam is a little bit different is because they're taking that same mechanism, that same CAPTCHA mechanism and they're adding a sense of legitimacy to websites that are trying to harvest your information. So here's how it goes. A text message or an instant message or an email comes in, perhaps on your phone and notifies you and says, hey, you know, you need to update your information. One scam they're working on now or should I say, one scam they're working on alerting the public to right now. I'm glad you changed the way you phrased that. Yeah, it's important. But yeah, we try to like get these kind of critical, time-sensitive scams out as fast as possible. But unfortunately, if we dump them all out at one time, then everyone gets overwhelmed. So we try to slowly feed them out and curate them so that, you know, folks can actually do something about them. There's a new one going on about expired driver's license scams, right? So those messages come in through instant messages saying, hey, that your driver's license is expired. You need to click here to go to this website, right? And at this website, we're gonna ask for your information. But before it allows you in to harvest your information or to harvest your credentials, ask for that CAPTCHA. And most people, when they see that, they're like, oh, this is a legitimate site. They wanna verify that I'm a real person and that I'm not, you know, out there doing bad things. And so that kind of gives it this sense of legitimacy. Now CAPTCHA is kind of nefarious in that not only does it give that sense of credibility, but it also shields the affected website from probes that can go in there and perhaps siphon out a file that could be infected and detect that site. And it also prevents, you know, just web crawling in general. So a lot of these sites, they're very difficult to find for that reason.
Last month alone, according to one security firm, they found over 500 new sites per day being created with this big CAPTCHA, image CAPTCHA scam. And so obviously this is not a new scam. This has come up before, but the extent to which we're seeing this now is new. So it's not so much that the CAPTCHA function actually does bad things to you. It's only that it lends credibility to a site that is a false phony site. Is that what it is? Exactly, exactly. So just because you see that CAPTCHA on a link clicked on doesn't necessarily mean that it's safe to use. Well, you know, the thing about the CAPTCHA, a legitimate CAPTCHA now, is that it'll have something on the bottom that says, if you can't read the boxes that have the traffic lights or the stop signs or the bicycles or the crosswalks, press here and we'll send it to you in some other way. We'll verify with you in some other way. When you say yourself, that's pretty sophisticated that they recognize that I may not be able to deal very easily for whatever my handicap might be with the pictures of the traffic lights or the crosswalks and the like. And they'll play a sound or they'll play those cockamamie numbers that I'm supposed to read numbers. That's worse than when I go to the ophthalmologist and try to read the art, the eye chart. I have trouble enough with the eye chart. I have more trouble with the cockamamie numbers that are upside down and backward and reflective and so forth. But it seems to me that when Google does it, and I'll assume that the ones I'm talking about are Google, it's pretty sophisticated where if you can't do it one way, they'll present another way. So you can verify in any three or four different kinds of ways. And then you should have some confidence in that, right? Well, the idea is that there are legitimate CAPTCHA, companies that create a CAPTCHA product and anyone can use them, right? To validate someone on their existing website.
It doesn't matter whether or not it's the legitimate site or not. And the issue is here that there are so many tens of thousands of these sites being created that it's difficult for them to really vet out the ones that are malicious. The way they've been able to find some of these is API key reuse. So what that means is that the key, the token, the authentication token that's being used to generate the CAPTCHA is being used on a website that's requesting users input their Office 365 password and their Apple ID, right? So they can see right away, oh, look, we have a reuse there. So there's a little bit of laziness on the hacker side. But I would definitely not say that this is gonna go away anytime soon. Just be aware that they try to lend credibility any way they can. How can I tell a phony CAPTCHA from a real one? Well, look at the URL, that's the easiest place to start. And they're getting really sophisticated now. The folks that we're talking to announced particularly in financial services and in government contracting they are being phished heavily with highly customized domains that are exact duplicates of even some federal and state websites. There are some DMV websites that are out there that are perfect match. So far we haven't seen them in Hawaii. They've been more in the Midwest. So like Minnesota, Illinois, Michigan, those kind of places, they've been subject to these kind of DMV attacks. How can I get a perfect match on a domain name? That sounds like it's structurally impossible. How do they do that? Well, think about it this way. Let's say I want to register a domain name that no one's used before. Let's say that domain name is XYZ 2003, right? So let's say I wanna create a Microsoft phishing webpage that I could say, I could create a domain prefix. www.microsoft.com.xyz200. And most people will just read the beginning of that and not follow through all the way to the end.
