Welcome back to the Cyber Underground. I'm your host, Dave, the Cyber Guy, Dave Stevens. I'm an instructor at Kapiolani Community College for the University of Hawaii. And I'm here with my favorite co-host, Hal, the Network Guy. Welcome, brother. Thanks for being back. Good to have you back. Great to be here. Hal teaches with me as well. We teach the cybersecurity curriculum at Kapiolani Community College, and we do this show quite often to bring people up to date about what they should be worried about, the things that keep me up at night, and how to avoid being hacked, which is pretty much what the show is about, right, the latest hacks. This show is about our bitter enemies in our new Cold War. We have two of them. We have Russia, and we have, not surprisingly, North Korea. We haven't heard a lot from China in a long time, which could mean two things. One, they backed off a little, or two, they got really good, and that should be really scary. That's the scary one. That's the scary one, if they're in there and they're like, no, no, we'll attack later. That's kind of scary. But Russia hit us with VPNFilter. Now, let's talk about VPNFilter. What's going on with VPNFilter? What do you hear? What do you know so far? From what I've been reading, it's targeting primarily consumer-grade Wi-Fi routers. They call that SOHO, right? Small Office Home Office. Small Office Home Office, right? Yep. So, it actually, it's a very sophisticated piece of software. It's not just simple malware; it has various stages in which it can develop different capabilities, and I guess the FBI had sent out a warning telling people that everybody should reboot their router in case they had a VPNFilter infection. 
It turns out they've gathered some more information, and they said, although that's not going to work, it actually persists through a reboot, and if you want to get rid of it, you may have to actually do a factory reset and reboot, and then you have to completely reconfigure your router again. Well, think of it, you can save the settings, right? Most of them. You could save it externally, or you can print it out, or you can probably find a way to hold onto it. But you still have to go back in and reconfigure. Once you go to factory reset, then everything goes back to default, and you have to go back in and enter whatever IP addresses, whatever special configurations that you had. But so this initial stage, this initial infection, I guess, is just the back door that lets everything else come in. So that's clearly the one that you want to get rid of. If you can get rid of that, then it probably won't make it to the other stages. But this can do everything from monitoring all the traffic going through your router to actually injecting malicious traffic into your router. So one of the examples I read was that you're on your banking site, and it shows you that your balance is $5,000 when actually it's zero because they just took it off. But you still see what they want you to see. So you can't trust even what you're seeing coming through your router anymore once you've got this infection. Now, we should emphasize also, if you're going to factory reset a router, there's two things you should do. One, don't do it over Wi-Fi, because Wi-Fi is going to go away; it's going to be reset to nothing, right? So plug in your Ethernet cord from your laptop or your desktop computer directly into the router. Another thing is take the router off the internet, disconnect that, because when you factory reset, you go back down to defaults. Which probably means zero security settings. Right. It's the default username and password. Everybody knows it's admin-admin, yeah. 
You don't want the malware to just get right back in again, because that defeats the purpose, right? So you take it offline first. By the way, at least with my family, tell everybody what you're doing first. Just yank it off. I would actually make the recommendation. I think it's a good idea. Whenever you're doing any kind of reconfiguration of your router, it's probably a good idea to do it wired, with a laptop wired to the router, rather than doing it over the Wi-Fi. If you're going to do that, then you don't even have to, you can really limit the admin access and how it can be connected to in administrative mode and how it can be configured. It's a little bit more of a pain. You have to unplug it and plug a cable in and set up a laptop. But it's just good and secure; you can be sure that nothing strange is going on if it's just you and the laptop. It's very intimate. Yeah. It can be intimate. I like that philosophy anyway, because we're supposed to exercise least privilege with access control. You want to limit what everyone can do on your router. The administrative stuff should only be you and your router, and nobody else should be able to get on there. We should also tell you that every once in a while, you should go on your router and check things out. You can do things like see who's got a lease on your DHCP addresses, count how many of them are there, and count how many devices there are in your house. If you've got more IP addresses in there than there are devices in your house, somebody else is on your network and you need to get them the heck off. You can also, and what I also recommend, and maybe I get your advice on this, and this is a pain in the butt, go get the MAC address, the electronic code, the hexadecimal code for each unique device in your house, and whitelist that on your router. So that's a whitelist. Hopefully those devices are supposed to be able to connect. 
