Join Andreas Senie and special guest Dr. Darren Hayes, CEO of Code Detectives, as they discuss cybersecurity and dive deep into Computer Forensics and best practices for responding to cyber threats.
About Professor Darren Hayes
Dr. Hayes is the Founder and CEO of CODEDETECTIVES LLC. As a forensics examiner, he has worked on numerous cases involving digital evidence in both civil and criminal investigations. He has also been declared as an expert witness in U.S. federal court. For a number of years, Hayes served on the Board of the High Technology Crime Investigation Association (HTCIA) Northeast Chapter and was President in 2013.
Hayes frequently appears on television, including Bloomberg, MSNBC, The Street, Fox 5 News and has been quoted by CNN, The Guardian (UK), The Times (UK), Wall Street Journal, Financial Times, Forbes, Investor’s Business Daily, MarketWatch, CNBC, ABC News, Forensic Magazine, SC Magazine, PC Magazine, USA Today, Washington Post, New York Post, Daily News and Wired News to name but a few.
Sector Interviews are bonus episodes of CRECo.ai Real Estate Roundtable - Your comprehensive all-in-one view of what's happening across the real estate industry -- straight from some of the industry's earliest technology adopters and foremost experts.
Learn more about the general show at https://welcome.creco.ai/reroundtable
[00:00:00] Andreas Senie: Welcome back for another sector interview. I'm Andreas Senie, host of the CRECo.ai Roundtable and founder of the. Collaborative platform. Joining me today is none other than Dr. Darren Hayes, a leading expert in the field of digital forensics and cyber security. A good friend and advisor, long time co-host to the show.
Darren welcome. Looking forward to diving deep. For those of you tuning in for the first time, and I hope it's not your first time, Darren is one of the top 10 conf top 10 computer forensic professors by forensics college. He's commonly appearing a commonly appears on Ms. Nbc, cnn, Fox, Wall Street, everything everywhere.
Why does that all happen? Well, I think it has something to do with the fact that it's computer forensics. Right? What is computer forensics? Let's start there, Darren. Well, for the show, uh,
[00:01:06] Darren Hayes: first of all, great to be here. Thank you, Andreas. Uh, really appreciate the, the invitation. Um, so let's talk about computer forensics.
So the forensics part of it is means to make something admissible for court. It is a science, so we have to follow certain protocols. And it's different from computer security because we come in after something has gone wrong. So computer security is being proactive, protecting systems and computer forensic examiners come in and usually after a data breach or something has gone wrong, um, it can come into what's called e-discovery electronic discovery.
You know, maybe there's civil litigation between two sides, or the s e c has asked a publicly traded company for documentation, and a forensic examiner runs certain searches for a company. Um, but much of what we do, again relates to often network breaches. What happened, who was responsible, how to mitigate that risk and treat everything as.
What we're examining will one day end up in court and lead to a prosecution.
[00:02:24] Andreas Senie: So this is, this is the basically the birthplace of, of code detectives. You are the, the detective. So your CEO of co detectives, this is what you do privately. You go out, you work with companies and you examine all of their hardware.
You did. So for me, uh, worked with me at one point in the past. We're not gonna talk about when, where, or what given the environment, but it's a, it's a, it's a crazy world we live in. Every day we, we talk about ransomware or we hear about ransomware or Bitcoin or, or, or all of these things happening.
Victims, dark webs dark, a dark web full of our information. And you join us every month on our show, the the cracker round table, first Thursday of every month where we talk commercial, real estate, tech, technology, brokerage, government policy. And you don't. A lot, a lot of time when you probably have the most to say because cyber security, forensic analysis, our digital selves are, I mean, we live, exist and breathe online.
If I was offline for a day, I don't know what I would do. I mean, I know what I would do, but I have a recovery plan because I've worked with you and so forth. But what is the biggest thing you talk about on the show of being ransomware? What, what does that mean to the, to the everyday person? I mean, you hear about it, 70% of households have have been hacked.
I mean, is that ransomware or what? What does that really mean for everybody in the common day? Yes.
[00:03:57] Darren Hayes: Sure, Sure. So, so ransomware attacks have been on the increase year over year. And, uh, a number of years ago, this is not a recent report by the FBI stated that four thou, there's 4,000 ransomware attacks on a daily basis.
So, first of all, who's responsible? Um, well, Russia is, is a big proponent. Ransomware. It's a great way of raising cash because, uh, and we'll talk about what that ransomware attack is, but with so many sanctions, you know, Bitcoin is that imagery, cryptocurrency that can be easily exchanged for dollars or euros or whatever anybody needs.
