Hacking Humans 7.23.20
Ep 108 | 7.23.20

Never think of security as a destination.


Richard Torres: The trick to stay ahead of this is to never think of security as a destination. It's always a journey.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Richard Torres. He's from a company called Syntax, and they've been tracking phishing attacks, and they have seen a 350% increase during COVID-19. That's part of our conversation. Lots to talk about with him, so we'll look forward to that. 

Dave Bittner: Joe, I'm going to kick things off this week. This was a new one for me. 

Joe Carrigan: OK. 

Dave Bittner: This was courtesy of a Twitter user. His name is Oliver Hough. I want to say his last name is pronounced how (ph). It's H-O-U-G-H. I apologize, Oliver, if I got that wrong. I like in his Twitter description, he describes himself as an Internet dumpster diver. Sounds like my kind of guy. 

Joe Carrigan: Yeah, that sounds interesting. 

Dave Bittner: (Laughter) But one thing he highlighted on his Twitter feed was, evidently, there are just rampant, over on YouTube, scams involving livestreams and gift card scams. So here's the way it works. I actually have brought up a YouTube livestream. And Oliver points out in his Twitter feed that all you have to do is go over to YouTube, search for giveaway and apply a filter that only shows you livestreams, and you will see dozens, if not hundreds, if not thousands, of livestreams that are taking part in this scam. 

Dave Bittner: So that's what I did. I went over there and brought up a livestream. And this livestream is a bunch of people playing a first-person shooter. I don't know what it is. I don't recognize it. Joe, perhaps you do. I put a link in the... 

Joe Carrigan: I'm look - oh, this is Fortnite. They're playing Fortnite. 

Dave Bittner: They're playing Fortnite. All right. I should've known that (laughter). 

Joe Carrigan: 'Cause there's a guy on his hands and knees. They're playing - they're also playing in team mode because there's a guy on his hands and knees waiting to be healed by a teammate. 

Dave Bittner: I see. All right, so they're playing Fortnite. But over in the chat window, it says, hey, guys. Make sure to go here and get your free gift cards. And the web address for free gift cards is gamingcodes.online. 

Joe Carrigan: I see that. That's the sponsors. 

Dave Bittner: Well, that's what they say. 

Joe Carrigan: OK. It says on behalf of our sponsors. 

Dave Bittner: Right. So what they're saying is, hey, everybody. Good news. Because all you people are watching this livestream - and livestreams of gaming is very popular. It's a popular pastime for the kids today, so I'm told. So when you go to gamingcodes.online, you are presented with the image of - sort of a cartoon image of - looks like a guy in a trench coat who is there to - you know, like the old stereotype of the guy who sort of opens up his raincoat and he's got a bunch of watches inside. 

Joe Carrigan: You need a watch? 

Dave Bittner: Right, exactly. It's that guy. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Which, you know, I don't know about you, but to me, that might be a little bit of a red flag that this is the kind of - if they're bragging about this being the kind of commerce that they're doing here, but all right. You go to this site. There's this figure here, this cartoon. You scroll down, and it offers you a whole selection of different kinds of gift cards that you can choose from. And it says, we generate these codes for these gift cards. So just for fun, I selected an Apple gift card. And then you can select what value Apple gift card you want. So you can get a $25 gift card, a $50 gift card or a $100 gift card. I'm not a particularly greedy person, so I selected a $25 gift card (laughter). 

Joe Carrigan: OK. 

Dave Bittner: So what happens next - so let's say you select I want a $25 Apple iTunes gift card, right? 

Joe Carrigan: Right. 

Dave Bittner: Up pops a screen that shows you a very compelling animation, let's say. And it says, you know, part one - generating codes. Part two - randomizing codes. 

Joe Carrigan: Right. 

Dave Bittner: Part three - checking codes. And these numbers are going by, and they're cycling through very quickly. And it has the, you know, the Apple logo. And it says, you know, we generate these codes. They're useful codes. They are guaranteed to work. Blah, blah, blah, blah, blah, blah, blah. Right? So you're getting sucked in here. 

Joe Carrigan: Right. 

