Hacking Humans 10.8.20
Ep 119 | 10.8.20

Don't click any button...even the 'No' button.


Caleb Barlow: The new thing to worry about isn't that they lock up your data. It's not that they release your data. It's they change your data.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week and, later in the show, my conversation with Caleb Barlow from CynergisTek. He's reacting to that recent story of the tragic death of a woman due to hospital ransomware. 

Dave Bittner: Joe, I'm going to kick things off for us this week. I've got a story about some adware that it seems has taken a turn for the even worse (laughter), if you will. 

Joe Carrigan: Yes. One of the things we often say in security is, don't ask how this could get worse because there's definitely a way this could get worse. 

Dave Bittner: Right, right. It could be worse. 

Joe Carrigan: Right, it's worse. 

Dave Bittner: So this is a - story comes from ZDNet. This is written by Catalin Cimpanu. The title of the article is "Linkury Adware Caught Distributing Full-Blown Malware." And the story here is that this thing called Linkury, which is an adware operation, they're mostly known for distributing this thing called the Safe Finder widget - the ironically named Safe Finder, which... 

Joe Carrigan: If you put safe in the name, people are more likely to agree to it. 

Dave Bittner: That's right. So this Safe Finder widget sells itself as being a way to securely search on the internet, but what it actually does is it installs adware on your computer, and it has the capability of doing other things. 

Joe Carrigan: Right. 

Dave Bittner: I will note that - I believe, as I've mentioned on our show a while back - I actually had found that my father had fallen victim to this. 

Joe Carrigan: Really? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: This specific strain of adware? 

Dave Bittner: I don't recall if it was actually Safe Finder, but it was the sort of thing that they're famous for. You know, if you brought up a new search, it - up popped a search window that bore a striking resemblance to Google Search. It had all the same colors, the same look and feel. But it wasn't Google. 

Joe Carrigan: Right. 

Dave Bittner: It was another organization, and they would pop up ads. And let me tell you, it was a pain in the butt to get off of his Mac. It did not want to let go. 

Joe Carrigan: I remember you talking about this. 

Dave Bittner: Yeah. I mean, it took some doing. So these folks are - have been up to similar things. And, you know, I guess in the realm of bad things you can have happen to your computer, adware is probably near the bottom. It's more of a nuisance than a real threat, right? 

Joe Carrigan: Right. 

Dave Bittner: I mean, they're just popping up ads, and that's how they make money. Well, it turns out that the folks who make this Safe Finder widget, these folks from Linkury, are up to no good. They're not just distributing that. They're distributing full-blown malware onto your system - stuff that can do key-logging, can look for information, copy it out of the system. Worth noting that this Linkury extension runs on Windows machines. It runs on Macs as well. It does everything it can. 

Joe Carrigan: So it's cross-platform, and it's malware distribution now. 

Dave Bittner: Yep. Also, it's pretty sneaky. Like, if you click through - you know, when a program pops up and it says, do you want to continue the installation, and it gives you a yes or no, if you say no, it installs anyway (laughter). 

Joe Carrigan: Right. The no - here's the thing that is true on the web, but it's also true to a lesser extent - but when you're talking about malicious software, software that's designed with malintent, just because that button says no on it doesn't mean that that's what's going to happen when you click on it. That event is defined in the code. And as the developer, you can have it do whatever you want whenever the user clicks no. 

Dave Bittner: Yeah. 

Joe Carrigan: You can even have it do whatever you want when the user clicks the exit - the little X up in the corner or the red dot. 

Dave Bittner: Right, right. 

Joe Carrigan: Maybe not the red dot with Apple. I shouldn't say that because I don't know that's the case with Apple. 

Dave Bittner: Yeah, yeah. I don't - I suspect it probably isn't, knowing what I know about how that works. 

Joe Carrigan: Right. 

Dave Bittner: But better safe than sorry. 

Joe Carrigan: Yup. 

Dave Bittner: And I - also, I think in terms of alerting your friends and family, your loved ones, all that sort of thing, that these sorts of things usually happen because someone will be minding their own business browsing on the web, and they'll get a pop-up message that says, oh, we've discovered that your computer is unsafe. You know, here's a - good news. Here's a way to fix it... 

Joe Carrigan: Right. 

Dave Bittner: ...By installing... 

Joe Carrigan: We got the problem for you. 

Dave Bittner: Yeah, by installing this little extension, you'll be able to be sure that you're only surfing to safe places. And that sounds good. 

Joe Carrigan: It's a typical con game, right? You have a problem. I have the solution. Let's get this fixed. 

Dave Bittner: Yeah. 