Um, we've seen ransomware used. Hackers to make money, but also terrorism. There's links there. Um, we've seen recently a hacker group that was arrested or a person perpetrating ransomware attacks, and we also have people in the United States who are initiating ransomware attacks. Many of of these attacks.
you know, relate to, um, political conflict. So there's been this political conflict that's been going on with Ukraine for many, many years. Uh, definitely predates the Biden administration and, and it was definitely very active in the Trump administration where we had a number of different cyber attacks, which include ransomware and some of this malware just goes across the internet that proliferates and ends up.
Western Europe in the United States and across the globe. So ransomware is, is basically malware that infects your network and encrypts all your files. You get this really devastating message saying everything is locked down in your, on your computer. You need to pay a ran. And this ransom is generally in cryptocurrency, usually in Bitcoin, and it's usually on a per host basis.
And then if you don't pay the ransom within say, 24 hours, that ransom continually increases.
[00:06:13] Andreas Senie: Well, and even if you do pay the ransom, as I understand it, it's been reported, there's only a 40% chance of those that pay, actually get their date, unlock. So the, just like, if, you know, unlike when you steal someone's child, you know, you may, and I don't know the odds there.
Let me back up. kid. It's a, it's akin to kidnapping. There's no guarantee you're gonna get your data back. Worse. What? With ransomware, who knows what else they can do with their data? Think, give it back to you. Can't they resell it? I mean, when you're sitting there in that position and that, and you're, it's, is it, is it just as scary as it is in the movie?
Where, where you're, where you're at the hospital and all the screens go black and you can't get your patient files, and then God only knows what happens to those files. Cuz then they're, they're all over the dark web. Is that what we're saying? That, that, that the movies are in actuality the reality of it all.
[00:07:07] Darren Hayes: Yeah, so, so it's a big problem because yeah, you, you, you can lose your data twice, so to speak. So if you pay the ransom, they know you're good for another attack. And so companies have been hit multiple times cuz they know you'll pay up. The other problem is that they're not just locking files, unlocking them when you pay the ransom and walking away.
They certainly got copies of all your inform. So personal details of your customers, your employees intellectual property, and that can be sold on, on the dark web or even the clear web. And so, you know, there, there's double, triple, quadruple, you know, ransomware attacks and uh, and companies again, yeah, they don't always get their money back, but I think the big message is, Think about contacting the FBI because we saw with Colonial Pipeline, for example, they got the FBI involved and were able to recoup some of that ransom that they paid at.
[00:08:07] Andreas Senie: as, as a, as a company, as a real estate company's investor, uh, developer, lender, broker, we have a, we're, we're, we're sending contracts, we're, we're moving deals around tenant information, inventory, uh, work orders. Um, and not just that we're, we're, we're today installing all of these devices. Can, is ransomware targeted specifically through computers?
Is it also affect mobile? Does it affect my, my smart thermostat? I mean, how does it get in to your computer? How, where's the entry point?
[00:08:41] Darren Hayes: Sure. So with a, with a lot of, um, ransomware attacks and with most types of malware, the point of, of entry is usually in an email and there's a link that somebody clicks on.
And if you're in a company, for example, with, you know, I heard the, the head of the FAA one time say, You know, what keeps me up at night is, you know, more than 41,000 employees and worrying about whether they click on a link and. A lot of this through a fishing link, and so that's why going through and doing.
Test, um, fishing campaigns in your company periodically is really, really important. And what, when you mentioned before about kind of how impactful these are, you know, I used this analogy, I know I've used it before, but when you think about a hospital in London that with stood uh, World War II bombings, Blitz Creek, and continued operations and helping patients, That shut down with the ransomware attack.
You know, people on their way to Surger were stopped, surgeries were stopped midway. Um, and we know of at least one person who died as a result of this ransomware attack. So if we think about the real estate in industry, you know, how would you plan if all the computers in your company went down? We've seen it happen with Sony.
We've seen it happen in Saudi Arabia with an energy company called Aramco. 30,000 computers were, were rendered useless after a cyber attack. This is the kind of planning you have to do today. If you're reduced to pen and paper, you have no access to your computers. What do you do? How do you continue your business?
And having that business continuity plan is really, really important. And ransomware adds a new dimension.
[00:10:38] Andreas Senie: Well, and it's not just ran somewhere, right? So there are men in the middle attacks and then, and opportunities where people are sitting in your networks. Understand. So using, let's, let's go down the real estate example.
The majority of our artisans, uh, C-suite, real estate, all over the us. Uh, we're, we are bidding on a project. Let's say we are sending financial information cuz we were trying to close out a transaction, closing on a big deal. Here's the pierce closing paperwork. How does a man in the middle attack work?
What is that?
