Hacking Humans 10.22.20
Ep 121 | 10.22.20

What is true and important versus what is the spin.


Bill Harrod: We do become exhausted from the messaging, and we get fatigued, and it's hard to know what is true and important versus what is the spin.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, I speak with Bill Harrod. He's the CTO of the federal division of MobileIron. And we're going to be talking about election disinformation campaigns. 

Dave Bittner: All right, Joe, let's jump in to some stories here. I'll kick things off for us this week. This is a story from ZDNet, written by Catalin Cimpanu for Zero Day. And it's titled "Bitcoin Wallet Update Trick Has Netted Criminals More Than $22 Million." 

Dave Bittner: Joe, have you ever had any cryptocurrency? Do you have any... 

Joe Carrigan: Oh, yes. 

Dave Bittner: Have you dabbled? 

Joe Carrigan: I have some cryptocurrency. I have dabbled. 

Dave Bittner: You do. 

Joe Carrigan: Yes. 

Dave Bittner: I have not yet dipped my toe in the cryptocurrency world, although I know plenty of folks who have. 

Joe Carrigan: One of my biggest regrets in life is when Bitcoin was four bucks, I said I should buy some of that, and I didn't. And then when Bitcoin went up to 25 bucks, I was like, maybe I should've bought it at four bucks and... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Maybe I should still buy some at five - the 25 bucks. Nah, 25 bucks... 

Dave Bittner: Yeah. 

Joe Carrigan: That's probably as high as it's going to go. 

Dave Bittner: (Laughter) Yeah, yeah. I remember there was - for a while, there was a website that tracked, if you had purchased Apple stock instead of Apple hardware, how you would've made out, you know, 'cause back... 

Joe Carrigan: Right. 

Dave Bittner: ...In the '90s, Apple had a $3,000 laptop computer that was a real - just a real dog. 

Joe Carrigan: Right. 

Dave Bittner: And if you'd purchased Apple stock back then, you know, the millions of dollars you'd... 


Dave Bittner: ...Have now instead of this dog of a laptop, you know, that's completely obsolete. But anyway, we digress. This story... 

Joe Carrigan: Yes. 

Dave Bittner: ...Is about some cybercriminal gangs who have stolen, again, more than $22 million from users of the Electrum wallet app. 

Joe Carrigan: Ah, OK. Now, the Electrum wallet app, I think, is a lightweight wallet that does not keep a full copy of the Bitcoin blockchain on it. So you could just install it and then use it to generate your private and public keys, but you don't have to actually download the entire blockchain, which is a very large amount of data these days. 

Dave Bittner: I'll bet (laughter). I'll bet. 

Dave Bittner: So it seems like what's happening is that these bad guys are taking advantage of, I suppose, what was a feature in the Electrum wallet, which was that it was a network of servers. So they called that ElectrumX. I guess it was a decentralized nature of Electrum which was a feature, but the bad guys have been able to take advantage of that because you don't have to be part of the Electrum organization to run an Electrum server. 

Dave Bittner: So you could spin up your own Electrum server, put it on the Electrum network. Let's call it that for - and I'm probably misusing the term, so I apologize in advance for those who are banging their head against the desk as I try to explain this. The result is that bad guys could spin up their own server. And when people would happen upon this server, they would ping the user with a security update request. 

Joe Carrigan: Ah. 

Dave Bittner: So you're a user of Electrum. You've fired up your version of the Electrum software. It reaches out to servers, and it happens upon one of these servers that is being run by the bad guys. And the bad guys see that you've logged on, and they pop up, and they - it's a message that says, security update required. 

Joe Carrigan: Right. 

Dave Bittner: In order to do the thing you want to do with your cryptocurrency, you must update your security software. And this is a good thing. We're looking out for your interests, right? (Laughter) It's a mandatory... 

Joe Carrigan: Yes, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: That's, of course, what it says. 

Dave Bittner: Right. And so they require you to download some software. And you're thinking to yourself, all right, well, this seems reasonable. Everything seems on the up and up. I'm using my Electrum software. I've hit an Electrum server. So they're requesting me to download an update to the Electrum software. 

