We've got a great one for you all today. With the recent hack of the Colonial Pipeline, we figured we'd pull this one out of the archives to go over cyber terrorism and cyber security a little bit more.
This podcast was recorded right before March of 2020 and it's amazing how much our expert predicted and how many cyber security threats there are in the world we live in today.
Hey guys. This is Joe. It has been a while since we've been together, but I wanted to say just when 2021 came around, and we thought craziness was behind us, this week lit me up with the images of people filling laundry baskets full of gasoline due to cyber terrorism. If you can imagine trying to carry gasoline in a grocery store bag, because it's the only way to try to get your car to move again. Man, just when stuff was getting back, sort of the normal, this happens. I could not help, but pull out of the archives, a recording that we did in January of 2020. Right before everything shifted directly off the rails, we had a chance to sit down with a cyber terrorism expert, an asset to the intelligence agencies who is going to eerily predict exactly what happened.
And even at the end of the interview that we did then going to say, "Hey, 2020 is going to be a rip-roaring adventure." And never were more spot-on words of what we saw happen through the pandemic and now through what we have with the recent cyber terrorism attacks during that time when we've all been idle. Listen to this. You're going to love this.
Joe: Hey guys, it's Joe Borowski here. Today we're taping with a gentleman who you may have heard on the podcast before. He's someone who, if you don't know him, there's probably a reason for that. He tries to make sure that his identity is protected, and that's why we're here today and some of the work that he does, it's imperative. So for his safety and for our safety too, really, when you think about it. But what we're going to do today is talk all about cyber terrorism. So we've come to this offsite location where we've got complete control of the situation. Lighting and sound and all that. The sound seems a little bit off if you're listening to this on a podcast. It's because we are in a sub-basement of basically our little own black site here where we're off the grid out of the way. So you may hear the clicking and banging of the pipes in the background but stick with us. We just wanted to make sure that we could talk as freely as we wanted about cyber terrorism without giving away any of his information. But we'll go and start our conversation here with a friend of mine who we'll just call Andy today. So, Andy, how are you?
Andy: I'm good. How are you?
Joe: I'm good. Thank you for doing this again. If people didn't hear the last podcast, it was pretty awesome as one that I have gone back and listened to, and I think this really builds on it, which people are afraid or people are not afraid, and they should be in my opinion of some scary that's going on right now. That's where I thought it's good time to bring it in. We were sharing an article around the top hacks of 2019 top hacks, but the most creative ways that hackers are doing things today. I thought we talked about that, but maybe before that, what's happening in the world today, that current event wise are things that we probably should talk about first.
Andy: So we've got the big three recently, starting off the year. We've got the Iranian issues and then the cyber attacks that come from that or the plan perceived cyber attacks that come from that, we've got the FBI Apple cell phone password cracking thing that's going on right now, and then the third thing is yesterday... We've got the NSA told Windows that they need to release a patch for a big crypto malware thing they had going on and why the NSA does that. There's only three reasons the NSA does things like that. One is because they're tired of using it. Two, they caught someone else using it inside 549, and the third thing would be somebody else was using it outside of that and they just wanted to patch all the government computers.
Joe: So tell me about, for the people who aren't super into this stuff, how often does the NSA reach out to a private company and go fix these pop-ups of cyber terrorism?
Andy: Not often, that's why it's such a big deal. Normally they don't do this, and they don't do it as publicly as they did.
Joe: Okay. So that's a sign, especially around these Windows machines there, and we're watching Microsoft prices continue to plummet. I don't know that it's necessarily correlated to this, or just the way that Macs have taken off, but there are definitely some vulnerabilities there. The vulnerabilities are still there for the Macs too. Don't assume you have a Mac and you're safe from cyber terrorism, but in this particular instance, it was interesting to me to see that pop up in my newsfeed where the NSA is like, "Nah, you got to fix some stuff." And you're right. They're either tired of babysitting that particular vulnerability or there's something else too.
Andy: Yeah. Exactly, and I mean, I don't know if they're saying it in the news, but the DOD and most of the government had this patch two or three weeks ago. So the NSA did a slow walk the dog on this one, but at the end of the day, this is not something they give out freely or often. So there's a cool backstory to it. Some might say it has something to do with cyber terrorism from Iran. I don't know. That's a guess on my part.