[00:11:11] Darren Hayes: So a man in the middle attack, uh, for example, happens when somebody intercepts your communications. So, you know, using wifi in a public space is one of those vulnerable areas where somebody can capture your login and password to a system. You're at Starbucks, for example, so that's a big problem.
The big, the big thing that, that is a real concern today that, that I talk about when I'm at these presentations is, you know, third party risk and fourth party risk. And in the real estate industry, when you think about how many suppliers, third parties, fourth parties you're interacting with, you no longer have to be just concerned.
Your security and defenses, you have to think about your third parties and so you, you interact with so many other vendors, What are their security policies and validating those people. So you know, when you're vetting a new vendor and looking at their risk, you're talking also about IT risk, you know?
Tell me about the people who work in your IT security. Do you have blue team and red team exercises? Um, how often do you have cyber security training? Do you have, does your company have any certifications in terms of, of cyber security? Iso, for example. And so these are questions that you, you need to ask, not just can they fulfill their promise with delivering something to you.
You know, we know now, especially with state sponsored attacks that. Third parties are a big target for the hackers, for the bad guys, um, because getting into one of these third party providers gives them credentials and access to maybe hundreds of different companies, and one of yours could be one of those companies.
[00:13:10] Andreas Senie: Absolutely. So, The, I think back on our conversation in 2019, and I forgot what company it was. Oh, I, No, I remember. No, it was, It was ways, right? And it was incredibly intrusive and it was all types of data. It's the same concept once you have something on your phone where you're using something, if that's something.
That something can be a point of entry. So although email is the, the, the most highly used route of attack through those links, can I be texted a bad link? I can get it through text, I can get it through an in, in-app messaging. There are other hooks. Is that, is that an accurate statement to just give, give access to these bad actors?
[00:13:55] Darren Hayes: Yeah, so, so the, there, there's, you know, Pegasis one and two and developed by NSO out of, out of Israel, for example, that, you know, was, could be installed on people's phones. It was purchased by some governments. It was used to infiltrate, uh, investigative journalists on their phones. So it's really, really important to make sure that you.
Your operating system, whether it's iPhone or or Android, keep that operating system up to date because they're more conscientious of these types of more sophisticated apps that run in stealth mode, meaning there's no icon. It's very difficult to identify that there's, there's malware actually on your device, but also you gotta think about apps that you're going to give, um, certain permissions.
And so you've got to think about how if you enable location services and a lot of these mobile applications, that it's very easy to track where somebody is throughout the day. You know, and people use this to track, you know, senior executives, csu, you know, where they're going throughout the day, based on Twitter, based on Instagram, based on other things that they're using, and also of
[00:15:13] Andreas Senie: your Instagram examples, photos.
[00:15:16] Darren Hayes: Yes, Yes, yes. A and, and the other thing is when you connect with somebody using social media, it's easy for somebody to, to gather information about you as well. So we did some experimentation with dating apps, for example, like Tinder is really, really popular with, uh, the next generation. And we can see that when you connect with someone.
Meaning somebody swipes right on your profile and you've swiped right on their profile. There's an exchange of that information and I can find out somebody's Spotify playlist. I can get access to their Instagram account that was marked private. I can get Facebook information, I can get a lot of third party information.
And so that reminds us. When you're logging in, don't use third party login credentials. What I mean by that is if you can log in to a website using your Google, your LinkedIn, your Facebook credentials, don't use those. Use the email address on the login that, and the password that you registered for that account with because you're suddenly sharing more information.
Lots of different other social media services when you decide to log in with different credentials.
[00:16:37] Andreas Senie: There was a, there was a statement you said to me years ago, you know, the easier it is, the more trouble it can bring you, uh, when it comes to logging into tech or use of tech. Um, and so now I've got a physical key.
I've got a digital key. But you, you said two things there. You said the next generation. One question I wanna put a flag in is I hear from the next generation all the time that I've got a vpn. I'm fine. I'm covered. I don't need to worry about anything. So let's put a flag on that one. And then the second, uh, thing I want to see or win on, What about apple's?
You know, Apple's got this new security, marketing, big, big marketing going out with, uh, they're gonna hide my email and forward that and log through Apple. Is that a, is that the best way? Sounds like, because that's using your email, but mask. In, in such a way, or no? Is that a trap for the
[00:17:32] Darren Hayes: future? Yes. No, no.
Apple is is pretty good with security and, and it definitely is good to hide your email when possible. Um, you know, they, they have developed more secure communications for, for you using, you know, a VPN type service. VPNs are definitely more secure, better. But then you've gotta remember that there's people who profile individuals and when, when somebody's on social media and they're talking about a brand new car that daddy bought them and you know where they're going for dinner, and it's diff, it's very easy for somebody to quickly determine, Hey, this person has money and there are good target for me if I'm a hack.
