Dave Bittner: [00:00:04] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:22] Hi, Dave.
Dave Bittner: [00:00:23] We've got some good stories to share this week. And later in the show, my conversation with Jonna Mendez. She's a retired CIA intelligence officer, and she is the former chief of disguise for the CIA - interesting conversation, for sure.
Dave Bittner: [00:00:40] Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.
Dave Bittner: [00:01:18] All right, Joe, we don't have any follow-up this week, so why don't we just jump right into our stories? You want to kick things off for us?
Joe Carrigan: [00:01:26] Dave, it's time for Joe's classic cons, part three.
Dave Bittner: [00:01:30] (Laughter) OK.
Joe Carrigan: [00:01:30] These are cons that are from the old days, or maybe now you might see them. They're not what you would consider internet scams. They're more like in-person scams, right? These are things that you should - but they're still social engineering...
Dave Bittner: [00:01:43] Yeah.
Joe Carrigan: [00:01:43] ...Which is very important. And the first one I have is the lottery scam. And this con requires some pretty good storytelling on the part of the scammer, and maybe an inside man would be helpful.
Joe Carrigan: [00:01:56] But here's what the scammer does. They approach somebody and they say, I've won the lottery, right? I've got this this lottery ticket, and it's - maybe I've won $1,000 from the lottery, right? Maybe it's a Pick 3. Maybe it's a fake Powerball ticket. It's a scam so the ticket's fake. And maybe I've picked out 6 of the 7 numbers, so I get $1,000. But I can't claim the cash because I owe money to the government, and they'll confiscate it. Or I'm an illegal immigrant, and when I go to claim the prize, I'm afraid I'll be deported, right? So they'll do this.
Joe Carrigan: [00:02:29] So what they'll do then is they'll say - and this is a very useful tool in conning - they'll say, does anybody have any options? What can we - how can we overcome this, right? So they'll, like, start brainstorming. At some point in time, they're going to have the victim of the scam verify the numbers. And in the old days, cons would provide forged newspapers as proof of the winning numbers, right? So they'd print up a fake newspaper, and they'd have the numbers in the newspaper. These days, they use a fake hotline or a website - right? - because anybody can set up a website. And if you set up a website that looks like a lottery website or you set up - a phone number is easy enough to set up with a Google Voice number. You can put a recording on that.
Dave Bittner: [00:03:08] Right.
Joe Carrigan: [00:03:10] And since the ticket is completely fake, the number and the website can be printed on the back of the ticket, right? Once the story is spun, the con offers to sell the ticket at a discount, right? And that's when the victim of the scam says, yeah, you know, it's going to pay out $1,000; I'll give you $750 for it, thinking that they're going to collect and make a profit of $250. But of course, the ticket is fake.
Joe Carrigan: [00:03:39] If necessary, there's an inside guy who says, you know, really, you should buy the ticket. It always - a lot of these - both of my scams today have the possibility of having a second person who looks like a bystander or maybe is inside with the victim. And of course, when you go to claim the winnings, the ticket is fake.
Joe Carrigan: [00:03:58] Now, here's what's interesting, Dave. My last job in what I described as my brief and failed sales career...
Dave Bittner: [00:04:05] (Laughter).
Joe Carrigan: [00:04:05] ...I was selling printers. And one of the printers - lines of printers that we sold, I think we had a couple from a company called Zebra. And they're actually still around, and they make these printers called direct thermal printers. And they're not that expensive.
Joe Carrigan: [00:04:21] And all you need is a direct thermal printer and a roll of direct thermal paper that looks like a lottery ticket paper and maybe even get some information printed on the back of that paper. And I'm sure you can order that probably online, have it printed up, or maybe you can actually steal some lottery paper from somebody because all these lottery vendors have rolls of those lottery ticket - those sheets. And those lottery tickets are printed out on direct thermal paper. So if I get another direct thermal printer and just run that paper through that printer, there's nothing to stop me from printing up lottery tickets. This is a scam I have the technical expertise to conduct, Dave.
Dave Bittner: [00:05:01] (Laughter).
Joe Carrigan: [00:05:01] But fortunately for the world, I'm not that good of a con man. I'd be like, hey, I have this fake lottery - I mean, lottery ticket, and...
Dave Bittner: [00:05:08] Right. Right.
Joe Carrigan: [00:05:09] It wouldn't go over well for me. I'm not that slick.
Dave Bittner: [00:05:13] (Laughter) And so - so as evidenced by your failed sales career.
Joe Carrigan: [00:05:17] Exactly. Yes. Good point.
Dave Bittner: [00:05:21] OK.
Joe Carrigan: [00:05:21] Now, the next one is called the flop - or as I like to call it, the men's soccer player.
Dave Bittner: [00:05:27] (Laughter) OK. Right. Of course.
Joe Carrigan: [00:05:29] Now, in older versions of the scam, the con usually had an old injury, and it was actually pretty dangerous. And what would happen is the con would step in front of a car and then flop onto the hood of the car. And then they would either demand compensation immediately or go to the hospital, and an examination would reveal the old injury, and the insurance company would pay out.
