This is ThinkTech Hawaii. Community Matters here. Welcome to the Cyber Underground. I'm your host Dave Stevens. Welcome back. Thanks for joining us again. We have some great guests, a co-host today. We're from the (ISC)² chapter in Hawaii, and we're going to be talking about the Equifax hack, and we're going to do a couple of rants on that. But first, we're going to talk to one of the business leaders here in the community. They do a lot of contracting, a lot of cybersecurity, and have a lot of community outreach: Booz Allen Hamilton. And with us today, lead scientist and data analyst, Chalmer Lowe from Booz Allen. Welcome, man. Good to have you aboard. Appreciate the chance to be here. Excited. Where are you from? How'd you get here? What's your history? Okay. Originally, I came from the East Coast, transferred to Hawaii about three years ago. I was requested by Booz Allen Hamilton to come out here and work on one of the teams that's located down here. You're new to the islands? Okay. So totally new to the island. Soon as I got here on the island, I looked around for people like myself, people who had a cybersecurity background and or who had kind of a programming slash data analysis background. Found a number of those folks in the community, but I found kind of an opening, a gap, I guess you could say, in particularly the programming community related to Python, which is strongly used for data analysis. So I founded an organization out here called PyHawaii and we do a lot of community outreach, trying to help people understand the benefits and the usefulness of Python to solve problems, to automate work, and to do data analysis. Well, that's great. And you work for Booz Allen. So tell us a little bit about Booz Allen Hamilton, BAH. Booz Allen Hamilton, it's a consulting and technology firm. Been around for about 100 years now, a little over 100 years.
Got a strong position in several different markets, cybersecurity being one of them, analysis, solutions, engineering, defense, and the commercial market. Myself, I've done work for Booz Allen Hamilton in the commercial market, working with financial organizations to help them evaluate their cybersecurity posture and or respond to things. I've also worked in the government sector and a variety of other areas of Booz Allen Hamilton, predominantly focused on data analysis and mentoring and coaching folks on how to use Python to solve data analysis challenges. So why Python? What is it about Python? I have to emphasize this is P-Y-T-H-O-N. P-Y, so Pi Day is P-Y Day, right? So tell us a little bit about Python. Python is a programming language. It is an incredibly powerful language from the standpoint of you can do a wide variety of things with Python. It runs much of the foundation behind Google, YouTube, Facebook, Twitter, LinkedIn. I mean, the heavyweights in the social media world are relying on Python to run much of their infrastructure. If you've seen Big Hero 6, you've seen Star Wars, all those computer-generated graphics, that all resides on an underlayment of Python. It's installed by default on just about every Linux and Unix system out there. So if you want to use Python, it's available for you. It's also installed on Macs, right? Right, because Mac has a BSD Unix, I guess, mutation. It's called Darwin. That's their distro, and that's underneath the fancy GUI. So Macs get that by default. Absolutely. And Python is by design intended to be easy to read, easy to write, and easy to understand. I'll give you one example. In the UK in the last year, the BBC has released a product called the micro:bit. It's a small piece of hardware. It runs Python on it, and that was distributed to all of the 11-year-old students in the UK. A million students in the UK are studying Python and making micro:bits turn lights on, run motors, detect things.
The micro:bit's got an accelerometer in it, and a compass, and it's got buttons, and it's got a little LED display. And these kids are just tearing it up with Python, right? At the age of 11. Cool and scary. Simultaneously. Absolutely. But that's a symbiotic relationship. We've got to deal with that. We've got to educate our kids, and then hope they don't go nuts, right? Okay, yeah, let's talk about hats. We've got white hat, gray hat, black hat, and we want them to stay white hat, ethical hacking at the best, right? And I don't want them to wander off with the situational morals thing, right? So tell us a little bit more about what you do to get this into the community. So in the community, I do several things with Python, and I do a variety of things also with cybersecurity. So I kind of cover both of those issues. With Python, I said I run PyHawaii. Booz Allen Hamilton has been a long-term sponsor of that. And we have meetings every two weeks, and we, as a community service, offer up beginner sessions and advanced sessions and puzzle solving sessions. All at the same time, or do you? We do them all in the same time frame. So that way the new folks who've never played will start to see a little bit of the art of the possible when they see what we demo and show to the advanced students. And then when we, as a group, solve puzzles, we talk about how do we solve a puzzle? And we write the code on the screen. Everybody gets to see it run. We make the puzzle work, and we get an answer. And then we walk through how do we improve this? How do we make the code more efficient? How do we make it take up less space on the screen in terms of reducing the number of lines of code? How do we simplify it so it's easier to read, easier to understand? Those kinds of things. So you're a true programmer, and I know this because I came from 20 years of programming. It's never done. Yeah, it's never done. It's never done. You're always coming back. I can make it better.