I would absolutely recommend doing that, but if you have a good intelligent router, it will actually, it will list them for you. And all you need to do is basically enable this one, enable this one, and then disable anything that's not on that list. Only if you've just configured it. I mean, if it's been on for a while, again, if you have more MAC addresses than you have devices on the network. I would do this on initial configuration, so set the thing up, connect your laptop to it, go on, get the MAC address, add it to the whitelist, and disable everything else, and then the next device that needs to connect, do the same thing. So it's a little bit of a pain, because you may have several devices that need to connect, but once you've got all of the Wi-Fi devices that regularly connect to your network in there, then you don't have to do that. Again, it's not something you have to keep updating or anything. A lot of people have guests that come over to the house and they want to use the Wi-Fi network, and they're apprehensive about handing out the Wi-Fi password, but most routers now come with a guest network. It's a separate Wi-Fi network. It's kind of a VLAN, or virtual local area network, where it's logically separated and the two can't touch each other. So if you have devices on your regular Wi-Fi and people on the guest Wi-Fi, those devices can't see each other. So it's a safe way to do it, and you can have a different password. Different passwords, different configurations, different back address wireless. I mean, you can pretty much have a complete virtual network. That's a lot of work. It can be, but it's worth it. It's worth it if you're going to get infected with something like this; that could be a real major problem for you. You'd probably be happy that you spent a few minutes setting up some of these more advanced configurations on your router. 
I would think so, and what I get from most people, just regular ordinary people, most of them say, well, nobody really wants me. I have no value, and I would counter with, yes, you do have value. There's a couple of ways that you do have value. If I'm casting a wide net, and I have a very large piece of malware that can do quite a bit, every little dollar is going to help beef up my bank account. Also, I can use you as a proxy to attack somebody else. As a jump-off point, if they try to trace me back, they trace it back to your router and some other poor person's router and some other poor guy's router, and you never get back to the actual perpetrator who's, as you said, sitting in Russia somewhere. So forensically, it's hard to find the actual person. Also, you could be used as a bot, like someone could zombify your system and use it as an attack vector against amazon.com, and you get 50,000 routers at the same time, or a million routers, all going to browse amazon.com at the same time. You could essentially take it offline for a couple of days. And that brings us full circle, because this VPNFilter, one of the capabilities is to take over command and control, and these devices that have been compromised can then be used as part of a botnet to attack someone else. So you don't want to become part of that. So this is actually worth it, because when you're part of a botnet, you might not know, except that your internet slows down to a crawl and your computer seems to be very slow and nothing's reacting very well and nothing's behaving the right way. And it's a little inconvenient for you, but whoever's being attacked is down. So they're losing probably essentially millions of dollars. And that's usually malicious, or someone's being blackmailed. There was a couple of kids doing that for blackmail. You could pay them a couple of grand and they wouldn't do a DDoS attack on you. Thankfully, they got arrested. I haven't heard if they're prosecuted yet. I hope so. Got to set an example. 