Joe: All right. We were talking a little bit about the iPhones, right? And being able to get some encrypted information off of those. We'll talk about creative cyber terrorism, about FaceTime and listening in and things like that. But as far as you were mentioning San Bernardino and Apple's like, "No, we're not going to give you the information." So if I have an iPhone, am I safe with Apple or not?
Andy: So essentially what's going on right now, as I understand it is the Pensacola Naval Air Station shooting. The shooter was a Saudi Arabian pilot candidate or pilot cadet or something. So they're trying to get into his iPhone. Here's what Apple gave to the feds. They said, "You can have everything in the cloud. You can have all the metadata that we have." However, they won't give access to things that are on the phone, and to do that, then they have to break the password and Apple said, "We're not going to give you the way to brute force the password or to break the back door open. We'll give you everything else and we'll give it to you freely. However, the stuff that's on the phone, not on the cloud, not the metadata that we can track, that's just on the phone and it is what it is."
Joe: Yeah. You're on your own.
Andy: You're on your own with cyber security. The government's gone to other companies in the past to combat cyber terrorism like the Israeli security firms for the San Bernardino shooter and they brute force that. There are ways to do it. It's very intricate, difficult to do. I've heard different ways to do it and I think part of it is you have to submerge one of the chips in some chemical. I don't know. It's very intricate. I have no idea how it works. I'm not even going to try to make that up, but yeah.
Joe: Right. So for someone who is a private citizen and is worried about the government interfering with their cyber security, is an iPhone a good vehicle to be able to keep your information private?
Andy: Yes, iPhone is the most secure out of all the major phone companies out there. Android's very customizable, not the most secure because the Google Play Store doesn't have the same security measures that the Apple store does. I know a lot of people say, "Always go with Apple, always go with an iPhone." Because things like this, they'll keep your information secure from cyber terrorism. Also, don't use Face ID, use a pin because I think the general rule of thumb is they need you alive to put a pin in the phone. They don't need you alive to use your facial ID. And that's a guess, I don't know, but that's the going assumption. I can guarantee they need me alive to get a six-digit pin out of me.
Joe: And we'll talk about fingerprint identification briefly later. That was the iPhone 8. Used your thumbprint piece of it. You can definitely just take foam and you can get into that thing, right? I mean, that's not a problem. At least facial recognition, there's something to do with the retina. I don't understand a lot. Way over my head. But I know you have to have your eyes open, at least whether you're dead or alive. I don't know if that works, but that was the big thing people were talking about. I'm going to check my boyfriend's iPhone while he's sleeping. And it doesn't work like that. That's the phone [crosstalk 00:08:21].
Andy: Yeah. So that if you're cheating your girl can't go through your texts. That's great. I mean, maybe if somebody holds your eyes open, I don't know. We have to test this. Someone has to test this for the sake of cyber security. Not me.
Joe: All right. I've got some interns coming in that we'll work with and see how we can get these things open. No. But so iPhone was the other one. You had a third one you said that was cyber terrorism from Iran.
Andy: So the Iranian missile, all that political stuff, take it back a notch. The planned response from Homeland security and Cisco was they expect that Iranian cyber terrorism will drastically spike. And then they were saying that they were going to go through a different Shamoon and different techniques that they normally use. So if you follow the MITRE ATT&CK framework which is just Google MITRE ATT&CK framework, it's how you figure out all the national state cyber security risks. They have TTPs for all of them in there. It's a great database, like Wikipedia for bad guy TTPs. Most people use it. It's great, but they figured that they would track Iranian cyber security threats through that and that's how they would deal with it.
Andy: However, in December, what you saw was there were different cyber terrorism organizations from Russia that were going backdooring through Iranian IPs. Apparently, the reports say it was unknown to the Iranians. I mean, give or take on that one that's the dealer's choice, but they were going through the Iranian IPs and attacking American IPs. So if you're planning on defending against cyber terrorism from Iran, you also probably need to plan on defending against cyber terrorism from Russia if those IPs are pinging your servers or whatnot.
Joe: In this particular case, and I'm not that savvy on it, but the way that the bad actors that are Iranian act and programming act is going to be different than the way that a Russian might do that. Just a different mind frame or code set, or...
Andy: Yeah. Just conventionally different malware, different things. Just because there have been things that have been attributed to cyber terrorism from Iran for so long from forensic investigators that again if you go to the MITRE ATT&CK framework, they have lists of stuff that the Iranians use to break cyber security. So you can defend against that. You can put signatures in there and you can be like, "All right. If I detect this, then I know to do this." But then if you're not up to that and you're not prepared for the Russian alternatives to that, then you might be caught unaware.
