Hacking Humans 7.16.20
Ep 107 | 7.16.20

A little dose of skepticism.

Transcript

Don MacLennan: That just a little dose of skepticism and pausing a second or two to look at this request with a critical eye, sometimes that's all the difference in the world.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Don MacLennan. He's from Barracuda Networks. And we're going to be talking about brand impersonation. 

Dave Bittner: All right. Joe, before we dig into stories here, we've got a little bit of follow-up. One of our listeners wrote in, and they wrote, (reading) In regards to your fraudulent domain Privnotes, I don't know if you were aware of the site dnstwister.report. This site will take domains, twist them up to find look-alikes, then test to see if they exist and if they have an MX record. We use this to determine fraudulent domains for ourselves and third-party vendors so we don't end up surfing to or communicating with a spoofed domain. Once identified, they are blocked.

Dave Bittner: I took a look at this, and it's pretty clever. I just loaded in the CyberWire. And sure enough, I found a website that is very close to the CyberWire. It's, like, the cy.berwire.com (laughter). 

Joe Carrigan: Really? 

Dave Bittner: Yeah. Yeah. But nothing active there. It was just parked. You know, there's no website, you know, spoofing our website or anything like that. But a little eye-opening that, you know - who knows? - maybe somebody was trying to play a joke or trying to, I don't know, grab some land. Who knows what? 

Joe Carrigan: Or they're preparing for something. 

Dave Bittner: Yeah. Right. So it's good to check. 

Joe Carrigan: Yeah, I'm going to check this out. 

Dave Bittner: Yeah. So it's dnstwister.report. It looks like an interesting site. 

Dave Bittner: All right. Well, I'll tell you what, Joe. I'm going to kick things off for us this week. This is a story that comes from the folks over at Bleeping Computer. It's written by Sergiu Gatlan. And it's titled "Microsoft Warns of Office 365 Phishing via Malicious OAuth Apps." Joe, do you have any familiarity with OAuth applications? 

Joe Carrigan: I do not, Dave. I wish I did. This is one of those areas of, you know, like, fleeting familiarity with me. 

Dave Bittner: Right. 

Joe Carrigan: I'm not really sure how it works. 

Dave Bittner: Right. Well, my understanding is that this is a way for you to basically use your Office 365 credentials. You can authorize a third-party app access to your office components. 

Joe Carrigan: Right. OK. 

Dave Bittner: So for example, this could be very useful. I've used this sort of thing for calendar apps. You know, we use an app to help people schedule interviews on the CyberWire. And in order to do that, this third-party calendar scheduling app basically has its hooks into my calendar, and they're allowed to communicate back and forth. So someone wants to schedule an interview with me, they can go in this calendar app, it can look at my calendar and see when I'm available, times I've set available, and so the scheduling can happen in an automated way. This is a very useful functionality here with a trusted third-party app. 

Dave Bittner: What they're talking about here is where the bad guys basically trick the user into providing a malicious app with access to the user's Office 365 components. 

Joe Carrigan: Yeah. 

Dave Bittner: And once they've fooled them into having that access, using that API to transfer the data back and forth, well, that's kind of the ballgame, right? (Laughter). 

Joe Carrigan: Yeah. They're in, right? 

Dave Bittner: Right. Right. They are inside the castle walls. They've traversed the moat. 

Joe Carrigan: Yep. 

Dave Bittner: They've jumped the fence. They've... 

(LAUGHTER) 

Dave Bittner: They've done all that. 

Joe Carrigan: They're sitting at the foot of your bed, Dave. 

(LAUGHTER) 

Dave Bittner: Yeah. Right. Exactly. Right. Exactly. Greetings, Mr. Bittner. 

Joe Carrigan: (Laughter). 

Dave Bittner: I suppose not surprising that this would be an avenue that the bad guys would try to pursue here. 

Joe Carrigan: No. They're going to do everything they can to get into this, to get into your accounts. 

Dave Bittner: Yeah. The article recommends, of course, you know, vigilance, being very careful about who you grant this sort of access to. You can also go in and audit the apps that you have access to. You can go into your Microsoft account, and you can go into your preferences and take a look to see what other apps have access. And probably a good idea to go in there from time to time and make sure that who you think has access actually does have access... 

Joe Carrigan: Right. 

Dave Bittner: ...And that it's legit. 

Joe Carrigan: I think that's a good practice, just to go into any app you use for authentication. But yeah, do that audit. If you haven't done that in a while with Office 365 or with Google, I guess do a web search on how to do it and then go ahead and do that and make sure that who you think has access has access and nobody else. 

