 Welcome back to The Cyber Underground. I'm your host Dave Stevens. Welcome back. Boy, it's felt, I feel like I've just been in days for a month trying to recover from all the stuff that's been going on in the summer and it feels so good to be back in the show. Here at The Cyber Underground we dig deep to find out what's going on in cybersecurity, how it touches all of us in our everyday lives. And today of course I've got my exceptional co-host Andrew, the security guy. Andrew, welcome back, buddy. Yeah. And Reno Horonoki. Hiyoki. Hey, thanks for having me. Is it Reynald or Reynolds? Reynald. Reynald Hiyoki, sorry. And formally of Hawaii State Department of Defense, or you're in Department of Defense now. I got the title wrong on the show. I've actually been in Department of Defense for probably 20-plus years as a guardman. On purpose? On purpose. Was this like parole? I'm not gonna say anything bad about the National Guard. Good for you, buddy. Best organization, best kept secret in the state of Hawaii. I think so. It is. I was completely secret to me. I did not know we had a Hawaii State Department of Defense. Yes. I'm sadly misinformed. You're running the Cyber Underground. I'm part of the team. Okay. So we'll have to get him sorted out. We'll work on that. Sort me out. Yeah, but really just to clarify, so real quick, every state has something like the Department of Defense, they just don't call it Department of Defense. Okay. And really that's where the National Guard and other agencies like the Guard that kind of does protection kind of things fit in. So you'll hear like a military affairs division or something in other states. So I've never really hit another state that has a Department of Defense. We're the only one. State named. I think I've been told there's another one I just don't know, but it causes a lot of confusion, of course. Yeah. So let's talk about your new job, your new role that the state didn't even have. So this is a great role. They made it for you. Yeah. Well, no, they did not. That would cost some issues. Okay. But yeah, so last year, the Department of Defense started, well, there was a new position that was created. So it's called the Cyber Security Coordinator. So they did go through a process and interviewing so forth. And I was selected last year. So I was very happy to do that. Well, congratulations. Yeah, good to have you. Yeah, we appreciate the help you're everywhere. Yeah, every meeting where you go, Reynolds out there. I think he's recruiting, but he's spreading the word. Yeah, this is completely necessary. If you look at a map of the Pacific and all the countries around us, if it's a target, we're the bullseye. We happen to be the bullseye. We're the bullseye. We need this stuff. Did you see the headlines on the paper this morning about the North Korea preps? We're preparing for nuclear. I was like, I don't think we'll be here if we actually get hit. Are we small enough? Will it just be obliterated? Here's the thing. So the targeting mechanisms on these things have to be absolutely spot on to hit Hawaii, because we're just a speck in the middle of the Pacific. They hit Alaska. That's kind of a big target. They hit California, US mainland, big target. I'm thinking tsunamis. I'm just thinking it's ugly. So they hit anywhere around us. It could be a kind of a disaster, but hitting US in particular would be. But maybe they'll just go for like an air burst. Oh, like an EMP blast, or just above us somewhere 25 miles out. Just let it blow towards us. All they really got to do is get downwind. This is why my viewers say I'm so scared after watching your show. They are? No, we won't understand their fixes. So let's talk a little bit about what... Back to that. The word on screen with the North Koreans and their missile, a lot of things have to happen for them to be successful. I'll just throw it at that. So they got a launch. It has to survive the very, very hostile atmosphere as it comes in, and then it has to come in and hit a target at Mach 10 or whatever it is. In the meantime, the warhead's got an arm and a bow. It's going to be shooting back, by the way. We're not going to take... We do have the anti-missile system that's shooting what, 50% accuracy right now? Yeah, I can't on our stuff more than their stuff. I'm just saying to... But at the same time, as you put the timeline through, yeah, there's a possibility in the future. As time moves on, yeah. Don't get hysterical or anything like that, right? But it's a good awareness. Just information. And it really kind of goes with every other type of disaster, natural disaster we have. So if something happens, we'll be in a fallout shelter. So, yeah, 14 days worth of food is the word on the street right now, regardless of what it is. So, hurricane, tsunami, earthquake, whatever. It's good to have all those supplies. All the time. Yeah. And not be part of the Costco run the day before. Oh, no, it's not going to work. And they're going to return the day after. And there's only three days of food on the island or something