 Think Tech Hawaii, civil engagement lives here. Welcome back to the Cyber Underground. I bet you missed me. I missed you. I've been gone for a couple of weeks. I'm Dave, the Cyber Guy, your host of the Cyber Underground here every week on Fridays at 1 p.m. Hawaii Standard Time. And once again, I'm here with Hal, the networking guy. Welcome, buddy. Thanks for having me back here. Thanks for coming back. Need to tell the audience that we teach for Capulani Community College. And that's part of the University of Hawaii system. We're out there just about a little less than a mile from the White Sands of Waikiki Beach right down from the crater at Diamond Head. And the slopes of Diamond Head. Yeah, so we got a prime spot, Ocean View. But I know before you start hating us, we do work. We work hard. So that's why we're doing this show. Let's talk about some of the current events that's going on. We had the masterfully done Helsinki Conference this week. And Russian hacking has been at the top of everybody's list to talk about. And I thought, maybe why not take a different turn on this? I mean, everybody's talking about Russian hacking. There's also Chinese that hack us. And there's also North Koreans that hack us under the guise of what we call Hidden Cobra. That's their nickname, right? DHS calls them Hidden Cobra. But they've all got different motives, right? So let's examine the motives and the end game for these hacking attacks against the United States and try to examine, you know, how a hacker thinks. Because a lot of people want to get into hacking and they think it's just cool. But really, what's your end game? What do you want to do? But when you hack, there's a lot of barriers in between you and that skill set. So you have to work your way up to it. And when you work your way up to it, you can accidentally break some laws on the way. Or you can break them on purpose. Oh, purposely. Yeah, right? So you're going to have to have some ethical boundaries and decide who you are before you go into this. It's like giving somebody a loaded gun and saying, don't shoot anybody except for that guy over there. You know, it's a very focused topic. So let's examine that. Let's go over Russia now. The Russia hacks us and tried to get into our elections. And we already know they attacked our election voting machines in 20 states. And they're getting into the DNC emails. They sent out 29 spear phishing attacks, which was focused on people in the DNC. Only one of those addresses was actually valid, you know, occur an employee. And it turned out, I guess it was Podesta. And they got him on the first try. I gave up his password. Let's talk about what's Russia actually after? What do you think the middle in our elections is going to do for Russia? Well, I mean, it seems pretty clear that those attacks were meant to influence the election in some way. Many say that there's been kind of an ongoing grudge match between Hillary Clinton and Vladimir Putin. So the last person he wanted to see elected would have been Hillary Clinton. So maybe he was, you know, let's see if we can influence things against her, if we can make it tougher on Hillary. And I mean, it's just speculation, but that's what, you know, a lot of people seem to think the main motive probably was. A lot of social stuff, too, right? They added stuff to Facebook that was false, you know, fake memes and attacks and fake news articles that pointed you to fake news sites that actually looked like real news sites. And it was mostly anti-Hillary news. They went a lot of anti-Trump news items that they were pointing it to. And I think it did help the Republicans in that election. And I think the frightening thing after Helsinki is what I'm realizing is because of the way our president presented himself and did not address the elephant in the room, I think that that was a signal to Vladimir Putin and the Russians that Trump would like help again in the midterm elections coming up. And I'm hoping that's not going to happen, but we've already seen reports of three people running for Congress that have already been hacked. And the signature of the hacks have pointed back towards Russia. Yeah, it certainly doesn't seem like anything's happened that would deter them from continuing in these efforts, you know, to try to influence. And it may not be, you know, trying to influence things for one particular candidate. It might be just a kind of so disruption. I mean, if we're kind of chaotic and divided and disorganized, then it's like a zero-sum game. Russia feels stronger and, you know, more influential. So if they can just disrupt. Especially if we destabilize and try to dismantle NATO. Well, if we do something, you know, like that, absolutely. I think the instability, I think you've hit on a good topic here. Russia wants the instability because a House divided cannot stand, as Lincoln said. So it favors Russia to have us unstable. We are a weaker foe, so that helps secure Russia. And I get it, right? That doesn't seem to help China. I think it's the exact opposite of what China wants. We hold so much debt for China. We are in debt to China. We've borrowed so much from them that destabilizing the U.S. would actually harm China. I think the goal of most of the Chinese hacking is probably more espionage. They want to gain information, both about our government, about what our industries and different corporations are doing, but it doesn't seem, as you said, it doesn't seem like disrupting things would really favor them. They just want to kind of get a leg up some insider information and know what's going on and what's coming. We're at the corporate level. That makes sense because if we had, if God forbid China and America ever went to war, the first thing that would happen is China would lose all of its debt. America would just say, fine, we're at war. We absolve ourselves of all our debt. We owe you nothing. And China would just