Many times it is less sophisticated than we think.
Rachel Tobac: Well, a lot of times we say it's a sophisticated actor and there's nothing that could have been done. Many times, it's less sophisticated than we think, and there's probably something that could have been done.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. This is Episode 112 for August 20, 2020. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Rachel Tobac from SocialProof - she has her insights on the recent Twitter hack.
Dave Bittner: All right, Joe. I am going to kick things off for us this week. And I have what I think is a really fascinating story. You and I have spoken many times about our frustration with robocallers (laughter).
Joe Carrigan: Yes.
Dave Bittner: You know, I think, like most of our listeners probably agree, I get more robocalls than real calls...
Joe Carrigan: Absolutely.
Dave Bittner: ...On my phone these days (laughter), right?
Joe Carrigan: It's terrible.
Dave Bittner: It is terrible. In fact, it's so bad, there's actually an app I use on my phone. I think it's called RoboKiller. And you know, I pay a couple bucks a month for this app. It's so worth it to me to have this app intercept my phone calls, you know, establish whether or not it's a hoax and then decide whether or not to alert me.
Dave Bittner: This comes from ZDNet, written by Catalin Cimpanu, and the title of the article is "A Simple Telephony Honeypot Receives 1.5 Million Robocalls Across 11 Months" (ph). And it's covering some research that some folks at North Carolina State University did. They presented it at - is it the USENIX conference? Is that how you pronounce it, Joe?
Joe Carrigan: USENIX. Yep, USENIX.
Dave Bittner: Yeah. They presented at that conference. And what these folks did was they set up over 66,000 telephone lines. And they had them active between March of 2019 and January of 2020. And over that period of time, they received over 1.4 million unsolicited calls. And there's some really interesting details about their research here. They got unsolicited calls even if they never made the phone number public via any source.
Joe Carrigan: Right.
Dave Bittner: So I suppose that points to the probability that many of these robodialers are just spinning up random numbers.
Joe Carrigan: Yeah. They're just dialing sequentially, right?
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Because there's only so many phone numbers, Dave (laughter).
Dave Bittner: Well, you know, and that's another thing that struck me about this story was how easy is it to just go get 66,000 telephone numbers (laughter), right?
Joe Carrigan: Yeah. That - I mean, even at the cheapest rate, that is a lot of money. You know, I'd like to know who funded this research (laughter).
Dave Bittner: It's an interesting paper. They said, on average, they received an unsolicited call every eight days or so.
Joe Carrigan: Per line.
Dave Bittner: Yeah. Most of the calls came in surges that they referred to as storms, which happened at regular intervals. And what they suspect is that the folks who are behind these robocalling campaigns - they are campaigns - they buy a certain number of robocalls. The campaign says a start point, a stop point, and it goes out en masse, you know, over that small period of time. So they tracked 650 storms over 11 months. Most of the storms were the same size, which is interesting.
Joe Carrigan: It is.
Dave Bittner: Another interesting point they made here was that many of the calls that they got - or a significant number of calls that they got were from people who were basically returning the call of the robocallers - in other words, of another robocalling operation - because the robocallers, they spoof phone numbers. They're not using their actual number as a caller ID. So I don't know if this ever happened to you - you're, you know, standing around, minding your own business. Your phone rings. You answer it, and the person on the other end says, did you call this number? (Laughter) You say, no, I didn't call this number.
Joe Carrigan: That hasn't happened to me in a number of years, but I think that has happened to me, like, once.
Dave Bittner: Yeah. Yeah. It's happened to me a few times. But I think you're right. It's been a while because I think these days, nobody answers their phone if it's not (laughter)...
Joe Carrigan: Right (laughter).
Dave Bittner: ...If it's not someone in your list of contacts. I know, for me, I don't answer the phone if it's not someone who - if their name doesn't come up, there's no way I'm answering that because...
Joe Carrigan: Right. You're going to have to leave a message. And if you don't leave a message, I'm not calling you back because that message is your opportunity to plead your case.
Dave Bittner: Right (laughter). Right, right. So they track over 2,600 robocalling campaigns, and they say the largest ones were promoting student loans, health insurance, Google search promotion services and Social Security scams - I guess no real surprises there.
Joe Carrigan: Right. You know, what surprises me that it's missing is car warranty scams.
