We follow up on critical feedback of last week's show. Dave describes how online extortionists have pivoted from sex to explosives. We've got an auto-responding catch of the day from one of Joe's colleagues. Guest is Sean Brooks, Director of the Citizen Clinic and a Research Fellow at the Center for Long-Term Cybersecurity at UC Berkeley. He shares their research into online attacks on politically vulnerable organizations.
From our EV certs follow-up:
Bomb threat catch of the day:
Sean Brooks interview:
Sean Brooks: [00:00:00] So there's a huge appetite for direct technical assistance to improve the stability and resilience of civil society's technical systems. And that demand is not necessarily being met.
Dave Bittner: [00:00:13] Hello everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm David Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:32] Hi, Dave.
Dave Bittner: [00:00:33] Later in the show, we've got my interview with Sean Brooks. He's the director of the Citizen Clinic. And he's a research fellow at the Center for Long-Term Cybersecurity at UC Berkeley. He's going to share some of the research they've been doing looking at some of the specific vulnerabilities of politically vulnerable organizations online - pretty interesting stuff. But before we jump into that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:00:59] So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:26] And we are back. Joe, before we get into our stories for today, we've got some follow-up.
Joe Carrigan: [00:01:33] Yep.
Dave Bittner: [00:01:33] We've got someone who is not very happy with us - a...
Joe Carrigan: [00:01:36] Yes.
Dave Bittner: [00:01:36] ...Gentleman named Warren Meyers. This is following up on our interview last week when I spoke with Chris Bailey from Entrust Datacard, and we were talking about EV certs.
Joe Carrigan: [00:01:46] Right.
Dave Bittner: [00:01:47] And Chris was saying how they can help you make sure that you're not going to a lookalike site.
Joe Carrigan: [00:01:53] Correct.
Dave Bittner: [00:01:53] That is an extra level of certification.
Joe Carrigan: [00:01:55] That's right.
Dave Bittner: [00:01:56] So on Twitter, a gentleman named Warren Meyers sent us this feedback. He said, disappointed at misinformation about EV versus DV certs in today's "Hacking Humans" episode. I expect better from the CyberWire. And he said, Troy Hunt eloquently explained why EVs haven't had real value for a long time. And he links to an article by Troy Hunt. Of course, Troy Hunt is probably best known for running the Have You Been Pwned database.
Joe Carrigan: [00:02:22] That's a great service that Troy provides.
Dave Bittner: [00:02:24] A wonderful service for - well, for the world, really.
Joe Carrigan: [00:02:27] Right.
Dave Bittner: [00:02:27] So Troy's certainly respected. And Troy has posted - I guess it's best to label it an opinion piece because there certainly is strong opinions in it. And in this post - we'll have a link to it.
Joe Carrigan: [00:02:39] And I'll say Troy's points are valid.
Dave Bittner: [00:02:41] Yeah. The post is titled "Extended Validation Certificates are Dead."
Joe Carrigan: [00:02:45] I'm not going to agree with that statement. But I'm going to say a lot of the points he makes in the article are valid.
Dave Bittner: [00:02:50] OK. Well, let's walk through them...
Joe Carrigan: [00:02:51] OK.
Dave Bittner: [00:02:51] ...Because I want to make sure that, you know, we give people a fair understanding where we may have come up short or at least what some of the arguments are. Some people are saying that maybe EVs aren't worth it.
Joe Carrigan: [00:03:02] Right.
Dave Bittner: [00:03:02] So what does Troy have to say here?
Joe Carrigan: [00:03:03] So one of the first things he says is that the interface on - particularly on mobile devices - we've talked about this before is that the real estate on a mobile screen is prime real estate.
Dave Bittner: [00:03:12] Right.
Joe Carrigan: [00:03:13] So there's not necessarily the opportunity for the developers of these mobile sites to present you with the extended validation indicator.
Dave Bittner: [00:03:24] OK.
Joe Carrigan: [00:03:24] So they don't show it to you.
Dave Bittner: [00:03:27] Right.
Joe Carrigan: [00:03:27] Additionally, he says that the further iterations of Chrome will not even show you that on the desktop web browser.
Dave Bittner: [00:03:34] Right.