And so that's, that's, that's really important to think about is the, so social media is the greatest way to profile an individual.
[00:18:25] Andreas Senie: And so when you say profile as an example, so that, so, so let's run a use case. A hacker sees you to go, you standing in front of your new Porsche, Life is good, you're in Miami, and a and a hacker identifies you.
Or, or there are even, are the bots crawling the web, looking, reading for these images, identifying targets. Uh, and then what happens? What do they, what happens next once they find a target?
[00:18:51] Darren Hayes: Sure. Uh, uh, well, a big thing, first of all, is people rob your home while you're not there. , you know, and they, they work out where you are.
And, and, and zillow.com is a great way to identify, you know, entry points and, you know, other people in the area. Um, you know, you could use Google Street View to see a, a closer view of the neighborhood. Um, you know, Zillow tells you how much that house is worth, approximately, whether it's worth robbing, basically in the mind of, of, you know, the bad guy and, you know, it, it's just, it's just very easy.
I mean, you could pay 25 to $50 to get a full background check on somebody, run their credit report, see how many bank accounts they have, how much, many, much they have in assets. Um, you know, unfortunately in this day and age, it's, it's easy to get that inform.
[00:19:48] Andreas Senie: Well, so let's flip the coin here. So the hackers on Instagram, he, he knows I'm out to dinner cuz I, cause I'm posting on Instagram how great my life is with all these filters and I'm not home.
So now he's robbing my house. But isn't technology also, haven't there been advances in technology for the police in that? Well, that ha, that criminal, that burglar was in my home. He probably brought, brought a phone with. Or even a car, Anything newer than 2017 telematics, they know the cars are there. So what are, what are some of those advancements?
Cause you, you scared everybody off the call already. They're shutting down their social media. Restless, speak . What are some of the things that the police and the government are, are people like you are doing to, to help us?
[00:20:32] Darren Hayes: Sure, Sure. So, so the, the reason I really got into forensics originally was because, actually, first of all, one of the misconceptions about digital forensics is that it's, it's all cyber, it's it's related to computer crime, and that's not really what it's about.
Because as you mentioned, you know, Every crime, you know, involves like a cell phone. And so a lot of, again, the reason I got into this was because, uh, this evidence is used, you know, child abductions, child exploitation investigations. In fact, there's, there's lots of law enforcement agencies where maybe 60% of their time is actually looking at, uh, child exploitation investigations.
Um, and so there, there are, you know, The good thing about all of this information being out there is it's also great for, for catching the bad guy. And so the bad guy with their, their phone, um, you know, they also have a car as you mentioned, and that car, uh, most cars today have a sim card that has service provided by at and t, and so that car is also pinging towers and, and giving a good idea of where that person is going or where they.
um, even a lot of tires on vehicles today have an R F I D chip and they communicate with, with other vehicles, and so that's very, very useful. We have a number of, of, uh, states in the US who are using digital license plates. California is one of those states, and this is rapidly changing. Uh, these digital license plates connect with your phone.
They have a built in modem, R F I D tag. Uh, Bluetooth. What, I'm
[00:22:19] Andreas Senie: sorry. What is the point of the digital license plate?
[00:22:23] Darren Hayes: So, so the digital license plate, um, helps law enforcement because when they stop you, they can quickly identify, Oh, it's,
[00:22:30] Andreas Senie: it's not something I would lie. It, it's just there. It's, it's it's built into the license plate, you're saying?
[00:22:37] Darren Hayes: just like a big different type of license plate? Yes. Digital, it's connected to your phone, and law enforcement can quickly determine if that person's driver's license that that is handed over, matches up with that, that, uh, license plate. And it's very easy to see if this is a stolen vehicle. So even, even with, you know, the new technology that we have today and that the great advances in gps, there's still thousands and thousands of cars.
that are many of them going to West Africa today. Uh, many high end cars, for example, that are being shipped out because first thing they'll do is rip out those GPS systems and they'll put them in a container and, and they'll be shipped off to places like Angola for example. And, um, and so, you know, the digital license plate is one of those features that may prevent this type of.
[00:23:35] Andreas Senie: Wow. So that, that I, I had no clue that that was something. The, the, what I found incredibly interesting was when, uh, if you have, if you've ever been pulled over, I've been told when the cop comes up behind you, he actually puts his thumb down on your trunk. You may have never noticed, but the purpose was he's leaving his DNA on your car.
It's, this is a done on purpose. And I, someone told me, a police officer friend said, There are a bunch of these little things they. But this is the future of that. These, these, uh, the techno, the technology to track and, and do things in such a way that I should feel safer. But at what point is it more big brother?