I can make it better. I was drinking a beer when I did that one. I can make it better. That's the problem with coding. But it's great. You put in critical analysis, critical thinking in there, so you're solving a problem. You're kind of taking a word problem, putting it into code. And that's what happens in the real world, right? You go out there and you get a job. Someone says, I need to solve this problem. I don't know code. How do I solve this problem? I need to do x. And you say, hey, I know Python. It's right here. Let's do it. And that's what you teach people, right? You have a couple of events coming up. You want to talk about that? Sure. So in terms of cybersecurity, the kinds of things that I like to be engaged in, I like to work with folks and engage their minds. So Booz Allen Hamilton is sponsoring a couple of events that are really geared toward helping people learn and helping people to grow their skills. The first one is going to be a cyber networking and hacker trivia night. We're going to put on this hacker trivia event, try and get folks from across the cybersecurity community, both folks who are new to that community and folks who are gray beards and have a strong understanding, trying to get them all in a room, they'll socialize, and we're going to present them with hacker trivia questions, right? Things focused on the entire spectrum of cybersecurity skills, whether it be forensics, reverse engineering, malware, the history of cybersecurity. You go all the way back to phreaking. As far back as we can. It's technology too. Okay, cool. Captain Crunch whistles and stuff. So we've got all these questions, and you can get together in teams of up to six, and we can help you form a team at the event. If you don't have one, if you've got a group of folks you want to come with, that's fine too. And you basically compete for props and prizes and bragging rights. So that's going to be on the 11th of October.
Another event that I run out here, it's focused on Python. We've got a Python programming competition. It's kind of a capture the flag style of event. And we present puzzles to folks, much like the ones that we solve at PyHawaii, and we just cut them loose. Pizza's on the table and a bunch of Red Bulls and Monsters, and you have three hours. Oh, that's all I'm having. Yeah. You have three hours. You solve as many of these puzzles as you possibly can, get as many points as you can. And that'll be on, I think, the 13th of October. And then on the 14th, and this is more cybersecurity related, we're going to do almost an identical thing. We're going to have a capture the flag. I throw a bunch of puzzles out there, but they're puzzles focused on forensics or reversing or malware engineering. And you have to solve these puzzles and get those points. And again, there's going to be plenty of food, plenty of stuff to keep you alert. We've got a good sponsor, Booz Allen. Yeah, Booz Allen. They've been very generous to try and, you know, set these things up. We want to have folks in the community who are cognizant of cybersecurity risks and able to support the community in protecting ourselves from these cybersecurity risks. Without a good talent pool, right? We are all at risk. That's a philosophy. Now, if I was listening to the show, because we do podcast also, so we don't have any visuals, but if you could tell people where to go to see all this information on a website and maybe get in on a mailing list so you can find out when the events are coming in, when you blast those out to people. Gotcha. Tell you what, I will possibly send you several URLs because they are posted on Eventbrite. But the ones you sent me this morning. Yeah. Okay, I got those. Is there possibly the Booz Allen Hamilton website has these links? Booz Allen corporate website doesn't have these links, but we will get you something. Okay, we need to sponsor you a website. Yeah.
You have a Chalmer Lowe, Booz Allen Hamilton, Python, Cyber Security website. Absolutely. That's what we need because this is good stuff. You're getting out there in the community. Can you give us some examples of people that you've had on these events that have actually gone on to support the community doing these activities? Cyber, Python? So I'll give you an example of one thing that we did this summer. It's not quite folks have come out of these events, but it's something that Booz Allen was engaged in. We had 12 interns from UH Manoa and from UH West Oahu. They worked at Booz Allen Hamilton over the summer. So just so the folks out there who are not in Hawaii know, both of those universities are four-year institutions. One's research-based, one is applied-based, and they're both part of the University of Hawaii system, and they're at opposite ends of Oahu, right? UH West is out in the Kapolei area. UH Manoa is the first UH that we had, and it's out here in the Honolulu area. So just so you know where they're coming from. You took from those two, and you said you had another intern from someplace else, Toledo, Ohio? Yeah, we had a young lady, Ashley, she came and joined us from Toledo, Ohio. A woman in cyber. Good, thank God. Absolutely. And actually, in our interns, we had a total of, I think, four women in our intern program this year, which is pretty good. 33%. Yeah. I mean, that's pretty good. Wow, that's awesome. So when I first started, maybe it was like 0.01% or something? Yeah. So these interns were with us for about 10 weeks over the course of the summer, and they were part of what we call the Booz Allen Summer Games, and Booz Allen, you know, our desire to have interns come and work for us caused us to put together the Summer Games type activities. The interns worked together. They created individual projects that were focused on our customers' needs, and then we flew all of these intern teams back to Virginia, and they competed.