Dave Bittner: They're taking your time. They're building the anticipation, right? The title, by the way, is Gift Card Rebel. So... 

Joe Carrigan: Why would anybody rebel against gift cards? 

Dave Bittner: Yeah (laughter). So what it does is then it generates a gift card code, but it Xs out the last four digits. 

Joe Carrigan: Oh. 

Dave Bittner: So, Joe, we are getting so close to having our free iTunes gift card here, right? 

Joe Carrigan: Yes. 

Dave Bittner: What do you think is left to do? The final step just to get our gift card - any guesses? 

Joe Carrigan: Payment card information. 

Dave Bittner: Well, you're close. We have to verify that we're a human by performing an act. 

Joe Carrigan: Is it a CAPTCHA? 

Dave Bittner: There is a CAPTCHA. 

Joe Carrigan: OK. 

Dave Bittner: But beyond the CAPTCHA, basically, you have to verify you're a human by, you know, signing up for a free subscription. 

Joe Carrigan: Oh, OK. They're gathering emails for spam addresses - for spam lists. 

Dave Bittner: Yes. It is an affiliate scam. 

Joe Carrigan: Right. 

Dave Bittner: Yes. So basically, what these folks are doing is funneling people towards affiliate sign-ups. And they get - who knows? - fraction of a penny or whatever for every person who signs up. But that's how they profit. And there are tools. Evidently, there's a tool called Nightbot, which is a tool that it populates your chat windows in things like YouTube with whatever you want it to, so it can keep that chat window refreshed with, hey, check out our gaming codes website, and it just keeps that at the top. So when people come and they join this livestream, they keep seeing that, and it seems fresh and it seems new. And as Oliver Hough points out, basically, you - this thing's on autopilot. You download a long stream. You livestream it, play it back, livestream it. It doesn't even have to be yours, right? It could be someone else's gaming stream. 

Joe Carrigan: That was my question, is, where are they getting the content here? Because these guys actually have their livestreams, right? This doesn't look like something these guys do. They have other ways of monetizing this other than scamming people. And as you said before, there - my son watches a lot of streaming of games. But not just that, but he'll watch replays of games, like, on YouTube. I would rather just play the game. I don't like watching other people play video games that I can play just as well. 

Dave Bittner: Yeah. So Oliver points out that you download a stream, you configure one of these automatic chatbot things to populate the chat window with the links, start the stream playing, and then basically sit back and watch the affiliate money roll in as people get funneled towards the affiliate. And I guess it adds up. And YouTube enables this for free, right? 

Joe Carrigan: Right. 

Dave Bittner: Doesn't seem like they're shutting them down or isn't able to shut them down quickly enough. Technically, I don't know, is this a violation of YouTube's terms of service? I don't know. 

Joe Carrigan: I'll tell you where it is a violation, is if they're using content that isn't theirs, they're stealing someone else's content. 

Dave Bittner: Yeah. 

Joe Carrigan: So yeah, YouTube could shut them down on those grounds, but the people who own the content would probably have to complain about it. 

Dave Bittner: Right. Right. Well, obviously, the bottom line is there are no gift cards (laughter). 

Joe Carrigan: Right. Absolutely not. 

Dave Bittner: You can jump through all the hoops. I stopped going down this path at the point where the jig was up and they said, you need to do these things in order to verify that you're a human, because at that point, I knew exactly what the scam was. But they will keep asking you to jump through hoops. They will say, oh, one more thing. While you're here, you know, hey, how about double or nothing? If you do this other thing, we'll double the amount on your gift card. And they just lead you along, lead you along as they generate their affiliate money, and it's all a big scam. There is no gift card. There's no money. They're just wasting your time, and they're making money on their end. 

Joe Carrigan: Yep. There is money. It's just not your money. 

Dave Bittner: Correct (laughter). Correct. 

Joe Carrigan: Somebody else is getting it. 

Dave Bittner: Someone else is getting that money. So that was new to me. I wasn't aware that they were making use of YouTube streams to funnel people towards these affiliate things. So heads up there. Our thanks to Oliver Hough for pointing that out on Twitter. That's an interesting one. 