Joe Carrigan: [00:05:49] But today, there's a safer version of this con, right? So instead of getting hit - or maybe they maybe they get hit, but what they say is they are fine. The victim is fine, and they don't need any medical attention. But their computer, iPad or maybe a cellphone has been broken. You're glad that they're not injured. You, as the victim, are glad they're not injured. And you just pay - give them some money to compensate them for their damaged equipment. Now, the equipment was damaged before the incident, right? You can get this kind of equipment online cheap, right? If you - if somebody - a lot of people are selling broken cellphones. You can just go pay 10 bucks for a broken cellphone and then lay on top of someone's hood and go, oh, you broke my cellphone. That was a $300 cellphone. Somebody gives you 300 bucks, and you make 290 bucks, right? It's pretty...
Dave Bittner: [00:06:36] And you're thinking to yourself that you dodged a bullet here because they're not coming after you for medical expenses or some other long, drawn-out lawsuit.
Joe Carrigan: [00:06:47] Right. And now, there is - a lot of times, there's a second person involved in this scam as well. And they don't look like they're associated with the scammer, right? They look like they're just standing there, and they're a witness. So if you're sitting there hemming and hawing about paying for the damaged equipment, this bystander will come over and go, listen, man, you've got an opportunity here just to give this guy some cash and then walk away from this situation, right? So he'll kind of compel you. There are two things you can do to prevent yourself from getting scammed this way. No. 1 is do the Dave Bittner and get yourself a dashcam.
Dave Bittner: [00:07:20] (Laughter) Yes, yes, yes. That is correct. I do have a dashcam.
Joe Carrigan: [00:07:24] And it's - you love dashcam videos, right?
Dave Bittner: [00:07:27] I do, yeah. I'll admit it's a guilty pleasure of mine. I do enjoy watching dashcam videos.
Joe Carrigan: [00:07:32] I found one on YouTube from the "Today" show where it was a woman in the U.K., and this guy was on a motor scooter, a little scooter bike - right? - a motorized scooter. And he is in the street. And she stops. And he backs the scooter up into her car and then jumps on her hood, right?
Dave Bittner: [00:07:51] Oh, yeah.
Joe Carrigan: [00:07:51] And she gets out. She gets out, and then the bystander comes over and goes, hey, you crashed into that guy and starts putting the pressure on her. And she turns around and points to her car and says, I have a dashcam. And both the guys take off. They run.
Dave Bittner: [00:08:06] (Laughter).
Joe Carrigan: [00:08:07] Right?
Dave Bittner: [00:08:08] Yeah. You know, just - not to get too deep into the weeds here, but there's a whole genre of dashcam videos that are called brake check videos. And a lot of them have to do with - there's a version of this scam where someone's out, you know, they get themselves a, you know, a $50 car. They go out on the highway. They get in front of an 18-wheeler that can't stop very quickly. You know, they hit the brakes. The 18-wheeler taps them from behind and lawsuit.
Joe Carrigan: [00:08:35] Right.
Dave Bittner: [00:08:35] (Laughter) Yeah.
Joe Carrigan: [00:08:35] Yeah. A lot of times, they'll load that car up with people as well. And those people are being used by, you know, used - exploited, if you will. And they're being put in real serious danger, right?
Dave Bittner: [00:08:47] Yeah. Yeah.
Joe Carrigan: [00:08:48] So - and these guys have no compunction about doing that. They just - they - yeah, everybody, load up in that car, and then slam on their brakes in front of an 18-wheeler.
Dave Bittner: [00:08:56] Yeah. What could go wrong? Yeah (laughter).
Joe Carrigan: [00:08:59] Yeah, what kind of - these people are horrible people. The other...
Dave Bittner: [00:09:01] Drinks are on me. Yeah.
Joe Carrigan: [00:09:02] Yeah. The other thing you can do to prevent this is as soon as this happens and you think you're being scammed, insist upon calling an ambulance or police and filing a report. Say, no, this is not going down without this being officially documented. Yeah, it's OK. I'll risk having this mark on my insurance, particularly if you see something where it's obvious to you that these guys are trying to scam you. Usually when you insist upon calling the police, they'll leave because the police probably know who they are.
Dave Bittner: [00:09:31] Yeah. All right. Well, it's one to look out for. And as always, spread the word to your friends and family about this one. It seems like these sorts of things are proliferating. I suppose with fewer people being out and about at the moment, maybe people are taking a break from it. But...
Joe Carrigan: [00:09:50] Right.
Dave Bittner: [00:09:50] But who knows because you also have, you know, desperate times. People often stoop to these sorts of things when desperate times come upon them.
Joe Carrigan: [00:10:00] Yeah.
