We're back, we're live. Welcome back to Think Tech and our 3 o'clock rock. I'm Jay Feidel. This is Think Tech Tech Talks. Certainly everyone has heard of claims and sanctions around the hacking of our presidential and other elections in November. And we've heard of hacking in so many other places and contexts. After all, North Korea hacked Sony badly two years ago, and there have been regular hacks into government and industry in the U.S. and Europe ever since then. Seems like hacking is the word of the day, the new normal. And as it gets more malicious and dangerous to us and everyone else in the world, we should be increasingly concerned about it. Some say hacking large companies and government agencies by state actors or by state agents for actors is tantamount to war without the blood. Some go so far as to say we are not only at war, but that the level of hacking is really World War III. But do we know how they do it and how we can catch them doing it? No, not really. Maybe government knows, but the public doesn't really know much about it. Until now, until today. Today we have cybersecurity expert Andrew Lanning, who is incidentally the co-host of Hibachi Talk on Fridays. And he's going to elucidate what's going on in detail in the latest threat to our country and our society and our civilization. No stress, Andrew. Welcome to the show, Andrew Lanning. Thanks for having me. Happy New Year. It's good to be back on Think Tech. I think I was here Friday. We could never have enough of it. Thanks for the great intro. Oh, yeah. I'm scared, you know. I'm scared, too. They might shut us down right in the middle of this, if we'll get into too much of that detail you're talking about. Yesterday or the day before, and or the day before, every international airport in the country was stopped because the computer system that Homeland Security and Customs uses to vet people, you know, to vet people on the way into the country from foreign ports was broken for hours.
I don't know if they fixed it even now. And, you know, you can't help but thinking, my goodness, this is, you know, a tiding of things to come. Maybe this is some intentional maneuver. It's not the first time that Homeland Security and Customs have lost their computer system, but this is the first time it affected every international airport in the country. It's a little scary that this could happen, and it really makes you wonder if there are state actors involved in that, too, just giving us a warning, just telling us, watch out, because we can do this. My thought on that is that if, you know, if they're intent on coming in, they wouldn't want to shut the airports down. So to me that's a little counterintuitive, but you never know what the intentions are. You know, infrastructure scares are one of the big concerns. Obviously everyone's concerned about the power grid, the wastewater treatment plants. All of these facilities are run by what's called programmable logic controllers, PLCs. These are devices that are, by and large, an interface between the controlling software and the devices that are doing the measuring, generators, pumps, these field devices that measure the flow of fluids, for example, through a pipeline or a gas through a line. You remember Stuxnet? Sure. It comes to mind, and those were Siemens' controllable PLCs, and somehow the Israelis, working with the US, found a way to create a virus that would go around the world but only visit in the ones in the Iranian centrifuges, nuclear centrifuges. And so it was really quite remarkable that they would only go into action when they found those Siemens' PLCs. But, you know, it can be done again. It can be done in PLCs everywhere. And PLCs that do incredibly critical things for our grid, for our water supply, for, you know, all our civic infrastructure. All of the automation that occurs in our critical infrastructure in the city is running with SCADA logic, right? So SCADA's very old protocol.
It's on that side that talks to all those devices. Those devices, by and large, sat alone, and we talked to them through, you know, relay logic for many, many years. And then once they figured out how to put those onto the network, of course, they started talking via IP. And when they started talking via IP, those were initially, which is Internet protocol, they were initially closed systems, closed networks. But as things have gone on, those facilities ultimately brought in Internet connectivity, and the networks got merged, and somehow they found a way, you know, perhaps on purpose, perhaps not on purpose. But those controls were exposed to interfaces that were able to be opened. You know, when you say hacking, you're really just taking things that are available and putting them together in a new form, right? So, you know, these, when we talk about these things, we really have to talk about the people, the processes and the products, right? So this is what this is composed of. People say IoT, I call it the Internet of Theft. Most people think of that as the Internet of Things, and they think of the things. But things are only a part of that equation. The people are a part of the equation, and the processes themselves are a part of the equation. You've got social engineering possibilities. I mean, that's the way hackers started doing that. We had a hacker on Think Tech back in the middle 2000s who used social engineering to get into, we get his software into people's homes. And he, you know, he had a way of appealing to them, and they believed him. It's still the preferred method. So in fact, you know, we talk about the cybersecurity framework. I'm giving a talk to the folks at RecordArma next week on a lot of this procedure that NIST has built. There's great guidance out there on how to protect ourselves, but it's all of the technical controls. So we have a cybersecurity framework. We have a CSC top 20 controls.