Joe Carrigan: I can help. 

Dave Bittner: Interesting article. If you want the details here, of course, we'll have the link in the show notes. But I think the bottom line here is to spread the word that these sorts of things are out there. You know, we all know who those vulnerable folks are in our lives. Just remind them that if they get those sorts of pop-ups, they - just don't install anything. Just always say no to installing those sorts of free things that say they're going to help protect your computer. Most of the time - I'd say the vast majority of the time, they're up to no good. 

Joe Carrigan: Right. Remember the Brian Krebs rule. If you didn't ask for it, don't install it. 

Dave Bittner: Good advice. 

Joe Carrigan: Yep. 

Dave Bittner: All right. Well, that's what I have this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Luke Leal at Sucuri. It's a blog post they have. And someone is trying to phish AT&T employees and contractors and resellers and government people as well. They have a landing page that looks identical to the AT&T login page, and they are looking for usernames and passwords, including one-time passwords. 

Joe Carrigan: OK, now these one-time passwords are like a multifactor authentication, but sometimes they can be used just as the password. You use a - like a PIN and then a time-based password code...

Dave Bittner: Right. 

Joe Carrigan: ...That shows up either on a device or on an application. Once the user enters their username and their one-time password or their password in this phishing site, the credentials are sent off via a Telegram API to someone who then uses them to log in, right?

Joe Carrigan: Now, here's the thing. They have to do it quickly because these are time-based passwords, so they have to almost instantaneously respond. So I'm betting that there's some kind of automation on the back end of this that just goes ahead and logs in and gives the attacker access to the AT&T account. 

Joe Carrigan: This is really dangerous because they're going after AT&T and they're phishing the employees. They're probably trying to gain access to the internal systems of AT&T, probably so they can do things like SIM swaps, which would further allow them to intercept SMS codes directly without having to socially engineer them with a landing page like this. 

Joe Carrigan: There's no information in the story about whether these people have been successful. There's also no indication about how they're distributing phishing emails or trying to get people to come to the page. What's interesting is that over at Sucuri, they have found this page and that they've highlighted it, and that's good work that they're doing. 

Joe Carrigan: But I wanted to talk a little bit about multifactor authentication or about these time-based passwords. In multifactor authentication or other means of authentication beyond username and password, there are two levels that we talk about. I talk about there being four different types of it, but really, three of those types get grouped into one level, and that's the one-time password type, right? So this is a code that you were either sent via SMS, which is the least secure method. You can have a software token generated like Google Authenticator or Microsoft Authenticator, or you can have a hard token, like RSA SecurID or HID's ActivID. 

Joe Carrigan: The soft tokens and hard tokens use pretty much the same underlying technology. The difference is that, presumably, the hard token was assembled and taken care of in a secure facility and distributed to you without anybody else intercepting it. With a soft token, the seed for the number generator has to be sent across the internet somehow, and that connection is usually secure, but if it's not secure, someone can intercept it. 

Joe Carrigan: So these are all the different one-time passwords, and they're pretty secure. They're better than nothing, but they can absolutely be socially engineered out of you using this technique that these attackers are either using or planning to use right here. This is exactly why they are not the best at protecting you and protecting your account from takeover. 

Joe Carrigan: The other level is encryption, some kind of built-in encryption infrastructure. For example, there's the Universal Two-Factor, which is developed by the FIDO Alliance, and YubiKey is one of the products. This is actually a physical token that you hold in your hands that has very little user interface. It's not a really technically difficult thing to do. It's - you stick this thing in your USB port, and when the light comes on and the website tells you or whatever service it is tells you to click it, you just touch a button on the front of the device, and that's it. And it does a challenge-response, which is a cryptographic way of making sure that nothing is being replayed and that you have the proper keys to authenticate yourself. 

Joe Carrigan: There is another one called SQRL that was developed by Steve Gibson that's very similar. It uses public-key encryption and zero-knowledge proofs. And actually, SQRL might actually get rid of not only passwords, but also usernames. And you just become a key identity on the internet. And if your public key is stolen, no big deal - right? - because that's a public key. Anybody can see it. 

Joe Carrigan: Your private keys, just like with the Universal Two-Factor, those are the keys to the kingdom, and those are fairly easy to keep private. Particularly with the example of the Universal Two-Factor device, when you pull that thing out, those keys are now physically disconnected from your computer. They're air-gapped. 

Joe Carrigan: I'd like to see more websites use Universal Two-Factor or SQRL to authenticate the users. But once again, we're seeing why the one-time passwords here are not the best form of multifactor authentication. I'm going to say this again. If they're the only thing that's available to you, use it. 

