Friday, June 30, 2017

Youtube daily report Jun 30 2017

Hello tankers!

Today we'll be telling you about the solution to the critical error problem.

We'll also be telling you more about the matchmaking system,

and launching a contest with cool prizes.

Let's talk about critical errors

the problem that EVERY tanker has had AT LEAST once.

Two weeks ago we released an update

that was the result of a long time effort in this direction.

Maybe some of you remember the unexpected server reboots

where we had to roll back the release because it was decreasing FPS.

This week, we've released an update

that should fix the majority of critical errors in the game.

Of course, we'll be tracking our metrics very closely,

and if any issues pop up, we'll deal with them as fast as we can.

And now, a question for you:

Have you experienced a critical error between Wednesday and today?

Let us know in the special forum thread.

But please, be honest in your reports.

If you give us incorrect information, we can't continue to improve the situation.

We've received quite a few comments telling us,

"Don't implement the Matchmaking system.

It will ruin everything!!!"

However, these comments are due to a lack of understanding

of what the Matchmaking system REALLY is, and how it will work.

So let's discuss the details.

Right now, we have a battle list that consists of two different kinds of battles

PRO-battles, and what we can call "random" battles.

When you join a battle by clicking the "Battle" button,

it will have a fixed set of parameters such as battle length, team size and so on.

If you play Tanki just to relax,

and you want to jump right in without giving it too much thought,

the "Battle" button is what you need.

PRO-battles allow you to customize battles as you please.

You can choose to play in an unusual map,

and even create a battle in it, if there isn't one.

And you can tweak lots of parameters

including battle time, supplies, format and so on.

The current system with the "Battle" button isn't perfect, but it works.

Its major flaw

(and this is something that might surprise many tankers)

is that the battles created by the Battle button are also IN the battle list.

So the actual game problems, such as sabotage,

aren't being resolved, and the balance of battles can be wrong.

That's why we're working on the Matchmaking system.

Okay, so let's have a close look at what's coming.

The lobby screen will change.

There will still be the communicator panel.

However, the battle list and battle info panels will be removed,

and will be replaced by 6 buttons.

Here's what those buttons will do.

One is for playing a team battle,

where the matchmaking system will send you to a battle in CTF, CP, or TDM.

One is for playing Deathmatch, where you'll be sent to a random DM Battle.

Then there are buttons for CTF…

TDM… and CP

where the matchmaking system will send you to a battle in the respective mode.

The sixth button will send you to the familiar Battle list,

where you will be able to create a battle, or join an existing one.

This new battle list will differ from the current one in a few ways.

Players will be able to create and join battles, WITHOUT needing a PRO-pass.

In fact, we'll be removing the PRO-pass from the game.

Players will be able to name the battle they create.

So, the "From Dusk Till Dawn" and "Cedric drops the gold" battles will return.

There will also be a feature that is gonna upset some players:

playing closed battles will not give you any experience points or battle funds.

It will be just like in Parkour mode.

If you're wondering why,

it's because our data shows that closed battles are often used for power-leveling.

And that's the reason behind this decision.

So, that's everything about the battle list.

Now, let's take a closer look at the remaining 5 buttons.

Choose the appropriate one.... and click.

This takes you to a special screen

while the server searches for other players who are also looking for a battle.

The system will give priority to players who are in the same rank.

If there aren't enough players in that rank,

the system will make the bracket progressively wider

until it has found enough tankers for the battle.

Once the system has found enough players,

the loading screen will appear, and the battle will be created.

If it is a DM battle, all the players will go straight to the battle.

If it's a team battle,

a team balancing system will first separate the tankers into teams,

trying to make them more or less equal,

and then it will send all the players to the battle.

Before the battle starts,

there will be a sentence on the screen saying "Preparing for battle",

and a timer counting down to zero.

During this period, the score cannot grow, and flags cannot be captured.

You'll be able to fire at your opponents,

but you won't gain anything from it, so it will be pointless to do so.

As soon as the timer hits zero,

all the players will respawn, and the battle will begin.

We made this time interval

to make sure that all players have time to join the battle.

You might be asking,

What if someone from my team wasn't able to join?

What if they got disconnected during the battle?

What if they leave?

Will my team end up playing short?

Of course not.

If someone leaves the battle for whatever reason,

the team balancer will immediately begin looking

for a substitute from among those players who are currently in the queue.

When the battle ends, the participants will get their reward

and return to the game lobby.

Wanna play more?

Just push the button!

Now, the big question about the Matchmaking system:

Of course you will!

You'll be able to do this by creating a battle group,

adding your friends to it,

and then pressing one of the team battle buttons.

You won't be able to play DM battles with your battle group.

As for your opponents,

the team balancer will find another group of players from the queue,

and place them in the enemy team.

So, let's sum things up.

Once the matchmaking system is implemented,

you will be playing in full battles regularly,

and earning a steady stream of crystals.

Picking battles from the battle list will be just like it is now

sometimes good... and sometimes bad.

The release is planned for the end of July or beginning of August.

Now, it's time to see what came out of last week's V-LOG challenge!

Last week we gave you a challenge on the Future map.

You had to jump from the roof...

and land in the yard of the house across the street…

on your tracks.

Well, someone tried to take the easy way out and do the challenge in low gravity mode.

Come on guys!

This challenge is a piece of cake on Space maps.

In fact, we didn't mention space mode

because it was pretty obvious that we wanted you to do it in regular mode.

Here are the names of the team members who finished the challenge first…

in normal mode.

Now, let's watch them do it.

Well done to the team.

They're getting 200 thousand crystals to split among themselves.

For next week, we're going back to the regular video of the week task.

We want you to shoot a frag-movie on Serpuhov.

Use the Red paint.

You all like contests, right?

What about contests with BIGGER prizes?

Yeah, I thought so.

