podcast

Images are the language of the brain.

Dave outlines a church donation scam. Joe shares reporting from Ars Technica on romance scams coming out of Africa. The catch of the day is courtesy of London comedian James Veitch Our guest is Garry Berman from Cyberman Security who's developed a cyber security comic book series to help raise awareness.

Links to this week's stories:

Transcript

Gary Berman: [00:00:00] Images are the language of the brain. 

Dave Bittner: [00:00:04]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:23]  Hi, Dave. 

Dave Bittner: [00:00:23]  We've got some good stories to share this week. And later in the show, we're joined by Gary Berman. He's from an organization called CyberMan Security. He's got an interesting origin story on how he came to set his sights on helping people be safer online. But first, a word from our sponsors at KnowBe4. 

Dave Bittner: [00:00:43]  So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us and we'll have some insights from our sponsor KnowBe4 that puts it all into perspective. 

Dave Bittner: [00:01:04]  And we are back. Joe, I'm going to kick things off for us this week. My story comes from a listener named Kevin. He works in tech, but he's also treasurer of a small church in Silicon Valley. And he recently thwarted an attempted scam at his church where someone was sending some emails pretending to be the pastor, and they were asking church staff to make payments. 

Joe Carrigan: [00:01:26]  We've seen this before. 

Dave Bittner: [00:01:27]  We have indeed. And so as one of the organization's tech guys, he decided he was going to follow up with a note to the congregation about some of the scams that target houses of worship. 

Joe Carrigan: [00:01:39]  Right. 

Dave Bittner: [00:01:39]  And when he was doing his research, he came across a particular donation scam that he sent in to us. 

Joe Carrigan: [00:01:45]  OK. 

Dave Bittner: [00:01:45]  So this is from a website called churchlawandtax.com, written by two gentlemen, Mike Batts and Danny Johnson, and it's called "What to Know About a New Donation Scam." And this is how it works. Imagine that you are working at the church. Let's say you are, for example, the church treasurer, minding your own business. And you get a call from someone who's a member of the church. And they call and they say that they recently made a donation to the church in the amount of $5,000. 

Joe Carrigan: [00:02:13]  Right. 

Dave Bittner: [00:02:14]  But they made a mistake. They did it online, and they meant for it to be $50. 

Joe Carrigan: [00:02:19]  Right. 

Dave Bittner: [00:02:19]  And this person pleads for a refund for the difference. He says he's on a fixed income, and this $5,000 is going to be hard for him. And, of course, you want to do the right thing. You want to help this person out. 

Joe Carrigan: [00:02:31]  Sure. 

Dave Bittner: [00:02:31]  He's a member of your church. So you go and you refund the difference. 

Joe Carrigan: [00:02:36]  Well, the first thing I'd do is check for a $5,000 donation from this guy. 

Dave Bittner: [00:02:39]  You are absolutely correct. And when you do that, you see that, yes, indeed there was a $5,000 donation from this person... 

Joe Carrigan: [00:02:46]  OK. 

Dave Bittner: [00:02:46]  ...A new donor. 

Joe Carrigan: [00:02:47]  OK. 

Dave Bittner: [00:02:47]  So you go through and you refund the difference - so in this case, $4,950. You refund... 

Joe Carrigan: [00:02:54]  Right. 

Dave Bittner: [00:02:54]  ...And you think your job is done here, and off you go. 

Joe Carrigan: [00:02:57]  That's right. 

Dave Bittner: [00:02:58]  Well, a couple days later, you get a notice from the bank that the original $5,000 gift from this person was rejected due to insufficient funds in the account, so the original gift of $5,000 is debited from your organization's account as a chargeback. You try to call this person back. 

Joe Carrigan: [00:03:16]  And there's nobody there. 

Dave Bittner: [00:03:17]  There's nobody there - not a working number. And so at the end of the day, you've been scammed. You issued a refund for $4,950... 

Joe Carrigan: [00:03:26]  Right. 

Dave Bittner: [00:03:27]  ...Out of a $5,000 contribution that you never actually got. 

Joe Carrigan: [00:03:30]  That's right. 