All of these things you can do to really, really limit the attack surface that you have out there technically. But once I harden myself very well with my perimeter and all of my technology sound, and I'm monitoring for people trying to get in, what's the next thing you do? You pick up the phone and call you. Call the guy on the inside and get him to give me his password or find him how to give him some information. You know, Herman, this is, this is, well, I'm on the fourth floor of the company. You see me all the time in the men's washroom, you know, and I just forgot my password. And could you just let me have, meanwhile, that call is emanating from Moscow. Yeah, which usually they'll call as your IT service company. And hey, I got a problem with your account right now. I can see it's locked up. Can you do this? Yeah. And they try to get you to log in and share some information. Yeah, or the utility in Texas that sent away to China for boards, for boards, you know, for their, you know, electrical generation equipment. And the boards come back from China with a little tiny chip that's not in the specifications. Just piggybacking on the board, and they're all trying to figure out what happened. So I can tell you a bit about that. I sit on, on U.S. Cyber Security Committee, Underwriter Labs, which is responsible for vetting a lot of that technology that's been implemented, right? In, in your fire control systems, in your SCADA control systems. And there's really not in the past been a process to, not that there's not a process, there's not a guidance or a regulated process to determine that your lab and the environment that you're loading this firmware onto these chips in is clean, first of all. It's not available to penetration. In other words, it's a dark room. It's not connected to the network road where I'm loading this. And in fact, that the load of firmware I'm putting on that chip completely fills that chip set up.
Or, or that I can alert myself if that chip set's been tampered with after the fact. Once it goes out of production, out in the environment, is someone else taking it, you know, there's say you're only using 80% of the space available for your firmware. Well, there's 20% more space to put malware in there. And then I, if I'm a state actor, for example, and I want to get that type of equipment into a bunch of, of another government's military facilities or state facilities, sure, I'd love to be able to embed that into Cisco routers, for example, and sell fake Cisco routers. So, right, fake Cisco routers and fake Cisco. Sure, like, you know, and, and, you know, procurement agent goes out and guy finds a way to sell, he may not even know he sold stuff that's not, you know, he maybe got a great price on it, doesn't know why, but doesn't question it. And the procurement process doesn't look at it deeply enough and makes, you know, there goes some, there it is, sort of like contraband, you know, fakes, they fake purses, they fake lots of stuff, and that's another form, sort of hacking, if you think about it. Yeah, well, so a lot of the social engineering has happened, will continue to happen. Sure. And you have to be smart about it. You have to, you have to think like a, like a hacker. And there are people who make their living thinking like that. But I want to tell you an article that I saw over the weekend, I think it was in the Times, and it said that in Russia, Mr. Putin, remember him? Mr. Putin has made a concerted effort to build a veritable army of hackers. Sure. And he's hired them from the schools, he's hired from industry, he gives them incentives, he gives them threats, whatever you need. And he hires them from the prisons, too. Sure. So there's all these people who are all under intimidation, under sort of a control, social control that he has over them. And they're spread around the country, and they all work for this army of hackers. 
And they've been very successful. They hacked into the Ukraine. You know, as the war there was unfolding, they were bringing everything down. And now in the Baltics, you know, a couple of countries in the Baltics, you know, Estonia, Latvia, there's one other, where it's funny, the same kind of thing's happening. Their power grids are going down on a regular basis. Their government agencies are losing computer control. And it's just, it's too much coincidence to be coincidence. And so it's got to be coming from Russia. This is what he's doing. And, you know, I'm sure that social engineering is part of it, but there's a big part of it is getting in the back door, finding those ports. Sure. Finding ways to actually insinuate malware into government, you know, government computer systems. And with very smart guys, very heavily motivated or threatened to do what they got to do. So my question to you, well paid, well paid, or combination of the four. Yes, all the above. And so my question is this, you know, we have heard for years. Don't worry, Jay, because the United States of America has Silicon Valley. They have Andrew Lanning. They have all these guys in Washington in the NSA, you know, who do all the secret stuff. We are way ahead of them. And my question to you, Andrew, is really? Well, I like to think so. That is no reason to rest on our laurels. I do believe that all of these threat actors are actively collecting zero day vulnerabilities. I believe they have been for quite a while. Zero day means? Zero day means a currently undiscovered or unpublished vulnerability. So that, you know, if I know that I want to perhaps get into a Siemens controller, for example, and I've discovered a way to do that, and no one knows about it, I keep that. Or I sell that to some of these threat actors, for example. There are people that make a living going and discovering those vulnerabilities and then auctioning them off. All over the world. For example, sure.
