EP15: Unstoppable Car Hack (almost)


Attila:
Appreciate it. Stay safe. There goes my tongue. It just got untied.

Matt:
That's why we got to stop.
You're listening to the Cyber Secured Podcast. Helping you become safer in every way. Now your hosts, Matt and Attila.
Attila:
Well, welcome to the Cyber Security Podcast, Hawaii's number one cybersecurity podcast. Now, number one could be a little deceptive because I think we are the only cybersecurity podcast in Hawaii, but that still means that we are number one.

Matt:
So it's a technicality.

Attila:
We're going to hold on to that number for now. But anyways, I'm Attila.

Matt:
I'm Matt.

Attila:
And it's been a while since we've done another episode, mostly because everyone is getting hacked and we keep getting, I don't know, dragged into it.

Matt:
We're just busy.

Attila:
Busy guys.

Matt:
Yeah. So the last time we chatted and we had an episode that we recorded, we had just come back from DEF CON and kind of did a summary of all the things that we saw there. And, you know, life was already scary and it just got scarier in the cyber world, just seeing what we saw. We know the stuff when we see it every day, but it's just different when you see it hands on.
Attila:
Yeah, people doing live hacks of critical infrastructure and things that you thought were safe are no longer safe. And I recommend you guys go back and listen to those episodes. They are pretty interesting. I think the big takeaway that we both got from DEF CON is that everything can be hacked with enough time, effort, energy, and resources. So have a good plan, have a good resilience plan.
Matt:
One of the things that I knew existed at DEF CON in one of the villages, and actually came up when we were just talking about it off the mic, is auto hacking. Because you can get into cars. We'll get into it in a little bit. I was discussing this with Dylan. He didn't know much about it. But I definitely want to bring it up because it's a really, really interesting and kind of scary thing that's happening in Australia, I'm sure.
Attila:
Well, I mean, now that you've teased it, now we have to get
Matt:
Well, I wanted to recap first because what happened since our last podcast?
Attila:
Well, there's been some major companies that got compromised, ransomware. We've had to rebuild an entire network. Yeah, it was more than just our client, right? Yeah, yeah. There's been several companies we've had to help out with that. So we'll go into the anatomy of how these things happened in the real world. And how we were able to get things up and running. Some lessons learned along the way that maybe you as a listener can benefit from when you do your own incident response. But before we get into that, let's talk about the news, the exciting thing.
Australia.
Attila:
What happens down on
Matt:
Yeah, it was a random thing I saw on... YouTube and of course I get advertised all these videos on YouTube regarding cyber stuff just because it's what I'm interested in and so the algorithm feeds me. This one was kind of interesting. I didn't think too much of it just from the title but I decided to watch it and it was kind of mind-blowing because what they outlined is this new scheme that these thieves, that's the only way to describe it, these thieves are doing where they're stealing cars out of people's driveways.
Attila:
And what kind of cars? Because we did a few episodes a while back about the Kia Boys.
Matt:
Yeah. So it's not particular. The particular hack, the mechanism that they're using is not particular to any kind of vehicle except for maybe one.
Attila:
So Toyota's, Nissan's, American cars.
Matt:
Range Rover, BMW, Mercedes, Porsche, you name it.
Attila:
What do all these cars have in common?
Matt:
Yeah. Anybody that works, I'm going to butcher this a little bit because I don't know the super, super fine grain details of it. Just doing a real high level. But most vehicles operate with a thing called a cluster, an immobilizer, and a CAN bus system.
Attila:
So what's the cluster? That's like the instrument cluster?

