Karim Hijazi (@karimhijazi) is the founder, chairman, and CEO of cyber intelligence company Prevailion, and creator and host of The Introverted Iconoclast podcast.
What We Discuss with Karim Hijazi:
- How vulnerable is the Internet and how much of our current infrastructure would suffer if it were to go down tomorrow?
- What are the biggest threats to the security of your privacy, your bank account, your company, and your country?
- How cyber warfare can lead to kinetic (i.e., real) warfare with physical consequences.
- Why the current efforts of companies and governments to mitigate digital security risks are woefully insufficient.
- What are our best practices for staying as safe from cyber attacks as possible?
- And much more…
As the founder, chairman, and CEO of cyber intelligence company Prevailion, and creator and host of The Introverted Iconoclast podcast, Karim Hijazi is one of the most skilled cybersecurity professionals in the game. In fact, he’s so skilled that criminals and even nation-states want him dead or at least out of commission.
On this episode, we explore the infrastructural weaknesses that make the United States extremely vulnerable to the whims of nationalist and mercenary hackers working for our enemies, how cyber warfare can lead to kinetic warfare that destroys property and people in the real world, why sometimes the best defense is a potent offense, and much more. Listen, learn, and try not to panic!
Miss the show we did with award-winning cybersecurity journalist Nicole Perlroth? Catch up with episode 542: Nicole Perlroth | Who’s Winning the Cyberweapons Arms Race? here!
Resources from This Episode:
- The Introverted Iconoclast Podcast
- A Next-Generation Cyber Intelligence Company | Prevailion
- Karim Hijazi | Twitter
- Karim Hijazi | LinkedIn
- How Enemies Infiltrate and Wait | Prevailion
- The Ransomware Nightmare | Prevailion
- Discovery of the Metulji Botnet | CNN
- Storm Botnet | Wikipedia
- The Facebook Outage Wasn’t a DDoS Attack, But it Shines the Light on Digital Resilience Planning | A10 Networks
- Hacks, Scams, and Attacks: Blockchain’s 2017 Disasters | CoinDesk
- Oliver Bullough | Why Thieves and Crooks Rule the World | Jordan Harbinger
- A Close Look at Russia’s Ghostwriter Campaign | Dark Reading
- Julian Assange Accused of Conspiring With Anonymous Hackers | Time
- Anonymous and the Zetas Cartel Declare a Truce | The Atlantic
- First Malware-Driven Power Outage Reported in Ukraine | Security News
- What is a Computer Worm and How Does it Work? | Eye On Tech
- Russia Perfected Its Cyberwarfare In Ukraine — America Could Pay The Price | NBC News
- A Timeline of Russian Cyberattacks on Ukraine | WIRED
- What is NotPetya? 5 Fast Facts | Security Encyclopedia
- The Rise of “EoC” – Evidence of Compromise | LinkedIn
- Fight Club | Prime Video
- Nicole Perlroth | Who’s Winning the Cyberweapons Arms Race? | Jordan Harbinger
- New Cybersecurity Advisory on Protecting Cleared Defense Contractor Networks Against Years-Long Activity by Russian State-Sponsored Actors | CISA
- Richard Clarke | Defending Ourselves in the Age of Cyber Threats | Jordan Harbinger
- Karim Hijazi Discusses Second Solar Wind Hack | Fox Business
- The Dawn of Kinetic Cyber | Center for Secure Information Systems
- Hackers | Prime Video
- New Dangers of Working from Home: Cybersecurity Risks | Forbes
- Is Using a VPN Safe? | Forbes Advisor
- Belarus Hackers Attack Train Systems to Disrupt Russian Troops | Railway Technology
- The Art of War by Sun Tzu | Amazon
- How Russia’s War against Ukraine Could Make the Chip Shortage Worse | Vox
- Karim Hijazi Talks Colonial Pipeline Response | Fox Business
- Crackers Set Sights on Iraq | WIRED
- Bernie Madoff | Investopedia
- Inventing Anna | Netflix
- How Significant Is Russia’s Partial Ban from SWIFT? | The New Yorker
- LulzSec | Wikipedia
- Pegasus (Spyware) | Wikipedia
647: Karim Hijazi | When Cyber War Goes Kinetic
[00:00:00] Jordan Harbinger: Coming up next on The Jordan Harbinger Show.
[00:00:02] Karim Hijazi: Let's face the music now, guys, we're really in a position that's really, really precarious because there is a grenade under the bed and there was a string going out the window. And it's just a matter of pulling it. Imagine if we're really up for the end of the movie Fight Club, if you've ever seen the end of that, where literally the entire system goes down. That's not too far off from a cyber perspective, sadly.
[00:00:25] Jordan Harbinger: Welcome to the show. I'm Jordan Harbinger. On The Jordan Harbinger Show, we decode the stories, secrets, and skills of the world's most fascinating people. We have in-depth conversations with scientists and entrepreneurs, spies and psychologists, even the occasional Emmy-nominated comedian, mafia enforcer, former Jihadi, or a gold smuggler. And each episode turns our guests' wisdom into practical advice you can use to build a deeper understanding of how the world works and become a better critical thinker.
[00:00:51] If you're new to the show, or you want to tell your friends about it — and thank you very much for doing that — I suggest our episode starter packs. These are collections of our favorite episodes, organized by topic to help new listeners get a taste of everything that we do here on this show — topics like persuasion and influence, disinformation and cyber warfare, China and North Korea, crime and cults, and more. Just visit jordanharbinger.com/start or take a look in your Spotify app to get started.
[00:01:16] Today, a good friend of mine and a dangerous man, Karim Hijazi. He won't say this, but I will. He is one of the most skilled cyber security professionals in the game. In fact, he's so skilled that criminals and even nation states want him dead, or at least out of commission. Today on the show, we'll explore some of the biggest threats to the security of your privacy, your bank, your company, and even the country you live in. And we'll uncover what companies and governments are doing to combat this. And spoiler alert, not nearly enough. Also, how cyber warfare can lead to kinetic warfare. In other words, how what starts off as a hack can end up killing people and destroying huge, expensive things that we kind of need like seaports, electrical grids, and water systems. Last but not least, should we be hacking back at Russia and other countries intent on doing us harm? Why or why not? A scary but fascinating episode here with Karim Hijazi. Here we go.
[00:02:09] Interesting place to start because sort of just bantering pre-show but you were saying, "Yeah, what if the Internet goes down, it's going to change this business," but that's kind of like saying "Wouldn't a missile strike on the United States change this business?" Yeah, it would change everything because even people — I was talking to a buddy of mine who does like construction of things. And he's like, "Well, I don't need the Internet." And I go, "Well, how do people pay you?" "Oh, they wire me the money or I have like a Stripe account." I'm like, "Hello, all of this banking, payment systems, everything is reliant upon the Internet." And yeah, look, I could record phone interviews or something like that, which wouldn't be ideal, but that's the least of our concerns if the Internet goes down.
[00:02:49] Karim Hijazi: Well, phone systems go through the Internet now.
[00:02:51] Jordan Harbinger: Of course. Yeah.
[00:02:52] Karim Hijazi: They've done away with it. Everything is reliant on it. It's the most cost-effective. So they've sort of gone the most cost-effective route. And now, here we are potentially hobbled by that entirely. So that whole idea of that cloud infrastructure we were talking about before the show, if they all go down in unison and in symphony, we've got a massive problem on our hands. Not just because databases aren't accessible, that's not a geeky problem.
[00:03:14] This is an issue of medical records, water treatment facilities. Critical infrastructure rely on cloud infrastructure at this point. Yeah. I mean, I know I'm sounding a little silly here, you know, podcasting dies, oh god, you know, we're going to freak out. That's like the least of our worries. You're absolutely right.
[00:03:30] The screenshot I was going to send you last night prior to this, because I was like, "Look at this, Jordan," and I didn't. I figured we'd talk about it because who knows? We might be days away from something that feels more kinetic in terms of the attacks and everything that we've been sort of talking about for a few weeks now. And what everyone's been waiting and pending situation's going to be with Ukraine and Russia. So pretty terrifying.
[00:03:51] Jordan Harbinger: Yeah. We'll get to that in a bit. I want to back up a little, because as I'm doing prep for our interview, there's a few — you're on MSNBC and Fox and CNN all the time because of your work at Prevailion and your previous company. And I think it was you or a newscaster that said something like there's nation states that want you gone because of what you're doing. So why are you so dangerous to nation states and hacker groups?
[00:04:17] Karim Hijazi: Yeah, it's an interesting reason. My career has taken a lot of twists and turns, but it ultimately landed with my last company where I figured out a way, with the team to be clear, so I'm not taking credit alone here. They're wanted dead as well. That we could take over part of the infrastructure that the adversary set up and in doing so we can see what they see, which is in turn the victims, right? And now, we can deliver that intelligence to the victims directly and we can help remediate the problem. So we, essentially, thwart the efforts of the adversary rather than try to be defensive. Most cybersecurity for all these years has been essentially to build some bigger, thicker, taller wall, build a castle-moat strategy to the problem.
[00:04:58] My strategy was more on the offensive side of the equation, which is how about we go and insert ourselves into the communication channels of these bad guys and collect exactly what they're doing, what they're planning on doing. And by definition, I'm messing with their money, right? So it always comes down to that. I think every interview you ever do with anyone in these lines of work, if you're messing with someone's money, they want you dead typically. And now we're at a level with cyber where the money is so huge and impact on it can be pretty dramatic to the outcome of what these guys are expecting and these are big syndicates now. We certainly ruffled some feathers.
[00:05:35] And now, I've started a second company that does that in a more extended capacity where I can actually deliver intelligence on the supply chain risk. So I can help an organization preemptively, not even get compromised if they'll take the intelligence that I have around their partner ecosystems. So I'm kind of one step ahead of these bad guys, which really irritates them because they're so used to being ahead. I mean, Jordan, the asymmetric nature of bad guys is that they can always try fail, try again, and you know, fail again, and then finally get it right. Security, we essentially can never mess up. If you mess up once, it's all over.
[00:06:09] Jordan Harbinger: Right. They have to get lucky one time and you almost have to be consistently lucky. It's like the reverse of a police officer. My cop friends used to say, "Criminals have to be lucky every day, but I only have to get lucky once."
[00:06:21] Karim Hijazi: Yep.
[00:06:21] Jordan Harbinger: And that's how people get caught. It's kind of the opposite with security. Like you have to consistently keep people out of the castle. I love these explainer videos. This almost sounds like a corporate interview the way I'm about to do it, but I swear it's not.
[00:06:32] So Prevailion that the software and the company that you run now, the demo of it was really cool. And the explainer videos that I saw in some of the screenshots and stuff that I've seen, hopefully, I'm allowed to talk about that—
[00:06:43] Karim Hijazi: oh, yeah, absolutely.
[00:06:44] Jordan Harbinger: —were really interesting where like, you know, normally it's funny, there's this newscaster on, I forget what channel it was, MSNBC or something. He's like, "Well, aren't the companies in a better position to see what's on their network." And it's like, "No, what I'm doing is—" and I'm going to defer to you to explain this in a second here.
[00:07:00] Karim Hijazi: Sure.
[00:07:00] Jordan Harbinger: But what you're looking for is not something installed on the computer, like an antivirus software would, you're actually looking on the web for the pings that malware sends to control servers. So you're looking for the smoke from the fire. You're not looking for the fire. So if they hide the fire and they hide the heat, right? They're hiding the virus and the malware inside the system, they can do a literally perfect job of that. The problem is that software has to go, "By the way, I'm still over here in case you want to send me any instructions." And it has to do that at some point. And you're looking for those signals.
[00:07:33] Karim Hijazi: That's right.
[00:07:33] Jordan Harbinger: And when you get those signals, now you go, "Oh, okay. This is not only infected with malware. We get that. But it's also reaching out to this server. And so let's go into that server and see what's going on." And that server has logs of everything it's received from all its bots, right? From botnets.
