Hacking Humans 12.17.20
Ep 128 | 12.17.20

Phishing lures that may be in your inbox soon, and how to deal "left of bang."

Transcript

Rebecca Mckeown: We are all overconfident in our ability to deal with things.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault returns. She's got a conversation with Rebecca McKeown. She's an independent chartered psychologist. She's worked with the U.K.'s Ministry of Defence. And she's been studying the psychology of cyber response. So we'll look forward to that later in the show.

Dave Bittner: All right, Joe, let's kick things off with some stories this week. What do you have for us? 

Joe Carrigan: Dave, this week, I didn't want to go with just one story. I wanted to go and talk about phishing lures this week because some of these you will expect, and some of these you will not. These are phishing lures that we're talking about in terms of how these malicious actors get you to click on a phishing link and what kind of thing they're going to send you to get that interaction with you, to get whatever malicious software or whatever it is that they're going to do. 

Joe Carrigan: This is always the first kinetic action in any kind of attack after the research phase. And a lot of times, it's actually the first action. They just send out a spray-and-pray campaign, where it's just we're just going to send the email to everybody on this list and see how many people we get. It's a numbers game. 

Dave Bittner: Right. 

Joe Carrigan: So the first category I have here is holiday-themed phishing. That is going to be really big right now. Of course, it's going to come up in a couple of genres. You're going to find the incredible sales that are going to lead to fake websites. Like, we had that story a couple weeks ago about the kayak website... 

Dave Bittner: Right. 

Joe Carrigan: ...Well, where you could buy a kayak for very little money. And the scam was that they would charge your credit card the very little amount of money for a kayak and then send you some piece of garbage in the mail - a literal piece of trash... 

Dave Bittner: Right. 

Joe Carrigan: ...So that they had a tracking number and they could exist long enough to get the money and run. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: That was the plan. 

Dave Bittner: And the website was a - it looked like they actually scraped the real website and... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Reposted it somewhere. 

Joe Carrigan: That's right. So those are out there. It's a real risk. 

Joe Carrigan: There's the package delivery scam because right about now, we are experiencing - all of us - massive amounts of deliveries because many of us celebrate holidays right around now that involve giving of gifts. So what better way to scam somebody who might be expecting a package than to send them a package email about, we couldn't deliver your package... 

Dave Bittner: Oh, right. Right. 

Joe Carrigan: ...And we're sending it back to the person who shipped it to us? 

Dave Bittner: Because these packages are time-sensitive this time of year. 

Joe Carrigan: Right, yeah. 

Dave Bittner: The last thing you want is somebody to - you know, your precious little snowflake of a child to go down on Christmas morning and find nothing underneath the tree. 

(LAUGHTER) 

Joe Carrigan: Yeah, like Harry Potter's cousin on his birthday. I can't remember the character's name, but... 

(LAUGHTER) 

Dave Bittner: Yeah. Right, right. 

Joe Carrigan: There's only 23. Last year, there was 24. 

Dave Bittner: Right. Yes, exactly. 

(LAUGHTER) 

Joe Carrigan: The other one that's big around holidays is charity phishing scams. The best thing to do to avoid those is just go directly to their website and give directly to them or write them a check and send it to them in the mail. 

Dave Bittner: Yeah, yeah. People are trying to tug at your heartstrings this time of year... 

Joe Carrigan: Right. 

Dave Bittner: ...'Cause they're - it's a tough time of year for a lot of people. And, of course, things are particularly tough this year... 

Joe Carrigan: Right. 

Dave Bittner: ...2020 being the year that it is. 

Joe Carrigan: And traditionally, this is the time of year when people do tend to give more money, so they're more willing to do this. Their generosity peaks around now. 

Dave Bittner: Yeah. 

Joe Carrigan: So beyond the holiday-themed phishing, there's also the always-present current events phishing. DomainTools has a story about phishing that uses current Caucasus conflicts between Armenia and Azerbaijan as a means of getting you to open up a malicious Excel document. 

Dave Bittner: But this must be targeted to specific people, right? This wouldn't work on me or you (laughter). 

Joe Carrigan: Right. Yeah, it wouldn't work on us here in America. 