like that. So there's not a lot of stores here. So you do need to be supplied for whatever may occur. Well, let's talk about some cyber. Yeah, what are we doing with the CyberStart? That's your program, right? Yeah. So CyberStart, real quick. In the cybersecurity world, for the training perspective, there is a company organization called SANS Institute. So I'm not sure if you guys are familiar with that. I use other stuff. They're premier leaders in cybersecurity. And if you're in the cybersecurity arena, yeah, that's what you want to be in. So just a clarification this word out is SANS came to us in other states and asked if we wanted to, you know, do this program called CyberStart. And it wasn't much time. Yeah. So we opted in. I mean, there's, as a coordinator, I can't say, well, no, we're not going to opt in. Of course, we're going to do that. So we're in a time crunch right now. And we all understood that at the time. And I say this, I'm getting poked in the eyeballs as I walk around. But it's not your fault. I think this happened from the executive order from the president, get this done right this second. So in several organizations, there's huge time crunch to get this done by the middle of the summer, right? So this is one of them. This is this is really what they don't want to do is interfere with the school year for the student. Right. But they wanted to get it out as early as they could. So August is kind of with a second. Let me just start how it is. So CyberStart is a program where it's really a youth program for our students. And the range is 16 year olds and older. And you have to be in high school or college, any college undergrad, graduate, whatever it is. And it's three phases. The first phase started last Friday, and it goes to next Friday. And you've got to be in that phase to be eligible and qualify for the next phase. And it's sort of the online assessment you're talking about. This is the online assessment. Once you go through the online assessment, which ends next Friday, which is the 28th, then you're allowed to go into CyberStart. And if you go into CyberStart, it's $150,000 worth of scholarship. So let's back up for a second. So the first of all, we got to go to www.samsas.org, forward slash CyberStart. US. US. All in one word, CyberStart US. So that was on the flyer. There it is. But our podcast people don't have that. So once again, sands.org, forward slash CyberStart US. All in one word. And the assessment now, a couple of my students have already taken this. And they're really worried because out of seven things that they were supposed to do, or eight, they only got through like five. And the last three were really hard. And I said, well, you don't have to be perfect. You just got to get in there and qualify. So they could, you know, what's the qualifying measurement there? So I really don't know what the qualify measurement is. I think it's four or five. There were some discussions with sands and it kind of bounced around. So I think if they did five, I think they're fine. Nothing like getting a number six. I got number six. It is possible. I haven't done this, but it's puzzles. It's puzzles, challenges. They're kind of cyber riddles, right? So that's what it is. So when you look at it, I mean, there's clues all over the place. And you just kind of know, like, what's the clue? There was a JavaScript one, just some cryptography one, right? Well, I won't go into what they were. This is the kind of one thing you can expect. We won't confirm and deny, but that's kind of things you might expect here. Code, cryptography, security related. So what if you go through a cyber program of study and just do a finger in there? Okay. And so what for dibs is if you're selected out of the first assessment, right, they're taking not everyone that completes the assessment, but they're going to take the top performers in the assessment, as my understanding, or some number of them. Yeah. So after the 28th of this month, those that actually qualify, we're talking four or five, maybe more, maybe less, they will actually get a code for the second half, which is actually cyber start. Yeah. And that's going to be the first to the 28th of August. What is cyber start? So cyber start is kind of what the assessment is, but it's going to be a little more different. So basically, you're a cyber security agent, I think is the term they use. And you're protecting the organization. And you get these different scenarios, and you have to just fix it. There's going to be a training guide or materials that you can reference. So, you know, you're not just, you don't come with whatever you know. There's help in there. Yes, material. And then the real focus is really not people that are, you know, cyber security guys. So like your ICT club guys should do pretty good. I mean, don't run in the hats guys and all those, but soon as they're not there should also do good also. So the idea is you don't have to have the training and all of that. Because they're not really looking for what you know. It's really