Hacking Humans 6.4.20
Ep 101 | 6.4.20
Seniors and millennials more alike than people think.
Transcript

Paige Schaffer: [00:00:04] You know, we hear this generalization that seniors aren't as technically savvy as millennials a lot of the times, and it's just not true. 

Dave Bittner: [00:00:12]  Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:30]  Hi, Dave. 

Dave Bittner: [00:00:32]  We've got some good stories to share this week, and later in the show, my interview with Paige Schaffer. She's from Generali Global Assistance, and we're going to be talking about the digital habits of seniors and millennials and how they're being hit with some of the latest scams. 

Dave Bittner: [00:00:47]  So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor KnowBe4 that put it into perspective. 

Dave Bittner: [00:01:11]  Joe, before we dive into our stories this week, we've got some follow-up. What do we have? 

Joe Carrigan: [00:01:17]  So a listener, Shawn (ph), wrote in and said - (reading) hello. On your most recent episode, you stated that you have to call Apple in order to cancel a subscription. Although that is a viable option and recommended if you need a refund, you can go to the settings app and select Apple ID account at the top. And then from there, you can select your subscriptions, and you can easily cancel your subscriptions that you have through Apple. 

Dave Bittner: [00:01:41]  Yeah, that is true. And I'll also note that I've had good success just following up, sending an email to Apple about it. 

Joe Carrigan: [00:01:49]  Yeah. 

Dave Bittner: [00:01:49]  There was a subscription once that I inadvertently re-upped for a magazine. 

Joe Carrigan: [00:01:54]  Yup. 

Dave Bittner: [00:01:54]  And no fuss, no muss, they canceled it, refunded it and I was on my way. So... 

Joe Carrigan: [00:01:59]  Well, very good. Apple does a good job with that, it sounds like. 

Dave Bittner: [00:02:02]  Yeah. It seems like in this case, they are kind of on top of it. So thanks to Shawn for writing it in. 

Joe Carrigan: [00:02:08]  Shawn does note that you have to be on iOS 12 or above. 

Dave Bittner: [00:02:11]  Yeah. 

Joe Carrigan: [00:02:11]  I'm not familiar with iOS versions, so I have no idea. 

Dave Bittner: [00:02:15]  (Laughter) I think he's right on with that. All right, well, let's move on to our stories for this week. I'll start things off for us. This is an interesting one. This is from the Naked Security blog over at Sophos, and it's written by Mark Stockley. It's titled "The Ransomware that Attacks You from Inside a Virtual Machine." Now, this, to me, is - this is fascinating. And, Joe, I'm going to ask for your help here as we go along because... 

Joe Carrigan: [00:02:39]  OK. 

Dave Bittner: [00:02:39]  ...You have a lot more experience and understanding of virtual machines than I do. I'd say I only have a passing knowledge of them. But this is a case where a malware group, the Ragnar Locker group, are using a virtual machine to basically hide their malware, when they trick you into downloading their malware. That installs a virtual machine on your computer. The malware runs from within that virtual machine and uses some of the functionality of that virtual machine to start encrypting your files for a ransomware attack. And because your computer, your main system, really just sees this virtual machine and doesn't, by default, think that there's anything wrong with a virtual machine running, well, that's how they get away with it. That's how they go undetected. Is my description accurate here? What's going on? Can you unpack for us what's going on behind the scenes here? 

Joe Carrigan: [00:03:38]  OK. So in virtual machine lingo, we have two different types of computers. We have the host computer, which is the physical computer that sits on your desk or in a server rack somewhere. That is the hardware. That is the actual computer, as you think of in a classic sense of a computer. And then we have the guest computer or the guest system, and that is not a physical computer; it is a virtualized computer. You can install an operating system on this virtual computer, and that operating system thinks it's on a real computer. It may actually be. Now modern operating systems are equipped to understand virtualization. 

Joe Carrigan: [00:04:14]  But the guest operating system is usually viewed as a kind of possibly hostile system. But the way Mark Stockley's describing it here is that the attackers have kind of flipped this around so that they're looking at the guest operating system as their safe operating system. And this is a very small operating system or virtual machine. It's about 100 - or 280 megabytes, and it's an old Windows XP virtual machine that runs on VirtualBox. So when you're tricked into downloading the malware - you still have to do that - it downloads a Windows MSI product, which is just a Microsoft installer. And what that installs is VirtualBox and this malicious VM. None of that will be caught by antivirus. 