Joe Carrigan: [00:03:34] And he's pointed out correctly that the extended validation interface on Chrome used to be a green interface that would tell you the name of the company. And now it's down to a gray interface. Previously, you and I have talked about this where Chrome has - I - we may have talked about it on the CyberWire instead of on this show. The Chrome developers are changing the interface so that security should be just the standard. And when something's not secure, that's when they'll change the interface to make you aware of it.
Dave Bittner: [00:04:01] Right. Right. Yep.
Joe Carrigan: [00:04:01] OK. But the question is, what are we validating here?
Dave Bittner: [00:04:04] Right.
Joe Carrigan: [00:04:04] We've discussed this before - the lock icon. If it's just the lock icon right now, what that means is that the site you're talking to is using a TLS certificate to encrypt the traffic between the two of you.
Dave Bittner: [00:04:18] Right. And that's what we're talking about when we say a DV cert.
Joe Carrigan: [00:04:20] Correct.
Dave Bittner: [00:04:21] Yeah.
Joe Carrigan: [00:04:21] And if you have an extended validation cert, then they're actually showing you that extended validation cert information in the browser. And in the future, they're just going to show you the lock again. OK? And that's kind of the crux of Troy's argument from reading this article is that because browser interfaces don't display the information in a consistent way that the certs don't have value.
Dave Bittner: [00:04:43] I think he's also making the point that because you have to pay for them, that it might not be worth the money.
Joe Carrigan: [00:04:48] OK. What does it cost? What does it cost?
Dave Bittner: [00:04:51] A few hundred bucks.
Joe Carrigan: [00:04:51] It's a couple hundred dollars.
Dave Bittner: [00:04:52] Yeah. I think it cost us a few hundred bucks to get ours for the CyberWire.
Joe Carrigan: [00:04:55] I think that's worth the money. My opinion is that's worth the money.
Dave Bittner: [00:04:58] Yeah. This strikes me as being - I guess where I take issue is this notion that they're completely worthless.
Joe Carrigan: [00:05:04] Right, exactly. And we certainly never say that there is some kind of silver bullet for security. There isn't. This - and EV certs are no exception.
Dave Bittner: [00:05:14] Yeah.
Joe Carrigan: [00:05:15] They are another tool in your toolbox that you can use to verify yourself. Now, a couple of things - number one, just because something doesn't have universal value doesn't mean it doesn't have value, OK? And the fact that these web browser designers are taking away these interfaces does not mean that at some point in time in the future, they won't be putting them back.
Dave Bittner: [00:05:34] Well, these EV certs have been around for nearly a decade, right?
Joe Carrigan: [00:05:37] Yes.
Dave Bittner: [00:05:37] Yeah. Yeah, that's the other thing. I mean, it strikes me as - it's that old saying, don't let the perfect be the enemy of the good.
Joe Carrigan: [00:05:44] I agree 100 percent.
Dave Bittner: [00:05:45] Yeah.
Joe Carrigan: [00:05:45] So this reminds me of people who say that SMS two-factor authentication is worthless. SMS two-factor authentication does have its vulnerabilities. Someone can do a SIM swap. If they have enough information about you to call your mobile provider...
Dave Bittner: [00:05:58] Right.
Joe Carrigan: [00:05:58] They can convince them to change your number to a different SIM or if they're well-equipped, they can intercept your text messages.
Dave Bittner: [00:06:05] But it's better than...
Joe Carrigan: [00:06:06] But it's...
Dave Bittner: [00:06:06] ...Not having anything.
Joe Carrigan: [00:06:07] It's exponentially better than nothing.
Dave Bittner: [00:06:08] Right.
Joe Carrigan: [00:06:09] It's way better than nothing.
Dave Bittner: [00:06:10] Yeah. Look, there are some good points that folks have made here. I'm glad that people pointed this out to us. We will have a link to Troy Hunt's article. I did reach back out to Chris Bailey from last week. And he said he certainly respects Troy. And Troy's entitled to his opinion. But, you know, there's a lot of data about, particularly, the DV certificates, about how many of those are being used in phishing attempts.
Joe Carrigan: [00:06:32] He sent us a link to an article, which we should probably also put in the show notes, from the Certificate Authority Security Council...
Dave Bittner: [00:06:38] Yeah.