Dave Bittner: Right. 

Joe Carrigan: But maybe if you live over in the Caucasus region or somewhere in the Mediterranean, you might be more concerned about it, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They're definitely targeting a specific group of people when they're doing this. And they're sending these malicious pieces of software embedded in these documents out to people in that region. They may even have email lists that are targeted to that region. So they just go, OK, well, I only want to send this to people in that area, and that's where I'm going to send it. 

Dave Bittner: Right. 

Joe Carrigan: That way I'll increase my effectiveness, if you will. I would advise everybody to be on the lookout for COVID vaccine phishing emails because that's going to be happening here, particularly in the United States, very soon. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? You're going to be getting people who are going to try to scam you out of money. Hey, jump ahead in line for 200 bucks. Give me 200 bucks, and you can get your vaccine first. I don't think that's going to happen, so - in the real world. But people are going to scam you out of that thinking that it's going to happen. You can do it. 

Dave Bittner: Right. And - well, and taking advantage of so much uncertainty right now as... 

Joe Carrigan: Sure. 

Dave Bittner: ...This is rolled out. And, you know, we have an issue with just the way news is being delivered. You know, who can you trust, and who do people trust? 

Joe Carrigan: Right. 

Dave Bittner: So these scammers take advantage of all that. 

Joe Carrigan: Absolutely. And here's something interesting. INKY had a good story this week. INKY is an email filtering security company. They had a story about the election still being used, even with having the election, like, a month or two in the past, right? 

Dave Bittner: Yeah. 

Joe Carrigan: What they're doing is they're sending out malicious files that are disguised as evidence of election interference. So they're going after people who might believe that the election was interfered with, and they're saying, open this file up, and the file is, of course, malicious. So... 

Dave Bittner: Right. Let me let you in on a little secret here, just between you and me.

Joe Carrigan: Actually, that's a very good hook. It doesn't really matter who you're targeting. We had one a couple weeks ago where we talked about - something about the election, where it was - here's something about Trump, something like that. I can't remember what it was exactly. It was worded so it appealed to anybody that had any interest in the election. 

Dave Bittner: Right (laughter). It didn't matter if you loved him or you hated him. 

Joe Carrigan: Right. 

Dave Bittner: It was crafted in such a way to pique your interest either way (laughter). 

Joe Carrigan: Right. And, Dave, here's the easiest part of any security professional's job, and that is making predictions. 

Dave Bittner: (Laughter). 

Joe Carrigan: Because all you have to do is say something bad's going to happen... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then when it happens, go - see, I was right. 

Dave Bittner: It's like being a weatherman. 

Joe Carrigan: Right, exactly. 

(LAUGHTER) 

Joe Carrigan: The two phishing lures that are going to be coming up soon, particularly after the holidays are over, are the tax-based phishing scams and the next round of stimulus check phishing scams. Those are both going to be big. As soon as there is a stimulus bill passed, look for those phishing emails. They're going to come out, and people are going to be trying to get your personal information, maybe even getting you to pay some kind of advance fee scam. It's all scams. 

Dave Bittner: Yeah. 

Joe Carrigan: It's all going to be scams. The tax-based phishing scams are going to be maybe threatening letters from the IRS telling you that your taxes are - have been noticed as fraudulent, and you have to pay a fee to get yourself from being arrested. That's not how that works, either. So just be mindful that these are what's going to happen. And that's kind of why I wanted to talk about this. This is always going to be the case. We are always going to have this kind of situation, where whatever the current situation is, somebody's going to be taking advantage of it. 

Dave Bittner: Yeah. Well, I think also it's a good reminder that as you are interacting with your friends and your family and your loved ones over the holidays, be it, you know, remotely or whoever you're getting together with - and we encourage you to do it remotely for safety's sake (laughter). 

Joe Carrigan: Right. 

Dave Bittner: But, you know, chances are you're going to be having phone calls. Maybe you're going to be having a video conference or something like that. This is a great conversation to have, just to remind everybody - hey, here are a couple of things to be mindful of. For those of you who are regular listeners to this show, you're going to be tuned into this stuff. But I think we have a responsibility to look out for our loved ones, our friends and family, to plant the seed with them to be a little skeptical about these things - something we can all do to try to make things better together. 