Joe: Absolutely. You've got a Russian cyber security hack coming through, an Iranian machine or address that is going to throw you for a loop because you didn't necessarily plan on that. And if I'm Russia I would rather... I mean, you're going to pin it on the most obvious target right now which is everybody's looking at cyber terrorism from Iran. So I have seen some stuff about Iran and hacking into the power grids and trying some attempts on that. Should we be concerned about things like cyber terrorism against nuclear reactors, them taking one over, or things like a power grid or things like water supplies or systems?
Andy: I think that's the new thing. So SCADA and all the industrial controls, that's the new front in cyber security, as far as the Homeland security and the DOD and all the big government organizations go because there's just not enough people with that skill set to cover down on all of the infrastructures we have in the country. There are not enough people doing it. And it's the next big opening that someone can take advantage of.
Joe: Sure. As the internet of things becomes more popular, and we start to connect our daily lives to the internet, so will cyber terrorism. It's got to open us up for more vulnerabilities there too, I would assume. Almost everybody's houses are being controlled the way that a hospital was controlled 20 years ago, the way that a military base was controlled 30 years ago. As it all becomes interconnected, I am not the guy that's going to set the best fence around my particular situation. So I'm creating cyber security vulnerabilities for myself, which I assume creates cyber security vulnerabilities back into the main hub again. The more tentacles you have out there, the more entry paths you have, right?
Andy: Oh yeah. Definitely. You've seen the nanny cam video of some guy getting into the nanny cam and talking to the kids like he's a demon.
Joe: That's crazy.
Andy: And some little girl playroom... It came out a couple of months ago, but it was, it was scary for parents to see that.
Joe: Yeah. Absolutely. Yeah. Anytime somebody can get in. I think that's a good segue into the 2019 cyber security hacks and I'll tee it up with a snooping around one. We've got a 14-year-old Fortnite player Grant Thompson who ends up winning the hacking award here for the best client-side bug to find the pony here. Tell me what you know about this. He's FaceTiming his friends playing Fortnite.
Andy: Yes. It was actually a pretty simple thing to do because it was the FaceTime group chat. And when the FaceTime group chat came out, I was using it, other people were using it because it was a great way to have conference calls on your phone where you didn't need a Google Hangout or another app, like a Skype app or something like that. I think a lot of people found a flaw but just didn't know what they found. You would have a three-way call, somebody's call would drop, but then you'd still hear them or see like a gray screen for their cameras on them, but you could still hear what they were doing and they were still on the call. And then you'd have to drop a whole call and text them and be like, "Hey."
Joe: So to the average person, I mean, they eventually fixed it. I always thought...
Andy: They still never brought it back live. They still never brought the FaceTime group chat back live because of the obvious cyber terrorism threat.
Joe: See, that's something that... because I used it a couple of times and I'm like, "Man, I cannot use this again." I guess I never caught onto the fact that this was the reason why that it went down and never came back. But it was crazy to me that we've got just kids finding these vulnerabilities, and imagine somebody listening... Now, you probably knew the person was listening in. You could probably see that they were on the call or they were on the call. So it wasn't like somebody strange got into your group chat and did that, but I have definitely hung out with a group of girls and one girl goes away, the others start talking about the other ones and that is not a good thing when you're on a group conversation like this and you're chatting around and you can still hear somebody else or vice versa. I thought it was funny that the mom decided the best path to fix this was to just tweet Apple, not call them.
Andy: She's like, "I just got an idea. There's a huge vulnerability. We should use Twitter to solve cyber terrorism." So funny story about Twitter. Hey, that's the best way to get information out there to Apple. So I was on a call with Homeland recently. It was an unclassified call, not a big deal. There were people from all over the country there. There was a question and answer period at the end of it, and one of the guys from somewhere on the West Coast, the first thing he brought up to a senior intelligence official was, "Hey, what Twitter feeds do you follow to get real-time information?" I personally thought it was the dumbest thing I've ever heard my entire life. I mean, it was worth a good laugh for sure. The guy plugged his own Twitter and said, "Yeah, just follow me," whatever, whatever, and then moved on. But Hey, Twitter is how a lot of people are getting real-time information and how people are talking straight to the top of the chain of all these companies that they deal with.