Joe Carrigan: [00:06:38] ...Who are, I guess - it's a council of people who sell these certificates. But some of the data they showed was that there are twice as many certificates for spoofing sites as there are for legitimate sites.
Dave Bittner: [00:06:49] Right - of the DV type...
Joe Carrigan: [00:06:51] Right.
Dave Bittner: [00:06:51] ...DV certificates.
Joe Carrigan: [00:06:52] Exactly.
Dave Bittner: [00:06:52] Yeah.
Joe Carrigan: [00:06:52] So what that means is for every certificate that Amazon has, there are two spoofing sites out there with certificates that are not extended validation certificates.
Dave Bittner: [00:07:01] Yeah. There's more to this story than we had shared in our last episode. So for that, we apologize. Like I said, we'll have links to Troy Hunt's story, so please do check that out. Make up your own mind. See if you agree with Troy. Does he make a good case for it or do you agree with our guest last week, Chris Bailey, that EVs still have value? So again, thanks to Warren Meyers for bringing this up and continuing the conversation. We always appreciate it when people bring these sorts of things to our attention.
Joe Carrigan: [00:07:30] Yep.
Dave Bittner: [00:07:31] We want to get these things right. We want to do our best. And if we come up short, we want you to let us know.
Joe Carrigan: [00:07:35] And truth emerges from the clash of ideas.
Dave Bittner: [00:07:37] There you go (laughter). All right. Let's move on to our next story here. Joe, this was sent in by a listener. I was originally going to make this one our Catch of the Day. But the more I thought about it, there's really nothing funny about it. This builds off of some of the sextortion scams that...
Joe Carrigan: [00:07:53] Oh.
Dave Bittner: [00:07:53] ...We've been talking about recently. But these folks take it to the next level by switching gears and making it a bomb threat.
Joe Carrigan: [00:08:00] Great.
Dave Bittner: [00:08:01] Here's the crux of it. I'll read the email that's been going around. It says - the title of the email is, Your Building is Under my Control. It says, good day. There is the explosive device, hexogen, in the building where your business is located. My recruited person constructed a bomb according to my guide. It is compact and hidden very carefully. It is impossible to destroy the structure of the building of my bomb. But in case of its detonation, you will get many victims. And it goes on.
Dave Bittner: [00:08:28] Basically, what they're demanding is $20,000 in bitcoin. They include a bitcoin address. And it's the standard thing here. If you don't do this, we will blow up the building. People will die. I'm monitoring my bitcoin wallet. I guess there is one sort of funny thing in this in that it's so absurd. The last thing in the email says, if the explosive device blows up and the authorities see this email, we are not terrorists and do not assume any liability for explosions in other buildings.
Joe Carrigan: [00:08:56] (Laughter).
Dave Bittner: [00:09:00] What? Yeah.
Joe Carrigan: [00:09:03] Oh, OK. Good (laughter).
Dave Bittner: [00:09:03] Right.
Joe Carrigan: [00:09:03] That's a load off my mind. I'm glad I'm not dealing with terrorists.
Dave Bittner: [00:09:06] Yeah, so obviously, despicable.
Joe Carrigan: [00:09:09] Yeah, absolutely.
Dave Bittner: [00:09:10] This is making the rounds. I did a little digging this morning as we go to record this. It's getting quite a bit of notice, making its way around the world. It seems to be fairly widespread. People are...
Joe Carrigan: [00:09:18] Yeah, it was in The Wall Street Journal this morning.
Dave Bittner: [00:09:20] People are getting it all over the world. They seem to be sending these out from captured email addresses. So they've taken over someone else's account, and that's how they're sending it out, hoping that they're not going to be traced back to them.
Joe Carrigan: [00:09:31] Right.
Dave Bittner: [00:09:31] They don't seem to be making much money. People are not falling for it.
Joe Carrigan: [00:09:34] Good.
Dave Bittner: [00:09:34] People have been watching the bitcoin address and - doesn't seem like people are going for it, which is interesting from a social engineering point of view in that we saw the sextortion ones were getting a lot of money.
Joe Carrigan: [00:09:45] Yes.
Dave Bittner: [00:09:45] Is this a bridge too far? Is this so extreme that they think it's absurd?
