Think Tech Hawaii, civic engagement lives here. Welcome back. This is the Cyber Underground. I'm your host, Dave Stevens, the Cyber Guy, with me here, Andrew, the security guy. Hi, brother. Welcome back, brother. Thanks for having me. Oh, man. I like stopping here when I get a chance. So excited that you have your own show now every Friday, 10 a.m., when you can do it. Security matters. Security matters. Believe me. This is security. We love this. This is the other part of security. Yes. The deep dive into the binary edition. I don't want to talk about that. And when they do, they get all scared. Don't be afraid. We're going to talk about more stuff that could scare the piss out of you, unfortunately. Uh-oh. Everybody's got an Alexa? I don't. We had one for a long time. We thought, hey, this is really neat until I thought, hey, what's this thing really doing in the background? You know, it's connected to my Wi-Fi network. It has control over my speakers. It could talk to my TV. And there are more and more apps coming out for it all the time because people keep doing the third-party apps. And we have an Alexa over here, but we're not going to turn it on right now. Alexa is not really a bad device for the intended purpose. She does exactly what she's supposed to do. She's a personal assistant. She can look up recipes for you, play music for you. That was a really neat one in the kitchen. You're cooking up some food. You say, hey, Alexa, play my playlist, and you've got some great music. And it's a good speaker system. It works really well. You can have the Echo extensions in each room or buy another Alexa. It's a little more expensive that way. But it's kind of a centralized home personal assistant. The problem is someone who wrote some code into Alexa that apparently not even Amazon was aware of. There's a little Easter egg in there, and it got caught this last week in Portland, Oregon. Someone said their conversation in their house was recorded.
And the conversation was forwarded to somebody on their contacts list. Nice. Isn't that wonderful? Unbeknownst to them, of course. Unbeknownst. So the person that got the message said, why did you call me and give me this message? Yeah, they're talking about their flooring. You're getting some new flooring in the house. They thought it was a butt dial, right? It kind of sounds like that. I get a lot of those. That's kind of what Alexa. That's kind of what it was. But nobody was on the phone at the time. And it came from, of course, Alexa. This is disturbing. But for two reasons. One, if you can hack Alexa, which you probably can. It's an IoT device. And you can do this. That's disturbing enough. But if someone at Amazon actually wrote a subroutine to forward a recorded conversation to a contact number, that's going too far for a personal assistant. Really? I think you would want to do it. No. Wouldn't I say, Alexa, take a note, send that to Dave. And then say some stuff. Well, you might have a point there. Send that to Dave. I mean, it's a personal assistant. I mean, I might tell my personal assistant, call Dave and tell him this. I'm just saying that. You make a good point. So the functionality maybe was not unreasonable to have in a personal assistant. Take a note, send it to somebody, and then they send it to somebody. Now, what I read was this. Alexa is supposed to ask you, did you say Dave Stevens? Well, confirm the action. Confirm that it asked for this contact. And then, did you want me to send this to Dave Stevens? So what I read was that that lady had a bunch of them in the house, and potentially one of them misunderstood. And said yes. And misunderstood her as saying these things. Now, I don't know if that's just Amazon's, you know, whatever. But that I think is a bigger problem because this stuff's so new. We sort of got a lack of intelligibility there. Right. Apparently there's no, what would you, you would call it like, you know how we deny all.
So like say your location services on your phone, like I leave mine off, mostly to save battery. So then when I want to do something like open table, I got to go turn it on. So to me, restaurants in your area. Yeah. And so Alexa should be off from anything. Right. So that I actually have to go somehow, let it be able to forward messages. The problem is just having her plugged in right now. Right now you can see the little red ring around it and the red mute button. Supposedly it's muted. Right. But it's still listening. So it's still, it's just not responding. It's not going to respond. So the speaker works. It could be recording us right now. Yeah. Just like that paint that wall behind us can hear our sound waves. That speaker can hear those sound waves. So they're, you know, it's an interesting point. I don't think we've ever mentioned on the show that people can use low-powered lasers reflecting on a piece of glass. Sure. And the glass vibrates like an old-time speaker would. Yep. And because of the vibration and making the laser beam vibrate with the glass, you can actually interpret those sounds and hear recording from a laser beam on glass. That's why. From miles away. That's why secure places have double-pane glass. I think from outer space they can do that too. From outer satellites. From satellites they have lasers that can do that. I haven't heard that. I think they can zoom in right on your windshield. And when you're in there singing in your car in traffic, they find out if you can carry a freaking tune or not. I don't know. You've got to sing it flat. Yeah. This is disturbing that it's only been recognized in Alexa. But I think, by the way audience, I'm pointing to Alexa who's down here if you're wondering what I'm pointing to. It just looks like I'm pointing off camera. There's actually an Alexa right there. This is the only device we know of right now. Google Home. Wouldn't they all do that? We don't know yet, do we? No one's been caught. 