the innate desire to do cyber type things. So I know the creativity in the approach. Try to problem solving. So that there's, you know, we, the people who learn have a fixed sort of window. But you need critical analysis. Exactly. And the whole thing of the problem of, you know, once you've learned something, you can't know more, right? Because you've learned this thing now. Two plus two is four. It can never be something else. It's kind of an aptitude thing. And really the stuff that they sent us previously had to do things like, you know, I'm going to use the term the hacker from the old days, right? So I won't mention my friend's name. Although I should. Sure we should. You know, as we go to briefings in the Department of Defense, something like this or whatever will show up. And, you know, you know, they check this out and it goes down the table. But a friend of mine, you know, will grab it and he'll start looking at it underneath. You know, trying to figure out what the, try pressing things, kind of things. So that's, that's the curious nature that they're, you know, in a cybersecurity environment. A person that gets highly focused in an area and kind of blocks things out, just wants to do that. That's what they're actually some of the elements of the characteristics, profile type things of what a cybersecurity guy is. So it could be anybody kind of thing. And so that's what this thing kind of measures. So I was, I was going to say, I was talking to a couple of STEM students who thought this, this couldn't be a good fit for them. I said, you know, you might be surprised because in STEM, especially with people like coding backgrounds, you're problem solvers. That's critical thinking, right? This might be something that you come up on and you kind of enjoy. And I tell all my IT students, this is a personality cake. You know, IT is a wide open field. It's no longer, you're just the IT guy at a company. There's specializations networking websites and server administration, blue team, red team, whatever. And you know, you get a computer science degree. You have to focus on something. Otherwise you're going to be miserable. You can't do everything. And so it's what's, what's your personality fit? And this has got to fit your personality. Yeah, this is definitely, I think, a personality thing. So, but, you know, again, everyone has to figure out where they are. I really, you know, a good example, probably a bad example in my household today. I'm talking about my son. I have two, so they don't know which one. But I asked my son. It's one of you two. I asked my son to do this. So he, he signs up and I said, son, you know, just sign up, take 10 minutes, see what you like. And, you know, you can go back to what you were doing. Xbox. Yeah. Well, that's just cars. Yeah. But, yeah, 30 minutes later, he's, I mean, and every 10 minutes, okay, thank you so much. You know, you can go back. But he still wants to do it. Still wants to do it. All right. Basically, I had to kick him off the computer because it was my computer. I was doing some stuff and I had to get forward. But, and the sad thing about it was he passed challenge five quicker than I did. That's a good thing. That's a good thing. And this is my son that says, dad, I will never be a cybersecurity guy. Ah, he never knows. Well, that's botchy right there. He cursed himself. And I think the other part of it is, I don't know people, but cybersecurity, cyber hygiene, there's its people, its processes and products, right? So there's that three-legged stool. And so, you know, social engineering is as much a component of cybersecurity as is the code work or the hardware, you know? So, I mean, it's all, who knows. It's broad. Everybody's going to be cyber-aware or none of your stuff will work. Let's put it that way. Yeah. So, the con man of old that would sell you a bridge, you know, they're going to sell you a broken bridge or whatever, those are the social engineers of today. Oh, definitely. Yeah. And we're just as much in danger of the con man on the web as we are a hacker that has all the networking skills. What, Roddy Thayer? Yeah. An amazing man. Yeah. If you've ever seen him do his work, he's a magician. And he's a network kind of guy, ethical hacker, network defense and so forth. But he knows everything about this. But you get a con man, give him a little bit of technical skills and you've got just a big of a threat. And he can buy the tools today. I mean, they're all for sale online. Or downloadable off a GitHub. It's amazing. Yeah. But the difference, of course, now is that con man can hit a thousand people simultaneously, right? Versus, you know, 10,000. Maybe half a million, right? Not just one-on-one thing, right? So, yeah. That's a bit scary out there. It is a bit scary, especially when you think people will just plug a USB drive into a computer. Oh, what's on this? I just found this USB drive. And then you're done, right? You're toast. But you might not know it. Many people say, yeah, what am I looking for when I get hacked? Oh, there's tons