Cuz what he just said to me between the cars, tires, license plate license, When am I not being. When I'm in a affair day back over my head. Sure. .
[00:24:30] Darren Hayes: Well, well, the, the first thing that they'll probably do is run, when they run that license plate, see if there's any wants or warrants. So is that person wanted for example?
Um, But there, there's other technology that's been developed in policing, For example, you know, rather than speeding down the highway, trying to chase this guy at, at a hundred miles an hour, you know, there's a dart that you could shoot now at a car and that will will have a GPS tracker. Um, so, so I would say that, you know, there, there's been, for example, stories about OnStar, um, and when you have OnStar and your.
GM vehicle. You know, even when you stop paying for the service, apparently they're still tracking everywhere you go, that kinda thing. Um, but law enforcement are actually very confined to what they can search and what they can do. So if, if you are, you're stopped by the police, they can just ask for your phone and, and, uh, image that phone and get your information, right?
They have to either have a warrant to search your car or they see something that's in, in plain view. Uh, so, but also, Um, there's very strict guidelines. There has to be probable cause for, for law enforcement to be able to get access to the inside of your vehicle or your car. There has to be a reason for this.
The, there has, there isn't any reason for Google and Facebook collecting. And a huge amount of data on you on a daily basis, and you, you don't have to have an iPhone to be tracked by Google, right? You're, you know, 90 or devices, probably 95 plus percent of people have some kind of Google app on their iPhone that they're using to track you.
Throughout the day. Oh, my
[00:26:16] Andreas Senie: favorite is when you're talking with your spouse or in your home about a product. And then it, So next time you log into Amazon, what do you see Suggested discounted all the time. Um, and so, I mean, they're always tracking, but you had said something to me, but you know, many years ago, if, if law enforcement can do it, so can a sophisticated criminal and, and a state sponsored.
So, I mean, what are the likelihood, what's the likelihood in for the different people out there, C-Suite, um, everyday, uh, professors. I mean, what are, what are the risk categories?
[00:26:55] Darren Hayes: Yeah, so, so as I mentioned before, you know, like in tes is one of those services where you can go on and you can request a report background check on somebody, right?
But you can also get lots of information from many other sources out there. So, um, you just gotta pay a little bit of money. Those Skippy Spokeo. People, all these companies provide a lot of information, background information on people. The, the credit reporting agencies, they have their own services. You know, you have, uh, TransUnion for example, provide a lot of background information about individuals.
Sson Reuters Clear, for example, um, Roo. Many other companies, basically, it's very easy to determine right down to whether somebody is lefthanded or right-handed. Do they have a pet? Do they not have a pet, Um, assets that they have under, under management? You know, how many kids they have. And so this information, you know, it's like the wild west in the US because, you know, in other places maybe.
The European Union, for example, with gdpr, the General Data Protection Regulation, there's, there's big limitations on what you. Retain on an individual, what you can collect, for example, uh, at the beginning, but what you can retain and how long you can retain that information. Now, states have been changing the laws.
You know, unfortunately in New York State, um, the state legislature did not approve a privacy bill, which would've helped a lot of consumers. A lot of people have been trying to emulate. What California has with the California Consumer Privacy Act, for example, where there's limitations on the amount of information that you can collect, but it's really difficult.
Basically impossible to get privacy legislation passed at the federal level because we know how good these companies are with lobbying on Congress Capital Hill to make sure that privacy legislation doesn't get passed.
[00:29:06] Andreas Senie: Well, and so So you brought up an interesting point, the what can we do as individuals to protect ourselves?
What are our rights? So GDPR you brought. Uh, overseas, we have a right to be forgotten, a right to delete our information. We, the consumer has all of these rights to, to stop being surveilled. Let's, let's, let's say it that way, almost surveilled. And here in the US we're, we're, we're way behind California.
Washington has, has passed something. California. There are, I think about eight states last I, I read, uh, making strides in this area. Something as simple as the, the double opt in for email. You know, you can't just reach out to me, scrape my information from the web, but what can we do or what should people be doing?
On a day to day as they, as they prepare for the future, do the rights be forgotten? May not be there, but what are some best practices as we go forward, uh, ahead of the privacy laws? Because yes, regulation is coming, the regulation is slow, let's be honest, and we're not gonna move to Europe. Not, Well, you might move to Europe.
Um, I know you like visiting the UK on occasion. .
[00:30:20] Darren Hayes: Yeah. So, so there's lots of things you can do. Um, First of all, know what information is out there about you. Like go to a website like have I been pawned? For example? Example, P W N E D, and see if what, Put in your email address, see what? Breaches you have been a part of.