Dave Bittner: And so you go and you do that. And, of course, the software that you update is not actually from Electrum. It is from the bad guys. And... 

Joe Carrigan: Right. 

Dave Bittner: ...Once you load up that software, it goes and steals all your bitcoin. 

Joe Carrigan: Right. And I'm looking at this heartbreaking message here from somebody that said, I installed an old version of Electrum that I had saved from when I last accessed my wallet in 2017. When attempting to send funds, I was prompted to do a security update. Upon downloading and installing it, my entire balance of 1,400 bitcoin was withdrawn to the scammer's address. That's a lot of money, Dave. 

Dave Bittner: (Laughter) It's $15.8 million. 

Joe Carrigan: Right. 

Dave Bittner: Oh, man, that hurts. 

Joe Carrigan: Yeah. This is terrible. 

Dave Bittner: Yeah. So the article says that this technique has been around for a couple of years, and the folks at Electrum have been trying to mitigate it. Recent versions of their software won't allow this to happen. I guess it's an issue with allowing HTML pop-ups within their software, so they've disallowed that. They've come up with a disallowing list for Electrum servers to block malicious servers on their network. 

Joe Carrigan: So they can find other malicious servers and tell the users about them. 

Dave Bittner: Yeah - or just have them not pop up, you know, so they won't be automatically connected to this Electrum web of computers. 

Joe Carrigan: Yeah. I'm not 100% familiar with the Electrum network or the Electrum wallet application. I've installed it and seen how it works and moved keys to it. But other than that, that's the limit of my experience. 

Dave Bittner: I guess I'm wondering, how would you prevent this? I guess keeping your software up to date, making sure that - but in this case - proactively keeping your software up to date. But this came from inside the house, right? (Laughter) Like, the... 

Joe Carrigan: Yeah, exactly. You're 100% correct. 

Dave Bittner: Yeah, the update notice came from inside the Electrum app itself. 

Joe Carrigan: Right. 

Dave Bittner: So you had every reason in the world to think that it was legit. 

Joe Carrigan: Yup. 

Dave Bittner: It's hard to imagine - I was going to say, you know, proactively, before you engage with the Electrum at all, go to their website, make sure you have downloaded the most recent version, and run that. 

Joe Carrigan: Right, absolutely. But the thing is, I'll bet this looked just like when you open Notepad++, it says, hey, there's a new package available. Would you like to download it? 

Dave Bittner: Right. 

Joe Carrigan: That is a very common workflow in software. 

Dave Bittner: Yeah. 

Joe Carrigan: I'll bet it looked exactly like that. 

Dave Bittner: Yeah, absolutely. I know, myself, I don't think twice if something from within the app pops up - an app that I've been using and trusting and... 

Joe Carrigan: Right. 

Dave Bittner: Well, I guess I'll think twice now. But... 


Dave Bittner: Ugh, another... 

Joe Carrigan: I'm off to the Notepad++ website and download my update, thank you very much. 

Dave Bittner: That is my story this week. Again, it's from ZDNet, and we'll have a link in the show notes. 

Dave Bittner: Joe, what do you have for us this week? 

Joe Carrigan: Dave, my story this week comes from Ionut Ilascu over at Bleeping Computer, and I hope I'm saying the name right. And if not, I apologize in advance, as I often do. 

Joe Carrigan: The story is about a company called Mitiga that does incident response and other things. And Mitiga investigated an incident at a U.S. company where a business email compromise scam cost this company $15 million. 

Dave Bittner: Wow. 

Joe Carrigan: And we don't know the name of the company, and that's probably because Mitiga doesn't discuss engagements like this. Ionut breaks this down into two phases. And there are actually, I think, more phases than this. 

Joe Carrigan: First, the actors selected their company, right? This is a process in and of itself. It's called reconnaissance. Part of any hack or any breach that's going to go down, these guys will target a company. And they probably went through a lot of work to figure out which company they were going to target and who they were going to target in that company. And that process involves a lot of open-source intelligence gathering and maybe even reaching out and talking to these people under some pretext - right? - which is just a lie that you tell people to get them to give you more information. 