Dave Bittner: [00:04:59]  That's the thing - right? - is that this... 

Joe Carrigan: [00:05:00]  Right. 

Dave Bittner: [00:05:00]  ...Is how they're getting around antivirus. Now, my understanding is that - and I believe you've talked about on this show - how, quite often, you'll spin up a virtual machine when there's something suspicious that you want to run... 

Joe Carrigan: [00:05:12]  Yup. 

Dave Bittner: [00:05:12]  ...To protect your system from something you suspect might be suspicious. Right? 

Joe Carrigan: [00:05:17]  Absolutely. And that's a good way to do it. But what this does is there is a feature that you can enable that allows the virtual machine to write to the files on your host machine. So the guest can actually manipulate files on the host machine. And since this is essentially just ransomware, if I have this guest system configured that it can read and write files on the host, then when the host sees that these files are being changed, it sees they're being changed by a process from VirtualBox, which is a known, good process. So from the host's perspective, nothing bad is going on, even though these files are being encrypted. 

Dave Bittner: [00:05:55]  So everything that's going on within that virtual machine to the main machine is sort of being hidden behind this VirtualBox process. That's all the main machine sees is that VirtualBox is... 

Joe Carrigan: [00:06:08]  Right. That's exactly right. 

Dave Bittner: [00:06:08]  ...Doing these things and it says, well, VirtualBox is legit. So no problems here. 

Joe Carrigan: [00:06:13]  That's right. Because if you think of it this way, the only thing the main machine knows about is VirtualBox. It doesn't know what's going on inside that. It doesn't really know that there's a whole other operating system in there. There's no cognizance of that. All the software is all smoke and mirrors and a ruse that's an interface to the CPU so we can get our work done faster, right? 

Dave Bittner: [00:06:33]  Right. Right. 

Joe Carrigan: [00:06:34]  At the base level, that's what all this is. So yeah, this is essentially a little compartment that the operating system looks at as VirtualBox or if you were using something else. But the reason they're using VirtualBox is because it's free and open source. 

Dave Bittner: [00:06:49]  I see. So I suppose, in terms of protecting yourself against this, you really have to prevent the initial infection, right? 

Joe Carrigan: [00:06:56]  Yeah, prevent the initial infection. Don't install the MSI. You can prevent this by setting policies that prevent users from installing software, even if it is good software, without the interaction of an administrator. You know, but if you get targeted with this at home - this is one of the big things that I've been saying a lot - that usually when you're at home, on your home machine, you are the administrator of that machine. If you get tricked into downloading this virtual environment and the VM, you're going to be hosed on this one. 

Dave Bittner: [00:07:23]  Yeah. Well, it's really fascinating the way they kind of flip the script on this. 

Joe Carrigan: [00:07:26]  It's a very innovative attack. I'm almost impressed. 

Dave Bittner: [00:07:32]  (Laughter) Fair enough. All right. Well, that's my story this week. What do you have for us, Joe? 

Joe Carrigan: [00:07:37]  Dave, this week my story comes from Dr. Fahim Abbasi at Trustwave. It's a blog post called "Phishing in a Bucket: Utilizing Google Firebase Storage." Now, do you know what Firebase is, Dave? 

Dave Bittner: [00:07:48]  I do not. 

Joe Carrigan: [00:07:49]  I didn't know. I had to look it up. It's essentially a cloud-based service from Google that is back-end as a service. The target market for Firebase is mobile app developers, and it provides them with all the infrastructure they need for mobile apps. So, you know, when you have a mobile app a lot of that data is stored not on your phone but in the cloud, right? And that way, if you lose your phone or you get a new phone, all that data is still available if you reinstall the app. 

Joe Carrigan: [00:08:19]  There's a legitimate reason to have this data in the cloud, and there's a legitimate reason to have these services because this Firebase service makes it really easy for an app developer to just stand up the back-end database. They don't have to build the infrastructure. The infrastructure is already there. They can use it. But guess what, Dave? It's like a hammer. 