Matt:
Yeah. So the instrument cluster that sits behind your steering wheel, and that system interfaces with the computer system. I think that's also called the ECU or ECM. It feeds you information about your driving speed and your temperatures and all kinds of other stuff. All of those things, all of those electronics, I mean, our cars now essentially are computers driving around that control everything. And the channel that those systems communicate on is called the CAN bus system. CAN bus. Yeah. And I looked it up. I don't know the exact date, but I think it was invented or created as a standard in the early 90s. I think it was 1991. The system was a boon for the auto industry because everyone was able to standardize how things talk to each other. Really cool idea, and it was at the beginning, the forefront of computerization. Like everything else that was created around that time, there was no thought of security involved.
Attila:
Well, it's the 90s. The biggest security, well, what do we have at that time? It was more like kinetic security.
Matt:
Yeah, it was all physical and the world did not operate in a digital landscape. So if you wanted to break into a bank, you really had to do it at the front door or digging under the bank or something.
Attila:
'Cause you'd find a vulnerability in a fax machine or something.
Matt:
Yeah, yeah. So this system has been around since then and I don't think it's really had too many iterations, too many changes. Industries like the auto industry rely on old legacy systems and they don't really change too much just because they've got to keep moving, right?
Attila:
Well, it's also safety, right? I mean, when you're talking about lives, why would you change something that already works? It's a closed system, right? That's the thought process, right?

Matt:
Yeah. Yeah, let's get back to the exciting thing. What these guys are doing is they're just walking up into people's driveways. They're identifying, you know, really expensive cars or cars that they can sell for a good amount for the parts, like, you know, Land Rover or Jeep or Toyota. And what I saw in the news article is they're drilling into the side of the vehicle and then they tap into a wire. They connect to it and they've got a little device that they connect to those wires. And that device taps into the CAN bus system. And they push a couple of buttons. The buttons are programmed to bypass the immobilizer, which is the system that detects whether the key that you have is valid or not. In the cases of these newer vehicles, they're all push-button start, right? So they don't even need a key.
Attila:
As long as they're within proximity. But it's bypassing all that.
Matt:
It's bypassing all that anyways. And then, so here's the craziest, smartest thing. You see in the security footage in this person's driveway, I think it was like the governor of this or the mayor of the city. The thieves aren't even worried. They're looking right into the security cameras, almost like they're waving to the camera. And what they do is they release the emergency brake. They have the vehicle slowly go down the driveway into the street. And once it's in the street, because it's far enough away from the house, they start the vehicle and they drive off.
Attila:
Oh, I see, so as to not alert the owners, right?
Matt:
Yeah, and so in the interview, the mayor is being interviewed. He talks about how he just got up that morning and walked out and realized his car was no longer there. There's other videos I've seen on YouTube where guys... It takes like 60 seconds. They walk up to a car on the street. They can either access the CAN bus system through the headlights or just drilling the hole like I saw in the news article. And they get in the CAN bus system, use their device, press a couple of buttons, and they drive off.
Attila:
So I'm sure we have a single point of failure, CAN bus. CAN bus is what everything goes through. All the security, all the... The engine start.

Matt:
All the communications, everything.

Attila:
All the communications go to this CAN bus. And all you need to do is get to the CAN bus from any wire in the car.

Matt:
Yep.

Attila:
Wow. All right. And this is just happening in Australia or is this worldwide?
Matt:
I'm pretty sure it's worldwide, but it was being discussed in the news there because they hit the mayor of a town.
Attila:
I bet Kia is breathing a huge sigh of relief on this one because for the longest time, they were the targets. Right, the Kia Boys. Yeah, the Kia Boys are like, oh yeah, you can steal any Kia from the headlights. But now it's any car.
Matt:
Yeah. Well, any car except for
Matt:
don't have CAN bus, which includes Teslas.
Attila:
Oh, Teslas. So all electric cars?
Matt:
I don't know if all electric cars. From what my research showed, it looked like Tesla may be the only one, but it'd be interesting to look up Lucid.
Attila:
I was thinking more of the other Kia electric cars or the Nissans.
Matt:
So I think that's a major difference between Tesla and other auto manufacturers with EVs. I think their EVs, like Toyota and Kia and Hyundai, I think they still rely on the CAN bus system. Oh, I see. Because they adapted a gas-powered car with an electric motor. That's all there is to it. I mean, it's a really simple path of least resistance. Just build on the platform they already know. But Tesla built their system from the ground up. So Tesla's jumping up and down for joy. Yeah, because you don't have to worry about that. Yeah, so this was a really interesting one. And it highlights something that is not unique to cars. The computer industry, I think about 15 years ago, was going through this sort of issue where a lot of communications were all happening in the clear. And what we mean by in the clear is, if you're looking at packets of information on the network or between devices, you can just see the text, the straight, you know, password for something and the username. It's all human readable. Whereas now updated mechanisms for communication involve encryption. So when you see that data transfer through a network for authenticating to a server, going to a website, getting on your bank account, it's all gibberish because it's encrypted, end-to-end encryption.
Attila:
For now.
Matt:
Well, yeah, I mean, until-
Attila:
Until Quantum kicks in.
Matt:
Kicks in, yeah. But yeah, this was a crazy one. I posted it on our Slack channel, and it was just mind-blowing to me. I had known about the CAN bus system for a while because I did some work on an old vehicle I wanted to put a new cluster in. I had no idea that it communicated in the clear, and that it was so easy to manipulate with a device like a Raspberry Pi. I don't know if that's what they're using, but they're using something similar.
Attila:
Well, to be fair, I mean, there's consumer demand. That's the reason all these computers exist. I mean, if you kind of rewind, you know, back 30 years, that's when the computers started kicking in because it was all about fuel economy, how do we get better instrumentation, right? How do we better troubleshoot vehicles from a mechanic standpoint so we can actually detect faults? Right, right.