Dave Bittner: Yeah. 

Joe Carrigan: But you still have to make sure that you're on the right webpage when you're submitting this information because if someone collects this information from you and they are fast enough, they can log in to your account with that information and take over control. 

Dave Bittner: Way better than nothing, right? 

Joe Carrigan: Right. 

Dave Bittner: I mean, way better than nothing. 

Joe Carrigan: Absolutely. 

Dave Bittner: All of these are way better than nothing. 

Joe Carrigan: Way better than a password. 

Dave Bittner: Yeah, yeah. You know what strikes me about this is that - you know, in my own life, in my own using of multifactor authentication, where I can use it, I do use it. And thanks to things like using a password manager, which I know you're a big fan of - actually, you're one of the ones who turned me on to it from the outset. You've been using them way before I was. It strikes me that there are a couple of ways that dealing with these multifactor keys can work. You know, as you say, for example, the simplest one is somebody sends you a text message with a six-digit code. You enter that code in either a webpage or on your mobile device or something like that, and that's the second factor. 

Joe Carrigan: Right. 

Dave Bittner: Well, as this story points out, there are weaknesses to that because if someone is using social engineering and you're on a different page than the one you think they are, they can just get that code, and then they can log in. 

Joe Carrigan: Right. 

Dave Bittner: What strikes me is that, you know, some of the other tools that I use - for example, the password manager that I use built into it has the option of - you know, something will just pop up on my phone and say, hey; is this you? Did you just request this? 

Joe Carrigan: Right. 

Dave Bittner: And all I have to do is click yes. There's no code number. You know, it's the fact that I'm the one holding my phone that has already been, you know, authorized as a secure device. That it is in my hand - that's what does the authorization. So there's no code exchanged. I'm not putting anything into a website, into a form or anything like that. It's using the fact that it knows that phone is mine. I'm the one who has it, and it's in my hand. That's the second factor. And that strikes me as a different thing that it's - I love it because it's so simple. And it takes away this thing that you're describing here, where someone can get your second factor code by fooling you. 

Joe Carrigan: Right. Well, if you think about the workflow of this attack, I log into what I think is an AT&T webpage, right? Let's say AT&T had a similar app on my phone. I go ahead, and I log in. I enter my one-time password. The attacker goes ahead, and they log into my account. On my phone, I see a thing that says, was this you? And I say, well, yeah, that was me because - you know. But it's still vulnerable to the exact same social engineering attack. 

Dave Bittner: Right. 

Joe Carrigan: Again, it is another good version of multifactor authentication. It's one that I didn't list in my list. It would be, you know, the device that you have. That's pretty good. But I think it's still susceptible to a social engineering attack particularly if you were expecting to have logged into a service. 

Dave Bittner: Yeah. Well, as we always say, you know, constant vigilance, right? 

Joe Carrigan: Constant vigilance. 

Dave Bittner: Constant vigilance. But if you have the opportunity to use multifactor, use it. If something... 

Joe Carrigan: Use it. 

Dave Bittner: ...Is important to you, use it. 

Joe Carrigan: I'm not... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Disparaging multifactor. I'm not disparaging the soft tokens or the hard tokens as being exponentially better than having nothing at all - just a username and password. A username and password is so easy to brute force. Particularly if you don't practice good password hygiene, you're pretty much pwned (ph) out of the box, I guess. 

Dave Bittner: Yeah. All right. It's a good story, and, of course, we'll have links to it in our show notes. But now it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Jack (ph). He was interacting with a scammer on OfferUp - which is a, you know, sell-your-stuff service - who claimed to have an RTX 3080 for sale... 

Dave Bittner: What's that? 

Joe Carrigan: ...For 750 bucks. Oh, Dave, you don't know what an RTX 3080 - that is the latest in video graphics card... 

Dave Bittner: Oh, OK. 

Joe Carrigan: ...That came out earlier in September. 

Dave Bittner: (Laughter) I see. 

Joe Carrigan: The retail price is $700, but you cannot find them anywhere unless... 

Dave Bittner: Oh. 

Joe Carrigan: ...You go to eBay and you're willing to pay somewhere between $1,600 and $1,800. 

Dave Bittner: Oh, wow. 

Joe Carrigan: Right? So these things... 

Dave Bittner: So if you're a gamer... 

Joe Carrigan: Yep. 

Dave Bittner: ...This is an object of your desire. 

Joe Carrigan: If you were looking for a new graphics card, the 3080 is a good price point at $700. And somebody is selling it to you for just $50 over retail. How generous of them. 

Dave Bittner: Right. Sure. 