of signs. But you have to know how your computer worked before before you can profile to see if you've been hacked currently. Yeah, I think Windows made a generation of people pretty crippled, you know what I mean? And they just expected to work. It's too easy. And they didn't know. And they're really insulated from the operating system and the kernel and all that stuff. So this program, I think, is really targeted at making the kids aware first, getting some programs out there to get them involved. Because if we don't start to educate them now, younger, you know, we're going to have a country of people that are way behind the rest of the planet, right? We're getting there now. We had a great discussion about... We're going to have to take a break for one minute. We're ready to break. We're ready to break. That went fast. Okay, we'll be right back. Stay safe. Aloha. My name is Steven Phillip Katz. I'm a licensed marriage and family therapist. And I'm the host of Shrink Rap Hawaii, where I talk to other shrinks. Did you ever want to get your head shrunk? Well, this is the best place to come to pick one. I've been doing this. We must have 60 shows with a whole bunch of shrinks that you can look at. I'm here on Tuesdays at 3 o'clock every other Tuesday. I hope you are too. Aloha. Hello, everyone. I'm DeSoto Brown, the co-host of Human Humane Architecture, which is seen on Think Tech Hawaii every other Tuesday at 4 p.m. And with the show's host, Martin Desbang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Human Humane Architecture every other Tuesday at 4 p.m. on Think Tech Hawaii. Hey, welcome back to the Cyber Underground here on Think Tech, where we really work to help you understand how cybersecurity affects all of our lives. Any security guy here with a little thing I want to talk about, there was a critical vulnerability announcement about a little protocol called SOAP that's been used by a lot of IOT products, but also the electronic security industry, a lot of camera products. Many of the manufacturers went ahead and put out an update for that. So if you've got electronic security equipment, make sure you're checking with your manufacturer to see if they've issued a recent update, as recent as today, so you can update your products and keep them safe. We're not going to get into the details of SOAP, but it's out there. Everyone uses SOAP. So update your stuff. That was my point for today. David Rainoad and David Professor. All right. So we're talking about cyber starters. We were talking about workforce development. I know when we first had a few hours in our office to discuss this problem that we're all facing, if we don't get these kids engaged, we're going to lose them to the medical marijuana industry or someone else. So, you know, we need them on our side with the good guys. We need them doing white hat work. We need them doing defense for our organizations here in Hawaii, for our government in Hawaii. And this program, I think, just gives them an example of, wow, anybody can do this. So, you know, if you're 16 and you're in school and you've got a computer and you've got internet access, what are you waiting on? You should do this. Yep. You don't have to be into cybersecurity. That's right. Just go try it out. It's a puzzle. And this is a supplement to other programs we have out there. We have cybersecurity at the community colleges and, of course, at the universities. And we also have, in the high schools, the CyberPatriot program nationwide. The Institute that's doing this is a global organization. Yes. This is not state or national. This is international. Worldwide, SANS has been a worldwide moniker for cybersecurity for decades now. And I love it to come out with stuff like this. Yeah, I teach our, for a people, I teach out of that Securing the Human program that they have. It's freely available. And the great material is great. And that's what I use to constantly keep awareness in our organization high. And when I speak to other groups, I let them know. A lot of people just don't know all the resources that are available. In the Department of Defense, though, in the State Department of Defense, we use that also. Securing the Human? Yeah, it's great. I have those posters all over my office. You know, if I tape them on the restroom and tape them on people's monitor, I move them around, you know. Well, you know, inside the stall door. Yeah, yeah. It's anywhere. Man, you never know where you're going to get that reminder. Don't get fished. That's what the military does, Jesse. Right inside the stall door. Inside the stall door. It's perfect. I love that. It works. You got a couple minutes. Yeah, you might as well. Yeah, right. Remind yourself. Here's some reading material. I was looking at our firewall logs. I've got a three. I've got persistent guys trying to brute force us under a couple of different administrator passwords that we have. Administrators, constant. Had three drive-bys on umbrella this week, which is monitor our firewall. So that means that inside our organization, some