They gave presentations on all their projects, and the two teams that we had out here in Hawaii did really, really well. One of those teams, our cyber team, actually made it into the finals out of about 80 different teams. Oh, wow, that's great. So we were pretty excited. Yeah, that's exciting. University of Hawaii was representing. Nice that we can represent. You know, most people write us off. That's right. It's hard to believe, but this little tiny state in the middle of the Pacific is actually on the forefront of some really dangerous stuff. You know, we have some enemies on the Pacific Rim here that we have to be cognizant of, and there's a ton of military presence out on these islands. So this kind of stuff, cybersecurity, we're at the vanguard of the assault if something should happen. We need to know what's going on, and this is really helping. Thank you. What else can you tell us before we go to commercial? We have a couple of minutes here. Give us some more info. One more item that's coming up in early October. It's going to be on, I think, Tuesday the 4th of October. Here in Hawaii, the University of Hawaii and the Hawaii Business Roundtable host a conference every year called Future Focus. I think this is like the sixth or eighth year that they've done this. And at Future Focus, they look at items that are going to impact Hawaii and the Pacific for years to come. And every year, they have something associated with cyber. And this year, again, they're going to have cyber. And part of what they're offering at this particular conference is they are hosting the kickoff of an organization that's going to be hopefully prominent and powerful in Hawaii called Cyber Hawaii. Cyber Hawaii is essentially the local chapter of an organization called CyberUSA.
And CyberUSA's mission is to improve community engagement, bring together educational resources, and improve the understanding of cyber and the resilience to cyber attack for members of the business and public and private communities. Build that awareness, maybe make a cyber network of these folks so they can talk to each other, which is an important point. When you put somebody in, okay, let's be real, when we do our jobs, we're in a windowless room at 66 degrees, you know, we're usually alone, right? You got to get those people talking to other folks, right? Because that's when you share information. Hey, I saw this open source program has a hole in it. Be sure to patch before this date or whatever. And that can prevent bad things from happening. Cisco has a system that automatically shares. But even though that networking, that environment is sharing information, you still need the people. And you can learn things. You get blinders on a lot of times, where you think you're the only one trying to resolve this issue. And then you reach out to talk to some people, and all of a sudden you go, oh, yeah, I'm doing the same thing. And then you start building the synergy. But there's also, among companies, there's also a fear of sharing things as well, because you have reputations to protect. Sure. And proprietary information, maybe. So trying to get past that is a challenge as well. So we're going to go to commercial, but we're going to come back. That's a great segue into what we're going to rant about in just a minute. That's what we're here for. Hope people are sharing more than Equifax did. Obviously, there wasn't a network to support those folks, but mistakes happen, and we're going to rant. We're going to go to commercial, pay some bills. We'll be right back. Stay safe. Ted Rawson here, folks. I'm the host of Where the Drone Leads, our weekly show at noon on Thursdays here on ThinkTech.
We talk about drones, anything to do with drones: drones, remotely piloted aircraft, unmanned aircraft systems, whatever you want to call them, emerging into Hawaii's economy, educational framework, and our public life. We talk about things associated with the use, the misuse, technology, engineering, legislation with local experts as well as people from across the country. Please join us noon on Thursdays and catch the latest on what's taking place in the world of drones that might affect you. Hello, everyone. I'm DeSoto Brown, the co-host of Humane Architecture, which is seen on ThinkTech Hawaii every other Tuesday at 4pm. With the show's host, Martin Despang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. Join us for Humane Architecture every other Tuesday at 4pm on ThinkTech Hawaii. Welcome back to the Cyber Underground. Again, I'm your host, Dave Stevens, and we're about to talk about the Equifax hack. If you haven't heard about it, you should crawl out of that cave you're in because everybody heard about it. In fact, at 143 million people in the United States, that's basically the adult population of the United States of America, and we're going to talk about how Equifax is handling that situation right now with Jeff Milford, the president of the (ISC)² chapter here in Hawaii, and Chalmer Lowe, lead scientist and data analyst for Booz Allen Hamilton. Welcome back, guys. Thank you. I'm going to give it to you, man. Okay. This just in. Okay. It's not 143 million. And how many? It's 200 million. Oh, we haven't had, how many people do we have in the U.S.? That's, that's like everybody. Yeah, well, that's according to Visa and MasterCard. They sent out a not public announcement, and if you follow security, Brian Krebs is the guy who stays on top of all this stuff. This is KrebsOnSecurity.org, right?