Here's something you're going to enjoy.

It's a Tanki quiz.

It's not very difficult, but it will take quite some time.

The first player who can finish the quiz and answer all the questions correctly,

will get 10 gold boxes.

Anyone else who answers all the questions correctly,

will get one gold box.

But there's more!

One randomly-chosen player from among those who solve the quiz,

will be getting an awesome mechanical keyboard, the BlackWidow V2 Chroma from Razer.

And now, something to think about.

We'll be choosing a winner

from among those who have answered all of the questions correctly.

This means that the fewer players there are with all the correct answers,

the bigger the chances of winning.

So, think twice before sharing the correct answers with other players.

We'll be announcing the results next Friday.

The link to the quiz, is in the V-LOG's description.

Also, next Friday,

we still haven't decided whether we'll be having a V-LOG or a live stream.

We'll keep you posted.

That's it for today guys!

Subscribe to our channel and press the bell button

to always get notifications about our new videos and contest results.

A week ago,

two Strikers fired their salvos at Wasp on the Space map.

You had to guess where the tank would stop.

The correct answer is — zone B.

Here are our winners!

Remember, to participate in the Question of the Week,

you need to use the special form.

The link to it, is in the V-LOG's description.

You'll need to enter your answer… and your nickname.

We randomly choose 20 winners from among those who answer correctly.

Now, here's the new question!

Tanki Online V-LOG: Episode 138 - Duration: 9:15.

-------------------------------------------

RUSSIA NEWS - PRELIMINARY DESIGN FOR FIFTH-GENERATION NON-NUCLEAR SUBMARINE COMPLETED - Duration: 1:54.


-------------------------------------------

Peugeot 208 1.2 VTI 82 PK 5-DEURS NAVIGATIE - Duration: 0:53.


-------------------------------------------

Latest news: Domenica In returns with Pippo Baudo: here are the previews and the guests | K.N.B.T - Duration: 2:48.


-------------------------------------------

White Skin Cleansing Acne With Just One "Damaged" Cream - Duration: 3:48.


-------------------------------------------

Citroën Xsara Picasso 2.0I-16V DIFFÉRENCE - Duration: 0:59.


-------------------------------------------

SKAM // Smells Like Teen Spirit // Season 1 Trailer - Duration: 1:56.


-------------------------------------------

POP LATINO MIX 2017 - Daddy Yankee, Maluma, Shakira, CNCO, Nicky Jam, J Balvin, Wisin - Duration: 1:01:40.


-------------------------------------------

J Balvin , Willy William, Daddy Yankee, Enrique Iglesias, Nicky Jam, Farruko - POP LATINO MIX 2017 - Duration: 1:01:01.


-------------------------------------------

Kamen Rider Blade THEME SONG /仮面ライダー剣 OP cover by atsuki - Duration: 4:35.

All alone, your existence will one day change the whole world

Is what is here hope? Despair? Round Zero has already begun

The sin of not knowing and the trap of knowing too much; let's start moving before we can no longer move

A card turned over by the wind smiles as if telling a fortune

There's no way you won't waver, but even so, search for tomorrow

A dizzying fate, in an age that seems about to break

The trump card is inside you... turn it into sharpened courage, BLADE BRAVE

A place where morning comes once the storm has passed, even if it's so calm that nothing seems to change...

Neither maps nor even clocks hold any meaning; Round Zero has begun to walk

Whatever progress is made, some things never change; speak only the words that matter, your mind

Who is it that will protect a future that seems about to break?

Don't look away, lose your composure, it's enough to find your way to yourself

When this world's Mystery is unraveled

A message for everyone to find the answer that matters, BLADE BRAVE

The sin of not knowing and the trap of knowing too much; let's start moving before we can no longer move

A card turned over by the wind smiles as if telling a fortune

There's no way you won't waver, but even so, search for tomorrow

A dizzying fate, in an age that seems about to break

The trump card is inside you... turn it into sharpened courage, BLADE BRAVE

BLADE BRAVE BLADE BLADE BRAVE BLADE


-------------------------------------------

ULTRASEVEN THEME SONG /ウルトラセブン OP cover by atsuki - Duration: 2:44.

Seven, Seven, Seven, Seven, Seven, Seven, Seven, Seven, Seven, Seven

A far-off star is his homeland

Ultraseven, fighter Seven

Ultraseven, Seven, Seven

Advance! Even to the ends of the galaxy; Spark with the Ultra Eye!

Seven, Seven, Seven, Seven, Seven, Seven

Borrowing the name of Dan Moroboshi

Ultraseven, hero Seven

Ultraseven, Seven, Seven

Defeat it! The fire-breathing giant monster; Strike with the Ultra Beam!

Seven, Seven, Seven, Seven, Seven, Seven

It's the Miracle Man's number

Ultraseven, he's the ace, Seven

Ultraseven, Seven, Seven

Protect our happiness; Attack with the Ultra Hawk!


-------------------------------------------

Cyberattacks: The Weapon of Choice of Criminals, Terrorists and Spies - Duration: 49:02.

- Hello everyone

and thank you for joining us.

Tonight we're gonna learn that increased

reliance on the internet exposes us to threats

such as identity theft

and malware outbreaks

along with software and business attacks

which ultimately affect us all.

Tonight's speaker is William Ebersole

known by everyone as Billy.

I've known Billy for 15 years

and he has been a friend

to the Pennsylvania College of Technology

and has provided support

and guidance for our students.

Billy has been a special agent

along with the Federal Bureau of Investigation

for over 21 years.

He served in the Newark

and Philadelphia field offices

and has completed multiple overseas assignments.

Billy is a member of the Child Exploitation Task Force

for north central Pennsylvania.

He is also our local InfraGard coordinator

which is an FBI alliance

with academia

and private industry

designed to promote cybersecurity awareness.