Aren't they all like PAs? They're supposed to be. Yeah. No one's been caught doing this. And I'm like, again, I think that functionality is required in a PA. But I do think that there should, I mean it shouldn't be happening if you don't know it does it. Like maybe there's no education. Yeah. And we were even saying, I think on previous episodes, you should presume that everyone's listening. Just like when you have your camera on, you better presume everyone in the world's watching. Yeah. Because potentially, if you're hacked, they are. Yeah. And you should never send new pictures of yourself to someone because they live forever somewhere. Yeah. So you know. You gotta be really confident of what you got. To put that out there. And what you say if you have Alexa in your house. That's true. I mean imagine, it's a cool spy device if you think about it. People weren't thinking in those terms. And for it to forward a message out. I mean if it took that for the world to understand that was possible. I presumed it does it. I just didn't. I don't think I've ever tried to send a message. We think different people. I had one at home. We gave them out to all of our employees. A Google home. Google something. You gave them. You run a security company. I know. You had it for like Christmas. I thought it was cool. I don't know what they did with them. Maybe they all threw them a brick them. I don't know. No. They're all running their whole house. And now everyone's Google. Yeah. It's a little thing. So we had one at home. I mean you know. And the same thing. Like you tell it to play some music. That's the ball we ever do it. I don't know what it does now. Is it convenient? So apparently Alexa you can give her your credit card. And say. No. I don't think I'd advise that. Oh Lord. I wouldn't do that. That's the functionality. Yeah. It goes pretty deep. It's a real PA. With some artificial intelligence. I don't think I'd give it a credit card. I mean it's a lot of boring plans. 
I mean it could forward out your credit card information to somebody. That's not a good idea. You know if you had a human PA. A lot of these mistakes can happen too. Not a new story. I trust him less. You trust him less less. Just do it yourself ladies and gentlemen. Just don't. Yeah when it comes to your money. I mean credit cards. You know like your bank accounts a different animal. So we have Google home. We have Alexa. We have our phones. I always. Cheer you up. to put the little cover on your camera, on the laptop. You can buy the little sliders. I give those out too. Yeah, we give those out and we got to buy some more. We ran out. Everybody loves them, right? I would advise even on your phones, put one of those little sliders on there. Because one of the most popular Android hacks is to get your location by taking pictures over and over and over again and they can find out where you are. And Robbie. Right. Well, for me, they look at the inside of my pocket 90% of the time. Do you have an Android phone? I don't. I wonder why. Yeah. You know, again, the only problem I have with Android phone is that when you need updates, you have to wait for that vendor's build of Android, the operating system. Samsung's got to make one. LG's got to make one. Is that what runs this? Alexa, is that an Android? You know what? I don't know. I think it is, actually. It's Java-based. So it's probably Android. Some Android of their own. It's an Android derivative. So it's an interesting point and I think it's worth sharing with people. I really do. I mean, I just think it's important that they understand that that's not a trusted device. What is? I mean, our TVs can be hacked. What is a trusted, now there's an episode question. What can we actually trust at the device? Because you can't trust your employees because they'll open the email links. You can't even trust your C-suite because they won't take the cybersecurity training seriously and they'll open their email links. 