[00:08:39]  (LAUGHTER) 

Joe Carrigan: [00:08:42]  And you can - like I say, a tool can be used for good or evil, and this one is being abused by phishers. There's a quote in the article from Dr. Abbasi that says, “in effect, actors leverage the repute and services of Google Cloud's infrastructure to host their phishing credential harvesting pages.” 

Joe Carrigan: [00:09:00]  So in other words, they're going to send you a phishing email, and the link is going to be a Google link. The links are all going to go to firebasestorage.googleapis.com, which is a legitimate Google link, right? In the article, there are some pictures of webpages that look very convincing. These are just credential harvesting webpages. They're trying to get, like, your Microsoft Office credentials or your Microsoft Outlook web credentials. 

Joe Carrigan: [00:09:26]  There's one in here called Roundcube, which is an email service. We receive phishing emails at Hopkins that have links to these Roundcube landing pages. We received a couple of them a couple of weeks ago, and I was working with our IT team to investigate that. 

Joe Carrigan: [00:09:41]  And then there's one here that's Bank of America. Interesting - only the Bank of America page is listed as an unsafe webpage by the browser. Most of them are not listed that way, probably because they haven't been noticed as malicious webpages yet. I did a little bit of poking around on the Firebase webpage, and there are what looked like trial - you can get a trial. It says try our database service; try these different products. 

Joe Carrigan: [00:10:05]  So I suspect these phishing pages are costing the attackers very little to nothing to start up. And because these phishing campaigns don't generally run for more than two or three days before the website gets flagged as malicious, it's easy for me to create a Google account, say, hey, I want to try something new, and then just upload my phishing kit and then send out the emails and collect the credentials from this site. 

Dave Bittner: [00:10:27]  Yeah. And I wonder what's going on behind the scenes at Google to track these things down and shut them down. Obviously, that's in Google's interest to do so. 

Joe Carrigan: [00:10:35]  It is. It is. Because the last thing they want is for their API's domain to be flagged as malicious in products like Trustwave's products. They don't want that. I know that that's probably not how that works, right? Trustwave probably investigates each and every link and finds out whether or not they're malicious. It doesn't just go, well, Google API is a malicious domain. That's probably not what they do, right? 

Dave Bittner: [00:10:58]  Yeah (laughter). 

Joe Carrigan: [00:10:58]  I mean, Google doesn't want this running because it's a damage to its reputation, and it's a harm to the internet in general. 

Dave Bittner: [00:11:04]  Yeah. Yeah, that's interesting. Boy, it reminds me of the old days - you know, the early days of the internet and email, you know, back in the '90s. I remember it was pretty easy to get your domain blacklisted. If somebody was spoofing, you know, emails from your domain, you could find yourself blacklisted. 

Joe Carrigan: [00:11:19]  Yeah. 

Dave Bittner: [00:11:19]  And all of a sudden, whole swaths of people couldn't get email from you anymore. It was a pretty big hammer they were using back then. And obviously, it's gotten... 

Joe Carrigan: [00:11:27]  Yeah, and not an effective hammer. Well, I mean, a very effective hammer. It stops the spammer, but it's not an efficient hammer, you know. 

Dave Bittner: [00:11:33]  Yeah. 

Joe Carrigan: [00:11:34]  When all you have is a hammer, everything looks like a nail. 

Dave Bittner: [00:11:37]  (Laughter) It's gotten a lot better since then. But I remember one time, an organization I worked with got - spontaneously or so it seemed, got their domain on a bunch of blacklists, and it was a bad couple days trying to, you know, make your case to get it unblacklisted. 

Joe Carrigan: [00:11:52]  In those days, all someone had to do was send out emails with your domain as the return address, and that would get you blacklisted. 

Dave Bittner: [00:11:58]  That's right. 

Joe Carrigan: [00:11:58]  It's crazy. 

Dave Bittner: [00:11:59]  Good times, good times. 

[00:12:00]  (LAUGHTER) 

Joe Carrigan: [00:12:02]  Those were back in the days when you'd ask somebody for their email and they'd go, what? 

Dave Bittner: [00:12:06]  (Laughter) Yeah, right. I don't have one, yeah. 

Joe Carrigan: [00:12:08]  What is an email? 

Dave Bittner: [00:12:08]  I'm not doing that (laughter). 