Dave Bittner: [00:03:31]  So these fraudsters are taking advantage of, I guess, some of the built-in delays and peculiarities of the banking system. 

Joe Carrigan: [00:03:40]  Right, and the good nature of people who tend to run churches. 

Dave Bittner: [00:03:43]  Right. 

Joe Carrigan: [00:03:43]  Right. 

Dave Bittner: [00:03:44]  Exactly. 

Joe Carrigan: [00:03:44]  So I guess the only way to avoid this kind of scam when you see this happening is to say, we'll happily refund you the money once it's cleared our accounts. And you wait for the couple of days. 

Dave Bittner: [00:03:55]  One of the things that the authors of this article point out - and they are attorneys. They work for a law firm called Batts Morrison Wales & Lee, a law firm out of Orlando, and they make a point that nonprofit organizations are not at liberty to simply refund contributions upon a donor's request. He says, imagine a donor giving a large gift, the organization using the gift to pay for a significant initiative... 

Joe Carrigan: [00:04:20]  Right. 

Dave Bittner: [00:04:21]  ...And the donor subsequently asking for a refund. Once you get that donation, there has to be a deliberate process by which the refund is granted. They make the suggestion that maybe there should be a committee or something like that, even though, obviously, in this case, they're just trying to do the right thing and... 

Joe Carrigan: [00:04:37]  Right. 

Dave Bittner: [00:04:37]  ...Trying to help someone out who, from their point of view, made an honest mistake. You've got to slow down. How many times do we say that? 

Joe Carrigan: [00:04:43]  A lot. 

Dave Bittner: [00:04:43]  Slow down. 

Joe Carrigan: [00:04:44]  We say that a lot. Slow down. 

Dave Bittner: [00:04:45]  Slow down. 

Joe Carrigan: [00:04:46]  That's one of the tactics of these scammers - is to try to make it urgent and to short-circuit your thinking and to get you to react without going through the proper processes. 

Dave Bittner: [00:04:54]  Yeah. So that's my story. Thanks, Kevin, for sending that in to us. Joe, what do you have this week? 

Joe Carrigan: [00:04:59]  I have a story from Sean Gallagher at Ars Technica. And recently, Twitter's security team has been tracking a large number of fraudulent accounts coming out of Africa, and a lot of them are romance scammers. So there are thousands of accounts involved in the ongoing campaign. Many of these accounts have been suspended by Twitter 'cause Twitter, you know, kind of looks out for these things. 

Dave Bittner: [00:05:21]  Right. 

Joe Carrigan: [00:05:21]  But that doesn't put a dent in their activity. They just go set up a new account, and they run new scams. And Sean has been gathering some anecdotal data from a number of such accounts as they've attempted to lure him in for these attacks, right? These scammers follow an easy-to-spot pattern if you're familiar with it, but the scale of these efforts goes far beyond what you'd expect in recognizable cons. And it suggests that there's a high level of sophistication going on here. Sean says getting in touch with these fake accounts isn't hard. He gets about three direct message requests per week, and they start with a simple hi. They claim to be, of course, women because he is a man... 

Dave Bittner: [00:05:57]  Right. 

Joe Carrigan: [00:05:57]  ...And that is the assumption - that he's going to be interested in women. 

Dave Bittner: [00:06:00]  Yeah. 

Joe Carrigan: [00:06:00]  And they just want to chat and make friends. He says what's interesting about this is they're often slow-moving. So unlike the scam we heard about earlier where people are trying to get you to move fast, these guys are trying to get you to move slow. But Sean thinks this is probably because the people on the other end are involved in a large number of scams - that they can't pay attention to everybody at the same time, so they're twitching off. And they follow this familiar process we've seen before where they harvest images from various social media sites, and then they create a persona that's believable. This image-harvesting, where they take people's real images, has happened to a French guy so much that there's a Facebook page that is all of the scams that have used his images, right? And you look at the Facebook page, and the guy is a very good-looking guy. I imagine that they use his images because they are effective. Sometimes, they set up the account with the same name as the person from whom they stole the images. And Sean confronted one of these scammers and said, hey, you have this account over here as well. The scammer said something very clever. They said, oh, that was an account that was set up by my ex-husband, which is interesting - right? - 'cause that's plausible. 