Billy is a licensed attorney and CPA,

a certified fraud examiner,

and is now teaching at Penn College

as an adjunct instructor

in the accounting department.

Billy frequently presents on behalf

of the FBI on topics such as

active shooter, weapons of mass destruction,

and cybersecurity.

Tonight's presentation will raise awareness

of the need to maintain sound cybersecurity

practices at home

and at work.

Let's welcome Billy.

(applause)

- Good evening everyone

and thank you.

Tonight we're gonna talk about cybersecurity.

And it's an important topic to me

for a variety of reasons.

Not just because of my position with the FBI

but also because I had my records

breached a couple years ago

through a hack on the office

of personnel management.

Now, before we get into the presentation proper,

I'm required because of my position to make

a couple disclaimers.

One of which is tonight we're gonna talk

about my opinions,

not the FBI's opinions

or the US government's.

And number two,

tonight we're gonna talk about

a couple different hacks

from different countries.

And by no means do we mean to imply

that one particular country, ethnic group,

or religious group is responsible

solely for criminal activity.

It's something that affects us all

to include everyone here in the United States.

Now, we're gonna talk about why cybersecurity

is important.

We're gonna talk about the areas that we're vulnerable

and then we're gonna talk about

what we can do to protect ourselves.

And as we'll see,

it doesn't have to be a technical resolution.

In fact, I'm not a technical person.

We'll have a discussion about some behavior

modifications called cyber hygiene

and that'll help us be safe

in a computing environment.

Now, as I said a couple minutes ago,

my records were hacked.

It was personally identifiable information

that was compromised, PII.

And Professor Bock had talked about that

in her Colloquia

and how it's important.

When we talk about PII

we talk about our name,

our date of birth,

our social security number,

and other unique identifiers.

And we use this information

to file our taxes,

we use it to get loans,

we use it sometimes for healthcare treatment,

and we use it for travel.

And when that information gets compromised,

it could potentially affect us

in all of those arenas.

So, after my records were hacked,

I thought well let me embark

on some kind of journey

to figure out what I can do

to protect my records

and ultimately what I can do

to help protect the community

in my position with the Bureau.

Now, those of you who are in the 50 something

generation should remember that iconic

early 1980s movie called War Games.

And who could forget that digitized voice

that came across the screen

and said shall we play a game?

Now, that's Hollywood's depiction

from many years ago

of a hacker.

And within that depiction we have

a high school student who inadvertently

triggers some events that might lead

to global thermonuclear war

between the US and Russia.

And he did it with only a few keystrokes.

And that's the representation of Hollywood

which is not accurate.

As I began my journey,

I found a very good book

called Cybersecurity

and Cyberwar:

What Everyone Needs to Know

and it's by P.W. Singer

and Allan Friedman.

And that's gonna bring up some very important

points in our discussion tonight.

The most salient point that Singer

and Friedman brought up for me

was that safe computing is more about

a behavioral change than implementation

of new and sophisticated technology.

So, before we get into the presentation,

we have to kind of define a couple of items

that we think are important.

And the first one is the internet of things.

And that is the term that applies to the billions

of consumer devices that are hooked up to the internet.

For example, a security camera in your home

is hooked up to your smartphone.

Or perhaps your refrigerator has

a camera inside it

and while you're shopping you can check

on your smartphone to see what kind

of groceries you need

and what kind of groceries you

don't have in your refrigerator.

These consumer devices are built

with efficiency in mind.

They're not built with safety

and security in mind.

The more devices that we have hooked

up to the internet,

the more cybersecurity incidents are gonna happen.

When you connect to the internet

we refer to that as an attack surface.

And everywhere that you have an attack surface

is somewhere a hacker can penetrate.

And so, we want to talk about minimizing

our attack surfaces out there.

Now, the internet of things has done

an awful lot of good

and I don't mean to cast aspersions on it.

It's done a tremendous amount of good

in the area of medical technology

and it helps our physicians

and other medical professionals

take care of us from a distance.

But there's been a lot of phobia

in that area

and that phobia hit a high point

back in 2007 when then vice president

Dick Cheney had the wifi on his pacemaker

turned off because he was afraid

a hacker could get in

and alter the pacing of his pacemaker

and potentially get patient information.

Now, thankfully the Food and Drug Administration,

the medical profession,

and private industry

have done a lot to help minimize that type

of risk in the medical area.

But there's another area with

the internet of things that I want to talk about.

And I think it's important to us

in the Marcellus Shale region.

And that is a SCADA system,

supervisory control and data acquisition system.

These are computers that form part

of what we call a cyber physical system.

And by that I mean,

you have a computer that controls

a physical process.

So, you will see SCADA systems

on nuclear plants,

on dams,

on the electric grid,

and even on pipelines.

Now, with regard to a SCADA system,

they're particularly vulnerable.

One of the reasons is,

many folks who implement them

in private industry don't change

the default passwords

that they get from the manufacturer.

That vulnerability is so notorious

that in January of 2016,

a team of Russian scientists published

the top 100 passwords for SCADA systems

on the internet in the hopes

of getting the manufacturers

and other members of private industry

to change those passwords.

Another reason these are more vulnerable

is because more often now

they're hooked up to the internet of things.

So that the remote pipelines can

transmit data to a host system

perhaps say down in Houston Texas.

And finally,

many of these systems are designed

to last for a long time.

And what happens when you have a particular

system for a long time?

You have to replace various component parts.

And unfortunately,

the component parts aren't always compatible.

They're not always from the same manufacturer.

So, what happens is,

the inability to do a blanket

or comprehensive patch or update

to the security of any particular system.

And we'll talk about pipelines a little

bit more in the presentation.

Now, I want to talk about the internet.

And frequently you will see the internet

depicted as an iceberg.

On the top, on the surface,

is what we call the surface web.

That's where we go.

We use Google and other types of search engines.