Joe Carrigan: Once they had selected their company, they spent about two weeks trying to gain access to email accounts in the victim company's system. Once they had that - and it's amazing that they were persistent. Think about all the scams we talk about - right? - where people are trying to just get access to, like, cloud (ph) - their email accounts. But this is actually somebody who's targeting you, and they're going to be persistent. They're going to try every day, two or three times a day to get you to click on a link. And it took them two weeks, but eventually they got into somebody's email account. 

Joe Carrigan: And once they were in there, they spent another week collecting information and identifying an opportunity. To ensure they stayed in the loop, the attackers set up forwarding rules that sent messages to another Microsoft 365 email address. And they had those email addresses with similar domains they had registered, right? 

Joe Carrigan: So we've seen this before where, like, a .mil address will be spoofed by using the Mali top-level domain, which is .ml. You will put a c and an l next to each other if you want to replace a d. You'll use a 1 instead of an l. These are common tricks because when you look at the URL quickly, it'll look like the actual URL that you're supposed to go to. 

Joe Carrigan: And we've even talked about this in graphic design as well. The one that comes to mind is the Skerple pen. If you look up Skerple, S-K-E-R-P-L-E, that logo looks surprisingly like Sharpie. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: Right, right, right, right, right. 

Joe Carrigan: It's very easy to fool the eye on these things. And that's what they are - they're knockoff Sharpie pens. But it's not hard to do it, and it's really easy to fool people. 

Joe Carrigan: Then, while they were sitting there, they waited for the exact right time to strike. And when they struck, they took over a conversation using these fake domains and provided scam details for a money transfer. 

Joe Carrigan: Now, once this transfer had taken place, they knew they had to buy themselves some time because you can claw back these wire transfers. If you say, hey, this was a fraudulent wire transfer, that immediately puts a stop on it, right? And then the banks freeze the accounts and go, well, let's sort this out, right? And that's the last thing scammers want, is for somebody to sort something out. 

Dave Bittner: Right. 

Joe Carrigan: So what they did was they took all the emails that came in regarding this transaction and sent it to a hidden folder on the victim's account. And this kept this person unaware of the problem for two weeks. And that was enough time for them to totally move the money and get it out of the United States. 

Dave Bittner: Wow. 

Joe Carrigan: Yeah. 

Dave Bittner: My configuration of my own email... 

Joe Carrigan: Right. 

Dave Bittner: And I'm thinking, how often do I go and look at my forwarding rules? How often do I - you know, I'm reminded of that line in "Shawshank Redemption." You know, how often do you look at another man's shoes? You know, like, I... 

Joe Carrigan: Right. 

Dave Bittner: You know, it would be easy for someone to sneak something in there and certainly be in there for a while before I... 

Joe Carrigan: Right. 

Dave Bittner: ...Noticed something was amiss. 

Joe Carrigan: Absolutely. Mitiga has some recommendations on how to protect yourself. And one of them is to block auto-forwarding rules on your cloud email server or any email servers, right? I really like this idea not just to prevent scams, but there's a lot of information that gets sent around on email that can be proprietary. 

Joe Carrigan: It can be regulatory. If you're a publicly traded company, like with Sarbanes-Oxley, you have to maintain all of your email records. And if that email transaction goes off-system - like, if you have employees sending their email automatically to their own private Gmail or Yahoo address, you are actually suffering some form of a data breach every time they do that, I think. 

Joe Carrigan: So there's a really good reason to not allow your employees to auto-forward all the email that comes into their system off your system. Keep that stuff on your system. Keep control of it. There are smart business reasons and regulatory reasons to do it. 

Joe Carrigan: Another thing they say is block legacy protocols that can be used to circumvent multifactor authentication - these are things like POP and IMAP - and use a more modern protocol for your email access. 

Joe Carrigan: The other thing, of course - enable alerts for suspicious activity and review controls for wire transfers. This is something - whenever you have a wire transfer, particularly a $15 million wire transfer... 

Dave Bittner: (Laugher) Yeah. 