Dave Bittner: Oh, yeah.
Joe Carrigan: Because that's all...
Dave Bittner: Right.
Joe Carrigan: ...The robocalls I get.
Dave Bittner: That's interesting, yeah. I wonder if they've kicked up since these folks cut off this research in January.
Joe Carrigan: It could be.
Dave Bittner: I don't know. But the other interesting tidbit that - it goes counter to, I think, what I would have thought - is they found that answering calls does not necessarily increase the number of robocalls you receive.
Joe Carrigan: Really?
Dave Bittner: Yeah. I would have thought that if you answer a call, that that would go into some database where they'd say, hey, we got a hot one, you know (laughter)...
Joe Carrigan: This is a live number. People answer this phone number. Call.
Dave Bittner: Right. Exactly. But no, their data showed that doesn't really happen. So interesting story - we'll have a link to it in the show notes here. Again, the story's from ZDNet, and they have a link to the original research if you really want to dig into the details. I've reached out. I'm going to try to get one of the researchers from this team over for our "Research Saturday" show, so maybe we'll be able to dig into some of the details there. But I thought it was an interesting one.
Joe Carrigan: I agree. I think this is very interesting. I am going to go ahead and download this paper and take a look at it.
Dave Bittner: Yeah, yeah. All right. Well, that's what I have this week. Joe, what do you have for us?
Joe Carrigan: Dave, we're all familiar in the U.S. with HIPAA. And for our listeners that might not be familiar with it or might not be from the U.S., it stands for the Health Insurance Portability and Accountability Act. And it has some compliance requirements for data privacy and security. It is the driving data protection law in the U.S. for the medical industry. The enforcement power for this law resides with an organization called the Office of Civil Rights, and that is within the Department of Health and Human Services. Now, the Office of Civil Rights, or OCR, is issuing a warning right now because somebody is sending out postcards impersonating them. These postcards say they come from the secretary of compliance HIPAA compliance division, and there is no secretary of compliance for the HIPAA compliance division.
Dave Bittner: (Laughter) OK.
Joe Carrigan: It does not exist. But the cards inform the recipient that their organization is due for a mandatory risk assessment, and they contain a URL, a phone number and an email address for the recipients to set up such an assessment. Now, this is not how this works. The postcards lead to a non-governmental website and marketing consulting services. The URLs in the postcard lead to non-governmental websites that market consulting services. So I'm wondering if this is, like, some kind of misconceived marketing campaign that has turned into some kind of - possibly a federal crime, impersonating a federal officer.
Dave Bittner: Right. Like, it's a leads-generating kind of thing.
Joe Carrigan: Exactly. I can only find the front part of the postcard online. Nobody's posted anything with the URLs on it. They're all blacked out. The postcard does have a permit number on it - like, a first class mail permit number for bulk mailing. Now, that can be done by a bulk mailing service. There are people out there who provide this kind of service for marketing purposes. Like, if I wanted to send a bunch of mail to a bunch of different people, I could go to this company and say, here's what I want you to send. And they'd charge me some fee, and then they'd send it all out using their permit numbers. So it could be one of these. But the OCR, the Office of Civil Rights at Health and Human Services, is not taking this lightly. And they're saying that suspected incidences of individuals posing as federal law enforcement should be reported to the FBI.
Dave Bittner: Oh, my (laughter).
Joe Carrigan: So I want to stick with this story. I'm hoping that - if anybody has a copy of these postcards and you can send me a picture of it, I'd love to go to the URLs and see what they are, maybe reach out to somebody via email and see if I can get anybody to respond and see if I can find out what's going on here. But if this is just a marketing campaign that's gone awry, it's a terrible idea. But, you know, there's that little voice in the back of my head - the conspiracy theory guy, right?
Dave Bittner: (Laughter) Yes.
Joe Carrigan: We all have him. Some of us listen to him more than...
Dave Bittner: Some of us more than others.
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: But we all have this speculative voice in the back of our head that says things like, you know, if I was a bad guy that wanted to get my hands on private health information, which is pretty valuable - I mean, it's more valuable than credit card information, right? If I wanted to get my hands on that, who would I target? Who would I con? I would send something to people who work with that on a daily basis. These postcards are actually being addressed to HIPAA privacy and security officers, and that is who I would target with this. If I was going to install malicious software on someone's computer - it doesn't say that's what's happening, but that is exactly the kind of thing I would do. Maybe I wouldn't be able to spend this kind of money because this is an expensive kind of attack.