Joe Carrigan: Dave, I couldn't have said it better myself. 

Dave Bittner: All right. My story this week is from a gentleman named Matthias Wilson, and he put together a blog post here that is a lot of fun. It's called "How to Troll a Nigerian Prince." This is right up our alley. 

(LAUGHTER) 

Joe Carrigan: Yes, it is. 

Dave Bittner: I'm going to quote some of the things in his blog here. He says, boy, am I lucky. 

Joe Carrigan: (Laughter). 

Dave Bittner: Steven Richards, a regional director for UBS Bank, just informed me that I am entitled to over 16 million pounds. Steven sent me the information in German from a Hotmail account, as he explained that he was doing this without the knowledge of his employer. All right? So already we've got a secret - you know, just between you and me. 

Joe Carrigan: Right? Yeah, keep this on the down low. 

Dave Bittner: (Laughter) Yeah. Matthias says, at first I was devastated. Losing relatives is always hard, and I didn't even know them. 

(LAUGHTER) 

Dave Bittner: The story was that someone had passed away. What's interesting here is that he knew that at some point he was going to have to show some identification. This was a payment scam. This is an advance payment scam. 

Joe Carrigan: Right. 

Dave Bittner: And Matthias, he knew it was an advance payment scam, but he wanted to play along as far as he could. We've talked about these things before, but there's some interesting little twists to this one. He knew he was going to have to present an ID at some point, so he Googled pictures of German IDs until he found one that might do the job (laughter). I never really thought about this, but, yeah, you can just Google for IDs, and you'll get a lot of them. 

Joe Carrigan: Sure. 

Dave Bittner: Because people post pictures of their IDs (laughter). They're not hard to come up with. 

Joe Carrigan: I don't understand why people do that. But... 

Dave Bittner: So he got a phone number from this person. He was going to play along with the scam. Matthias opened a Protonmail account in the name of the ID that he found online, the German ID that he found online, who was named Thomas. So he decided to call the scammer. He called the scammer. It was a virtual phone number that was registered in the U.K. And so he called up. And wouldn't you know it - the scammer didn't sound British at all. 

Joe Carrigan: No. 

Dave Bittner: He had a thick African accent. Imagine that. 

(LAUGHTER) 

Dave Bittner: Matthias gave Thomas a thick German accent, and he said that he'd need to send a letter - the scammer said that Matthias will have to send a letter to UBS, the bank, making his claim to the 16 million pounds. And he gave him an email address, and of course, the email address was not a real UBS bank email address. But it was one that at first glance you could think was one. It's info@ubsinvestmentremittdept.com. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: And that is something we see frequently, where these guys go out and they register these domains that are, like, copycat domains. 

Dave Bittner: Yeah. So he sends an email off requesting the 16 million pounds. He gets a letter back that says, we require the following information from you. And it's all the usual things - all his bank account information, along with his ID. So what Matthias does next is he looks up online, again, he finds some fake banking information - evidently, easy to look up. 

(LAUGHTER) 

Dave Bittner: Banking information that was used in another scam. Boy, Google is - you can just find anything these days. So he cooks up a fake form, sends it back to him with fake banking information, sends a fake payment receipt and strings this scammer along. Now, he decides to take it to the next level, and he decides to send the scammer an email from Interpol. 

Joe Carrigan: (Laughter). 

Dave Bittner: Interpol is European law enforcement. 

Joe Carrigan: It's not just the EU, either. It's a lot of countries. 

Dave Bittner: Yeah, I think it's a consortium. Yeah, it's - yeah. So he finds an online service that allows you to spoof email from anyone. 

(LAUGHTER) 

Dave Bittner: And so he cooks up an email from Interpol claiming that this character that he's cooked up, this German named Thomas, has been arrested for bank scamming (laughter). 

Joe Carrigan: Now, a little note to our listeners - that may not be legal... 

(LAUGHTER) 

Dave Bittner: No, it's... 

Joe Carrigan: ...To do - to send the email as Interpol. 