[00:07:49] Karim Hijazi: Yep.
[00:07:49] Jordan Harbinger: And you can see everyone who's infected on the whole freaking Internet, which is insane.
[00:07:54] Karim Hijazi: That's right. And you know, I liken this. I'm a big cold war, '80s buff. And what I find really interesting is when you start to parallelize old school espionage tactics. So let's use something appropriate for today's world, Russian spy, physical human spy, makes his way into the US through a false identity, gets a job at the White House through a variety of social engineering tactics and falsified information, and is actually allowed into the offices. They're now able to steal things, but what they have to be able to do is call back to their handler, to use kind of an espionage term. That spy is a malware today. That handler is the command-and-control environment, literally. And that's another word they took from the military for cybersecurity.
[00:08:36] What we're doing at Prevailion is we're taking over the phone at the Kremlin that he's going to be calling from the White House. And so when we pick up that phone call from that spy in the White House, we're like, "So where are you? You're in the Oval Office. Got it, okay. Call me back. Give me a call in a few minutes." And we get them to call back over and over and over to where we can then indicate to the White House that there's a spy over the Oval Office. Go get it.
[00:08:59] So that's the equivalency on a human level that we're doing now. And now this happens at machine speed, right? So the problem is everything's gotten super time compressed for speed and the ability for a cybersecurity professional to really zero-in on that very quickly on the inside. Basically, someone has to stumble across the fact that someone falsified documents or the malware was clicked and phishing emails, in equivalency, now that takes a long time if ever to ever happen.
[00:09:24] The only way to catch it to your point is that Achilles heel of it communicating out. That communication need by that spy is how we catch them. And they really can't do without it. So it's not like these guys are like, "Oh, darn it, Karim and Prevailion forgot a way to get us." They're always going to have to use that. They're always going to have to have some means of communication with the outside world to complete their objective.
[00:09:44] Jordan Harbinger: Yeah, that was my next question is what if they just stopped the pings, but not quite that simple.
[00:09:47] Karim Hijazi: Right.
[00:09:48] Jordan Harbinger: It's kind of like saying, "Well, what if we just take the wheels off the car? Now what, smart guy?"
[00:09:51] Karim Hijazi: Yeah.
[00:09:51] Jordan Harbinger: Yeah.
[00:09:51] Karim Hijazi: Exactly.
[00:09:52] Jordan Harbinger: Okay. Got you.
[00:09:53] Karim Hijazi: You know, you're zeroing exactly the issue here that, you know, everyone asks the same question, which is, "Why aren't they going to figure this out and work around it?" There's conceivably some workarounds, but here's the reason they have to communicate with the outside world. When you break into a household, you need to get out of the house with your stolen goods to make it a fruitful effort, right?
[00:10:11] Jordan Harbinger: Mm-hmm.
[00:10:11] Karim Hijazi: So there's that obvious situation, which is if they're stealing material or intellectual property or they're encrypting something on the network, like in the ransomware situations, they've got to be able to either steal that information for extortion reasons or whatever the case may be.
[00:10:24] But the second reason why is that unlike the human spy analogy, think like the Mission Impossible movies where Tom Cruise could constantly put that mask on and change his face to any kind of spy he wanted to be. That's what malware is able to do electronically. It can change its shape. It's called polymorphism. And it literally can download a new version of itself and completely avoid detection. Because I think everyone knows what an antivirus is by now. What? 30, 40 years later.
[00:10:50] Jordan Harbinger: Sure.
[00:10:51] Karim Hijazi: Antivirus relies on signatures. It's the equivalency of a bouncer at a club, looking at you and looking at your ID saying, "Okay, I guess, this is who you are. You're allowed in." If I can change my identification or ID, off I go. I'm able to persist in these environments without ever getting caught, which is really fascinating.
[00:11:07] Jordan Harbinger: You don't want to put too many bells and whistles and backup plans on to these things, right? Because then it becomes easier to detect. You don't want to have it, "Oh, what? I'll also ping using the cellular network." Okay. So now, if I find a cell signal, I find this otherwise invisible thing. That's not going to work in every situation.
[00:11:22] Karim Hijazi: You're right. Yep. Too many modes of communication or an overabundance of communication if the cadence is really high, the frequency is really high, these are all like triggers that we'll look for to identify it, right? And that's typically what someone would do on the inside of a network. For us though, I don't care if it calls out once a month or every six months, frankly, as long as it calls back to its home base, if you will, which is what I've infiltrated, I'm able to see it. And that's what gives us the advantage over others.
[00:11:48] Jordan Harbinger: At one point you discovered the largest botnet in history, and I thought it was interesting that it had a Slovenian name. By the way, Slovenia is such a lovely place. I don't know if you've ever been there. Former Yugoslavia—
[00:12:00] Karim Hijazi: It's absolutely gorgeous.
[00:12:00] Jordan Harbinger: Kind of relatively untouched by the war. You don't think of that as, "Oh, this is where a bunch of criminal masterminds live," right? Like Yugoslavia maybe, yeah, but normally, when you think criminal masterminds of former Yugoslavia, I like to give the credit to the Serbs, the Bosnians, you know, like these are some crafty sort of guys that have also been through a lot of stuff, and countries that are torn by war often have higher levels of organized crime. Slovenia, it's almost like they dodged most of the bullets, literally. I guess the thing is they have tons of talent in that area of the world. And so you're going to have a criminal element that says, "Why am I earning money and then getting screwed over by trying to buy imports in euros when I can just steal tons of money and live well?"
[00:12:42] Karim Hijazi: That's exactly the reason. They're really talented, I have to say. I mean, it was interesting because it was called Metulji, which was this word, which is Slovenian for butterfly. And it was a take on the formerly largest botnet ever. We call it Mariposa, which is Spanish for butterfly. And so we sort of said, "All right, well, we'll just kind of put a spin on it and call it that."
[00:13:01] But yeah, it was fascinating. It was absolutely everywhere. That was way back when, I mean, I think this was 2011 or so, and this gives you a sense that this has been going on for a very long time. This whole idea of proliferating out and infecting machines that are not yours to become zombies, to work at your disposal. This has been going on forever, even before it was a mainstream issue with commercial entities that were worried about it.
[00:13:24] The government had concerns. They were worried about things like Storm bot. Storm bot was this big horrifying concept of a denial-of-service attack thing that could take down the Pentagon or take down satellite systems. Here we are. We're literally in the throes of it today. Everything they worried about 20 years ago has manifested.
[00:13:42] Jordan Harbinger: So a botnet, you sort of explained it, is when other computers are taken over by essentially like a virus or malware. And then they reach out at the same time. So you're talking about maybe millions or at least hundreds of thousands of different machines.
[00:13:53] Karim Hijazi: Right.
[00:13:54] Jordan Harbinger: They might all reach out to, let's say, one server at one time, and they're just hammering it with a hundred thousand connections a minute or whatever. And that will slow down a major website. Like we're using Zoom. Let's say they're all trying to connect to every single port on Zoom all at the same time. Now, us, legitimate Zoom users, can never get on because there's way too much traffic and the traffic is bad and it's confusing the Zoom server and causing it to work extra hard. And it just can't scale up to service that many zombie computers at once. And you could do that again, Pentagon or some other super important thing like banks—
[00:14:29] Karim Hijazi: Mm-hmm.
[00:14:29] Jordan Harbinger: This can happen to banks. And then you can't use the banking computers anymore. I think Facebook went through one of these a couple of years ago where they were down for a while because of this or something similar to this.
[00:14:39] Karim Hijazi: Yeah. They go through this every few months.
[00:14:43] Jordan Harbinger: Okay.
[00:14:43] Karim Hijazi: You know? Yeah. Like, I mean, DDoS attacks are sort of a perpetual persistent thing across everything. It's whenever they get lucky and they are able to achieve it. Because what you can do to essentially stifle these things is to limit communications from a set of IP addresses that things are coming from, right? But they're getting clever, right? The bad guys are always — it's a chess game. It's a perpetual one-upmanship of what I can do next.
[00:15:05] And they're going to say, "Oh, you're going to block a set of IPs I'm coming from. Fair enough. I'm going to start flexing those. I'm going to start attacking you from within your own environment. I'm going to send, I'm going to get legitimate Facebook users, machines infected." And someone that would come to Facebook, normally, I'm going to have that be the source of the attack. Facebook is an example, right? Of course, this could be anyone. They have a very challenging situation of, "Oh god, am I blocking a legitimate request? Or am I stopping a bad guy that's actually taken over a legitimate environment?"
[00:15:34] The bad guys have a very, again to use the term again, asymmetric advantage to the good guys, because they can lurk within good infrastructure and do some serious damage and then services that rely on their constituents and people that will actually log in and see things. And you want users on, they can't differentiate what's malicious and what's benign. So that gets to be really hard.
[00:15:56] Jordan Harbinger: You mentioned that there's a lot of money in this. Do you have any concept of how much some of these criminal groups are making with cyber attacks?
[00:16:04] Karim Hijazi: To give you a scale, it used to be in the hundreds of thousands of dollars a year in maybe the early 2000s, I would say.
[00:16:11] Jordan Harbinger: Okay.
[00:16:12] Karim Hijazi: Botnets amped that up to millions. And I'm being very broad. I mean, there's all kinds of ways they're making money. They're either stealing information and brokering it out on the dark web. They're stealing credit card information and doing fraud. They're using cycles of the machine to mine crypto. I mean, there's any number of things that these botnets could be used for.
[00:16:30] Today, with the ransomware scourge, we're talking billions. So we're really at a threshold of it eclipsing just about every other type of crime out there, because it's so easy. And the thing is technology like ransomware and other types of technology are force multipliers. You build it once, use it many times. Think about an old bank robber, like the risk you take robbing a bank physically with a gun and a mask and maybe you get one vault, when you can literally go in with the same malware. And it's incredible. So the ransomware groups are oligarchs now, man, literally.
[00:17:02] Jordan Harbinger: Oh, so those people have done so well that they've become oligarchs where it's like, "Okay, now I have a billion dollars. It's all stolen. It's in cryptocurrencies. So now, I'm laundering it through 50 countries."
[00:17:13] Karim Hijazi: Right.
[00:17:14] Jordan Harbinger: Remember during 2017, when all these shady crypto exchanges popped up and they were in like Ukraine and Moldova and stuff.
[00:17:20] Karim Hijazi: Mm-hmm.
[00:17:21] Jordan Harbinger: Now, some of that was legitimate entrepreneurship where these people were like, "Hey, I understand this and I can make tons of money in Bitcoin. And then I don't have to worry about my totally unreliable, local corrupt banks."
[00:17:33] Karim Hijazi: Right.
[00:17:33] Jordan Harbinger: But some of that, I couldn't help but think, if these guys are stealing millions and tens of millions in Bitcoin, the best way to launder it would be to have a crypto business that you could just keep your Bitcoin in there, mix it with a bunch of legitimate people and then connect it with foreign banks and then have people withdraw it as cash anywhere in the world. And so it has just made money laundering so easy in huge amounts.
[00:17:57] Karim Hijazi: Right.
[00:17:57] Jordan Harbinger: And I know that people are worried about Bitcoin getting around the sanctions in Russia and things like that. I don't think the volume is there to run a whole country, but certainly these big criminals could be multi, multimillionaires, if not billionaires, at that point, with the amount of cryptocurrency that they're able to steal and regular currency for that matter, that they're able to steal—
[00:18:17] Karim Hijazi: Right.