Dave Bittner: [00:10:00] My story this week, it actually comes from Twitter. It comes from a gentleman named Aaron Gyes (ph). I believe I have his last name right. It's - could be a tricky one. But he tweeted - actually did a video capture of a series of scammy incidents that popped up on his iPhone. And, Joe, I know you're an Android guy. I suspect that there's probably a similar version of this that pops up on the Android site, and this is - or on an Android device. This is actually scammy in two parts. So let's walk through this together. The first thing that happens is you're browsing along. You're, you know, surfing the web, minding your own business. You go to a site, and up pops a pop-up that takes over the entire screen, right?
Joe Carrigan: [00:10:46] From the web browser.
Dave Bittner: [00:10:47] And this - on your web browser. You're in your web browser. This pops up and takes over the entire screen. It says, your iPhone may be hacked due to recent surfing on suspicious sites. So this is your fault, right?
Joe Carrigan: [00:10:57] Right. Exactly.
Dave Bittner: [00:10:58] Your personal data on this iPhone may be stolen via hidden scripts by cybercriminals. In case it happens, they can access all other Apple devices linked to this Apple ID and are vulnerable. Your devices may be blocked today if no action is taken. Install the most trusted cybersecurity application and activate for free to protect your Apple ID credentials and your iCloud data from loss. And next to this message, it has a picture of the icon that Apple uses for system updates. So that makes it look more official.
Joe Carrigan: [00:11:29] Right.
Dave Bittner: [00:11:29] And there's a countdown clock at the bottom...
Joe Carrigan: [00:11:32] (Laughter) Yeah. I noticed that. It looks like...
Dave Bittner: [00:11:33] ...For no reason whatsoever. It's, like, counting down from, you know, a minute. I don't know what's going to happen if you don't do - go in, you know, in time. Your mobile device is going to burst into flames, or...
Joe Carrigan: [00:11:42] Right. Well, this is part of the pressure, Dave. They - you better do it now.
Dave Bittner: [00:11:46] Right. Right. Exactly. So that's part one. And this - first of all, this type of thing makes my blood boil. When I...
Joe Carrigan: [00:11:53] Yeah.
Dave Bittner: [00:11:55] This is one of the worst things about modern life online are these horrible ads. And they sneak their way into these ad server companies, you know, that - I mean, nobody wants these, right? The people who are serving the ads, the people who are hosting the websites, everybody agrees these are bad. But these bad actors manage to sneak their way through and end up on some of these ad-serving platforms.
Joe Carrigan: [00:12:19] My question is why can't the browser manufacturers make it so that my browser can't involuntarily go full screen?
Dave Bittner: [00:12:26] I don't know. It's a good question. I don't know.
Joe Carrigan: [00:12:28] Maybe they have done that. I don't know. This does still have the URL up top.
Dave Bittner: [00:12:33] Yep. OK, so you click the link because you don't want your phone to burst into flames.
Joe Carrigan: [00:12:39] Right.
Dave Bittner: [00:12:39] And it takes you to an app called Ad Security Center. And this is an app you can download, and it's listed as free...
Joe Carrigan: [00:12:49] Right.
Dave Bittner: [00:12:51] ...With paid options. There are things you can pay for, but the app itself is free.
Joe Carrigan: [00:12:58] And it says the most trusted ad blocker in the world.
Dave Bittner: [00:13:01] Right. Now...
Joe Carrigan: [00:13:02] And then underneath, there's two speech clouds - no ads, cool.
Dave Bittner: [00:13:06] Right. Now, it is rated 4.1 out of 5 on the app store, but if you go and look at the reviews, the reviews are pretty evenly split between five-star reviews and one-star reviews, right?
Joe Carrigan: [00:13:23] (Laughter) Right.
Dave Bittner: [00:13:23] And many of the five-star reviews are, suspiciously, written in Russian. How about that?
Joe Carrigan: [00:13:28] Oh, are they also suspiciously similar?
Dave Bittner: [00:13:31] They are. And the bad reviews are also very similar. Basically, they say things like, this app is a scam.
Joe Carrigan: [00:13:38] (Laughter) Right.
Dave Bittner: [00:13:40] This app just takes your money. So this app is that type of app that is referred to as fleeceware.
Joe Carrigan: [00:13:46] Fleeceware, yep.
Dave Bittner: [00:13:47] Because it fleeces you out of your money. And the way it works is you get a free three-day trial of this app, and then after three days, it automatically starts billing you. I believe it's $10 a week.
Joe Carrigan: [00:14:02] Through your Apple account.
Dave Bittner: [00:14:03] Through your Apple account, right?
Joe Carrigan: [00:14:05] Right. Yeah.
Dave Bittner: [00:14:05] You start getting billed 10 bucks a week for this app.
Joe Carrigan: [00:14:09] Yep. Yep.
Dave Bittner: [00:14:10] Which is excessive (laughter). It's $500 a year.
Joe Carrigan: [00:14:16] That's ridiculous.
Dave Bittner: [00:14:17] It is ridiculous.
Joe Carrigan: [00:14:18] And the three-day trial period is also ridiculous because that doesn't give you enough time to cancel, right?