Joe Carrigan: This is a chat in the OfferUp chat interface where this person is trying to get Jack to pay for the ad. Why don't you play the part of the scammer, and I will play the part of Jack? 

Dave Bittner: All right, here we go. (Reading) Well, hey there. Do you have CashApp? 

Joe Carrigan: (Reading) Not using CashApp. There's no buyer protection. 

Dave Bittner: (Reading) They have buyer protection. I can send you the article. 

Joe Carrigan: And he sends a link that goes to - that's a redirect link from OfferUp. And then, of course, OfferUp immediately says, be careful when opening websites that strangers send you, which is great security on OfferUp's part. Thank you for that, OfferUp. That's good. And Jack says, (reading) sure. 

Dave Bittner: (Reading) Read it. It's the official website. 

Joe Carrigan: Jack says, (reading) can you send me an invoice? 

Dave Bittner: (Reading) What do you mean - like, proof you paid for it? 

Joe Carrigan: (Reading) That is the process. I would rather use PayPal with invoice, and if you want, I'll pay the fee for you using PayPal. 

Dave Bittner: (Reading) Send the money. I send invoice. Then I'll ship it with one to two day. 

Joe Carrigan: (Reading) On PayPal? 

Dave Bittner: (Reading) CashApp. I'll cut you $25 off. 

Joe Carrigan: (Reading) No. Again, I'll pay the extra fee they charge you. CashApp does not have buyer protection. 

Joe Carrigan: And then the attacker - this malicious actor sends the link again, and Jack responds. (Reading) The article you sent is for use of CashApp debit card transactions. 

Dave Bittner: (Reading) Read this. It's from the official website. Yeah, you will pay with a debit card, right? It's like how credit card companies offer protection. CashApp will provide it for debit cards. 

Joe Carrigan: (Reading) Again, I will pay you the extra 3% charge with PayPal. 

Dave Bittner: (Reading) Seven-twenty, CashApp. You get protected. I get protected. People on PayPal can just say the item didn't arrive, and PayPal always sides with the buyer - not trying to lose $750. 

Joe Carrigan: (Reading) Again, CashApp does not have buyer protection. A CashApp money transfer is transferred from a CashApp account. 

Dave Bittner: (Reading) CashApp does. There's literally a refund button. 

Joe Carrigan: (Reading) Yeah, the refund button is for the receiver of the funds. I can request a refund, but you would have to approve it. 

Dave Bittner: (Reading) How about you place a deposit for this card, maybe 40%? And then once you get the card, you pay the rest. 

Joe Carrigan: (Reading) Again, I'll pay the extra on PayPal. Or you can update the amount via this app, and I'll pay that. 

Dave Bittner: (Reading) Hey, man – 40% or nothing. Not doing PayPal. 

Dave Bittner: (Reading) Forty percent of what? 

Joe Carrigan: (Reading) Pay three hundred dollars. Once you get the card, pay the rest. 

Joe Carrigan: (Reading) Have a great life, scammer. And that's where it ends. 

Dave Bittner: Hey diddly do. 

Joe Carrigan: That's a good voice. I like it. So thank you, Jack, for sending that in. That was a great Catch of the Day. 

Dave Bittner: Yeah, that's a good one. So, I mean, what do we think is going on here? Just a straightforward kind of take the money and run? 

Joe Carrigan: Exactly. This is a take the money and run scam. There is no graphics card that someone is selling you for $750. If they wanted to sell it, they would sell it on eBay for the $1,600 that other people are charging on eBay and probably getting. Me - what I would do is I would be buying - if I really wanted a GTX - or not GTX - RTX 3080, I would wait until it was available from a reseller, you know, like Amazon or NewEgg or Best Buy or something...

Dave Bittner: Yeah. 

Joe Carrigan: ...Before I would pay somebody else for it. What these people are doing is they're scalping these video cards, essentially, just like we used to do with concert tickets - or they used to. I never did that. 

Dave Bittner: (Laughter). 

Joe Carrigan: I never scalped concert tickets. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But... 

Dave Bittner: Video cards are the new currency, right? 

Joe Carrigan: Right, exactly. They're the new concert tickets. 

Dave Bittner: All the kids are using it. Yeah. All right, well, that is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Caleb Barlow. He is the CEO at CynergisTek. He's a regular guest over on the CyberWire. His company deals with a lot of security of places like hospitals. And so when we had this story come by about the tragic death of a woman over in Germany due to a hospital getting ransomware - it's the story of - she was redirected to another hospital. And in the time it took for her to get to the other hospital, they were not able to save her. I wanted to get Caleb's take on it. This is a world that he's familiar with. Here's my conversation with Caleb Barlow. 