Dave Bittner: It also reminds me of, you know, how we talk about when mobile apps are loaded, and sometimes they will ask for way more permissions than an app of whatever nature it is really needs, you know? 

Joe Carrigan: Right. 

Dave Bittner: A flashlight app doesn't need to know my location, right? 

Joe Carrigan: No. No. 

Dave Bittner: (Laughter) A flashlight app doesn't need access to all of my contacts. 

Joe Carrigan: You know, I can't get Yahoo Mail - the Yahoo Mail app - to stop asking for access to my contacts. It does that every single time I open it up. 

Dave Bittner: I suppose a mail app - I could understand the rationale why it might want to have access to your contacts. But at the same time... 

Joe Carrigan: But I don't want it to. 

(LAUGHTER) 

Joe Carrigan: And it keeps asking. 

Dave Bittner: No means no. Right. 

Joe Carrigan: And I can't tell it to stop asking. 

Dave Bittner: I see. I see. There is no do-not-ask-again button. 

Joe Carrigan: Right. Exactly. It's very irritating. 

Dave Bittner: Yeah. Well, similarly, they're saying that if you have an app that's looking for access to your Microsoft Suite of tools, it will list what it wants to have access to. And if something seems out of bounds, that's another area where you can be vigilant. And that could possibly be a red flag that something... 

Joe Carrigan: Yep, yep. 

Dave Bittner: ...Something's up - doesn't require access to that. It's an interesting article here. We'll have a link to it from the folks over at BleepingComputer. It's a good one to look out for if you're using Office 365. And, of course, it's not just Office. Google's G Suite has similar functionality. So if you're - if that's the suite that you use for your Office apps, be vigilant over on that side, as well. All right. Well, that's my story this week. Joe, what do you have for us? 

Joe Carrigan: So my story comes from Abnormal Security. And they have found - this is also an Office 365 story. They've found a phishing campaign targeting Wells Fargo customers. And they have found that it has impacted 15,000 to 20,000 people. Now, I don't know if these are 15,000 to 20,000 Wells Fargo customers. But these are definitely Office 365 users. And what's going on is they send you an email. And the email reads, in order to protect your account from fraud and identity theft, we have sent your new security key. Failure to update your security key may result to temporary account suspension. Open the attachment and follow the instructions. P.S., open the attached calendar file using your mobile device. And then it's signed, Kristen Wood (ph) from Wells Fargo security team. And this is obviously not from Wells Fargo at all. 

Dave Bittner: Right. 

Joe Carrigan: The email address is not from a Wells Fargo domain. It is just a phishing email, like so many we've seen before. 

Dave Bittner: Yeah. 

Joe Carrigan: However, when you open this attachment, this attachment is actually a calendar notification, an ICS file - .ics file. So this then will essentially open in your calendar app. And once it's there, there's a link to a SharePoint site in the description of the meeting event. So the malicious link is embedded in the calendar application now. 

Dave Bittner: OK. 

Joe Carrigan: So let's say you're using Office 365. You're probably going to be using Outlook or something, some web application. You open this up. It puts the calendar event on your calendar. And it opens up, and you can then click on the SharePoint link, and then it actually takes you to a SharePoint site... 

Dave Bittner: All right. 

Joe Carrigan: ...To see the document. And then in that document, it says click here to secure your account, which is a link to a malicious site. That is the phishing page. And then they - where they ask you the standard information - they want to know your username, your password, your four-digit card PIN, your email address. And then they have...

Dave Bittner: Your blood type (laughter). 

Joe Carrigan: Right. Well, they're asking for account number one, account number two, account number three. And then they ask not only for your email address, but for your email password. 

Dave Bittner: OK. Very good, very good (laughter). 

Joe Carrigan: So first off, Wells Fargo is never going to need your PIN to get into a webpage. They're going to need your username and your password. If you have two-factor authentication set up with them, I know that you can do the SMS setup with them. You can also request an RSA token. But you have to pay for that to happen. They don't just send you a new one. And you can get a time-based password token from Wells Fargo, as well as many other banks. This is obviously just a phishing site just to collect these credentials and then turn around and sell them. 

Dave Bittner: Right. But - so help me understand a couple things. Why do you suppose they want you to open it on your mobile device - the calendar link? 