Joe Carrigan: [00:09:51] Yeah. I think that may be a good point or that because the sextortion one - this is obviously a variant of the sextortion email. Now...
Dave Bittner: [00:09:59] Yeah.
Joe Carrigan: [00:09:59] I'll tell you my wife got one of those sextortion emails and forwarded it to me. And I looked at the bitcoin address on some website that tracks this. And nobody had sent that address any money. Zero bitcoin had been put into it. So...
Dave Bittner: [00:10:11] Yeah. I know some of them did, though. I know - we saw...
Joe Carrigan: [00:10:14] Early on, yes.
Dave Bittner: [00:10:14] Yeah.
Joe Carrigan: [00:10:15] Some of them did, exactly.
Dave Bittner: [00:10:16] Yeah.
Joe Carrigan: [00:10:16] This was a fairly recent development that my wife received this email.
Dave Bittner: [00:10:19] Gotcha.
Joe Carrigan: [00:10:19] You know, it was within the past couple of weeks. And she was like, what is this?
Dave Bittner: [00:10:22] So maybe that one ran its course.
Joe Carrigan: [00:10:24] Yeah, I think that one's run its course. So I think people have kind of been inoculated against this kind of thing. So I'm glad to see that these bomb threats are not getting the kind of traction that the early sextortion ones...
Dave Bittner: [00:10:33] Yeah, yeah. The other thing, though, that I think makes this particularly despicable is that there have been organizations who have shut down out of an abundance of...
Joe Carrigan: [00:10:43] Yeah, out of an abundance of caution.
Dave Bittner: [00:10:44] ...Of caution.
Joe Carrigan: [00:10:44] They've evacuated the building.
Dave Bittner: [00:10:45] They've evacuated buildings.
Joe Carrigan: [00:10:46] They probably called in the bomb squad.
Dave Bittner: [00:10:47] Yeah.
Joe Carrigan: [00:10:47] That is just a huge waste of resources.
Dave Bittner: [00:10:49] Right. For the bad guys, boy, one way to catch the attention of international law enforcement agencies...
Joe Carrigan: [00:10:56] Right.
Dave Bittner: [00:10:56] ...Is by threatening the loss of life and property.
Joe Carrigan: [00:10:59] Yeah.
Dave Bittner: [00:11:00] So while I could see law enforcement, you know, taking, perhaps, a lesser notice of somebody being scammed out of a sextortion thing, they can't really ignore this one (laughter).
Joe Carrigan: [00:11:10] No, this one's going to - this one's going to require a lot of attention.
Dave Bittner: [00:11:13] Yeah.
Joe Carrigan: [00:11:13] And hopefully, they'll resolve this one.
Dave Bittner: [00:11:15] Yeah. It's an interesting evolution. And hopefully, they'll nip this one in the bud and - particularly, if they don't make any money off of it. Hopefully, it's not one we'll see a repeat of.
Joe Carrigan: [00:11:23] Right.
Dave Bittner: [00:11:24] All right, Joe, it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:31] Joe, you've got our Catch of the Day this week. What do we got?
Joe Carrigan: [00:11:34] Dave, this one comes from one of my co-workers. We'll call him Sean.
Dave Bittner: [00:11:36] OK.
Joe Carrigan: [00:11:37] He received an email and noticed the message was inauthentic right away because it wasn't coming from the proper email address. Gmail has a relatively new feature that lets you have automated responses. I have Gmail. And when I receive an email, I have, like, three responses at the bottom. I can just click on those buttons, and it will automatically reply with that response.
Dave Bittner: [00:11:55] Oh, OK. Right.
Joe Carrigan: [00:11:55] So sometimes, the response is, hey, that sounds great or, no, I can't make it - those kind of things.
Dave Bittner: [00:12:00] So on-the-fly quick responses.
Joe Carrigan: [00:12:01] On-the-fly quick responses with the click of a button. So Sean says to himself, I wonder what will happen if I respond to this scammer with nothing but these automated replies.
Dave Bittner: [00:12:10] OK (laughter).
Joe Carrigan: [00:12:11] Now I have this written out here like a script. Do you want to be the scammer, or do you want to be Sean?
Dave Bittner: [00:12:15] I'll be the scammer.
Joe Carrigan: [00:12:16] OK.
Dave Bittner: [00:12:16] All right. Here we go.