So that domain prefix at www or the secure or the, you know, I could call it jfidel.thinktech.com. That domain prefix, that's where they're able to really make the difference. I wouldn't know the difference if you sent me something that said www, Microsoft, whatever and some kind of, you know, name of an organization or, you know, a business group that was exactly the same as the one that I'm familiar with. I couldn't tell the difference. As a matter of fact, if they could slip the word Microsoft in there, even though it's not legit in that domain name and that return address, that would lend credibility if they did that. How in the world would I know it wasn't legit? Well, that's where it comes to security awareness training. I mean, the human firewall is ultimately your best effort. I mean, that is your best bet. So if you can really get that human firewall figured out and, you know, we can figure it out from there. That's how security awareness training is so important. Well, you know, I always look at the return address of email that sounds fishy, fishy, not phishing, fishy phishing. I always look at the return, always. But I'll tell you the truth, if it had a, you know, if it had the name of a legitimate tech company in there, I wouldn't really be, I would buy into that. But let's talk about, you know, phishing in general these days, it seems to me that they're always trying to, I got a call this morning from, it was a recorded call and it said, this is the Social Security Administration calling, and there's been a breach on your social security number. So if you do something, you know, it'll connect you with somebody who's gonna help you clear up your social security number breach. And I said, well, no, that's a funny way to do it because the very first question that person is gonna ask me or that automated, you know, telephone message is gonna ask me is what is your social security number?
And I said, well, don't they tell you not to give your social security number out to anybody? So, you know, they're gonna ask that question and you know it's pretty strange that they're calling you like this. So, you know, I feel that you always have to be on your toes, that's a complete phony. And you've seen that ad, this kid is at his computer and his mother is, you know, making dinner or something and he turns to his mother and he says, mom, you know, what's the password on your 401K account? It's a great ad. His mother says, what? What did you say? But I think that happens. It does happen, doesn't it? Well, you know, password reuse is a big problem. That's, you know, that's part of the credential harvesting is that if they are able to obtain a username and password and then reuse that username and password on your bank account or, you know, social media accounts, et cetera, that's where you kind of run into some trouble. So, if you do have to reuse the same password, by the way, most people use the same password on more than one account. So let's just be real here. Not me and not you Attila, right? Well, it's because we're pretty diligent about it. And, you know, this is our profession, but most people don't. So the way to, you know, to do that is to at least turn on two factor authentication for every web service that you can. That way, if someone does try to log in from a foreign country into your Gmail account, boom, they're going to be prompted with an authentication method. It's going to show up on your phone and you can deny them, right? Is there a way to crack that? Is there a way to crack two factor authentication? There are starting to become ways, yes. And, you know, if you go back to the T-Mobile data breach that just recently occurred, I'm sure you've heard about it where it was millions and millions of customer accounts, IMEI numbers, geolocation, some credit card numbers, social security, that kind of stuff was leaked out from T-Mobile.
Which, by the way, I know they're saying that they're taking security seriously. We'll wait and see. I mean, this is their third breach, I think in three years or four years. So, you know. For T-Mobile, for T-Mobile. For T-Mobile, yeah. And this doesn't necessarily mean, you know, active accounts. This is anyone who's been a T-Mobile customer who has applied to be a T-Mobile customer. So, there's some of that there. Yeah, well, I know it's just an ongoing problem, but, you know, there's a number of password protection software programs, apps, available for your phone, for your computer, and good news, they talk to each other as you put it in on your phone and it comes up on your computer and it's supposed to be safe. But I really wonder about how safe it might be because if they, you know, because if I was a hacker, I'd really try to crack that program. That would be a bonanza for me if I could do that. Can you do that? Are people doing that? Absolutely, yeah. So, that's a supply chain attack. And, you know, the only defense you're gonna have against that is some sort of mobile device monitoring. We do quite a lot of that. It's called MDM and there's different levels of mobile device security that you should be aware of. So, first is like a non-intrusive layer, something where you can go and look at websites, whatever you want. But if one of those ad networks on one of those websites, like let's say you go to people.com, that ad network is infected and it tries to deliver malicious code onto your device, it's gonna stop that in its tracks, which is nice. And, you know, then you get into the more restrictive type of mobile device management, such as geo-tracking, text message monitoring, that kind of thing. So, most for compliance reasons, unless it's a company's supplied phone, you just wanna go with a level one type of mobile device management solution. On a commercial level, it is readily available, but it is relatively complex. 