Dave Bittner: [00:07:09]  Yeah. 

Joe Carrigan: [00:07:09]  Sean does something very clever here. He sends this person a bit.ly link which leads to a web page that Sean controls, and that means that Sean has access to all the log files. And he finds out the person is in - take a guess. 

Dave Bittner: [00:07:22]  Oh, I'm going to go out on a limb here. Let me just take a wild guess here and say Nigeria. 

Joe Carrigan: [00:07:29]  Ding, ding, ding, ding - Nigeria. 

Dave Bittner: [00:07:30]  Wow. 

Joe Carrigan: [00:07:31]  Right. He has some pictures in the article of multiple conversations, and it's really good. But it's interesting to watch this. And of course, there are the standard signs that we've talked about a number of times here, but people need to always be aware of this. So if you're a new listener to the show, look for these signs on a Twitter account that is talking to you about just wanting to be friends. They'll have a limited number of social media posts - OK? - on any platform that they have. So on Twitter, they'll have, like, maybe just a couple of retweets. They'll tweet out the photos that they've stolen from the other person. It won't look exactly right. It'll be a relatively new account. That's another key indicator. They'll have very few followers, and many of their followers will be other scam accounts or other people that they're trying to scam, which is an interesting dynamic here. And finally, the most telling tale that you're dealing with a scammer is they will try to move the conversation off of Twitter because they know that Twitter is gunning for these accounts, and they know that their account is going to be shut down. 

Dave Bittner: [00:08:26]  Oh, interesting. Yeah. 

Joe Carrigan: [00:08:26]  So they'll take it to another place where the account is less likely get shut down because it's not really a social media account. And in Sean's case, they always wanted to move the discussion to either Google Hangouts or to WhatsApp. That should be a huge red flag whenever you're dealing with somebody on social media who is indicating to you that they want a deeper relationship. If they want to move it off the site, chances are that they're afraid that their account's going to get shut down because the hosting site is going to realize this is a nefarious account. And this happens a lot on dating apps. It happens on Facebook. It happens, of course, on Twitter, like we're talking about. But it will not happen on sites that are not necessarily social media, like WhatsApp, which is a secure communications app, and Hangouts, for which the user just needs a Google account. 

Dave Bittner: [00:09:09]  To move your conversation to somewhere else should be a red flag, so... 

Joe Carrigan: [00:09:14]  Absolutely. I agree with that 100%. 

Dave Bittner: [00:09:16]  All right. It's time to move on to our Catch of the Day. 

0:09:20:(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:09:23]  Joe, a listener sent this to us. This is actually about a London-based comedian. His name is James Veitch, and he spent a couple of years replying to spam emails. And he compiled the conversations into a book, which you can find on Amazon. We'll have a link to the book in the show notes. And this is one of the exchanges that James had with one of the Nigerian scammers. Joe, I'm going to ask you to play the part of the Nigerian, and I will play the part of James. It sounds a little like this. 

Joe Carrigan: [00:09:56]  (Reading) Dear friend, my name is John Kelly. I am 59 years old man. I am in a hospital in Dubai. Recently, my doctor told me that I would not last for the next six months due to my cancer problem, cancer of the lever. 

Joe Carrigan: [00:10:12]  I hate when my lever gets cancer. 

Dave Bittner: [00:10:13]  Yeah, it's bad. 

Joe Carrigan: [00:10:14]  (Reading) I am giving my money away because of my health condition and the fact that my second wife is a terrifying woman to deal with. Marrying her was the only mistake I made in my life. She is currently managing my company here, but I know what she's capable of. She has sold her soul to the devil, and I do not want her to come near my money. Regards, John Kelly. 

Dave Bittner: [00:10:35]  (Reading) John, I'm so sorry to hear of this. Cancer of the lever can be deadly. Your second wife sounds awful. How did she sell her soul to the devil? Are you sure it's your lever and not your second wife poisoning you? Make sure to check your food before you eat it. James. 