Dave Bittner: Probably not. There was an interesting twist on that that we'll get to in a second. 

Joe Carrigan: OK. 

Dave Bittner: So he calls up the scammer as if he is the person from Interpol. 

Joe Carrigan: Right. 

Dave Bittner: And then he hands the phone over to Thomas, who is also him. 

Joe Carrigan: Right. 

Dave Bittner: But he's playing both roles. He's a guy after my own heart here, Joe. He's playing all these roles. 

Joe Carrigan: This is great. I love this story, Dave. 

Dave Bittner: Yeah. And he hands the phone over to the fake character, Thomas. Thomas is crying because he's been arrested. 

Joe Carrigan: (Laughter). 

Dave Bittner: And the scammer is going - is buying all of this - hook, line and sinker. And the scammer is mad at Thomas for getting himself in trouble, right? 

Joe Carrigan: It's funny the scammer's mad and not scared. 

Dave Bittner: Well, yeah. And isn't that interesting? I think probably because the scammer's halfway around the world. 

Joe Carrigan: Right. He feels outside of the reach of Interpol. 

Dave Bittner: Exactly. What are they going to do? How often does a Nigerian scammer get busted? 

Joe Carrigan: I don't know. 

Dave Bittner: Rarely happens (laughter). 

Joe Carrigan: By the rate at which they continue to scam, I would say the bust rate is very low. 

Dave Bittner: So it goes on. Now, the interesting little twist to the end here is that, eventually, the scammer is on to him. The scammer figures out there's something going on. He stops replying to his emails. So a couple days after that, Matthias goes to log on to the original Protonmail account that he created to kind of be the foundation for all of this stuff. And according to the Protonmail team, someone reported his account and provided them with messages as evidence that the email account was being used for the purpose of an advanced fee scam. (Laughter) So it sounds like the Nigerian - and perhaps in a fit of frustration - reported the account, which was, I suppose, all he could do (laughter). 

Joe Carrigan: Yeah. Right. You know, the - I'll extract my vengeance by shutting this guy's email down. 

Dave Bittner: Right. And he did. 

Joe Carrigan: Yeah. 

Dave Bittner: So it's a fun story. A couple of interesting little twists here, things that I don't think we've seen before or have thought about, really. I mean, it follows the pattern of an advanced fee scam. And also, it's not atypical of the types of things that happen when somebody is leading one of these people on. 

Joe Carrigan: Right. 

Dave Bittner: And of course, you and I enjoy this very much because there's nothing we like better than wasting scammers' time, right? Which - (laughter). 

Joe Carrigan: Absolutely. Yeah, it's one of my favorite things to read about. 

Dave Bittner: There's a lot more details to it than we had time to cover here, so we'll have a link to the whole story in the show notes. It's a fun read. And hats off to Matthias for wasting the time of a Nigerian prince scammer. 

Dave Bittner: All right, Joe. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Christian (ph). And Christian got an email that is a typical email, but I'm just going to go ahead and have you read this. It's pretty good. 

Dave Bittner: Good afternoon. I'm Miss Grace Wilson, a member of Roman Catholic Church, a true born-again Christian and a widow. I lost my beloved husband eight years ago. Thereafter, life seems to be unfair to me, suffering from cancer. I'm writing this message to you from Catholic Public Hospital, South Scotland, London, where I was admitted for over 11 months now as a result of cancer of uterus, which I don't know if I can survive it because my doctor recommended me for a surgery, which is coming up soon. He made it clear to me that is the only solution to my illness. And I've thought about the deposit my late husband made with North United States for the purpose of charity, and I decided to establish a communication with you to help me and distribute this donation to the orphans, motherless babies, less privileged children and widows like me. 

Joe Carrigan: (Laughter). 

Dave Bittner: That's why I came to you, to make sure that this charity work must be accomplished to fulfill my late husband's wish. I will patiently wait for your response through my private email address - Miss Grace Wilson. 

Joe Carrigan: So many great things about this one, Dave. 

(LAUGHTER) 

Joe Carrigan: First sentence - I'm a member of the Roman Catholic Church, a true born-again Christian. 