So, if we wanted to look up Penn College,

we can do a Google search for Penn College

and that web page is indexed

so that Google can pick it up.

Underneath the surface web,

it's estimated that the internet

is about 500 times as big.

Part of that is the deep web.

And there's not anything necessarily bad

about the deep web.

It's just set apart,

it's a little bit different to get to,

you use a different type of search engine.

And it's where academics

or private industry

or maybe even the government

store voluminous amounts of records.

A subset of the deep web

is called the dark web.

And for government agents,

that's where we have a concern.

It's estimated that about 80% of the traffic

going to the dark web

is comprised of pedophiles.

And that has our attention.

Now, the deep web

and the dark web are a little bit different.

You get to them in a different area.

But for tonight's discussion,

we'll consider it somewhat of a subset

of the deep web.

Now, we have Bitcoin

and there's been a lot about Bitcoin in the news.

It's a type of cyber or cryptocurrency.

And I wanted to explain that term

for a minute.

This may seem foreign

but Bitcoin and other cyber currencies are digital.

They don't have tangible form like a $5 bill

or a quarter.

It might seem odd to us

but we've been using that form of currency

for a long time.

If you go to a hotel

and you stay a couple nights,

you get hotel points.

And perhaps after a year or two

you might build enough nights

to get a free night's stay

at whatever chain you choose.

Those hotel points have some type of value

from an economic perspective

but they're not necessarily something

you would trade each

and every day in normal locations.

With regard to Bitcoins,

they're entirely digital.

And it's part of a process.

They're created through a mining process

in a volunteer network of computers

and they're being used more and more

somewhat here in the United States.

But by design,

they're made to be secret.

It's very difficult to detect

the origin and transactions

in Bitcoins because they don't go through banks

like a normal financial transaction would.

And there's a reason why our folks

on the dark web will use cryptocurrency

like Bitcoins.

And this is an example of a ransomware message.

This is a message you might get

on your computer screen if you've been compromised.

And basically the attacker is telling you

if you don't pay us,

in this case $200,

we're gonna encrypt all your files

and you won't be able to decrypt them.

Now, it purports to be from the FBI

and it's telling you that we've identified

child pornography on your computer

as well as some other types of unpleasantries.

I can assure you, number one, the FBI,

if we suspect you have child porn

on your computer,

we won't be emailing you about it,

we will be showing up at your residence.

And number two,

if we suspect you have child porn,

we will not be asking you to pay

the paltry sum of $200.

There'll be much more significant consequences.

But this is a message you will see on your computer

screen if you're hacked.

And what the folks want to do

many times is have you pay in Bitcoin

because it's a little bit more difficult

to track the finances when the payment's

made in Bitcoin on the internet.

Not only are computers susceptible to ransomware

but also smartphones

and potentially smart TVs

which would be a very big tragedy

in my household.

Another thing we want to look at

is what's called advanced persistent threat.

Unlike what we saw in the movie War Games,

an APT is gonna be state sponsored

or state acknowledged, state supported.

Or it will be part of a very sophisticated

criminal ring.

Advanced persistent threats are not

your high school hackers.

They are folks who are focused.

They're not going into a system willy-nilly

and trying to take all kinds of records.

They're going in for a very precise reason

and we'll talk in a minute.

I think a lot of that is financial in nature.

They are persistent which means they maintain

their presence in your system

for a long time.

We have seen APTs last in a system

for over four years.

Their motivation,

it could be the gathering of intelligence.

Not just say military intelligence

but from our perspective financial intelligence.

And finally,

are these folks sophisticated?

The folks who use the advanced

persistent threat malware?

Well sometimes they are but not always.

Time after time,

one of the most significant

and successful techniques is spear phishing.

And that's where you get that unsolicited email

which says perhaps you're getting some free software

or maybe the answers to your test,

or some free music

and all you gotta do is click

on this document.

And when you click on that document

a file begins to execute

and your computer is now compromised.

This is one of the single most successful

techniques in the hacker's quiver.

And the reason why is because it works.

These folks are very good at crafting

the email and getting your attention

and not appearing to be hackers.

Now, we want to talk about the onion router.

As I said before,

the dark web is accessed a little bit differently

than you would do a Google search

or go to the deep web.

And one of the ways you can access it

is through the onion router.

And that's basically free software

that you can download from the Tor project

install it and you can go

and communicate through a volunteer network

of computers.

You're not gonna be communicating

through particularly like a server here

as we have in Penn College.

That communication that you will use is encrypted.

And it's encrypted like an onion.

There's multiple layers

and as the communication goes

from computer to computer to computer

it is slowly removed

hence the analogy towards an onion.

Now, Tor itself isn't all that bad.

It was developed by the United States Navy

and it was given an award a couple years ago

for outstanding free software

because it facilitated the communication

of over 20 million people who live

in repressive countries

and don't have access to the internet

like we have here in the United States.

But to a federal agent,

Tor suggests the presence

of something potentially nefarious.

Not always,

but sometimes it could lead,

for example,

to a pedophile.

It could lead,

for example,

to a person who's buying drugs

on the internet.

And one of the famous cases,

which was originally worked in this area,

was called Silk Road.

And the investigative task force

was down in the Baltimore area.

Basically a young man put up

a marketplace on the dark web

and in about a year and a half

almost two years he serviced

over 100,000 customers.

Folks went there to buy drugs and poisons,

to get murder for hire,

they bought prepackaged malware

that they could use against someone.

And after a period of time,

the entire government at all levels

came together and took down Silk Road.

Silk Road was accessed using the Tor browser.

Now, when we talk about cyber crime,

we look at the computer in one of two manners.

Number one,

the computer is the instrument

of the attack.

Or number two,

the computer is the victim of the attack.

In recent memory,

our most significant cyber crime case was Target.

Over 100 million people had their personally

identifiable information compromised.