Joe: I was never huge on Twitter. I have accounts there. I don't really read it every day, but I'm also older than most of the kids that are probably doing that too. But I was thinking it was starting to get sunset for other products, but everywhere I hear now, it's almost like there's a resurgence and people are still using it as a tool. Maybe it's not going by the wayside as I thought. I thought it was going to sunset fast.
Andy: Now Twitter is the way for real-time information on cyber terrorism.
Joe: So we've got the number two kinda cyber terrorism attack, the noise hack. So this is Matthew Wixey. So he figures out how to hack into speakers, Bluetooth, basically anything that's Bluetooth and just basically blows your ears off. Makes it intolerable high pitch sounds. Almost sounds like something that's a weapon that you can use.
Andy: Yeah. Sounds like what the Russians and Cubans were doing to the Cuban embassy in Havana a few years ago. A bunch of state department people had to leave because they had a lot of ear problems because they were just bombarding the place with a subsonic dog whistle. People didn't understand what they were hearing, but they just had hearing problems, and then later on come to find out it was Russians and Cubans doing that just to mess with people to keep them off balance. I don't know whether you want to call it cyber terrorism or not.
Joe: Well, I could definitely see if there's a space that I wanted to get into if I could just crank a frequency to make everybody go out, all of a sudden the doors are open and I can go in.
Andy: It's a perfect distraction. It's a great way, I mean, even if you wanted to go and get on Cuba, you remember how they tried to kill Fidel Castro in the '60s or something with a poison cigar. This is one of those things too. You call somebody, they answer the phone and you're just... I don't know how high you need a pitch to start hurting them. You can really, really hurt them. I don't even know if a speaker would be able to do that, but it might be a possibility. I don't know.
Joe: The bigger question. They said that they didn't test it on human ears, but they did notice that the frequency was so high. The vibration speakers were so high, it actually melted some of the speakers. So when you're thinking about how a pitch like that, I mean, if it's vibrating your eardrum in the same way... if it's creating enough heat to melt that way, the same way your eardrum receives it. So it's definitely dangerous. We can all say it's annoying. But it could be dangerous to fatal. This is one of those things, and I have no idea how to even protect from something like this because Bluetooth is everywhere.
Andy: If you want to have the best cyber security and protect yourself from cyber terrorism, turn off your Bluetooth in airports, your Wi-Fi in airports. Don't trust Wi-Fi ports or connections that aren't verified in airports in general. Don't do that.
Joe: How do we travel in an airport? What's the best way do you connect?
Andy: I don't.
Joe: You don't. Just shut it down.
Andy: I use just my 3G, 4G, 5G, whatever. I don't use Wi-Fi. I don't get on Wi-Fi networks that I don't know.
Joe: Tether to something that's yours for the best cyber security.
Andy: Keep the Bluetooth off, which is difficult now because you have Bluetooth headphones, like the AirPods and stuff, which are great. They're great headphones, but you just run that cyber terrorism risk. There are other ways to do stuff, I'm sure.
Joe: I've got, number three is the prying eye. So there's a cyber terrorism group called Consequences, I understand. I'm not too familiar with them, but they were finding and then dropping in on conference calls, basically web chats, Cisco, Webex, Zoom. They're able to connect to all of them. I know Cisco and Zoom have fixed their cyber security. I don't know if Webex has fixed it, but I know those two for sure have. And again, it's not like you didn't know. If you turn the announcements on in the conference call, you're going to see something that's there. But if you have a conference call and it's, "Hey, we're IBM. We're going to review our stock portfolio for the company." And there are 300 people that are all on a Webex. One more listening ear that can do some inside trading real quick can easily drop in and do those sort of things. It was interesting. You've been on hundreds of hundreds of these Webexes or any of these other ones. Some of the bigger ones, I don't even look at the list because it's just so fricking huge.
Andy: Or they don't publish a list of cyber terrorism or the list is that they just don't publish and only the administrators have access to it or something like that.
Joe: That's right. You can set it to like a presentation mode or something and nobody can see anything, right? Those are interesting vulnerabilities and this person can now see you and hear everything that's going on. So I'm sure the government is going to use something other than Webex for their classified briefing, but you never know.
Andy: Cisco is a huge government contractor. Cisco telepresence and everything like that.
Joe: Probably hence why Cisco was one of the ones that fixed it extremely fast and response is...
