podcast

CEOs can be the weakest link.

Listener feedback on the "Can you hear me?" scam. Dave shares an ongoing Elon Musk Bitcoin giveaway scam. Joe describes the malicious use of a compromised DHL email address. This week's catch of the day comes from down under. (Apologies to the fine citizens of Australia.) Carole Theriault returns with an interview with MimeCast's Matthew Gardiner

Transcript

Matthew Gardiner: [00:00:00] It's not uncommon to hear a high-level executive sort of tell a mid-level IT person, you know, that's great for everybody else but not for me.

Dave Bittner: [00:00:10] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello there, Joe.

Joe Carrigan: [00:00:29] Hi, Dave.

Dave Bittner: [00:00:30] Later in the show, Carole Theriault returns. And she speaks with Matthew Gardiner from Mimecast about some of the threats that they've been seeing. But before we get into all of that, a quick word from our sponsors at KnowBe4.

Dave Bittner: [00:00:44] Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided. But a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate. But you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4 who have a different way of training.

Dave Bittner: [00:01:20] And we are back. Joe, before we get into our stories this week, we've got some follow-up. We actually had a couple of listeners write in in response to a passing reference we made about the Can You Hear Me? scam. Remember that.

Joe Carrigan: [00:01:31] Yes. I believe that was from the interview with Shannon.

Dave Bittner: [00:01:35] Yeah.

Joe Carrigan: [00:01:35] Right.

Dave Bittner: [00:01:35] Yeah. And so for those who aren't familiar with it, the Can You Hear Me? scam is where someone calls you, and they say, can you hear me? And allegedly, that's so that they can get a recording of you saying, yes, which they then use to authorize purchases on your credit card or so on and so forth.

Joe Carrigan: [00:01:53] Right.

Dave Bittner: [00:01:53] Well, it turns out that this one is actually unproven.

Joe Carrigan: [00:01:56] OK.

Dave Bittner: [00:01:56] And the folks over at Snopes did some investigating. And they couldn't find any instances of anyone actually falling victim of it. And they also said that in order to use this whole yes thing that they would already have to have lots of information about you anyway.

Joe Carrigan: [00:02:11] And that's good because there's not a lot of information about people out on the web. Right, Dave? (Laughter).

Dave Bittner: [00:02:15] Well, yeah. But the point is that, you know, banks and so forth...

Joe Carrigan: [00:02:17] Right.

Dave Bittner: [00:02:17] They don't keep a database of what your voice sounds like. So...

Joe Carrigan: [00:02:21] Correct.

Dave Bittner: [00:02:21] If they were looking for some sort of authorization just based on the word yes, well, the scammers could just say, yes. And - (laughter).

Joe Carrigan: [00:02:29] Right.

Dave Bittner: [00:02:29] So...

Joe Carrigan: [00:02:30] I see the point.

Dave Bittner: [00:02:30] Yeah. So thanks, everybody, for writing in about that. Keep us straight if we inadvertently pass along something that needs some attention. Thanks for writing in and keeping us honest here. So my story this week - this was sent in by one of our listeners. This is someone named Nevin. He sent it in via Twitter. And he keeps getting offers of free Bitcoin from Elon Musk.

Dave Bittner: [00:02:51] Now, we've spoken about offers like this - I believe previously from the pope. This is a straightforward kind of scam where someone claims to be someone famous and they offer up all sorts of riches. But first, you have to send them a few bucks...

Joe Carrigan: [00:03:03] Sure.

Dave Bittner: [00:03:03] ...To show your good faith.

Joe Carrigan: [00:03:05] Right.

Dave Bittner: [00:03:05] And, of course, then you never get the money promised to you. So this one reads - this is from Elon Musk, and there's a nice little picture of him there. And it says...

Joe Carrigan: [00:03:13] Right.

Dave Bittner: [00:03:13] I'm giving 10,000 Bitcoin to all community. I left the post of director at Tesla. Thank you all for your suppoot (ph).

Joe Carrigan: [00:03:22] Suppoot (laughter).

Dave Bittner: [00:03:22] I decided to make the biggest crypto giveaway in the world for all my readers who use Bitcoin. And then it has a link. And basically, it says that to verify your address, you have to send from .5 to five Bitcoin to the address below. And you'll get from five to 50 Bitcoin back.

Joe Carrigan: [00:03:39] Wow.

Dave Bittner: [00:03:39] That's big money.

Joe Carrigan: [00:03:40] 0.5 Bitcoin is what? $3,500 right now, right?

Dave Bittner: [00:03:43] Something like that, yeah.

Joe Carrigan: [00:03:44] Something like that.

Dave Bittner: [00:03:44] Yeah.

Joe Carrigan: [00:03:45] That's all you need to do is send him .5 Bitcoin.

Dave Bittner: [00:03:47] Right. So the thing about this is the Twitter account being used has a verified checkmark next to it. And what these crooks are doing is they're finding Twitter accounts that have credentials or they find ones that aren't being used. Somehow, they get control of them...

Joe Carrigan: [00:04:02] Right.

Dave Bittner: [00:04:02] ...Even though it's been verified. And then they change the username to Elon Musk. But the Twitter account name doesn't change.

Joe Carrigan: [00:04:09] Yeah, the Twitter handle stays the same.

Dave Bittner: [00:04:11] Right. And this has nothing to do with Elon Musk - the Twitter handle.