So that's something you've got to do to the router. Now, the router, usually to do a factory reset, I tell people, on the back there's usually that little pinhole, and you stick a paperclip piece in the pinhole while it's powered on, hold it down for about 30 seconds, usually, yeah. And then release it and power off the device. And here's the important part. Most people just unplug it and plug it back in. You should wait. You need to wait. So inside there's capacitors. They're electrolytic material that carry charge for several seconds. Sometimes 30 seconds or a minute. And you need to bleed that off. So all the active memory is gone. Then plug your device back in. And it's just like you got it out of the box. Then, like a Linksys router will let you, in the web interface, save your settings to a text file in a certain format, or an XML file. I can't remember now. But then when you reboot the device after factory reset, you can load those settings back in. Now, I wouldn't recommend doing that, actually. I'd start from scratch. Because you might get settings that were maliciously altered, right? Unless you go through and understand exactly what those settings are. Oh yeah, I set that. I set that. Right. But yeah, if someone had, for example, added extra MAC addresses. Or port forwarding. Or some kind of port forwarding. Right. Yeah. And they could get in. Or they activated the, what is that? Remote WAN. Wide Area Network remote capability. So you could log in from the internet if that's active. And you don't see that flag. You've just enabled it. Or they could reset your username and password to default. By the way, have you been to shodan.io? Yeah. Yeah, that's very interesting. So our audience should know shodan.io is a website where you can go see all the routers and IoT devices out there that are on the internet. That are actually on the public internet. They have their default username and password enabled. Which I think is useful and scary at the same time. 
Because when you see the IP address on Shodan, you can do a geolocate on that IP address and see where that IP address is. And if you get a little bit more information, you could zero in on that person and hack that person. And that's a terrible thing. But then it's a good thing at the same time. It's one of those conundrums. How do we... It's open source versus keep the secret so no one gets hurt. But if you release the secret, everyone can protect themselves. It would be nice if everybody knew about that site. So they would actually go and look and say, Oh no, that's me. I better fix that. Right. That's good. That would be hard. Okay. Let's talk about the next big threat that's out there right now. And the reason I bring up North Korea all the time is because North Korea, Russia, China, they've all done this. They're attacking. However, they don't attack to the level of, say, a Cyber 9/11 event. It's not a Cyber Pearl Harbor. So the footprint of the attack never sets off those big alarm bells. Oh, we're under attack. It's war. So we're always handling these as one-offs. Oh, this is just Sony Pictures. This is just the Office of Personnel Management, OPM. And this is just this company, Home Depot, Target, whatever. But it's a test. Ransomware, let's do this one. Ransomware, when they attacked the UK, they did almost the entire National Health Service, all over the UK. And they collected a total of what, $30,000 in ransom? That's a test. They weren't in it for the money. They just wanted to know if they could press a button, could they get something done. And it was a successful test. I mean, England should, you know, wake up. You've been probed. It was a proof of concept. It was a good proof of concept. I shouldn't use that word, probe. This could have negative connotations. Alien probe. No. Okay, we're going to take a little break, come back right after we pay some bills. Until then, stay safe. I'm Andrea Gabrieli. 
The host for Young Talents Making Way here on Think Tech Hawaii. We talk every Tuesday at 11 a.m. about things that matter to tech, matter to science, to the people of Hawaii, with some extraordinary guests, the students of our schools who are participating in science fair. So Young Talents Making Way, every Tuesday at 11 a.m., only on Think Tech Hawaii. Mahalo. I'm Pete Mouginis-Mark. And every Monday at 1 o'clock, I'm the host of Think Tech Hawaii's Research in Mānoa. And at that program, we bring to you a whole range of new scientific results from the university, ranging from everything from exploring the solar system to looking at the earth from space, going underwater, talking about earthquakes and volcanoes, and other things which have a direct relevance, not only to Hawaii, but also to our economy. So please try and join me at 1 o'clock on a Monday afternoon for Think Tech Hawaii's Research in Mānoa. And see you then. Welcome back to the Cyber Underground. I'm Dave, the Cyber Guy, here with Hal, the Network Guy. Welcome back. Let's talk about how a civilization dies, not with a bang, but with a whisper. And this is definitely how it's going to happen. I used to think that World War III was going to be a huge cyber attack, then it was going to be some kind of EMP blast where we lose all our electronics. And then it's down to sticks, guns, and knives, you know, conventional warfare. I'm beyond that now. I think that the whole takeover of Ukraine by Russia, the Crimea, I think that that's the way we can lose countries now. Somebody wants it, they engineer a way to sway the public to think that's an OK thing. And then they just start attacking little stuff, never enough to set off the alarm bells to say, we're in a full-scale war, so no one's ever thinking call out the troops until it's too late. It's bit by bit. Bit by bit. It's how to eat an elephant, you know. And, you know, I compare the Crimea takeover to the Sudetenland in 1938. 