Caleb Barlow: Cybersecurity professionals are always focused on these kind of marquee events where kinetic impact comes into play. We always say kinetic impact, so it sounds fancy. But look. I mean, this is a very tragic event. Like, literally, someone died. And they died because the hospital they were headed to was locked up with ransomware, and they had to divert patients. And we can talk a little bit about why they had to divert patients. 

Caleb Barlow: But I think the fundamental thing we have to understand here is in emergency medicine, there's this concept called the golden hour. And the idea is that an emergency medical professional - their prima-facie duty is to get a patient to a higher level of care, i.e. a hospital or a trauma center or a stroke unit or whatever it is they need in under one hour from the time they dialed 911. And when you get in the way of that - statistically speaking - you break that golden hour - the death rate grows dramatically. And, unfortunately, that's exactly what we saw in this case. 

Dave Bittner: Now, this is your world, you know, securing medical facilities, medical systems. I mean, that is the center of your bull's eye. And I'm wondering, can you provide us with some insights as to what goes on within a hospital, within an emergency facility when they find themselves in a situation with ransomware? 

Caleb Barlow: It is my world on two fronts, Dave. On one front, I'm the CEO of a company that focuses on protecting about a thousand hospitals in the United States. On the other hand - and this is probably a little less known - I literally grew up in a fire station at a very young age. I was an EMT by the age of 18. I had a 15-year career working EMS. So this hits very close to home. And, you know, the thing you have to understand in an emergency medical situation is you're responding because something has gone very wrong. Like, it's the worst day in someone's life and you show up at the door, and it's your job to try to fix it or at least reduce the risk of that. So one of the primary things you're looking at is, how fast can I get this individual to a higher level of care, whatever that is that they need? And, of course, when something stands in the way, that's a problem. Well, what's really going on in the hospital? Well, think about what happens. You know, many of your listeners have probably been to the hospital or doctor's office at one point or another. The first thing that happens is you show up and triage, right? What's your ailment? What's happening? And they're asking questions like, what's your medical history? Do you have any... 

Dave Bittner: What's your insurance? 

Joe Carrigan: Well, yeah, what's your insurance comes in. 

Dave Bittner: (Laughter). 

Caleb Barlow: But also, Dave, probably more importantly, what are your allergies? You know, has this ever happened before? Oh, this is your third heart attack, Mr. Bittner. 

Dave Bittner: Sure, sure. 

Caleb Barlow: Well, you know, that plays directly into the treatment because there's a lot of aggressive treatments you can do that if there's contraindications, could kill somebody. So what a hospital does when they're locked up with ransomware - they can't access their medical records. There are no paper records anymore. They can't see what drugs you're on. They can't - you know, medications you're on. They don't know if you have any allergies. And not only that, their process slows down because all the documentation, all the patient routing, the flow is all done electronically. So the safest thing for them to do is start to divert patients and start to shut down non-emergency care. And that's exactly what happened in this case. They started diverting their ER, which, by the way, there are procedures in place to do. You know, ERs divert all the time, but usually due to patient load not - or, you know, a mass casualty incident, not because they're locked up with ransomware.

Dave Bittner: You know, it strikes me - and I've never really thought about it this way. But a team of people at a hospital, a group of people who are used to having grace under pressure, who are used to being, you know, cool characters when things are against them, are they, perhaps, better equipped than your average person to deal with a ransomware attack because they're less likely to panic? 

Caleb Barlow: Well, you and I have talked many times about crisis decision-making and how different that is from normal boardroom decision-making. I will tell you - and I know this from years of working in a cyber range - there are two roles that are just incredibly adept at dealing with crisis situations, health care workers and people that have had past military experience. So yes, health care workers are very good at working in a crisis, right? You know, that's what happened here - crisis situation in Hospital A, let's move people to Hospital B. 

Caleb Barlow: In fact, I was talking with some clients that were telling me about a situation where a hospital was locked up with ransomware. And, of course, there's surgeries going on. Remember, hospitals are 24 by 7 operations. So there's literally patients on the table in the middle of a surgical procedure, and they couldn't access data, also - and everything locks up. Their comms go down. The systems they're working on go down. 

Caleb Barlow: Now, again, most doctors understand what to do in that situation, right? Stop moving forward. Start making sure that you can protect that patient and you're not going to cause any harm. And one of the questions that kind of came out of this discussion was, how many close calls have there been that we haven't heard about as hospitals are continually getting locked up with ransomware? This just happened to be one where it was kind of a confirmed death. 

Dave Bittner: How is this different from, say, a power outage or a natural disaster that could interrupt a hospital's ability to do the work they do? 