people clicked on a link and it got, it was a known bad link, so it didn't allow it. Good. But three of those this week. So, I mean, you know, it takes constant diligence. So that's why we got to teach the kids to help. But you're right. It's a culture, right? We have to build a culture of this awareness. So I want a little plug. Yeah, go for it. You mentioned cyber patriot. Yeah, great. Good stuff. It starts awareness at the high school level. So I'm associated with cyber hui, which is kind of the umbrella, the nonprofit for that. This summer we had cyber camps. We've never done cyber camps in this state. Just didn't have the momentum to get it over the threshold. But the help of cyber hui, we had 17 cyber camps statewide. Wow. There's a couple going on right now at Punahou coming up next week with Mililani Middle School. And then the last week of, I mean, the last week of the year, I'm sorry, the summer, Campbell, Roosevelt, Wailua High School. It's all Anahu. Anahu, Kamehameha schools, Anahu, and that's it. So that's, after that we close it up. But with that said, the reason I mentioned this is we're actually down to the elementary school level. Yeah. We're going to build it now. When they get the smartphone in their hands when they're a kid, this is what that tool actually does. And what they can do. It's just a little scary out there. People are losing PII. I mean, personally, I don't file information. And people are giving their information away freely because they don't know that people use it. They tag themselves on Facebook. The dumbest feature I've ever seen on Facebook, Facebook is an incredible organization. But come on. That's so dumb. Check in. Yeah. And a GPS is you on your phone. It triangulates your location. So here's where I am currently. No, we were talking about that when we had Jeff on the show. Hey, my sister's in Barcelona. Now I know nobody's home. But the important thing is, I mean, that's possibly a value to somebody, right? It's just we don't even know that it's there, right? And that's really the awareness for all of us, really. Hey, you know, I could be, someone could be stalking me. But the more information they know, the easier it is to guess. Oh, definitely. Right? So not just passwords, but your location and how to get in and out. You don't want to give them too much because they can piece it all back together. Oh, right. So in the military, there was always this, we used to do surveys of internal spaces. And these things were, you know, not sensitive information. However, if you had enough of them, you know, the diagrams of what's going on inside a base, you know, where people are sitting. Wall thickness, you know, where the skiffs are, you know, how far back from the fence it is, it could, you know, give you a penetration plan. So not a lot of that stuff is released en masse, right? It's now, and as a group, it's sensitive information. Oh, yeah. Well, there's stories of, you know, the number of pizzas that came to be delivered at the Pentagon. Oh, really? You know, during Desert Storm. Oh. I mean, you know, you don't, you know, really, it's nothing. I'm ordering a pizza. But obviously, something's happening, right? So that's, yeah. There's, that's a big thing in the military that we are very concerned about. This all data is actually valuable to somebody. Yeah. Right. And the difference between data and information is the organization of the data and what questions you're asking. You know, I've got this huge group of just raw data. If I ask the right question, that could be a goldmine. It will draw a picture. Yeah, it will draw a picture for whatever you want to do. And that kind of awareness is what we've got to build in people in elementary school that are posting all their personal details. Hey, I won this award. I go to this school. Hey, meet me here at 3.30 p.m. That's when I get out of school. Okay. Now attackers got a lot of details about your child. And so you've got to monitor that kind of thing. So adults out there monitor your kids. Yeah. So the program that we're pushing, that cyber police pushing out the elementary, talks about that. I mean, there's actually a video game. Okay. Can I give my name to strangers, police officer and brother? So you can give your name to the police officer and the brother, but not the stranger. Then you go on. So it's, it's kind of interesting. It's a very simple program, but you know, they're thinking about at least, I need to decide kind of thing versus something happens and they just give it off really. Sure. Well, you remember 25 years ago, you never accepted a ride from a stranger. Today, you call a stranger to get a ride from them. Yeah. That's right. But you got to kind of, you got to think about how things have shifted, you know. Oh, it's a big shift. You're right. The barriers come down with that. And some of the privacy concerns don't come along with that. It just becomes an accepted sort of way of functioning. And you don't think about some of the vulnerabilities that are posed by that. It's hard to tell