[00:18:17] Jordan Harbinger: —and ransom from small businesses. And we'll talk about some of these ransomware attacks in a second, but I want to go back to the nation states that want you dead because it's a cheerful topic. Now, there's nation states and there's cyber militias, right? So like hacktivists or just criminal groups that are maybe sanctioned by nation states. Can you tell us about the difference between these groups? Because we have the NSA here in the United States, they're constrained by laws and things like that. But then we have groups like Anonymous that are not, they've nothing to do with the government, but it seems like in foreign countries, especially like Russia, you have these groups, but they're also sort of, maybe kind of FSB related to Putin or at least given his godfather-like blessing to operate.
[00:18:58] Karim Hijazi: Absolutely correct. So that's what's fascinating. There's a lot of gray areas and there's a lot of cross pollination between these groups, especially over there. So I'll start in reverse to your question. Without question, Russia, we're almost certain that operatives that work within the intelligence services like GRU or FSB or SVR, there are two, one's military intelligence, the other one's the espionage division. It's almost clear now that their tactics and methods are identical to what we're seeing with some of these cyber crime groups that are really prolific.
[00:19:29] So they're probably moonlighting. They're probably doing their day job in the government. They do what they need to do for Putin. And then they go do what they need to do from a cyber theft perspective or cyber crime perspective. Not all of them, I don't want to suggest that this is like universal because you can go onto Instagram and Twitter and find these guys in there, like in mink coats on a yacht in Saint-Tropez and Cap d'Antibes, and you name it.
[00:19:53] Jordan Harbinger: It's funny because you're not kidding about this, right? Like, so—
[00:19:55] Karim Hijazi: No.
[00:19:56] Jordan Harbinger: So another guest on the show, he exposes British real estate. He wrote a book about this, his name's Oliver Bullough. He wrote a book about how basically a lot of these properties in London are owned by oligarchs and African strongmen and dictators and things like that. But he talked about how he did an exposé with Vice, where he found a bunch of oligarchs' kids on Instagram. And he said, "Look, man, it's really not hard to do because it's a small enough group of people, you know their names, all you have to do is search. And they did this whole exposé and Vice couldn't air the documentary because — I can't remember who it was, Abramovich or one of the oligarchs was like, "I will sue everyone that works there. Even if I lose, I'm just going to file a thousand lawsuits."
[00:20:38] Karim Hijazi: Right.
[00:20:38] Jordan Harbinger: "If you do this and I'm going to ruin your lives, all of you. So just don't do it." And Vice, which normally doesn't shy away from stuff like that, was like, "We literally can't afford to fight this rich, crooked mafioso. So we're just not going to air this." And yes, the photos that I saw were like a weird guy sitting on a really ugly, gaudy-colored Lamborghini, that's on a dock next to a yacht and he's wearing a mink coat and like a crown. And you're just thinking—
[00:21:05] Karim Hijazi: Yeah.
[00:21:06] Jordan Harbinger: —this is a guy who, the more money he has, the bigger of a dipsh*t he becomes, which is, you know, to be fair, a lot of people are like that, but just ridiculous.
[00:21:15] Karim Hijazi: Yeah, absolutely. And I'm not suggesting that those individuals weren't formally Russian-trained operatives—
[00:21:22] Jordan Harbinger: Sure.
[00:21:22] Karim Hijazi: —in some capacity, perhaps they're former, perhaps they're not former. Right. You know, anyone's guess there. But yes, so to answer your question, the nation-state actors that we're referring to are typically people that are commissioned, trained, and bankrolled by a nation state, a country with an objective that is generally not financially driven, right? They're usually trying to gather intelligence or they're doing influence campaigns. Like we've seen plenty, as of late there's, you know, we watched the whole 2016 situation with GRU and the Russians. And then more recently we watched interference with the German elections, same group, by the way.
[00:21:57] Jordan Harbinger: Uh-huh.
[00:21:57] Karim Hijazi: And now we're seeing the same group actively create disinformation campaigns with this mess going on with Ukraine and Russia. So that's part of the objectives. Now, the financially motivated side of it. I think we all feel like this is wink, wink, nod, nod by Putin that yeah, go do that. It creates more havoc. No problem. Is he setting government initiatives out for things like harvesting cash? Probably not. I don't doubt that he's probably benefiting from it in some capacity, again, outside of just the disruption.
[00:22:27] Now the hacktivist stuff, just to kind of pivot to that, that's an entirely different sort of segment of the problem. And I say that because I know a lot of people are very, they're lauding the efforts of Anonymous recently with some of what they put out on Twitter.
[00:22:39] Jordan Harbinger: And who's Anonymous for people who aren't really in this sector?
[00:22:43] Karim Hijazi: So Anonymous is a hacktivist collective or hacker collective. That seems to be leaderless. It seems to be this sort of general nebulous group of people. They're most notably identified by this Guy Fawkes mask they have on when they broadcast their wins. They've been around for a long time, rose to fame right around the Anonymous-WikiLeaks mess with Julian Assange back in 2010. They sort of came to his defense in the name of free speech and whatnot, but they've kind of splintered off into various groups. As you know, Jordan, I had my tussle with a subset of those guys, which we can talk about—
[00:23:15] Jordan Harbinger: Yeah.
[00:23:16] Karim Hijazi: Which was fascinating and irritating at the same time, but they're back. Here they are. And the problem with that, that's probably the most dangerous contingent because they're not really armed with the right intelligence to really know the ramifications of their attacks. And in many cases like — this has nothing to do with what's going on with Ukraine and Russia — was in 2012, I may be getting the date wrong, give or take a year, but Anonymous went after a border patrol group out of Arizona, I believe. And they exposed long-term culverts to the cartels and all those people got killed. Like they were absolutely summarily dispatched after that was disclosed. And it's like, what are you doing? You know, like, what was the point of that? That was a flagrant murder for all intents and purposes done by way of cyber means. And it kind of came in and went from the headlines because it was sort of this obscure thing, but those are the kinds of things that can ramificate into horrible, right? Kind of like what we talked about with the Russia stuff, which we'll get into.
[00:24:14] Jordan Harbinger: Yeah. This whole thing is quite fascinating because there's a lot of folks — it's hard to, I have to phrase this the right way — but like, there are hacktivist groups and hacker groups in Ukraine, and I'm helping them find people who are capable of running defensive operations, like looking and Ukrainian computers from malware, things that you might know a lot about over at Prevailion.
[00:24:34] Karim Hijazi: Right.
[00:24:35] Jordan Harbinger: And some folks are like, "Yeah, I want to take down a Russian satellite." And it's like, whoa, there's a lot of concerns that go with this that are not good. And in fact, we can talk about that right now. You know, it's all fun and games until — I think one of the recent concerns is what happens if someone shuts down a Russian satellite network?
[00:24:54] Well, if the satellites are designed to see incoming nuclear missiles, and those are shut down, does that look like, "Oh, those hackers are at it again. Darn you, Western hackers," or does it look like the NSA shut down the nuclear detection system so that we can send nukes over to Russia? And then if that's what that looks like, what is Russia's response? Launching nukes in return.
[00:25:16] Karim Hijazi: Right.
[00:25:16] Jordan Harbinger: So that could be really, really, really bad if this ill-conceived plan to give Putin a black eye or a blind eye for even an hour looks instead like a nuclear attack from the United States. I mean, this could trigger— I hate to be hyperbolic on the show, but it could trigger at least World War III, but also just a massive amount of millions of dead people/Armageddon, right?
[00:25:39] Karim Hijazi: I totally agree. And we've been talking about people that may be physically hands on keyboard, trying to break into places, unknowingly, maybe best intentioned, but then they do something like you just mentioned. There's something else that's even more sinister and a little bit ominous, which is — and again, I'm doing my best to not be hyperbolic here as well — but this is real.
[00:25:58] 2015, for those folks that don't know, the Russia, Ukrainian cyber debacle has been brewing forever. I mean, this is why for us, this is not new. We've just been kind of holding our breath. In fact, right now we're still just waiting for the other shoe to drop. We're sort of saying, "Okay, we saw the test run. What's going to really happen now?"
[00:26:16] And that test run back in 2015 was these exact groups that you were asking me about, these Russian nation-state groups like GRU and SVR, the guys that love me, that were doing a test on the Ukrainian infrastructure back then, and what they were able to do was they deployed a piece of malware that was literally very similar to what we're hearing today. It was Wiper malware, it was called KillDisk. And then, it subsequently took down the power stations in Ukraine.
[00:26:45] The problem with it was they didn't design it to stay. They designed it to proliferate and laterally move through the network. And the problem is it's not like a missile. A missile has a target, it blows up, it's done. It doesn't get up and go to the next target. Malware does, right? What I'm really, really worried about among my peers is a wormable threat and a worm, for those that are somewhat familiar and it sounds like what it is. It worms its way through networks. It goes from Jordan's computer to my computer, to my wife's computer, to my kids, and then all my kids' friends and then their parents. And it just finds its way through the network by default. And that's exactly what happened in 2015.
[00:27:21] Jordan Harbinger: That was Sandworm, right? Where Russia turned off the power—
[00:27:24] Karim Hijazi: Right.
[00:27:24] Jordan Harbinger: And dramatic and they show — we'll put a video in the show notes. There's a cool animation where essentially the workers at this power plant were watching somebody controlling their screen and just flipping all the breakers. And these breakers weren't like lights in a living room, the breakers were lights in Kyiv, lights in Chernobyl, lights in Odesa. And it was just cut, cut, cut, cut, cut. And they just cut off all the power—
[00:27:47] Karim Hijazi: Yeah.
[00:27:47] Jordan Harbinger: —to regions at a time. And then they said, "Oh, that worked." And then they improved on that software. And unfortunately, the United States didn't do anything because we were distracted by other hacking against DNC computers and other leaks that were being done by—
[00:28:02] Karim Hijazi: Right.
[00:28:03] Jordan Harbinger: I think the same group or very similar groups were doing the same thing. And we just sort of missed the opportunity, the Obama administration, I would say, missed the opportunity to say, "Hey, this is not good." I mean, I don't know exactly what they did diplomatically, but it obviously wasn't enough.
[00:28:15] Karim Hijazi: Right.
[00:28:16] Jordan Harbinger: Because it led to the other thing that you're mentioning, which was, I believe called NotPetya.
[00:28:20] Karim Hijazi: Right.
[00:28:20] Jordan Harbinger: That shut down airports, banks, railways, government installations, hospitals. And then like you said, it wormed over to FedEx, Merck, and Maersk, which are like these massive, massive organizations that had a lot to do with shipping, and 20 percent of the entire global shipping operation, just 20 percent of global shipping, froze on the spot and took weeks to recover and caused over $10 billion in damage. And that was the accidental part—
[00:28:47] Karim Hijazi: Yep.
[00:28:48] Jordan Harbinger: Causing 10 billion. Imagine if they actually got 80 percent of global shipping to freeze on the spot that might take months to recover.
[00:28:55] Karim Hijazi: Exactly.
[00:28:56] Jordan Harbinger: No reason to think that this is over and especially now with the Russian military doing so poorly in Ukraine, cyber is kind of, they're good at that.
[00:29:03] Karim Hijazi: Right.
[00:29:03] Jordan Harbinger: They're obviously not good at invasion convoy and things like that. Not to make light of it, but cyber is something that they don't get holed up in the woods and get their tanks stuck with no gas in the mud and then leave. Right?
[00:29:15] Karim Hijazi: Exactly. They don't need to deploy the proverbial cyber threat. It's been deployed. Back to square one in our conversation, I see that deployment. I see that pre-established plumbing by these adversaries in the environments that we have in country and our allies. And I'm watching it communicate out, like that spy calling back to headquarters to a handler saying, "Hey, I'm here whenever you need me." And I've actually watched a shift in the communication. I've seen it decline and spread the pattern out to be wider because they know that security professionals are getting more vigilant. So they're saying, "Let's programmatic control over this to where it goes a little bit dark and it goes to ground until we need it."