Joe Carrigan: [00:04:14] Right.

Dave Bittner: [00:04:14] And then they promote the tweet, so they're actually putting in some money to put this scam out here. Now...

Joe Carrigan: [00:04:20] They promote it.

Dave Bittner: [00:04:21] They promote it.

Joe Carrigan: [00:04:21] And Twitter lets that happen.

Dave Bittner: [00:04:23] Well, that's what I want to get to. I don't understand why Twitter can't do a better job of filtering this. I mean, this is a well-known scam. So to me, computers are pretty good at filtering things (laughter).

Joe Carrigan: [00:04:35] Yeah, they're very good at that, actually.

Dave Bittner: [00:04:37] So if someone puts in a username of Elon Musk...

Joe Carrigan: [00:04:41] Right.

Dave Bittner: [00:04:41] ...And starts sending out promoted tweets...

Joe Carrigan: [00:04:44] Right.

Dave Bittner: [00:04:44] ...Under that name, you'd think that there would be some way that Twitter could automatically flag that for review.

Joe Carrigan: [00:04:49] Correct.

Dave Bittner: [00:04:50] That should go to the top of the list of things that need to be flagged...

Joe Carrigan: [00:04:54] Any time...

Dave Bittner: [00:04:54] ...For review.

Joe Carrigan: [00:04:55] Any time a verified user changes their Twitter handle or their display name, that should be investigated.

Dave Bittner: [00:05:00] I agree.

Joe Carrigan: [00:05:01] A human should look at that...

Dave Bittner: [00:05:01] I agree. But...

Joe Carrigan: [00:05:02] ...Because what's the purpose of having a verified Twitter handle?

Dave Bittner: [00:05:05] You are who you say you are.

Joe Carrigan: [00:05:06] Correct.

Dave Bittner: [00:05:07] Yeah.

Joe Carrigan: [00:05:07] So you already don't have an interest in changing your display name or your Twitter handle.

Dave Bittner: [00:05:12] No. And you have to send in substantial documentation to get that checkmark. I have tried and haven't been able to get it.

Joe Carrigan: [00:05:19] I am also considering trying it for one of my accounts. But...

Dave Bittner: [00:05:23] Yeah. You're not going to like it. I'm warning you.

Joe Carrigan: [00:05:24] (Laughter).

Dave Bittner: [00:05:25] The things that they want you to send in, you are not going to like it. Anyway, this scam has already earned over $180,000 in Bitcoin.

Joe Carrigan: [00:05:33] Wow, so people are actually sending money to the Bitcoin addresses.

Dave Bittner: [00:05:36] They are - taking advantage of the familiarity people have with Elon Musk. And everybody knows he's a rich guy. So...

Joe Carrigan: [00:05:43] Right.

Dave Bittner: [00:05:43] A hundred-eighty grand, though - that's no small potatoes.

Joe Carrigan: [00:05:46] No. That's somebody having a very good payday.

Dave Bittner: [00:05:47] Yeah, so thanks for sending this in - obviously, one to look out for. You know, I doubt many of our listeners would fall for this sort of thing, but make sure you spread the word to your friends and family, and make sure they're aware of this.

Joe Carrigan: [00:06:00] Right.

Dave Bittner: [00:06:00] So that's what I've got. Joe, what's your story this week?

Joe Carrigan: [00:06:02] So, Dave, Halloween was a couple weeks ago, right?

Dave Bittner: [00:06:05] Yes, it was.

Joe Carrigan: [00:06:05] So here in America, you know what it's time to start thinking about? It's Christmastime, right?

Dave Bittner: [00:06:09] No, no, no, no. It is time for Thanksgiving. It is Thanksgiving time. It is not time for Christmas yet.

Joe Carrigan: [00:06:17] Not according to the retailers, Dave.

Dave Bittner: [00:06:19] Oh, I know.

Joe Carrigan: [00:06:20] So actually, this one comes from Alice Woods over at 2-spyware.com.

Dave Bittner: [00:06:24] OK.

Joe Carrigan: [00:06:24] And she's talking about a MailGuard report. Now MailGuard is an Australian email filtering company. And it says that scammers have already started spreading fake emails that mimic DHL notifications about shipped goods.

Dave Bittner: [00:06:38] Oh, the shipping company DHL, OK.

Joe Carrigan: [00:06:40] Right. The international shipping company DHL.

Dave Bittner: [00:06:41] Right, right.

Joe Carrigan: [00:06:42] I am so leery of these kind of scams that one time I actually ordered something from Europe and actually got a legitimate DHL notification.

Dave Bittner: [00:06:49] Right.

Joe Carrigan: [00:06:49] I was terrified to click on the link.

(LAUGHTER)

Joe Carrigan: [00:06:54] Then when I got home, my package of stuff was there. And I was like, oh, it must've been real. But I didn't click on the link.

Joe Carrigan: [00:07:00] The scam was noticed towards the end of December, when Australians' email inboxes were flooded with messages containing tracking numbers or various links and attachments and suggestions that users look at their tracking numbers on websites and other things. The subject line of these emails read, DHL Shipment AWB, and contained a number, of course, that looked just like a tracking number.

Dave Bittner: [00:07:21] Right.

Joe Carrigan: [00:07:21] It's fake. They also provided in this fake email some links where the alleged tracking information could be viewed. And when the user clicks on the provided link, the traffic is directed to a page that suggests people enter their email address or other information. Of course, the scam is to collect users' information.