Joe Carrigan: [00:10:51]  (Reading) Dear James Veitch, I am delighted to read your email. I trust in you based on the information from you. My wife is a very wicked woman who want me death so that she can inherit my wealth. I am praying to God to extend my life. John Kelly. 

Dave Bittner: [00:11:06]  (Reading) John, I had an idea while I was in the bath this morning. When you sit down to dinner, say, look over there, or something. And when she's looking in the other direction, switch plates with her. That way, if she's poisoned your food, she'll be eating it. James. 

Joe Carrigan: [00:11:21]  (Reading) I feel sad whenever I talk about her. I need your sincere assistant to help me to move and invest the sum of $9 million. Our business discussion will remain strictly confidential, and my wife can never know about it. 

Dave Bittner: [00:11:35]  (Reading) John, forget what I said before. Don't do the plate switcheroo. She's crafty. She might have anticipated the plate-switching and already switched them, so don't switch the plates - James. 

Joe Carrigan: [00:11:46]  (Reading) Dear James Veitch, thank you for your kind advice. But I will also wish to remind you that I can only allow for 10 minutes by the doctor to check my email. The funds are currently deposited with a private security company. Your duty is to contact the company as my representative, arrange with them, and finalize the funds into your account - John Kelly. 

Dave Bittner: [00:12:09]  (Reading) I've had another bath, and I think you should switch the plates. Hear me out. I think that she will have anticipated our anticipation and will give you the poison. Of course, it's quite possible that she might anticipate this, though. Basically, I'm confused. 

Joe Carrigan: [00:12:23]  (Reading) James Veitch, you must inform me your readiness to allow me introduce you officially to the company as my financial investment representative. I wait for your approval. 

Dave Bittner: [00:12:34]  (Reading) Of course - happy to help. Let me know the deets. Meanwhile, my wife has been acting very strangely the last few months. I'm concerned she might be wanting me death, too. It could be she's annoyed at the number of baths I've been taking. What are your top 10 signs that your wife has become evil and wants your wealth? 

Joe Carrigan: [00:12:51]  (Reading) James Veitch, I am going on a cancer surgery operation today. Contact my lawyer with libbertylawfirm@hotmail.co.uk. Tell him I have willed 9.2M to you for the good work of the god. There might be a small processing fee. 

Dave Bittner: [00:13:10]  (Reading) Dear Libberty Law, John's having the op today. Just in case things go pear-shaped, he's willed 9.2M to me to spend as frivolously as possible. Can you get in touch and let me know how I can best receive the money? I've run up a sizable water bill that I need to pay off ASAP. All the best, James. 

Joe Carrigan: [00:13:27]  This email comes from Libberty Law, re: beneficiary for Mr. John Kelly estate. (Reading) Our client Mr. John Kelly has asked that we provide legal services on your behalf as his beneficiary in respect of funds $9.2 million. We will require your personal information to prepare the required documents. Please send to this office the following details - full names, contact address, occupation, monthly salary, income, marital status, telephone fax number and mobile phone number. I await your reply. Regards, Barr Libberty Moore. 

Dave Bittner: [00:14:01]  (Reading) Dear Libberty Law, yes, I am to be the beneficiary for John's estate. Here are the details you asked for. Full name, Alistair James Veitch. Occupation, hedge fund manager. Monthly salary income, 40,000 pounds. Mobile phone number, I don't trust the damn things. How can I get this money? I'm so anxious to get a hold of it I might just do something rash. 

Joe Carrigan: [00:14:24]  (Reading) Dear James Veitch, we could not respond to your email yesterday because of the news of John Kelly's death that reached us yesterday from the Dubai Mortality and Death Records Agency. John Kelly passed out in the early hours of yesterday, and his remains have been deposited in a mortuary and will be buried on Monday next week in Dubai. Get back to me so that I can instruct you on how you can send $900 to the court for them to issue the above required documents for submission to the ING Bank for release of the funds to you. The Bible made us understand that blessed is the hand that gives. 

