 Welcome back to the Cyber Underground. I know you've missed this. I'm Dave Stevens. I teach for the University of Hawaii Kapiolani Community College, one of the ten campuses in the University of Hawaii system. We're about a mile from the shores of Waikiki Beach right at the base of Diamond Head and on the island of Oahu. And I teach ethical hacking and network security. And I do the Cyber Underground show, the show right here, every couple of weeks to bring you all into the cybersecurity realm and the new information age. And today I have, again, from Hawaii Tech Support, the CIO, or CTO? CTO of Hawaii Tech Support, David The Ames. Welcome, brother. Thanks. So, bye. All right. Well, welcome back. So, brief intro about yourself again for the people who had didn't watch the last time you were on. Sure, yeah. So, we're Hawaii Tech Support. We're a managed service provider here in Hawaii. We provide full IT scope of operations. So, everything from help desk support, all the way up to server infrastructure, whether that's on-premise or in the cloud, for your small and medium-sized businesses here in Hawaii. So, I don't have to have an IT staff. You don't have to have an IT staff. In fact, most of our clients don't have a dedicated IT staff. They'll have a POC, which is usually like an office manager or somebody who knows enough to, you know, point their staff in the right direction. We usually see around like 50 people. That's when you'll start to have a small IT staff, you know, good help desk support on-site. But even a good help desk person or even a good, you know, first tier one, tier two type, you know, response person can't really handle everything that's, you know, coming at them nowadays with security, networking, infrastructure, cloud. And a single person on staff, even 40 to 50 hours a week, you're paying close to 5,000 a month with benefits and salary and everything. Oh, sure. Well, this is Hawaii too, you know. And it's Hawaii. 
That's if you don't want them to be able to pay their rents. So, yeah. Yeah. So we're a cost-effective way to kind of bring in a lot of resources, a bigger, you know, bench strength. So we got a lot of players on our team that are familiar with networking, voice over IP, security, you know, those things that, you know, a lot of the newer entrants to the technology industry may not have a total grasp on. Can you manage the basics really? Office 365, you know, with people just need the basic public email and OneDrive and cloud share file systems. Yeah, it doesn't have to be totally complicated. In fact, one of our claims of fame recently is just getting them off the complication. We like to simplify IT. You know, we want to make it as simple as possible. So the days of going in and going into a new client, a prospective client and say, you know, you guys need to get a server in here to manage your authentication. You need a server to do your file storage. It's kind of gone. You know, now that you have Office 365, you have or even G Suite, you have the ability to both authenticate using cloud services, Azure Active Directory from Office 365, Microsoft, you know, for example. It's your single sign-on solution. Single sign-on solution. You log onto your computer using the same email address and password that you would use to get to your email, you know, and you have that same, that one password experience. So when you log in, all your files are stored on the cloud. No need to have a server. The serverless implementation now is, I think, especially for the smaller companies that don't want to spend every five or seven years. They don't want to spend another $10,000 on having a server. I think we can get five to seven years. The first company owned out here, we had physical servers and our hard drives went down every three years. Just by the basic humidity and the heat, I could not get climate control to keep my servers living. 
Yeah, you know, and that's a thing too, like every hardware has a mean time to failure and hard drives. Fans first. Yeah, and if you're not monitoring those fans and they go out and you're not monitoring it, well, hey, everything else is about to fall. I know no one wants a data center. No one wants a huge closet with a rack because you're sucking up electricity. I think we still charge 46 and a half cents per kilowatt hour in the state. It's the highest in the country and this gets us out of a lot of that electricity cost. Yeah, because you're not just cooling it during the day when you're cooling the rest of the facility too. You've got a plan to have that area cooled at night time. So it's a cost that you wouldn't normally have. And I think AC is definitely a big cost, but just running those servers too, I mean, they don't take up, they're not cheap to run. And then you've got to secure them. Yeah, you've got to secure them in the wrong place. And you know what? People don't. So then you just run into the problem like you have a big gaping security hole because your server, your switches, everything are sitting right next to where your people are working. And whether you mean to or not, I mean, that's a vulnerability right there. So your company, Hawaii Tech Support is a managed service provider otherwise known as an MSP. You also do stuff like virtual CIO, which is a great service for small business. Right. I think that's a really good value add so that we're not just managing your services. We're actually coming in and telling you, hey, look, we're looking at your business. We're looking at you kind of doing a little bit of business analysis with what kind of programs and functions that your lines of business are doing and need. And we're trying to adjust our, your IT profile to match that. So it's not a sunken cost. You're not sinking costs in IT. A lot of people look at IT as a cost. 