Yeah, they will every time. You can trust Dave because he's here teaching. You can trust me because I'm here teaching and preaching and learning. But you know what the limitation of trust is? What about the stuff we don't know? The unknowns. The zero-day. The zero-day stuff that always gets through because you've never encountered it before. How do you defend? And so how? We would all probably fall for that one. Now historically, throughout the history of humankind, zero days have been out. I mean, you can go back to the days when cannons appeared in warfare. No one had ever seen those before. And the person that had cannons won all the battles because no one had any defense for cannons until they got their cannons. So you've got to go back in history and find out. This is a repeating event. So we learn from history. If people came out with all kinds of new weapons and won wars, cyber is no different. We're going to keep inventing new weapons. And the people that have the more resources available in the most time and the most money and the most people, they're going to be the ones to create the most tools in the United States, North Korea, Russia, China. Or the most dedicated, like somebody that just sits there and really figures how to hack your Alexa. Yeah. Like me. 12, 14 hours a day and they get paid for it. Yeah. Like you and I, we have to do banking and go speaking and teach. And but these guys can just. We don't have time. We don't have time. They got all the time in the world. So do you think that the manufacturer was remiss in sharing the full capabilities of that device? I know. You're like, Amazon maybe didn't even know this was doing this and you know, this might have been a feature that they didn't tell anybody about. And I agree with you that the feature is functional and useful. But when a user does not know the ramification of the usage of that feature, and it sounds like the confirmations might not have been there. 
I mean, yeah, some didn't have, some didn't work right. There's two big bugs there that I would look at, and the user is a bug. It's a feature. Yeah. The user is a bug. The problem always lies between the chair and the keyboard. Right. That's the keyboard. Yeah. It's always between the chair and the keyboard. That's me, by the way. That's where I'm always, between the chair and the keyboard. The problems are human. And then that's again with Cybertron. So again, humans, humans not sharing, the manufacturer not sharing this information properly. And then the human getting it, trusting it too much or not understanding its capabilities, not asking the questions. I don't know why you have them in all the rooms of your house. I guess, I guess if you're, I guess you have like an automated house and stuff, that'd be cool. I don't know. You need to have an automated house. But we had the same thing with smart TVs just a little while ago. We found out that they can be hacked. Oh, yeah. Yeah. A lot of them are Java-based. Got a microprocessor. And they have a camera and they can listen to your voice commands so they can spy on you. Yep. And they are. And you can have one in every room of the house. You think you're watching a movie. The movie's watching you. The movie's watching you. How's that? Like, Alexa, you think you're talking to Alexa. Alexa's talking to you or talking to all your friends about you, you don't even know. That's ridiculous, right? Yeah. I don't know. What I love is I love the voice interface. I think the voice interface is going to solve a lot of problems for us, you know, as an analytical tool, as a research tool. It'd be interesting if just the ability for just data to capture all the stuff that we've talked about, right? And then categorize it and put it on the list and make sense of it because we oftentimes ramble on about all kinds of stuff. You know, I don't know what all the ground we cover in the show, but it's a lot of words.
You know, I can't recall them all. Can you? We're going to show. But hopefully AI can. Yeah. Whoa. This show. No, I took notes. So, I think there's some power there and I believe that interface, this is a great example of how much work that we still need to do culturally and in the analytics side to play with it, right? Because we've got to figure out how is it, because it's not a human. It doesn't say, Dave, you really want me to send that check, right? It really doesn't pause you and stop you. It doesn't have context. It just acts. And so we've got to probably work on that a little bit because. It'd be nice if it said something like, you already did this, so you're going to send them another payment? Yeah, exactly. It'd be cool. Yeah, like a real person. And you know, in a security world, this is a thing that's coming because we want that minority report idea, right? When we're doing research, trying to research an incident real quickly, find a missing child at the mall or whatever it may be. And so we need voice command. They're looking at that to be a part of our future. And to me, this is a good evidence of, you know, how some of the evolution that still needs to occur before that's going to be resilient enough to be useful. That's been happening in technology from time immemorial. We created cars and they went over 50 miles an hour. We still didn't have seatbelts. Because the users just weren't aware. You don't have seatbelts. No, but I have this chime in my car. It was the annoying chime. Yeah, until they regulated, right? Manufacturers wouldn't do it. They had to regulate that. Well, to get seatbelts. The argument at first was seatbelts caused death because they would trap you in your car at the wrong time. Oh, and you're burning. That was the manufacturer's argument until about Ralph Nader's time when we had some significant seatbelts. Crash dummies. The crash test dummies. They figured it out. That's my family. They figured out that you'd live. 