Joe Carrigan: I think this is more of an ill-conceived marketing campaign than it is actually malicious, but it does have all the elements of a social engineering attack, and it would be remarkably effective. I mean, it's got the scare factor. You know, you've got the required risk assessment coming up, mandatory compliance with the HIPAA entity on the front of it. And it - oh, at the bottom - this is the best part of the postcard. It has a list of violation costs and fines - right? - including a penalty of $1.5 million per year for each violation...
Dave Bittner: Oh, my.
Joe Carrigan: ...Which is a very scary number indeed.
Dave Bittner: You know what? It reminds me - there's a similar thing that makes the rounds, and anybody who is a business owner has probably seen one. You get this scary letter saying that your trademarks are ready to expire...
Joe Carrigan: Right.
Dave Bittner: ...And that you need to renew your trademarks or else you'll forfeit them. And someone else can come take your trademark and that sort of thing. And it's very official-looking. Just like this, it looks like it's coming from a government agency. But if you read the fine print, it says it's not from a government agency. It's from a company who provides a service of renewing your trademark information, your registration, that sort of thing. But they charge quite a premium for it - you know, several times what it would cost you to just go to the U.S. Patent and Trademark Office and renew.
Joe Carrigan: Right.
Dave Bittner: So...
Joe Carrigan: Yeah.
Dave Bittner: Let's say if that was - I'm just making up numbers here. I would say if that was a couple hundred bucks, these folks charge a couple of thousand bucks.
Joe Carrigan: I used to get this for domain renewals for a business I had once. And, you know, our renewal was up, and that cost 20 bucks a year. And these people wanted to charge me, like, $300 to renew a domain.
Dave Bittner: Yeah. Yeah. So I think it's a case where they're - they can go through some public records and...
Joe Carrigan: Right.
Dave Bittner: ...Find out when things are getting ready to expire. And then they use that. And they try to scare you, and they also try to look very official. And this sort of reminds me of that, so it's something to be wary of.
Joe Carrigan: Yeah. Absolutely.
Dave Bittner: All right. Well, hopefully someone out there maybe has received one of these postcards. They can send us a picture of it, and we can do some follow-up.
Joe Carrigan: I would love to see it.
Dave Bittner: Maybe you can chase it down, right?
Joe Carrigan: Yeah, absolutely. Send it to me.
Dave Bittner: (Laughter) All right. Well, it's a good story, and as always, we'll have a link to it in the show notes. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: Joe, our Catch of the Day comes to us from our "Hacking Humans" editor Tom. He makes us sound great every week.
Joe Carrigan: He's a miracle worker, Dave.
Dave Bittner: He's a very patient man; isn't he?
Joe Carrigan: Yes.
Dave Bittner: (Laughter) It takes a lot of work to make this show sound as good as it does every week. And...
Joe Carrigan: Yeah. While you, Dave, are the podcasting professional who does not have any problem doing this, I do this once a week with you, and then...
Dave Bittner: (Laughter).
Joe Carrigan: And it shows, I think.
Dave Bittner: Yeah. Yeah, mostly what Tom has to edit out is the sound of him banging his head against his desk...
Joe Carrigan: Right (laughter).
Dave Bittner: ...As he listens to us every week. So Tom got himself a fun email here, and he asked for us to include it. It's a good one. So here it goes. (Reading) Are you dead or alive? From the Federal Bureau of Investigation J. Edgar Hoover Building office of the director Christopher A. Wray - notice. We use this opportunity to confirm from you if you really have sent to your doctor as a representative. However, we received an email from one doctor, Mrs. Veranke Betki (ph), yesterday who told us that she is your private doctor and next of kin and that you died of coronavirus recently.
Joe Carrigan: (Laughter).
Dave Bittner: (Reading) Her contact details are here. Please confirm this immediately that you are alive. Note that we are bound to recognize Dr. Mrs. Verani Betki's (ph) claim. If you fail to promptly respond, we decided to write your email. And if there's no reply to this message from you within 48 hours, it will be assumed that her information is correct. Then we shall work with your representative and do what she has requested. An irrevocable payment guarantee has been issued by the United Nations and the International Monetary Fund on your payment. However, we are happy to inform you that based on our recommendation and instructions, your complete compensation fund of U.S. $4 million dollars shall be released to you through a secured, certified mode of payment. This payment is to help you fight COVID-19 and stand on your feet again for a better future. You are advised to follow this instruction strictly. Contact our agent. Best regard, Christopher A. Wray, director, Federal Bureau of Investigation.