[00:29:57] So that's what's menacing here is that we're sort of, to your point about the NotPetya, the switches being flipped, we're literally waiting for that. We're waiting for them to flip a switch and say, "Okay, let's turn that access on that we have." Now don't get me wrong. We as a country, have those implants there as well. And this is exactly where there's this sort of stalemate high noon kind of situation of who's going to pull the switch first.
[00:30:23] Jordan Harbinger: You're listening to The Jordan Harbinger Show with our guest Karim Hijazi. We'll be right back.
[00:30:28] This episode is sponsored in part by TextExpander. People always think the messages they receive from me are actually from a robot and not actually from me. Y'all have been shocked to find out I am personally responding to thousands of messages and yes, it really is me. I don't have a life, but my secret weapon that I'm sharing with all of you is actually called TextExpander. Our entire team uses it. It is like keyboard shortcuts on fire. I know what you're thinking and all I can copy and paste, or I have something like that on my phone. No TextExpander is much more powerful than that. You can customize message templates. You can fill in a name or do drop downs of different message options, depending on the message you want to send. In the past month that saved me, literally, like five or six hours of typing it. It actually will track this for you. A listener wrote to me after hearing me talk about TextExpander saying she tried it. And she was able to improve her team's everyday operations by implementing TextExpander in their customer service center, as well as their engineering team. So she got major props within the company and saved a ton of time.
[00:31:23] Jen Harbinger: Try it for free and see how you can increase your productivity with TextExpander. Our listeners get 20 percent off your first year. Visit textexpander.com/jordan to learn more about TextExpander.
[00:31:34] Jordan Harbinger: This episode is also sponsored by Peloton. Adding new things to my workout routine keeps it fresh. Plus it keeps me motivated. Peloton is pushing you further with so much new on the Peloton bike and Peloton bike plus. New classes, new music to jam to new ways to keep your workouts fun. Boxing is what's up right here, for me, anyway, Peloton is stepping into the ring. No gloves needed. If you've never boxed before and you know, you'd want to do it without other people punching you back, which frankly is more fun then these classes will have you working up a sweat while working on the fundamentals of form, footwork, and fun combos that will keep you on your toes. I often discover new music through Peloton. They've got pop and rock and hip hop, but my thing is EDM because I'm a rave kid from the '90s, who's never going to grow up. And it's easier to stick to your goals when you find your workouts interesting, or when you keep them interesting. De-stress from a long day, with 30 minutes of strength and 20 minutes of cardio, or do a quick 15-minute total body class before work. And let's admit it, what's before work? We're on Zoom calls these days. Do one while you're working. Why not? That'd be a change. Keep your fitness fresh with bike workouts, yoga, meditation, dance, cardio, and more.
[00:32:34] Jen Harbinger: Visit onepeloton.com to learn more. That's O-N-E-P-E-L-O-T-O-N.com.
[00:32:41] Jordan Harbinger: If you're wondering how I managed to book all these great authors, thinkers, and creators every single week, it's because of my network. I'm teaching you how to build your network for free over at jordanharbinger.com/course. Now, the course is about improving your networking and connection skills, but also about inspiring others to develop a personal and professional relationship with you. It'll make you a better networker, a better connector, and most importantly of all, a better thinker. That's all at jordanharbinger.com/course. And by the way, most of the guests you hear on the show, they already subscribe and contribute to the course. So come join us, you'll be in smart company where you belong.
[00:33:15] Now, back to my conversation with Karim Hijazi.
[00:33:19] Let me put it this way, I don't want Moscow's water system to get polluted and dirty and poison and kill people.
[00:33:24] Karim Hijazi: Right.
[00:33:25] Jordan Harbinger: But I also really don't want that to happen to the Los Angeles or the New York City water system, getting poisoned and killing people. It doesn't make me feel better that we can also kill innocent people in Russia if they kill innocent people in the United States. Like that doesn't make me feel better at all.
[00:33:39] Karim Hijazi: Right.
[00:33:39] Jordan Harbinger: And the fact that the switches are already implanted in these systems, that should scare everyone. Because I think a lot of people, and I think you might've said this during an interview, people think we're vulnerable, but what they don't realize is we're already compromised. We're not just vulnerable. This is already installed. The grenade is already under your bed. It's not that someone could theoretically put one there. It's already there. The string is already going from the pin out the window. You're just waiting for somebody to yank on it, but nobody's listening to the call or very few people are heeding the call.
[00:34:09] Karim Hijazi: That's it. That's it because it's a mashup of snake oil by other security organizations that say, "No, no, we've got it covered. We've defended you adequately." And I'm not picking on those companies. I'm just saying that let's face the music now, guys. We're really in a position that's really, really precarious because to your point, that analogy is fantastic. There is a grenade under the bed and there was a string going out the window. And it's just a matter of pulling it. Now, whether that string-pull opens up another door, or whether that string-pull does something like Wiper malware, where it gets rid of the entirety of our records for something.
[00:34:42] Imagine if we're really up for the end of the movie Fight Club, if we've ever seen the end of that, where literally the entire system goes down, that's not too far off from a cyber perspective sadly. I know I've spent the last 15 minutes being foreboding and ominous and terrifying, but that's — you know, I've been very measured on this until now, because I think we're really at an inflection point with this situation with Ukraine that it'll escalate and it has almost nothing to do with them. We're going to either see coattailers, like other nation-state actors, like the Iranians or, you know, nation-state groups or the Chinese groups or the North Koreans. What better time, Jordan, than now to go act on something and just point the Russians?
[00:35:17] Jordan Harbinger: Sure.
[00:35:18] Karim Hijazi: It's like cyber looting is literally what the equivalency is.
[00:35:21] Jordan Harbinger: Oh, that's interesting. Yeah. I've got friends in big tech companies. I was going to name it, I almost did. I've got friends who are the head of security for, let's say, it's a phone operating system that everyone uses, who uses a certain brand of phone. A friend of mine is in their security department and I said, "Oh, so what's going on?" And he's like, "I'm slammed because countries that I can't name that you maybe just did name are always trying to break into these phones." Because imagine if you get a foothold inside a new operating system, that's going to be installed on hundreds of millions of people's phones at all levels. And then you can control them and you can use them at any time. And that stuff is terrifying. And I kind of want to talk about the capabilities of those in a bit.
[00:36:03] But Nicole Perlroth, you probably know, on this show, episode 542, she talked about the cyber pandemic, just waiting to be activated. It's like what you were saying. I think something like 80 to 90 percent of companies are compromised by malware at some point, not the whole company, maybe, but that's a lot: eight to nine out of 10 companies have malware that is possibly wormable to the rest of the company. And that is extremely bad news if we're talking about systems getting infected because of course, even if 80 percent of those companies were sort of not banking and not hospitals and not really important records, what if 80 to 90 percent of the businesses suddenly started having cyber issues all at once? It would take years to recover from that because all the professionals who do that are going to be, they can have an 18-month waiting list just to take a look at the problem that you have, if this gets activated all at once.
[00:36:54] Karim Hijazi: Absolutely. And I know Nicole touched on this in the past too, whether it was her writings or the interview with you perhaps, there's even greater problems around critical infrastructure. Who was I talking to? It might've been someone in CISA within our government that actually, you know, they're in charge of that critical infrastructure security. It's a 50-year project, Jordan, to get us back into a position where that infrastructure has been retooled and rehabilitated to not being hackable.
[00:37:18] I'll tell you, you know, I've lived all over the world. I've been able to see a lot of infrastructure. I've seen refineries, I've seen operational control panels of different things at places like that. Today, like no kidding, today, we're talking, we're still seeing machines in there running control panel systems that are running on Windows XP or Windows ME.
[00:37:40] Jordan Harbinger: Like 20 years ago.
[00:37:41] Karim Hijazi: They're not even supported by Microsoft anymore. And so like there's not even an update going to them to protect them anymore. They're literally just jettisoned infrastructure, old sunset software that frankly they can't swap away from because the control panel systems and the operational technology and SCADA systems is what they're called in, you know, big factory environments run on that operating system and they can't be upgraded.
[00:38:04] Literally, the amount of times we like catch that exact side with my team and I, and the hands up in the air, like, I guess we'll just hope because it's gotten to that point. And here we are, again at that precipice of something to where they could flip a switch on something like that. And it's a cascading effect. Whether by design or by accident, a wormable event or a malicious hacktivist group that thinks they're doing something and they actually miss target something and it bounces right back and it comes at us in the states. I mean, dude—
[00:38:32] Jordan Harbinger: Oh, man.
[00:38:32] Karim Hijazi: It's an endless amount of scenarios that kind of keep us up at night.
[00:38:36] Jordan Harbinger: I would imagine. Yeah, I remember Richard Clarke on this show a long time ago, talking about, he was talking about going and touring this amazing sort of like underground bunker type place, this is episode 240 of the show, where like you have to go in this area, that's almost always flooded and then open up this hatch and then you go down underneath the ground on a ladder or a stairway and you walk into this computer control room and the guy's showing Richard Clarke and he's saying, "Yeah, this is so secure. Nobody can get in here." And he goes, "Well, how do you get in here? I noticed this is flooded. And you know, you're always pumping the water out and what happens if you need to get in?" And the guy goes, "Don't worry. We actually hooked it up to the phone line so we can just dial-in from home." And Richard's like, "So you've got an underground bunker."
[00:39:21] Imagine what kind of critical infrastructure is in an underground bunker. And then imagine that somebody just plugged that into the open Internet using a computer system that was never designed to be connected to the Internet. So it has absolutely no security other than like type in your password and a lock over the keyboard or something, thinking that that's going to be enough to keep out people. This is like drilling a hole in the hull of a ship so that you can pull your luggage directly into your state room instead of going up and down the stairs. Right?
[00:39:48] Karim Hijazi: That's perfect.
[00:39:49] Jordan Harbinger: You're just making this thing that was relatively secure because you'd have to break in there with military weaponry, at which point someone's hitting an off switch.
[00:39:57] Karim Hijazi: Yeah.
[00:39:58] Jordan Harbinger: Then they're like, "No, don't worry. I can log in from my PalmPilot, because I just plugged a phone line into this thing, using some RadioShack sh*t."
[00:40:04] Karim Hijazi: It's mind blowing. I mean, in this day and age, right? Where we're still under this assumption that things have been secured and there's this overarching faith. And I'm not trying to pick on our government in any way. This is an insurmountable problem for even just the government to handle. The only way to manage this is a public-private cooperation of some kind over a very long period of time. It's not like, "Oh, if we decide to cooperate, it's going to be fixed." It's going to take huge amounts of effort. The continuation of the issue is that, that story is fantastic from Richard Clarke because — let me put it this way. Even if they didn't have that bloody phone line set up, I guarantee you, there's probably some system in there running some update to a server that is not protected. So they'll use a supply chain attack to get in through there.
[00:40:48] So even if there wasn't the phone line, there's probably some kind of like, have you ever looked at your Mac or any kind of laptop or your phone? Do you know how many times that thing calls out to the Internet without you doing a thing? Like it just sits there.
[00:41:00] Jordan Harbinger: I'm sure all the time, yeah.
[00:41:02] Karim Hijazi: In your business, you know, not necessarily podcasting, but if you have an ad on your website. That ad server that serves that ad to that website is a completely different server than your server. And if that gets compromised, that's a doorway right into your environment. So the interconnectivity of the world today is absolutely impossible to navigate. And if you're a determined adversary, you'll find a way in.
[00:41:24] Jordan Harbinger: Yeah.
[00:41:24] Karim Hijazi: That's the part that makes this possible.
[00:41:26] Jordan Harbinger: Every week or so I get this update, like, "Your site has been updated to the newest version of WordPress," or whatever, right?
[00:41:31] Karim Hijazi: Right.