It's a line item cost that you don't really get a return on investment on it. Right. But we like to turn that around. We like to say, hey, look, you're paying for this. You mentioned like how much everything is automated today. If your IT goes down, you're just, your people are going home. You know what I mean? Out comes the paper. And nobody does, you know, and who knows how to do that? You don't print those forms anymore. So first of all, it's a necessary cost. It's a necessary evil. You can't get out of it. Can't get out of it. But if you can start making your IT, increase your productivity, you know, not just using IT, but using it in a way that increases productivity, maybe frees up people that shouldn't be working on IT. Can add to your bottom line. Absolutely. As a business person, right? You reduce costs by reducing complexity. Yeah. And you can also, you know, you can expand your market reach with properly using IT. You can expand your market reach not just by web pages, but by, you know, being able to manage services across the ocean. Because a lot of Hawaii's businesses are professional service type, you know, business. So being able to expand your market reach from, you know, very close, you know, ecosphere of business and maybe reaching out to the mainland companies. B2B's big. Yeah. And the more automation, the better, because you can reduce your staff load. Right. Right. That's an important thing. I like the CIO thing because you're telling the person, we care about how you personally do business. We're not here to sell you just this package of activity that we're going to do month over month and just send you a bill. We're actually going to go in there and say, how do you do this? Right. What's the best way to do this? We might not need this huge package. You might just need à la carte. You know, and someday soon you could go up to the next level. 
Where we find that people get a lot of savings is they'll be using some older technologies, things like MPLS circuits, which are like, you know, private kind of Ether, Metro Ethernet circuits going across. They're spending upwards of $1,000 per month on these services, where, you know, the technologies just evolved to the point now where and Spectrum has been really in Hawaii telecom. They've both been really good at running the internet servers. They've been really good about running fiber to pretty much everywhere. And with that kind of speed, when you're getting talking about really good backbone internet speed, you don't need those private networks anymore. Solid throughput. Solid throughput. And you could get rid of a thousand, if you could replace $1,000 a month service with $120 a month, you know, service and then have that have an additional layer of security that's not costing you any extra. That's, you know, to me, that's, that's like an easy, it really justifies having us on board when we're going through and we're looking at those costs that you have and we're able to quickly turn those around. Same thing with people using some servers applications that are on-premise. So again, they have these servers that they're going to have to refresh every five years, three years, you know, for hard drives and stuff. If we can find a software as a service and we can help them do that migration to where they're no longer running that software locally. So software as a service is a service provided in the cloud, which is data centers located all over the country, right, that back each other up and use each other as a shared resource. Yeah, for one big example of software as a service that tons of people are using now, a lot of people migrated to is Office 365, right? That's the new Microsoft. That's the new Microsoft, yeah, environment. People used to have email servers locally. They were called exchange servers. Oh, they were so insecure. They were insecure. 