Matt:
And that's exactly what that system is for. You plug into the OBD port, and the CAN bus system will tell you all the different faults in the vehicle and what you need to fix or replace.

Attila:
So then we get back to maybe the irony that the original 1960s cars, prior to computers, would probably be a safer bet, an old truck from 50 years ago. Right. But they may not have been so interested in fuel economy and that kind of stuff at the time.
Matt:
Yeah, it's a trade-off. And that's what happens when you try to build convenience into how you operate with things: there's going to be some possible security trade-offs. And you have to kind of have a larger view of how you interact with things, because sometimes when you make something convenient, it also means bad guys can get in easily.
Attila:
You know, there's a movie we saw recently, Morgan Freeman, where he's like the head of some crime syndicate. It's kind of cheesy. Okay. And the premise is that a solar flare came and fried everyone's electronics. Okay. And I think the only cars that were able to function were very old cars. Very old, yeah. That didn't have computers in them. Right. So yeah, I guess as a view of a dystopian future, it's either solar flares or cyber criminals that are going to take us out. So yeah. Or AI. Yeah, AI is a huge conversation. Matt and I kind of talk about this pretty regularly, about the direction that AI is going. Because like everyone who's a professional, we use AI. There's no secret behind that. This voice is not an AI voice. Matt's voice is not an AI voice, but... We can. If we wanted to, yeah. We can. It can be done. And it can help leapfrog and accelerate something that you already know how to do. If you can already write well, it'll allow you to write better. But you have to be able to write well.
Matt:
Yeah. It's definitely gotten to a point where AI writing is pretty good, just in the last few months. And even since we had our last episode, AI has improved dramatically. It's scary how quickly it's moving.
Attila:
We're talking about AGI, and that's generalized intelligence. It's supposed to come within two years. It's supposed to solve all of humankind's problems, climate change, whatever it is. But on one different podcast I was listening to, they were talking about AI, and they said, you know, this is starting to sound familiar. Sam Altman goes up there and says, AI will solve all of our problems, just give me money. Sounds a little familiar. This sounds a lot like religion or a snake oil salesman or any other kind of person who comes up and makes a promise in exchange for money. Like, oh, here's your blessed handkerchief. Here's your new GPT-6, right? That'll solve all your problems. So it's hard to say, but I know we got a little off topic with this one, but AI is certainly making our lives both more difficult and easier. And I guess from a cyber crime perspective, AI has made security awareness training for employees, right? The ability to identify malicious email is a whole lot harder.
Matt:
I've seen stuff come across my desk that I couldn't tell. I wasn't sure if it was legitimate or not. And then it turned out the email was legitimate, even though it looked suspicious. But yeah, we're seeing more and more breaches into people's email accounts, and phishing from their accounts going out to people that they're connected to, or even people that are not.