[00:41:31] Jordan Harbinger: And what happens if somebody just compromises the WordPress update server, then 10 bajillion websites all update their newest version of WordPress that has a backdoor for the FSB or for Iranian secret services to go and turn the site off or scramble all the data and get rid of it and stop the backups, things like that.
[00:41:50] And you mentioned before that attribution is tough.
[00:41:53] Karim Hijazi: Yeah.
[00:41:53] Jordan Harbinger: Right. So Russia might get access to something, get the information it needs, and then hand it off to China or to Iran to do something. And that makes finding out who's doing this stuff really, really hard. And you're right. I think a lot of groups would be super active right now.
[00:42:08] You and I were talking about a social engineering attack that was happening on me as a result of me talking about this Ukrainian cyber defense issue. I said, "Why do they always pick an Asian female as the icon?" And my wife said, "Oh, it's probably because they know you're married to an Asian. So they think you're like, all one of those like white dudes who only likes Asian women," which by the way, I am not, for the record.
[00:42:29] And I thought that was an interesting thing. You said, "Hey man, they might just be doing that because then you'll say, 'Oh, Chinese intelligence is attacking me again,' because they've done that before," because I talk negatively about the Chinese Communist Party on this podcast a lot at the time. And so then I'll just say, "Ah, the Chinese are at it again. The Chinese intelligence service from the CCP." Meanwhile, yeah, it could be the Russians just going, "Hey, we don't really need a lot of cover." It could be anybody posing as Russia now and then just saying, "Hey, look, now that these guys are in the crosshairs, Iran could be posing as Russia. China could be posing as Russia to infiltrate these systems."
[00:43:06] And then you're right. The US or the West isn't going to do anything because we are already on tilt, trying not to start World War III with tactical nukes. So it's a really good umbrella to get under if you're a cyber criminal, just pretend you're the Russian GRU or SVR. And you're virtually consequence free.
[00:43:23] Karim Hijazi: Absolutely.
[00:43:23] Jordan Harbinger: Even if you get caught.
[00:43:25] Karim Hijazi: Let's not forget there's cooperation between nation-state actors that have concerted or, you know, unified effort against the West. So for example, SolarWinds, everyone remembers that recently, not recently, but what? Now, a year and a half ago.
[00:43:37] Jordan Harbinger: This is a big hack, yeah?
[00:43:39] Karim Hijazi: Yeah, big hack, most notably a supply chain hack. Again, I used that term earlier. And what that is is, by definition, you get into a single organization that has massive amounts of links and connectivity to many, many other organizations, preferably your actual targets, right? So you just get into this other organization with arguably weaker operational security or controls or teams to protect it.
[00:44:05] And then you can just ride on, into that trusted channel of connectivity into these other targets. And that's exactly what happened at SolarWinds. SolarWinds is a company out of Texas that provides management software for thousands of companies. You know, when you start thinking about this from an adversary perspective, that's the perfect target.
[00:44:24] But what's fascinating and what probably wasn't really hitting the headlines as much was that when we were all looking at it and the term we use in the industry is TTP, which is Tactics, Techniques, and Procedures. So literally, these are the methods that we look at to define who it might be to your point about attribution. It doesn't always work because a lot of actors have the very same tactics and methods, but in this particular case, there were two distinct things that were really, really interesting. One was exquisitely written, call it malware because they actually signed the malware with a legitimate certificate. So it looked like it was part of the software. It was really, really intense and it was Mandiant that actually found it. And they got actually compromised in the process too.
[00:45:06] So this is a very, very well-known cybersecurity firm, just got bought by Google, like a week ago. That was compromised. They were very clear about their disclosure on it. They did the right thing, but they're like, "Look, we got attacked and we got compromised. This is the information we know about this." And by the way, this cleanup on this is still going on. We're far from like contending with this thing being done with.
[00:45:29] But I wanted to share the last little bit here, which makes it interesting. And it ties to your point here. So this was probably all signs lead to a Russian-written piece of software, but then the access and then the loitering and bull in a China shop activities within some of these environments, it looks like another nation state, less capable.
[00:45:49] Jordan Harbinger: Huh.
[00:45:50] Karim Hijazi: So it almost looks like there was initial access facilitated by one, and then a subsequent actor given, who knows? Maybe they paid for the access or they were just giving it so they can rifle through it and ransack the place and sort of hide the efforts of the much more sophisticated cat burglar.
[00:46:05] Jordan Harbinger: This is interesting, right? So let's use an actual burglary kind of scenario. This is kind of like I break into your house and I steal a bunch of stuff. And then I go, "You know, there's probably fingerprints somewhere in there. I was in there for like three hours cleaning the place out. I'm just going to burn your house down, but I don't have any gasoline. So here's what I'm going to do. I'm going to pay a bunch of kids that are playing down this, a hundred bucks. And I'm going to say, you should have a party in here and break as much sh*t as you can," because you know, this person is — they're awful. "And I'm giving you guys a thousand bucks, just break everything in here and throw it all over the place and film it and put it on TikTok."
[00:46:42] Karim Hijazi: Yep.
[00:46:43] Jordan Harbinger: So now everyone goes, "Oh, these kids broke into this house and they just smash everything and they probably stole some stuff. And look, there's fingerprints. Yeah, but it's all in broken stuff. And it's from these kids." Meanwhile, "I've got all of your valuables. No one's looking for me."
[00:46:56] Karim Hijazi: That's it.
[00:46:57] Jordan Harbinger: Right, because I've covered my tracks. Yeah, that's sorta what that sounds like.
[00:47:00] Karim Hijazi: Yeah, exactly. So the kids got to steal other stuff in there, right? And literally in this particular scenario, what seems like a lesser capable nation-state stole the red-teaming tools out of Mandiant, and what those tools are is tools that companies use to try to emulate the way a hacker would attack your company so they can prep you for how it would happen if it really happened to you.
[00:47:23] So we're certain that it wasn't something like the Russians that would have stolen that. They already know all that. Like they're literally, they're being copied to build these red-teaming tools. The last thing they're going to go get is that, but for lesser capable ones, that's a dream. Now, they've got all the tools that let them know exactly what they need to not do going forward. They could just completely shift their tactics and be more effective going forward.
[00:47:46] Jordan Harbinger: Oh, man.
[00:47:47] Karim Hijazi: So yeah, really, really something. And we're not talking that long ago. I mean, a year and a half ago to where we are today, are those tools now being employed, meaning reverse engineered essentially by these adversaries so that now we have to redefine our playbook for identifying attacks and how they're going to come about because essentially, yeah, I mean the word playbook is really, really appropriate. If you get the other team's playbook, you're going to win the game. You know every move they're going to make and you've got a whole means to win.
[00:48:13] Jordan Harbinger: Now, these cyber attacks can become kinetic. Escalation can be pretty quick. Like imagine if hackers get an oil refinery in Louisiana to explode, that's the same as flying over it with an airplane and dropping a bomb on it, right? It may sound or feel less aggressive, but it's really not. If your whole point is to release a bunch of toxic gas and kill people in a small town or to cause something to overheat and then cause a massive fire that ends up killing 64 people, you may as well have walked up to it and lobbed a grenade in the tank here.
[00:48:43] And that kind of thing can go wrong. You mentioned it's like a baby with a gun. A lot of times these hacking groups, they might even be teenagers or like, "Oh man, we got into British petroleum and now we can control the boats." Going back to the OG hackers movie from the '90s, right? His whole thing was he was going to tip over an oil tanker or something like that by flooding it. You could end up doing something like that by accident.
[00:49:07] Karim Hijazi: That's absolutely correct. And I think what's fascinating about this is that, that goes back to what we were talking about with this Russian situation. You brought up the whole concept of taking down a satellite, those systems that run those environments are not uniquely built for those systems. Like in other words, the satellite control systems aren't just like satellite control systems. You could build a malware that will infect something that was intended to stop a railway that will find its way, unfortunately, into a satellite environment. So there's that kind of concern too, which is that you might build something thinking that you've got something that's only purpose-built for your target, but it just proliferates all these other things.
[00:49:46] So to your point about shifting something cyber into kinetic, you brought it up a little earlier and I want to kind of go back to it. Water treatment is the one that really freaks me out.
[00:49:56] Jordan Harbinger: Yeah.
[00:49:56] Karim Hijazi: Because all you need to do is change levels. You don't need to break anything, you just change the pH levels or the potability of some sort of gray water, and you've got mass dysentery, and now you got people flooding into the hospitals. And if you really want to be a prick, now you turn off the power grids or you start attacking power grids. And now you've got mass chaos. And that's actually what I think everyone was worried might happen in the Ukraine, that they were going to make life so miserable that people would just sort of be like, "Okay, we give up." Now, that didn't happen. Not really sure why.
[00:50:26] Jordan Harbinger: It's because Ukrainians can survive on a diet of cigarettes and bathtub vodka. And I say that as a compliment. I spent a summer in Ukraine and it's like, talk about a group of people that you don't want to try and wear down through hardship. They've already been through the hardship Olympics by being part of the Soviet Union and on the edge of that, and then having 2014 happen, and now this. This is like, I won't say it's just another day in Ukraine, it certainly isn't, but these are some of the toughest people on earth. I think we're seeing that firsthand now. So they definitely expected them to cave, but I'm not entirely sure why that was a losing bet.
[00:51:01] Karim Hijazi: Yeah, absolutely. I won't beat this to death because I've shared it at a number of other places with conversations. But I do want to just at least highlight this, that everyone that kind of thought we were going to see the Die Hard movie, you know, that whole like fire sale thing, "Oh, everything goes down at once." Well, you know, let's not forget that this is all visualized in retrospect with cyber. Because people usually think there's some sort of malfunction or it's user error, and that easily happens for days before they assume it's malware or some sort of hacker. So we may find the stories manifest here in the next few months about what really happened and what really was the Russians in there, or some sort of hacktivists or loyalist group to Russia affecting things, but it's going to be a little while. I don't think we're going to see it in real-time.
[00:51:40] Jordan Harbinger: It seems like a lot of the work-from-home environment is going to increase vulnerability inside, especially Western companies, US companies, right? Because people will say things — who told me this the other day? I was talking to a friend. I was like, "Oh yeah, aren't you worried about your systems?" And they said, "Well, you know, we have to use this VPN." And I'm like, "So you're using a piece of software that cuts through all the other security software on your network. You know, it would be one thing if you had to be in the office to use the network, but now, no, you get to be from home." And so the company says, "Well, we can install this and we're kind of fine." Meanwhile, they can't deploy new security stuff and then train the entire 5,000-person company on how to use it. So most people are just making their system available from the outside and using a VPN and kind of calling it a day.
[00:52:26] Karim Hijazi: Yeah.
[00:52:26] Jordan Harbinger: And that just means that anybody can access that whole network and that they don't have to steal a laptop to do it. They just have to get some credentials and use a VPN.
[00:52:34] Karim Hijazi: Yeah, you know what I call a VPN, and it's not to criticize it as a technology because it has a purpose. Right? It certainly has its utility, but there's this sort of catch-all idea that it's securing you like your friend said, with all due respect to him. But what I call a VPN, it's a cyber hypodermic needle to the organization. Literally to your point, exactly right, it cuts through all of the security of the org because it's a trusted channel in. And so to use the hypodermic needle analogy, which is pretty visceral, and if you have a syringe with tainted, you know, payload in it and you literally shovel that through.
[00:53:06] So like my kids' home network is not my own home network. I literally have it segregated. So all the Xbox garbage and all the other computers that they're using are cesspools of malware. I can't afford a risk to have that bounce into my laptop and then use that as the VPN access to my corporate environment.
[00:53:25] Now, most average people aren't going to necessarily split their networks up. And even if you do, there's no guarantee, especially with Apple and other solutions, you know, I'm not picking on Apple, but this whole like universal connectivity that my iPad talks to my laptop that talks to my phone, with that convenience comes access to the adversary.
[00:53:42] Jordan Harbinger: Yeah.