lose wholesale because that, just the interest alone on that debt is a large volume of the gross domestic product, right? So I don't think China wants that. So it seems like the two people attacking us, the two major powers, not mentioning North Korea yet, they're against each other. In a way, yeah. They certainly have different goals. Different goals, right? So it's a mindset. So that's a nation state goal, right? And North Korea really can't get him, Fatty Kim, the third thing. I can't nail him down yet. He seems to have different goals at different times, but I think all he really wanted was to be recognized as a world leader with the rest of the world leaders. And NATO and everybody else kept thinking, no, no, we'll let him play on his own because he's guilty of so many human rights violations. In fact, the latest research on human slavery that happens worldwide, the latest information says most of it happens in North Korea, right? Which that's terrible. And I agree we shouldn't really recognize that leader as a leader because he's abusing his power so horribly. So I think his goal was just to instill fear and gain knowledge about weapons systems and advance his nuclear weapons program. So we would take him serious. Mission accomplished, thanks again to our new presidential administration that validated everything that he wanted. So different goals. Let's go down a level and talk about hackers at, so China does this as a corporate thing most of the time. I mean, they've stolen weapons secrets before, we know that. But it's more of a corporate thing. But oh, we should talk about this. I just read they now have an aircraft and you could recognize it by the symbol on the tail, but you can Google this as aircraft that has a small laser that will fire a laser beam at the optics of spy satellites to blind satellites. So when they want everything in a certain area to be completely off the grid, they can launch this aircraft and have several of these lasers. And it knows where the satellites are because they're in clear view, right? And just fires this laser beam into the optics of those satellites and blinds whoever like the United States is observing. So they actually have weapons, which is like an anti-weapon, focused just on blinding us. That's a big investment. I mean, this was a huge aircraft. And so they're serious about blinding us. But that makes sense because we have a satellite system where we can view almost any square inch of almost anywhere on the planet. So it makes sense if you wanted to delay some kind of response or hide an action that you might want to. You might want to just blind somebody for a little while? Yeah, it makes sense. That along with network hacking and some kind of a radio dampening, you could effectively be invisible for a little while, right? But most of it, like you said, is corporate espionage. And I think it comes down to intellectual property. And it comes down to getting a monetary edge or a business edge, right? Because they compete with us so heavily. Let's talk about within just the United States. Corporate espionage can be enormous. I mean, we've had US companies suing each other for decades now over patent infringements. And you wonder, how could they have gotten that technology? Because when you look at the actual patent from the patent office, yes, I'm an enormous geek. And I've read the patents from the patent office. Guilty. Anyway, you read the patents and it doesn't have that much information. It's just a basic outline, right? I couldn't build you an iPhone from the patents. That was just the technology, the patented piece of their technology, right? But then some comes up with their Android phone. And remarkably, it's got almost all the features that the iPhone has. Well, it's exactly like it. So of course, Apple and Samsung go to war. But that's corporate espionage. And there's dozens of ways you can get into a corporation. But that's one of the motivations. So a corporation would have to hire a hacker to infiltrate another company, either by networking or getting hired there. Or they might be able to find an insider. An insider. Oh, the inside man is a bad attack. Somebody who's willing, oh, another paycheck? Great, I'll just double up. Most spies in America are made that way. The worst one, I think, and I can't remember his name down, had big classes. It was in the 80s. If you remember this person sold out his entire CIA team in Russia, got them all arrested, and made several hundred thousand dollars while doing it. They caught him, of course. He's serving, I believe, a life sentence or several in a row. Because all those people that were caught were killed. So the inside man, that's the most devastating attack. I hate to say. Which brings us to one of those security principles that we're always preaching. Least privilege. Give them what they need to do to get their job done, and nothing more. And the insider threat, which is one of the biggest threats that you have to worry about. Mitigating that threat is almost impossible sometimes. I mean, how do you know? You have to do some serious research. And I think that's why security clearances take so long for a DOD. Background checks, job rotation, mandatory vacations, all those type of things are all meant to try to mitigate that insider threat. Right, job rotations, I think, people fail to do quite often. People put someone in a job, and they get really good at that job, and they leave them there because they don't want to disrupt the business. And it's a double-edged sword. You get the efficiency of that one person, but if that person turns because of an inside man, or just gets sick, or gets a better job, you lose. You don't have anyone cross-trained to do that job. So job rotation, I think, is a good point. Thanks for bringing that up. Let's talk about motivations of people getting into the field of hacking and what they'd want to do with their newfound