Caleb Barlow: It isn't any different at all other than it's totally avoidable. 

Dave Bittner: Interesting. Let's come at this from another direction. I mean, we have the folks who did this. We have the ransomware criminals here. I would hazard to say that they did not start their day with the intention to cause loss of life. What is your take on that side of it? 

Caleb Barlow: Well, interestingly enough - and this is another fascinating part of this story, Dave - we actually know what the reaction was because the police actually contacted them and said, hey, you've actually hit a hospital here. I don't know if they told them there had been a death at that point in time. They probably didn't know. But it appears that the bad guys were actually targeting a different entity versus the hospital. And once they found out it was a hospital, they then immediately provided the decryption key. So again, one of the things we have to realize is that there are humans on the other side. I think it's somewhat rare, but occasionally you do see some empathy here. 

Caleb Barlow: Now, the other thing we have to look at is, remember, ransomware has really elevated over the course of the last year. It's gone from, you know, a few hundred dollars someone was asking in bitcoin to, nowadays, these ransom demands are in the millions. But also, you know, we're seeing the corresponding extortion. If you don't pay by a certain time, we'll release some scandalous emails from your CEO and a whole bunch of other data. 

Caleb Barlow: This is just going to continue to get worse. And what I keep cautioning people on is the new thing to worry about isn't that they lock up your data, it's not that they release your data, it's they change your data. And I don't think most security systems are monitoring what appears to be legitimate access to data if somebody changed it. And that's the thing. That's the thing we really need to prevent against. And there are ways to prevent this. 

Dave Bittner: Yeah. I agree with you that - it's interesting to me that that has not really been breached yet, that we haven't seen that - and particularly in a medical situation, we haven't seen the threat of data merely being changed, that we can't rely on it. Right now, we're thinking that if we get our data restored, if we get that decryption key, the data we're going to get back is the same thing that we had before. But, boy, that adds a whole nother level of uncertainty to things, doesn't it? 

Caleb Barlow: Well, I think what we suddenly have to realize - and we're seeing this dialogue really occur today on kind of the election security front, right, where we get into trust, we get into manipulation, we get into fake data, you know, deep fakes - all that kind of stuff. But imagine if I change data in the supply chain. Imagine if I change data in a health care record. All of a sudden, I break all of the trust in that system. I don't have to change all of the data. I just have to show I can change one record, and no one can trust any of the data. And un (ph) - you know, as a society, especially as an open society, we've become not only dependent but so trustworthy of the data we get from our bank, from our supply chains, from our doctor that if there's any indication that that might not be real, that we might not be able to trust it, then things break down in a rather significant way. And that can not only be lucrative for the organized criminal actor, but that can also be a very interesting ploy for a nation-state actor. 

Dave Bittner: What about this notion that not only should we not pay the ransomware criminals, but that we should be forbidden to do so? 

Caleb Barlow: Well, I got to tell you - and OK, this is a personal opinion. This isn't an opinion of my employer or anything like that. But I will tell you, my personal opinion has started to really change on this. When this first started, these ransomware demands were like $500. And I would tell clients all the time, look; you know, the - law enforcement's going to recommend you don't pay it. It's 500 bucks. Pay it. Move on. It's just - you know, worst-case scenario, you're losing 500 bucks. 

Dave Bittner: Yeah. 

Caleb Barlow: And I was saying the same thing when it was 10,000. And you would occasionally find me saying the same thing when it was 100,000. Well, now it's in the millions. Now these are real numbers. But what we also have to realize now is there's kinetic implications. And this is becoming rampant. This isn't an occasional issue. This is going to happen to everybody. The only way to stop this - and I'm a firm believer in the way to stop cybercrime is to change the economics for the bad guys. Well, unfortunately, the only way to change the economics for the bad guys is to forbid paying a ransom. And if we move to that as a society where, you know, I guess to a certain degree, you criminalize it... 

Dave Bittner: Right. 

Caleb Barlow: ...What's the point of ransomware, then, if nobody's going to pay? 

Dave Bittner: What about the fact that this is occurring over international lines? Does that change the equation? Are we starting to talk about kinetic responses to some of these things? 