Joe Carrigan: That's a good question. I would imagine that the calendar link is probably tailored for being exploited on a mobile device, that they're taking advantage of the little amount of real estate you have on a mobile device, and they're saying, go ahead and just open it here, and don't worry about the man behind the curtain. Don't worry about the weird addresses and things like that. And those kind of things are a lot less apparent on a mobile device than they are on a desktop computer. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But there's no reason you can't open it on your desktop computer and do the same thing, even if it were legitimate, right? You'd have no problem doing that on your desktop with a legitimate or even this fraudulent email and calendar invite. 

Dave Bittner: And do we suppose it's coming through within that calendar invite to just sort of hide it, have another layer of obfuscation to try to get it past your - any software you might have looking for this sort of thing? 

Joe Carrigan: So yeah, Dave. I think that's exactly what's happening here. They're putting the malicious link one step away from just looking at the email. They're putting an attachment in. The attachment might look innocuous. You know, the URL in the attachment, in the ICS is going to go to a Google APIs page, where they're hosting this phishing landing page. So that's not going to get caught by a lot of these scanning engines until that specific page has been caught by the scanning and has been added to the scanning engine's signatures files, right? 

Dave Bittner: Right. 

Joe Carrigan: Or whatever it is they use their matching - however they pattern match. I don't know, man. You - I don't think you can really stop these kind of things from coming in. You just have to be vigilant. This is something that we're going to have to rely on people to not fall for. You know, why does Wells Fargo need more than my username and password? They're asking for more here. And again, check the URL. You're not on the Wells Fargo page when you're looking at this URL. You're on the Google APIs page. And there's no reason for you to ever enter your Wells Fargo username and password on a site that isn't wellsfargo.com.

Dave Bittner: Yeah. You know, it's interesting, though, because I could see somebody looking at that URL and saying, OK, well, that's reasonable for a big company like Wells Fargo to be hosting their site on a big company like Google. 

Joe Carrigan: I agree with you 100% that that is a reasonable thing for people to think. There's probably some kind of education gap out there that needs to be filled - that, hopefully, we're filling some small part of that... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...But that is such a great point. Why wouldn't Wells Fargo work with Google to host their services? 

Dave Bittner: Yeah. 

Joe Carrigan: But they don't. I mean, they might work with Google to host services, but those services are going to be hosted at a wellsfargo.com domain. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: It's always going to say that in the URL bar. 

Dave Bittner: Yeah. All right. Well, it's yet another thing to keep an eye out on. Good story, as always. Let's move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Dave Bittner: Our Catch of the Day comes to us from a listener named Tim (ph) - good friend of the show. He sent this in, and it comes from someone who claims their name is Danell Regna Harrison (ph) from the entrepreneurship at American Century Investments. Joe, I suppose I will play the part of Danell. And you can play the part of our listener Tim here, who... 

Joe Carrigan: All right. 

Dave Bittner: ...Received this message. I'll get things started. (Reading) Hi. 

Joe Carrigan: (Reading) Hi, Danielle. How's it going? Your business title makes me think you're going to try to spam me. Please tell me that's not the case. 

Dave Bittner: (Reading) I am good. And you? 

Joe Carrigan: He sends one of my favorite emoticons. It's just the angry eyes with the straight face (laughter). 

Dave Bittner: (Reading) This is how it works. You invest with my broker company, and my company uses it for business transactions for a week. Then the profits the company gains will be divided with you, and you get to earn big - up to five times your investment. 

Joe Carrigan: (Reading) Wow. Five times my investment in one week - astonishing. 

Dave Bittner: (Reading) I will trade on your behalf as your account manager while you monitor your trade account. Then after seven days of trade, you get your profit. But note that 20% would be deducted automatically from your profit as commission at the end of the trade. 

Joe Carrigan: (Reading) So I invest $50, and in one week, you would give me back $250. Then I invest that $250, and you give me $1,250. I let it ride, and by the third week, I have $6,250. And at the end of the first month, I could have $31,250. And by the end of the second month - four more weeks of septupling - I would have $19,531,250 all from an initial investment of $50. So if that's the case, why haven't you done this if, within two months, you could be a multi-decamillionaire? In fact, just one week further past the end of your second month, you'd have nearly $100 million. So perhaps you can explain to me how this isn't a scam. Oh, I see. It's because you've said up to. Hey; tell you what - if you invest with me, I'll give you returns of up to 500 times your investment. 

Dave Bittner: (Reading) Believe it. There's no existing company in this world that doesn't have a single complaint. Lots of business establishments over the internet have been attacked by nasty feedbacks and negative comments simply because it involves the customers' money or that they are not satisfied with the service that the company offers. 