Joe Carrigan: Dave...
Dave Bittner: Wow.
Joe Carrigan: This is fantastic. I love this.
Dave Bittner: (Laughter).
Joe Carrigan: I love this Catch of the Day. You know...
Dave Bittner: Yeah.
Joe Carrigan: Four million dollars would help us all fight the coronavirus a little bit better.
Dave Bittner: Yeah. Four million bucks - I could build a bunker and just...
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: Yeah. Who needs masks...
Dave Bittner: Yeah.
Joe Carrigan: ...When you have $4 million and enough...
Dave Bittner: Right.
Joe Carrigan: ...To go buy some land so that you don't...
Dave Bittner: Well...
Joe Carrigan: ...Get anybody within 100 feet of you?
Dave Bittner: I'll make - yeah. I'll make masks out of hundred-dollar bills.
(LAUGHTER)
Joe Carrigan: I love this. It starts off with someone says you're dead. It's a whole coronavirus, COVID-19 scam...
Dave Bittner: Yeah.
Joe Carrigan: ...That is just another Nigerian prince scam. You know, we have $4 million for you waiting. And then...
Dave Bittner: Right.
Joe Carrigan: They're going to charge you all kinds of fees, and you're never going to see that.
Dave Bittner: It's sort of grafted on to a standard - I mean, you know, the United Nations, the Monetary Fund, the $4 million...
Joe Carrigan: Right. Yeah.
Dave Bittner: All those elements existed before COVID. It's like they've sort of taken a little from column A and a little from column B. You even got the FBI in here, you know?
Joe Carrigan: Right.
Dave Bittner: It's just something for everyone here. So...
Joe Carrigan: It's great. The reason they do these preposterous emails is because they're looking for the people that will fall for it. They're looking for the people that will believe this email and respond to it. That is a person who's more likely to fall for the advance fee scams.
Dave Bittner: Yeah.
Joe Carrigan: So...
Dave Bittner: Yeah, absolutely.
Joe Carrigan: It's like a self-selecting sample.
Dave Bittner: Right. Right. Well, our editor Tom did not fall for it.
Joe Carrigan: No.
Dave Bittner: But we're grateful that he sent it to us, and that was a lot of fun. So that is this week's Catch of the Day.
Dave Bittner: Joe, it is very exciting to have Rachel Tobac back on the show.
Joe Carrigan: It is indeed.
Dave Bittner: Yeah. She's just a great guest. She - of course, she heads up a company called SocialProof, and she is a multi-time winner of Social Engineering Capture the Flag competitions.
Joe Carrigan: Yeah, Rachel is the real deal when it comes to social engineering. She is...
Dave Bittner: Yeah, absolutely.
Joe Carrigan: ...Amazingly talented at this. She is a master of the art.
Dave Bittner: Yeah, absolutely. So I reached out to her recently to get her insights on the recent Twitter hack, and she was gracious enough to come on and share her thoughts. Here's my conversation with Rachel Tobac.
Rachel Tobac: It came to my attention maybe an hour into the attack. I checked out my Twitter, and I saw former President Barack Obama had tweeted out a link to a bitcoin opportunity - is the way that he positioned it - where he said that he would double your money. And I'm thinking to myself, that's unlikely. I don't think that that's - I don't think former President Barack Obama is going to double my money. And then I saw that Elon Musk had tweeted it out, too, and I was like, OK. That's really strange. And people were starting to tweet things like, oh, none of them had MFA on their accounts, or an API was breached, or - just so many different things, so many different options were out there. And I'm thinking to myself, there is no way that former President Barack Obama and Elon Musk both do not have hardware MFA on their accounts. Like, that is just so unlikely. So using Occam's razor, I deduced a couple of predictions.
Dave Bittner: Where did you begin? I mean, what were your first suppositions of what might be going on?