So a way to make a good buck. We also buy those. So, you know, that's a free market economy in the globe. I believe that as much of a threat as others pose, I believe we pose a similar threat to them. We are not inept in this space. I think we like to show a lot less of our capability than we have. I think in the cases that you're speaking about, perhaps these actors are showing their rays in their skirt a little bit high. This stuff is trackable. It's easy to figure out where it's come from. It's easy to see its footprint, how it moves. And so when I say easy, I say there are people that are watching this stuff constantly as it unfolds, as it develops, and then studying the ramifications. So it's kind of easy for them to see the tools that are used. And these tools are freely available for you and I to buy. They're packaged, bundled, talk about that because I've looked at that. That's Andrew Lanning. He's with Integrated Security Technologies. We're talking about cyberterrorism as a new normal in our world, not only our country, our world. We'll take a short break and come back. We're going to find out about these tools that you can do and I can do and anybody can do for the cost of nothing that are available on the web right now today. Become a cyber terrorist yourself. We'll be right back. Hello, I'm Marianne Sasaki. Welcome to Think Tech Hawaii where some of the most interesting conversations in Honolulu go on. I have a show on Wednesdays from one to two called Life in the Law where we discuss legal issues, politics, governmental topics, and a whole host of issues. I hope you'll join me. Oh, huh. How are you doing? It's me, Angus McTech. Wishing you to welcome and join us to see us on Hibachi Talk on Think Tech Hawaii. Join my co-hosts, Gordo the Tech's out and Andrew the security guy every Friday from 1300 to 1345. We look forward to see you. We'll talk tech and we'll have some weave into fun. And remember, let your wing gang free where area B. Aloha.
Okay, we're back alive with Andrew Lanning talking about cyber terrorism as a new normal. So, you know, a few months ago, just for fun, I decided to go on the web and I, you know, I googled for fun. Yeah, for fun, you know, you know, curiosity. It drives us here at Think Tech. We're curious about everything. All right. You know, lo and behold, I found a bunch of programs that allowed me to hack and they were free, actually free. And I know they're not the big time stuff that you would use. For example, they might not be any good. They might not even work. But if I wanted to be a cyber terrorist, if I wanted to discover some backdoor thing that I could sell, say to the Russian government, you know, how would I do that? Well, so anybody, I don't, I don't, I don't actually can't sit here and say that I know the law around reverse engineering things or exploring them for vulnerabilities. I do know that once you find a vulnerability there, you know, we have, you know, the white hat hacking team that tends to send that vulnerability out to that manufacturer, ask them to patch it. They'll tend to ask a few times, they'd like to be paid. If you don't patch it or ignore them, oftentimes they will release that information into the wild and then the manufacturers will patch it. You know, manufacturers have a part to play. Remember I talked about we have people, products, and processes, right? The manufacturers, by and large, the makers of many of these IoT devices specifically have been riding a wave of consumerism and they have been making money and they're not really willing to add expense to their manufacturing process unnecessarily. And as long as people keep consuming these products, these insecure products, they're not going to fix them. So there's one issue there that's a piece of this equation.