I believe there are some consumer grade ones for consumer devices, but I wouldn't consider them as viable as something as a product that's being watched 24/7 by a live SOC team. I mean, that's what we have. So. Wow, it's getting more complicated. It seems like every time we talk, it's more complicated and with threatening. You know, my wife got an email today, today, this is all today from some girlfriend of hers and she called, it was a very bizarre email, but she looked at the sending address and it was the address of her friend, for sure. But since it was bizarre, she'd called the woman on the telephone and she said, did you send me this email, which seems bizarre? And the woman said, no, somebody has hacked into my email account and is sending everybody on my email account, these bizarre messages. How do they do that? And how do you stop them from doing that? Well, just like what I described, I mean having that two factor authentication on it, I'm assuming this is like a Gmail account or Yahoo account, turning that on, at least on your personal level, is a good place to start. Now think about this, imagine if this is the HR manager's email and this is a big takeaway. If anyone has a notepad and they're listening to this and they use Office 365 for their work, know this, Office 365 out of the box, straight from Microsoft comes insecurely configured. You wanna get yourself something called a Secure Score, a Microsoft Secure Score, Microsoft.com slash secure score. That will show you what the security posture is of your organization. If you don't have two factor enabled, if you don't have a lot of these places, these holes plugged, then they can get right in there and they can jump not just into a personal email that might go out to friends and family. We're talking about employee HR records, money transfer, money theft, intellectual property theft. They can get inside your cloud accounts, your storage repositories.
If you're handling government contracts with controlled and classified information, then you risk exposing that to the outside world. And in that case, you have a breach protocol. You put yourself at risk for not being up for renewal on those government contracts. This is some pretty serious stuff, all of which can be avoided from Microsoft 365 Secure Score tool that most people don't know about. And that's gonna give you a secure score. Two factor, two factor verification, authentication. How does that play into email? I mean, I have the email account on my machine, this other person, my wife's friend has the email account on her machine and she's sending me an email. So where does two factor play in that? Sure. So let's say, I know that you guys use Google for your Think Tech. I'm not admitting anything. Except I wanna tell you that everybody I know uses Gmail. I mean, Gmail is free, Gmail has issues, but it's free. And everyone that you know uses Gmail, don't they? Sure. It's scary that Google has so much control over our lives. Well, they have a lot of information about us. That's for sure. They know you better than you think you do. Just go on your YouTube feed and you'll find out. So let's just pretend, because this isn't very hard to figure out. I know Think Tech Hawaii uses Google Apps or Google Workspaces is called now. If I were to know your username and password that was breached perhaps from your Star Advertiser account and if that username, password combination matches and I try to log into your account, if you have two factor authentication enabled, you're gonna get a pop up on your phone that says, hey, someone's trying to log in. You wanna let them in? And you're gonna say, heck no, because that's not me, right? If you don't have that enabled, I'm in, I could do whatever I want. I could start emailing guests and say, hey, this is Jay, I want you to send me $5 because I'm in a Mexican prison and I need to get out.
Well, the old story, we've all got your mail like that and we all should be suspicious of that. But sometimes, let me say I wanna go on record about this Attila. Sometimes two factor authentication is a real royal pain into Royal Oak Holy, isn't it? It can be. So I'll give you another little tip here. We use something called Keeper. Keeper is a password manager, but it's also a two factor authentication tool. So what that means is that once you're authenticated with your Keeper account, it's similar to LastPass and there's other password managers out there. Having that two factor code flopped into your website for you when you're trying to log in, gold, I love it. So much easier. So having that two factor inside of a password management tool is very useful. We roll that out quite a lot for companies because as soon as they see that feature the IT department sees that they don't have to deal with those two factor nonsense, they're on board. So blessing. Yeah. So on phones, you know? So phones now have pretty good the Android, which you sold me on Android years ago. I'm sure you remember. It has to be 10 years ago. Now has very good fingerprint recognition. And so, you know, there's two or three ways you can log in where you can have a combination of ways which actually sounds dangerous. Any number of ways to log in. But the fingerprint thing, more and more I'm coming to the conclusion that is the way of the future because the technology is so good. Then, you know, what do you think about the fingerprint thing? What do you think about the facial recognition to allow you in? Well, biometrics has its own challenges been around for a long time, but for those with arthritis or who develop arthritis, not gonna work for those that have wet fingers or after you've washed your fingers, you know, wash your hands, which we do a lot of these days, of course, in COVID times. Well, not gonna work. And if you have a band-aid on your finger, it's also not gonna work.