Joe Carrigan: ...There should be people on the phone going, hey, do you have the money? Did you get it? 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I'm going to send you the money now, and here's where I'm going to send it. This is $15 million. This is not... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Chump change. 

Dave Bittner: I am about to press the button. 

Joe Carrigan: Right, exactly. And I'm going to... 

Dave Bittner: Wow. 

Joe Carrigan: ...Verbally verify to you the money - the account that I'm going to send it to. And that could've prevented the entire issue here. 

Dave Bittner: Wow, $15 million. 

Joe Carrigan: Yeah. 

Dave Bittner: I mean, that could kill a company. I mean... 

Joe Carrigan: It could - absolutely could kill a company. That's amazing. That's a big pile of money. It depends on how big this company is. I get the impression that the company is pretty big, so maybe it won't kill them, but it's going to be damaging. Fifteen million dollars is a lot of money. I hope they are insured for that money. 

Dave Bittner: Yeah, yeah. I think the other thing it points out is the professionalism with which these scammers are operating now, that, you know, a $15 million payoff - that is totally worth their time to spend weeks... 

Joe Carrigan: Right. 

Dave Bittner: ...Or months or even years... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Trying to - doing their homework to wait for just the right moment, as they did in this case. 

Joe Carrigan: Yep. 

Dave Bittner: It's quite a payday. All right, interesting story. And as always, we'll have a link in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Reddit and Reddit user kevinrogers94. He has a great conversation on some messaging platform. I don't know. Somebody was trying to reach out to him to perform a gift card scam or a money transfer fee scam. You play the part of the scammer, and I'll play the part of Kevin Rogers. 

Dave Bittner: All right. 

Dave Bittner: Hello. How are you doing today? 

Joe Carrigan: Doing good - you? 

Dave Bittner: Nice to hear back from you. I'm doing just fine, kicking back, taking life one day at a time. And how is everyone doing? 

Joe Carrigan: OK, so because Dave is doing his great voice, I should tell everybody that the picture that Kevin is receiving is a very pretty young woman. So let's continue. 

Joe Carrigan: Everyone's doing good - same old stuff. Just went kayaking with Geoff on Sunday. 

Dave Bittner: Really happy to hear from you. We're doing wonderful. Well, do you receive any call or text from the CSBG? Do they contact you? 

Joe Carrigan: Yes, they did. 

Dave Bittner: Oh, really? Is the goal of the Community Services Block Grant help old, youth and retire in society - is the reduction of poverty for support COVID-19. Have you heard from them? 

Joe Carrigan: Yes, I did hear from them. 

Dave Bittner: You have got your winning money package delivery to you yet? 

Joe Carrigan: Yup, I got my money package delivered yesterday. 

Dave Bittner: How much you won from the program? 

Joe Carrigan: Fifty-thousand credits. 

Dave Bittner: Really? 

Joe Carrigan: Yes, really. You should apply for it, too. 

Dave Bittner: Have apply, too, but I'm looking for money to pay my delivery fees. Can you help me out since you have got your deliver to you? 

Joe Carrigan: They're making you pay a delivery fee? I didn't have to pay a delivery fee. Maybe you should contact them about that. 

Dave Bittner: That's what they ask from me before getting my winning package delivery to me. Can you assist me with $500? Then one I got the money deliver to me, I will pay you back. 

Joe Carrigan: But they didn't ask me for it. I think someone might be trying to scam you. Are you sure you applied to the correct program? 

Dave Bittner: Oh, no. It real and legit. 

Joe Carrigan: Oh, OK. Well, you send me $50 for the transfer fee, and I'll send you the 500. 

Dave Bittner: I really broke. I don't have any money. Please help me use the money getting gift cards, OK? Are you there? 

Joe Carrigan: I only have 500 left because I spent the rest on nitrous oxide, so I can't pay for the transfer fee. 

Dave Bittner: OK. Help me use the $500 or $400 to purchase gift card. I will be glad if you can do this for me. 

Joe Carrigan: OK, but if I do this for you, then you have to do something for me. 

Dave Bittner: OK. What do you want me to do in return? 