skill sets. Some people want to make money. Whether they do it legally or illegally, there are people who want to become activists online. Hacktivists. Yes. They call it hacktivists. Hacktivists, yeah. And hack for cause that they're trying to promote. Right. Then, I mean, there's cybercriminals online. There's skipkitties. There's a whole range of explosives. Let's talk more about those right after the break. We got to pay some bills, and we'll be right back until then. Stay safe. Hello, everyone. I'm DeSoto Brown, the co-host of Human Humane Architecture, which is seen on Think Tech Hawaii every other Tuesday at 4 PM. And with the show's host, Martin Desbang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Human Humane Architecture every other Tuesday at 4 PM on Think Tech Hawaii. Hi, everyone. I'm Andrea Gabrieli, the host for Young Talent's Making Way here on Think Tech Hawaii. We talk every Tuesday at 11 AM about things that matters to tech, matter to science, to the people of Hawaii with some extraordinary guests, the students of our schools who are participating in science fair. So Young Talent's Making Way every Tuesday at 11 AM only on Think Tech Hawaii. Mahalo. Welcome back. Hope you enjoyed the break. I did. It's always my favorite part of the show. Not really. I hate pausing, but it's a good time for us to sync up. We were just talking about the different types of hackers. We get the hacktivists. We get the cybercriminals. We got script kiddies. Let's describe the script kiddies. So script kiddies are what we call hackers who really have a kind of low skill level. And so they find scripts that other people have written and they run those scripts against your systems, against your networks. And they can exploit low hanging fruit. If you have a well harder network, probably can't get too far just as a script kiddie. But I'd be surprised how many networks do have vulnerabilities for which there have been published exploits and scripts that you don't need any real skill level to be able to use. You just execute them. Yeah, we should warn our audience. So these scripts, if you get them from a reputable place like exploit-db.com by Offensive Security, those are good scripts. They've been validated and they're not going to do any harm. However, there are scripts that you can download that you think are working but are actually working against you and that can actually damage your machine and expose you to WAC and open up a command line on your machine for somebody else and let somebody in on a back door. So careful where you get these things. It's script kiddies, K-I-D-D-I-E-S, not like a kitten. Not like cats. Not like kids, like script kiddies. So if you're a script kiddie, download them from a reputable place like offensivesecurity.com has great stuff. And by the way, shout out to all of the offensive security guys. I'm going through your OSCP course right now. Fantastic stuff. I'm absolutely in love with it. Good job. So let's get back to hackers. So quick mention, Russian hackers attacking the US probably got into that field because they wanted a good job. This was available. And Russia trains them for free, right? Problem there. We all do that. All our countries do that. We train professionals. But when they turn, we get Snowden, right? Because Snowden was trained working for the NSA on contract He was working for Verizon at the time, right? With contract with the NSA. Had all his clearances and was trained at least to the level where he could escalate privileges and create other accounts to gather information. And then he air gapped his way out. He had a USB drive where he put all these files on and he walked right out with it. Unbelievable, right? So these skill sets, and I have these apprehensions too. We train our kids to do this. And then we send them on to UH West that does the full ISA program and gives them even more skills. What are your feelings about those kids taking the easy path and feeling that draw of money and going down to ransomware or cyber crime? Well, there's always that fear that some of our students are going to take the dock side. I think for the most part, our students understand the ethical issues, especially professional ethics. Once you've done that, once you've gone down that dock path, there's really no coming back. If you're working as a security professional for a company or for some government agency or whatever it is, they expect you to maintain the highest professional ethical standards. And once you deviate from that, there's really no going back. And it gets easier. And you're not going to be employed in that field anymore. You're going to be stuck with a dock side that's going to be the only side that you're going to be allowed to play with. You still get work, but probably not working for the people that you like to work for. I really think the majority of our students have the right motivations that they want to do good. They don't want to use their powers for evil. From Spider-Man, with great power comes great responsibility. Great responsibility. I love that line. And it applies to what we teach our students. And when they came out on the other side with a skill set, they have to decide, am I going to take that job and work for somebody else? Or am I going to run my own business? You can do that. But when someone comes to you and says, hey, I need you to run these websites on the dark web, you have to make a choice. I mean, you'll have the skill set to be able to do it. And it's good money. But let's go through who you work for when you do those skills and you work for those kind of people. So you might work for organized crime. And I have to emphasize. Let's go out to the audience. There we are. I have to emphasize, when you do these dark skills for these dark people, organized crime, so forth, you're committing a crime. You do it well. You'll get a pat on the back. You'll make some good