Attila:
Well, the one that we're working on in the next room right now, like literally as we're recording this, that business email compromise, I mean, those emails looked legit. Yeah, very well, highly intelligently crafted.
Matt:
I wasn't around for our client that we did the remediation for when they first came to us. Was that through an email compromise? Is that how they got in?
Attila:
That one was not. But I mean, that's a ransomware scenario.
Matt:
Yeah, but I know that can happen.
I know having your email compromised can lead to remote access into a network and being able to get to the systems, the domain controller, and then
Attila:
Yeah, it's the traversal, right? So it's the network traversal that, you know, let's just talk about attack vectors in the first place. So this big project that we've been working on, the attack vector was not email, right? Okay. But most of the ones we, I mean, the ones we've seen just in the past month, I mean, we probably get, I don't know, maybe a dozen a week. Like there's a lot of them. And most of them are email. Yep. And they're well-crafted and they leapfrog, right? So, for example, we'll talk about this one from the law office, right? So we have a client, they use an attorney. A lot of businesses use attorneys, we use attorneys, everyone uses attorneys. There's just no way around it. The world is legal. And the attorney's email was compromised and he didn't know it. And it stayed compromised for who knows how long, months, and the bad guys just sit there and watch. They say, oh, what's going on here? And an email comes in from this well-known, trusted client. And so they start to see that there's communication going back and forth, the bad guys. They keep watching. They finally say, look, this is a perfect time to strike. There's an opportunity here to collect on an invoice. So they reach out to the client in a well-crafted way, using an AI that's been trained on the language, rhythm, cadence, expressions, and terminology used by this attorney over time, so that when an email does come from the bad guy that's kind of nudged in between regular communications, it doesn't stand out at all. And it's only after they trick the recipient into sending funds elsewhere that some time goes by, and it's too much time to do anything really with your bank. And the money disappears. The smallest amount of money I've seen personally, just firsthand, is roughly 15,000. The most we've seen is about 830,000. Big range. But most companies can absorb a $15,000, $20,000 hit. Fewer companies can absorb the $800,000.
And we're seeing, using AI, companies that are being hit with, what was it, $250 million, I think was the one from earlier this year. Yeah, it took them a year to, you know, train the AI engines on the appropriate members of the board, and then create a fake Zoom call and get the recipient to actually go through the process of wiring that money out. But that money disappeared. So we're talking hundreds of millions of dollars. AI is no small threat. Now on our side, as network defenders, we're also using AI to do a better job.
Matt:
Yeah, it helps us speed up our analysis of networks, of vulnerabilities, of just where a client sits in their security health.

Attila:
And better advice. I mean, we can say, look, you need to patch this thing up. We can tell you how, or we can have AI maybe go out and research your individual specific hardware devices and tell you exactly how to patch those things individually.
Matt:
Yeah, and it's already identified vulnerabilities and things that I was assessing that I actually wasn't even aware of or even understood. It saw things that were considered critical, and I had to go and research and be like, oh, that's a thing, I had no clue.
Attila:
Yeah. And I think that's a great lesson for anyone who wants to get into cyber. If someone calls themselves an expert, that means they probably think that they know everything there is to know about every vulnerability there is. And run is all I can say. There is always something new to learn. But having some good foundations is a good place to start. A lot of candidates try to come work for us. So we talk to a lot of people. I talk to a lot of people. And where things start to fall apart in our conversations is when there's a clear lack of understanding of the foundations. Yeah, fundamentals. Yeah. How can you understand DNS poisoning if you don't understand how DNS works? How can you understand someone going through your network if you don't understand what a VLAN is? Just basic, basic stuff. What is a port forward? Let's just talk real fast, for anyone who's listening to this podcast and is applying. IP filter, port forward. What is that? What is that? Why is it good to use a VPN? Why is it bad to use a VPN? Under what circumstances would you use a VPN at all? These are basic, basic things.
Matt:
You've got to understand that stuff. Then the fundamentals can help outline and inform your understanding of the vulnerabilities that pop up. Like today, I was reading about a major vulnerability with React. I don't know if you guys know what React is, but a lot of the infrastructure of the internet's web pages is built on this fundamental system that Facebook created years ago. They released it to open source, and it's so powerful and so useful that many websites and companies like Walmart use it. Walmart's website is designed in React. I don't know how it works. I don't use it. Personally, I have designed things using React with AI. It is really cool what it can do. This vulnerability that came out is a level 10 critical CVE vulnerability. Now, I don't see those very often. No. No, that's bad. No, it's really bad. That allows for RCE. And RCE means remote code execution. Remote code. So when you interact with a website, when you interact with your phone, when you interact with anything that's a computer, there is a back end that has what we call a command line, where you can enter individual commands. Websites will primarily, a lot of times, run on Linux computers in various kinds of environments, sometimes using Docker, hypervisors. All that stuff, for the most part, is protected. The people that design the software for WordPress or whatever platform you're using, Squarespace or Wix, whatever, they don't want anybody to have access to the command line of the system that's hosting that website. That's just devastating. And in the past, when websites or database systems forms were not very easily secured, you could actually do some stuff to be able to get to that command line, and then you could wreak havoc on the server, or just have all kinds