Dave Bittner: [00:14:24] Yeah. Yeah.
Joe Carrigan: [00:14:24] There may be something in the T and Cs that say - terms and conditions - that say you have to let us know within, you know, 48 hours that you have - you want to cancel. Well, that means you have 24 hours to evaluate the product and decide you don't want it, right?
Dave Bittner: [00:14:41] Yeah.
Joe Carrigan: [00:14:41] And there's no way to opt out of paying this, right? There's no way to say, yeah, I want to go ahead and do this. You have to enter your - payment information is actually already entered because it's in the the Apple App Store or the Google Play store if they have something similar there.
Dave Bittner: [00:14:55] Right.
Joe Carrigan: [00:14:57] And you're just hosed. Then you have to call Apple. And you know, one of my big concerns about fleeceware is that there is no financial incentive for Apple or Google to remove these from their app store because they take a pretty big cut of those in-app purchases like this.
Dave Bittner: [00:15:13] Right. Right. Right.
Joe Carrigan: [00:15:15] And that needs to be addressed.
Dave Bittner: [00:15:17] Well, I mean, I'll say - I mean, to their credit, I think of the app stores out there, Apple does a good faith job of trying to clear out these sorts of things. I think you're right that they have...
Joe Carrigan: [00:15:29] A conflict of interest.
Dave Bittner: [00:15:30] They are incentivized not to.
Joe Carrigan: [00:15:32] Right.
Dave Bittner: [00:15:34] And there have been occasions where, for example, I - there was a time when I had inadvertently subscribed or renewed a subscription to a magazine that I was no longer interested in, and I dropped a note to Apple on the App Store. And I got a note back within a few hours that said, yep, no problem. Here - you know, refund. No worries. If you have any more trouble, please let us know. So at least in that case, Apple was responsive. But, you know, even if you - I would imagine there are a lot of people who - they get billed their first round, their first $10...
Joe Carrigan: [00:16:05] Right.
Dave Bittner: [00:16:05] Right? And they spot it. You know, they get a bill from Apple or whatever, and they go, whoa, wait a minute. They disconnect. They remove the app. But they don't go through the hassle of asking for a refund. They just figure, oh, gosh, I got scammed.
Joe Carrigan: [00:16:20] Right.
Dave Bittner: [00:16:21] I'm out $10. You know, not the end of the world.
Joe Carrigan: [00:16:24] Yeah.
Dave Bittner: [00:16:24] And so these scammy fleeceware folks profit.
Joe Carrigan: [00:16:28] Right. Oh, absolutely. I'm sure that happens at least 50% of the time. That's me just taking a wild guess. But, you know, I'm sure that happens frequently, just as you're speculating.
Dave Bittner: [00:16:37] So I think the lesson here is if you find yourself with one of these apps - you know, it's that whole too-good-to-be-true kind of thing - make sure that you look at the terms and conditions to see what they're going to be billing you. And if they're going to start auto-billing you anything, especially if it's on a weekly basis...
Joe Carrigan: [00:16:54] Right.
Dave Bittner: [00:16:54] ...Delete that app right away. Just get rid of it.
Joe Carrigan: [00:16:57] Yeah. A weekly basis is - a couple of things here. There's the old Krebs on Security line. If you didn't ask for it, don't install it. Right? This is just something that came up on your web browser. Don't do it. Don't install it.
Joe Carrigan: [00:17:08] And then, I like to say - this is the Joe Carrigan line - look at the reviews. And then look at the one-star reviews. That's how I judge a product, whether it's on Amazon or anyplace. I look at the one-star reviews and I see what they say. Right? And I compare them to, like, the four-star and the three-star reviews. And if I see, like, three-star reviews that say this product's OK, or if I see four-star reviews that say there's - here are some things wrong with the product. Then I see one-star reviews that say mine was broken. Right? Then I say, OK, go ahead and buy the product. But if I see one-star reviews that say this is a scam - right? - and here's why it's a scam.
Dave Bittner: [00:17:45] (Laughter) Right. Right.
Joe Carrigan: [00:17:46] Or this is a complete load of garbage. Don't buy this product at all. Then I don't buy the product, and I look for something else. That's how I make my purchasing decision. I absolutely do not take five-star reviews into account because you can't trust them. Because nobody pays for anything less than a five-star review. Right?
Dave Bittner: [00:18:04] Yeah. Yeah.
Joe Carrigan: [00:18:04] So they go out and they buy the five-star reviews. They don't buy four-star reviews; they buy five-star reviews.
Dave Bittner: [00:18:09] Right.
Joe Carrigan: [00:18:09] So read the other reviews. Actually, it's less reading.
Dave Bittner: [00:18:12] Yeah. Yeah. That is my story for this week. We'll have a link to that Twitter feed if you want to check out the video that really lays out exactly what happened here. And thanks to Aaron Gyes for posting that on Twitter. I think that's a good, useful sharing of information for everybody to check out. It is time to move on to our Catch of the Day.