Dave Bittner: (Laughter). 

Joe Carrigan: Now, I don't know how many Roman Catholics describe themselves as born-again Christians. It seems to be here - at least here in America, those two groups of people are two distinctly different groups of people... 

Dave Bittner: That's right (laughter). 

Joe Carrigan: ...Who don't describe themselves as both those things. 

Dave Bittner: No. Like oil and water, they do not mix (laughter). 

Joe Carrigan: Right. Exactly. Yeah. Writing from Catholic Public Hospital South Scotland, London. Last time I checked, London was in England... 

(LAUGHTER) 

Joe Carrigan: Not Scotland, unless they moved it to South Scotland. 

Dave Bittner: I don't know. Well, who knows? Maybe there is a South Scotland, London. And it's just - we're just - who knows? Maybe - I'm sure a listener will let us know if there's a region of London... 

Joe Carrigan: ...Called South Scotland. 

Dave Bittner: Well, like Little Italy or, you know... 

Joe Carrigan: Right. 

Dave Bittner: ...Chinatown. 

Joe Carrigan: That's a good point. Maybe because London is south of Scotland, maybe there is, like, a Scottish neighborhood that's South Scotland in London. I don't know.

Dave Bittner: I don't know. We - you know, us Americans are known for our knowledge of geography outside of the U.S. So, you know... 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Well, I don't know about neighborhoods in London. There is - I like this north United States. What is that? 

Dave Bittner: I don't know. 

Joe Carrigan: You know, that country doesn't exist, at least not yet anyway. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I love this. It's a great one. Thank you for sending it in, Christian. 

Dave Bittner: Yep, that is a good one. And that is our Catch of the Day. 

Dave Bittner: Joe, it's great to have Carole Theriault back on the show. 

Joe Carrigan: It is. 

Dave Bittner: Always great when she joins us, always good stuff. And this week, she's got a conversation with Rebecca McKeown. She is an independent chartered psychologist, and she has experience researching and evaluating learning and development across the Ministry of Defence over in the U.K. And lately, she's been studying the psychology of cyber response. Here's Carole Theriault speaking with Rebecca McKeown. 

Carole Theriault: "Hacking Humans" listeners, we have Rebecca McKeown. Now, she is a chartered psychologist and a visiting lecturer at Cranfield University. And we're going to talk a bit about how we react in crises and how we can maybe be more effective than a headless chicken in the next one. So first, a very warm welcome to "Hacking Humans," Rebecca.

Rebecca Mckeown: Hi. Thank you. 

Carole Theriault: Now, you're a psychologist who also has experience with the Ministry of Defence. Is that right? 

Rebecca Mckeown: That's correct, yes. 

Carole Theriault: OK, so what can you tell us? Just give us a little bit of insight on what you do. 

Rebecca Mckeown: I mean, most of my career as a psychologist is spent doing research for the Ministry of Defence into learning and development, education and really how people learn, putting that together with how - my knowledge from psychology point of view as to how the brain works. 

Carole Theriault: Yeah. 

Rebecca Mckeown: If you design learning around how the brain works, then, you know, things might be a bit more successful. 

Carole Theriault: OK, well, that is a perfect segue. So I have no idea how the brain works. But I know that when there's a crisis in my life or at my work, it changes dramatically in my head. So what can you tell me about that? 

Rebecca Mckeown: (Laughter) Yeah, sure. There's this - a very small part of the brain called the amygdala, and that is responsible for an awful lot of trouble. It's one of these things that as soon as that picks up on a message that there's some sort of threat coming in, it sends a chemical reaction through the central nervous system to the adrenal gland, and that produces adrenaline. So as soon as that adrenaline kicks in, what happens is your body's now in fight mode or flight, depending on how it goes. And your perception of everything that's going on around you narrows. So it's called cognitive narrowing. So as soon as adrenaline starts to flow, what your brain is doing is cutting out all of the unnecessary noise that comes into it from everything else and focuses you very narrowly on the threat that you need to work on. Now, in the olden days, that was - we were running away from a saber-toothed tiger. Nowadays, it could be anything. And a cyberattack is exactly that. There has to be some sort of physiological reaction when the penny drops that something really bad is going on.