Joe Carrigan: [00:07:38] So here's the interesting part about this. The sender is actually a DHL email address that looks like it's been compromised.

Dave Bittner: [00:07:46] Really?

Joe Carrigan: [00:07:47] Right. So they got some business email compromise going on in here. I would like to think, although I don't know, that MailGuard notified DHL of this vulnerability and that DHL has fixed it. But I don't have that information. But I'm going to assume that MailGuard is an ethical company and that they've done this...

Dave Bittner: [00:08:00] Yeah.

Joe Carrigan: [00:08:00] ...And that DHL is taking care of their customers.

Dave Bittner: [00:08:02] So actually coming from a legitimate...

Joe Carrigan: [00:08:04] Right.

Dave Bittner: [00:08:05] From inside the house, so inside DHL.

Joe Carrigan: [00:08:07] Exactly. So they've gotten hold of - they've done some business email compromise, and they've used that email address to send out a bunch of these - a bunch of these messages...

Dave Bittner: [00:08:15] Right.

Joe Carrigan: [00:08:15] ...That link to malicious sites and to harvest people's credentials, right? Now, there's all kinds of things that you can do with these kind of emails. You can send them to a site that just collects their DHL login credentials. Now, that might not seem like a big deal. So what, somebody gets my DHL tracking email? Well, what if you reuse the password, Dave, like I always tell you not to do?

Dave Bittner: [00:08:36] Right.

Joe Carrigan: [00:08:36] But - and that's also your email address and your password to your PayPal account. Well, that's a problem. That's really the goal of these credential-harvesting things...

Dave Bittner: [00:08:44] Yeah.

Joe Carrigan: [00:08:44] ...Is to not just compromise the one site, but then to move on to other sites that might have potential value.

Dave Bittner: [00:08:49] Yeah, and maybe even sell those credentials.

Joe Carrigan: [00:08:51] Oh, absolutely.

Dave Bittner: [00:08:52] Yeah.

Joe Carrigan: [00:08:52] These credentials have value on the black market.

Dave Bittner: [00:08:55] Yeah. Well, so how do you look out for this? I mean, you've got a legit DHL email. Do you do like you did and just never trust anybody?

Joe Carrigan: [00:09:04] That's what you do, Dave.

Dave Bittner: [00:09:05] (Laughter) I see.

Joe Carrigan: [00:09:06] You've got to make sure you're going to the right website, and not just making sure that the website is secure in terms of TLS because it's easy to obtain a TLS certificate, and the website will look like it's secure, even though it's not a bona fide website. So you got to watch the domain, watch the certificate, see who it is certifying. Make sure that it's DHL.

Joe Carrigan: [00:09:25] Particularly with DHL, because they are such a large international shipper, they're going to be a big target for this kind of thing. So take the extra steps and just make sure. If it's any shipping company sending you information, verify that you're on the right address. You know, hover over the link to see where it's taking you.

Joe Carrigan: [00:09:41] What I do, and this is me being uber-paranoid, Dave.

Dave Bittner: [00:09:44] You?

Joe Carrigan: [00:09:45] Me, yeah. I will right-click on the link, copy link location and paste it into a text editor and read it.

Dave Bittner: [00:09:51] OK.

Joe Carrigan: [00:09:51] That's what I do. I know what URL strings look like, though. The layperson may not know what a URL string - a query string looks like.

Dave Bittner: [00:09:58] Yeah.

Joe Carrigan: [00:09:58] But if nothing else, just make sure it's going to the proper domain.

Dave Bittner: [00:10:01] Right. And as I say, if you're - if it's a question, just don't click the link. Go to the domain independently.

Joe Carrigan: [00:10:08] Agreed.

Dave Bittner: [00:10:09] If it's DHL, go to DHL...

Joe Carrigan: [00:10:10] That's a great way to get around it.

Dave Bittner: [00:10:10] ...On your own without the link...

Joe Carrigan: [00:10:12] Yep. And then answer...

Dave Bittner: [00:10:12] ...And track it from there.

Joe Carrigan: [00:10:14] Yeah. Copy the tracking number because the tracking number is probably not a link, right?

Dave Bittner: [00:10:17] Right.

Joe Carrigan: [00:10:17] So you can just copy the tracking number into their site. And, lo and behold, you'll have all the tracking information, or you'll get a message that says, this is an invalid tracking number.

Dave Bittner: [00:10:24] Right. All right, it's a good story, but it's time to move on to our Catch of the Day.

Joe Carrigan: [00:10:29] Favorite part.

(SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:10:34] All right, Joe, we got a good one this week. This is from a gentleman who goes by the name Slab (ph).

Joe Carrigan: [00:10:39] Is that his hacker name?

Dave Bittner: [00:10:40] That is a nickname, I believe. And he is from Australia. And he wrote us, and he said, hi there, guys. Slab from Australia here. My daughter and I love your show and listen every week. Justin from OLD dropped your podcast on one of his episodes. I have no idea what that is, but I'll have to find out.

Joe Carrigan: [00:10:56] OK.

Dave Bittner: [00:10:56] I really look forward to Thursdays in Australia as I listen to your poddy (ph) - I think that's Australian for podcast, Joe...

Joe Carrigan: [00:11:02] I hope so.