Dave Bittner: [00:14:59]  (Reading) Dear Libberty Moore, I am so sorry to hear that John Kelly has passed out. Do you mind my asking whether it was peaceful? It seems like I was talking to him only yesterday. It's a shocking and entirely unexpected development. Begin with the wife. If you ask me, there's something not quite right about her. Meanwhile, I'm ready to receive the $9.2 million. I'm so happy to do this. I'm reminded of Psalms 13 verses 3 and 4, where the Lord says bring unto me the $9.2 million in non-sequential bills. Please begin the transfer as soon as possible as I'm a bit impecunious just this minute. 

Joe Carrigan: [00:15:35]  (Reading) Dear James Veitch, he died of complications resulting from the operation. May his gentle soul rest in peace. You can send the payment for them to release the funds to you. 

Dave Bittner: [00:15:45]  (Reading) This must be hitting you hard then. How are you holding up? I've been thinking it over, and I couldn't in all honesty accept this money without knowing a bit more about John Kelly. Where is his funeral going to take place? I'm thinking of going. 

Joe Carrigan: [00:15:57]  (Reading) We categorically stated that his remains would be buried on Monday in Dubai, which is today. Thank you very much for your concern about my personal well-being, and how are you and your family doing? I hope great. May John Kelly's gentle soul rest in peace. Yes, of a truth, his death is hitting me hard. And I am being able to hold up because of the actualization of his dreams that is near completion due to your kindness to assist him. 

Dave Bittner: [00:16:24]  (Reading) Dear Libberty, I live in London, you see. So I thought I'd just pop around and give you the $900 in person. Be good to meet up anyway and chew the fat. I stopped by your corporate offices in North London, only I couldn't find an office there, just a cul-de-sac. What's the deal? All the best, James. 

Dave Bittner: [00:16:43]  And that's the end. 

Joe Carrigan: [00:16:44]  So James Veitch does this a lot with these guys. 

Dave Bittner: [00:16:47]  Yeah. 

Joe Carrigan: [00:16:48]  And he has a TED Talk that's very funny, and he's very funny, I think. 

Dave Bittner: [00:16:53]  Yeah, definitely worth checking out. 

Joe Carrigan: [00:16:54]  Yeah, definitely worth checking out. 

Dave Bittner: [00:16:55]  We'll have a couple of links to his book and his TED Talk so you can see more of James. So that is our "Catch of the Day." Coming up next, we've got my interview with Gary Berman. He has started an organization called CyberMan Security. And they are involved in trying to make the world a little safer for folks of all walks of life. We're going to speak to Gary in just a few minutes. 

Dave Bittner: [00:17:17]  But first, a message from our sponsors at KnowBe4. 

Dave Bittner: [00:17:22]  Now let's return to our sponsor's question about the attacker's advantage. Why did the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5% failure rate. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:18:22]  So, Joe, I recently had the pleasure of speaking with Gary Berman. He has started a really interesting company and project called CyberMan Security. They're publishing comic books, graphic novels, putting them online and also in print. And he's got an interesting story about how he got into all this. Here's my discussion with Gary Berman. 

Gary Berman: [00:18:40]  I was the CEO of a marketing communications company 18 years ago that I'd started with my wife. Things were going really well. We were fortunate to sell 49% of it to one of the largest marketing companies in the world, and everything was going great. And unfortunately, then I suffered a serious injury. I was playing in a Jewish basketball league. I just blew out my knee, which resulted in complications. And I almost died. So I was out of my own marketing company for about nine or 10 months, during which time, unbeknownst to me or my wife, my right-hand person and a tech contractor and a couple other people essentially cloned my company. And they spoofed our website. They redirected incoming phone calls from our, you know, company to a company they had set up. They had, amongst other things pertaining to hacking humans and social engineering, they pretended to be whistleblowers, called my biggest clients like General Motors, AT&T, Procter and Gamble saying that I was under investigation for fraud within my data collection facility, and that I was under investigation by the FBI and to cease all communications with me. 

Gary Berman: [00:19:52]  I'm making a very long story short. I lost several million dollars, and I had to lay off about a hundred people. After about five years trying to keep things going, the whole time, this kind of technology net was evidently, you know, over my work. And the FBI at first referred to it as an economic crime, which it was. But then it turned into something else. Along the lines, perhaps, it's referred to as cyberstalking because after I closed the company, fast forward to about three years ago, as wages to provide for my family, my wife and I decided I would try to get back into the industry that I had left, you know, 10 years earlier. And I was quickly invited to give a keynote speech. 