But if you've discovered zero days, zero day vulnerabilities in an item, and this is something you would probably be doing in a lab, the feasibility of the vulnerability, of using the vulnerability, some are simpler, some are very difficult, some are man in the middle type of attacks where you've actually got to be sitting on the device already. You know, they're not necessarily available through an open FTP port. But some are very poor manufacturing flaws where the default password and the default logon are actually available always, even after you've changed them as the administrator, they're available through an obscure port on the device that's open, like FTP for example. So this is a poor manufacturing flaw that I was sort of talking about, which Underwriter Labs is working to fix. We have the Series 2900 coming out, which we're working on is the, there's a piece for the life safety products, there's a piece for the health care products, you're concerned about your pump, your sugar pump getting artificially hacked and then they change the dosage, things like that. Then there's also the PLC, the industrial control system piece. So Underwriter Labs is working its way into that. Industry is obviously going away. We're not ready. Don't wait, you know, across their arms. They want to fix it themselves, but they haven't for 20 years now. So I don't believe that they will. Can the government incentivize them to fix it? I think they've made enough money that government expects the industry, ultimately you and I'll pay. The better hardened devices will go up. The consumer, what I call this IoT to me is this consumer level of product that I think will always be fraught with these vulnerabilities. You know, the consumers are the last to get, take advantage of better technologies, right? It ultimately prices trickle down into the consumer grade products. The consumers, the guys with the the old junkie PCs on their desks. Yeah, they're killing us.
Yeah, well what I mean though is if I have an old junkie PC at my desk and I don't have virus protection in there, then it's only a matter of time before I get a virus. I can sit there and watch it. It's a few seconds. A few seconds. Windows 95 today is broken in under a minute. You plug it in, you cannot patch it any longer. Now you can say oh that's bad because my machine will slow down and it won't work right but it's much worse than that. Oh yeah, it becomes a bot on there. It becomes a tool and agent for the bad guys. Yes. And then there's a global network of all this malevolence software out there and I am I'm part of it. Yeah. I'm part of the problem. Yeah. And I mean there must be millions and millions of junk old computers out there which don't have virus protection or do for that matter and have these bots on them and if somebody pushes a button in Vladivostok you know to activate all these bots we'll have a terrible price to pay. So you can go rent time on them. You and I can rent time. If I wanted to attack this studio for example and shut down this broadcast I can rent time from those bots, from those bot armies and they sell it by the minute, by the half hour, really, by the by the packet size, sure. So what does it take to take you down? So I don't want to buy 600 terabytes, I don't want to buy 600 terabytes per second for example or megabytes per second but if I only need 100 for example. So it's very tailorable to whatever I need. Maybe I just want to shut down a competitor of mine for a few hours because he's having a sale, for example. So this is all freely available. It's illegal. Don't get me wrong. You don't want to be involved in it. I could find it on the web. I could find it on the web and I could buy time on the bots to do horrendous things in around the world. Now just trust me. If you engage in this type of activity I'm quite confident there's people that know you're engaging in it, right? This is again how we talked about. 
We're also watching. Now we have organizations that are taking care of the security of our nation and they are monitoring this stuff so just because you go out of your home first time and you want to rent a bot, they want to watch what you want. This means they're going to come knock on your door. They're busy. They're really chasing. They're chasing really bad guys but they're chasing bad. Now if you're successful and you start to show a pattern of this and you actually cause some damage, you may find somebody at your door saying, hey Jay, we just like to talk to you and by the way we're going to take your computer with us and keep all your syslog files so we can demonstrate in court what you've done. Yeah and you can prove a case against me and I might get six months in the can. Or you might get a slap on the wrist. I might get nothing. It depends on the amount of damage. Because it's white collar crime just for kids. Sure. And you're not treated as having real criminals see enter over it. Yeah. And so I think a lot of them either don't get prosecuted or get away completely and that's got to change. I don't think. I sat through the FBI cyber, or not cyber, but the FBI Citizens Academy this year, earlier, the earlier last year, sorry, and we, we got a briefing, you know, from all the different departments, and I was amazed, and I kept bringing up to them how often these white collar criminals only get very lenient sentences, in my opinion. Like six years seem to be a very common thing for really hundreds of millions of dollars worth of theft or fraud or whatever, oftentimes. Now they did talk, the cyber unit has a very difficult time building its cases, right, because a lot of this stuff is international. That's what Donald Trump said yesterday. Yeah, and they hard to prove hacking. It isn't hard to prove it; attributing exactly who it's to takes a lot of forensic investigation, and that's expensive.