Joe Carrigan: [00:12:17] Here's how it goes.
Dave Bittner: [00:12:18] It goes like this.
Dave Bittner: [00:12:19] Are you available on campus?
Joe Carrigan: [00:12:21] Yes. What's up?
Dave Bittner: [00:12:22] I'm in a meeting right now, and that's why I'm contacting you through here. I should've called you, but phone is not allowed to be used during the meeting. I don't know when the meeting will be rounding off, and I want you to help me out on something very important right away.
Joe Carrigan: [00:12:34] OK. No problem.
Dave Bittner: [00:12:35] I need you to help me get iTunes gift cards from the store. I will reimburse you back when I get back to the office.
Joe Carrigan: [00:12:42] OK. I will.
Dave Bittner: [00:12:43] I need to send it to someone, and it is very important. I'm still in a meeting, and I need to get it sent right away. It's one of my best friend's son's birthdays. The amount I need you to get right now is $500. Five by $100 I'll be reimbursing back to you. I need physical cards, which you are going to get from the store. When you get them, scratch it and take pictures of the cards and attach it to this email. Then send it to me here, OK?
Joe Carrigan: [00:13:06] Thank you. I will do that. And then Sean sent another message that says, where do I get them?
Dave Bittner: [00:13:11] At the store.
Joe Carrigan: [00:13:11] I'm here.
Dave Bittner: [00:13:12] Are you at the store now?
Joe Carrigan: [00:13:13] Yes, I'm here.
Dave Bittner: [00:13:14] The amount I need you to get right now is $500. I'll be reimbursing back to you. I need physical cards, which you are going to get from the store. When you get them, scratch it and take pictures of the cards and attach it to this email. Then send it to me here, OK?
Joe Carrigan: [00:13:26] Thank you. I will do that.
Dave Bittner: [00:13:27] OK. Have you get it?
Joe Carrigan: [00:13:28] No, I didn't get it.
Dave Bittner: [00:13:30] I am in need of if right away. Let me know if you are able to get this done.
Joe Carrigan: [00:13:33] Yes, I can help you.
Dave Bittner: [00:13:35] Are you get it done now?
Joe Carrigan: [00:13:36] Yes, it's done.
Dave Bittner: [00:13:37] Send it to me, please.
Joe Carrigan: [00:13:38] Did you get it?
Dave Bittner: [00:13:38] No.
Joe Carrigan: [00:13:39] Why?
Dave Bittner: [00:13:39] Have not seen any image.
Joe Carrigan: [00:13:41] I just resent it.
Dave Bittner: [00:13:42] How much did you get?
Joe Carrigan: [00:13:43] I'll have to look.
Dave Bittner: [00:13:44] OK. You just need to take a picture of it, please. Are you here with me?
Joe Carrigan: [00:13:47] Yes, I'm here.
Dave Bittner: [00:13:48] Help me with the card.
Joe Carrigan: [00:13:49] What do you need?
Dave Bittner: [00:13:49] I need the iTunes cards.
Joe Carrigan: [00:13:51] How many do you need?
Dave Bittner: [00:13:52] Five hundred dollars. Are you with please?
Joe Carrigan: [00:13:54] No. Why?
Dave Bittner: [00:13:55] So you can help me out of this.
Joe Carrigan: [00:13:56] Yeah, I can.
Dave Bittner: [00:13:57] OK, what is going on?
Joe Carrigan: [00:13:59] Nothing much. You?
Dave Bittner: [00:14:00] What of $100 iTunes cards?
Joe Carrigan: [00:14:02] What do you mean?
Dave Bittner: [00:14:03] About the cards.
Joe Carrigan: [00:14:04] I have them.
Dave Bittner: [00:14:04] OK. You can write it out for me.
Joe Carrigan: [00:14:06] No, I can't.
Dave Bittner: [00:14:07] OK, taking care of yourself.
Joe Carrigan: [00:14:09] No, I can't.
Dave Bittner: [00:14:10] And that's where it ends.
Joe Carrigan: [00:14:12] This is so brilliant.
Dave Bittner: [00:14:15] One of the things I love about this is that really all it took on Sean's part was just...
Joe Carrigan: [00:14:18] Pushing a button.