Dave Bittner: [00:11:03] ...Yeah - on the way...

(LAUGHTER)

Dave Bittner: [00:11:04] ...On the way home from work.

Dave Bittner: [00:11:06] I recently had a friend contact request me via Facebook. I was already friends with him, and I thought that he must have cleared his account and was starting again. The profile pic was the same and had very few friends at the time I was requested. I checked out his name after I went through the conversation and found that he had two profiles.

Joe Carrigan: [00:11:23] Aha.

Dave Bittner: [00:11:24] The conversation took place over four days with no contact from me for three of those days in between. All right, so, Joe, Slab sent us a transcript of the text message exchange that he had with the scammer. And I thought it'd be fun for you and I to read through them, but read through them using ridiculous Australian accents.

Joe Carrigan: [00:11:43] Oh, my Australian accent's terrible. This is going to be hilarious.

Dave Bittner: [00:11:46] Good. All right. I will begin.

Dave Bittner: [00:11:49] Hello, mate, how are you doing?

Joe Carrigan: [00:11:51] Hi, Dale. How you been?

Dave Bittner: [00:11:52] Well, I'm also doing pretty good. I got some news to share with you, and I don't think you've heard it.

Joe Carrigan: [00:11:58] Go for it.

Dave Bittner: [00:11:58] I was wondering if you heard about the Bill and Melinda Gates Foundation program ongoing now.

Joe Carrigan: [00:12:04] That I have.

Dave Bittner: [00:12:05] Oh, I thought you had heard about it already. It's a new program. They're helping the young, old, retired citizen workers and non-workers, disabled or non-disabled. You can use the Bill and Melinda Gates fund offer to pay your bills - college, school, medical expenses, business costs or even personal use.

Joe Carrigan: [00:12:20] OK.

Dave Bittner: [00:12:21] It's an amazing program. I got $160,000 from them after I applied for the program, and it was granted to me.

Joe Carrigan: [00:12:28] Nice.

Dave Bittner: [00:12:29] You can also apply just like I did.

Joe Carrigan: [00:12:32] That's awesome. How do I go about doing that?

Dave Bittner: [00:12:35] That wasn't the least bit Australian, Joe.

Joe Carrigan: [00:12:37] Sorry.

Dave Bittner: [00:12:38] That is agent contact link to message me through Facebook. Text him and let him know you're ready to claim your winnings. They work 24 hours a day, so you'll surely reach him right now. Text him up now and let him know. I'll give you his contact now that you're ready to claim your winning grant. Text him up now and let him know if you're able to reach him. OK.

Joe Carrigan: [00:12:57] What did you claim it for?

Dave Bittner: [00:12:58] Once you apply and you are eligible, you have to claim your winning with the UPS delivery company for your delivery once shipping clearance and insurance fee are paid.

Joe Carrigan: [00:13:07] How much should I claim? What did you claim for?

Dave Bittner: [00:13:10] You can't claim any amount, varies from $80,000. So I choose to claim $160,000 and pay $2,000 for my shipping clearance and insurance.

Joe Carrigan: [00:13:21] Wow. That's amazing. Can I borrow 2k so I can claim, and when I get my 160k, I'll send it back?

Dave Bittner: [00:13:28] I quickly paid off some medical and other bill and have the rest fixed. I can only help with $1,000.

Joe Carrigan: [00:13:35] 2k and I'm in. Thanks so much. This is fantastic. Thank you so much for your help.

Dave Bittner: [00:13:39] Text the agent now.

Joe Carrigan: [00:13:40] Actually, I can send you my bitcoin address, and you can send it there.

Dave Bittner: [00:13:44] I will talk to the agent myself because I still have their info to make payment. Let me know at the point of your payment.

Joe Carrigan: [00:13:51] OK. Send the money to this address.

Joe Carrigan: [00:13:53] And then he lists the bitcoin address in Base58.

Joe Carrigan: [00:13:56] I will send you the money when I have received $1,000. Thanks again. You're my best friend. Bitcoin.

Dave Bittner: [00:14:02] OK.

Joe Carrigan: [00:14:04] Thanks again, friend. I'm still waiting for the transfer. Dale, you have my number. Please call to discuss further.

Dave Bittner: [00:14:09] And after that, there was nothing.

Joe Carrigan: [00:14:11] I think I was doing the part of Slab?

Dave Bittner: [00:14:15] Yeah, you were doing the part of Slab. So Slab played along here.

Joe Carrigan: [00:14:19] That's great work, Slab.

Dave Bittner: [00:14:20] Yeah, excellent. Nice job, Slab.

Joe Carrigan: [00:14:22] I apologize for our terrible, terrible, terrible Australian accents. I want to talk about...

Dave Bittner: [00:14:28] I thought mine was pretty much dead-on. I don't know. Maybe Slab will let us know.

Joe Carrigan: [00:14:32] Mine was awful. I'll tell you that right now. I want to focus on one of the things this scammer said in this. He said, they're helping with the young, old, retired citizens, workers, non-workers, disabled, non-disabled. You can use the money. OK. So...

Dave Bittner: [00:14:46] Everybody.

Joe Carrigan: [00:14:47] Everybody, right? He tries to list a bunch of features that will include 100 percent of the population. Are you young or old? Yes. I'm one of those two things. Are you retired or citizens working or non-working? I have to be one of those three things.