Gary Berman: [00:20:33]  It went great. All these people came up, saying, Gary, where have you been, you know? Can we submit a proposal to you? And I came home with a stack of business cards and fell into my wife's arms in tears, you know, of gratitude. And the next day, the hacks started. You know, boom, boom, boom, boom, boom, you know, starting with hacking my LinkedIn account, Google two-factor authentication, Norton VPN, 36 people listening to my OnStar account in my car. There were actually 19 attack vectors. Over time, they made up various explanations like, oh, we had just decided to start our own company. But I had - they were on my salary for at least two years while this was happening. So I later learned every morning they were having what I referred to as parking lot summits. So about four of them would get together and go over their production for the day, you know, for the research that we were putting out. Come into my office, do their work, and do just a tiny bit of, kind of, our core company work and eventually siphoned off everything. 

Dave Bittner: [00:21:32]  Wow. 

Gary Berman: [00:21:33]  What the comic has done, I needed to find a way to shine the light because kind of unable to receive justice due to the difficulty of attribution. I took a quote from Justice Brandeis who once famously said sunlight is the best disinfectant. And so I started trying to listen and learn, you know, about cybersecurity. And right away, I knew that, you know, this is way beyond me, and there's no way I'm going to get my CISSP or have a 20 year career, you know? I was 60 years old at the time trying to learn about an industry that I knew nothing about. And so I bought a book called "Cybersecurity for Dummies." You know those yellow books with a black stripe on them, "For Dummies?" 

Dave Bittner: [00:22:13]  Yeah. Yeah, absolutely. 

Gary Berman: [00:22:14]  So I thought, OK, perfect. So I got the book. And 10 pages in, Dave, I was lost. And I knew there had to be a better way. So - but I had no idea about that or how to do it or what it was. And so I decided to listen and learn. I happened to see "Spider-Man," and I thought, hey, what about comics - superhero comics? Find a way to distill complicated cybersecurity or technology information into something that's approachable to 99.9% of all people who are online who are not in cybersecurity, you know... 

Dave Bittner: [00:22:48]  Right. 

Gary Berman: [00:22:48]  ...Or technology. And so I put a little prototype, you know, of the cover of a comic on my LinkedIn page. And I decided to invite CSOs. So one at a time, I just, you know, looked up CSO by title, and I started inviting them to connect with me. And I asked them to please send me blinded, real-life stories of cybercrime answering three questions - what happened, what were the consequences, and most importantly, what were the lessons learned - for possible inclusion into, you know, comics. And as of the morning, I have over 21,900 connections. 

Dave Bittner: [00:23:24]  Hmm. 

Gary Berman: [00:23:25]  That's what I said because I thought, why not try to learn from the people who had been in the industry longest and who are the innovators? And I've been the beneficiary of this incredible generosity of time and wisdom and skills and connections within the cybersecurity ecosystem. And at - last year at DEF CON, when I released our first comic, I signed 3,250 copies. 

Dave Bittner: [00:23:50]  Wow. 

Garry Berman: [00:23:51]  Yeah. 

Dave Bittner: [00:23:51]  You know, it strikes me that one of the great things about comics and graphic novels is how - the wide array of folks that they appeal to. 

Garry Berman: [00:24:01]  Yeah, that's a great analysis, and it's the epicenter. It's the secret sauce because images are the language of the brain. So if you study, like, memory, which I had to learn about - if you studied the Marvel way, which I had to learn about from Stan Lee - rest in peace - images are how the brain recalls things. And so the second sort of underpinning of what you just said is because the overwhelming majority of people in this ecosystem - I'm referring now just to cybersecurity for a moment, or technology - come from a tech background. That's how their brains are wired, and that does make complete sense. Everyone uses their brain. What I'm appealing to is their heart and storytelling. 