Dave Bittner: [00:14:18] ...Tapping the screen - right - to just string him along.
Joe Carrigan: [00:14:22] Sean sent me the entire email conversation, and the time stamps are, like, four hours long.
Dave Bittner: [00:14:28] (Laughter).
Joe Carrigan: [00:14:28] This went on for four hours.
Dave Bittner: [00:14:29] Right.
Joe Carrigan: [00:14:30] This is positively brilliant. Good work, Sean.
Dave Bittner: [00:14:33] Yeah, nice. Wasting the time of a scammer...
Joe Carrigan: [00:14:35] Scam baiting is...
Dave Bittner: [00:14:36] All right.
Joe Carrigan: [00:14:36] ...Great fun.
Dave Bittner: [00:14:37] Well done, Sean. And that is our Catch of the Day. Coming up next, we've got my interview with Sean Brooks. He's the director of the Citizen Clinic, and he's a research fellow at the Center for Long-Term Cybersecurity at UC Berkeley. We're going to be talking about some of the work they've done looking at politically vulnerable organizations online. But before we jump into that, a quick word from our sponsors at KnowBe4.
Dave Bittner: [00:15:00] And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call SMiShing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:15:48] Joe, we are back. I recently had the pleasure of talking to Sean Brooks. He's the director of the Citizen Clinic at UC Berkeley. They recently published some research looking at politically vulnerable organizations. And it turns out that they are particularly vulnerable to social engineering scams. Interesting stuff. So here's my conversation with Sean Brooks.
Sean Brooks: [00:16:08] One of the things that we noticed as we reviewed many years of documented reports and attacks on civil society organizations and as we spoke to members of targeted politically vulnerable organizations and communities themselves was that the general concerns about what types of cyberattacks they'll face are not things that are highly sophisticated zero-day malware attacks. Certainly, we have seen that in the wild. Organizations like Citizen Lab at University of Toronto have done some incredible research exposing some very, very technically sophisticated attacks on civil society organizations. But generally if you want to attack a nonprofit or a member of one of these politically vulnerable groups, you don't need a million-dollar zero-day exploit to accomplish your goals.
Sean Brooks: [00:16:56] So what we tend to see is a lot of phishing attacks - things that exploit low technical sophistication. Attacks - because most of the systems that civil society organizations rely upon are often out-of-date. They don't have advanced authentication mechanisms. They share a lot of accounts across a number of people within the organization - lots of sort of violations of cybersecurity best practices that you see better adopted in the private sector and in government. And that's because these organizations are significantly budget constrained, right? So all of their systems have to be mission-oriented, and cybersecurity is generally seen in civil society much like it was in the private sector 10 years ago. It's just sort of a cost center.
Sean Brooks: [00:17:38] And a lot of these politically vulnerable organizations don't quite know how to make the connection between their mission priorities and spending on sort of the overhead and infrastructure that really is required for cybersecurity. So a lot of the attacks that we see, therefore, are sort of low technical sophistication. But we do see some very high social engineering sophistication, in fact much higher often than you'll see deployed against harder targets in the private sector or in government. And that's because in many instances, the attackers often belong to the security services of a government or the intelligence organizations within a government - bodies that are much more sophisticated in their practices around developing manipulation of targets.
Sean Brooks: [00:18:29] So you see - when you have a giant intelligence body targeting a small nonprofit, it's not necessarily surprising that they would use a phishing attack that contains a lot of highly targeted details about that individual's personal life, whether it be their families or their colleagues or their work schedules.
Dave Bittner: [00:18:48] Yeah. It seems like it's not really a fair fight - the resources that both sides bring to bear.
Sean Brooks: [00:18:54] Certainly not. And that was one of the core motivations for this research, which is if these attacks are becoming more common and if we consider in a world of what many members of civil society have called closing spaces or the increasing number of authoritarian regimes and more frequent repressions of free speech around the world, then the scope of the concern becomes the health of global civil society. And if this asymmetry between the attackers and the targets is maintained, what does that mean about the ability of civil society to operate online? And the internet has been an incredible tool for nonprofits. Certainly, you know, in - everything I've just said might lead you to believe that advocacy organizations and activists and human rights defenders - these organizations are not necessarily sophisticated users of the internet. But I think the opposite is true.