That's, that's one of those things. Uh, run your credit report, see if any of your information has been changed. Cuz bad guys do do that. Um, it's, it's especially problematic for kids because a lot of, uh, juveniles, their, their social security number is being used for fraud. They only realize that when they go to apply for a college, Hey, my information has changed.
Yeah. Yeah. So we don't, we don't think about checking our, our children's credit report. Um, misinformation can be a good thing. Putting out information that's, that's maybe not accurate about yourself to throw, throw people off like Andreas the, uh, sky diver who goes to Malibu all the time, and, uh, you know, just different things.
That muddy the water is a little bit about who you are. Um, a lot of people are big fans of, of putting on LinkedIn, the conferences that they're at and information about where they are. Um, and that gives away information. People talk about projects that they work together on, especially in it that helps people understand what kind of systems you're running.
People talk about. Problems that they're having with their, their network, uh, types of systems that gives a away information about what you're using. Um, job, uh, openings. People put all information out there about, you know, experience needed in this type of software and this type of hardware that tells the bad guy about what you've got running on your network.
Um, there, you know, as I mentioned before, keeping your, your operating system. Dated both your computer and your phones, keeping your apps updated as much as possible. Um, thinking about old fashioned verification techniques, like actually picking up a phone and asking somebody, Did you send this information to me?
Please verify this. You know, this is a really, really good. , um, for those people out there, you know, from a a corporate perspective, an enterprise perspective, continually testing employees, sending out, you know, fishing type experiments and that kind of thing is really, really important. Um, But knowing really what information is out there about you not having your location services on when possible, um, not connecting your, your phone and your contacts with too many things.
I mean, I, I use. Signal, for example, for more encrypted communications. But at the same time, I don't, I wouldn't let Signal or, or WhatsApp have access to my contacts. It is easy for a, uh, a company to write a piece of code that would pull down all your contacts. From that application. So try to limit the permissions that you give to all of these applications as well.
That's, that's another piece of advice that
[00:33:39] Andreas Senie: I would give. That's the big, that's really the biggest one, is limit limit, um, service area limit, the, the, the amount of exposure anything has and, and the amount of connectivity it has with other things or possible. I mean, that's something you and I have talked about for years, so as.
the cyber criminals are, are becoming boulder and, and they're becoming it's state sponsored. Uh, there's been a lot of talk, especially with what's happened in Ukraine, and I want to touch on this, uh, prior to talking specifically about real estate development projects and the new tech that putting into these buildings.
What, what is digital warfare? I mean, we've heard about it. What is, what is Russia doing in Ukraine? Digital. As, what is that cyber attack? What does that digital warfare really mean and and what is the cascading effect here? Cause the butterfly flops, it swings in Australia. There's a tornado in China, right?
There is an. If you would.
[00:34:39] Darren Hayes: Yeah, absolutely. So, so, you know, we, we think that the war in Ukraine began less than a year ago, and that's really not the truth at all. I mean, it, it began a number of years ago, probably back in two, 2015, 2016, with a number of difference or attacks. One of those attacks that didn't really make headline news was black energy.
Which was a piece of malware that was used by the Russians to take down the power grid for about 700,000 Ukrainians. And so we, we've seen these types of attacks. So for example, with the Russian incursion in, in Ceia, Georgia, for example. , we saw denial of service attacks against, uh, the president's website and against attacks against other ministers in government.
And so a lot of these former Soviet countries, um, continually suffer many of these attacks. I think that we also need to think about, you know, political events and how they may impact us here in the us So being a supporter of of Ukraine. In this war and other native countries, you know, are more susceptible to cyber attacks from Russia.
Um, and one of the reasons is it, it's, it's difficult and, and this is a big, you know, discussion in the US government is what, how big does a cyber attack have to get before you actually. You know, make some kind of kinetic warfare before you launch an actual attack. Attack. We know that these cyber attacks can take down, you know, energy companies already and you know, if one of those attacks impacted the us you know, at what point would we actually launch a similar attack.
We know, for example, when Sony was attacked by, um, North Korea, there was. An executive order that was issued to take down the electrical grid, the, the internet in North Korea, uh, I think it was 24 hours and one second after that attack happened. And so we do have a lot of cyber capabilities. It's not like we're always on the defense and that put North Korea on notice that, you know, anything you can do, we can do better.
Um, and. , but we've seen these cyber attacks state sponsored more and more. Um, Iran launched a tax on the banks and the banking system here in the US after they got caught off from Swift, which is the payment system, interbank payment system. And so a lot of these political events are also tied to, um, cyber attack and corporations.
[00:37:35] Andreas Senie: So, and, and then bringing that full circle now to the micro level, here we are in commercial real estate. Logistically, how small an incursion or how small an event is an event that would need your services or would, would cause an audit is some, is is employee access at. Um, I wanna say outpost, but that's the wrong term.