Carole Theriault: Basically, it's like an emergency. And we hyperfocus on - OK, that makes perfect sense to me. So are there drawbacks to having that?

Rebecca Mckeown: There are two sides to everything. I mean, very positive thing because you don't need to be distracted by much.

Carole Theriault: Quite. 

Rebecca Mckeown: So you do need to focus in order to deal with this crisis. However, it also means that because you are so narrowly focused, you are also missing a whole load of information. 

Carole Theriault: Right. 

Rebecca Mckeown: And that causes the brain - we call it cognitive biases. So because the brain's a limited capacity information processor - you have so much information coming in - it chooses what you're going to pay attention to. And that kind of is a bit of an issue, really, because it might not choose what you need to focus on. So it's really about once you understand how the brain works and how those biases can come into your ways of thinking, you can then sort of try to train for that. It's not something that you can do overnight. Training is lifelong learning. But certain skills place into that. So you can actually learn to recognize when these things are happening. You know then to switch your mindset to a more flexible one instead of that hyperfocus.

Carole Theriault: If we understand what's happening, we then can counter our brain's immediate kind of automatic, practically, reaction to make sure that we're encompassing everything we need to do in order to safeguard a particular situation. 

Rebecca Mckeown: Yes, you can do exactly that. I think the biggest point to learn is that a lot of people think about learning, and they think in terms of training events. 

Carole Theriault: What does that mean, training events? 

Rebecca Mckeown: A training event. You go on a course, or you log onto an online course. You go to a classroom. 

Carole Theriault: Right. 

Rebecca Mckeown: Somebody comes in. They PowerPoint you to death. You maybe do a little test, and off you go again.

Carole Theriault: Yeah. And you don't remember anything a week later. 

Rebecca Mckeown: Yeah. And that type of learning is great. I mean, for example, with - the military use that type of training to learn to operate an SA80 gun. Well, that's not something you want people to learn by error. You know, the chaos will ensue. 

Carole Theriault: Yeah. 

Rebecca Mckeown: But with more sort of things that are more psychologically focused, it needs to be a very gradual process. 

Carole Theriault: Yeah. 

Rebecca Mckeown: This phrase unconscious bias - it's unconscious, so you can't know that it's happening. So it's learning to understand sort of patterns. In military terms, we call it left of bang. 

Carole Theriault: Left of bang. 

Rebecca Mckeown: Left of bang. What happens before it all kicks off? What are those cues? So you have something happening. Is this malware? Where is it? What are the command and control server domains? Is it an advanced persistent threat? There's a whole load of information that's coming into the brain. Based on experience, you'll say, all of these things indicate that it's X type of attack. Now, that's what we call attribution bias. So, you know, you can sort it into your memory banks. And what you've done is decide you're going to attribute the cause to this particular thing.

Carole Theriault: Yeah. And you're limited by your knowledge, of course. Got you. 

Rebecca Mckeown: And you're limited by your logic and your background and your experience, which is a good thing about it. Anyway, once you've attributed it to something, what you do then is called confirmation bias. So you are then looking for evidence to support your theory. And you kind of don't necessarily - your brain is so busy looking for that, it doesn't necessarily take on things that are going to contradict your view. 

Carole Theriault: OK. 

Rebecca Mckeown: There's another bias called availability bias. So, for example, post-WannaCry, that was in the news. It was just everywhere. And people were talking about it. So because that sort of thing is available to your memory, it pops out fast. It might actually not be relevant at all. So that's an availability bias. The information is the most recent you've been talking about because memory works on primacy, recency and unusual things. So it's whatever happens the first time you came across it, whatever's most recent or any unusual events, everything else becomes an amorphous sort of blob of memory. 

Carole Theriault: The next time I speak at a conference, I'm never going to go in the middle, always first or last. Got you. 

Rebecca Mckeown: (Laughter) Exactly that. 

Carole Theriault: OK, that's a good trick to learn. 

(LAUGHTER) 

Rebecca Mckeown: The one final one - that we are all overconfident in our ability to deal with things. 