KrebsOnSecurity, the guy. Or is it .com? I think it's .com. It's KrebsOnSecurity. KrebsOnSecurity, Brian Krebs. So what he was reporting, and this, this is a pattern that just drives me wild, because you get the announcement that says, we may have been hacked. Really, you may have been hacked. You wouldn't be announcing it if you hadn't been hacked. This is beyond possible. And then the numbers are always going to change for every breach. And if, listen, listen to the timeline. This is, this is what kills you. Okay. So on March 7th, there was a zero day exploit, which means the vendor doesn't know that there's a security bug in their software. Well, zero day means nobody should know about it. Except the hacker. Right. So there's no signature for a virus scanner to catch this. Right. It's, and it was seen in the wild on March 7th. Oh, so this has been observed. Yeah. On March 7th. On March 7th. It has to do with Apache Struts for their web software. So this is a website software made by Apache, which is an open source tool. So open source means it's free to the general public. There's a community supporting it. Community supported. But it's free and you can use it. And this is protecting all of our credit information. That's the gate to all of our data. Yeah. In their defense, the very next day, they released a patch. March 8th. There was a patch available. So the community really supports, right? They support, the community supports Apache said, oh, a zero day. We're going to take care of that. They did within 24 hours. Right. Okay. So according to Equifax, which of course we can believe them, mid-May, sometime in mid-May was when the theft occurred. They didn't discover it until July 19th, which again follows the pattern of these breaches. Right. They didn't announce that they had been hacked until September 7th. What did, are they doing damage control? Are they trying to figure out how much, I guess they're trying to figure out how much was taken? Right.
So this is the incident response process. How much, how much trouble. Something occurred. What do we do now? And they got to go through their process, right? I think they're supposed to notify people before this. So they should have done their due diligence. And their executives should not have been selling stock in the meantime, which happened. $2 million worth of stock. And the defense for that was, well, we wouldn't do anything that obvious. I mean, it looks like insider trading. Yeah, exactly. That's because it is. It looks like a duck sometimes. That's a duck. Exactly. Of course it was. Yeah. Well, we're not going to burn all of our stock, just, you know, $2 million between the three of us. I haven't checked on the stock, but I know right after this was announced to the public, the stock tanked 13%. So those people that sold some stock saved some serious money. Sure they did. And the SEC is interested already, and I've already read that a New York law firm is investigating this. So those three people, I think it's only three, are being investigated already. Thank God someone's picking up the blinders and they're looking. Finally, maybe something's going to come of this because they're not regulated. I was reading the argument being made that, well, you can't penalize them because then that makes the other two companies targets. Really? They're already targets. Yeah. And this is the keys to the kingdom. So we should reiterate, this is the top three vendors in their industry for credit monitoring and risk management of users. All of our personal information. And we don't sign up for it. No. We go to apply for a loan or credit card or something, and all of our information gets sent to them. We have no choice. We can't opt out. They're the cornerstone to one of the trust factors in our financial economy and our well-being here in the United States. And one of them, 33% of this trust, has just been removed.
And basically every adult in the United States has been affected. And I think they actually handle multinationals. So there's a lot more people out there. I can't believe that the executives of this company would let this happen. Okay. It's one thing to be breached. It's another thing not to let people know right away. It's another thing totally to sell your stock before you announce. Then what did they do when they actually announced? They charged people for the credit freeze. And then they're surprised that people rose up. They got out the pitchforks. Let's discuss the credit freeze. The credit freeze, what is that and why is that a good thing to do now that we've been hacked and we know our data is gone, right? That's at least a proactive step you can take to freeze your report so that somebody in theory can't see your credit report. If a lender comes to them, your credit report doesn't exist. It's frozen. They can't use it to open an account or get a loan or something like that. You can do this over the phone. Or you can do it online if their servers are responsive again. They kind of had a little trouble with the response time. Some of the people on the phones, I think they had to put a bunch of people that weren't used to being customer support on the phones too because there were a lot of stories going around. I would imagine the call volume went way above that. What also went missing is the credit card data, the name, and the expiration date. Right there, putting a credit freeze on is good, but if this starts getting sold on the dark web, people are still going to be able to buy things, buy gift certificates. Monitor your credit report, your statements. This also can happen using a debit card, credit debit, where it takes money right out of your bank account. Monitor your bank account because they can rip money right out of there too. If you let it go on for too long, the chances of you getting that money back are just nil.