Rachel Tobac: Well, I started from my position. So I started thinking, what would I have done as an attacker? And what I would have done as an attacker is I probably would have just tried to gain access to their accounts by leveraging some sort of, like, internal access panel, an admin panel or god mode we sometimes call it at a company. And a lot of times, I do that when I'm hacking just by calling customer support. So I might call customer support, gain access to their credentials and just log in and then change the things that I want to change on the backend myself. So that was a prediction that I made, and folks were like, I don't know. I think it was probably an API thing. And I was like, maybe, but I don't know. The simplest explanation is sometimes the easiest, and it's just what the attacker does.
Dave Bittner: So as time went on and we started to get more information about this and as Twitter themselves started to be able to wrap their hands around what was going on, what was revealed? What turned out to be the case here?
Rachel Tobac: Well, it turned out that my prediction had some merit. It turned out that an individual - I believe he was 17 years old, so he was a minor at the time of the attack, at least - he ended up calling a Twitter employee and customer support and pretended to be a tech support individual at the company. So he pretended that he worked at Twitter as well and, by just pretending to be tech support, ended up getting access to their username and password. My guess is they likely phished out, like, a 2FA cred or a code or something like that, but we don't have confirmation on exactly what they did there to bypass MFA. Twitter does hold the claim that they have MFA on those accounts, so my guess is it probably wasn't hardware, probably not a YubiKey. And then from there, they got logged into the account, and they performed those password reset flows where they were able to take control of the accounts by changing the email address on the admin panel.
Dave Bittner: And how has Twitter responded to this? Which sort of lessons do you think they've learned on the inside?
Rachel Tobac: Twitter has actually been amazing in their response. I personally was very impressed because they were very transparent with what happened. They were transparent about the methodology that the attacker used, which we very rarely see in these data breaches. And they were very transparent about the fact that they made a mistake, that - I think it was over 1,500 people - more than 1,000 Twitter employees and contractors had access to the internal tools to change those user account settings.
Rachel Tobac: And a lot of companies wouldn't admit that, you know? They'd say, well, you know, it's unlikely, but it happened. But Twitter is really taking ownership and saying, yeah. We think too many people had access at the admin level, and we're going to change that. And we're going to update the way that we do our security. Now, of course, they're not going to tell us exactly the nitty-gritty of what they're going to do, but my guess is they're probably going to move to hardware authentication for MFA rather than maybe a two-factor code that can be phished.
Dave Bittner: Now, one thing that struck me while I was watching all of this sort of play out in real time is that you were one of a handful of voices of reason on social media - and I'm thinking of Twitter in particular - who were saying, folks, let's - you know, let's back up. Let's let the information come in here. Let's not get ahead of ourselves. And I was hoping you could provide some insights into that approach, into how you approach an event like this when it's happening in real time, when, you know, emotions are high. Everybody wants to sort of jump into the fray. How do you hang back and allow, as you say, you know, Occam's razor to sort of take the lead in the way you approach things?
Rachel Tobac: I would say some folks would probably disagree with you and think that I jumped in too fast. But I think the big difference between what I was doing and what we might have been seeing online is that I was making predictions, hypotheses, and really being clear with the fact that we do not currently know the answers, but we can predict. We can make some hypotheses based on our knowledge of how attackers think. So I was trying to be really, really clear with folks, especially the media who was reaching out to me, that we do not know what happened. We can't say what happened with any level of certainty, but we can guess, with an educated background, of what we think might have happened to inform some of the communication that's going out and maybe quell some of the panic.
Rachel Tobac: The big things that I was getting asked - like, I did, I think, 20 different media interviews on the 15th of July - is, is this a nation-state actor? Like, are they trying to take over our politicians? Are they going to disrupt our election? Is all of our money stolen? Like, all of these really intense things - and just to be able to say - listen. We don't know if it was a nation-state actor. Signs are pointing to probably not. You know, if I were a nation-state actor, would I blow this exploit, this amazing admin panel exploit, on a bitcoin scam? Probably not. I would probably wait until the election and then call off the election from a politician's account, right?
Rachel Tobac: I would probably - if I were a real malicious person, I'd probably try and start World War III. I would take over accounts for, you know, leaders across the world and have them fight with each other and really escalate that. If I were really malicious, that's probably what I would do. Now, of course, it's malicious to take over accounts, but it's not that level of maliciousness where they're trying to incite violence or war. It's just, I'm looking to get some money quick. That points to more teenager behavior, and there were a couple other things that showed that it was more in the teenager direction rather than the APT direction.