40 million debit and credit cards

were compromised.

Some incredible litigation

in a variety of venues.

What most folks didn't realize

is Target wasn't the initial point of compromise.

There was an HVAC company here in Pennsylvania

and unfortunately an employee

unwittingly opened a spear phishing email

and that released the virus.

This HVAC company was providing

climate control services for all

the stores nationwide.

And the attackers were able basically

to get into the Target system

through a back door.

Now, Target went out

and had Verizon, the phone company, do a study.

And Verizon does an awful lot

with data breach investigations.

And Verizon found a number of issues

but two of which are important tonight

because they come under the rubric

of cyber hygiene.

They found that Target was using

weak or default passwords.

And another issue they found

was that Target wasn't updating

their security software.

And we're gonna talk about the importance

of that in a minute.

But another researcher found that Target

put an awful lot of information online

to help the vendors

with the best of intentions.

But that the attackers were able

to use that information

and learn about Target's internal systems.

When we had the Colloquia,

The Good, the Bad, the Ugly: Social Media,

one of the lessons that we learned

was sometimes we put too much information online.

So, as we talk about cybersecurity

and the need for passwords

and patching,

we also want to be very considerate

as to how much information we put online.

And remember that that stuff stays online forever.

Now, when we talk about terrorism

we talk about the use or threatened use

of force to advance some type of social, political,

or religious agenda.

Most folks,

when they talk about terrorism,

what comes to mind is some kind of violent action,

an explosion, a shooting, a sniper,

things along those lines.

In Bruce Willis' movie Live Free or Die Hard,

some of the opening scenes depicted

a terrorist group that wanted to eliminate

a particular victim so they rigged

the victim's computer

to blow up once log in credentials were entered

and ultimately the victim was killed.

Thankfully Singer and Friedman have pointed

out that no one has died from a terrorist

attack directly linked to a computer.

Now, Doctor Sinclair, in her Colloquia,

talked about social media

being used to facilitate propaganda

for terrorist groups.

I want to talk tonight about facilitation

and about planning as aspects of terrorism.

Ardit Ferizi is a very unfortunate case

and it's a very recent case.

At 21 years of age,

he hacked into a US-based server.

It was for a retail outlet

and Ferizi got the personally identifiable information

of 1300 government employees.

Employees of both the civilian

and military side of the government.

Ferizi got this information,

he put it on the line

and he sent it to Junaid Hussain

who was an ISIS recruiter over

in the United Kingdom.

And basically they put it online

as a cyber hit list

or these are the targets that some

folks may want to take advantage of.

The personally identifiable information

was the government employees' names,

potentially addresses,

and other relevant data.

Fortunately, it was taken down

and Ferizi was arrested.

This past September,

very unfortunately,

Ferizi was given 20 years in jail

as a 21-year-old man.

So, he has the best part of his life

he'll be spending behind bars

in a federal situation, a federal prison.

Hussain was subsequently killed

in an air strike.

Out of that investigation,

one of these postings was developed.

And it's public source information

and I wanted to bring it to our attention.

"We are in your emails

"and your computer systems

"watching and recording your every move.

"We have your names and addresses.

"We're in your emails

"and your social media account."

And, again, this is an admonishment

from a prior Colloquia,

The Good, the Bad, and the Ugly.

We are putting way too much information online.

In fact, in 2003 US forces were covered

in an Al Qaeda training manual.

And within that training manual,

there were indications to new adherents

that 80% of what you will need

to effectuate an attack

you can find lawfully online.

You don't need to hack in to get it.

Now, another area that we want to talk about

is our infrastructure.

And this comes under the rubric

of terrorism and planning.

Singer and Friedman noted that between

2011 and 2013 there was a 1700% increase

in the scanning of the computer systems

associated with our critical infrastructure

like pipelines,

and the water companies,

and the electrical grid.

And the scanning is nothing more

than a digital attempt

to identify vulnerabilities

in someone else's system.

In the Marcellus Shale region,

we have 17 pipeline projects

that will be completed within

the next year or two.

Approximately 17 and a half billion

cubic feet of natural gas

will be moved every day

from this region

to local power plants,

to ships where it's gonna be taken overseas.

And a significant cyber attack

or an attack that will shut down

an entire company's traffic

will cost an approximate $8.5 million per day.

Now, I don't mean to imply

that what we have to worry about here

is a physical assault on the pipeline.

But about 50% of the cyber attacks

in the energy arena target the SCADA systems.

And what's significant about the SCADA systems?

Well, it could be a back door

into your information technology systems.

And that's where the attackers can get

what I call intellectual property.

The vendor list,

a significant process,

a customer list.

This is information that is very important

to our private industry counterparts.

I didn't want to cause too much unrest

when I talked about the pipelines

and I thought we would look at a rather

heinous example where some hackers hit

an electric grid.

This was in December of 2015.

In fact, it was December 23 of 2015.

Hackers hit three electric companies

in the Ukraine.

The result of the hack affected 225,000 people,

spread out over about two dozen substations.

So, basically over 200,000 people

were without power for a couple days.

What made this attack even more heinous

was the attackers followed up

with a second cyber attack.

And what they did was a distributed denial of service

attack on the electric companies' phone system.

So, what that meant is they had a network

of computers sending meaningless data

to the phones for all the electric companies involved.

So, any time you called after your power went out,

you would get a busy signal.

And that caused a lot of anxiety.

But then again after two or three days

it was up and running.

And thankfully our private industry counterparts

prepare for this type of activity each

and every day.

Now, when we talk about cyber espionage,

what we're talking about is using a computer

to unlawfully gain the intellectual property

of someone else.

Now, we talked about Verizon

and Verizon did a study of the 2015 hacks

and they published this study in 2016.

And what Verizon found was over 80%

of the confirmed attacks in 2015

had some type of financial

or economic espionage motive.