[00:53:42] Karim Hijazi: And I think that that's what people forget about a lot.
[00:53:44] Jordan Harbinger: Yeah. Isn't that called Bonjour? Bonjour, right? It creates like an ad hoc network and I've heard that you just see it pop up sometimes if you're a Mac user and I'm like, "What is that?" I know it's some sort of networking protocol. And then a couple of hacker friends of mine were talking about Bonjour payloads and I'm like, "Oh yeah, that thing that's always running in the background like that's my phone, talk to — I'm like, all you have to do is find me when I'm out, dump something onto my phone. I just bring that home." It's like a bad STD. It's just bringing it home to my whole family.
[00:54:14] Karim Hijazi: Yeah. I'm sorry. I'm laughing because that STD analogy comes up fortnightly at the company because it's so parallelized, man. I mean, my god, you know, the promiscuous nature of your devices, literally, is what that is.
[00:54:28] Jordan Harbinger: Man, I worry about — you mentioned supply chain attacks. That's a totally different kind of supply chain, but now that we're actually talking about the real supply chain because of the shortages we have in the shipping debacle. And what was that ship that got caught in the Suez Canal and stuff? Right?
[00:54:42] Karim Hijazi: Oh, yeah.
[00:54:43] Jordan Harbinger: You could shut down the shipping. We mentioned that attack before, not just critical infrastructure, but what if we know that ports are the bottleneck in shipping and that they're way behind. That was the thing with the shortage a few weeks ago, or a few months ago, maybe still is going on.
[00:54:57] Karim Hijazi: Right.
[00:54:58] Jordan Harbinger: You could just target something like that. Some sort of bottleneck in the supply chain and then it's like, well, I guess, technically that might be considered critical infrastructure, but all you have to do is go after a few different small systems. You don't really have to shut off the water and the power and the shipping and the blah, blah, you really just have to make it really hard for a country, especially one that's maybe in a conflict to get goods and services into the ports. And then they are super, super screwed. Everything has to be done manually.
[00:55:26] Karim Hijazi: Yeah.
[00:55:26] Jordan Harbinger: I've read an article about those hackers in Belarus, shutting down the automatic train switches to stop Russian troops from deploying quickly. And this is a country that's probably very used to manually switching trains. I mean, it's Belarus. They probably just got automatic switching sometime shortly in the '90s. I mean, the guys that are working on these trains probably really know what they're doing and they're nowhere near as fast as the computers.
[00:55:48] Karim Hijazi: Right.
[00:55:48] Jordan Harbinger: And switching the trains. And so you really just have to attack a few sort of bottlenecks in the whole supply chain or something very, very critical can go down in the middle of a war like they're in now.
[00:56:00] Karim Hijazi: Right, yeah. No, you're right. It's a cascading effect. And then let's not forget the rules of war, conventional ones, meaning the ones that go back to some Sun Tzu level stuff, right? Those principles are still very viable today for cyber. So for example, if you're going to go and impact, like you said, we keep talking about critical infrastructure, but this could be logistics as well. Like you said, why not wait until there's a really serious, deep freeze about to happen in the winter, or let's wait till the hottest day in the summer that's projected to actually impact something that's already got immense amounts of pressure on it from environmental reasons or natural reasons.
[00:56:32] So those are things that are being looked at by these groups. They're not one dimensional in their approach. They're not like, oh, we're going to go hack it. It's literally, "What confluence of events can I kick off and instigate to really facilitate a nightmare scenario?" And that's exactly what you're talking about. If you get the right shipment to be stifled, that'll create a massive cascading effect.
[00:56:53] Like for example, now there's a shortage of neon because that was a huge product of Ukraine. And that's a key component of microchip semiconductor development.
[00:57:02] Jordan Harbinger: The actual gas in neon?
[00:57:03] Karim Hijazi: Yep.
[00:57:03] Jordan Harbinger: Oh, okay. Did not know that.
[00:57:05] Karim Hijazi: Not only do we have a semiconductor problem before this, now we got another ingredient that's actually going to be a shortage around. So maybe we can expect our Teslas to be delayed longer and more laptops to be delayed and everything else that uses a chip.
[00:57:18] Jordan Harbinger: Geez. I've been waiting forever for this new car. They said March. Now it says July.
[00:57:22] Karim Hijazi: There you go.
[00:57:23] Jordan Harbinger: But you know, that's a high-quality problem.
[00:57:27] This is The Jordan Harbinger Show with our guest Karim Hijazi. We'll be right back.
[00:57:32] This episode is sponsored in part by Squarespace. People spend most of their time these days on the Internet, buying products and using services. If you don't own a website, you might be losing a lot of potential customers online and, of course, missing the key to growing your business, many fold. So what is stopping you from building yours? I get it. It can be complicated. It looks like a lot of work, probably really expensive. You don't have any idea where to start. Don't be a disgrace, try Squarespace. You don't have to know the first thing about tech or the intricacies of web design, because Squarespace covers all that. You can focus on the things that are important to you, like selling. Squarespace has all the tools you need to get your online business off the ground. You can even generate revenue through gated members-only content, manage your members, send email communication, leverage audience insights, all-in-one, easy-to-use platform, add online booking and scheduling, connect your social media accounts to your website, create email campaigns all with Squarespace's tools. And these examples don't even scratch the surface of what you can do on Squarespace. Give it a try for free at squarespace.com/jordan. That's squarespace.com/jordan. Use code JORDAN to save 10 percent off your first purchase of a website or domain.
[00:58:40] This episode is also sponsored by Progressive. Progressive helps you get a great rate on car insurance even if it's not with them. They have a nifty comparison tool that puts rates side by side. You choose a rate and coverage that works for you. So let's say you're interested in lowering your rate on your car insurance, visit progressive.com to get a quote with all the coverage you want. You'll see Progressive's rate and then their tool will provide options from other companies, all lined up and easy to compare. All you have to do is choose the rate and coverage as you like. Progressive gives you options so you can make the best choice for you. You could be looking forward to saving money in the very near future. More money for maybe a pair of noise-canceling headphones, an Instapot, more puzzles, whatever brings you joy. Get a quote at progressive.com. It's one small step you can do today that could make a big impact on your budget tomorrow.
[00:59:22] Jen Harbinger: Progressive Casualty Insurance Company and affiliates. Comparison rates not available in all states or situations. Prices vary based on how you buy.
[00:59:29] Jordan Harbinger: I just want to say thank you so much for listening to, and of course, for supporting this show. Your support of the sponsors and the advertisers is what keeps us going. All those deals and discount codes and clunky URLs. They're all in one place. We put them all on one page. jordanharbinger.com/deals is where you can find them. Please consider supporting those who make this show possible.
[00:59:50] Now for the rest of my conversation with Karim Hijazi.
[00:59:54] It's so hard to complain about anything now because I'm like, "Well, our country is safe and secure. I don't have to worry about my kids drinking, clean water, or getting bombed, you know, or anything like that." And I talked to people in Ukraine on WhatsApp and it's like, it's just hell on earth in so many places. So I feel like such an a-hole being like, "My Tesla is going to be three months late." It's like, "Shut up, Jordan, you prick," you know?
[01:00:19] Speaking of critical infrastructure, ransomware, we kind of touched on that before, hospitals, fuel infrastructure. That Colonial Pipeline hack that happened where they wanted to ransom the data. That type of thing seems like we're in the early days, right? They can get in there—
[01:00:34] Karim Hijazi: Oh, yeah.
[01:00:35] Jordan Harbinger: —encrypt computers, they can sell the data if they get good corporate data. They don't just have to ransom it. They could sell it on the dark web. They could go into social security systems or medical records and things like that. That stuff freaks me out. And I talk with executive friends and they go, "Well, we have a lot of backups." I'm like, "Well, what happens if they freaking encrypt the backups or turn them off? Are you going to notice? You know, you're going to notice. How often do you check your backups? Or if they get them both on the same day, what are you going to do? You backup a bunch of encrypted stuff." Like I assume you're looking at this and not super satisfied with the solutions that these companies are coming up with.
[01:01:08] Karim Hijazi: No, because I'm hearing exactly what you just said. I'm hearing that, "Well, we have remediation and business continuity plans in place," and I'm like, that's the first thing the adversary is going to go after is your business continuity plan. They're going to deploy something to do reconnaissance in your environment. They're going to find the backups and they're going to encrypt the backups before they encrypt anything else. That's the whole point. They don't want you to have a remediation plan. They want you to be able to bow down to their ask of money so they can give you a decryption key that won't work properly.
[01:01:34] But let me tell you what's even more ridiculous about that Colonial Pipeline situation. This one statement will kind of really lay the foundation that this is never going to go away. Colonial was not actually literally hacked like no hacker pounded on the door somewhere until they finally got their way in. They found stolen VPN credentials to get into the organization on the dark web.
[01:01:58] Jordan Harbinger: Wow.
[01:01:58] Karim Hijazi: So they started on the dark web and they probably ended on the dark web. They stole information to get in that allowed them to steal information and then extort them for money to then sell back out on that dark web again. So it's endless. You know human behavior is that one piece of the equation that, you know, very well, we both do, that is eternally hackable. Machines, I mean, you know, inevitably there'll come a time where we get a pretty good handle on how to make them pretty hard to get into. Like, we can make the machine pretty binary about what it arrives at, but the minute a user gives authorization to something to run, you know, all bets are off.
[01:02:32] Like at that point, that malware is functioning like a legitimate piece of software in the company. So this is what I think people misrepresent a lot, that they think hackers have this like malicious virus that's a scourge and it's going to be identified within the network because we're still living in the antivirus days. And those days are gone. Now, this stuff runs like it's meant to run in the organization because the users allow it to and give it authorization.
[01:02:54] Jordan Harbinger: That's interesting. The social engineering angle, you and I have spoken about this. In fact, now it's probably a good time to discuss this. We don't have to do a whole show on it here because you know, for time, but—
[01:03:02] Karim Hijazi: Sure.
[01:03:02] Jordan Harbinger: When I was young, I was also like hacktivist, right? I was like, "I'm going to help these groups." I wasn't a capable hacker or anything, but I was in the IRC channel. We call it #Phreak, so hashtag really Phreak, P-H-R-E-A-K.
[01:03:15] Karim Hijazi: I remember that.
[01:03:16] Jordan Harbinger: Right. So I lived in that channel, man, all day and all night I was in there. And one of the things that they were talking about was there's an old phone company that probably doesn't exist anymore, called MCI. They probably became AT&T or something like that later on, you know, merged or whatever.
[01:03:30] Karim Hijazi: WorldCom.
[01:03:30] Jordan Harbinger: WorldCom. Okay.
[01:03:31] Karim Hijazi: Well, the WorldCom got bought by AT&T, I think, but yeah, MCI, WorldCom. I'll never forget that. I think it was the same channel with you.
[01:03:37] Jordan Harbinger: Yeah, we probably weren't in the same channel. It's funny. So MCI was running phone exchanges, so phone systems in Iraq. And the guys were like, "Hey, we should shut this thing down because, of course, the United States is going to take out actual like microwave command-and-control." That was part of the thing because I think Saddam had used microwaves above ground to signal to radar stations in missile defense and stuff like that. And somehow these guys knew that.
[01:04:04] And so what they did was they said, well, they're going to default to landline phones. A lot of those are buried. A lot of times military doesn't take out phone lines because of civilian infrastructure, et cetera. And also it's a big, big, big network. You'd have to take out a lot of phone lines. So we were like, "We can totally just take down the phone exchange." Because phreakers, which are like phone hackers, for those who don't know, if we know anything, it's how phone systems work and how to screw them up. Especially old ones that are in a foreign country that are not maintained well and have old software and old systems.