Joe Carrigan: [00:12:10]  Right. 

Dave Bittner: [00:12:11]  All right. Those are our stories for this week. It is time to move on to our Catch of the Day. 

[00:12:16]  (SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: [00:12:20]  Joe, you got our Catch of the Day this week. What do you have for us? 

Joe Carrigan: [00:12:23]  This Catch of the Day comes from my daughter, Kayla (ph). And she received an email from "Apple." And I'm using air quotes. Our listeners can't see that. You can't even see it, Dave, 'cause we're doing this remotely thanks to COVID-19. 

Dave Bittner: [00:12:33]  I cannot (laughter). 

Joe Carrigan: [00:12:35]  This email is just an image, and it comes from this really sketchy email address that has, like, four domains in it. This thing is longer than my first email that I got in college, speaking of old email addresses and asking people if they knew it. But the message reads - dear clients, your Apple ID has just been used to purchase Hulu - Stream TV Shows & Movies from the App Store on a computer or device that has never been associated with your Apple ID. And then it has a date, and it has a device, and it has an operating system version. And it says, if you did not make this purchase or you believe an unauthorized person has accessed your account, please find the document attached to cancel your purchase without delay - Apple Store. Right? 

Joe Carrigan: [00:13:14]  And that's all in one image. And there was also a PDF attached. And I uploaded the PDF to VirusTotal, and VirusTotal said the PDF was clean. And I previewed it in a browser. And the only thing that stood out to me was that all of the links - OK? And in this PDF, there was an order number that was a link. There was a text that said report a problem. There's a link and some kind of short privacy statement; visit the Apple Store link, manage your password preferences link; summary Apple ID; terms of service; privacy policy and even the copyright reserved link all went to the same destination, every single one of them. That's nine links. And they all went to the same destination, which was some Iranian link shortening service. So it had - it was a link shortening service that ends in the .ir domain, which is Iran. 

Dave Bittner: [00:14:03]  OK. 

Joe Carrigan: [00:14:04]  And if you click on the link, Google and Chrome both warn you that this is a phishing site. I mean, and there is no mistaking that warning. It is a big red page that comes up and says, this site is not safe. 

Dave Bittner: [00:14:14]  (Laughter) Go back. 

Joe Carrigan: [00:14:14]  Don't go here. 

Dave Bittner: [00:14:18]  Right. 

Joe Carrigan: [00:14:18]  So by the time I got this and looked at it, the phishing campaign had already been busted. But why I like this Catch of the Day is the way they're trying to catch people - the lure they're using is all the same in all of these different links. It's - every single link went to the same URL. 

Dave Bittner: [00:14:33]  And the image that they send out looks legitimate. I mean, it's got a... 

Joe Carrigan: [00:14:37]  It does. 

Dave Bittner: [00:14:37]  It looks like something you'd expect to see from Apple. It's - falls into their design style even. 

Joe Carrigan: [00:14:43]  Right. And the only thing that's weird is it says at the top, dear clients. If it had someone's name up top, then it would be more believable. But because it says dear clients, that's kind of the tip-off. Also, I imagine that it's kind of difficult to build an image for each person you're going to send an email to. 

Dave Bittner: [00:14:59]  All right. That's an interesting one, and that is our Catch of the Day. 

Dave Bittner: [00:15:04]  Now let's return to our sponsor's question about the attacker's advantage. Why do the experts think this is so? It's not like a military operation, where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost, and the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a failure rate of over 10%. That sounds pretty good. Who wouldn't want to bat nearly .900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and may be out of business. The last line of defense is your human firewall. You can test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:16:05]  Joe, I recently had the pleasure of speaking with Paige Schaffer. She is from Generali Global Assistance. And they recently published a white paper that was looking at the digital habits of seniors and millennials and doing some comparisons between those two groups - really interesting stuff. Here's my conversation with Paige Schaffer. 

Paige Schaffer: [00:16:23]  We're thinking there were broad stereotypes for each of - seniors and millennials. And while there are some stereotypes, we had a hunch that both of these groups were more alike than people think. So we commissioned the survey. And we polled about 1,500 seniors and 1,500 millennials and came back with a lot of data and were able to parse out and make some important insights. And we discovered that they're a lot more alike than maybe we suspected. And you know, some of the information that we learned could be helpful to various institutions - financial, insurance and allowing folks to reach their target audiences better. 