Dave Bittner: I think it's a really important point that you bring up here - and you've said it a couple times - and that's the willingness to say, I don't know. And I think that's something that - particularly online, that impulse is not often rewarded.
Rachel Tobac: (Laughter) Yeah. I think we saw a lot of people try and say, like, oh, I think I know what happened, or, we know what happened. They really don't. Even now we only can go off of what Twitter admits happened, and even that might not be correct. And so we have to say that Twitter claims this happened. It's just, like, that type of language is really important to be clear on. A lot of times we just don't know the answer. We can make hypotheses. We have reporting, but we are only reading those claims. We don't know for sure.
Dave Bittner: You know, looking back, now that we've had some time to sort of have this event settle in, do you have any thoughts on how it informs things as we go forward, any lessons learned here?
Rachel Tobac: Oh, yeah. Absolutely. There's so many lessons that I think we've learned, and I think some of the big things are that we can't just stop insider threats or social engineering with training alone. So many people are like, see? This really goes to show how much training we need. And that doesn't solve the issue in and of itself. There are so many things that we need. We need to make sure that we have protocols in place - you know, maybe, like, two eyes or four eyes to make sure that two people are able to make that request before it goes through. Like, for instance, can you imagine if you had to get two Twitter employees to say, sure, we'll change the email on former President Barack Obama's account before actually having it go through?
Rachel Tobac: We need so many more technical tools. Like, we need endpoint management. We need to make sure that, like, if you get access to the credentials, do you have a trusted device that's logging in with those credentials? I, as an attacker, probably shouldn't be able to use the credentials to log in. And things like IP restrictions are really tough under COVID-19, but those types of things can really be useful when people are working on their home networks.
Rachel Tobac: And in addition to that, we have to make sure that we're treating people well and paying them well because, you know, if you have an insider threat and they're - you know, they're handing out their credentials like candy or they're being bribed, it's important to make sure that we don't just try and put technical tools in place, but we have to also have the human tools. They have the money that they need, so they're not interested in a bribe. Something like that is useful, too.
Dave Bittner: Was it surprising to you that there weren't more of these sorts of things in place from the get-go?
Rachel Tobac: Well, I'm just going to say exactly what we've been talking about. We don't know if they weren't in place at the get-go.
Dave Bittner: Good point.
Rachel Tobac: Yeah, we don't know. It's very possible that they were doing all of the suggestions that I recommended, and it still didn't work. So I can't really comment to that, but I can say that we know many organizations out there do not take these steps. They might not have hardware MFA. They might not have social engineering training with up-to-date examples of how exactly it happens, not just over email but also over the phone, which is a big limitation of a lot of trainings now, and also making sure that we have all of the technical tools to back up if a person inevitably makes a mistake, which is, of course, bound to happen. Twitter might have been doing this. They might not have. But we do know that it's a learning point for every organization, regardless of whether or not they're currently doing it. So just keep it up.
Rachel Tobac: The one thing that I think is interesting that people haven't talked about a whole lot is the whole nation-state actor thing. There is a big joke going out - around on Twitter that was APT - in this specific scenario, stands for APTeen. In this case - that is true. I want to make sure I can attribute that, but I don't know who started the joke because it just got copied a bunch.
Dave Bittner: Right.
Rachel Tobac: But yes, in this case, it was not - you know, we don't know for sure, but the main actor was just a Florida teenager, right? It's not North Korea. It wasn't China or anything like that. So while it's possible they could have had involvement, we don't know that yet. And I do think it's really interesting because a lot of people were like, you know, who else would go after politicians' accounts? It's got to be a nation-state actor. And I said, well, let's look at the details here. We do have some screenshots from an individual who received DMs from Geert Wilders' compromised account, the politician from the Netherlands. And we saw some really interesting things and we did some Google Translate to find out that the DMs that that young woman received said, hey, what's your Snapchat? What's up? You're hot.
Dave Bittner: (Laughter).
Rachel Tobac: Does that sound like a nation-state actor? Maybe. Is it more likely that it's a teenager who thinks somebody is attractive and wants access to their Snapchat username? Yeah, that sounds more likely to me.
Dave Bittner: (Laughter).