children these days, the internet is stranger. Strangers. Sure. That's the stranger. You don't tell the internet things. And so the fight back on some of these, oh, only my friends on Facebook can see me. Well, no, you've got a few of those settings we talked about last time. Friends of friends can see what you're doing. So if you've got a friend who friended somebody else that didn't know, now they can see all your stuff. And what kids use in a tough password? I mean, come on. Yeah. Password creation is something I teach in college. So in high school, that should be something that we... They should force multi-factor. There's just a bunch of things that need to happen to clean some stuff up. Multi-factor authentication, yeah. So the military has been instituting multi-factoring for years and years and years since I worked with the military. I now know the contrast when I was in the Marines in the 80s versus now. The contrast is, it's pretty hilarious. The IDs we used to have in the 80s, the paper with the laminate over it versus now with the chip and all the other stuff you get. I love that our military is progressing. The military actually has done very well. They're the lead. So we touch on this a little bit and some of this information you were talking about, they get shared. So businesses share facility drawings. Architects draw them. They get passed to people like us, like security plans. So the government's come out with a new thing this December it goes active, the 800-171 compliance for controlled, unclassified information, which is all these little bits of information that we tell you talked about a facility site plan, the actual architectural drawings, for example. We didn't just think about those necessarily being valuable, but to a hacker they are. It's interior spaces. It can tell you a lot. Now the government's leading, I think, that push. We'll start to see that effect of the regulated industries as it flows down. And everybody that does business with the government has got to comply. That's where it's trickling down. Exactly. And we'll see it. And so the state has a cybersecurity incident response plan. Where'd you build that from? Where'd you build that from? Little segue. Yeah, that's still in the works. Okay, good. So we all know we need something like that. And just to clarify, because a lot of people say, well, there's another state has it and so forth. So the state cyber incident response plan, what I'm talking about is really a response plan statewide. A lot of plans, it sounds the same thing, but it's just within the state government. And every organization has an incident response plan, hopefully. And those are relatively simple. So what I'm working on right now is really a statewide. For anyone out there. So I'm going to move to critical infrastructure. So these are sectors that have a capability that if we took it, someone took it down, it would cause some significant pain. Like border water, wastewater treatment. Electric, financial sector, all of those kind of things. So the thought to this, and the challenge is anything could be happening to anything, but the thought is if that happened and it's catastrophic, it's not, you know, I don't even want to mention an entity. Sure. But an entity has a bad day that's bad, but I'm sure they can figure it out. Two entities, but the concern is if we're targeted by a nation state or something and multiple things go down. It's a really bad day. If I don't have any, it's the middle of the summer. My air conditioning doesn't work. Right? I can't get water. I go to the ATM. It doesn't work. Yeah. We're kind of in a spiral kind of thing. And it's really kind of an impact even our national security. And panic can ensue. Panicking, riots and all of that. So when that happens, we really need a plan. And right now it's very blurry as to who does what. So what happened beginning of this year, actually it's very strange. What I've read, it actually happened in January, but here it is that the federal government released their national cyber incident response plan. And you're building up for this. And so based on that, we're going to, we're building the state level incident response plan. And then based on that, we're going to ask the counties if they want to, to build the county level response plan. Good. And so with our last 20 seconds, what do you want to say about that? We went through that like fire. So last 20 seconds, let's talk about a cyber start or whatever you want. You got the floor. Oh, what can I talk about? What do we have there? Well, I think we should. I need to go back to cyber start. Let's give a plug to sans.org. We're showing the flyer to all our podcast people. We're showing the flyer on the screen right now. And again, it's sanssans.org forward slash cyber start us. Yeah, check it out. Yeah, check it out. Take the assessment, see if you can get some scholarship. We're helping you in the cyber world. Okay, everybody, we're going to have to wrap it up. Thanks for being here, guys. Everybody out there. Remember, stay safe.