Sean Brooks: [00:19:48] These organizations have done incredible things to pursue their mission and amplify the magnitude of their message by using the internet and reaching a global community of individuals and communities interested in things like defending human rights or environmentalism, what have you. But that embracing of the internet as a critical function to pursue their mission has opened them up for a whole new host of attacks. And it is very hard for them to build in both the organizational capacity, in terms of skills and knowledge and practices, as well as the costs associated with securing their systems in a way that repels these attackers.
Dave Bittner: [00:20:32] So what are some of the take-homes from the report? What recommendations do you make? How can these organizations do a better job, and how can the rest of society step up to make sure that they're getting the attention they deserve?
Sean Brooks: [00:20:45] I think there's a couple of big learnings that we had from the report. One is that there is an entire ecosystem that has sprung up to support civil society organizations against online attacks. And the mechanisms by which these assistance organizations operate are pretty varied. We see a lot of concentration in advocacy and legal support for these organizations. So organizations that you're probably familiar with - like the Electronic Frontier Foundation, the ACLU, Amnesty International - all have major support mechanisms that advocate for policies and legal protections for organizations and individuals that might be targeted online for political purposes.
Sean Brooks: [00:21:24] There's also an increasing number of reduced price or free services being made available from the advocacy community or from large companies. Google's Project Shield, Cloudflare's Project Galileo. The CrowdStrike Foundation is making their antimalware and threat intelligence services available for nonprofits. So we see an increasing number of cybersecurity services available at prices that are more affordable for nonprofits. We also see an increasing amount of data being available from research institutions about just trying to expose the nature of these attacks.
Sean Brooks: [00:21:59] But one of the weakest forms of assistance that is available - and by weakest I mean one of the least available forms of service - is sort of direct technical assistance. So in many of these civil society organizations that are being attacked, many don't have any technical staff on board. And if they do, the odds that they have a - any background in cybersecurity specifically are very, very low. I think the average nonprofit - and that includes things like hospitals - needs, I think, something like 14 staff members before they get one technical staff member. And only one individual within the broader IT skillset in the world has any cybersecurity knowledge at all. So the odds that you get someone on staff in your small nonprofit that knows anything about defending systems against sophisticated technical attacks is pretty low. So there's a huge appetite for direct technical assistance to improve the stability and resilience of civil society's technical systems. And that demand is not necessarily being met.
Sean Brooks: [00:23:02] Organizations like Access Now and Front Line Defenders, Tactical Tech - a number of organizations have set up emergency support systems. So if your organization is under attack right now, they can come in and help resolve some of your systems. But getting sort of the longer term support that exists over many years - a real partnership that can help your organization build up its own capacity to be resilient against cyberattacks is pretty hard to find.
Dave Bittner: [00:23:31] Yeah, it's interesting. I mean, it strikes me as being kind of like, you know, treating illness in the emergency room rather than having ongoing access to good medical services.
Sean Brooks: [00:23:41] That's exactly right. So one of our key recommendations from the report is that new models to build on the existing community of assistance are needed to improve not only the broader awareness within the community of these issues because working with a small NGO is not like working with a client in the private sector or a large government agency. The recommendations that you would make are not the same, even if the attack vectors look very similar.
Sean Brooks: [00:24:09] And I can give kind of an example about that. Nonprofits don't necessarily have a robust risk management process in place like you would expect from, again, a government agency or a large company. Therefore, their ability to consider these issues systemically and therefore make purchasing and funding decisions about them in a way that is highly risk-oriented is lessened. So a big part of the capacity that the assistance community needs to bring to the table is helping these organizations prioritize.
Sean Brooks: [00:24:37] And that prioritization process needs to take into account the core mission of a nonprofit because if you make a recommendation to a civil society organization that, hey, you're at risk for targeted cyberattacks, all of your staff members should take their personal information off the internet so that it's harder to find them. Well, if part of the core services that this nonprofit provides is direct individual outreach to a vulnerable community, then that staff needs to be available and, in many cases, needs to be personally available because of the trust networks that civil society relies on to operate.
Sean Brooks: [00:25:12] So if cybersecurity professionals are not understanding the nuances of civil society's work and particularly work with politically vulnerable organizations and populations, then they're not going to be able to provide the most practical advice to organizations that are going to be really restrained in the amount of time, energy and money they can spend on cybersecurity issues.