Dave Bittner: [00:15:01] Yeah. Well, brilliant on Slab's part to try to get this guy on the hook for $2,000, whatever. Way to turn it around. So nice to have some fun with him there.

Joe Carrigan: [00:15:11] Absolutely. Good work.

Dave Bittner: [00:15:12] And thanks for being a good sport as we had fun with your nationality.

Joe Carrigan: [00:15:15] And thank you for listening. I hope you continue to listen, despite our terrible Australian accents.

Dave Bittner: [00:15:20] That's right. I hope everybody had a good laugh. All right. Well, thanks, Slab from Australia. That is our Catch of the Day.

Dave Bittner: [00:15:25] Coming up next, we've got Carole Theriault with her interview with Matt Gardiner from MimeCast. But first, a few words from our sponsors, KnowBe4.

Dave Bittner: [00:15:36] And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school Security Awareness Training. They've got the world's largest Security Awareness Training library, and its content is always fresh. KnowBe4 delivers interactive engaging training on-demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing real-world proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's is weekly Cyberheist News. We read it, and we think you'll find it valuable too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:16:37] And we are back. Joe, it's great to have our U.K. correspondent Carole Theriault join us once again. This week, she's got a conversation with Matthew Gardiner from MimeCast. Let's have a listen.

Carol Theriault: [00:16:47] Well, Dave, Mimecast released a report called "The State of Email Security." Inside this report, there were loads of juicy insights on how organizations cope with this onslaught of threats. For example, are you surprised that 50 percent said that phishing had increased or that almost 9 out of 10 organizations encountered threats borne by careless behavior? Even more interesting than that is that nearly 40 percent said that the organization's weak link was the CEO - yeah, the CEO, the head honcho, arguably one of the people with the most to lose if the firm takes a public beating for his security practices.

Carol Theriault: [00:17:25] Plus, isn't this the person with the final say on the cybersecurity budget? I just wanted to understand a bit more about how these CEOs increase cybersecurity risk rather than minimize it. And I reached out to MimeCast's Matthew Gardiner for the lowdown.

Carol Theriault: [00:17:40] Matthew, thank you so much for chatting with "Hacking Humans." Now, perhaps you can tell me a bit about the environment. You guys did some research. So what threats are hammering at the door and disrupting our networks?

Matthew Gardiner: [00:17:51] You know, in the last couple of years, obviously, ransomware has become a hot commodity. Most cyberattackers are money-oriented. You know, you might read about, you know, nation-states or, you know, other actors. But, you know, I think the general takeaway I would give to the audience is that, you know, it's like 99 out of 100 are in it for the money. And so anything that can be monetized, and obviously ransomware is sort of a classic now, is where most of the attacks are focused.

Carol Theriault: [00:18:16] So you're saying most of it is money-driven. And where are the weak points? So why are we still having this problem 20 years on?

Matthew Gardiner: [00:18:23] Well, I mean, yeah. Our tech environment is more complicated. Attackers are more sophisticated. And, you know, the human, you know, which is apropos to this podcast, continues to be a weak link.

Matthew Gardiner: [00:18:37] So that's why you have things like phishing and, you know, drive-by downloads and those sorts of things - is that it's the user, in many cases, quote, "inviting" the attacker in. And that's really hard to overcome.

Carol Theriault: [00:18:50] Now, that's interesting. Do users do this, do you think, through ignorance, or is it just disregard for the rules? Or is it mostly malicious behavior?

Matthew Gardiner: [00:19:00] You know, there's - we have a group that we call the compromised insider, which is sort of a - you know, they're just sort of naively doing what the attacker wants them to do. And then there's - there is an element of careless, where they should have known better but didn't. And so it's a little blurry, obviously, there.

Matthew Gardiner: [00:19:17] But at the end of the day, people are busy. You know, they're not technical. You know, they don't know what a domain or a URL - or how to look at a URL and figure out that it's...

Carol Theriault: [00:19:25] Yeah. They got their own problems, don't they (laughter)?

Matthew Gardiner: [00:19:28] Exactly, exactly. And so attackers know that. And they jump right in. And, you know, they don't have to be successful all the time. They just have to be successful enough to make money.

Carol Theriault: [00:19:39] It's true. A lot of people in our industry often go, oh, how could the user be so silly, falling for that? It's like, well, 'cause it's not their focus. They're not thinking about it every day. They're kind of using the tool the way you might use your car.

Matthew Gardiner: [00:19:50] Yeah. We may look at the URL in an address bar, but, you know, most of the world doesn't know a domain from a - their left elbow.

Carol Theriault: [00:19:58] According to your research, 90 percent of global orgs have seen phishing attacks increase over the past year instead of decreasing.

Matthew Gardiner: [00:20:07] Yup.

Carol Theriault: [00:20:07] So obviously, you're thinking that's the money that's incentivizing that growth.

Matthew Gardiner: [00:20:10] Absolutely. It's actually kind of hard to hack - you know, to literally, technically hack an organization that has some security controls. It's much easier to send in a request via email and have the user, essentially, invite them in, or do something, you know, in response to, you know, an email that says, please change your wiring instructions for our account, and pretends to be one of your vendors or customers. There's nothing malicious, necessarily, in it. It's the - purely socially engineered.

Carol Theriault: [00:20:40] Right.