At a branch office in Alaska, he gets hacked and he has, he's got ransomware on his personal computer that he also brings to work. Is that enough of a red flag? When do you, when do you escalate or when do you call in the big guns like yourself, co detectives or, or how do you report?
[00:38:14] Darren Hayes: Yeah, I, I think, I think the big challenge is, uh, the false positives.
Uh, you know, we, we get a lot of alerts that are not really cyber attacks. Um, and the other thing is that companies are, are hacked on a daily basis. I mean, Department of Homeland Security is, you know, suffers millions of cyber attacks on a daily basis, you know, and the, the big challenge for. For organizations is prioritizing those attacks.
Okay? And the problem as well is that one attack can lead to more than a year of an of an investigation. Companies really don't know when they've been breached. And sometimes they're informed by the FBI or gchq, Hey, we found your information on another server. You know, you've been breached. And companies don't know when they've been breached.
They don't know what information is being exfiltrated taken out of the company, cuz they're very good about encrypting that information when they take your intellectual property out of your organization. So, So that's a big problem. Again, back to back to your point about, you know, escalating and prioritizing that you definitely need to think about forensic people and not just at the last minute shop around.
Find out what services somebody can provide. You find out about their experience, and we often think about security people and protecting the systems, but we don't think about when something goes wrong. Do we have some kind of agreement with a forensic firm that they will come in and this is their price for investigating this Because even the high tech companies have those types of contracts.
They don't have people waiting in case something goes wrong in case they have a serious state sponsored attack. They also have contracts in place. Forensic firms to bring those people in, um, because they know something is gonna happen. Everybody is gonna be breached at some point or another. It's gonna happen.
Um, but again, companies need to think about things such as, you know, and, and I spoke to a, a friend of mine who works for a company, and basically what they do is they have a service where they email employees and they tell them, This is a report on you and all your information that's been compromised and is out there for sale on the web, and that's very impactful rather than, you know, the, from the top down saying, you know, your, your personal information can be easily compromised.
Make sure you change your passwords regularly. Make sure you have a different. Password for your personal accounts than you do for your work accounts? You know, I think it's a pretty good idea when you have employees who are emailed directly and saying, Here's your profile. This is what's being compromised.
This is what's out there on the web about you. And suddenly people start to think about passwords differently, changing maybe their email addresses, that kind of thing. I, I would say, I don't know why it hasn't been a trend before. I don't see it as a trend. You know, corporations thinking about making email addresses difficult, just as difficult as passwords.
Why can't we have some kind of mix of alpha numeric numbers rather than just first initial, last name and somebody trying lots and lots of different combinations to get into that?
[00:41:59] Andreas Senie: Well, it's, so, at least for commercial real estate, we've relied so heavily on email as an industry for years, and I have noticed probably two to three years ago, one year prior to Covid, what Covid is such a brainwash, right?
Uh, at conferences, you know, if you need someone, you get their email, but if you go to their website, all of a sudden you, there's no email on the website. It's. And they started to mask that email. They started to pull it off the web because they realized that, wait a minute, one, we're tired of being spammed, and two, maybe there's a security issue here, so giving out less information is better.
Um, so I couldn't agree more on that front.
[00:42:42] Darren Hayes: But also masking, masking your, uh, your phone number as. You know, having a, a Google Voice number and then you know, your most trusted people you give out your real number to. And, uh, I think Google Voice is a, is a great way of doing that. But also a lot of companies have invested heavily in threat intelligence.
Yep. And that's a little bit different from from security because it's also kind of doing a temperature check on how people feel about your company. Are there any particular threats to your company? So for example, pharmaceutical companies monitor, you know, Um, these PETA activists or whatever, animal rights activists and, and so forth who, who have launched cyber attacks in the past.
But also you've gotta think about, you know, and I've seen this on LinkedIn so many times, people talking about first. Day, day on the job, I just got hired and they're right there and they've got a picture of their, their ID or they're holding up their ID and stuff. And that's a great thing for hackers to see out there.
So having that threat intelligence component. It's a little bit different from traditional security, but lets you be able to see potential threats and many people who used to work in the investigative world, um, work in those kinds of areas. So
[00:44:04] Andreas Senie: it's, it is very much like the evolution of, uh, You know, college recruiters, right?
They, they now go in and they look at your Facebook, they'll go through your pictures, they'll make sure that you have a good moral fiber, I think is the term. Um, so the same is true now at the company level. Companies need to investigate or go through their employees digital footprint, you're saying, right?