[01:04:36] So we decided to take down the MCI phone system in Iraq and you'd say, "Wow, I bet that was a rush." Yeah, it was, it definitely was. And you'd think that that kind of thing would be harder to do today, but I think more vectors than ever are out there. You know, like back then, we had hackers that were getting access points and dialing into Iraqi phones from their modems and things like that. We tricked people. I literally, I remember I called repeatedly on a line. I used my modem to make the phone call sound really distorted. You know, how you could talk through your modem and it would sound like crap, right? It would be like a PC speaker.
[01:05:12] Karim Hijazi: Mm-hmm.
[01:05:13] Jordan Harbinger: I'd create a bunch of static. So they didn't know that I was a kid and I may or may not have pretended to be a woman because I was like 14 years old. By the way, it's easier to make your voice higher when you're 14 than to make it lower, just in case anyone's wondering. And you know, I get a hold of these like telco guys in Iraq, okay, that are just beyond stoked that an American woman from New Jersey or whatever is calling.
[01:05:38] Karim Hijazi: That's amazing.
[01:05:39] Jordan Harbinger: "You know, this is Janice from New Jersey. I want to make sure your MCI service isn't interrupted if we can, during the conflict and you know, blah, blah, blah. We just need X, Y, and Z." I may or may not have been like, you know, Janice from Jersey Shore chewing some gum. Right? You could literally say something like I'm returning a call from Colonel Hamza's office. Right? Because Hamza happened to be one, a super common name, but also my buddy was Lebanese and that was like his uncle's name. And I grew up in Detroit. So I knew tons of Arabic dudes from Lebanon and half of them were named Hamza or something along those lines. And I was like, all right, this is Arabic sounding. That was the logic.
[01:06:13] And you could get them to be like, "Oh yeah. When you go to this, you have to type in this MCI 1, 2, 3, 4, and the password is also MCI 1, 2, 3, 4, and then you put the Hamza at the end or something like that. You know, you put Muhammad at the end," and they would just tell us like how to log in. "You have to Telnet," which I don't know if that still exists. "You have to Telnet to this area and you could log in. And that's the administrative thing. If you need to look at our configurations," and I'd be in there and I'm like, "Okay, so here's how they shut things down. Here's how they reroute things."
[01:06:45] And we just caused absolute hell in those phone systems. And we would get control of like all of Baghdad's phone systems.
[01:06:53] Karim Hijazi: That's amazing.
[01:06:54] Jordan Harbinger: And we would route them. So they couldn't call, you know, domestically, they could only call outside or they could only call MCI numbers. We would change things during the conflict. So they, if they had it figured out, we would just change it an hour and a half later. Like social engineering is the most dangerous because you don't need special software.
[01:07:10] Karim Hijazi: It is.
[01:07:10] Jordan Harbinger: You just don't.
[01:07:11] Karim Hijazi: Hacking still relies heavily on that piece. So really, frankly, an influence operation that we were talking about earlier, that's nothing more than a social engineering effort, but by way of like a phishing email or something else. It's really still getting the user to do something that you need them to do by convincing them in some fashion, right? It's not always so slick. It's not always so covert. Certainly, once you have that initial vector of access, off you go. Yeah, now you can deploy anything you want. Now, that's when the malware really comes in, but the first stages of this are very much still old school, getting a user to actually click on something.
[01:07:47] And now phishing, you know, is the big vector of attack these days, right? And when Microsoft Exchange servers got hacked by the Chinese group, that Nobelium group, which was in the news a while ago, I really was like, "Oh crap, this is going to get really hairy quick," because if you can get people's email servers, now I can send an email as Jordan Harbinger from jordanharbinger.com, without it being misspelled or some sort of spoofed version of it. It's literally coming from your server.
[01:08:16] And if I'm really good, I'm going to read everything you've ever written for the last six months. So I can get your tone and your cadence on how you write. And maybe even some of the nicknames you have with friends of yours. And they're going to open, they're going to read that email and they're going to do whatever you sort of ask them to do because it's coming from you. No software in the world is going to be able to identify it as fraudulent because it passes all this stuff tested. It's coming from Jordan. And that's absolutely possible today.
[01:08:39] So if you lay all the groundwork for the parameter to be that it is legitimate. And then you're really skilled at creating the content, like what you were doing, that's really formidable. And that's what these guys are being trained to do. And so, yeah, there is no technical solution to this, you know, I'm the guy that tries to build the technical solutions. I'm the guy that does the intel to identify where these things are. And I can be the first person to say that there's probably never going to be a fix that just works.
[01:09:06] Jordan Harbinger: Yeah.
[01:09:06] Karim Hijazi: It's going to be a training issue.
[01:09:08] Jordan Harbinger: The joke is always, there's no patch for stupidity, but here's the thing.
[01:09:11] Karim Hijazi: Right.
[01:09:11] Jordan Harbinger: These people aren't stupid. You know, maybe if they're getting tricked by a 14-year-old, who's pretending to be a woman calling from New Jersey, they're a little bit naive, but this is like early '90s, so forgivable.
[01:09:21] Karim Hijazi: Right.
[01:09:21] Jordan Harbinger: But people get conned all the time.
[01:09:24] Karim Hijazi: Right.
[01:09:24] Jordan Harbinger: I mean, if you don't believe it, look at Bernie Madoff who conned like billions of dollars out of people, or you see Inventing Anna on Netflix and you think, "How can these people be so dumb?" And the truth is if you work hard enough on somebody and you build rapport and you build trust and you're a skilled con artist, you can get people to do things, and especially if they kind of don't really care and they kind of don't think that what they're giving you is that important. And they're relatively convinced and they want something from you that they think you can give them.
[01:09:49] I mean, all of these switches are hardwired into us as humans. And it's very rare that someone's going to be able to turn all of them off. Training or not, you know, there's a reason that people break training protocol and get busted sleeping with spies, because those spies are pushing all the right levers and buttons. And those people will do something they know was wrong. That's why background checks see if you have drug addiction or gambling debt or other sort of issues like that, because those are vectors that work like every damn time. Right?
[01:10:17] Karim Hijazi: Yep.
[01:10:18] Jordan Harbinger: And they will never stop working. So the best thing to do is make sure that that person is not in a position to divulge or screw anything up.
[01:10:25] What do you think of Russia being removed from SWIFT? You know, the banking system.
[01:10:29] Karim Hijazi: Yeah.
[01:10:30] Jordan Harbinger: Can you tell us what SWIFT is? I think a lot of people don't even know.
[01:10:33] Karim Hijazi: No, absolutely. So SWIFT is literally the banking communication network. It was built a very long time ago with no security in mind to begin with, I might add, and it was intended for various banks all over the world to communicate with each other and all of the transactions that you do, whether it's a deposit or withdrawal or wire, all those go through that network. So it's sort of this private, bit of a silly analogy, but it's sort of a private Internet within the Internet for the banks, right?
[01:10:59] And what they're threatening to do, they being us, is take Russia off of it. Now, Iran has been off of it for a while. I think they've been off of it for eight to 10 years now as part of the sanctions against Iran. Now, here's where I really hope that the decision to do this has been really, really thought through by a variety of professionals, including cybersecurity and intelligence and geopolitical analysts. Because Jordan, I don't believe that there are that many folks that have that set of talent all in one. And you're getting a lot of contradictions and a lot of contrary ideas around things.
[01:11:35] It's kind of like the movies where you get that like four-star general that wants to hit the nuke button quick. Like, "Let's take them out, you know?" And then you got this very reserved hero of the movie, that's like, "Wait, but you know, that'll cause this," and that's exactly what's happening here.
[01:11:48] So to answer your question, if you take Russia off something like SWIFT, which you can do, you can pull them off and essentially de-pair them from it. What I think might happen, and again, this is a conjecture, but it is a very likely scenario, they're not going to have any reservations about attacking it because they were benefiting from it before. And everyone's kind of betting that they don't have an alternative. Well, we all know now the intelligence community is well aware of it, that they have an alternative with China. China's built a very similar system privately that Russia can absolutely link into. And yeah, is it perfect? No. Is it eating hot dogs for the year to survive? Maybe, but it's survival and it's probably more than survival.
[01:12:28] China's a massive economy. You know, we can't forget who we're dealing with here. This is again, highly, hotly debated that all these sanctions are going to destroy the Russian economy. I'm not as sold on that. I need more convincing because I think there's a lot of alternatives they have there that they've already sort of figured out well in advance of the situation.
[01:12:48] But yeah, the fear, very plainly, and I'll let you go and kind of drill it down into this, they will have no compunction to take it down and work in symphony with someone like Iran to go after it. Because if they're not benefiting from it, why let us have it to function freely? And if they do that well, you know, you go to the bank and things aren't going to work. What are you going to do?
[01:13:07] Jordan Harbinger: Yeah. Yeah. They're going to have to secure SWIFT and it's going to be a major target, right? I mean, it's just so important and now there's no collateral damage that they care about.
[01:13:17] Karim Hijazi: Right.
[01:13:17] Jordan Harbinger: Maybe it would have been tougher for them to attack because, well, then we can't use it and we rely on this, but yeah, if you're forcing them to go and create a way around it and bypass it, even if that bypass is less efficient, it's kind of like, "Well, if we can't use it, then we're just going to make it impossible for you to use too, why not?"
[01:13:32] Karim Hijazi: Yeah.
[01:13:33] Jordan Harbinger: That's no good.
[01:13:34] Karim Hijazi: And now's not the time to go fix it. Not when we've made the threat that we're going to take them off of and be like, "All right, let's get to work to make sure this doesn't get hacked." It's like, no, that should have started about 10 years ago.
[01:13:43] Jordan Harbinger: Oh man.
[01:13:44] Karim Hijazi: So the same as a critical infrastructure problem, we can't start retooling when we're under attack. It's not going to work.
[01:13:49] Jordan Harbinger: Yeah. That's a good point. I mean, all of those vulnerabilities were probably in there forever, anyways.
[01:13:54] Karim Hijazi: Yep.
[01:13:55] Jordan Harbinger: I want to be conscious of your time here, but I do have to hear about how this offshoot of Anonymous went after you and why, because you're making friends out there, man. You know, you got nation states and cyber militias that don't like you, I think that's a good place to close is why you're such a thorn in their side. What's going on?
[01:14:10] Karim Hijazi: Yeah. You know, and I definitely am not stopping, I guess I'm just a glutton for punishment with this kind of thing. But LulzSec was an interesting group. Now, I'm certainly not the only one that they went after. They went after Sony. They went after the CIA. I think PBS was another target of theirs at one point. And this is in the 2011 or so timeframe. And they also went after Stratfor if you remember that. That was a really interesting situation. Stratfor was a strategic intelligence company that got attacked by them. It's a whole other ball of wax I'll have to share with you at some point, Jordan. It's pretty interesting.
[01:14:40] But ultimately in 2011, I was doing what I do best, which is take down or infiltrate infrastructure that adversaries set up. And I did it fairly indiscriminately. So like, I wasn't as targeted as I am now where it's like, I'm going after a very specific, you know, nation-state actor. Back then, if I found a piece of malware that had a command-and-control capability, it was fair game for me to go after. So we ended up inadvertently taking down the denial-of-service attack botnets on Sony that this group set up.
[01:15:14] So they were probably sitting back in their chairs, probably watching Sony flounder with this denial-of-service attack. And all of a sudden, it went off and they're like, "What? Who turned it off? You know, who unplugged this thing?" And they went and they found that we had actually taken over the single command-and-control domain that was associated with that threat that they were using or that denial-of-service attack. I basically drew their fire. And there's a very involved story on how they got my credentials to come at me, but what's most disturbing about it was they actually got them from something called InfraGard in Atlanta.
[01:15:49] And InfraGard is the FBI. So it's an FBI private sector cooperation environment, and LulzSec literally went into that database. They hacked into that to get my credentials from there that allowed them to get to me. This didn't really hit the news quite as loudly as the other stuff did, but it was really disconcerting because I was like, these are credentials I use specifically for that. That means they got them from there, which is concerning.