Carole Theriault: Really? 

Rebecca Mckeown: Especially when you start to use... 

Carole Theriault: I thought you were going to say especially men. 

(LAUGHTER) 

Rebecca Mckeown: No, no, no. Damn. It's just somebody who's experienced - you know your stuff. I know my stuff. I miss things because I'm primarily a human being rather than a psychologist, you know? So... 

Carole Theriault: Right. And then people are kind of like, excuse me, I think you'll find - you're like, nope, I know exactly. I've been here before. Thank you very much, little Tim. 

Rebecca Mckeown: That, yeah. 

Carole Theriault: Right. So OK. So we have all these biases, and they all make sense to me. I can see how I'd have all these. How can I counter them to help me get through it now that I'm aware of them? 

Rebecca Mckeown: Right. Well, this is where the training comes in. You have a mental model of the way the world works, cyber events particularly. And every experience you have matches into that, so you build up that experience. As I said, that makes you super, super effective. To counteract that, you need to have enhanced thinking skills, which are called metacognition. 

Carole Theriault: It's, like, super, hyperaware. 

Rebecca Mckeown: Super, hyperaware. 

Carole Theriault: OK. 

Rebecca Mckeown: It's kind of like - there's two elements to it. There's enhanced learning. So that's sort of doing lots of different scenarios. So with the immersive crisis simulator, there are a countless number of scenarios you can use. You keep training with those. Then what you do is you learn to recognize patterns. And it's not patterns of the information on the surface. It's those subtle, little cues. 

Carole Theriault: Right. 

Rebecca Mckeown: So it's the underlying patterns beneath that. And you also then learn to sort of slow down that thinking slightly to counteract the bias by considering alternatives. So if you train by different scenarios, pattern recognition, looking at alternatives, you become more experienced in that flexibility of thinking, which counteracts the focus thinking. 

Carole Theriault: Yes. So you're saying train your brain or train your experiences. 

Rebecca Mckeown: Yeah. Yeah. Then you've got these metacognitive skills. And, basically, it's so simple. It's plan, monitor, evaluate, reflect. It's a little cycle that you just go around, but you have to build that into the training and learning process. So for example, with the military, you have what's called an after-action review. What was supposed to happen? What actually happened? What could we have done better? What went wrong? That type of thing. But if you include - right, so what cues did we look at in the first place? How did we act to that? Did we challenge that thinking? So it's about amending that slightly to look at the psychological patterns and the ways of thinking. And then you learn from that. So the next time round, you plan. You monitor how it goes afterwards. You evaluate. So after the second one, yeah, well, actually, I think we were a bit quicker then. It was - it felt a little bit easier. And then you sort of reflect on that. That's the defer (ph) to the easier bit. Yeah, because actually, do you know what? I don't feel as bad afterwards. It made me feel better because I felt more in control. You're building up that automatic way of responding in a different way. So you have the experience thing, but you also then have this wonderful flexibility to know, well, actually, hang on a minute. I need to have a think about this. Something has told me this could be different.

Carole Theriault: Well, Rebecca McKeown, you have given us a lot to think about. 

Rebecca McKeown: I'm so sorry (laughter). 

Carole Theriault: So, no, it's wonderful. And I can tell you're just a huge mine of information that could help our industry. 

Carole Theriault: So this is Rebecca McKeown, a chartered psychologist and a visiting lecturer at Cranfield University who also has experience in the Ministry of Defense. Thank you so much for coming on "Hacking Humans." 

Rebecca McKeown: You're welcome. It's been an absolute pleasure. Thank you. 

Carole Theriault: Oh, pleasure's all mine. This is Carole Theriault for "Hacking Humans." 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Great interview. I love that interview, Dave. I get the distinct feeling that we do not have enough psychologists in the field of cybersecurity. I think we need more people from the field of psychology involved in our field. And I think we need to do more research in this field. This is not just a technical field. There is a huge human component to this, and industrial psychology is a perfect fit for cybersecurity. 