Dave Bittner: [00:25:34] And what are you all doing there at Citizen Clinic? Describe to me your efforts there.
Sean Brooks: [00:25:38] So the Citizen Clinic came out of this research as our attempt to address some of these issues. The Citizen Clinic is a course we're offering at UC Berkeley that takes in master's students, Ph.D. students and even a couple of exceptional undergrads to provide cybersecurity to these politically vulnerable organizations. We accept students from any program at UC Berkeley as long as they have a demonstrated interest because we - as I mentioned, understanding the context in which our clients work is a critical part in being able to support their security.
Sean Brooks: [00:26:12] So we have students from the Berkeley public policy program, the law program, computer science and engineering as well as anthropology and sociology. We're looking at getting students in from the journalism school, the language programs. We need everybody. And the goal is to get these students mixed into interdisciplinary teams so that they can understand the context of the client organizations that we work with and provide them technical cybersecurity assessments, recommendations and then help deploy some of the technical controls and policy controls that they think are most needed by our clients.
Sean Brooks: [00:26:47] And then we work with our client organizations not just over the course of one semester but many years with student teams passing off the work to one another and students. Some students will stay with the class multiple semesters and will have a relationship with our clients hopefully over the long term to provide them true capacity-building services and not just one-off - hey, we're going to set up multifactor authentication this time, but we want to come back in six months and say, hey, we did this deployment of MFA to all your staff. How's it going? Did people keep it turned on for critical accounts? As you've adopted new technology services, have you continued to adopt strong authentication measures, things like that.
Dave Bittner: [00:27:29] Joe, what do you think?
Joe Carrigan: [00:27:30] Well, Dave, again, we're seeing that the most cost-effective targets of these organizations are the people - rarely do you see million-dollar exploits, zero-day exploits being used on a nonprofit organization.
Dave Bittner: [00:27:40] Right.
Joe Carrigan: [00:27:41] It's just easier to call in or send an email in with some malicious software or a phishing attack and get into the network.
Dave Bittner: [00:27:48] Yeah, interesting that the way these organizations tend to be organized...
Joe Carrigan: [00:27:52] Right.
Dave Bittner: [00:27:52] ...That they don't have the technical sophistication that perhaps other organizations do.
Joe Carrigan: [00:27:56] Right. Well, economics, again, are at the root of the problem.
Dave Bittner: [00:27:59] Right.
Joe Carrigan: [00:27:59] These organizations have very limited resources, and thus they feel they need to spend all their money for tech budgets on tools that actually help them accomplish their mission.
Dave Bittner: [00:28:07] Yeah.
Joe Carrigan: [00:28:08] That's a good takeaway point. And I mean, obviously, they should be spending some kind of money on security. But you know, I understand their predicament. Their resources are very limited. Their resources are coming from, a lot of times, from charitable organizations - charitable donations, rather...
Dave Bittner: [00:28:24] Right.
Joe Carrigan: [00:28:24] ...Or maybe from government funding or something. And they have to be accountable to their donors and their funders. So if you want to give money to a nonprofit, you can go out and look on all these charity rating websites that tell you how many pennies from every dollar make it to the end recipient. And spending money on security will lower that number, and that's not good for a nonprofit. So I understand their position.
Dave Bittner: [00:28:43] Seems like there's an educational component where we need to get the word out to the funders...
Joe Carrigan: [00:28:47] Right.
Dave Bittner: [00:28:48] ...That money spent on cybersecurity might be money well spent...
Joe Carrigan: [00:28:51] Right, exactly.
Dave Bittner: [00:28:51] ...They shouldn't hold that against an organization.
Joe Carrigan: [00:28:54] Yeah, especially if they're keeping all kinds of personal data, particularly on vulnerable populations.
Dave Bittner: [00:28:57] That's a really good point. All right. Well, again, thanks to Sean Brooks for joining us. We'll have a link to the work that they're doing in the show notes if you want to check that out. Thanks to all of you for listening.
Dave Bittner: [00:29:08] And of course, thanks to our sponsors KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:29:24] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:29:32] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:49] And I'm Joe Carrigan.
Dave Bittner: [00:29:50] Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.