Joe Carrigan: (Reading) To help with whatever you're shilling for, I'll multiply their potential returns by a hundred. So invest your money with me instead. Quit your job, and live the lifestyle of up to a queen. 

Dave Bittner: (Reading) Forex trading - this is kind of trading whereby a trader place investment on the price movement of an underlying asset either up or down for a short period of time. It has been placed as one of the most profitable online work from home. 

Joe Carrigan: (Reading) I know what forex trading is, and that isn't what forex trading is - I mean, not specifically. You know what forex is short for, don't you? It's foreign exchange. You just explained investing in general, not forex investing. I sort of get the sense that you don't actually know what you're talking about. Did you steal this account from some legitimate person to use it to spam people, or did you make this account with a fake name and profile picture from scratch? How long do you reckon before you get banned and disappear with any money you get from people naive enough to not see through your obvious copypasta scam? Thirty-two total connections - I'm guessing you made this account recently. Couldn't even be bothered to use a credential stuffing attack to hijack a legitimate account - that's just lazy, chum. 

Dave Bittner: (Laughter) And it ends there. Right. Well, thanks to friend of the show Tim for sending that in - pretty straightforward what's going on here, Joe. Don't you think? 

Joe Carrigan: Yeah. It's a scam. It's absolutely a scam. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's one of those - you know, it's not an advance fee scam. It's a money multiplying scam. These are coming up more and more lately, where somebody says, you know, you give me 50 bucks, and I'll give you 250 bucks at the end of the week. Yeah, it's almost like a pyramid scam without the pyramid, you know? It's... 

Dave Bittner: Yeah. We've also seen examples of this where, like, if you signed up for this, they would have an online account for you. And it would appear that you were receiving great returns... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Right up until the moment you try to withdraw them (laughter). And then you realize there isn't actually anything there, that it's just all on paper and it's just a scam. So... 

Joe Carrigan: There's no there there. 

Dave Bittner: Even if they hook you - no. There's no there there at all. Looks like Tim had their number from the get-go, so good for him... 

Joe Carrigan: Yep. 

Dave Bittner: ...For, I suppose, leading them along and wasting some of their time. And... 

Joe Carrigan: Yes. Thanks, Tim. 

Dave Bittner: Thanks to Tim. Thanks for sharing that with us so we can help spread the word about it. And that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Don MacLennan. He's from Barracuda Networks. And our conversation touched on brand impersonation, which has been, like so many things, amplified during the COVID-19 pandemic... 

Joe Carrigan: Yeah. 

Dave Bittner: ...As bad guys try to get out there and do the things they do. Here's my conversation with Don MacLennan. 

Don MacLennan: Yeah. I think there's some, you know, underlying principles that exist with every attack that uses the email channel, you know, that the bad guys utilize. And that's to say that they're very much rooted in principles of deception, including legitimacy. And this particular attack does a lot to establish legitimacy in the email content that an individual would be receiving as a target. And so what I mean by legitimacy would be - in the past, you might see a form-based attack where you or I would get a phishing email. We'd be asked to click here to do something, right? So we're clicking on some link inside the body of that email, and then we're taken to a webpage. And the webpage might ask us, for example, to log in. And maybe the webpage looks identical to a login page for a service that we're used to using all the time. Maybe it's Microsoft Outlook. Maybe it's a file sync and share system. In the past, that login page might be hosted on a domain and a server that's within the bad guys' control, right? So if you looked at the URL, for example, it's probably a nonsensical URL. Sometimes they take the time to make that URL look like a legitimate variant of a company you and I would like or know. And so we'd seen those types of form-based attacks in the past, and they end up being credential harvesting, right? If you or I get deceived into putting our username and password into that form, then the bad guys got it, and they're going to begin to exploit that by trying to log in to these accounts instead of us. 

Don MacLennan: So what we saw recently is a little different variation of that insofar as form-based attacks where the bad guys weren't hosting those forms to dupe you and me into giving up our credentials on their own infrastructure. They started using infrastructures of legitimate vendors. So, for example, where we saw it happen disproportionately was in Microsoft and Google products because those products have the ability to publish a form, right? If you were collaborating, for example, you know, in and around Google Drive, there's a bunch of sharing options where you can host forms and collect information. So said another way, the bad guys had their own accounts inside of these legitimate online services. And so the form was being hosted on what to you and I would look like a legitimate Google domain because, in that respect, it kind of is. But the form still did what the bad guy was trying to do, which is trick you and me into giving up our credentials. So usually to the naked eye, you or I might spot a domain and say, you know what? I don't really trust that domain if we bothered to look. What was nasty about these attacks is when we checked for the domain that we were navigating to - in other words, where was that form being hosted - we'd see a variant of Google or Microsoft in which case we'd feel at ease. 