For those of our audience members out there that don't know history, please go read a book. Anyway, same thing, Germany took the Sudetenland, and then the prime minister of the UK said, oh, it's OK, just stop there. And then in 1939, well, World War II, Hitler takes over Poland, rolls into all the other countries and takes France. But I don't want that to happen to the United States, and it seems like we're ready for the big attack. You know, we're ready for the big stuff, EMP blasts, nuclear missiles, land troops landing on the mainland, naval attacks and satellite attacks and bombs, but this little stuff, where someone can sneak in and turn off the water. And how long can a city last without water? Not a long time, right? So when these little attacks come up, it's a big thing to me. And we have a new North Korea attack. And North Korea, according to the DHS, they call them Hidden Cobra, because they have to nickname everything. It has to be a cool name. It has to be a cool one, yeah. There's no Hidden Tulip. Yeah, my code name is Dave. It's Dave. So they have a new one called TYPEFRAME. Now, they had an evil one called BANKSHOT a little while ago, if you remember this one, and it was aptly named. BANKSHOT was a proxy service. They had installed it in your network. It would not do anything to your network. It would not damage anything. It wasn't malicious. It would just sit there and be a relay for messages that they wanted to send and receive. So you couldn't track their other activities. And it was kind of hard to find, actually. You had to have a signature. You had to go hunt for it. You had to do deep scans in your network. Now they have this one called TYPEFRAME. Right now, it's a Win32 executable, a couple of DLLs, which are Dynamic Link Libraries, the files that end in .dll that are Windows files, and there's a macro virus in a Windows MS Word file. In a Word file? Yeah. So let's talk about TYPEFRAME. 
What have you learned about TYPEFRAME so far, reading the notifications? TYPEFRAME, yeah. This is from the same group that brought you WannaCry and the Sony attack in 2014. And this, again, this is a pretty sophisticated piece of software. It can do, it has multiple capabilities. It can install a RAT, a remote access Trojan, which can be used, again, to take over a device to add it to a botnet. So it has a lot of similar capabilities to what we talked about with VPNFilter. From what I had read, this was targeted more, not so much at consumer sites like VPNFilter was; it's more targeted at industrial types of sites. It was looking for certain protocols that are usually associated with more industrial control. But that's really more scary, because as you said, that means this is something that, you know, could be possibly used to turn off water, to mess with nuclear plants to turn off. The industrial control system is called SCADA, System Control and Data Acquisition Modules. They're the human interface between us and very primitive machines like valves that open and close, heat sensors that will tell you when something's too hot, the speed of a motor. So Stuxnet was one of these viruses. Stuxnet, yeah. We went in, the US and Israel. We created a virus to go into the nuclear reactors in Iran and spin them up so fast that the motors melted, because they're stepper motors, and the more steps per second you program into them, the faster they rotate. So that's one of the malicious things you could do if you took over SCADA systems. You could also stop water flow, overload water flow, create too much pressure. You could do the same to natural gas, which could create havoc. Yes. You could do all kinds of evil stuff with electricity, because electricity, if there's a one-off anywhere in that circuit, you're going to get some bad reactions. 
So one of those things, the electricity one, I'd like to talk about for a second, because this is kind of a concern to me. I know that just a few years ago, most of the eastern seaboard went down because a couple of power ballasts went out in, I think, the Ohio region, and that was part of the Virginia grid. And that one blackout, because electricity is in a circuit, that was the interruption in the circuit that caused everybody else to go down, and there was no backup. It shocked me that our electrical grid is at such a primitive stage at this day and age that Virginia, the Washington D.C. area, could go down. There's some important places in Virginia. Yeah, that's somewhat important. I would say there's a few people there that might run the country from time to time. And I would think that there's kind of a lot of important computer stuff going on over there. I would think so. Yeah, and I would imagine everyone's got generators, but only for a little while, and this was a couple of days. I think it was a tree. It wasn't an attack that they know of; it was just a tree. But these control systems that can be hacked now can be used to turn off electrical grids. And think about a city with no electricity. I don't think I can imagine that. I mean, not during my entire lifetime have I lived without electricity. Have you? Except when you're camping? Yeah, and even then, you usually have your cell phone with you or something. Even when we were kids, we had flashlights with the car. I mean, I experienced like a 13-hour blackout here on Oahu shortly after I moved out here. Oh, the '06 quake. And that was pretty eye-opening. I mean, there was no cell phone service. There were no elevators to get to my 36th-floor condo. There were no electric pumps to pump the water up so I could have water for the toilet and shower. Yeah. It was quite eye-opening as to how fragile some of these things are. People don't realize that. 