Rachel Tobac: And so we just kind of have to use Occam's razor here to think about - you know, a lot of people were like, well, that could be a false flag. And, sure, it could be a false flag, of course. As an attacker, I could take the time to DM people and ask them for their Snapchat and tell them that I think they're attractive. Of course, that's possible. But what is more likely? What's more likely is that that individual was a teenager, wanted access to their Snapchat and knew they had about 10 minutes on the account before it was going to get shut down, so they went ahead and did that. I probably wouldn't spend my time planting false flags. So, yes, again, it's possible but unlikely. And we just have to move forward with that.
Dave Bittner: I wonder sometimes if we've got a little bit of that boy crying wolf situation here in infosec in general where, you know, we see it play out so many times. A breach occurs and the PR folks from whatever company got breached say we're convinced that this was a sophisticated actor who, you know, this - it's sort of back to your point about a nation-state, you know, and there was nothing that could be done due to the sophistication of this actor, you know, and OK. Like, again, it may be but probably not, you know? And so I think we've just - I mean, am I off base here that we've gotten to the point where when we hear organizations say that, I think - for me personally, I kind of roll my eyes a little bit and say, OK, I understand. You're trying to provide cover. You're trying to, you know, make it seem - you're putting the best face on this. You're spinning this, that there was, you know, no way anybody could have defended against this. But really?
Rachel Tobac: Yeah. Yeah. We hear that a lot. That's like a knee-jerk first reaction is the word sophisticated is used in almost every press release - a sophisticated actor. I think we saw that in the case of the Twitter announcement as well - a coordinated, sophisticated social engineering attack. And while it was coordinated - they did likely coordinate on Discord from what we're seeing - it doesn't necessarily mean it's sophisticated. Social engineering somebody and calling to gain access to credentials while pretexting or pretending to be IT support, I wouldn't call that sophisticated. The things that I do are interesting, but I wouldn't say they're so hard that the average person couldn't do them. We do know that it's possible to defend against this stuff, too. We need to have least privilege. That means limited admin access. We need to have software to detect aberrant behavior. You know, if you're changing 15-plus emails on an admin panel in two minutes when you're really supposed to be doing that maybe once a day, then that's probably going to raise some red flags, and it probably should have sooner. We need to audit who has access. We need, you know, four eyes or two-person sign off. We have to treat people well and fairly. So while a lot of times we say it's a sophisticated actor and there's nothing that could have been done, many times it's less sophisticated than we think. And there's probably something that could've been done.
Dave Bittner: All right. Joe, what do you think?
Joe Carrigan: Again, I love having Rachel on the show.
Dave Bittner: Yeah.
Joe Carrigan: I am a huge fan of hers. She provides some unique insight into this Twitter hack. And one of the things I really like about her approach is she takes this approach of we don't really know what happened and when media companies are calling you, it takes a lot of mental discipline to not be speculative, right?
Dave Bittner: To not be the expert who has the absolute definitive answer.
Joe Carrigan: Exactly. It takes a lot of restraint, I'm going to say, to say we don't exactly know what happened here. And I think that that's right, and I think that Rachel handled this exactly right. And that's why I didn't cover this story until The Wall Street Journal put that story out there in last week's episode. I really wanted to discuss this story because I knew there had to be some kind of social engineering portion to it or there probably was some kind of social engineering portion to it. I wanted to know how they did it, but we just didn't have the information.
Joe Carrigan: I think that Rachel's guess on what the MFA on the internal account that was accessed was not software - you know, when she talks about - that somebody social engineered the multifactor authentication token out of somebody, that that means it wasn't a hardware token, that's correct. I think that's right because The Wall Street Journal article I talked about last week mentioned that the 17-year-old kid did a SIM swapping attack, which says to me - and this is, again, speculation, but what I think that probably was was this person got some login credentials but then encountered two-factor authentication via SMS and then switched the SIM so they could get that SMS code sent to their phone. And then once they got that, they were in. They were able to establish a foothold.
Joe Carrigan: Also, she makes a great point here about what if this wasn't just this 17-year-old kid? What if it was a nation-state actor? What kind of havoc could they have wreaked? What could they have done? The speculation that it was a nation-state actor when they're operating a bitcoin scam and they're sending direct messages to get people's Snapchats, that doesn't seem like - I agree with Rachel 100%. That does not seem like something a nation-state actor would do. A nation-state actor would realize the opportunity that they had here. And like I said last week, I think this kid blew his opportunity when he did this bitcoin scam. But at the same point, I'm glad he did because that's what got him caught and that's what lets Twitter go through and do an audit of their security policies.