They were hard to manage. You know, if you only had one of them and it went down and you had to recover the mail database, you've been talking about days. Yeah, for real days. And the bigger it got, the more, the longer it took to recover. And you always had, I think there was either one guy or at least a half a full-time employee dedicated to that Exchange server. Right, because the first time it went down, everybody freaked out and they're like, we can't do our business. So let's get somebody looking at this every day. Right. Being able to replace that, I think was a big stepping stone in getting people more comfortable with cloud technologies and software as a service. So people were already using things like Gmail in the past. And when you kind of put those, you know, you connect the dots and you say, well, Office 365 is the same security that you've always had with your Exchange, even better. It's in the cloud. So it's got, you know, you're not relying on your person, you know, your staff to maintain that server that's always like on the verge of, it's always on the verge of just collapsing. Right. And they're hot standbys, right? But yours goes down. The next one takes over. You don't even notice it. Yeah, you could be, your data center could be on the West U.S. and, you know, the West U.S. has some kind of problem. They just, now you're out of, you know, West US 2, which is in Washington, or you're over in the East Coast or, you know, the Midwest. They just switch you over. Just a few years ago, we had that huge blackout in the East Coast. And I noticed Amazon Web Services, who was another MSP provider for a lot of, like cloud services, they went down in three different states. But of course, they had six other locations across the U.S. that all took over. Right. It's very fault tolerant. It's great. Yeah. All right. You need this kind of stuff for your business. 
Even when you're a small business, you need to be able to recover quickly from something that goes down. And Office 365 is a no-brainer. It does. You know what, one thing though, so we're talking about Office 365 and software as a service, one thing I've seen that's kind of a fallacy that, you know, it has become so easy to set up that a lot of companies think, okay, we can do this without any kind of support. Oh, yeah. Let's do it all ourselves. Yeah, let's do it all ourselves. And it is easy to set up. I'm not going to lie, it's really easy to set up. But, you know, what we've seen is people aren't setting it up securely. So we've been seeing things like, you know, attacks that are attacking specifically Office 365. So this is the same thing that we've been preaching for years. You know, you go to Best Buy, you pick up a new Wi-Fi modem, you bring it home and you just turn it on and it works. Great. But you took all the defaults. Yeah, you took all the defaults. And, you know, who knows, you might have even left just the default username and password. Right. So now you're on, what's that site? I can go to Shodan. Yeah. Right. You know, Have I Been Pwned or you know, it's like, yeah, the Shodan will just tell you every single device that's on connected to the internet that has the default username and password. And that's crazy. Shodan.io if you want to go look. That's scary. Yeah. So yeah, with Office 365, for example, nobody's setting up the auditing or logging. We recently have been seeing a lot of attacks, like they're called inbox forwarding attacks. Oh, you're going to tell us about this inbox forwarding. It just happened. Right. Like we're going to take a break right now and we're going to get out of here and come back after we pay some bills. Yeah. So commercials and then we'll start up again with this inbox forwarding attack. Awesome. Okay, everybody, we'll be right back until then. Stay safe. Hello, I'm Mufi Hannemann. 
I want to tell you about a great show that appears on Think Tech Hawaii. It's all about tourism. In fact, we call it Tourism 101, where we talk about the issues and challenges that face our number one industry throughout the state. We'll have some interesting guests, very informative dialogue, and allow you an opportunity to maybe learn a little bit more about why this industry is so important for our state. It's been great for us in the past. We need it today, and especially going forward. That's Tourism 101 on Think Tech Hawaii. Mahalo. Aloha. My name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea program. My program airs every other Monday at 1 o'clock on Think Tech Hawaii. Most of my programs deal with my own life and law experience. Recently, I interviewed Alex Jampel, who I have known for over 30 years about his voyage across the sea as a lawyer from Tokyo to Hawaii. Those are the type of stories that I like to bring and like to talk about human stories about law and life. Aloha. Welcome back to the Cyber Underground. We're going to get back into Timothy Ames, the CTO of Hawaii Tech Support, and he's going to tell us about a new attack that he's been experiencing. It already happened to one of his customers, and you helped him recover, right? Yeah, we helped him recover. We helped him identify it based on some errors we were seeing. Okay. What did you see? What are the IOCs, indicators of compromise? Okay, so there were some rejection emails coming from an email space that was outside of their own, and it looked like the email was forwarding to a Gmail account, basically. So we were getting some rejection notices, and we also correlated that with some audit logs, saying that there was an inbox forwarding rule added inside of their Office 365 account. An admin has to go add that then. No, and that's the thing. Okay, so everybody knows about malware. Everybody knows about phishing and stuff like that. 