Matthew Gardiner: [00:20:41] And so you hit a busy person that is in the accounts payable department, and if it's related to a project or a vendor that they'd normally do business with, they might not think twice. And that's - you know, part of the problem is not thinking twice.

Carol Theriault: [00:20:55] Yeah. It's like they're getting us in our weakest spot. We're really busy at work. We're distracted. We have too many messages and emails and phone calls to return. And one of these things slips through a net. And, you know, if we're not trained, I guess, or don't know to look for them, we're sitting ducks.

Matthew Gardiner: [00:21:10] Yeah. And, you know, like anything, more training and understanding, obviously, and more caution amongst users is a good thing. There is - you know, there's tech you can use to help filter out these, you know, malicious requests. And then you shouldn't really have a business process that has a single point of failure, you know? So you always should have some sort of...

Carol Theriault: [00:21:28] Yeah.

Matthew Gardiner: [00:21:29] ...Control - complementary control.

Carol Theriault: [00:21:31] Some redundancy as well, I guess.

Matthew Gardiner: [00:21:33] Exactly, exactly. And a lot of companies don't have all those three things going well.

Carol Theriault: [00:21:38] Oh, really? Is that right? So one of them is always weak? It's, like, 2 out of 3 rather than 3 out of 3? Is that what you see?

Matthew Gardiner: [00:21:43] Well, maybe 3 of the 3 are weak.

Carol Theriault: [00:21:45] (Laughter).

Matthew Gardiner: [00:21:46] They're not using tech. The users don't necessarily know - aren't discerning. And, you know, the business process has a single point of failure. And so they're the ones that - they get breached or lose money or get into the news.

Carol Theriault: [00:21:59] So what I found really interesting about the research that Mimecast put out was that CEOs are often seen as a weak link in security. So something like 40 percent of your respondents said they saw their CEO as a cybersecurity weak link. That's huge.

Matthew Gardiner: [00:22:16] You know, in some ways, I mean, having been in security for more than 15 years, I think that's probably progress.

Carol Theriault: [00:22:23] (Laughter).

Matthew Gardiner: [00:22:24] That 40 percent would've been much higher years ago. It feels bad. And, obviously, 40 percent is still a large number. You know, the reason that CEOs are, quote, "the weak link" is, A, they're useful in a fraud. So they're, you know, a figure of authority.

Carol Theriault: [00:22:40] Yeah.

Matthew Gardiner: [00:22:40] So if you're going to - if you're going to impersonate somebody at a company, CEOs are a pretty good choice, maybe the CFO, or there's a couple other people, depending on what you're trying to do. So if you get a, in quote, "get an email from the CEO," you're much more likely to go, whoa, wait a second, you know? I got to take this seriously. I'm going to act accordingly, you know, quickly, perhaps.

Matthew Gardiner: [00:22:58] But then, they're also, on the flip side, a point of attack. So if you're an attacker and you can get into the CEO's account or onto their machine, you're into the flow of the most sensitive data or information at a company.

Carol Theriault: [00:23:11] Yeah. That makes total sense, right? They're the big kahuna. They're the big fish.

Matthew Gardiner: [00:23:14] Exactly. So it's a double-edged sword with them. And then you throw in the issue of, like, a lot of CEOs are not technical. They didn't come from, you know, IT or whatever - security. There's a tendency, although I think it's slowly being drained out, but there's a tendency for them to, oh, security is IT's problem, like there's some magical tech that will make us, you know, eliminate all risk - where the more mature CEOs, you know, view cybersecurity as a risk. And they treat it as a business risk, and they invest accordingly.

Carol Theriault: [00:23:43] Just between you and me and our lovely listeners here, do you think there's an element of the, I'm the head honcho, I do what I want, attitude in some CEOs?

Matthew Gardiner: [00:23:53] Absolutely. I mean...

Carol Theriault: [00:23:54] And it's your job to protect me, you know...

Matthew Gardiner: [00:23:56] Exactly.

Carol Theriault: [00:23:57] ...No matter what I do.

Matthew Gardiner: [00:23:58] Yeah. And that whole thing of security is an IT problem not a business problem - you know, they're busy people too usually. And so security control, not always but often, can be seen as getting in the way of doing business. And so it's not uncommon to hear a high-level executive sort of tell a mid-level IT person, you know, that's great for everybody else but not for me.

Carol Theriault: [00:24:22] I can tell you a number of shareholders would not have happy faces if there was a breach at a company. And, you know, the CEO was like, well, it's not my fault. It's the IT guy's fault.

Matthew Gardiner: [00:24:34] Right.

Carol Theriault: [00:24:34] I don't know if that would fly very high.

Matthew Gardiner: [00:24:35] The world's become more sensitive to the reality. And so I think that's maybe why it's only 40 percent of people think their CEO undervalues the role of email and security.

Carol Theriault: [00:24:45] Now, you had a story about what happened with a CEO.

Matthew Gardiner: [00:24:48] Yeah, it's a classic fun one. So any security person always loves it when they're attacked by a very weak attacker because then you can have sort of sport with them. So a very simple case, I got an email - well, I didn't get the email actually because our system filtered it. But I went into the back of our email security system and pulled the email out. And basically it was our CEO - not really - asking me that he had a really important thing for me to do.