Dave Bittner: [00:17:04]  Well, let's go through some of the results together. What were some of the key findings here? 

Paige Schaffer: [00:17:08]  Well, there were several insights that we learned. If you think about folks connecting to IoT devices, 21% of seniors and 22% of millennials are connecting to seven-plus Wi-Fi-acceptable devices on a weekly basis. But most are connecting to five or less. And unsurprisingly, millennials led the way in terms of digital service adoption with one exception. A couple of percent difference where seniors are concerned in that seniors say that they shop online versus millennials 87% to 85%. And across the generations, the biggest gap in digital service use is seen in ride-sharing apps. So obviously, millennials are more hip to take an Uber or a Lyft. So 37% of millennials did, and 15% of seniors. You know, a little bit of a variance there. Some of it's - you know, we hear this generalization that seniors aren't as technically savvy as millennials a lot of the times, and it's just not true. In fact, today's seniors play a big part in bringing technology into the household. And I think that's why we're seeing such similar uses in IoT devices, where many people wrongly assume that millennials use at a much higher rate. 

Dave Bittner: [00:18:29]  Yeah. It's really - it's interesting to me because I think there's this popular perception in a lot of people's minds - and I'll put myself in the category of making this mistake of kind of - when you say senior, you know, picturing in my mind, you know, someone like Granny from the old Tweety Bird cartoons, you know, this old lady. And that's simply not the case anymore, you know? Seniors these days are, you know, living active lives. And part of that is being a part of the digital economy. 

Paige Schaffer: [00:18:57]  Yeah. And I would say the retirement age is much later now. And until all of this craziness started recently, you know, I think you have longer time in the workplace, more hip, more healthy. And so you're absolutely right. You know, when I think about myself, I'm mid-50s, and AARP's found me. And I don't consider myself there yet. 

Dave Bittner: [00:19:18]  Right. 

Paige Schaffer: [00:19:20]  (Laughter) But I feel a long way from that. If you think about it, the internet and all of the technology came into play in - what? - the late '80s, early '90s. And now it's been several years. And so people are kind of used to and hip to the technology but regardless of their age range. 

Dave Bittner: [00:19:38]  Were there any particular surprises that came out of the survey, things that came up that perhaps you didn't expect? 

Paige Schaffer: [00:19:43]  So we looked at a number of different areas. We looked at areas of how people store their - you know, if they use password protectors. And 40% of seniors store their information on paper locked in a home office. And a greater number - 40% of millennials use an online password storage system. So I think this might be a little bit more generational. That's not terribly surprising. 

Paige Schaffer: [00:20:08]  What was interesting to me is, across generations, a similar number have a few different passwords that they rotate between accounts so that there's no need to store them. And actually, seniors have a leg up on millennials regarding password reuse in that 45% of seniors use the same password across zero to one account while only 31% of millennials can say the same. They are using the same passwords across two to three. 

Paige Schaffer: [00:20:35]  So I don't know if it's a laziness factor or because of speed at which millennials are plowing through information and stuff they're using the same passwords. But that's not a great habit to have. And so regardless, you know, we obviously recommend that you're using different passwords and you use a password protector where you can. But seniors seem to be doing a little bit better where password guarding is concerned. 

Paige Schaffer: [00:20:58]  Some of the other information that was interesting - social media usage between the generations show the greatest disparity. So with a full half of millennials, 49% have chosen the highest privacy settings possible, only 30% of seniors have done the same. So while 42% of millennials say they're extremely likely or likely to share their location and away-from-home status when they are out, only 14% of seniors practice this habit. So you know, we think that seniors are making the right choice in sharing less on social media, but it also could be kind of a lack of awareness where privacy settings are concerned. So that was kind of an interesting finding. 

Paige Schaffer: [00:21:45]  The thing that was most shocking to me is an alarming number of both seniors and millennials are sharing their bank account information with others outside of their spouses. And I was really surprised about this. So a whopping 56% of millennials allow either parents, siblings, close friends or another familiar relative to access their banking information, where 19% of seniors allow their parents, siblings, close friends, other familiar relative to access their banking information. So almost 1 in 2 of seniors and 1 in 3 millennials say no one else has access to their information. So you know, over half of the millennials and roughly 1 in 5 seniors share their banking information with at least one family member or friend outside. And unfortunately, this tracks with Javelin's findings in their 2018 fraud study, where fraud rate jumped 15%. So keeping this information private is really one of the best ways to avoid financial fraud. 