There's something really, you can do what's called a fileless malware now. So fileless malware means it's not something that you have to download. So it's not something that you even give your antivirus a chance to recognize as being malicious. So visit a website? First, for example? You go to a website, or you click on a link in an email that you send, or that was sent to you. Okay. This could run a PowerShell script on your computer. PowerShell is something that's just built into a lot of people would recognize it kind of like command line or the old DOS on Windows, right? It runs a PowerShell script that can just add an inbox rule. It doesn't require any kind of, even if you have multi-factor authentication to your personal inbox, whether, and that's on your Office 365 side, there's other ones for different types of email, email clients, right? So it added an inbox rule that said any kind of email that I'm getting that has this different type of information in it, I want it forwarded to a Gmail. Okay. Now this, I'm talking about, so this is actually the third time I've seen this this year, both with customers and people coming to us with a complaint. Now, what happens then is it'll look through any email. So you know, just like a regular forwarding rule. Forwarding is really useful. Like if you're going out of office and you want it to forward to somebody, you know, so there's a real use for it. But if you don't disable it to external accounts or you're not blocking where it's going to, you can run into this situation where now this Gmail account is getting all these emails forwarded to it, anything that has like account numbers, anything that has invoice, you know, the word invoice in it or any of that. So we should go check our rules now. Yeah, definitely go check your rules. Make sure that there's no, you know, forwarding rules that you don't know about or that you don't recognize. 
Yeah, so luckily, this email box had filled up and started spinning back, you know, message can't be delivered. It worked too well. It worked too well. It was getting too much. So this is something that we've seen. And what other indicators of attack that we've seen or indicators of compromise that we've seen now is that these attackers will take that information and they'll look at it and then they'll see who the target was or who the target email was and they'll send out a new specially crafted email with an updated maybe invoice saying, oh, instead of paying this way, pay this way instead. Okay, this would be interesting because if you get one of those emails and you're the attacker, you can then use the content of that email and forward it on to somebody else and it looks like that you're in the thread. Right. Yeah, you can use that or you could just craft your email to look like it's, you know, it's from the original recipient saying, you know, hey, I know you've been paying to this account number for, you know, this checking account number, for example, you've been paying here. We just changed our procedures. Can you please send it to this checking account number instead? Or can you click on this button and submit your payment, your ACH payment this way? Scary. Very scary. All just because they clicked on a link. Yeah, and we're not talking, you know, they could be looking at all the emails that come in and they're not going to, you know, they're not going to blow their load on one, you know, on the first one that comes in. They're going to wait till they see like a big fish and they're going to say, okay, here's a payment that they're waiting for, you know, accounts payable's looking for $20,000. This is the one we're going to hit. So this is an interesting thing you bring up. Hackers really are patient. Very patient. They look for the biggest bang for the buck. Right. It's rare that they just go for the first thing that crosses their path. 
They're looking for, like, they have to take a risk, right? Yeah. So the risk has got to be equal to the reward. Right. And then, like you said, you're not going to take the first thing. They're going to wait. Well, because once they show their hand, it's, you know, it's over, you know, once you're, once, you know, they do that and then some client says, comes back to you and says, hey, can you explain why we're changing this? And it's over. Then you go through the process of shutting everything down. Luckily, we caught it before any of that happened. Oh, wonderful. But, you know, still that information's out there. You know, it's been a compromise is a compromise. How do you go about fixing it? And that's where you got to really look at, you know, the reporting procedures in state of Hawaii. If you don't know it in your small business, you're really going to have a tough time, you know, following the actual, you know, HRS rules as far as like what your reporting requirements are. Let's talk about that because Equifax, I think, ran afoul of those rules. Yeah. They were attacked. They knew they were compromised, but they didn't report it. Right. Because nothing got exfilled. So in Hawaii, you have a reasonable amount of time to report the attack. Okay. Is that the exact words? Yeah, reasonable amount of time, which for the reasonable amount of time, it says that, you know, you have time to kind of isolate the compromise, figure out the scope of it, and do different things. So if it's less than a thousand users or a thousand people that were affected where their information was breached, you don't have to report it to the Hawaii, I think, consumer affairs. But if it, even if it's less than a thousand, you still have to update your, you know, the people that were potentially compromised with the data breach. And it's fine. What's it even reported to in the state? So it would be the Hawaii Department of Consumer Affairs. Oh, okay. I believe it's a department. 