0:18:32:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:18:39] Our Catch of the Day this week comes from Tom Chivers on Twitter. He is @TomChivers. And this is a letter, and it's pretty ominous here, Joe. Do you want me to read it, or do you...
Joe Carrigan: [00:18:50] Yep.
Dave Bittner: [00:18:51] ...Want to take a shot at it?
Joe Carrigan: [00:18:52] Dave, why don't you read it, and I'll do some commenting on the in-between because this does have some broken English, and nobody gets through broken English like you do, Dave.
Dave Bittner: [00:19:02] (Laughter) All right. Well, this one's pretty dark. So let me see. How - what's a good voice for this one? Let's try this. (Reading) I am pleased to inform you that we have been paid to assassinate you by someone close to you sincerely.
Joe Carrigan: [00:19:14] Pleased to inform you that we have been paid to assassinate you. Pleased - that's good.
Dave Bittner: [00:19:19] (Reading) I want you to listen very carefully about your safety. And do not, I repeat, do not try in any way doing anything funny, in other words, trying to inform any security agent, because this is our business. We know how to do it best.
Joe Carrigan: [00:19:34] I like that he repeats in text.
Dave Bittner: [00:19:37] (Reading) We have our network all over the world. In order not to endanger your life, the more you are advice to cooperate with us to know if we can change our initial plan to assassinate you.
Joe Carrigan: [00:19:49] Oh, there's an opportunity here for me.
Dave Bittner: [00:19:51] (Reading) Once you are in receipt of this message, I will like you to get back to us immediately as delay is dangerous.
Joe Carrigan: [00:19:58] There's the immediate call to action.
Dave Bittner: [00:20:00] (Reading) I wait to hear from you on this matter within the next 24 hours, and that is if you appreciate and love your existence.
Joe Carrigan: [00:20:08] (Laughter) Appreciate and love your existence with the artificial time constraint.
Dave Bittner: [00:20:11] (Reading) Please do not in any way communicate this or discuss this with anybody because you wouldn't know whom you were talking with. Reply to this message now. Our watchdog are on you. Do not make any mistake. God be with you. Good luck.
Joe Carrigan: [00:20:26] (Laughter) And finally, the attempt to isolate you and the appeal to religion as well.
Dave Bittner: [00:20:30] (Laughter).
Joe Carrigan: [00:20:30] This had a lot of the features in here. I love this message.
Dave Bittner: [00:20:34] Yeah.
Joe Carrigan: [00:20:35] I mean, it is dark. You're right. It's dark. But it's textbook.
Dave Bittner: [00:20:38] Yeah. Yeah.
Joe Carrigan: [00:20:39] And of course it's fake. They're just trying to get...
Dave Bittner: [00:20:43] (Laughter).
Joe Carrigan: [00:20:43] ...You to send them money to not kill you, which they're not going to do anyway.
Dave Bittner: [00:20:45] Yeah. Boy, the threat of assassination, that is just putting it all out there, isn't it?
Joe Carrigan: [00:20:50] Yeah. It's bold, you know? It's - and this is something that absolutely gets your attention.
Dave Bittner: [00:20:57] It's kind of like how we talk about how there's this filtration thing here because you're either going to get two reactions to this. Either someone's going to do a spit take and laugh out loud at this...
Joe Carrigan: [00:21:07] (Laughter) Right.
Dave Bittner: [00:21:07] ...Because it's so absurd, or they're going to be absolutely terrified by it. There's - I suspect there's very little middle ground here. And so that filtration thing happens. And if they get you, boy, they've got a hot one on the line.
Joe Carrigan: [00:21:20] That's right. And then they're going to extract money from you, and they're going to keep extracting money from you...
Dave Bittner: [00:21:25] Yeah.
Joe Carrigan: [00:21:25] ...Until there's no more money to extract.
Dave Bittner: [00:21:27] Yep. That's right. That's right. All right. Well, that is our Catch of the Day. We want to thank Tom Chivers for sharing that on Twitter. And, of course, if you have a Catch of the Day, we would love to hear about it. You can send it to us at firstname.lastname@example.org.
Joe Carrigan: [00:21:44] Or you can hit us up on Twitter. I am @JTCarrigan, and Dave is @bittner with two T's.
Dave Bittner: [00:21:52] And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally. KnowBe4 delivers convincing real-world proven templates, 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's Weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:22:53] Joe, I recently had the pleasure of speaking with Jonna Mendez. She is a retired CIA intelligence officer. She is also the former chief of disguise for the CIA, and, boy, has she led an interesting life as you might imagine - just a delight to talk to her. Here's my conversation with Jonna Mendez.