money. However, what you may not know is you just became a liability to that criminal. So as soon as somebody says there's a connection between you and the person that hired you, you're probably not going to be around very long. These are people that don't think twice about killing people. If they're going to do human trafficking, if they're stealing millions upon millions of dollars and they're doing ransomware, it's a very good chance that you're taking the chance that you're putting your life on the line. And being off the grid electronically doesn't mean they can't find you. And you're taking a big chance. My students brought up, what if I stole $40 million and I could get away with it in one big hit and just go away and live on the beach forever? My response was, I don't think anybody that has $40 million would let that go. If you took $40 million, it's probably worth the investment to buy a hitman to go get you and bring back what's ever left, right? Or anybody who knows that you have the $40 million, even if you didn't steal it from them. That's right. That's right. They'll turn you in. They may want the $40 million. That's right. So you're not only at risk from other evil doers, but you're also at risk. If you get caught, you're likely to spend a lot of time in jail. Those punishments are increasing. And remember in the late 80s, early 90s, when we really didn't have the Digital Rights Act that we have now inscribed and codified into federal law, the punishments were just a slap on the wrist. They were pathetic. And now we're seeing some people do some serious jail time. And I'm happy because that's a deterrent. That's my way of thinking. What do you think about that? Big penalties for cyber crime. Yeah. Well, certainly the environment for a while where there was a little cooperation internationally on it. And they were using obsolete wiretap laws to prosecute people. And so they weren't doing, as you said, very much time seemed not equitable with the actual crime. Because it can cause a lot of damage. I mean, hacking costs billions and billions of dollars and causes a lot of damage, too. So I was reading the latest statistics in 2017. The average United States breach of a company, the average was $7.91 million per breach. That's the average. If you're a small or medium-sized company, you're out of business. No one's got that war chest. It was a small or medium-sized business. If you've got more than $10 million in the bank, you're a big business. No one's got that kind of money. So one breach, you're done. That's a lot of damage. So the time kind of needs to fit the crime. So it definitely needed to be in case where they needed to have stronger penalties and stronger laws. So maybe the people doing these and getting into the dark side starting out, maybe we just need to tell them it's not just about shutting down the banking system and giving everyone a fresh start. And I've heard that before. What if we just melt the whole system and start fresh? Well, that's great. But if you look, your parents have got a retirement savings. You just blew away. And somebody else is going to lose their house. And somebody might be in another country, and all of a sudden they have access to no funds. You just melted the whole thing down and you trapped a lot of people in some really bad situations. You've physically hurt people. If somebody needed money for emergency medical treatment, now they don't have any. And the hospital is not going to say, we'll give you a heart surgery for free. You've hurt a lot of people. And you've hurt a company. And it's not just the company. You get mad. Say we got mad at all I'm going to pick on Amazon for a while. We want to take Jeff Bezos down because we don't like Jeff Bezos for some reason. Jeff, I love you, man. I'm just using you as an example. Sorry, you were an easy target. So don't come after me. I love you. So we want to take on Jeff Bezos. And we just ruin the company. How many people work for that company? Do you also just trashed? No more. No more, right? You took out the whole company and everybody that supplies them, all the people that sell them products, probably the truck drivers even, you've hurt just the collateral damage is remarkable. What other factors can we think of that? We need to tell people, hey, when you hack, this is what you're really doing. Yeah, well, when you're not only exposing yourself to criminal issues, but let's say that you hack into someone's system and you expose information about them. You might be saying them up for who knows what kind of embarrassment or something if this information now becomes public because of your hack. Oh, how many allies were ruined because of Ashley Madison? Yeah. Not that I have a whole bunch of sympathy there. However, it wasn't their business to do that. And they really trashed a lot of lives. And yeah, if someone gets a list of email addresses and that becomes public, then now my email address is known and I can get spearfishing attacks on me. So I can be exposed to. Yeah, you're right. So these things can kind of snowball. With our last 30 seconds, let's talk up our program, our IT and cybersecurity program at Cappy Island Community College. Once you guys come out there, we're starting up this August again. Come out and get a cybersecurity certificate and start building on your associates and IT and maybe move on to a bachelor's degree someday. And we teach the first two years at Cappy Island Community College. Come out there and Alan and I will get you up to speed. And I hope to see you there. Please come join us. It's a really inexpensive and great way to get your career started. And right now, cybersecurity unemployment rate, 0%. And that's only because it can't be negative. All right, thanks for joining me, man. Come back next week and see the Cyber Underground. I'm Dave and I love it that you came to see me again till we see each other again. Please stay safe.