Hawaii is something consumer affairs. And then there's other things too, like it can be less than a thousand, but if it's a certain monetary value, you'd also have to report that. Just notifying the people that, hey, you know, this is the information that was breached. That's what you want to do. You also want to notify law enforcement. So either, I think, ICC or IC3, so the Internet cybercrimes, you know, for the FBI, basically, you can report it there. You can just say, hey, look, this is what the attack looked like. That way, they're on the ball too, so they can kind of, you know, look into it or start to put together trends. This is sad. It's so prevalent, these kind of things, that the FBI and certain law enforcement agencies have actually come out with statements saying, we will not pursue criminals unless it gets over a certain monetary amount. Right, because it's just so prevalent, you know. It's out there and they just don't have the resources, so now criminals are kind of throttling back. The ransomware WannaCry attack in Great Britain only got about $36,000 or something. There's a really small amount, but it was a little tiny chunks. And each one was a different Bitcoin account, so when you go to investigate, you're spending, you know, hundreds of thousands of dollars of FBI resources or whatever to go after a $300 bill. Sure. And now sometimes they do put extra effort into certain cases, especially like egregiously horrible cases like, you know, they recently shut down. They were able to shut down a very highly trafficked dark web pedophile website. That was worth it. Yeah, because yeah, totally worth it. The IRS was able to, the IRS actually got involved and was able to trace the Bitcoin transactions. Oh, fantastic. Finally someone said, hi, everyone's been telling me, you know, Bitcoin's anonymous. No, no, it's not. Yeah. You have a number attached to an account. It's just like, you have a sort of. You just kind of find out where it ends. Yeah, right. 
Yeah, it's always out there. I mean, every transaction that you do with Bitcoin is public. I mean, that's the, that's the whole beauty of it. Yeah, so everything is public. And everybody knows every transaction. Right. All right. So yeah, they were able to put that together. So I think they, I think they do use their resources wisely and they put down some of these bigger type criminal organizations. Now they also have partnerships with businesses and civilians in the state. I know FBI now has InfraGard. Yeah, InfraGard is available. They'll come and remember that in Hawaii. So they work closely with the civilian population to get information from us when we are compromised and answer our questions about how we can protect ourselves. Yeah. And they have the different sectors. So they'll have like different industries. So you have your financial, your industrial control systems and all that kind of stuff. That's important to discuss too, because not all cyber securities is for each company, right? We have different enemies. Yeah. Right? If I'm a bank, my biggest enemy is probably North Korea. North Korea wants money. Sure. We're starting, right? So as I ran, so like North Korea is going out to hack the SWIFT system for the banks, right? So I got, I got to kind of research my enemy. What are they using against me? But if I'm a oil company or shipping company, I got different enemies. Yeah. And they may be looking to more disrupt operations at that point than anything else. Yeah. Because that would, that would be a bigger loss to the business. You know, maybe like some kind of hacktivism, hacktivism or something. All this is going away, but then it comes back even stronger. Yeah. You know, I think it's just because the tools are so easily readily available now. And it's just so, there's so much money in it. 