Andy: Cisco has a lot of good patches. They're pretty on top of their stuff. I'm not too familiar with it, but everything I've seen, they're really on top of their stuff. This is a great example of potential corporate espionage. I mean, there are companies out there that do that. There are whole divisions in companies, bigger companies, new corporate espionage, corporate intelligence, business intelligence, a version of any of those things that fight cyber terrorism. And this is how you do it. You just jump in on conference calls and find ways. I mean, they give you the upper hand.
Joe: What is Siemens going to come out with next month? And if I can get into their conference call and I'm IBM, then I can figure out what their new launch is and I maybe am able to market on it, or at least put a defensive maneuver in place that's going to really upset the Apple cart there for them.
Andy: Yeah, exactly.
Joe: Building a worm. So at first I'm like this, I guess that doesn't really apply to me. But the idea of taking over controls of a building and not only the controls of the building... Great. So you took over a thermostat or an air duct control, and then I started to think about, but now I can also take over unlocking and locking of doors. I can also take over cameras that are going to, like when you hit the button, you walk up to a school and all of a sudden the camera turns on. I can now watch traffic coming in through all of those controls. There are all these different things that I just didn't think about how the controls in a building are wired. This is one of the ways that cyber terrorism can really mess with everybody. And I just don't know that that's always IT's number one concern is, has the HVAC been hacked?
Andy: Yeah. So this comes down to everybody go home and just go to Shodan, shodan.io and it'll bring up all kinds of internet of things devices that are unlocked or show open ports. You might be able to find cameras that are accessible via the web and things like that. Also, be aware there's a lot of honeypots on there that people set up. So if it looks too good to be true, it is too good to be true. So just go check that out. You can just browse that for hours and just see cameras and whatnot on the internet and so can any cyber terrorism threat. Another thing is, let's say we take over the HVAC, right? So server farms right now are huge targets. Let's say Ireland, for example, there's a lot of server farms because there's a lot of lands out there and it's also a great tax saving.
Joe: Yeah. And their intellectual property law is lock solid for cyber security. It's the opposite of opening up a patent in China, right?
Andy: Oh yeah. They'll keep your stuff on lock for sure. So you have a discrete server farm, you don't want people to know where it is because you know it's always going to be under attack physically and otherwise. Let's say I can find a way to find it because I go to Google Maps and I look, and I see all these air conditioners on top of a building. So I have a giant building in the middle of nowhere and the entire roof is covered with AC units and I go, "Oh, that's interesting. Why do we have all these AC units?" It's because we have to keep all the servers cool because servers generate a lot of heat and you have to keep that entire building in a certain temperature to make them run well. So let's say I take care of the HVAC on that. What do I do? I just turn it off. I just turn it off and let you deal with this. That's what the top experts on cyber terrorism do as well. Leave it off for like five hours and servers are going to have a lot of problems. They're going to be popping warnings all over the place. You're going to see the incident responders come in and have to deal with what they're going to do. And then you warn their TTPs that way, but just way to do it, right? Just another attack surface that you have to be cognizant of.
Joe: Yeah. Denver hit me. I've lost servers on projects when I was in IT doing stuff and the AC unit would go out, but the server was running in Phoenix, that's a bad thing. So I definitely have lived that before. And if you're months of work in and you're hosted on a single server, a single set of arrays there, and they are down, you have to start all over from scratch. So from a corporate espionage standpoint, just merely melting, melting you down can put you way behind us, whatever our company is going forward, right?
Andy: Yeah, exactly.
Joe: Yeah. It is probably. In the IT companies I've worked for, I don't even know if HVAC and doors and stuff like that were even on their roadmap for testing.
Andy: I've seen both. I've seen larger companies that have that all on lockdown and they are like 100% aware of it and other companies that just don't have the manpower or the personpower to do it.
Joe: But when Honeywell or Johnson Controls or one of those guys puts a new release out, how many IT departments are going to go, "Oh, we should probably validate this before we do the update to prevent any possible cyber terrorism."
Andy: There are so many people that don't patch on time and they just don't want to patch things. For example, the new patch that came out yesterday to combat cyber terrorism, that the NSA told everybody to patch it yourself. There are already stories of major companies saying, "Hey, how do I mitigate this instead of patching it, because I don't want to take the server offline and hurt my cyber security. Pull this down to patch or this, that, or the other."
Joe: Or take weeks of vetting the new version before you put the patch in place because we don't know what else is coming with the patch, right?