Jonna Mendez: [00:23:13] The career journey was not a straight line at all. That's probably true for so many people. I came out of Wichita, Kansas. I was in college. I went to Europe to be in my best friend's wedding. And basically, I never went home. That's when I flew the nest. I decided I wanted to stay in Europe. And I knew I had to find a job, so I ended up just blind-calling a bunch of banks, American banks, in Frankfurt, Germany, seeing if anybody needed this young American woman who didn't speak German. And oddly, Chase Manhattan Bank did. They said, come on in. Talk to us. You have a work permit? No. Speak German? No. You ever worked in a bank? No. And they hired me. And through the bank, I met a group of young Americans. There was an enormous American presence back then in Germany, military. And these young people said they were with that military group, but they were not. They were CIA, kind of the very young, professional group. And I became friendly with them and knew them for years, and I ended up marrying one of them. That was my first husband, John Goeser.
Dave Bittner: [00:24:34] And what era are we talking about? What years is this?
Jonna Mendez: [00:24:36] This was in the late '60s, early '70s. And the thing I had going on was an abiding interest in photography.
Dave Bittner: [00:24:48] Is this the sort of thing that we often see in movies with folks with, you know, small cameras that they've hidden somewhere, pulling them out and taking photos of documents while they've snuck into a room - that sort of thing?
Jonna Mendez: [00:25:03] It was - I think it was better than that.
Dave Bittner: [00:25:05] (Laughter).
Jonna Mendez: [00:25:06] Our cameras were so small we could put them in key fobs or Bic lighters. My tiny cameras, the best of them went into expensive fountain pens. So if you imagine, you could be sitting at your desk with your fountain pen. These things were silent. It was one motion. You didn't need two hands. You just needed to tap the top of your pen. You'd take a picture. If your boss walked out, it still worked as a pen. You could make a note. You could put it in your pocket, drop it in your purse, go to lunch with it. It was an amazing tool, that camera. It was called the Tropel.
Jonna Mendez: [00:25:46] And, arguably, more significant intelligence was collected with that pen than almost any other device that we had, including our satellite systems, because what we were looking for was the plans and intentions of our enemy, and while the satellites brought back volumes and volumes of information, they were always talking about today. This is what's there today. This is what it looks like today. We wanted to know tomorrow plans and intentions.
Jonna Mendez: [00:26:21] And so, you know, getting the documents coming out of the - getting the minutes of the meeting or the agenda for the meeting, that's what we were after. Could imagine today, if we were working today, we'd be looking to try and find out what Kim Jong Un - the plans he has for that nuclear arsenal, what Mr. Putin has in mind for our next election. I mean, those are the questions of the day.
Dave Bittner: [00:26:50] Now, how did that beginning with photography lead to disguises?
Jonna Mendez: [00:26:56] Well, it didn't. I was having a fairly wonderful career. It was a traveling job. I mean, I was everywhere. These operations were all over the globe. But I spent two months one summer in the Middle East. Actually, I was in the subcontinent. And I just fell in love with the culture, everything - the people, the food, just all of it. And I came back to Washington and said I'd like an assignment in that part of the world. And they said there's nothing coming open for photography. There's a job for disguise coming open in a couple of years. And I changed my career track. I said make me - let's make me a disguise officer. I really want to do this. And that's the path that took me into disguise.
Jonna Mendez: [00:27:51] It's a little farfetched, but I was all excited. I had just discovered that I could actually control my career instead of sitting back and waiting to see what they had in mind, that I could step forward and make some suggestions. And it worked.
Dave Bittner: [00:28:08] Can you give us some insights? What goes into that side of things? What makes for a good disguise? How does that work when you're trying to disguise yourself and appear like someone else or blend into the background?
Jonna Mendez: [00:28:22] Well, it's just totally dependent. It's situational. It's all over the place - what you think you need, maybe what you actually do need. Can we make it? Can you wear it? Will the climate allow it? So you'd sit down with each person that would approach the disguise branch and you'd go through a vetting process, a requirement definition, find out what it was that they needed to accomplish.
Jonna Mendez: [00:28:56] When we were putting these things together, we were referring back to some colleagues, some professional colleagues, out in LA, in the makeup departments and the special effects departments. One of them was named John Chambers. He was responsible for the early beginnings of a lot of our techniques. He and Tony sat down, and Chambers said, you know, you call it an operation; we call it a performance, more or less talking about deception and illusion and a little bit of magic. He said, you know, the first part of planning it, you have to know, what's the stage? Where are you going to conduct this thing? Where is this deception going to take place? Because a lot depends on that.
Jonna Mendez: [00:29:42] And the other part of it is, who's your audience? Who are you actually trying to fool? Is it someone in a car behind you? Is it the gate guard where you have to go in and out of the embassy proper? Or is it a video camera in a parking garage? So figure out who your audience is, what your stage is. And then you start understanding what you can get away with.
Jonna Mendez: [00:30:05] So we always had in our mind that these were officers who were going to go out and meet someone. And the person they met was going to write a memo for the record that said I met with this person Tuesday afternoon, and this is what he looked like. This is what he said his name was, and this is what he looked like. He was married or he wasn't married. He smoked; he didn't smoke. He wore too much cologne, he didn't wear - you know. And everything in that memo, for the record, should be wrong. That was our goal. The color of his eyes - there wasn't much we couldn't change. Although, I always had to point out to them that it was an additive process, always. So we couldn't make people shorter. We could always make them taller. Couldn't make them thinner, but we could make them look heavier. We could make them look older. It's very hard to make them look younger. And, you know, a lot of the women might not be happy when we finished with them because they usually did not look better.