So don't catch your finger. But it has more than one finger registered on the phone. Exactly. I mean, you're a Mac user. I'm sure you saw with your MacBook that also has biometric unlock. There's a unique approach when it comes to biometric. You can use your fingerprint or you can also use your password. So that's not a bad approach, especially when it comes to your mobile devices. The key, though, is to have the ability to remote wipe those devices if they're lost or stolen and to make it so that if they try a few too many times then the device is wiped on itself. Well, sure. Well, that takes me, say remote wipe, that it takes me to a question which I knew a fellow who always said, hey, every six months, and this is for consumers, not companies, consumers, every six months wipe your machine, start from fresh, keep a record of the software you had on there, a record of the serial numbers or passwords or access codes to get back in. But wipe it, man. There's all kinds of stuff, kinds of little chicken tracks that various exchanges have left on your machine and you really have to clean it off every now and for many reasons, do you agree? No. Hmm, what's your philosophy on that? Well, whether you should wipe your machine, I mean, that's kind of like saying, well, if you're not sure what you're eating, you should just not eat for a week. Well, come on. Hey, that's not a bad idea, you know. There is a thing called fasting. I mean, you can fast a little bit, but making more permanent changes in your behavior that you can lead a healthier lifestyle makes more sense than going dramatic and jumping off a cliff in terms of your behavior. Same thing for your machine. I mean, if you have bad security posture, if you've got cybertosis of your system, maybe it's time to start brushing those teeth, clean up your files.
If you don't have a good inventory of your system in terms of its soft or just put some of that aside, I don't think it's realistic to wipe your system every six months. You can, but I think that's just trying to force you to get into line with a behavior that you should have already, which is have good file management, have good cleanup, have good practices, and my personal favorite are the fingerprints on the screen and that drives me crazy. So, you know. You don't want to wipe it off every six months. Anyway, okay, tracking from that, there are a number, we all know for years and years, a number of virus protectors, they don't all work the same way, they're not all as good. There are a number of programs that help you manage your files and delete duplicates and clean up the space. So you have more space, more memory, all that. And you don't know if they're really invasive, especially if they have Russian names on them, I think you would be a little especially careful about that. But, you know, query, is it worth using that? Is it worth installing that? How risky is it? And which are the ones that you trust, Attila? Well, that's a great question. So there's a difference between antivirus and EDR. EDR is endpoint detection response and antivirus typically works reactively, right? So you go to a website, you download something, you click on a link, whatever, and reactively it tries to prevent you from continuing or prevent the software from spreading on the network. And antivirus programs have increasingly become less effective because the way that cyber criminals internet works is no longer a simple executable with a malicious payload inside. It's gaining access to vulnerability and then sitting there and watching the network and slowly taking things over. And EDR endpoint detection response is a proactive approach.
So EDR software, and you're gonna see this from everywhere today, the consensus is that SentinelOne is the top EDR software, it's what we use, but the EDR will go and look for unusual behavior, right? Is there something in the supply chain, which we've seen, by the way, in the supply chain where the actual manufacturer of the software bought a component that does a certain function and that component that they purchased was accidentally infected through the supply chain. And EDR is gonna find that, it's gonna look for lateral movement, it's gonna look for unusual activity from the employees such as, for example, keyboardless logins, it's gonna look for misconfigurations in the system that could leave it open for vulnerabilities. So the EDR really is the next evolution in antivirus software. We've been using it for a number of years and paired with a live operating service at Security Operations Center, which is the pictures behind me. Once you pair those two things together, that's when the magic happens because it's not just enough to install some software and forget about it, it does need to be monitored much the same way as a security system at a professional business would need to be monitored as well. You can't just expect to put it up and hope that the alarm scares the burglars away. You've gotta have some police notification and that's very important and critical to making this all work. And the chances that you have somebody trying to snoop on your system seem greater all the time. And that's what I wanna ask you about one other thing before we close. And that is, we've heard from time to time that there are programs and functions that wind up leaving little breadcrumbs on your system. And you're just Joe Schmoe, the ragman. You have no fancy computer, but you have a system which has these breadcrumbs on it.