And they also found out that 83%

of the hacks in 2015 could have been prevented

by employing a patch which

was readily available at the time of the hack.

And about 60% of the attacks

involved a default, a weak, or stolen password.

Now, when we talk about hackers who are interested

in the energy arena,

what comes to mind is the Night Dragon malware.

And this is just a graphic representation.

But Night Dragon was designed years ago

to penetrate financial institutions

and steal financial information.

But the developers of Night Dragon realized

it was like a Swiss army knife.

It had multiple uses,

it could work in multiple arenas.

Night Dragon is a thief.

Night Dragon is not a destroyer.

You deploy Night Dragon

to develop information

not to shut down someone's computer,

not to shut down their network,

and not to deface their website.

Night Dragon is credited

with stealing billions of dollars

in intellectual property

from the Defense Department,

the defense industry,

IT industry,

and also the energy industry.

Now, we've talked about some of the threats.

Whether it's a crime,

a terrorist group,

or a spy.

And in particular,

I think the areas we want to be concerned about

are protecting our infrastructure

and also protecting our company's

intellectual property.

Because they work hard

and their efforts are certainly part

of our national security fabric.

I'm not a technical person.

But there are ways we're gonna talk about

called cyber hygiene that will help us

protect a wide variety of our resources

from some of the threats we talked about tonight.

Number one, passwords.

We want to have strong passwords.

And notice I didn't say long passwords.

Cause you know what happens when people

have long passwords?

They write 'em down.

And then they get the yellow sticky note syndrome.

That means they have a fabulous password

that's on a yellow sticky note

which is posted on their monitor

and everyone can see it.

So, you want to avoid the long passwords

but you want to have a strong password.

Which means you use uppercase, lowercase,

maybe a number or two,

and you also want to use a special sign

like a pound sign or a dollar sign.

And you want to change your passwords frequently.

The NSA recommends that we change passwords

about every 90 days

and that we don't use the same password

in a two year period

or a three year period of time.

Now, another thing you want to do with your network

is count your devices.

So, if you go home tonight

and you have your own little network,

and you know you have a laptop,

an iPad, a wireless computer,

you want to go in and check your network

to make sure that you just have three devices.

And that you don't have a neighbor

or someone driving by using your wifi.

If you have an extra device,

you have an extra attack surface.

And really this is an issue

for the least common denominator.

So, whichever device has the least security

that's the device that'll get compromised.

So, you would hope that your network

is secure but maybe that person

from the neighborhood who's invading

your network doesn't have the same level

of security as you do.

And another thing you want to do

is configure your devices.

So, when you buy that new router,

you come home,

you change the default password.

And make sure that you have a unique password

because these folks know the technology

and they know the manufacturing passwords

that are installed.

You also want to limit what you put

on the internet.

As I said a couple times,

and as was discussed in a prior Colloquia,

we want to make sure that what's out there

is an accurate representation

and cannot be used against us.

And, in particular,

social media.

Another thing we want to do is watch our children.

I am convinced that anyone under the age of 18

should not be alone with a computational device.

As Professor Bock said,

I'm part of the child exploitation task force.

We deal with online predators

and these subjects are as savvy

and as manipulative as any serial

killer I've ever come across.

They are master manipulators

of circumstance and people.

And we don't want our children exposed to that.

Another thing we want to do is update and patch.

And you see there a quick message on the screen

that it's time to update your phone.

That's a very frustrating message to get

especially when you're trying to dial

make a quick call

and get done with your business.

There is a reason why software manufacturers do patching.

When a software manufacturer identifies

what's called a zero day exploit,

where it's a defect in the software

that has not been known before,

the software manufacturer wants to protect you.

So, they develop a patch

and they get it out right away.

And the reason why they want it out right away,

is because the bad guys,

the hackers,

are looking for zero day exploits.

Which they will take advantage of

or they will sell on the dark web

to someone else to take advantage of.

And finally,

what we want to do is repeat.

We want to do all of these steps

over and over again.

Having a secure network tonight,

does not guarantee next month

that you'll have a secure network.

So, you want to make sure

you update your patch,

you change your passwords,

and you follow good computational practices.

Now, I did a little research quick

to find the top passwords for 2016.

With the idea we want to avoid all

of those in 2017.

Because they're already well known

in the hacking community.

And I put a couple of these here tonight

to talk about 'em real quick.

Number one, password.

Or any logical combination thereof,

like password1234, password6789.

Definitely one you want to avoid.

Number two, 123456,

or any logical combination thereof, like 654321.

Another one, letmein.

Way overused in 2016.

My personal favorite,

trustno1.

And finally, qwerty.

Anybody know where that password comes from?

(inaudible)

The text on the top part

of the keyboard with your left hand.

Now, Singer and Friedman talked about

the value of information sharing.

In 2008, there was a study where a number

of IT security firms came in

and looked at a number of banks.

In particular, the bank's exposure

to spear phishing emails.

And at the end of the study,

the IT firms concluded that if they were able

to share all of their information

with all of the banks,

they would have collectively saved about $330 million.

And that is just in the arena

of dealing with spear phishing emails.

Now, here at Penn College,

we host InfraGard

which is our forum,

on the federal government level,

of sharing information.

We have manufacturers,

we have healthcare,

all the aspects of private industry,

the banking industry,

and also the government.

And we are having a security seminar June 2

here at the student servicing center.

And I would encourage all of you

if you have information

or you want to learn about this arena,

to come out on June 2

where we'll openly discuss issues.

A lot of times folks are a little bit

concerned about sharing security issues

with the government

because they don't want to get into trouble.

But this forum here

which is facilitated by Penn College,

is very useful

and it's a non-judgemental forum.

And it's also a great way

to meet a potential new employer.

Now training is another thing

that Friedman and Singer brought out.