Dave Bittner: Yeah, that's fascinating. And they can host the HTML there, so when they guide you there, you click on that link, you go to this page, and, to you, it looks like the legit site. 

Don MacLennan: Yeah. Well, it is a legit site. It's an illegitimate form - right? 

Dave Bittner: (Laughter) Right, right. 

Don MacLennan: ...On an otherwise legitimate site and inside it an otherwise legitimate product and service that, you know, we might be interacting with all the time. And so, you know, this legitimacy tactic tends to also work on domains that are really familiar to you and me, right? Like, we might be interacting with a Google or a Microsoft product all the time. So they'll tend to pick the ones that are more popular as opposed to those that might be a little more esoteric. 

Dave Bittner: Now, does this also help them get by some of the automated detection that folks might have installed on their systems? 

Don MacLennan: Yeah. I mean, these are layers of an onion - right? - that comprise our bases of defense. But those traditional layers of domain reputation, to your question, those would be irrelevant because it passes the sniff test to being on a legit domain. So you got to look at kind of a little bit deeper into what is this form actually doing? And you get into very different types of machine learning models in order to spot these anomalies when you're otherwise working with a legit domain. 

Dave Bittner: Yeah. Yeah. I'll bet. One of the variants that you highlight here allows them to get access to people's accounts without having their passwords. Can you describe to us what's going on with that one? 

Don MacLennan: If you've ever given an application permission to access another application on your behalf, that's more or less what this is, right? So you and I might be users of LinkedIn or a social network like Facebook. And from time to time, some other application wants to go in there and access our information - right? - might want to connect to our contact data, for example. 

Dave Bittner: Right. 

Don MacLennan: And so basically we're authorizing an application to access our account on our behalf as opposed to another person. So there's a set of APIs and services that enable this application-to-application integration to happen when you and I give permission. That's an analogous way to explain what's happening in Microsoft and Google is they've got these APIs that allow other apps to authenticate into your account on these services. And when you do so, if you recall having ever done it, it's sort of an allow-or-deny type of button that the user would click, right? In other words, if we are being targeted by this email, we click through, we would just say allow or deny. And if we thought it was a legitimate request, we'd probably say allow, in which case now we've given somebody else access to our account without you or I ever having given up our username and password because it's a different method of authentication or authorization into that account than logging in, right?

Don MacLennan: And so that was kind of nasty because we, again, might think that's kind of innocuous because we never did give up our username and password - right? - whereas as consumers and employees, we're really conditioned to protect those things. And so it doesn't hit our radar when we allow a system to talk to other systems, so to speak. 

Dave Bittner: And you point out that in this case, even two-factor authentication isn't going to protect you. 

Don MacLennan: Nope because we're already authenticated. You and I have already logged into this site, right? And now we're granting access as an authenticated user to some other app to access our account. Two-factor deals with you and I successfully authenticating originally. In other words, it's a supplement to our username and password. It's the second factor. But we're already in. We're already in, and now we're granting access to something else. So it's a step down the chain, which makes it, you know, very clever but also very hard for the user to detect. 

Dave Bittner: What are your recommendations for protecting against these sorts of things? 

Don MacLennan: There's no silver bullet. There's a lot of things that companies should do together. An example would be user awareness training, right? I mean, our employees are one of our best lines of defense. So we got to treat them to be a little bit skeptical. We have to treat them to slow down a little bit and really understand, you know, why and how this access is being requested if it's coming out of the blue from somebody they've never interacted with before or for some reason they're not previously aware of, right? That just a little dose of skepticism and pausing a second or two to look at this request with a critical eye, sometimes that's all the difference in the world, right? So our own people are a critical component of this. 

Don MacLennan: And then, of course, we should never forget the basic hygiene, right? Yes, there absolutely should be two-factor authentication. Customers should be wary of allowing other applications to access their account, which is an administrator configuration setting often, right? In other words, if I'm the admin of a Google account and my employees are using Google Drive, as an admin I have control of certain policy settings that would block third-party apps from ever accessing my account in the first place. 

Don MacLennan: So there's administration policies that can be implemented that also will limit - right? - the scope of these types of risks. But, of course, a Google account or an Office 365 account, they might come in a default state where that setting is on; in other words, it's available. So they have to be a little bit vigilant and kind of go through and look at these policies and make sure they turn off what they don't need to have. So you know, it kind of fits the general hygiene of least-privileged access, right? Applications shouldn't be talking to applications except when you have a specific need. 