Joe Carrigan: At exactly 8 p.m. tonight, I need you to hack into the security system of the National Archives Museum and shut it down. I'm going to steal the Declaration of Independence. It has a map on the back of it that leads to treasure worth hundreds of millions of dollars. If you do this, I will send you the $500 tonight, and I will also split the treasure with you. 

Dave Bittner: What do you mean by that? 

Joe Carrigan: I just told you. I can't repeat it for security reasons. 

Dave Bittner: I can't do that for you. Thanks. 

Joe Carrigan: Can you do something else for me, then? 

Dave Bittner: What's that? 

Joe Carrigan: I've always thought you were beautiful, and I'm pretty horny. Can you send me a picture of your boobs? 

Dave Bittner: Send me the gift card, and then I will show it to you, OK? 

Joe Carrigan: No, I'm not stupid. Boobs first. 

Dave Bittner: OK, hold on. Thanks. 

Joe Carrigan: So you don't want the money? I already bought the gift cards, but I guess I can return them. 

Dave Bittner: OK. 

Joe Carrigan: (Laughter) That's it. I think that's the end of the scam. 

Dave Bittner: No boobs. 

Joe Carrigan: If I can make one note to Kevin, if you have someone who's impersonating a woman, there's a good chance they have pictures of boobs. 


Dave Bittner: That's true because that's not exactly something that's hard to find on the internet. 

Joe Carrigan: Right. (Laughter) Exactly. 

Dave Bittner: Oh, gosh, if only - oh, my plan broke down because I couldn't find a picture on the internet (laughter). 

Joe Carrigan: (Laughter) Where am I going to get a picture of this? 

Dave Bittner: Right. Oh, man. Oh, gosh. Oh, that's pretty funny. 

Joe Carrigan: The whole "National Treasure" line is great (laughter) - breaking into the bank - or breaking into... 

Dave Bittner: Yeah, I guess the scammer hasn't seen that movie. 

Joe Carrigan: No, they haven't. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's a good point 'cause... 

Dave Bittner: Yeah. 

Joe Carrigan: ...They didn't even catch on. They didn't - like, what do you mean by that? 

Dave Bittner: No. 

Joe Carrigan: They didn't go, OK, Nic, I understand you're on to me. Goodbye. 

Dave Bittner: No, no. And this - I mean, you know, look; this scammer is probably in some sort of call center and has a dozen different chat windows open at the same time... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...And is just bouncing between them, so... 

Joe Carrigan: That is exactly what's happening. 

Dave Bittner: Yeah. The best you can do is try to take up their time and slow them down. 

Joe Carrigan: That's right. 

Dave Bittner: All right, well, that is our Catch of the Day. 

Joe Carrigan: Thank you, Kevin. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Bill Harrod. He is the chief technology officer of the federal division of a company called MobileIron, a security company. And he has some expertise when it comes to election disinformation operations, and that was the focus of our conversation - certainly timely (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Here's my conversation with Bill Harrod from MobileIron. 

Bill Harrod: We see so much disinformation, we tend to get somewhat numb. And I think we overlook or we miss a lot of it. I really think we go back to childhood - the Aesop's fable about the boy who cried wolf, I think, is the first disinformation that we're exposed to. And the moral of the story - it really comes down to a lack of credibility and that we begin not to trust what we hear. And I think that's become a real challenge. 

Bill Harrod: I don't think we've seen as much overt disinformation as we might've thought six or nine months ago. And I think that the social media platforms and the media in general is trying to do a better job of identifying what is clearly false. But I think we begin to overlook or just become desensitized to disinformation. 

Dave Bittner: You know, I have to say personally that I find - I think like a lot of people, I've found the past - I don't know - couple of years, but certainly as we get closer to the election, to be kind of exhausting when it comes to this sort of thing because you just don't know what to believe. I like to think of myself as an appropriately skeptical person. I look at things and try to analyze them and use logic to figure out, you know, if something might be true or not. 

Dave Bittner: But it just feels like we're being bombarded from so many sides right now. I think to your point, it's really easy to throw your hands up and say, I'm out of here. I just don't know what to make of things. 