So I'm going to talk about that with the records group. But you do want to, you know, if you're, if you have liability for information you're storing, and let's say you just decide, well, I'm going to keep two years of email. Well, you know how much you might have to pay to have gone through, if you get named in a suit, two years of email? So maybe you want to limit the amount of data that you store, um, from a liability perspective, just so that the, the, in the discovery is not as expensive should you be named in a case, for example. Huge expense in discovery of all this. All this forensic work is very, very expensive, in examining firewall logs and syslogs. But the likelihood is that there's really not, not enough government prosecutorial interest in pursuing these cases and, and putting bad actors in jail for significant periods of time. And they do it and they essentially get away with it, even if they have done real damage to the community. I was amazed to find, and I can tell you that there are, there's a lot of value gained in watching these actors until they really go too far. There was a group of, um, gentlemen recently, eight of them, who were arrested for, found they got into the controls in a dam in the United States. Uh, they actually got to the controllers of the sluiceways. Americans? Yes, no, they were not Americans. They could have opened the sluiceways. The sluiceways were offline for maintenance, but they did get that far. Now these guys had been doing a lot of other stuff, and our services had been watching them for a while doing crime, but once they went that far, they went and got them. Yeah. So what I'm saying is they gain a lot of, you know, they're gathering intel, right? And, you know, so maybe they put up with a little bit of this and a little bit of that to get, learn more about the operations of the team and learn more about the team members, all that kind of stuff. So gathering intel. And I was, when I left, I was like, wow, you know, they're bad guys. Me, I wouldn't have the patience to do that kind of investigation, but I'm glad that we have people that do.
Yeah, I hope we continue that. But here we are, and it's never been raised so starkly in this country, where some foreign actor has manipulated, I think it's clear that some foreign actor has manipulated our election process. And it's not clear whether, you know, the ballot box was tampered with one way or the other, I mean, I, or public opinion, or whatever it may be. Sure, it's public opinion that was tampered with, which is actually, it's a root of the ballot box, you know, very well and will leverage there than on the ballot box. So you got to give them credit for going to where decisions are made. And I think that Russia has done that before. Arguably we have done it before. And I think that's the new normal too, manipulating public opinion with false news, fake news, and then fake news about the fake news. You get, there was an article about that too, how the people who are generating the fake news, when charged with generating fake news, they come back and, and say that the charges itself fake news. Everybody's doing fake news and you can't believe anything anymore. So my question to you here at our closing, Andrew, okay, is, all regard to reality, to all that we know, to all that you know in the business, what's going to happen here? Where is the world going? What is this new normal? Where is it going to take us? Is it, are we going to resolve this? Are we going to, you know, sort of compensate for the problem, deal with it? Or are we going to, you know, sink the ship under it? Oh, well, I'll keep getting better at the game. It's a game. It's a game, and we'll all keep getting better at it and better at it and better at it. Where it ends up, I don't know. If we start to lock countries out of each other, lock everyone's doors, lock all their power grids, and that becomes the, the game, so be it. But it, you know, I think the world economy, uh, we'll, we'll keep a lot of that in check. You know, we, it doesn't, it doesn't help any piece of the, the world anymore to have a nation shut down. So I don't know. It's interesting to see what that type of impact would be.
Yeah, well, you know, Donald Trump and, for that matter, Putin have been talking about escalating nuclear proliferation these days, and of course North Korea. So we have this whole proliferation on us, and then Donald Trump says that's not going to happen. Well, remains to see be seen whether that happens. But I think one thing is clear, is that the same, as you mentioned, the same principle of deterrence is present on cyberterrorism. It's the same thing. If I know that you can, you know, really hurt me, and we both have arguably equal capability with each other, I'm not going to hurt you, because I don't want, I don't want to pay back. It's surely a thing of where we don't know what we don't know. And again, that goes with hiding all those vulnerabilities that everyone knows about, you know. And so that's a, you know, we don't know what they know, they don't know what we don't know, and it's an interesting, it's an interesting detente, I guess, of a new kind perhaps. You know, if I were a world leader, it would, it would concern me. I don't think any of them will let up with their efforts to, to raise their game, let's put it that way. It's the new normal. It's the new normal. Thank you, Andrew. Andrew Lanning, great to have you on the show. We gotta do this again. It's fun.