Dave Bittner: Yeah. It's interesting about how, really, so much of what we're describing here is finding ways to get people to slow down and take a second look, you know, be extra careful before you click on something. And that little pause, like you say, can be all the difference in the world. 

Don MacLennan: It absolutely can. We would like to think our technologies are incredibly valuable and incredibly effective in protecting customers. And in many respects, they are. But they're not perfect. You know, it's why we have this principle of defense in depth, right? We know that there are layers of protection that need to exist, and employees are part of the layer.

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: Interesting interview, Dave. It's always going to be an arms race with these guys, and they are going to get more and more creative. And I like what Don says here - this is just a deception disguised as legitimacy. And that is - that's a great way to say so much of what we talk about here. It's deception disguised as legitimacy. It's a clever attack. I've never used Google Forms to set up a form. But, as was on my story today, you can make it look however you want, right? 

Dave Bittner: Right. 

Joe Carrigan: And so there's nothing stopping you from making it look like a Google login page (laughter). So you go to Google Forms, to a Google Forms API or Google API - or whatever. And it can look just like the Google login page, but you're not actually at the login page. This is a very concerning type of attack because it's going to be very difficult to make the distinction between the legitimate and the illegitimate pages. 

Dave Bittner: Right, because the URL looks legit. 

Joe Carrigan: Right, it does. 

Dave Bittner: And also your - the software that you may have trying to flag this sort of thing may not notice it. I suppose a good password manager probably would. 

Joe Carrigan: Yeah. A good password manager would do that. If you have an integrated password manager into your web browser that - not the web browser's default password manager, but the password manager that integrates with your web browser, like... 

Dave Bittner: Yeah. 

Joe Carrigan: ...1Password, LastPass. 

Dave Bittner: Yeah. 

Joe Carrigan: There's a number of them out there like this - not to endorse any one of them in particular. But, yeah, you're right. If you set this up on a legitimate domain, the machine learning may not initially see it. It's within the training of that model to say, yeah, this looks good. And it might even look good to the machine learning... 

Dave Bittner: Right. 

Joe Carrigan: ...Which is another reason why it's so terribly, terribly dangerous, I think. We talked about this earlier today. But I rarely allow an app to access my Google account in order to do things. I don't even like asking one of my main accounts - using one of my main accounts, like my Google account or my LinkedIn account or my Facebook account, as a third-party authentication tool. 

Dave Bittner: Yeah. 

Joe Carrigan: I think the only way I do that is I use - for Bitly, which is a link-shortening service, I use my Twitter authentication. And that's it. That's all I do. I never log into any place with anything else. And the reason I'm OK with that is because all those shortened links, I'm going to post them on Twitter. So there's kind of that commonality. And I don't know if maybe I'm - if I'm being naive here about thinking that that commonality makes it OK, or maybe I'm being too paranoid that this really is OK. I don't think it's OK. I always set up a new username and password for all these sites that I need and don't piggyback off that single sign-on thing. I just don't like using it, you know, because if somebody compromises that single sign-on root account, then they have access to a lot of stuff for somebody who's using that as a means of authentication. 

Dave Bittner: Well, and in Facebook's example, they can use it as a way to enhance their ability to follow you around the web and track what you're up to. 

Joe Carrigan: Absolutely. That's another great comment, is that they - these sites (laughter) who say they behave ethically, but we rarely actually see them doing that. 

(LAUGHTER) 

Joe Carrigan: Well - can use it to exploit you, the user. Remember - if you're not paying for something online, you're the product, right? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: One of the things on all these cloud service apps, like G Suite and Office 365, is that the default settings are going to be the death of us, you know? I shouldn't be able to, by default, allow another application to access these. That should be something that, by default, I can't do. And I think that these large cloud providers have to move to that direction to make the default settings the most secure settings and then make it so an administrator has to explicitly make it possible for someone to make this mistake. 

Dave Bittner: The challenge there is friction, right? They don't want to... 

Joe Carrigan: Yeah. Yeah, they don't want to increase friction. 

Dave Bittner: That's the hard part to balance with all this. 

Joe Carrigan: It is. 

Dave Bittner: And the bad guys take advantage of that. All right. Well, our thanks again to Don MacLennan for joining us - again, from Barracuda Networks. We appreciate him taking the time. And, of course, we want to thank all of you for listening. That is our show. 

Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.