Bill Harrod: I think that's absolutely right, Dave. And I think we do see a lot of fatigue around the messaging so that we don't really know what to believe or how much veracity to put in what we're being told or what we hear. 

Bill Harrod: And we've become so tribalized, so divided that confirmational bias begins to just become the sound chamber in which people live, right? So if you're watching some news network versus another news network, then basically, you're hearing what you expect to hear. And we do become exhausted from the messaging, and we get fatigued, and it's hard to know what is true and important versus what is the spin. 

Dave Bittner: Have you all seen any evidence that the bad guys, the scammers out there, are taking advantage of this mental state that so many of us find ourselves in? 

Bill Harrod: What we do see - at MobileIron, we see a lot of attempts to capitalize on whatever is in the news and whatever is being sensationalized as a way of becoming either a part of the scam or as a way of getting people to click on a link or a scam, a malicious QR code. And the results can be quite devastating if people don't have the appropriate security controls to detect malicious code and have ways of anti-phishing detection or mitigating those sorts of attacks. 

Bill Harrod: We do see a lot of scams. It started with some of the early COVID scams and has now become a part of the email barrage that people see around sensational headlines, particularly relating to the election. 

Dave Bittner: Do you have any advice or tips for folks to kind of combat this? I mean, if you see this sort of thing spreading, how can you do your part to try to nip it? 

Bill Harrod: Because of how widespread and how fast the attacks replicate, it's hard to get in front of them once they're out and detected. And it's really hard for individuals to be able to identify what is suspicious or malicious until after they've already clicked on it or gone to the link. 

Bill Harrod: And so I think what we see is the ways to avoid it, the ways to combat it really are to have some effective controls on your devices, to have something with a malicious threat detection and an anti-phishing capability on the device and then to be able to provide some feedback both to the platform on which it has come from - so whether it be one of the social media platforms - or to be able to send out a note to people that you're aware of and say, look; I've seen this. It is particularly risky. Don't click on this. It's not a high-value protection, but it does help. 

Bill Harrod: And I think we saw that particularly with some of the ransomware attacks, where information-sharing communities - the ISACs, for example - they do have notifications that go out and say, this is the indicators of threat, this is what to look out for, and this is what the ransomware payload may come disguised as. 

Dave Bittner: As we look farther out, you know, past this year's round of elections, do you have any sense for how we might do a better job of getting these sorts of things under control? Just where do we need to head? 

Bill Harrod: So I think what we're going to find is that more and more, there is a need for people to have the ability to know what is safe and what is true. And whether that is coming back to trusted media - you know, large media organizations and the fact-checkers - or whether it's looking at more elaborate quarantining of email coming in and having people then select what they're actually going to look at rather than have so much of it dump into their email inbox and have people scroll through it and select something that may be malicious without really considering it - so I think those are some things. 

Bill Harrod: I think a widespread integration of a platform with some anti-phishing in particular - phishing has been one of the most significant attack vectors that we have seen, particularly since the COVID pandemic started and everybody went to telework. The phishing schemes have become quite sophisticated and quite frequent. 

Dave Bittner: How much of this do you suppose rests on the platform providers - you know, the Facebooks of the world, the YouTubes, Twitters, who are - you know, their algorithms are guiding people towards things. Do they bear some of the responsibility here? 

Bill Harrod: Well, absolutely, I think, Dave. So they bear some of the responsibility. I think they are guiding some of it. And I think they are not detecting a lot of it. They obviously are in a position where they need to both make money and provide a service, and sometimes those things run counter to each other. So I think Facebook and Twitter and some of the other social media platforms can do a better job of screening and detecting and being proactive about pulling information. 

Bill Harrod: I have heard that just in the last couple of days, as there's been more scrutiny on the monopolistic practices of some of the platforms, that some of the platforms are beginning to take more action against known disinformation campaigns or disinformation providers. So we see things like Facebook is taking down more QAnon accounts, and Twitter is being more selective in what they allow or don't allow and in pulling tweets down. 

Bill Harrod: So I think they do take some responsibility. I think some of the net vendors can also provide some assistance in this, right? So if we think of the infrastructure providers - AT&T and Verizon and T-Mobile - that they could provide some capability to filter some of that as well. 