Joe Carrigan: Yes, it is. That's new. I haven't seen it before. 

Dave Bittner: Yeah, me neither. Me neither. So that's my story. What do you have for us this week, Joe? 

Joe Carrigan: Dave, I really wanted to talk about the Twitter hack that happened last week, but as of this recording, there is not enough information out there to tell me how this happened and what happened. So maybe next week we'll have more information and we can have a better talk. But we all know why it happened, right? Say it with me, Dave. Money. 

Dave Bittner: Money (laughter). 

Joe Carrigan: Right. These guys made $100,000 in bitcoin. Anyway, my story today comes from the Great White North, Dave. 

Dave Bittner: Take off, eh? 

Joe Carrigan: Yeah, hoser. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's from Tarnjit Parmar at Vancouver's News 1311. And for our younger listeners, that's an AM radio station. And he's talking about Vancouver Coastal Health warning people of a scam where someone is impersonating a hospital employee. Someone is spoofing the number of a hospital in their system. It's called Squamish General Hospital. And they've been calling people and asking for information, including their full name, their social insurance number and their date of birth, right? 

Dave Bittner: OK. 

Joe Carrigan: But they're calling from the number of Squamish General Hospital, or they appear to be, right? So they're spoofing the number. 

Dave Bittner: Wow. Yeah. 

Joe Carrigan: And VCH, Vancouver Coastal Health, is saying - they have a quote in this article that says, if you receive an unexpected call from Squamish General Hospital, please don't provide any personal information. No one from the hospital would ask for detailed identification information such as your social insurance number over the phone. 

Joe Carrigan: And then they do a really good thing here. They say, contact Squamish General Hospital - and they give the phone number - if you receive a similar call to check its legitimacy, which is a great thing to do, right? We say this a lot. When you receive a call and someone's asking for information on an inbound call, say, I'm going to call you right back, and call them at a published number. 

Joe Carrigan: By the way, they say the RCMP have been notified of that. That's the Royal Canadian Mounted Police. I just envision someone going into their office on a horse every day. 

Dave Bittner: (Laughter) Those very nice red uniforms that they have. 

Joe Carrigan: Those uniforms are beautiful. I love them. 

Dave Bittner: Yeah, they look sharp (laughter). 

Joe Carrigan: They do. But this leads me to another concern. We live in Maryland. You and I both live here in Maryland. Dave, have you seen the ads on TV that say answer the call, and it shows a cellphone that says MD COVID on the front of it? 

Dave Bittner: Yes, I have. 

Joe Carrigan: OK. That is a contact tracing program that we have here in Maryland that - every state needs to be running this. It's an important thing. But I saw this, and the first thing I thought is, somebody's going to get scammed by somebody spoofing that number, right? 

Joe Carrigan: So I went to the webpage today and did a little bit of nosing around. The webpage has a lot of good information on it. It has a section on the webpage that says, what kinds of questions might a contact tracer ask me? And the very next section, which I think is actually more important, says, what kind of questions will a contact tracer never ask, right? And in here, they say - Maryland has done a really good job on this website. They say, a contract investigator will never ask you for your Social Security number, financial or bank information, personal details unrelated to COVID-19. They will not ask you for photographs or videos of any kind. 

Joe Carrigan: I would never have thought to tell somebody they're not going to ask you for that. I will from now on because that is a great piece of information. Remember a couple months ago we had that story about the woman who got scammed out of sending pictures of her breasts for what she thought was a research project? Turned out to be just some pervert with a hacked Facebook account. They will never ask you for passwords or money or payment. 

Joe Carrigan: This is really great. All this information is really great here. I have three problems with the website in the ad, though. And if someone from the Maryland government is listening, feel free to contact me about this. First thing is the television ad has to have some kind of anti-scam component. Go check our website to make sure it's not a scam or something or, you know, we'll never ask you for this kind of information. The ads could be longer and cover that because there's a lot of people out there that are just going to see the ad. They're not going to go to the webpage - maybe even referring them to the webpage for scam prevention. 