And to have somebody do that and point things out, uh, because there is a risk. And, and you know, when we're talking commercial, develop, That hospital you mentioned one person died. Commercial development today is all about smart buildings. It's about, you know, automatic doors, automatic lights, automatic heat shut, the, you know, the HVAC off.
I mean, it's, it's all relative, which is why I'm so glad you're on the show every month to bring it full center because people need to understand that, that this. The invention of this made it all, and the interconnectivity of it all made it all relative. And I always love when you bring up the fact that, by the way, guys, they break into your house because yes, it's the, your valuables are physical as well as digital, more digital in some cases.
So as, uh, as an ongoing trend, that's what you're seeing. You're seeing more companies masking information. Maybe we'll mask emails one day. Um, I haven't. , Well, they, I guess companies did mask phone numbers. You had the switchboard right call into a switchboard instead of a direct line. That, that seems to be coming more often.
Uh, the case in large companies once again, Uh, but not the email address. That's an interesting one. We'll have to wait and see. So with that being said, Well, there's one takeaway, and I know we've got the show coming up on the, uh, first Thursday of the month. Next week, 6:00 PM Eastern. I'm j Avie back with the group.
What's the one big takeaway over the last year as, as everybody returns to work in, in today's world, you're all over the world. What, what, what, what's the big takeaway
[00:46:07] Darren Hayes: for regardless? Oh, there's so many big takeaways. Uh, it, it's, there's a problem. Yeah, I, I really, I really think that, so, so for, for corporations, first of all, there, there is this, this move to include somebody with cyber security experience on your board of directors.
You know, there are is some legislation out there such as New York State Department of Financial Services Part 500, which basically says that your board of directors is also on the hook for reviewing and approving your cybersecurity. Right. So that's for the financial services, but I think there is going to be this continued trend on having somebody who knows about cyber security be able to review what on your board of directors, review what you're actually doing.
I cannot say enough about having a third party come in and review. your network defenses, but also physical defenses. And I really think that this is often, you know how the term cybersecurity leads us asray because we're thinking about everything in a cyber world, but we forget that there are just as many people being profiled.
By somebody. There is somebody behind this who targets individuals. You know, the other thing as well is that, that these third parties who, who can do an evaluation on your company, they have a very different perspective on you. Um, cyber, cyber attacks are sometimes just like. You know, your car parked at the train station, right?
And the guy walking along and, and checking the doors to see which cars somebody forgot to, to lock, right? And this is the way that a lot of cyber intruders work as well. So, so think about those drive-bys or, or people walking around looking for your defenses. Uh, your vulnerabilities in defenses and there's tools out there such as MX Toolbox, for example, where I can passively look at a website and see what vulnerabilities are being flagged about your company.
You know, I can look at LinkedIn, I can see, you know, tech forms. I can look at job postings very easily. Profile technologies that you're using on your network. And then there's websites I can do, like Ex Exploit database will tell me all of vulnerabilities associated with all of those systems that you're running in your company.
So think about somebody who could do this kind of assessment and see how they, how much they could profile about your company, your technology, and the people in your company.
[00:48:44] Andreas Senie: Wow. I. Code detectives your company does, do you do those assessments?
[00:48:50] Darren Hayes: We do those. We work on, uh, post breach also investigations.
Yeah, absolutely. Security. Yep.
[00:48:59] Andreas Senie: So if, if they wanna reach you, um, they can certainly reach you and Mr. Mendo is back to he'll throw up your contact information for those that want it. There you are. They can send you an email. They can reach out to co detectives. Although we did not, uh, obviscate that.
[00:49:15] Darren Hayes: That's okay.
I trust you.
[00:49:19] Andreas Senie: Okay. We trust our listeners too. Cause Yeah, , that all being said, um, I want to thank you. This, this was, this was incredibly insightful. I know we don't get a lot of, uh, big opportunity to talk deeply about tech and intrusions and, and the world of it, but it's, it's all interconnected and that's what the show's about to our listen.
Don't forget to tune in first Thursday of every month, Thursday, 6:00 PM anywhere you get your audio and everywhere you get your social media live. 6:00 PM next Thursday. You can even ask that Alexa device that's listening to all your shopping needs to for the correct AI round table, and you can tune in that way.
Darren, Dr. Darren Hayes, I wanna thank you for all the expertise bring to the table and everything you do for the industry. I mean, you are, you're literally on the forefront of, of so many big things that most people think don't happen. And I was one of 'em, and I got hacked years ago, and, and you, you, you gave me a sanity check and you said, No, it's okay.
This is what we're gonna do. The takeaway is get somebody in your organization. Get it. Darren Hayes, if you can find one like him cuz there's only one like him. Um, working. Uh, and tune it to the correct way on round table. Next week. Thank you all. Mr. Mendoza, if you'd lead us out.