Attila:
of... Yeah, rm -f. See what happens.

Matt:
Yeah, so this vulnerability allows for remote code execution, rm -f. rm -f is remove, basically folders, remove everything. And that's bad. That's really bad. But it goes further than just rm -f. Bad guys that know what they're doing will get into a server and then they'll start pulling out credit card data and user information. And then it turns into a big dump on the internet, and we're probably going to see that. However, luckily, the silver lining with this vulnerability that I saw this morning is that this was discovered by a security researcher. It wasn't something that, at least from the article I read, has been seen in the wild.
Attila:
Yeah, you know, these CVEs, when they get to level 10, I suspect that they've already notified Facebook of this, and Facebook released some sort of fix, right? Yeah.

Matt:
That's what this article is about. It's an awareness to let folks like us that are possibly handling clients with sites that are written with React get them to run these patches. And that's what we're paid for. People that design websites or design web apps, they're not always security oriented. And in fact, I listened to a podcast recently where they were talking to a security... I think she's actually the head of security now for a particular organization. But she used to be a programmer. So she can identify very quickly and easily, when she sees logs that show a possible penetration, that they're writing stuff in code to be able to try and get into a server.
Attila:
Well, that's what AI was originally designed for. Deal with all these frigging logs, right? Because they're anonymous. Right. Look for anonymous activity in this log. Here you go. Yeah. 50 gigs. Knock yourself out. Yeah. Any human would just tear their hair out trying to figure it out.

Matt:
Oh yeah, it's insane trying to look through all the logs and identify things, because it's not human readable. It's for the computer. So, yeah, the space for cybersecurity, and where we exist, it's primarily for this function: to help, you know, augment the people that are creating the apps and creating the environments where people can work and money is made. You know, we're here to inform and keep people safe.
Attila:
Hopefully. But those are definitely some new hacks and, you know, we see these things so often, and most vulnerabilities, most CVEs, are difficult for most people to understand. So like, you know, for example, oh, it's Atlassian, you know, a compromise is available, or this Oracle one. It doesn't touch most people. But I think things like this really do: the ability for their vehicle to be stolen from their driveway by anyone with probably $20 worth of equipment, or for your information to be stolen from Walmart's website. Another CB10 that I saw recently was in the air traffic control system and the weather system. No kidding. Yeah, it's like CV10, we have no fix. It's a live system that needs to operate 24-7. It provides weather data to the planes in the air. That's so scary. All they recommended was, hey, look, segment this from the rest of your network because we can't stop them. That's how serious and critical it is. And many of the things that we, the deeper you get, the more you realize that our entire society is kind of held together by a lot of trust. And, you know, we can only hope that if these bad guys are inside of a critical system where human life could be affected, they don't pull the trigger. Right. Please don't shut off our water, guys, if you are listening. But we are out of time for this episode. We're going to have to save this anatomy of the hack for the next one. So we're going to do at least this one. We went over some current vulnerabilities that people might be interested in. And so I'm glad we at least got some time to go through that. So stay tuned for the next episode.

Matt:
Thank you for listening, guys.

Attila:
Appreciate it. Stay safe. There goes my tongue. It just got untied.

Matt:
That's why we got to stop.

I'm Matt.
Attila:
I'm Attila. Stay safe out there. Have a good one, guys.
This episode was brought to you by Cypac. To learn more about keeping your business safe from threat, crime and disaster, visit Cypac.com.