Dave Bittner: [00:22:53]  Yeah, that's interesting 'cause, again, I think there's this perception, whether it's an incorrect stereotype or not, you know, to think of the millennials as being the oversharers. 

Paige Schaffer: [00:23:04]  That's right. It's pretty interesting. I thought another thing that was interesting is that seniors, they seem to be making a more concerted effort to understand identity theft and fraud. But not enough of either seniors or millennials are taking enough action to prevent. So while 35% of seniors feel they have a solid foundation and knowledge - and 28% feel the same as millennials. And while there's the seeking out of information, for both generations, it seems there's a gap in having access to trustworthy sources of identity theft protection. So one, it's either overwhelming for people, or two, you know, they're not sure who to trust. These organizations have a vested and real interest in their customers' financial well-being. If you think about banks and insurance organizations, they're the top two that are most trusted by these groups. 

Dave Bittner: [00:24:03]  You know, for those of us who sit in the middle - as a Gen Xer myself - and has both senior parents who I'm looking out for but also kids who are millennials, are there any takeaways here for advice for making sure that those folks on either side of us are staying safe? 

Paige Schaffer: [00:24:22]  I would say the thing that unites is that consumers across all age groups want identity protection from a company that they know and trust. And the financial institutions and insurance companies are positioned really well with this regard. Among seniors, 84% believe that financial institutions are doing all they can to protect their data, 82% believe that insurance companies are doing all they can. And the numbers are very similar across millennials. Eighty percent believe that financial institutions are doing all they can, and 88% believe that insurance companies are doing all they can. So with the high confidence in these types of organizations, it's surprising that more are not offering identity protection. 

Paige Schaffer: [00:25:08]  We happen to have a number of - we're a business-to-business organization and many of our clients are both financial institutions and banks. And they do very well in that they are, by and large, very trusted brands and people follow them. And whether they have had their auto insurance with them for years or whether they've been banking with them for years and see continued improvements in security, it would make sense that folks are buying through those channels. 

Paige Schaffer: [00:25:37]  It's just really important that you've got an organization, whether you're going directly to an identity protection company or buying through a business that sells identity protection, that you've got, you know, a robust offering that looks at phishing, that monitors your information out on the dark web, that monitors your credit, that offers some insurance, checks keylogging and malware and all of those things. So, look; I think technology is an awesome thing and it's going to get better and better. And it's just a matter of kind of protecting your lifestyle and having another technology or group that - you know, an expert group that you can call if something goes south. 

Paige Schaffer: [00:26:19]  It's interesting where seniors - and maybe it's a time factor, if you consider folks who are retired - that they have more time to look into information, but it's very good to educate yourself, you know? Read and listen to podcasts, such as yourself, to hear what's going on out there so you can be aware and hip to the many frauds out there. And I would say unfortunately and tragically, through this COVID thing, it's no different. There's a lot of fraud out there that people are perpetrating, whether it's selling bogus medical equipment online, et cetera, or claiming to be the government bailout sending a check and then saying they've overpaid, please send money - the difference - back. There's lots of stuff out there, so education is critical, and make yourself aware. 

Dave Bittner: [00:27:07]  All right. Joe, what do you think? 

Joe Carrigan: [00:27:09]  I think this is a very good topic for research. I think that there is a lot of these preconceived notions that we have that are not true, right? The general gist of things is that seniors don't get technology and they're not going to be as savvy with it. I find it interesting that between seniors and millennials, everybody connects to about - or uses seven different Wi-Fi devices throughout the day. That's more than I use in terms of Wi-Fi-connected devices. I use, essentially, my phone and sometimes, right now, my Chromebook. So that's two. Everything else is generally hardwired to my network. I do use a lot of stuff hardwired to the network (laughter). 

Dave Bittner: [00:27:47]  You're an edge case, Joe. You're an edge case (laughter). 