Dave Bittner: [00:31:05] I'm curious. With your expertise in disguises, did that make it so that you had better skills at spotting someone who was in disguise?
Jonna Mendez: [00:31:14] I don't know that I would spot someone who was in disguise, but I wasn't walking around looking for people in disguise. But if I was looking for a specific kind of person, I might be able to find them in a crowd that they didn't belong in. I used to laugh and say, you know, don't walk by me wearing a toupee because (laughter) my head will swivel. They're always kind of awful, and I can see them a mile away. It wasn't that I could see people in disguise. It was the other half of the coin.
Jonna Mendez: [00:31:51] When I lived in the Far East, our visitors would arrive in the middle of the night 'cause the big flights from America - they would come into these desert-like conditions in the cool of the night. It was better timing for the plane. And I would have to go out to an airport and watch a 747 unload, and I'd be looking for a CIA officer who was coming to visit us who had never been there before. I'd never seen his picture. I knew his name. I didn't know anything about him, but I had to find him in that crowd, and I always found him 'cause there was a profile that I could see of a CIA officer - how they dress, the kind of things they carry, the kinds of bags they use - just the whole package, I could see it. I never missed my man.
Dave Bittner: [00:32:47] Now, you have a story that you share about being in disguise in the Oval Office.
Jonna Mendez: [00:32:54] I do. We had - coming out of Los Angeles, coming out of the creative studios in the movie industry out there, John Chambers caught our eye partly because he had done the "Planet of the Apes" masks and we were really interested in them. We didn't want to make apes. But the way - if you ever saw the movies, the way that he fit the eyes to those characters, there was an animation in there. I mean, they were very human. They expressed a lot of emotion. And we thought, you know, that's a beginning of something that might be useful to us.
Jonna Mendez: [00:33:31] And this is my husband Tony Mendez. So he started a program. Let's make believable animated masks that fit so closely, that track our muscular movements that we could actually have a conversation with someone and they wouldn't know that we had on a mask. It had to go on quickly, I mean, less than 10 seconds. It had to come off just as fast, couldn't leave any residue. In Hollywood, it takes hours to get out of some of that stuff. We had seconds. And about 10 years after we went into that program, we started producing what we called semi-automated masks, SAMs, full-face masks that would only fit you. No one - they were made just for you. And it was a huge breakthrough. It allowed us to change everything. We could change your ethnicity. We could change your gender. We could put another face on you that would animate. So it was really quite a big deal.
Jonna Mendez: [00:34:37] Well, I showed it to my boss, and he said, let's show it to the head of CIA, Judge Webster. And he said, let's take it to the White House. And I said, I don't think I can wear this to the White House. This turns me into an African American male. And while it looks really good, it's a proof of concept. If we're going to go to the White House, we need something that I can actually talk in. So he said, make another one. So we did. We made a second one. The second one, I was younger. I was prettier. I loved this mask.
Dave Bittner: [00:35:11] (Laughter).
Jonna Mendez: [00:35:14] I think about it sometimes. Anyway, it was every bit as good as the first one. It was actually a little bit better. I told the judge - I said, I have no idea. I don't have anything that goes with this. He said, don't - you're with me. Don't worry about it. So we went to the White House, and we met with President George H.W. Bush and a roomful of luminaries - Bob Gates, John Sununu, Brent Scowcroft. The vice president wasn't there. He was late. He came tiptoeing in and missed the whole thing.
Jonna Mendez: [00:35:48] But, you know, President Bush had been head of CIA, and we had given him some disguised materials more than once for various things that he was doing. So I took him some pictures of himself to remind him what he had done. I said, so I brought the latest and greatest new product here today to show you. And he's looking around my chair like, where's your bag? He said, where is it? I said, I'm wearing it. It's a full-face mask. I'm going to take it off now, and I'll show you how it works. And I start to take it off, and he says, no, no, no. Leave it on. And he got up and walked over and looked at it more closely, really scrutinized it. Now, if you do that, you know what you're looking at, you can kind of start seeing it. He went back, sat down, said, take it off, and I did.
Jonna Mendez: [00:36:38] So I'm holding it up in the air so he can see that it's like a feather. It's lighter than air. And there's a photographer in the room. I think with a lot of these meetings, they're always in there. So I hear her going, you know, (imitating camera). She's walking around and taking pictures. I was the first one to brief the president. I was the first one to leave. So I went out into the secretary's office. That dog that they had - Millie and her puppies - they were out there. So I was playing with the puppies. And the photographer came out. And she came over and said, what was that? What did you do? And I said, I can't tell you. It's classified.
Dave Bittner: [00:37:18] (Laughter).