Joe Carrigan: There needs to be a link at the top of the front page of coronavirus.maryland.gov that takes you directly to the contact tracing page. There is no such link when I looked at it. I couldn't clearly see it, but that link needs to be big and at the top. And you click on it, and you go to this page, which is actually coronavirus.maryland.gov/pages/contact-tracing. That's too long of a URL to give somebody. Put a link on the front page of coronavirus.maryland.gov. 

Joe Carrigan: There's another section on the website that says, how do I know the call is from a contact tracer and not a scam? Is there a way to verify who is calling? And the very last phrase of this section says, there will also be a list of phone numbers that you will be given to verify the caller's identity. That's unacceptable, OK? They have a number on here. That's good, but they need to have that list of phone numbers on this webpage because if I'm a scammer, I'm going to say, I'm calling from the COVID contact tracing program. And if you want to verify, here's the number, right? I'm just going to give you my phone number again. 

Dave Bittner: Right. 

Joe Carrigan: So you call me back. 

Dave Bittner: Right. 

Joe Carrigan: And now you think that you've called Maryland state government, and you've just called the scammer again. So, I mean, I think Maryland has done a really good job here. I was actually pleasantly surprised to see this, but I think they could do a little bit more. 

Dave Bittner: You know, the other thing that strikes me about this is that - here we are, all the way in the year that we're in, you know, 2020 and counting. And it is still so easy to spoof an incoming phone number. It's absurd to me. 

Joe Carrigan: That is a systemic problem that needs to be fixed. And I'm not familiar enough with the phone system to know what that is, but there has to be some way to fix this. 

Dave Bittner: Yeah. 

Joe Carrigan: You're absolutely right. 

Dave Bittner: Yeah. 

Joe Carrigan: These systems weren't designed with security in mind. Caller ID was designed on an old system where you had physical control of the phone that you were calling from. 

Dave Bittner: Right. 

Joe Carrigan: And it was a piece of hardware that was attached to a line into a phone building. There was no concept of the idea of voice over IP when caller ID was designed. 

Dave Bittner: Yeah, it just - it blows my mind that this is something we're still dealing with even... 

Joe Carrigan: Yeah. 

Dave Bittner: ...As we transition to - as we cut off our landlines, it's still an issue. 

Joe Carrigan: Yeah, it is. 

Dave Bittner: It's just bizarre. All right, well, it's an interesting story. It is time to move on to our Catch of the Day. 


Dave Bittner: Our Catch of the Day comes from Cellar Door Games. Joe, is it a company you're familiar with? 

Joe Carrigan: I'm not familiar with this game company. It's a small, independent game company. 

Dave Bittner: OK. 

Joe Carrigan: Someone is impersonating them in an attempt to get your banking information, and they are targeting, Dave, podcasters. 

Dave Bittner: Those monsters (laughter). 

Joe Carrigan: People like us. 

Dave Bittner: They're coming after us? 

Joe Carrigan: They're coming after us, Dave. They're trying to get our... 

Dave Bittner: Now it's personal. 

Joe Carrigan: Yeah, that's right. 

Dave Bittner: (Laughter) All right, well, let me read - this is something that they saw posted on social media. Looks like it's something that was, I suppose, posted on Twitter, yes? 

Joe Carrigan: Yes, it was. 

Dave Bittner: It goes like this. It's posted from someone claiming to be from Cellar Door Games, going by the name Julia Luj. And it says, hello. I'm the manager of Cellar Door Games. Our project Rogue Legacy 2 is an action indie game in which the player gets into the exciting world of adventure in which he has to fight with the bosses in order to survive, settle down and start a family or continue his journey. Here, everyone is unique, individual characters with their own characteristics and abilities. The start of our game is very soon, and we want people to know about our game before its release. You can see our website on the internet. For a video that is more than 30 seconds, we will pay you 500 U.S. dollars. If you are interested, let me know. Regards, Julia. 

Joe Carrigan: Cellar Door Games has done a great job here, Dave. They have this big picture of it that they've taken, and it says at the top, not us, with a big, red circle around Julia's name. And then down at the bottom, it says in big, white letters, this is a scam, on a black background. So... 