Garry Berman: [00:24:45]  So it's not even so much that using, you know, graphic novels or images by themselves are compelling enough to occupy the space in someone's brain or their heart and then serve as a basis for a change in behavior. It's that the stories are so interesting, you know, in their real life. And people go, I learned something from this that I didn't know before, and I'm grateful for it. And I'll pass it on to my kids. And in about two weeks or so, in partnership with NICE - the National Initiative for Cybersecurity Education - they're sending out, you know, our comics to 200,000 people in the federal government, which is unbelievable. 

Dave Bittner: [00:25:27]  One of the things that strikes me about the work you're doing, as I look through your gallery of heroes and villains, is there's a lot of diversity there, which is great... 

Garry Berman: [00:25:38]  Yes. 

Dave Bittner: [00:25:38]  ...That the fact that there's a print version of this - the kid can take this home who might not have access to a computer at home. 

Garry Berman: [00:25:44]  That ties into something else that we just listened and learned about, you know, and that is, you know, the only people that really like change, you know, are babies with wet diapers, you know? So most of us have trouble with that, you know? So if you think about, like, security awareness or training, you know, at a corporation, it's great for what it is - you know, PowerPoint and things like that. Diversity - very intentional for us because we listened and learned a lot of times on your show - you know, you sponsor this great conference for women and all that. So on purpose, half our characters are women, and half of them are Hispanic or African American or Asian. We have a veteran - disabled veteran because we know that this is an opportunity to amplify the importance of diversity within the cybersecurity ecosystem and to encourage the next generation of people in university or young adults to pursue careers in cybersecurity and then even younger. We want real diverse people and opinions and life skills, taking STEM courses. So we're actually, in our own little way, you know, amplifying all the stuff you do. 

Dave Bittner: [00:26:50]  And I have to say that one of the things that I really appreciate about the work you're doing is that in a field that is so technical and is so often, you know, ones and zeros and charts and graphs and statistics - that you're coming at this problem - this very real problem - from an emotional side... 

Garry Berman: [00:27:10]  Yes. 

Dave Bittner: [00:27:10]  ...Through the power of storytelling. And that is really a powerful way to connect with people and really influence them. 

Garry Berman: [00:27:17]  I learned this from the legacy of this guy named Joseph Campbell. He wrote, amongst other things, this thing called the monomyth. And basically, he's a mythologist, and he studied cultures and storytelling all the way back to ancient Greece and things. And you know, it turns out we all have just kind of one story, you know, and he calls it the hero's journey. And you have it. All your listeners have it. And it's unique and special, you know? And people feel passionate about their own journeys. And, you know, so our mission is to unleash that power for good. 

Dave Bittner: [00:27:51]  Joe, what do you think? Interesting guy, huh? 

Joe Carrigan: [00:27:53]  Interesting guy. I can't imagine having to go through that... 

Dave Bittner: [00:27:55]  Yeah. 

Joe Carrigan: [00:27:55]  ...What he went through to wind up where he is. It's a very interesting story - unfortunate. 

Dave Bittner: [00:27:59]  Yeah. 

Joe Carrigan: [00:28:00]  One of the things he said that always rings true with me is that change is difficult to implement. You know, he says the only people that like change are babies with full diapers. 

Dave Bittner: [00:28:07]  Right. 

Joe Carrigan: [00:28:08]  I think what he's doing is important work to get more people interested in the field, to understand it. I like all the different villains that he has. Those are kind of funny. The heroes are - and the artwork in the comic book looks pretty good. So I think this is good. I think it's a medium that a lot of people are familiar with and that it will be approachable. We'll see how it works. 

Dave Bittner: [00:28:25]  Yeah. I like that it's a fresh approach to something. Obviously, people are saying that we need as much help in this area as possible. 

Joe Carrigan: [00:28:33]  Right. 

Dave Bittner: [00:28:33]  So for somebody to come at this from a different direction, a bit of thinking outside of the box - I think that's great. We'll have a link where you can check it out in the show notes, of course. Our thanks to Garry Berman for joining us. 

Dave Bittner: [00:28:45]  That is our podcast. Of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. 

Dave Bittner: [00:29:02]  Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:29:09]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik; technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:29:28]  And I'm Joe Carrigan. 

Dave Bittner: [00:29:29]  Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
KnowBe4 Logo
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music
Follow the CyberWire