[01:16:12] I didn't know who I was dealing with in the beginning. And the way they made themselves known to me was a very cryptic email that I got from them at like two in the morning, mid-May of 2011. And the mail literally had one of my passwords in the subject line. And this one line email of, "We should talk," period. And I was like, "Oh man, this is either a bunch of kids or it's a buddy that's gone too far with a joke or it's something real." You know something like your password, it's never cool. I mean, you know, we could prank each other all day long, Jordan, but the last thing I'm going to do is pull all of your passwords in an email, man. That's not cool.
[01:16:49] Jordan Harbinger: Yeah.
[01:16:50] Karim Hijazi: So it was one of those things where I was like, this is going a little too far. So I replied with, "What do you want to talk about?" And they came back around and indicated that they had already infiltrated our systems and they had gotten a hold of certain information that they were going to disclose to the media and share like that they hacked us and this and that. And they would only withhold that doxing effort — and doxing is that whole sharing of your information publicly to kind of disgrace you or humiliate you in some way — if I shared the, well, one, gave them back the access to that DDoS threat, but then more importantly, they realized what we were doing. And they're like, "Wow. If we actually get this company to give us access to all the other botnets that they've actually got control of, we can really, really be powerful." So they tried to extort me for that and then threatened that if I called law enforcement or the intelligence community, they would release the information. So I did, I called everyone I knew.
[01:17:40] Jordan Harbinger: Yeah. Because I was going to say, if you get hacked, what do you do? You have to call the FBI or something.
[01:17:45] Karim Hijazi: Exactly. And it's really interesting because there is no phone number to call. It's interesting. You know, you think about this and I had to face that, which is "Crap, people call me for this. Who am I going to call?" Right? Like, wait a second.
[01:17:57] Jordan Harbinger: Yeah.
[01:17:57] Karim Hijazi: Why does this work? And I did, I called law enforcement and you know, it took me forever to get to the right layers within the FBI. The intelligence community was tracking these guys for reasons that had to do more with the WikiLeaks mess and whatnot. And ultimately, I was instructed to keep the communication flowing with the individual that was at the helm of this who turned out to be the head of LulzSec. And our information eventually got translated back through the right channels to the IC. And they found him and got him and he was arrested. I think he served time and a variety of other things, but there's a deeper, darker part of this that had to do with them using information.
[01:18:32] To your point about taking something that should have been just a cyber attack to something more kinetic, I had worked with a company called Palantir and MIT on this think tank project, well in advance of this attack by these guys. And they used that report to wordsmith and construct this narrative that I was some sort of deep, dark secret government guy doing offensive operations against the Middle East. And this is right when the Arab Spring was going on. So there was a lot of tension and, you know, people were ready to fly off the handle. And I don't think my name falls flat on anyone. It's pretty bloody Arabic to begin with, right?
[01:19:09] Jordan Harbinger: Right.
[01:19:09] Karim Hijazi: It was like, great. And so I had all of these Libyan separatist types that were threatening me, that were going to come out and kill me and my family. And so I did, I'm one of the few people that's probably been victimized from a cyber perspective that moves squarely into something that could have been physical. I have thankfully lived through it, helped get these guys nabbed. And the good news is that my firm was ultimately acquired shortly thereafter by a company called Mandiant, which has been in the news recently. One hell of a story, Jordan.
[01:19:37] Jordan Harbinger: Yeah. That's really scary. Are you worried about anything like that happening now? Because like I said, you know, these nation states are, they don't like you and they're far more capable than some ass kids who got into your email and maybe your company. I mean, these are, you've seen what happened to Sergei Skripal in the UK where they were like, "Oh, let's just poison this guy and do it on video and get away with it."
[01:19:56] Karim Hijazi: Right.
[01:19:57] Jordan Harbinger: You know, are you worried about something like that?
[01:19:58] Karim Hijazi: Yeah, I mean, I definitely think that the job comes with its inherent risks. It's sort of one of these unfortunate situations where I have to sort of temper my risk averseness to what I'm actually doing. And I think as I get older, I sort of rethink how I would actually do things better because you can only obfuscate yourself so much. When you're running a company that's privately funded and needs to be out in the public, you need to share what you're able to know.
[01:20:22] I mean, there's so many other stories that I could share with you. I mean, I literally shared with the media information about actual organizations in the US that were compromised and even the media shied away from sharing that information because they were scared of the repercussions from those organizations. That blowback, not just the adversaries being mad at you, but the companies that don't want to be disgraced or see their stock dip, because the information we share could impact people's reputation, people meaning companies, you know, large public sector firms that ride the market heavily. And if there's anything that sort of impacts their shareholder or stakeholder confidence, that's disruptive.
[01:21:01] So yeah, speaking of making friends everywhere, it's not just those guys, it's even some of the companies I'm trying to help that actually get very upset with me.
[01:21:08] Jordan Harbinger: Right. So your customers are also—
[01:21:10] Karim Hijazi: Yeah.
[01:21:10] Jordan Harbinger: This is such a complicated relationship. Your customers, like, "Thanks for this, by the way, don't tell anyone or we're going to sue you into oblivion," right?
[01:21:17] Karim Hijazi: Yeah, exactly. Exactly. You know, I think this may be the last time I do this type of stuff, but who knows what's next. It'll be interesting to see what happens.
[01:21:26] Jordan Harbinger: Well, I'd ask you what keeps you up at night, but I think we covered it, you know, critical infrastructure being totally unprotected. I mean, we talked about a lot of things that are certainly going to keep me up at night for at least a week. So yeah, maybe we have that covered already. What do you think?
[01:21:38] Karim Hijazi: Fairly certain. Yeah, there's probably a slew of other things, but frankly they all dovetail into the fact that I'm either pissing someone off or a country off or an intelligence agency off or a large multinational organization with likely their own henchmen. So you know, take your pick.
[01:21:52] Jordan Harbinger: Well, it's good to be your friend. And I say that now, you know, not having to dodge bullets, cyber or otherwise, while sitting next to you. But you know, I'm glad to know you because—
[01:22:01] Karim Hijazi: Thanks, Jordan.
[01:22:02] Jordan Harbinger: —I feel like I'm slightly less safe for that. But on the other hand, that you're an interesting guy and that's the spice of life.
[01:22:08] Karim Hijazi: Appreciate it, Jordan. Same here, man.
[01:22:11] Jordan Harbinger: You're about to hear a preview of The Jordan Harbinger Show about how you can be affected by ransomware and cyber attacks on the rise now, all over the world.
[01:22:18] Nicole Perlroth: We still don't know just how deep the Russians are into our government systems. So it's going to be at least a year or more before we can stand up and confidently say we've eradicated Russian hackers from nuclear labs, the Department of Homeland Security, the Treasury, the Justice Department.
[01:22:39] How do you trust that any of the software you're using is secure and not a Russian Trojan horse? We live in the glassiest of glass houses. That makes escalation, you know, that much more of a risk. We're getting close enough that I think we're going to see a cyber attack within the next four years even, that causes substantial loss of life.
[01:23:01] Jordan Harbinger: For more with Nicole Perlroth on what the US should do to push back against cyber warfare, check out episode 542 on The Jordan Harbinger Show.
[01:23:13] Man, we could've gone on for a long time. Pegasus, the spyware that's in your phone that can take over your camera and take over the microphone and hear and see what you're doing. I mean, all of this stuff is terrifying, but there are other things that are even worse and more terrifying and even more invasive, which is absolutely incredible.
[01:23:30] Basically, people in Russia and Iran are watching you in the shower. If you take your phone in the shower, like everyone else, to listen to this podcast, maybe if you are soaping up right now, somebody could be watching you. Just saying that, it's not me. Don't worry. I won't subject myself to that, but no promises. It could be one of Putin's cronies. So hopefully, you've been working out.
[01:23:48] Also, of course, I asked Karim about encryption and he told me encryption really, for the most part, it's only good for data at rest or in transit. The minute we need to read it or hear it or play it, it is, of course, decrypted. And then it's available to prying eyes and ears, likely some form of malware. So all those encrypted messaging apps and all that stuff. Great, unless something is monitoring what goes onto your screen or looking at your screen or listening to the things that you play. So all these encryption plays are great, but really they don't necessarily stop a dedicated actor from trying to see what you are doing or typing or listening to. It's great if you want to stop data in transit from being intercepted by somebody like Facebook or whatever, but it's not going to help if you are really up to something and the state doesn't want you to do that.
[01:24:32] Back in the '90s, the government and military, they had a program called Tempest. And I can't remember exactly how this worked, but it was able to grab the thermal emanations off of a screen. Remember those green monitors that everybody had back in the day? It could see your screen through walls. And if something like that exists for modern screens, and let's be honest, of course it does, then all those encryption apps and those encrypted chats and all that stuff just is useless if somebody outside is grabbing what you are literally seeing on the screen. And remember, it doesn't have to be a camera, it can go through walls and go through you. It can just be a sensor that can read things that are on a screen. Absolutely incredible.
[01:25:06] By the way, a bit of a special announcement here. If you know anyone who is an experienced cybersecurity professional and/or a very capable computer or IT professional, not the kid who set up your AOL email account, but a legit expert, and they'd like to help Ukraine remotely, there are some groups out there who may be interesting to you. I'd encourage you to take a look. I may be able to help guide you here a bit as well. The best groups are going to be helping in the cyber defense arena. This is nonviolent stuff. You're not going to be blowing up a chemical plant or a reactor. You're not going to be poisoning a water system or something horrible that harms civilians. You're going to be, let's say, making invasion logistics that much slower and more difficult.
[01:25:45] And I am not affiliated with any particular group. I'm simply offering some advice here for those who keep asking. Now in a group such as this, you'd be reverse-engineering new malware and threats, working on identification of unpatched and vulnerable systems and identification of supply chain, organization, that kind of thing. So again, I'm happy to help guide you if you're rooting for the underdog. A lot of these groups are trying to make the world a safer place by buying some time for Ukraine and for the military there. This is a humanitarian effort.
[01:26:13] Again, I have nothing to do with these groups other than helping to spread the word like any other journalist and trying to save the lives of people on the ground. And of course, I wouldn't want you to do anything illegal. I've got a reputation to uphold here. If there's anything you know about me, it's that I am on the right side of the law at all times. Am I right? If that interests you go ahead and reach out to me. And maybe I can point you to the right place.
[01:26:33] Thanks to Karim for doing the show today. Everything Karim Hijazi will be linked up at jordanharbinger.com. Please use our website links if you buy the book. It does help support the show. Transcripts are in the show notes as well. Videos are on YouTube. Advertisers' deals and discount codes are all at jordanharbinger.com/deals. Please consider supporting those who support this show. I'm at @JordanHarbinger on both Twitter and Instagram, or you can connect with me there on LinkedIn.
[01:26:58] I'm teaching you how to connect with amazing people and manage your relationships for professional reasons, of course, using software, systems, and tiny habits. That's our Six-Minute Networking course. That course is free. It always will be free. It's over at jordanharbinger.com/course. Dig the well before you get thirsty. Build those relationships before you need them. Most of the guests on the show subscribe to the course. Come join us, you'll be in smart company where you.
[01:27:22] The show is created in association with PodcastOne. My team is Jen Harbinger, Jase Sanderson, Robert Fogarty, Millie Ocampo, Ian Baird, Josh Ballard, and Gabriel Mizrahi. Remember, we rise by lifting others. The fee for this show is that you share it with friends when you find something useful or interesting. If you know somebody who's into the cybersecurity thing or just interested in hacks and what might come of a cyber war, share this episode with them. The greatest compliment you can give us is to share the show with those you care about. In the meantime, do your best to apply what you hear on the show, so you can live what you listen, and we'll see you next time.