Only when they get in the car with you. When we come back, we're going to talk about a new hack that you cannot defend against, but there is a way you can get out of it. So it's against your networking devices. So until then, we're going to take a little break, pay a few bills, and be back in a minute. Until then, stay safe. Aloha. My name is Mark Shklav. I am the host of Think Tech Hawaii's Law Across the Sea. Law Across the Sea comes on every other Monday at 11 a.m. Please join us. I like to bring in guests that talk about all types of things that come across the sea to Hawaii, not just law, love, people, ideas, history. Please join us for Law Across the Sea. Aloha. Hello, everyone. I'm DeSoto Brown, the co-host of Human Humane Architecture, which is seen on Think Tech Hawaii every other Tuesday at 4 p.m. And with the show's host, Martin Despang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Human Humane Architecture every other Tuesday at 4 p.m. on Think Tech Hawaii. Welcome back to Cyber Underground. I'm Dave Stevens. I'm here with Andrew, the cyber guy. And we're going to travel this summer. Everybody always travels a little bit this summer. You travel a lot. I'm traveling. And we have a few safety tips to give you from both ends of the spectrum, your security manners and cyber underground. You're always traveling with your smartphone. People forget, your smartphone nowadays is basically a full-fledged computer. It is everything that your computer can do, your phone can do, and sometimes better, actually, which is unfortunate. The apps are getting powerful. Yeah, the processors, and there's a lot more memory, and they're a lot faster. But they communicate with everything, right? So the first thing I tell people, I know Bluetooth is convenient, turn it off. But turn it off if you're not using it.
There's Bluetooth hacks all the time. And people can, well, when Bluetooth first came out, I could stand in line at the airport and actually pair my phone with anybody else. If they had it turned on. If they had it turned on, and there was no security at first. Now at least there's a PIN verification, but there are hacks. There's bluesnarfing and a couple of other Blue attacks. I won't go into them, but that's a problem. So turn off your Bluetooth. Turn off your Wi-Fi? This is a Bluetooth connected device. I turn off my Bluetooth when I'm at places like DEF CON and stuff like that. You have to. You have to. Don't use a public Wi-Fi if you don't have to. Yeah, and keep it off. Don't walk around with it on, because if somebody happens to have something that you, and you shouldn't automatically connect to it anyway, you obviously have that box unchecked. Yeah. But if you're walking around and you've been on the Jimbo network, and somebody just happens to have the Jimbo network, your phone will connect to the thing. Right. Potentially. Potentially. Automatic connection could be a problem too. Some people feel a sense of safety when they install a VPN app on their phone, right? So the unfortunate thing about the VPN app is you wander from place to place, and if you have that automatic setting on, it's dropping your cell connection. It's creating a Wi-Fi on the public Wi-Fi. You go into Starbucks, McDonald's, and you get on your cell connection again. And it's always continuously changing networks, and every time it does, your VPN has to be re-initiated. Sometimes it can't do that fast enough, and if you're doing your banking during that transitional minute, you're wide open. You can be sniffed. You can be sniffed, and that's not that hard to do. We've proven it. At Starbucks, you pop open your laptop, put in a wireless scanner, put it in promiscuous mode, use Wireshark, and then it's the Wild West. People can read your packets, so that's a very legitimate...