Andy: Yeah. But at the same time, I mean, if you keep your systems patched and up to date, you're leaps and bounds ahead of other cyber security. The idea that I need to wait to test this, it's not like buying new technology where you're like, "Oh, I got to wait. I don't want to be the first person in line to get this. I want to be the 100th so I know you can work the bugs out." Just take the patch. If they're offering a big patch, you probably want to keep your systems patched especially for protection against cyber terrorism. Let the patch happen, you'll deal with the residual stuff later. You're going to have to fix different systems, things that you just forgot about, that are going to come offline because you patch this thing. It'll keep you on your toes and it'll keep you working.
Joe: So our listening audience is all over the spectrum from folks that are just homesteaders are off the grid. Don't care one lick about cyber terrorism because they're not going to even have a computer to the other side of things of people who are going, "The NSA just told us to update all of our software across the board." If I'm a little more on the tinfoil hat side of things, am I concerned that the NSA is trying to get something in, on all of our computers so they can snoop more and do their own version of cyber terrorism?
Andy: Hey, I don't know. It could be. Very well could be. You might be on to something, but I'll say this, there's an entire internet out there of just people that are testing this, that are testing the exploit especially cyber terrorism cells. There was a guy who already Rickrolled the NSA. He used the crypto thing. I don't even know how to explain what it does, but essentially it makes it so certificates are trusted.
Joe: We're talking about cryptocurrency.
Andy: No, no, no, not cryptocurrency. Not at all. It's cryptography. But so what it does is it does something with... So when you go to a website, you get a certificate that says there's a trusted site. Essentially, it spoofs that via cryptography and I am speaking out of my ass on this one when it comes to cyber terrorism. I guess there was already somebody that just Rickrolled the NSA, or I don't know, you got to-
Joe: Admit it through. Yeah.
Andy: ... yeah, but there's an entirely open-source network of people out there showing you what this exploit can do for cyber terrorism and saying, "Here, this is a bad thing. You should patch this for your cyber security. Don't trust the NSA saying patch it. Trust all the other independent people who did not trust big government."
Joe: Sure. That makes a lot of sense.
Andy: Yeah. Just trust them, go to GitHub where it's all open source and you can read everything and do it that way. Trust the hundreds of people or thousands of people that are telling you to do it. But if the NSA is doing that, then Hey, you broke it here first.
Joe: Yeah. It's exclusive. Code injection attacks. I had to make sure I understood what that meant before we talked, but this was done on a Mac. So we always think of Mac as being super secure, but there were people putting these code injection cyber terrorism attacks. What does that even mean for people who don't...
Andy: Yeah, this Mac attack, it wasn't really like a... That's neither here nor there. When you say code injection, the immediate thing that pops into my mind is SQL injection and that's not what this was at all. So SQL injections, web stuff, basically what he did was he found a misconfiguration that's not really an exploit. He didn't have to create some dramatic exploit because there was a problem that they could patch. This is just him finding a way.
Joe: A little logic error somewhere.
Andy: Essentially. I didn't dive into the weeds on this, but it's essentially just finding a way in that you can't patch because it's just Mac works.
Joe: Well, and the takeaway from this one to me is everything in my life is Mac. I've gotten off the PC piece, but you're not safe from cyber terrorism just because you're on a Mac. I think you pointed this out in our last conversation. There are just more people working on PCs for a longer period of time and they do have highly customizable systems that allow you to do a little more with them. Allow more nooks and crannies to hide stuff on a PC than probably on a Mac.
Andy: Yeah. I mean, so most companies use Windows and that's just the way it is. So there's more surface for certain cyber terrorism groups to attack because it's Windows. If the DOD ever switches to Macs, then people are going to get... they're going to start finding ways to exploit Macs a lot easier.
Joe: Yeah. Do you think it will happen?
Joe: I think they're just too invested in old systems that...
Andy: Windows 10, I mean, it's a good system. As you said, it's very customizable. It's easy for people to use. They know it. They don't have to learn another system. For example, everybody uses Excel, right? You use Excel on a Mac and then use Excel on a Windows PC. Excel on a Mac is terrible. It's just hard to use. So you just have to use it on a Windows PC.
Joe: I actually dual boot my PC sometimes still that I can go in which dual boot is listening. But basically, what I mean is I have a PC. I emulate on my Mac so that I can run certain programs that only run on PCs.