Matthew Gardiner: [00:25:17] And I basically responded like, oh, Peter, how can I help you? And he responded back, well, I need iTunes cards. I'm like, oh, really? Is this for a customer event or a partner thing you're doing? Yes, it's for that. And, you know, I'm actually - I need it right now. And then, of course, I respond, oh, you know, should I use the corporate card? And what expense code should I use when I submit the expense? He goes, yes, you should use the corporate card. And, you know, I was just going on and on and on - you know, the longer it could go, the better. And unfortunately yesterday, my last response bounced.

Carol Theriault: [00:25:53] So he figured it out?

Matthew Gardiner: [00:25:56] No, his email was taken down.

Carol Theriault: [00:25:58] Ah, there you go.

Matthew Gardiner: [00:26:00] So it's - you know, that happens. It's obviously a completely obvious attack. I mean, if we didn't have an email security system, I wouldn't have fallen for it anyway. But, you know, you make that a little more sophisticated, and you hide - instead of just doing display name, which is all he did. He just made his display name Peter Bauer.

Carol Theriault: [00:26:19] Yeah.

Matthew Gardiner: [00:26:20] Instead, you know, you could register a similar domain. And you could - you know, you could put a link to some, you know, malicious site that he wanted me to go to - none of the things this guy did. You go from something that should be catchable by a person. At the other end of the spectrum, there are malicious attacks that essentially have no chance to be detected by an average user but have a chance to be detected by tech.

Carol Theriault: [00:26:44] So when a malicious attack is targeting a C-level or a CEO person, I guess they obviously tailor their message appropriately. So they would talk about investments or share opportunities or new board members or something like that.

Matthew Gardiner: [00:27:01] Or we met at this event, and, you know, you presented at this thing and...

Carol Theriault: [00:27:05] Yeah.

Matthew Gardiner: [00:27:05] You know, just, you know, literally someone - it could be completely legit. Someone could have been reaching out. And, you know, they take advantage of all that information.

Carol Theriault: [00:27:14] Now, what advice do you have for the C-suite? So I'm going to guess that most CEOs won't really be thinking about the fact that they're actually increasing - you know, dramatically, I bet, in some cases - the risk or the exposure to risk that a company's facing. What kind of things would you say watch out for?

Matthew Gardiner: [00:27:34] Well, I mean, I hope they take a risk-based approach, first of all. I mean, it's IT's job to protect this. It's like anything in business. There's risk of doing business on the internet of course. So you have to sort of weight those out and then also realize that there are - there's information data systems and people that are more attractive than others - certain hackers.

Matthew Gardiner: [00:27:58] And so one of the things you should do is - your executives are generally more public - easy to find out where they are, what they do, you know, where they went to school, all that kind of stuff. That's actually possible for pretty much anybody. But it's even easier with them. So you should put, you know, more monitoring and controls around the executives in particular - be a little bit more protective of them. There's a number of other things. But that's sort of a starter for it.

Carol Theriault: [00:28:23] And I guess from the IT standpoint, you know, having to deal with the CEO being a bit flagrant with security must be really frustrating. So I'm wondering - like, I guess, you'd have to sort of impose controls, like multifactor authentication or different ways to kind of have tech in place to just have a tertiary hurdle for the bad guys to get over.

Matthew Gardiner: [00:28:49] Yeah, absolutely. I mean, you want technical controls. You want, you know, awareness training that everyone would take, including the C-level folks. And you want, you know, the classic triumvirate - the business process to be no single point of failure. But on your point of the CEO, a good CEO would say, I'm like everybody else. I should be beholden to the security controls that everybody else is - and probably even some more - but at least what everybody else is.

Carol Theriault: [00:29:14] Right.

Matthew Gardiner: [00:29:15] But it is - you know, if you've been a low-level, mid-level IT or security person, and your CEO is like, I need blah...

Carol Theriault: [00:29:21] Yeah.

Matthew Gardiner: [00:29:22] ...You're lower down the organization. It's hard to push back. So - which is why you sort of need the board of directors, who of course the CEO works for, to have a - kind of a security or risk management function on it. And then have, you know, cybersecurity controls be part of the risk management that they perform. And thus, it - you know, it sort of - the tone at the top that the CEO is responsible for everyone below, and then - and sets the tone at the top and also should have the same rules, or even tighter ones actually, than - as everybody else.

Matthew Gardiner: [00:29:57] And then it becomes the cultural change. You know, the acceptance of these controls, you know, will go up. But it's definitely - it's not easy if you have somebody in that 40 percent that, you know, doesn't value security as much as they should.

Carol Theriault: [00:30:12] So education for CEOs, don't think that you're above it because actually you're a prime target, is what we're saying here.

Matthew Gardiner: [00:30:19] For sure.

Carol Theriault: [00:30:20] Because you have so much access to all the systems, you know, if they get your email. And how embarrassing when you have to announce this, basically make it public, that you may have been breached, and it was your accounts that did it. You know, it came through your account when there's an investigation.

Matthew Gardiner: [00:30:35] Yeah. Yeah. For sure.

Carol Theriault: [00:30:35] Thank you so much, Matthew. This has been really enlightening.

Matthew Gardiner: [00:30:38] My pleasure.

Carol Theriault: [00:30:38] And I hope that there are CEOs out there who are listening to this who are thinking, maybe I should take heed (laughter).

Matthew Gardiner: [00:30:45] Yeah. The understanding and awareness is much higher than it's ever been, but it's still complex. And that's, you know, sort of the frustrating part of security. There is no absolute answer. You just got to improve in all the three areas, you know - the tech, the people and the business processes - and make it all risk-based.