There's people paid to do that, so just trust that's real. Yeah, so also... So don't use public Wi-Fi, especially while you travel. Don't fall for the email. You should always use trusted Wi-Fi. Trusted Wi-Fi. Yeah, like your home. Trusted Wi-Fi would be like my home. My employer has a trusted Wi-Fi, so that's a secure one. But that checkbox you were talking about, they automatically connect. Turn that off. Don't ever use that. I always ask, do you want me to connect to this? And if you say no, you'll stay on your cell carrier. Cell carriers aren't perfect, but they're miles ahead in security. And if you are a criminal, boomerangs got your cell phone too, so don't worry about that. Now, there are devices that can fake cell carrier towers, right? Yeah. I always say slingshot. Slingshot. Yeah, on a boomerang. That was the one unfortunate jewel that leaked out. That's what I say. If you are a criminal, don't trust that your cell carrier is your cell carrier. Well, that's a couple of ways to do it. Give advice to criminals as well as the good guys. Well, you're a good guy. Thanks for doing that. In case they didn't know. In case they didn't know. In case they didn't know the whole ecosystem. All the stakeholders. All the stakeholders. All the stakeholders. Support them all, damn it. That's the hacker mentality, right, Decibey? The last thing is don't fall for the phishing scam. So phishing emails are huge, and especially the spear phishing ones. And I use this example. I like when you're traveling. I'm a gamer. People know I'm a gamer. I was in the Sony hack, a couple of them. And my information from my PS4 registration got out. And I was spear phished saying, thank you for buying this game. If you didn't buy this game, click here. And I looked that way. Oh my God, no, I didn't buy this $60 game. You almost clicked it. I almost clicked it. But then I looked, and the only thing that stopped me, I'm telling you, the only thing that stopped me was Halo. It's a Microsoft game.
They're making it for PS4, and I don't have an Xbox. So I went, wait, I want to buy that. That was a pretty good spear phish, but not good enough. Pretty good spear phish. I mean, it looked legit. And it almost got me in there. And those things, your phone's not immune. Those, they call them drive-bys, where you go to a website, and you don't know the code's downloaded to your phone. You can also get a text message with malware embedded in, like, a TIF file, which is a graphics file. It's an image file. And when your computer, your smartphone, renders that image so you can see it, it's actually running the code that's embedded within it. So it's executed. And then once it's on there, people can remotely attack your phone. Android's most susceptible to this, but iPhone is also susceptible. Now the thing that makes iPhone different is they have sandboxing of applications. So if someone hacks into your instant message with an image, they don't have access to your email or your web browser. Just your IM stuff. Just your IM stuff. But if they hack your browser, they can sit there and wait for you to go onto your bank account through a browser. And a lot of people do that because they didn't download their app for their OO. Really? So, and they can. Yeah, those apps are in containers. That's a good thing about that. Now the one, people attack the Wi-Fi, not the Wi-Fi, the browser the most on phones because they want to use that to build up the hits on their website, right? They're having you go visit their websites that they support. And that raises the ratings and of course makes them money. Every click means a couple of cents. I didn't even know that's just a remote money maker. Nefarious. And I know they're trying to put some mining malware and stuff on phones too now. Oh, to mine Bitcoin, because you have a processor, and if you do a broad spectrum of all these processors all working in concert, then you can actually mine Bitcoin. Yeah.
So if your phone starts running out of power, it may be doing something. But we're talking about specifically when you're traveling. When you travel. You're super vulnerable when you're traveling. So if you can, our friends Rodney, some of these guys, they all carry a burner phone. They don't even write. So when they travel, they use an old, non-smart phone. Yeah, when I used to go to Japan, Hong Kong, and mainland China, I had an old flip phone, a Nokia flip phone. And I'm telling you, it was from the 90s. But it worked great. And they're hard to get now. They're really hard to get. And people like them. And it only does that one CDMA frequency in that country. And you can only be on their network. And you can't get hacked. And it phones or texts. That's it. That's it. That's all it does. So it's a good way to do it. When you're traveling. It's a little bit more expensive for the calling because you can't use your plan, right? But it's better than risking you. So if you're not a confident user, or if you're a, what is it like when you're just not responsible? If you're not a responsible user of your phone, or if you don't know what he's been telling you for the last five minutes, it don't make sense. And you understand it. Leave your phone home. You probably shouldn't take it when you travel. No. Yeah. Leave it home. And definitely stay off networks. And definitely don't go to your bank account. Just don't do any of that stuff when you're traveling, right? Just use it to call people if you have an emergency. Otherwise, you're on vacation, for God's sakes. Put your phone down. People think they're safe when they plug into the Ethernet port in the hotel room. Oh, Lord. No. And it's the same thing. It's not trusted. If you do that and you're doing, like if you, you have to do something on your, like your bank website. And you're plugged into the Ethernet port. At least make sure you have HTTPS. Yeah. But I mean, you should have a VPN for that. Very, very least.