And there might come a time when somebody in a far off land decides that it's time to include you in a nefarious mesh operation where a lot of computers are strung together and they all cooperate in a sinister plan. So I would like to know whether that kind of thing exists on my computer because that's worse than somebody, it's worse than somebody slowing my machine down or taking my data or holding it ransom. It's making me a party to a much larger, more damaging event. Yeah, that would be a coordinated attack. And without proper monitoring on your individual systems, this can happen from mobile devices, it can happen from laptops, workstations, servers, cloud connected devices, IoT devices. I mean, just think about, I know it's old news, but the Target attack and that came from a temperature monitoring system. It was an IoT device. IoT is the next big holy grail, the next big problem for consumers. And it's a great opportunity for a cyber crime because these devices are wide open most of the time, they're pushed out to market with very little consideration for security or they get pushed out and then they discover vulnerabilities afterwards because they're using a lot of the same kind of common components. For example, OpenSSL just came out with a big vulnerability just yesterday. And it's affecting countless devices across all different industries, everything from NASs to cameras to phones. I mean, it's a problem. IoT is unlimited. So I guess the question is, are state actors involved? And this goes back to the conversation we had before the show began, as to whether and to what extent we are already involved in a cyber war and what role the strategy of deterrence plays just in a nuclear kind of cold war, nuclear deterrence environment. Are we there now? Well, we've been there for years.
I mean, it's not very public because you can't physically see it or touch it but you can see in real time, go to real time threat maps, just Google that, Kaspersky, Fortinet, all the big boys, they all have them going on, they're watching and publishing in real time. These attacks that are going back and forth, not just here in Hawaii, but all around the world and you can watch these real time maps. They're fascinating to watch because it really is cyber warfare at its best. And unfortunately, as we also talked about before the show, much the same way that the arms race the nuclear arms race was going full flight during the Cold War, we are in the same kind of circumstance with cyber. It is just a matter of time before a nation state is discovered for injuring or killing a human being. And that can be a real problem because then what do we do at that point? There are, I mean, you just listen to the news, the mention of cyber is coming up more and more in talks with the presidential concerns, with state concerns, with foreign policy concerns. Cyber is just getting, it's kind of a public awareness even though it's been around for a long time, kind of like climate change, same kind of idea. Yeah, but I guess worse. Yeah, am I wrong to associate cyber as you would have just described it with cyber in connection with elections and public sentiment and social media tricks and devices to affect public sentiment. Isn't that kissing cousin to the hacking kind of cyber? Well, election manipulation is not, it's something that's been around for and disinformation has been around for some time, not just, and that is by the way, nation state. And I'm not sure I can say which nation but you can probably Google it and find out for yourself but it's been around for some time, not just affecting our country but elections all around the world for years now. This is not new territory for cyber criminals. 
It's not new territory for you and me and we're gonna see more of it, I guarantee it. This is not going away anytime soon. So last question before we quit, because I could stay with you all afternoon here. Can I keep up and we keep up? Because it seems that it's a spiral and gets faster and it gets more sophisticated and we are lazy and we think that old systems will suffice to protect us and we don't follow the latest action necessarily. Can we keep up? Well, I'll pose this question to you and you don't have to answer. Do you feel safer now than you did five years ago? No, not at all. And so if that's the case, then you have to do something different and those systems that are five years old and old ways of doing things are definitely not gonna work. You gotta do something different. This is why we protect companies. That's why we're dedicated to that. It's because the world has changed. Luckily, we saw it years ago when it was still manageable and we really got a head start and decided to focus strictly on cyber and the world needs us now more than ever. I vouch for that. Thank you very much, it's always great to talk to you and I thank you. And I guess I should say it's great to talk to you but I always feel a little depressed after we finish our conversation. But I will get over it and we will do it again, right? Well, that's why it leaves this. So that when the depression sets in, we're the pill to make you feel better. Absolutely. I always knew you were a pill but here's living proof. Thank you until there's a rest who could be a pill. We'll see you next time. Aloha.