Andy: Yeah. Or if anybody else listening wants to do it, if you don't want to go through the process of dual-booting, you can just go to vmware.com and just install a virtual machine which will help you combat cyber terrorism. Microsoft gives you free Windows 10 virtual machines, and you can do anything you want on there. You can even play Windows video games on there that you can't get on Macs, stuff like...
Joe: Xbox, right?
Andy: Exactly. You can do all that stuff on your Mac.
Joe: I like it. All right. Boeing 787. This one scares me. I don't know if I should or shouldn't.
Andy: It shouldn't scare you. It shouldn't scare you at all.
Joe: It sounded like they found a cyber terrorism vulnerability in Boeing. They would let them take over flight controls.
Andy: No, this shouldn't scare you at all. This guy said he could do something that he's never proven he could do and his logic is, "Well, they're not giving me a 737 to play with." So here's the way and anyone that's listening, go...
Joe: [crosstalk 00:31:04] commercial jetliner. I don't know.
Andy: Yeah, anybody that's listening, go watch this year's DEF CON talks on YouTube, just DEF CON Aviation Village because DEF CON started doing this for aviation and maritime. And there's a lot of great speakers and they go into great detail on how, when you're flying in a plane, the Wi-Fi access you have in a plane has absolutely no way to connect to the plane's system, the avionics, the pilot controls. There is no way to save physically going into the cockpit and plugging your computer into it like a box of the pilot’s feet plugging it in via USB. There's absolutely no way that those systems can talk to each other meaning it’s safe from cyber terrorism for now.
Joe: You need a physical connection.
Andy: Yes. Exactly. And they build it by design. There's so much redundancy and there are so many levels that keep those systems apart. There's no way for you to, I don't know, it might be American, but they use the tablet. There are tablets in the back of the headrests and they're like Windows tablets and they just find a way to network together to give them the in-flight entertainment system. There is no way for any cyber terrorism to get from that to the plane's in-flight controls. Same thing with the Wi-Fi. There's no way to do that. There are ways and as a matter of fact, again, the same thing that the NSA dropped, this vulnerability does apply to people who are flying because it can generate trusted certificates and apparently, one of the groups of people that would be vulnerable to this are people using Wi-Fi on flights. Because if another person is using Wi-Fi on a flight, they can, I don't know.
Joe: Because you're all on one local network therefore you can see who else was on that local network and present a certificate to get into somebody else's company.
Andy: Exactly. Apparently, I mean...
Joe: Whatever movie they're watching, I guess.
Andy: Yeah, it popped up on a slide I was in, so there are my two cents on that one, but no, there's no reason to worry about cyber terrorism here. However, there are other things that you can do to planes that have been proven. So essentially, ILS like instrument landing systems. There's a wave, I forget what university it was. It might've been Carnegie Mellon because that sounds right in my head right now. So ILS, instrument landing systems, they proved that cyber terrorism cells can hijack ILS to tell planes that landing angle and stuff is off and they're at the wrong altitude and this, that, and the other. And the way it was explained to me was, so ILS works like this: there's transmitters and receivers on runways, and they send things to planes as they're going to land.
Andy: And it says, if you put it on that, it'll automatically send data and it'll say, "Hey, you need to go 15 degrees down. You need to go 15 degrees up," or whatever. Your speed needs to be this XYZ. The way you spoof that is you say, Hey, you need to do a 30 degree down angle for this landing. So great. You need to do a nose dive straight into the ground. However, most pilots know that that's just not how it works. So even with that ILS spoofing, there's pilots in the plane and they'll fix that. But this still poses a great cyber security problem if cyber terrorism cells start doing this.
Joe: I mean, I've done a lot of flights, but I have had one flight that had the landing system and they forgot to put the landing gear down.
Andy: Wait, what?
Joe: As the flight is the flight came in, the plane took off. On that landing approach, got to the runway and then almost did like a touch and go, I guess if you had wheels, but we came back around and as we were coming back around, you hear the doors open and the landing gear come down and then we landed. So those systems can come in handy too.
Andy: Yeah. Were the pilots asleep? What airline do you fly, man? I've never flown that. Is that Spirit? Is that what it is?
Joe: That's the space what you end up as you're flying.
Andy: Just jump on the wing and here you go. Okay.