Dave Bittner: In a way, they dodged a bullet.
Joe Carrigan: Yeah, exactly. They dodged a bullet. They got out of this really potentially devastating hack with just a little bit of embarrassment for a bitcoin scam. Not - that is the exact - you're exactly right. They dodged a bullet. I'll come back to multifactor authentication in a second. But I like - she uses the term Occam's razor a lot, which is a very old philosophical technique. I like to refer to it as the Scott Adams "which is more likely" test. I can't remember which one of his books he talks about that in. Scott Adams is the author of "Dilbert," but he's also written a number of books where he talks about organizational philosophy. And he's not necessarily an expert in this. And when Scott Adams is talking about it, he says it's the "which is more likely" test. Is it more likely that A has happened or more likely that B has happened?
Joe Carrigan: In this case, when - what Rachel's talking about here, is it more likely that this is a 17-year-old kid asking some girl on Twitter for her Snapchat address or is it more likely that it's a nation-state actor? If you look at a lot of things that way where you have - where you're missing information, it really helps you get a handle on it. And you can start acting in accordance. But, you know, remember, you don't have all the information, so don't act too rashly.
Joe Carrigan: Now, back to the levels of multifactor authentication. I like to talk about multifactor authentication. I say that's the one thing you should put on all your accounts if you can. If it's offered by the service that you're logging into, do it. Use any level of multifactor authentication they offer because any is better than none. When I'm giving talks, I talk about four types of multifactor authentication from least secure to most secure. And the least secure version is SMS texting. Those are just text messages you get. And they are the least secure for exactly what happened at Twitter here. Somebody at Twitter had their SIM swapped out, and somebody got access. And here we see a failure of SMS texting. But if it's the only thing that's available, you should still use it.
Joe Carrigan: More secure than that, there are two of them I kind of group together, and they are the one-time passwords or time-based password codes or time-based codes. I can't remember what the acronym is right now. But the first one is one where you get a seed displayed on a webpage, and then you can take a picture of it with an app like Google Authenticator or Microsoft has one. And that generates a one-time password or a time-based password code rather so that you have to enter, like, a six-digit code once you enter your username and password. It's more secure if you can actually get a device that has that. There are a number of manufacturers out there like RSA that have the little tokens that you've seen that show you a number, and that's all you see is the number. And those are about the same level of security.
Joe Carrigan: I say the little pieces of hardware that display the number to you are slightly more secure than the app on your phone simply because that seed has never really been transmitted across the internet. It's been done presumably at some other location in a more secure environment than you may have. I would say they're about the same level. And then finally the most secure level is using a hardware token like a YubiKey that Rachel mentions. I have a couple of those. They're great. I want to make sure that I say this to everybody. Don't buy one YubiKey. Buy two. And keep one of them...
Dave Bittner: It's a pair, a matched pair.
Joe Carrigan: Right. Set up your two-factor authentication with both of them wherever possible, and then put one of them in a safe place because if you lose the other one, if you lose the one that you carry around with you - I keep one on my backpack. If I lose that, I still have access to all my passwords and all my accounts because I have a backup hardware token. A lot of cloud services offer their own solution as well. Those may just be rebranded YubiKeys. Who knows? But the hardware token - the physical hardware token that you plug into your USB port and take with you is the single best way to protect yourself. It makes it very, very, very difficult for someone to break into your account.
Dave Bittner: Yeah. And they're pretty easy to use. I mean, they are - (laughter) this may sound like faint praise, but they're only occasionally a royal pain in the butt (laughter).
Joe Carrigan: Right. They are remarkably easy to use.
Dave Bittner: All right. Well, again, we appreciate Rachel Tobac coming on the show. She...
Joe Carrigan: Yeah, it's always great to have Rachel on.
Dave Bittner: Yeah. The name of her company is SocialProof, and she does a lot of security training and just a great person to have out there fighting the good fight when it comes to these sorts of things. So, again, Rachel, thanks for taking the time for us.
Dave Bittner: That is our show. We want to thank all of you for listening. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.