Caleb Barlow: Well, look. You know, if you talk, especially with, you know, government folks - and I think, you know, various military operators have been asking the question for years of, what is the bright line from a cyber perspective that warrants a kinetic, i.e., military response? That's always an interesting question to ask. But actually, isn't that what makes the cyber domain such a valuable domain for a foreign adversary? - is that as long as they operate well below that bright line, whatever it is, there generally isn't a kinetic response. And, you know, yeah, the day may come where bad things happen bad enough that a military somewhere responds in a kinetic action. But there are a bunch of challenges with that. Like, you know, we all know how difficult attribution is. What if you're wrong, right? But again, more importantly, probably the way to fix this isn't force on force. This is not a normal military-type operation where it's an arms race. The way to fix this is changing the economics. And those economics can be changed not only for the criminal actor but the nation-state actor, as well. Again, why I think I'm coming back to - and I'm not saying I'm all there yet, but maybe it's time to stop paying the ransom. 

Dave Bittner: Until we get to that point, what are your recommendations? What - in your opinion, what are the priorities people need to take in terms of protecting themselves from this sort of thing? 

Caleb Barlow: Two key things. First of all, you've got to have a detailed security assessment that specifically looks at your susceptibility to ransomware. So this goes well beyond kind of a standard NIST assessment but looks at things like lateral movement and privilege escalation. And what's your susceptibility to that? Because if you remove those capabilities from your system or make them harder, the odds of having a devastating ransomware incident go down significantly. The second thing is having a run book for ransomware. And I'll tell you, you know, a lot of people think they have one. Go ask this afternoon to see it. If you don't see it within an hour, you don't have a ransomware run book. 

Dave Bittner: (Laughter). And practice like you play, right? 

Caleb Barlow: Absolutely. You know, I mean, immersive exercises - walk through this the whole way. And whatever you do, do not assume your insurance company is going to have all the answers for you because at the end of the day, when you're breached, your insurance company is looking out for one thing, which is, how much are they going to have to pay? They're not looking out for what's going to be the best thing for your business. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Very interesting interview. It's always great to hear Caleb. I always like to hear what Caleb has to say. One of the things that he talks about first off is the golden hour. I didn't know that there was actually a time period called the golden hour where you have a lot worse outcomes after that hour. I did know sooner is better, obviously, right? And this case does hit home for me, as I talked about, I think, on the CyberWire last week. Had this happened to the hospital my wife went to last year, she might not have survived. 

Dave Bittner: Yeah. 

Joe Carrigan: It was fortunate that she - that we live as close as we do to a hospital. And I would like to know how many close calls, like Caleb was talking about, there have been due to ransomware attacks. When you asked about how the ransomware attack is different from a power outage - and Caleb said it isn't very different except that it's avoidable. I would say this. You can plan for a power outage with backup power that comes online and provides some form of emergency power into a hospital. And these are usually massive diesel generators. But there are power backup solutions. 

Dave Bittner: Right. 

Joe Carrigan: And what if we looked at medical records the same way? And I'm just spitballing here. And maybe there are some systems like this out there already. But what if there was, like, an air-gapped record system that was off until there was a ransomware attack? And then you could turn it on, and you could have access to the medical records unencrypted. They might be a little bit out of date because it was not on or even connected. You'd have to sneakernet the data over to the air-gap system. But would that work? I don't know. Maybe it would. Maybe it wouldn't. 

Dave Bittner: Yeah. 

Joe Carrigan: Maybe it'd be cost prohibitive - a lot of things. 

Dave Bittner: I've thought about that - having just basically a parallel system running that is somehow isolated from the real one. In the same way that a generator kicks in automatically, you know, if your main system goes down, could you automatically switch over? 

Joe Carrigan: Right. 

Dave Bittner: I would just imagine that in a system as complex as a hospital with as many things that are going on and the myriad of places where ransomware could hit a hospital... 

Joe Carrigan: Right. 

Dave Bittner: ...Just the complexity of it would be difficult to manage. 

Joe Carrigan: It is very complex. 

Dave Bittner: But who knows? (Laughter). 

Joe Carrigan: You got a lot of health care sensors that feed data directly into these systems. 

Dave Bittner: Yeah. 

Joe Carrigan: This is just an idea I have. Maybe somebody's already out there thinking about this. And maybe somebody else has already done it. I don't know. Caleb points out that there was some empathy on the part of these attackers. When they found out that they were in a hospital, they immediately coughed up the keys and disappeared. I think that is going to be rare. There are a lot of ransomware people that deliberately go after hospitals because of the nature of the data being so absolutely life-and-death important to people. The hospital was lucky that this was not a scam, you know, one where they just go in and destroy your data and then say, give us money, and we'll give you the encryption keys. Then they take the money and run. That's a lot easier to carry out than actually a ransomware attack. Caleb is right about the coming storm with data corruption. One of our instructors, Dr. Avi Rubin, has been saying this for a couple of years now. How much more terrifying is it if health care records are changed? That to me is a horrifying idea. And Caleb talks about the loss of trust and how much of an impact that could have. The integrity of this data in all of these systems, not just in health care but in any other system - just flipping bits in data can have devastating consequences. 