Joe: I've got one left. I was trying to lower the ring. I tried to wrap my head around this. So people are worried about cyber terrorism have talked about the iPhone 8, you got a little fingerprint thing on there, but then somebody goes and steals my fingerprint off my coffee mug and goes and gets into my, whatever, a building, you watch all the Mission Impossible ones where they're doing fingerprint scanning, they get into rooms and stuff. Cyber terrorism cells are going to steal my fingerprint, like on a Mission Impossible and put it on something. And was a problem so they came up with a fake finger-
Andy: On a ring.
Joe: On a ring.
Andy: Fake finger in ring. Alright. So Kaspersky Labs, which for the last, I don't know, probably five or six years has been associated with Russian intelligence and Russian cyber terrorism. And they're on a lot of lists for United States vendors and they can't use them if they want to do business with the US government. So take that for what you will, but Kaspersky has got an interesting past. I don't know all the stories, you just Google it and read the news on them. But Kaspersky came out with this. I have no idea what they're trying to do. You wear a finger on your finger, on a ring, as a UBT for two-factor authentication or something like that.
Joe: Right. It's got some sort of ability in it to keep a digital fingerprint and then I'm, "But then just take the ring off and give it to somebody else."
Andy: Exactly. Yeah. I think this is just one more of those things where like, Oh, this is a great idea. Let's try this. Oh, this is dumb and cyber terrorism will exploit this, let's throw this away. I don't even know how this... This is last on the list of the greatest 2019 hacks just due to absurdity.
Joe: For a reason. Yeah. It was the list of creative hacks. So it definitely is creative of the cyber terrorism cells.
Andy: Yeah. If I see a guy with a finger on his finger, I'm walking the other way.
Joe: Yeah, like pulling a fire alarm. I don't know. Don't pull fire alarms.
Andy: Don't wear fingers around on your finger. That's like Angelina Jolie wearing a vial of blood - what was that?
Joe: Yeah. Oh, man. You're taking me back now.
Andy: I don't know. Whatever his name is...
Joe: Billy Bob.
Andy: Billy Bob. There you go.
Joe: That's it. Man, we came to it and finally made it. All right. Yeah. That's really weird. But no, there are just weird things that are... That was one that I'm like, I don't even get it why that's a cool thing. But I thought I'd ask anyway. Anything else that you think is on the horizon this year? Any more incoming cyber terrorism threats to cyber security? Things that you're like, "I'm going to keep a deeper ear in this area or that area," that strikes you, or is it business as usual? They get the same nation, states, and suspects that are out there and they're doing the same stuff just they keep trying to find new ways to do it.
Andy: I think we're seeing new ways to do it and if January is any indication of how the year is going to go, then we're off to a great start. It's going to be a rip-roaring adventure in 2020 when it comes to cyber terrorism. The same thing as always, check out Have I Been Pwned? Check out DeHashed, look up your emails on there. If you want to try to get some secure email go to ProtonMail, check out 33Mail, Blur, just good things to keep your identity low key and off the grid. One thing caught me off guard, I will say this. I was driving on the Turnpike recently and for all these tinfoil hats off the radar guys and gals, they made it where in order to pay tolls on the Turnpike, you don't go through a station and pay tolls anymore. They automatically get your license plate and send you a bill. You don't have the option of doing it anymore. This caught me off guard and could be a huge cyber terrorism risk.
Andy: So if you want to live off the grid, don't take the Turnpike because they're going to mail things to your home record and you're going to have to pay via whatever means. I mean, and the deal is, this is a third-party company that's doing this for the state. So they have your databases or they have your database, your license, your identification, all this stuff and you have to assume, as soon as they're not meeting their revenue goals from the Turnpike, they're going to start selling that information the same way every other company sells your information.
Andy: If you build a database, you sell access to that database. There are even companies out there that are just smaller companies that tell you, "Hey, put your email in here if you want free updates." What they do is they take that email list and then they sell it to other companies to use for marketing purposes. So if you use the Turnpike, they're just going to make you pay this bill online because they're just going to bill you anyway. It really caught me off guard actually. I just saw it a couple of weeks ago. Yeah.
Joe: And then additionally, you can't stop it necessarily, but you can't insure it. I insure my house so that it doesn't catch on fire and hopefully it doesn't, but this is another thing, another piece that I just feel confident in insuring as well. So I'll add that on because I think it's a pretty good deal. As always, man, this is awesome, and thank you for coming to our little black site here today to do this. We want to make sure that everything was good and that your anonymity was retained here. Thank you again.
Andy: Thank you. I love being here.