Joe Carrigan: [00:27:49]  Yes, I am. I am definitely an edge case in this scenario, so nobody should be basing any research on me. I'm too many standard deviations away from the mean. 

Joe Carrigan: [00:27:59]  Ride-sharing apps - I think this is interesting. You know, I have a story about this. We went to a family wedding a couple of years ago. One of my cousins was getting married. And my parents were there, and they had bussing service from the reception back to the hotel so that nobody had to drink and drive. It was - you know, it's all great. We were bussed from the church to the reception area, and then we were going to be bussed from the reception area back to the hotel. And my father was like, I'm done, I want to go home. And the only way we had to get them home was get an Uber. They had never taken an Uber before. So I summoned an Uber with my app, and I said, you know, take them back to the hotel. And the Uber showed up. My parents were taken back to the hotel. Everything all went off fine. And my mom was like, this is great. I've got to get this app. 

[00:28:38]  (LAUGHTER)

Joe Carrigan: [00:28:42]  It's funny that older people don't use the ride-sharing apps as much as younger people do. Many times when I travel now, I don't even rent a car anymore because it's more cost-effective for me to just use a ride-sharing app. 

Dave Bittner: [00:28:53]  Yeah. There is a service called GoGo Grandparent, I believe it's called. 

Joe Carrigan: [00:28:57]  Oh, yeah. 

Dave Bittner: [00:28:57]  And my in-laws use it, and it's basically a human middleman between them and a ride-sharing app like Uber. And basically, it makes it so that they don't have to have the app. They can call someone, and that person they call has a prearranged, you know, deal with the ride-sharing company, and they basically order the ride (laughter) and make it happen. And they charge a little extra. But another interesting component of it is that you can set it so that any time a ride is ordered, someone else gets notified. So in this case, my wife gets notified when her parents are taking a ride-sharing app. So - and that's opt-in, you know. 

Joe Carrigan: [00:29:39]  That sounds like an excellent service. 

Dave Bittner: [00:29:41]  Yeah. They choose to have that happen. But if you want an extra little bit of assurance or just being able to know where people are - you know, Mom's on her way to the doctor or the grocery store or whatever - you can dial that in. So interesting that someone has seen an opportunity to take advantage of what could be some people's reticence to use technology, and they're stepping in and kind of providing that middleman component. 

Joe Carrigan: [00:30:06]  Yeah, if there's a market for them, that's great. They also add more value by providing the notification to someone else, which is... 

Dave Bittner: [00:30:12]  Right. 

Joe Carrigan: [00:30:12]  I think it's a fantastic service. Paige makes a really good point in here. I don't feel as old as I am, Dave. 

Dave Bittner: [00:30:17]  (Laughter). 

Joe Carrigan: [00:30:21]  I don't feel like I'm in my 50s. And I don't know what effect that has on me in terms of, like, technology and things like that, but I still love picking up new technology. Again, maybe this is me being an edge case, but I do sometimes feel it, like when I have to look at Facebook, right? And when I have to get on Facebook - I hate Facebook. I wish I could do what Dave Bittner did and just get rid of it, you know. 

Dave Bittner: [00:30:42]  (Laughter). 

Joe Carrigan: [00:30:44]  You've told me that you've been happier with this, but I have so much communication happening with so much family on that medium that I can't just walk away from it. I'm kind of... 

Dave Bittner: [00:30:53]  Yeah, I understand. 

Joe Carrigan: [00:30:53]  They've got me, Dave. They've got me in those family handcuffs. 

Dave Bittner: [00:30:55]  I understand. 

Joe Carrigan: [00:30:56]  So that's how I feel kind of old man-y. It's good to know that password use isn't going away, that millennials are still practicing that. Good job, guys, though use a password manager. Everybody should use a password manager until such a time as we have something that replaces passwords, which I think is coming sooner than we think. 

Joe Carrigan: [00:31:16]  Privacy settings on social media - I thought it was interesting that fewer older people had their privacy settings set to the most strict privacy settings than the younger people. The younger people do that, and I think that's good. I think older people should probably also do that as well. Forty-two percent of millennials versus 14% of seniors will tell people that they're away from home. I think there is more to that than younger people being stupid here. I think younger people actually have a lower risk of telling people that they're away. They may live in a situation where just because they're away, that doesn't mean their house is empty, right? They're more likely to have roommates or more likely to still live with their parents, whereas seniors almost always live by themselves. You know, they're empty nesters or they're - you know, it's just, you know, just one or two people living in a house. And if they say, I'm out of town, that essentially sends a signal - this house is empty; come rob it, right? 