Dave Bittner: (Laughter) So they're reposting that on their own website... 

Joe Carrigan: Yeah. 

Dave Bittner: ...To point out to their fans... 

Joe Carrigan: Right. 

Dave Bittner: ...That this is not them. 

Joe Carrigan: That's right - and people, probably, who are not fans because this is a small, independent game company, right? So if you're a podcaster or a video podcaster or whatever - live streamer - and you get this offer for 30 seconds for 500 U.S. dollars, that'd be hard to walk away from. Yeah, I could see where this hook would be - or this phish would be alluring. 

Dave Bittner: Yeah, sure. Play a game. You know, make a little commercial - 500 bucks. 

Joe Carrigan: Yeah. 

Dave Bittner: That's worth my time. 

Joe Carrigan: Sure. 

Dave Bittner: Absolutely. All right, well, that's an interesting one for sure. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Richard Torres. He's from a company called Syntax, and they've been tracking a dramatic increase in phishing attacks as we've been making our way through the COVID-19 pandemic. Here's my conversation with Richard Torres. 

Richard Torres: When you look at the way cyberattacks happen, they tend to happen in waves. And it's very much like the market is changing. People are getting interested in different types of vulnerabilities. And when I say people, I mean your professional hackers, the folks that look at the internet and look at the worldwide web and the cyber universe as a playground. And they try to determine, what's the newest, most exciting way for me to wreak havoc with some of these companies and, additionally, a way to make some pretty decent revenue if I'm a pretty good hacker or a pretty good pirate? 

Richard Torres: And with ransomware, it's essentially taken a kidnapping model and applied some cryptography to it. I'm going to lock down all your data after I've taken a piece of it just to prove to you that I was there and say, look what I got. This is some sensitive information that I'm pretty sure you don't want let out and you certainly don't want some of your customers to know that was let out. And then I'm going to lock the rest of it down, and I'm going to hold you ransom and say, for X number of bitcoin, I'll give you the keys. And I'll let you decrypt all your data and use it again. Oh, and I promise I won't share any of this private information with the outside world. 

Richard Torres: What's changed recently is if you say - what's changed the last 10 years, 20 years is our dependence on data, our dependence on sending data from one place to the other to do business. Instead of holding it all internally, we're now putting it in the cloud and we're sharing it with other groups. 

Richard Torres: But now, with the pandemic, we're locked down, and folks are staying at home instead of sitting in their offices. So what that tends to change is people's behaviors and their focus on security. It's easy to walk into your office when you have a - you have to badge the door, and you have to be sure that you're following the rules because there are people in the office that are going to hold you to account and certain things you won't put on your computer screen because you're at work. All those things have changed. Let's face it. We're in our pajamas a lot more now than we are in our office attire, right? 

Dave Bittner: Right. Let's dig into some of the things that you and your team have been tracking here. What have you seen in terms of the increase in phishing attacks? 

Richard Torres: Now that there's a lot more focus on working from home and trying to get people to improve some of those behaviors that could lead to falling for some of these phishing attempts, we're trying to create a lot more awareness of what phishing attempts look like, not just what they can do, because to the layperson, understanding exactly what it can do isn't as important as understanding how to respond when I see it or how to identify it when it hits my inbox. 

Richard Torres: So we focused a lot, and we're tracking performance in terms of how many of these links are people clicking on. We've deployed some tools that actually send out phishing campaigns that we ourselves control. And we look at how many people will open the email, how many will actually click on the links, and then how many will actually enter their credentials, believing that the link they're at is a legitimate site. 

Richard Torres: Benefit of doing this is I can actually track specific behaviors. I can actually narrow it down to specific people in specific departments. And then we provide the training and the education necessary. So the tool gives us the ability to kind of test how well our awareness campaign is working. So that's one of the things we're tracking very, very closely. 

Richard Torres: In addition, we're looking at - you know, we watch all the news and all of the cyber geeks out there that are posting information about new threats and new trends in phishing. We sit down probably once, sometimes twice a week, and we discuss these new trends and how they could apply to our teams, to our environments, to our company and try to get ahead. We try to create that awareness that this type of activity is going on, in particular with COVID. 