And then a VPN would actually be better than that. There's services you can buy. It starts from $1.50 a month and goes on up. But again, some, you think you're doing well. But Australia, the government did a study of the VPN services offered in that country. 18% of them did not encrypt the web traffic. Ah. Wow. I don't know. So the Australian officials could read it. They have a back door. Yeah. I don't know. Okay. Let's talk about this. VPNFilter. VPNFilter. This is another attack. Nasty little tool. From what I've read. It's probably state sponsored. I saw US-CERT put this out, huh? US-CERT and InfraGard both put out. This is VPNFilter. It affects the following systems. I'm going to read them now. Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP NAS devices, network-attached storage. And routers. And routers. So you've got to be careful of this. Now, apparently it's a three-stage attack, but the first one is what we're going to talk about today because it's the one you can use to get rid of it. The first one is persistent; even if you reboot the device, it stays in the main memory. So the only way to clear this thing out is to reset your device to the factory default. Now, in the back of most of these consumer systems, they have a little paperclip hole in the back. You stick a paperclip in, hold that out for 30 seconds with the power on. And then you power it off for 30 seconds and power it back on. What you've done is you reset the firmware to factory defaults. Then when you pull the plug, you let the capacitors drain out so the energy is all gone and the memory, the fresh memory, clears. So your volatile memory is clear. Then you plug it back in and then you have to reset all your settings. No, first go download the most recent firmware for the most. Then reset all your settings. We should mention that. If you know how to do firmware... Update. Go do it.
Now, most modern Wi-Fi routers have a web interface that you can log in to locally from your little home network, and they have a little button, Update Firmware. Yes. So if you're going to do that, I will tell you this much, because I have multiple people on my network, and if I click that Update button and my wife's on her VPN, I'm going to hear about it. Go around and ask people. Do it when everybody's on. You're selling the real world. You kick everyone off the network first, especially because you're going to reset the router, which is going to be defaulted, which is a problem. So there's a process involved here. So if you're home, if this is your home device, which is kind of, these are basically consumer-grade type of devices available at Best Buy. You probably have one or two or some of these. I don't know what all you guys are doing at home, but blow it away. Yeah, blow it away. Reset. Get the latest firmware. Close all the ports. Go back, read the manual, understand what it does if you never did the first time. Get it right. And there's other tricks to use. I mean, you should always have MAC whitelisting. So get the MAC address of all your devices. Put the MAC addresses on there. Definitely use MAC filtering. Turn off the external ports so you can't get to it from the outside. You're never going to need to remote into your router. You're not a big administrator at your house. Get your home. What's the default that Linksys has? Remote management through WAN? Yeah, disable all that stuff. You don't need anything ever from outside coming in. Set up a DMZ, put the garbage on the DMZ, your TVs and all that crap. Don't put that on the network with your banking and your workstation. Most routers have a guest network. You can put all your TVs and all that. You can put that on your guest network and then have computers. Your safe stuff should be on your primary network. Right. You don't have to let your guests on that.
Use the guest network because they bring in garbage into your house. That's right. Unless it's Dave. Now let me go through the list one more time before we're out of here. Linksys, MikroTik, Netgear, TP-Link and QNAP. Now these are only the ones that we've discovered so far. Cisco says there's none of their devices affected. Don't know. But Linksys is actually a Cisco consumer grade product. Yeah. I know Asus is not on the list, but it might come up. Now there's some sophisticated products out there, but it might come up in the future. Yeah, this thing may be still hunting for victims. So we don't know. Actually, this is an extension from March. The first notifications of this came out in March. It was state sponsored in March and it's been going on. Now it's heavily researched as a three-stage attack. I hear Ukraine is really vulnerable. Ukraine has been covered. I haven't seen machines just crushed. We're not to that stage yet, thankfully. Okay, you want to wrap it up with a Security Matters plug? Security Matters, every Friday, 10 a.m. We're talking physical security because security matters. All right. All right, everybody. Thanks for joining us. We'll see you next week. Until then, stay safe.