You know, it's, it's, it makes really good financial sense for these hackers and to get into the business because there's the ability to sell information. You know, if I, if I'm able to get somebody's username and password, and I'm able to use that for credential stuffing and start attacking like every single account with that username and password that I can think of, and then I'm able to get their date of birth and their address. And I'm able to attribute more and more to this identity. Once I have all that information on that, ooh, their health information, you know, or, you know, any of that kind of stuff, their health record number. Once I get a good amount of information on somebody, that person's information becomes really valuable to resell. I teach this in my ethical hacking class. How to go out there with open source intelligence tools, gather a bunch of information and use it for an attack like spear phishing. Yeah, and there's just even on this, not even on the dark web, just the regular web, you know, the OSINT framework, you know, you just go out there and look at, you look at all kinds of stuff that, you know, it's pretty scary actually. You just go to, you know, people.com and look at yourself and say, hey, that's a lot of information out there. I was shocked to find, I was so easy to find. Because, you know, I, Dave Stevens, that's a pretty generic name. But, hey, I popped up on Google a couple of times that it was- Dave Stevens, Hawaii, I mean, I don't know, there you go, there you go. Even though I think there's six of me on this island. Sure, yeah. But I, you know, in ethical hacking and in network security, I have, both those classes download a distro for security called Kali Linux. But there's several other ones, Parrot OS and, you know, several other ones out there that are just packed full of these tools that they can experiment with things that can break passwords and decrypt information and hack websites and SQL injection attacks. 
And all these tools, you can just enter your information and run them. Yeah, Kali Linux is so, I mean, it's probably the most well known of all distros after, you know, backtrace from way back when. Yeah. Or BackTrack. The Kali is so well known and it has so many tutorials out there that it doesn't take much. You know, just a few hours of watching some YouTube channels and you'll be able to launch some pretty successful attacks. And now, VulnHub has distros of Metasploitable and a couple of other virtual machines you can download and instructions on how to hack them specifically with Kali. So you have this entire instruction set and I recommend to people if they're sort of defending a network, go out and do this stuff. Yeah. So you know what people are doing. In your lab. Don't do this. Yeah, but yeah, VulnHub is really good. So you can build these virtual machines with vulnerabilities and you find the vulnerabilities and you exploit the vulnerabilities. Yeah. So that's huge, especially if you're on the defense. It teaches you to update your systems. It does. Yeah, you got to keep those patches running. Windows 7 is end of life January 14th. As of January 14th. But you tell us about this extended life that you were doing. So yeah, I think this is just Microsoft's way of doing this to encourage people to eventually get over. So you can pay an extra, I believe it's $100 for next year to get a year of extended support so that you can download security updates for the next year. If they do it like they've done it historically, like when Windows Server 2003 went out of date, they'll double it the next year. And they'll just keep doubling it. Or you know, I think Windows 2003 server actually went from $100,000 to $250,000 a year. My, for exponential costs. Yeah, yeah. So you're looking to move you off. Yeah, you might consider, so I mean, obviously you don't want to leave yourself unpatched for the next year. That's a non-starter. 
And maybe you just didn't plan it and I know we're two months away. Maybe you just didn't plan for it so you just don't have time to replace all of your computers. Any computer that you don't replace or upgrade to Windows 10. Get that extended support. But don't plan for it for the next year. Because by the time you do this two years in a row you might as well just bought a whole new computer. I feel for those computers. Windows System is great. It is. Because Windows 7 was a great OS. Yeah. And I'm going to miss it. You know, I have to get used to Windows 10. I'm glad Windows 8 is gone. But Windows 7, I sympathize with those folks. But yeah, it's time to move on. Yeah, I sympathize more with folks that have legacy software that won't run on Windows 10. So I get that, you know, they're, and again, that's where you want to bring somebody in. You know, hit up the software providers. You know, find a new software vendor. Maybe that does the same thing. But just don't leave your Windows 7 running. With our last 15 seconds, you want to just promote your company? Sure. Yeah, Hawaii Tech Support. Visit us at www.hitexsupport.net. That's hitexsupport.net. You can contact us. Learn at hitexsupport.net. We're happy to help you guys out. I mean, we don't charge for questions, you know, about, you know, how we can, how we can support you. And we're happy to come in and give a look at your, your business and tell you how we can support. Right on. Thanks, brother. Cool. Thanks for being here. Let's say bye-bye. Thanks everyone for being here on the Cyber Underground. We'll see you really soon for our Halloween episode. And we got some treats in store for you then. Until then, stay safe.