Dave Bittner: Yeah. I hear people, you know, sort of - we try to find the humorous side of some of these things sometimes. And people talk about how - you know, why couldn't they go after the college loan data? Why couldn't they go after the data with the records of my mortgage? 

Joe Carrigan: Right. 

Dave Bittner: If you're going to wipe something out (laughter)... 

Joe Carrigan: Help me out. 

Dave Bittner: Do the world a favor. 
Joe Carrigan: I'm sure there's plenty of backups of that data, though, Dave. 

Dave Bittner: Exactly. Well, exactly. Right? Yeah, exactly (laughter). They plan to pay (ph) a paper trail for sure. 

Joe Carrigan: Outlawing payment of ransom is something we should discuss, I think. I think it's time to have that discussion as a, you know, cybersecurity community, and then as society at large. This would change the economics of it. And I think it makes a good case for the problem going away. If we make it illegal for you to pay a ransom to a ransomware criminal, then their economic incentive drops off sharply because now not only have I lost my data as the victim of the attack. If I try to get it back, I'm committing a crime that may have very severe penalties, more than the cost of just recovering or paying the ransom. 

Dave Bittner: Right. Right. 

Joe Carrigan: You know, there may even be prison time involved. None of this legislation has been written yet. So, you know, I don't know anybody that's going to go to jail for the sake of their company's data. Nobody's going to fall on that sword, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They're going to not pay the ransom. They're going to recover, or the company will shut down, which is actually something that very frequently happens, especially with small and mid-sized businesses. I like Caleb's plan of action. Assess your vulnerability. Have a plan, which he calls a run book. Practice the plan. And update the plan. When you have these tabletop exercises for a ransomware attack, the first thing you should do is, OK, where's the plan? I like what Caleb says. If you don't have your hands on that plan in an hour, you don't have a plan. 

Dave Bittner: (Laughter). 

Joe Carrigan: I think you should have your hands on that plan sooner than an hour. You should know where that plan is. That plan should be on a shelf printed out somewhere, not on your computer - (laughter) right? - because those are all going to be locked up. It should be something that's printed out. It should be part of your business continuity plan. And you have to have those exercises and find out where the weaknesses are in it. Of course, when you finally have that ransomware attack, that plan is going to be of some use. There are going to be some things that you did not anticipate. But it's important to have that plan. I can't remember who it was that said the plan is useless, but planning is indispensable. No plan survives contact with the enemy. 

Dave Bittner: Yeah, that one I know (laughter). 

Joe Carrigan: Yeah, military. Finally, the one thing that Caleb said that's absolutely right is insurance is a way to offload risk. Your insurance company is kind of a partner with you up until the time that you experience an event because their goal is to lower the probability of you getting a ransomware attack. Once the ransomware attack has happened, the insurance company is now interested in their own interest in how much they're going to pay. At that point in time, they might not be that helpful in the situation. So if you're looking for someone to help you with this, you should probably have a computer emergency response team. There are vendors out there that will provide those. And you can pay a retainer fee. And if something happens, they'll send people over to your site to help you recover quickly. 

Dave Bittner: I think a potential part that the insurance companies have to play in this is setting standards. 

Joe Carrigan: Yes. 

Dave Bittner: In the same way that, you know, if you want to get insurance on your commercial building, you'd better have sprinklers and fire extinguishers and exit stairways and all that sort of stuff. 

Joe Carrigan: Absolutely. 

Dave Bittner: Insurance companies could - and they are - saying, hey, if you want to buy insurance from us, you need to have these things in place. You need to have backups. These are the standards we demand. And, you know, maybe you'll get a discount. Or maybe we won't cover you unless you have these things in place. 

Joe Carrigan: That's right. 

Dave Bittner: So I think there's a positive influence from that direction, something we've seen in other types of business. 

Joe Carrigan: Don't mistake what I'm saying to be disparaging of insurance companies. They do provide a real service that people are willing to pay for. And you're absolutely right. You know, no insurance company is going to insure a building with - what's it called? Knob-and-rail wiring? 

Dave Bittner: (Laughter) Right, right, right, right. 

Joe Carrigan: That's a fire hazard waiting to happen. 

Dave Bittner: Look it up, yeah. (Laughter). 

Joe Carrigan: You know, it's... 

Dave Bittner: Yeah, look it up (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Caleb Barlow for taking the time and jumping on the line on such short notice. He's a great partner over on the CyberWire. We appreciate that from him. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the start-up Studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.