Jonna Mendez: [00:37:19] So I get this look. I said, but you photographed it, you know? It's there. It took 10 years for me to get the picture. And after 10 years, they sent me the picture, and they have - I'm holding the mask up in the air. That's the one they chose to send me. And they airbrushed the mask out. So I have a picture here in my office at home of me sitting in front of the president of the United States with my hand in the air...
Dave Bittner: [00:37:48] Holding nothing.
Jonna Mendez: [00:37:49] ...Holding nothing.
Dave Bittner: [00:37:50] (Laughter).
Jonna Mendez: [00:37:51] People that come through say - up until about two years ago, we did not talk about masks. This is a fairly recent understanding that, yes, we can have these conversations. But all these years, I haven't been able to. And people would say, what were you telling him? That you would - that's just so odd. And I would say, I can't remember. I was really into some story. I don't remember. But they airbrushed the mask out.
Dave Bittner: [00:38:22] That's fascinating.
Jonna Mendez: [00:38:23] We didn't make it to show to the White House. That was an add-on at the very end, and it was fun. And then after that, we have seen the Bushes over the years. You know, you live in Washington, D.C., and there's always a ballroom somewhere and these big, round tables. And he was famous - President Bush was famous for names and faces. That was one of his abiding skills. He never forgot a face. And sometimes, I would look across a couple of tables, and I'd see him between two people, and he'd be wagging his finger at me. I see you. I remember...
Dave Bittner: [00:39:03] (Laughter).
Jonna Mendez: [00:39:03] I remember your face. It was so funny. He did that twice.
Dave Bittner: [00:39:14] All right, Joe, what do you think?
Joe Carrigan: [00:39:16] That is a fascinating story, Dave. That is a - that's one of the most interesting interviews we've had on here. I don't have a lot of comments about this. I think the story speaks for itself. I do like how she calls the office the Q office - right? - like...
Dave Bittner: [00:39:30] Right.
Joe Carrigan: [00:39:30] ..."James Bond."
Dave Bittner: [00:39:30] (Laughter) Right.
Joe Carrigan: [00:39:33] The tale about the mask and building a mask is - I mean, it - her whole story makes me want to just see if I can do something like this and fool my friends - you know? - if I can pull this off. One of the things that I really liked about her story was the way she said they tested the disguise, where they would put somebody in the disguise, and then they'd take them to an agent who would then do a report on them. And if everything in that report was wrong about the person they were interviewing, then the disguise was deemed a success. That's very interesting. I mean, that's a really good test of a disguise, I think.
Dave Bittner: [00:40:09] Yeah, yeah.
Joe Carrigan: [00:40:11] I'm very disappointed that she can't make me look thinner, but she could...
Dave Bittner: [00:40:14] (Laughter).
Joe Carrigan: [00:40:15] ...Make me look fatter. Well, I can make me look fatter, too. I just need a couple of weeks of pizza, and then...
Dave Bittner: [00:40:24] (Laughter).
Joe Carrigan: [00:40:24] One of the interesting things that I thought she said was that when they were building a disguise for someone, they considered the audience. And that is a key important point that applies to everything that we talk about on this show. These - every scammer considers their audience, whether their audience is every person in the world and they're just trying to filter down their audience or whether their audience is one person. They are considering their audience, and that's something that's very important for everyone to remember about these malicious actors and anybody that's trying to - even a salesperson, right? A good salesperson considers their audience.
Joe Carrigan: [00:41:02] I like her story about when she would go to the airport to meet the CIA agent. That kind of reminds me of the old DEF CON competition they used to have, Spot the Fed, right?
Dave Bittner: [00:41:10] (Laughter) Right.
Joe Carrigan: [00:41:12] And this was at the DEF CON conference. They don't do it anymore because now so many feds go to DEF CON that it - and they do it openly. But...
Dave Bittner: [00:41:18] Yeah.
Joe Carrigan: [00:41:19] ...You know, they used to go - they used to have a competition where if you could identify a federal agent and that federal agent would say, yes, I'm a federal agent and you were the first person to do that, you could win a prize, right?
Dave Bittner: [00:41:32] (Laughter) Right.
Joe Carrigan: [00:41:32] And they have stopped doing that, obviously. But it was a...
Dave Bittner: [00:41:35] Yeah.
Joe Carrigan: [00:41:35] It was a fun competition. I've never been to DEF CON, but the idea is hilarious.
Dave Bittner: [00:41:40] Yeah, yeah. Well, thanks so much to Jonna Mendez for joining us. It was a real joy to get to talk to her. If you'd like to check out some more of her stories, she is co-author of a book called "The Moscow Rules," along with her husband, Antonio Mendez. Had lots of stories about the things that they were up to back during the Cold War, and quite a page turner. So check that out if it's something you're interested in. And, of course, our thanks to Jonna Mendez for joining us. And our thanks to all of you for listening to us. That is our show.
Dave Bittner: [00:42:16] And, of course, we want to thank our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:42:40] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:42:53] And I'm Joe Carrigan.
Dave Bittner: [00:42:55] Thanks for listening.