One of the people pointed out, what I've traditionally done is once a year, you can go get your three credit reports from annualcreditreport.com, to which somebody said, well, I get mine at one every four months, which is a really good idea because that's a closer monitoring of your financial situation. But Brian Krebs again pointed out that annualcreditreport.com, guess what software it uses? Apache Struts. It's been patched since... I hope so. Because that's the one that the government recommends. Well, basically it's the only one you can go to for your free credit report. So we should emphasize, I think, that there's two types of people in countries and in companies. There's the people that run the country or the company and the people that work there. So the people that work at Equifax are probably really good folks. People that are running Equifax should be fired, in my opinion. Whatever lawyers advised them to circle the wagons and charge people, that was wrong. That should not have happened. They should have supported the people that, you know, if you're going to get hacked, at least do the right thing. Don't try to charge money. And you were going to tell us about the terms of service, if you signed up for the free credit monitoring service, the terms of service... Oh, yeah. You waive your legal rights. Hidden in that language, yeah. You waive the right... That everybody reads, of course. Yeah. Oh, yeah. That's the best sleeping pill ever. Read the terms of service or something. Yeah, sign up for our free credit monitoring and, oh, by the way, you've signed away your rights completely. What do you think about this? I mean, it's pretty crazy. And you mentioned this is kind of international, right? So there were customers in Canada and in the UK affected, I believe, if I understand it correctly. The response time from the Apache Foundation, which runs just about all of the Internet, was top notch. 24 hours or so. They have this patch available.
But part of the due diligence for any given company is to ensure that you are attempting to look for the patches, apply the patches, etc. And that is a process. Don't get me wrong, because when a patch comes out, you don't want it to break everything you're running. So you've got to do some testing. You've got to do due diligence and then apply the patches. It doesn't sound like that occurred here, right? Well, there also doesn't seem to be layers. You're supposed to do defense in depth. You're supposed to layer your security. This is one hack that got the keys to the kingdom. Unencrypted database. Unencrypted data. Probably some easy username and password to manage also. Admin, admin. Admin, admin. What about DLP? Where's the data loss prevention? Credit card numbers follow a certain format. They're 16 digits. Unless the hacker was so... Wow, I don't want to come up with that idea. Unless they chunked it somehow and then reassembled it later to slip it past some kind of DLP. But all these things exist now. These aren't future technologies to protect us. And you get these guys that are paid millions of dollars a year. Look at the Target breach. For one, $500,000 worth of gear they actually had in place, but they were outsourcing the log reads. And they were warned by the people who were reading the logs, who were outsourced. They were telling them, hey, look, there's something bad going on here. And nobody pays attention and nobody pays for it except for us. We aren't customers anymore. A long time ago, I saw something at the phone company when I was working there. It used to say, today's customer service depends on you, as the employees came into work. A little Big Brother, but still a nice reminder. And it changed. And it started saying today's stock price depends on you. And these companies don't see us as customers. They see us as wallets. Well, we changed the culture in this country.
We went from protecting the stakeholders, which includes the employees, to protecting only the shareholders, which is what Equifax was doing today. So in the last minute, you guys have any last second rants? Give me 20 seconds of a rant. One thing about the Equifax item is we're not customers of Equifax. We are their product. They gather data about us, and then they use that to help other folks make decisions about our lives. Should I get a loan? Should I not get a loan? Should I be allowed to rent, not rent? We are Equifax's product. I didn't sign up to be in Equifax's database, but I'm the guy who's going to pay for it. And this is a big failure. Yeah, this is a bad one. Jeff? And if you're ever going to be active politically, start writing people about this. Let Congress, senators, people like that know that you're upset with this, that it's time to put an end to it. Put some laws in place. Start regulating them. At least put penalties in place so it becomes very expensive for companies to be exposed like this. So let me take my last 20 seconds. Here's my rant. I know that businesses don't want to be regulated. They want government out of their space, right? But if that's going to occur, then they have to be more responsible and more ethical. So if you want to not be regulated, you have to do it right. Otherwise, Uncle Sam's going to come in. That's it. Thank you, everybody. We're out of time. Come back next week. We'll have some great stuff for you. Until then, stay safe.