And I've been very lucky over the past several years

not only to be part of the accounting department,

but also to be part of the IT department

on their advisory board.

We have a wonderful information security

assurance program and our students

are graduating getting tremendous jobs.

They're some of the best equipped

in the arena

and that is something for this school

to be very proud of.

It is projected by the year 2020

that we will need 1.4 million students

who are technically competent

in the arena of cybersecurity.

However, only about 400,000 of those graduates

will meet that standard.

And what does that say to me?

Well, the rest of us,

we need to engage in a little bit of cross training.

So, whatever our major is,

whatever our background is,

whether we're in school or out of school,

we need to learn some of the basics

about cyber hygiene.

Protecting our passwords,

updating our passwords,

and making sure that we employ those patches.

Now, as I transition into the next part

of the presentation,

I just wanted to let you know my references here

are posted; they're part of the PowerPoint.

It was a very interesting study

for me to engage in

and if any of you especially the students

want to follow this type of academic pursuit,

certainly feel free to access these resources.

(applause)

- On the subject of password requirements,

do you feel that websites that require certain

links or certain characters in their passwords

are causing more of a problem with security

since they're expecting those characters

for those websites' passwords?

- Well, that's kind of a broad question.

We'd have to look at the individual websites

and don't forget in my capacity

I can't say what's a good practice

or not a good practice per se officially.

But I think it's up to the individual website

and how they implement that protocol.

- Can you speak specifically to a cyber hygiene

in light of the current precedence

on leaks of domestic intelligence programs?

- Well, I don't know that both would be related.

Cyber hygiene is going to prevent someone

from accessing your information.

When you're talking about that other area

with leaks and all of that,

that's a little bit far afield because

you're talking about an intent.

And that becomes a crime.

And in addition to that,

if there's something that's pending investigation,

or prosecution I wouldn't be able to talk about it.

But I see the cyber hygiene as something

that we can all use to protect ourselves.

When it comes to the leaks,

that's another arena because you stepped

over a criminal line there.

- You talked about like a joint effort

to close down the Silk Road.

And you also talked about the protection

of children over the internet

which I completely agree with.

Current statistics show like over 52%

of men currently watch pornography.

Why hasn't there been like a co-joint effort

to at least a percentage of pornography websites

by the US government?

- Well, the US government would investigate

acts of a criminal nature.

And pornography is not considered a crime

in and of itself.

The depiction of minors in bondage,

being tortured,

in sexually explicit positions,

being raped,

that is considered a crime in this country

and that's where our resources are directed.

- A pattern that I've noticed

is that a lot of people with social media

are putting updates as to what they're doing

every three to five minutes it seems like.

And generally speaking I'm always trying

to tell friends of mine that they need

to stop doing that.

Is there any advice that you have that

I could offer to them to try

and convince them to stop giving so much information?

- With regard to social media,

you have to remember,

number one it's out there

and it's gonna be out there forever.

Even if you think it's deleted.

Number two,

all of us will go on to apply for jobs.

And more and more not just in the government

but private industry

is looking into social media

before they hire someone

or before they promote someone

to a key position.

So, you want to make sure

that you present the most professional

image of yourself on social media.

I know Congress is looking to pass legislation

for any federal agent who keeps

a security clearance every five years you have

to turn over your social media

login credentials

and our security squad will take

a look at it to make sure that

you've engaged in proper activity.

So, I would say from an economic standpoint,

you want to make sure you're

a viable candidate for employment.

Cause it's a tough market.

Don't let something crazy on social media

knock you out of the picture.

- Sidebar, in addition you also want

to take a close look at the privacy policies

of that site.

And check through what you want released

to the public.

So, that's something else you can do

and also it's good to try to educate your friends

cause that's another job we want you to do

is share this information

to your friends and family.

- So, there are children who have grown up

their entire life being online.

So, it's just kind of accepted

for them to do whatever.

Do you think schools should have a more active

role in telling them how much

it will impact them later on in life?

- Yeah, I think schools should.

And I can tell you,

I had an eye opener about a month ago

with my son.

We were talking to him about internet safety

and I think it was in the context of Minecraft

or something like that,

and he told my wife,

I'm not putting my date of birth in there,

I'm changing it by a year

and a month.

And this is someone in elementary school.

So, I think our schools are realizing

the importance of that.

And giving the kids some of the tools

they need to stay safe.

- What would be your response

to someone who says I have nothing

to hide and therefore they don't

use strong cyber hygiene?

- Well, that would be a mistake.

And it's also job security for myself

and Professor Bock.

It's not what you want to hide,

it's what you want to protect.

So, if they get ahold of your name,

your date of birth,

and your social security number,

they're gonna go out

and take out credit cards in your name.

They're gonna take out student loans in your name.

They're gonna travel in your name.

They may commit a crime in your name

and then the local police department

issues an arrest warrant in your name.

And if you get caught running through

a traffic light or a stop sign

it will take someone like me

a day or two to straighten out

what should be in your name

and what should be in the criminal's name.

And that typically is a day or two

while someone's in jail.

So, I would say even if you don't think

you have anything to lose,

your credit, your credit score is invaluable.

Protect it.

- So, I wanted to ask since you were talking

about the dark net and everything,

and you were discussing how Silk Road

was closed down.

But there have been many reiterations

of Silk Road ever since the main one was shut down

and there's also tons of other illicit

marketplaces on the dark net,

such as assassinations, drugs,

child pornography, things like that.

Basically what I wanted to ask is

do you think it's at all possible

that all of this could be eradicated?

Or will there always be something

of this type existing online

just because of the anonymity provided

by Tor and just how difficult

it is to track these individuals down?

- I don't think we'll ever eradicate it all.

I think we can give best efforts

and typically law enforcement resources

are directed at the worst offenders.

And with Silk Road,

the founder was Ross Ulbricht

who had some connection to this area years ago.