Richard Torres: There are all kinds of campaigns right now being launched by folks like the Lazarus Group out of North Korea, for example. They send out fake emails that pose as actual government agencies that oversee things like emergency financial relief. Well, if you have a small business or you believe you're eligible for some sort of financial relief, that topic may be very interesting to you. I can sort of lean on that focus you have right now on our recovering economy or on your own financial needs by saying there's coronavirus pandemic relief available to you from this department. And it looks very official, so it draws your attention. 

Dave Bittner: Is that sort of the flavor of the month these days? Is that what they've shifted their focus to, to take advantage of people's anxiety when it comes to COVID? 

Richard Torres: It absolutely is. It absolutely is. In fact, the biggest shift went from the old Nigerian banking scam - the Nigerian prince has money for you, and you just give him your banking information - to now, here's a link that will take you to someplace that can get you a free coronavirus testing kit, or your local hospital is offering free coronavirus testing. If you sign up here, you get on the waiting list - things of that nature. So now people are using that because they know that's where we're focused. 

Richard Torres: And it looks - again, it looks innocent enough, and it looks very official. So we click on the link, even if it's just out of curiosity. And without knowing it, now we are attached to a bad IP somewhere and we're downloading malware. Or worse, it looks even more official, and I now have to put in some personal information to maybe purchase my 99 cent coronavirus family testing kit, and I'm giving them all my information, including a credit card. 

Dave Bittner: Now, from your experience with the testing that you do, the messages that you send out, what is effective messaging? In other words, if I'm a company and I want to equip my employees to be able to detect these sorts of things, to not fall for these sorts of things, what is the effective way for me to put that message out to train them? What's the difference between success and failure when it comes to this? 

Richard Torres: You know, Dave, that's a really important distinction that you make there because there's two parts of this. There's the education part, which is making sure that your folks are aware that it's happening, aware that they are being targeted. You don't want them to ever feel like they are behind a protected firewall where this couldn't happen to them. So being sure that they're aware that they are being targeted and giving them enough information so they can identify what phishing looks like. It could be very, very innocent. It doesn't have all kinds of bells and whistles on it. 

Richard Torres: And you go back to, if you are not expecting this type of email or to hear from this particular person or this particular group, you should question it. So reinforcing that from the top down and making sure that it's part of routine conversations, not just one memo a month, is extremely important so that it stays in the forefront of their mind. 

Richard Torres: Now, the other part of that, Dave, is making sure you have the right tools in place because there are very good tools out there that any company can reasonably afford. You know, KnowBe4, INKY, Clearedin, Barracuda - all of these provide different levels of service. And what they will do is they'll screen some of those incoming emails. And if something doesn't look quite right, if there are links that don't appear right, they have this knowledge base built in, and it will highlight those links. And some of these tools will actually quarantine any attachments or block those links altogether. So that is kind of putting technology on the forefront. And in the background, now I'm educating the users. So where the technology may fail, I have defense in depth. Now I have someone who's smart enough to recognize what could be phishing attempts and the forms that they could possibly take. 

Dave Bittner: I suppose there's a company culture component to this as well - letting your employees know that, you know, nobody's position is so insignificant that they couldn't be a target, that defending the company is everyone's job. 

Richard Torres: David, that's exactly right. And I have to say, from the C-suite down, this is a topic of conversation that comes up frequently. And it's extremely important that that conversation starts at the top because we look to our leaders in our organization to help us identify what's most critical, what's most important, what is the true company's focus. And they're shifting the culture now to help people recognize that everyone is susceptible to this. 

Richard Torres: We actually had an incident about a year ago where our chief operating officer came to us and says, I was this close to clicking on that link, and then something in my gut said, I better check with security first. And it turns out it was a whaling campaign, where they were going after the highest levels first to try to get their credentials, and from there, now they can pose as the C-level, the CEO, COO, CFO and start sending emails using their accounts. So it's extremely important that those of us that work down in the trenches day to day are hearing from the very top leaders that this is their focus as well. 