Dave Bittner: [00:32:07]  (Laughter). 

Joe Carrigan: [00:32:08]  If you're a millennial, that doesn't send the same message. Hey, I'm out of town. Does that mean I should go rob your house? Well, not if you don't want to contend with my roommates. They're still at home, or my parents are still at home. This doesn't strike me as the big revelation that Paige seemed to be thinking it was. I think there's lower risk to millennials saying I'm out of town. 

Joe Carrigan: [00:32:29]  She talked about having access to banking information outside of a spousal relationship. We actually still have access to our children's banking information - actually, my wife does. And that's because those accounts were started as child accounts at the same institution that we had and we still use. And we're still financially bound to our children through things like auto insurance and car payments. 

Dave Bittner: [00:32:50]  Yeah. 

Joe Carrigan: [00:32:51]  They have to make those payments every week, and it's just easier for us to move that money from their account to our account and then make the payments. It makes sense to me that more millennials have people outside of a spousal relationship with access to their bank accounts as well. I was surprised by the number of seniors that let that happen. I don't think that's good. I don't have anybody outside of my spousal relationship that has access to any of my accounts. 

Dave Bittner: [00:33:15]  Yeah. I have access to my parents' accounts. I guess my parents have let me know how to have access to their accounts. In other words, if something were to happen to my parents, I know where everything is. I know - you know, I'm a signatory on enough things that transitions could be made and those sorts of things could happen. But it's not an active, day-to-day kind of thing or anything like that. 

Dave Bittner: [00:33:39]  I think it's interesting - you know, getting back to the granny thing, I think it's interesting that people are staying youthful a lot longer. 

Joe Carrigan: [00:33:48]  Yeah. 

Dave Bittner: [00:33:49]  So the perceptions have changed. You know, it used to be that people in their 60s - you know, they'd retire, and, you know, they had a lot more miles on them than we do. And there's a lot of reasons for that. 

Joe Carrigan: [00:33:59]  Right, right. 

Dave Bittner: [00:34:00]  But I think it's also important for folks like you and I to remember that we are in the grandparent zone, right? We are old enough. Our children are old enough that it would not be surprising for us to be grandparents, and certainly there are plenty of people that we've gone to school with, that we grew up with who are grandparents. 

Joe Carrigan: [00:34:17]  Yeah. 

Dave Bittner: [00:34:18]  And I have to say it was a very strange feeling, the first close friend I had who I went - grew up and went through high school with - when she became a grandparent, I was like, what? 

Joe Carrigan: [00:34:27]  Yeah. 

Dave Bittner: [00:34:28]  But we're still young (laughter). 

Joe Carrigan: [00:34:31]  My daughter is going to be getting married soon. You're right. Shortly after that, I expect to be a grandparent. So that's, like, on the very near horizon to me. 

Dave Bittner: [00:34:39]  (Laughter). 

Joe Carrigan: [00:34:43]  I think about this every now and then, Dave. 

Dave Bittner: [00:34:44]  (Laughter). 

Joe Carrigan: [00:34:45]  It's kind of like, you know, I don't know. Am I ready for this? I don't know. I was... 

Dave Bittner: [00:34:50]  Yeah, well, you don't have a choice, do you? Time marches on. 

Joe Carrigan: [00:34:52]  I don't have a choice. Yeah, I'd better be ready for it. That's all there is to it. 

Dave Bittner: [00:34:57]  (Laughter) That's right. Well, we'll leave it there. 

Joe Carrigan: [00:34:58]  Yep. 

Dave Bittner: [00:34:58]  We'll leave it there, as Joe and I get a little introspective about the march of time. 

Joe Carrigan: [00:35:05]  Yeah. 

Dave Bittner: [00:35:06]  We want to thank all of you for listening to our show. That is our show for this week. 

Dave Bittner: [00:35:12]  We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:35:20]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:35:34]  And I'm Joe Carrigan. 

Dave Bittner: [00:35:35]  Thanks for listening.