High-rise building and you don't have electricity, you've got no water. And out here, no AC; open the windows and pray for a wind. Yeah, and it gets pretty miserable sometimes. That could be a big imposition, right? And also, if you turn off the water, I would imagine a civilization would just fall apart immediately, within a day, if people are fighting over water. Well, people can probably survive a few days without food, but how long can you survive without water? It's three to seven days without actually having a drink of water. And out here, even worse, because it's humid and we sweat, so we would last even less time. It's not a very long period of time. Whereas with food, I think the maximum you can go is almost 90 days without food. But who said it? Che Guevara said, every society is only nine meals away from a revolution. I believe that was his quote. And I totally believe it. I mean, you take away food for three days, and people are going to get pretty unhappy. They're going to get pretty unhappy. I guess the counter to that is if you took away all the water, they're not really going to be fighting much after a couple of days, because they're going to drop like flies. So, you know, well, I guess there's good news on that front. That's morbid. Okay, let's get away from that. So what can you do to protect yourself? I've got a list of stuff we're going to go over here. This is kind of common sense stuff, right? So when you're going over your home network or your business network, these are the kind of things you should do anyway. Anyway, yeah. To protect against any type of malware. Right. So let's just talk about antivirus, which, it's not just antivirus anymore, right? What should I be installing to protect myself now? Antivirus, but with a firewall and with web protection. A real robust antivirus that looks for more than just file signatures somewhere on your hard drive. So any of the major antivirus companies. 
But one of the most important things to do that people don't always realize is that you have to continually update that antivirus. The way that it works is it has a signature for every known malware file. And if you're not updating, then you're not getting the new signatures. That means the newest malware, you're still vulnerable to. So it's very important to make sure that you keep it updated all the time. And that's one of the things where our tax dollars are playing in our favor here. NSA, DHS, FBI, they're all collecting the signatures from these malware. You can sign up for US-CERT, the Computer Emergency Readiness Team for the United States. And they give you emails and send you all these alerts and signatures. NSA has this, in concert with the FBI, and Consumer Affairs has this. This is our tax dollars at work. We have one minute left. We're not going to be able to get through this. Okay, so we update your viruses, your virus signatures, update your system. So the software, update Windows, Mac, firmware, right? And use strong passwords. Yes, that's key. Strong passwords. Eliminate any unnecessary services, things that you don't... Right, or software you didn't want to install, don't install that stuff. Oh, and if you have multiple users on your system, limit what they can do. Yeah, don't make everybody an administrator. Yeah, just make them users. Don't let them install stuff, then it's going to surprise you. We're going to have to get back to the rest of this list some other time. Let's do a quick plug for Kapiolani Community College. We're going to have a Wetware Wednesday, a mixer for all the software and IT people, on Halloween. On Halloween. On Halloween, it's going to be great. We're going to keep up with that. And we've got the cybersecurity program starting up in fall again. We're doing all our cybersecurity classes. And our ethical hacking class is going to be doing an actual penetration test. So hopefully someone's listening out there. 
We'll sign up for one of those classes. It'll just get more students involved. And you'll be teaching the cybersecurity fundamentals and networking. We're going to have a great time. Thanks for being here. Welcome to it. Thanks for joining us. And we'll see you next time on Cyber Underground. Until then, stay safe.