Dave Bittner: I want to try to sort of bring it home for everyone. I often think about, as one of the people in my own family who has, I guess, an above average understanding of a lot of this and certainly engagement with all of this, I try to imagine, you know, sitting around the dinner table with my parents, my children, you know, my loved ones and trying to give them the information they need to be informed when it comes to these sorts of things. And I wonder from that point of view, in terms of, you know, protecting our friends and family, our loved ones, do you have any advice there? 

Bill Harrod: So, Dave, I think you probably have a significant level of understanding on much of this and are probably smarter for most of it than many people are. And I think it is a challenge to be able to say to somebody, you know, be aware of this, look out for that. There are real challenges. 

Bill Harrod: I think QR codes is something that we are seeing become a significant threat vector and something that you can't look at and know whether it's safe or not. You can scan a QR code, and if it's malicious, it can write and send an email or place a phone call from your device or even initiate a payment many times without your ever being aware of it. So I think QR codes are something that we can talk to our loved ones about - being careful about where the QR code comes from and making sure that it is a safe and reliable source for the QR code. 

Bill Harrod: Obviously, the thing that we go back to is something that we have talked about for years, and that is if you get an email and the link sounds too good to be true, then it probably is. 

Bill Harrod: And then the phishing attempts - you know, so if - again, it comes back to good understanding and good hygiene, right? Don't give up personal information. Don't give up accounts or passwords or financial or personal data. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: That was a good interview. I like hearing what Bill had to say. One of the things that he said early on that struck me was, we have become desensitized to disinformation. And you were telling Bill how you are fatigued. I will tell you I am also fatigued. I'm tired of this, Dave. 


Dave Bittner: Yeah, I think we all are. 

Joe Carrigan: Right. 

Dave Bittner: We are - collectively, aren't we all? We just want to return to some sort of sense of normalcy (laughter). 

Joe Carrigan: Yes. 

Joe Carrigan: One of the biggest parts of this problem is that we have become very tribalized. And the confirmation bias that we seek in our news is a huge problem. And it's hard for us to know what's true anymore, particularly because of that confirmation bias. And Bill does a really good job of telling people what is going to happen to you on social media. 

Joe Carrigan: You're going to wind up in this echo chamber. You're going to wind up ideologically isolated. You're not going to hear opposing viewpoints. That only leads to, essentially, radicalization. I think it's a dangerous situation. 

Joe Carrigan: This is why I always harp and say, don't get your political news from Facebook or Twitter. 

Dave Bittner: Right. 

Joe Carrigan: These attacks - he says they do move very quickly, and they're difficult to identify. And by the time you do identify them, it's too late. This is how they work. They're very temporary. 

Joe Carrigan: We talked a couple weeks ago about a disinformation organization on Facebook that got taken down. That organization was up for a year. Finding these inauthentic accounts is difficult for the social networks to do. It might be easier for Twitter to do it because they can spot, like, big rises in bot accounts. But Facebook, it's a lot more difficult, I think. 

Dave Bittner: I sound like a broken record, but my response to this is, if you say, well, we can't shut this stuff down at the scale we're operating, my response is, well, maybe then you shouldn't be operating at that scale. 

Joe Carrigan: Right, and I agree. I don't think that Facebook and Twitter are doing a good job with disinformation, and that's exactly what your point is. 

Joe Carrigan: Interesting that Bill has talked about how the QR codes attacks are becoming more prevalent. This is - again, I recommend getting a QR code proofreader, essentially. There's little apps you can get on your phone that tell you whether or not the QR code is malicious or not before you go to it. Don't just scan a QR code with your camera. You have no idea what that's going to do. 

Dave Bittner: Right. You need to pre-detonate it. 

Joe Carrigan: Right, exactly. 


Dave Bittner: Yeah, yeah. 

Joe Carrigan: So when you hear that little (imitating explosion) - you know, ooh, glad I didn't run that on my camera. 

Dave Bittner: Right. Right. All right, well, again, our thanks to Bill Harrod from MobileIron for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.