But there was some murder for hire

allegations that surfaced rather quickly

and that's what caught

the government's attention very quickly.

So, certain websites

and certain marketplaces will garner

the government's attention

a whole lot quicker than others.

- Alright, so you talk a lot about

our government doing things for this and that.

What are other large countries

and states doing to help with this?

And is there any enemy states that

we're working against on this topic?

- Well, that's a very good question

and we do have quite a few partnerships out there.

The United Kingdom is a tremendous ally.

I have worked personally with various

governments over in Eastern Europe

because a lot of that comes

from that particular region.

If you look online

and you Google search the term hackerville

that will take you to a very specific

town in Romania where they just

do incredible amounts of targeting

in particular US interests.

We do get cooperation from a wide variety

of governments and that's consistent

with any other criminal enforcement.

Whether it's drugs, terrorism,

or the hacking,

it's dependent on a government by government basis.

And yes, some do cooperate more than others.

- You talk a little about the dark web

and policing things on there

and I understand a little of the operations

involved in that are involving multiple countries

and things that are pretty much globally illegal

but what do you do about things that are legal

in other countries?

For instance,

where it's hosted but not in America?

- Well, you're gonna be judged by the laws

of this country if you are in this country

and you're engaging in activities that will

not be legal in this country.

For example,

we will have folks that travel

to certain countries

to engage in sex with minors overseas.

That is specifically illegal,

Congress has passed statutes

and it is enforced.

So, even though you haven't committed

the conduct here,

Congress has realized your activity

is extremely problematic

and they will not tolerate it.

So, there might be specific statutes

that address a variety of concerns.

But also we're gonna be looking

at what you're doing on US soil, as well.

- In the context of default passwords

and usernames from vendors,

do you think vendors are doing enough

to inform users that they have to change

their usernames and passwords?

Or do you feel like they're actually

educating their users enough

or do you think that falls onto the consumer?

- I think there should be more vendor education.

I think Professor Bock agrees.

- We were just,

when he showed that 10 top passwords,

if you were just to go home

and Google default passwords,

nothing fancy,

you'll see lists of default passwords

for all types of devices

that are used in networking,

home devices, routers, switches.

So, they're out there

and there's no big secret.

So, it's a good question.

- Any other questions?

- How do you feel about Anonymous?

- How do I feel about Anonymous?

It's job security for me

and many of my coworkers.

I do not agree with any vigilante.

At the time where we distrust our government

and we take law enforcement action into our own hands

we get a corrupted result.

So, I would disagree with vigilantism.

- Thanks, Billy.

Appreciate the time.

Want to offer another idea with regards

to cyber hygiene.

We can take the time and the effort

to put in good strong passwords

but we don't always know what the websites'

and the different locations that we're going to

actually or how they use that material.

So, one of the things that I've gotten

in the habit of doing

is I use a neutral password

that I know is a temporary password

and I will immediately request a return on

my forgot my account.

And I see if they send it back

to me in clear text.

Because if they're sending my password

back to me in clear text,

they're probably abusing

the rest of my private information, as well.

And I don't walk away from those sites,

I run.

So, take a look at how you have

to reset a password

and that will often give you

an idea of how that website

is manipulating your own data

or their data that they're using.

- Very good.

- In terms of the OPM breach,

I had my PII compromised, as well.

Have we seen the,

it was supposedly a Chinese hack,

have we seen them use any

of the PII gathered in that breach?

- Thankfully I have not seen it.

There are some movements where

they've allegedly arrested some.

I'm not familiar with that aspect of the case.

But when you compromise that volume

of data the next logical question becomes

how do you use it?

How do you exploit it?

Are you capable of exploiting it?

So, I think there might be some success

with the exploitation

but the follow up

and the ability to use it

in a logical manner might be

hampered somewhat there.

That's my own suspicion.

- They offer a little identity theft

protection on the back end.

Still offer that I know of.

So, but you should be vigilant, too,

and check your credit scores

and some other things

that you can see in the background

to see if things have changed.

- So, I'm not sure if this is directly connected

but what are your thoughts on SJ Res 34?

The bill signed today by Trump

allowing ISPs,

they no longer need consent to sell consumer data

or browser history.

- That would be a little bit frustrating.

I was not aware that passed.

But it would be frustrating

and it may be in contravention

of other federal statutes,

like Gramm-Leach-Bliley

where financial institutions have

to have your permission to do it.

So, we'll see how far that goes.

- Just to touch up on that, too,

because I was reading about this

this morning.

I think the issue for Congress

with that was their argument was that FCC

overstepped their authority when they

tried to institute the rules.

So, that Congress' argument was that that

has to happen through Congress.

- Separation of powers argument.

- Yep.

- So, it's great to have difficult passwords

and numerous passwords

but there's so many websites out there

nowadays it's hard to remember those.

So, I've started using a password manager.

What are your thoughts on that?

Cause while it uses a very strong password

to access the manager,

and they're stored supposedly securely,

it does put all your eggs in one basket.

- It does seem like a very good idea.

It's recommended by a wide variety of folks.

It's something I may implement

on my end, as well.

- So, following up with Brad there,

and using a password locker,

I've come into the use of,

I have one or two or three very secure passwords

and then I add in kind of an encrypted

form of the website that I'm on.

So, for example,

for Facebook,

I might take out all the vowels

and use my secure password.

- Not anymore.

- That wasn't what I use,

but that was just an example.

Would you condone that type

of password protection?

- That sounds pretty good.

But one thing I'll tell you watch

is make sure you're not mixing.

So, if you have passwords for work

keep them separate for personal passwords.

So that if you have a compromise at work

your personal info is not compromised.

So, just near the (inaudible),

keep 'em separate.

- Again, I'd like to give Billy

a round of applause

for a wonderful job.

(applause)