Dave Bittner: Do you suppose that the word is getting out? Are we getting better at this? Do you think we're gaining ground or treading water? How do you suppose we're doing? 

Richard Torres: Well, it sort of feels like that one step forward, two steps back sometimes because just as we're becoming accustomed to the type of attacks that we're seeing and we feel like we're getting our arms around it, the hackers are going to find different ways of coming at us. They're going to try to be creative and keep changing up their game a bit so that, no matter how comfortable we get, we're always just one click away from falling victim to ransomware or some other sort of attack. 

Richard Torres: We are getting people more focused. And, really, from working from home, I think people are starting to get the message because companies are focusing on getting you cybersecure at home and understanding that you are vulnerable and what some of those vulnerabilities are. But the trick to stay ahead of this is to never think of security as a destination; it's always a journey. You're always personally growing and trying to learn what the adversaries are doing. You have to understand the environment you're working in and that it's always changing. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: Dave, that was a great interview. I like the way Richard thinks about malicious actors, right? He calls ransomware a kidnapping model, which is great. We have a professor, Tim Leschke, who teaches forensics, and he says that computers do not provide people ways to commit new crimes; they just provide new ways for people to commit old crimes. And while I would say that there is a big difference between kidnapping and encrypting data, it is the same business model. You've taken something desirable away, and you're going to charge to give it back unharmed, right? It's the exact same thing. 

Dave Bittner: Interesting. 

Joe Carrigan: Richard makes a really good point in this interview - that is, to the end user, impact is not as important as how to identify the phish. And that is a very good observation and one that kind of, you know, caught me as something I need to talk about more, right? Because we're talking to the general public. It's really not important to them what the impact is. What's much more important is they're the first line of defense every - in every situation. In their own personal situation and in a corporate situation, they need to be aware of what a phish looks like more than they need to know how bad it's going to get when they click the link, right? I think that was a good observation. The attackers are always getting more sophisticated, and going with COVID phishes is nothing new. But we still see the Nigerian prince scams, right? So we get the worst of both worlds. 
Joe Carrigan: We don't lose those less-sophisticated attacks just because more advanced ones are coming along. 

Dave Bittner: Yeah, the internet just keeps on giving, doesn't it? 

Joe Carrigan: Right. Yeah. That's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: One of the points he makes is, don't feel like you're protected behind a firewall, right? This is a holdover from the old days of infosec. Dave, did you ever work at a company that didn't have a firewall on it? We all know - don't feel like you're inside the walls and moat of a castle and feel like you're perfectly protected. These guys come in - email - I've said this before. Anybody can send you an email at all. It's one of the few services on the internet that you just receive stuff to your box, right? 

Dave Bittner: (Laughter) Right, right, right. Your castle wall and moat don't do you much good because dragons can fly. 

Joe Carrigan: Right. Exactly. That's a great way to say it. 
Joe Carrigan: It is everybody's responsibility, and it does start at the top. And I love Richard's story from the COO, that the guy was almost caught with the phishing email - the whaling email, actually. There was something in his gut that made him say, something's up here, and he called security. I think this COO should be speaking at every one of the CIOs or CISOs talks where he's addressing the people and telling his story about how he almost got caught. 

Joe Carrigan: I think that's a great story, you know, 'cause it happens to everyone. There's nothing different about any of the people from the outside perspective. I mean, yes, if you're higher up in the chain, you're probably going to be more targeted. But if you're lower down in the chain, you're still going to be targeted. 

Dave Bittner: Yeah, what a great sign of leadership - to demonstrate - you know, admit your own vulnerability... 

Joe Carrigan: Oh, absolutely. 

Dave Bittner: ...And use that as a learning lesson for the whole team. 

Joe Carrigan: Absolutely. I agree 100%. And I love this. I love what he says towards the end of the interview - never think of security as a destination; it is always a journey. You are never going to get too secure, right? It's like in life - you're never going to become perfect, right? You're just going to get better. That's what we all need to understand about cybersecurity and any kind of security, is we're not going to be perfect, but we are going to get better. 

Dave Bittner: Yeah. All right. Well, our thanks to Richard Torres from Syntax for joining us. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.