Carol Theriault: [00:31:07] This was Carole Theriault for the CyberWire's "Hacking Humans."

Dave Bittner: [00:31:11] Joe, what do you think?

Joe Carrigan: [00:31:12] I think that was an excellent interview.

Dave Bittner: [00:31:13] Yeah.

Joe Carrigan: [00:31:14] Matthew said something that resonated with me because I mentioned this in - earlier on (laughter) in the podcast today, that many people may not know what a domain is and how to verify a domain.

Dave Bittner: [00:31:23] Right.

Joe Carrigan: [00:31:24] So next week, I think I'm going to talk about that - how to make sure that a link in a - in an email is a valid link or a legitimate link.

Dave Bittner: [00:31:31] Yeah. Right. Right. Some of the things to look out for.

Joe Carrigan: [00:31:32] Correct.

Dave Bittner: [00:31:33] Yeah.

Joe Carrigan: [00:31:33] So I really like his discussion on why CEOs are the weakest link or why 40 percent of people say they are. They are a person in authority. If I can compromise the CEO of a company, then I have the keys to the kingdom.

Dave Bittner: [00:31:46] Right.

Joe Carrigan: [00:31:46] That's great.

Dave Bittner: [00:31:47] (Laughter).

Joe Carrigan: [00:31:48] So - I mean, from an attacker perspective, not great from a humanitarian or other (laughter) one's perspective.

Dave Bittner: [00:31:54] Yeah. Yeah.

Joe Carrigan: [00:31:54] But CEOs may not be too technical, right?

Dave Bittner: [00:31:57] That's true

Joe Carrigan: [00:31:58] They may come from a business background. These companies that get established by technical people, one of the things that happens when they get venture capital funding is they get removed from the CEO position, and someone who is good at managing a business is put in.

Dave Bittner: [00:32:09] Right.

Joe Carrigan: [00:32:10] Right? So the technical person is no longer the CEO. And that is probably OK, right? But the CEO needs to have some kind of understanding. What really struck me is when Matthew was talking about how many CEOs may think that security is an IT problem and not a business problem. And this reminds me of two separate quotes from Bruce Schneier, world-renowned security expert.

Dave Bittner: [00:32:32] Yeah.

Joe Carrigan: [00:32:32] And the first one is security is a process, not a product. OK? So there's no product that IT is going to have that's going to secure your business. And any process is going to involve you, the CEO. And the other quote from Bruce Schneier is if you think technology can solve your security problems, then you don't understand the problems, and you don't understand the technology. So CEOs should be aware of that.

Dave Bittner: [00:32:56] Yeah.

Joe Carrigan: [00:32:57] They should absolutely be aware of that. And they should be thinking about if they have this mindset, then they really need to re-evaluate and understand what the risk is and what the problem is.

Dave Bittner: [00:33:07] Yeah. You know, it's been my experience too, working with various CEOs, that in a lot of cases they're kind of coddled.

Joe Carrigan: [00:33:15] Right. Yeah.

Dave Bittner: [00:33:15] You know, they have people working around them and making - because their time is so valuable that they have people just taking care of all of the little things of the day to day so that they can use their time, you know, the way that it's best used. But that...

Joe Carrigan: [00:33:29] And their time is valuable.

Dave Bittner: [00:33:30] Yes, and that is absolutely true.

Joe Carrigan: [00:33:32] Right.

Dave Bittner: [00:33:32] But it can lead to a sort of - I guess a learned helplessness (laughter).

Joe Carrigan: [00:33:37] A shortcutting of the processes.

Dave Bittner: [00:33:39] Right. Right. And like Matthew said, sometimes you have CEOs who say, I'm not going to do that. I don't have time for that.

Joe Carrigan: [00:33:44] No, you...

Dave Bittner: [00:33:45] I - you know, I don't have time for that. And, well...

Joe Carrigan: [00:33:46] You should not be violating the security process.

Dave Bittner: [00:33:48] Right. Right. Well, if you don't have time for that, do you have time to stand in front of the press and tell everyone why...

Joe Carrigan: [00:33:54] Right.

Dave Bittner: [00:33:55] ...All of your users' personal information has been breached?

Joe Carrigan: [00:33:58] Right, exactly.

Dave Bittner: [00:33:58] Because that's (laughter) where you could end up.

Joe Carrigan: [00:34:00] That's what's going to happen next.

Dave Bittner: [00:34:02] Yeah.

Joe Carrigan: [00:34:02] So I have a friend who used to say when we were working together - he would say that as you move up the corporate structure, your permission should become more and more restrictive. Unfortunately, that's never what happens. But it is what kind of should happen. Maybe the CEO is too busy to worry about these things. Well, maybe the CEO should have somebody, an assistant, who goes through their email who is astute at these kind of things. Those kind of checks can really go a long way to save the CEO time and to provide protection.

Dave Bittner: [00:34:25] Yeah. Some real live human filtering.

Joe Carrigan: [00:34:28] Exactly.

Dave Bittner: [00:34:30] Yeah. All right. Well, that is our podcast. And we want to thank our sponsors, KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:34:59] The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:35:15] And I'm Joe Carrigan.

Dave Bittner: [00:35:16] Thanks for listening.

Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
KnowBe4 Logo
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music
Follow the CyberWire