Joe Carrigan: When there is a crisis - Rebecca talks about the chain of events that starts in the amygdala whenever there's a crisis, and that fires off the adrenal glands. Then you experience this thing called cognitive narrowing, and that's the hyperfocus. Other things in your view, they disappear. And this is the short-circuiting we've been talking about on this show for 2 1/2 years, right? 

Dave Bittner: Right. 

Joe Carrigan: Whenever somebody gets in your face with an email that's very threatening or a phone call that's very threatening, these scammers do exactly this. They're actually - this is the physiological response they're trying to enact in your body to get you to go along with them, to arrive at what you hope will be a solution but is actually just a scam. 

Joe Carrigan: So it doesn't just happen in a situation like when you're responding to a cyber event. It happens in a lot of things. And Rebecca's exactly right. This is an evolutionary defense that we have that has protected us against - I think she used saber-toothed tigers as an example... 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: ...Which is exactly right. But, you know, you think about not even just saber-toothed tigers. Have you ever been chased by a dog when you were a kid? 

Dave Bittner: Yeah, yeah. I think about things like when you're, you know, taking a walk and you accidentally come across a snake or something. You know, it's like... 

Joe Carrigan: Right. 

Dave Bittner: ...Some sort of unexpected - or it could be a deer or just any unexpected wildlife. 

Joe Carrigan: Right. 

Dave Bittner: It surprises you. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, I think that causes that flushed feeling that flows through you, where all of a sudden, you (imitating screaming). 

(LAUGHTER) 

Dave Bittner: It might be running in the other direction. 

Joe Carrigan: Right. That response will help you survive, but that response will also do you a disservice in certain situations, like responding to a cyber event or while you're being scammed. 

Joe Carrigan: I like what Rebecca says about training being lifelong learning. You must always be able to adapt, and not just in terms of cybersecurity, but I firmly believe you have to be able to adapt and develop new skills in everything, and that benefits you immensely. The idea that you're ever done learning - if you're of that mindset, I think it's beneficial for you just to get out of that mindset and to always be trying to learn new things. 

Dave Bittner: You can't just rest on your laurels, you know? You've got to - even just staying current requires effort... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Because these - you know, these things evolve. And so to protect yourself from the day-to-day things that are out there trying to take advantage of you, you've got to keep up. 

Joe Carrigan: Something I found very interesting in this interview was that she said, we're all overconfident in our ability to deal with things. And that to me is fascinating because I don't think of myself as overconfident in my ability to deal with things, but I'll bet I am. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, that sounds like me, you know? 

(LAUGHTER) 

Dave Bittner: Go on, Joe. Go on. 

Joe Carrigan: Even as she's saying it, I'm going through this process - but, yeah, but I think of myself as adaptable, and I can handle this. And I think that just speaks to the fact that what we need is this level of experience that she's talking about in order to get through these events. Maybe as I'm looking at this as a man in his 50s thinking, you know, I have enough life experience to understand and calmly handle things, and maybe I do, but who knows? I mean, it's never really been tested, right? 

Dave Bittner: Right, right. 

Joe Carrigan: Or at least not... 

Dave Bittner: Joe, you're overconfident. You don't know me. 

Joe Carrigan: Right, exactly. 

(LAUGHTER) 

Joe Carrigan: And she talks about a lot of biases. We have so many biases. And controlling for those can be difficult. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the things that she says towards the end of the interview is plan, monitor, evaluate and reflect, and whatever process you have, make sure that you're doing that deliberately. Make sure that you're thinking about this process. 

Joe Carrigan: So let's say you're using the plan, monitor, evaluate, reflect that Rebecca talks about. Make sure that you're doing that - you're thinking about that as you're doing it. Like, OK, let's plan for the event. A couple weeks ago, we had somebody who - one of our guests said that - just pick up a newspaper, look at a story and say, how would we handle this if this was us, which I think was a great idea. Monitor what you're doing, evaluate how well it works, and then reflect upon it and put that back into your process. Do those things deliberately. Whenever an event is over, do a post-mortem and say, what worked and what didn't? 

Dave Bittner: Right. 

Joe Carrigan: And be as frank about it as you can. And be open to revising the process. Don't take ownership of a process that you developed. It's not your child. It's just a process that's flawed. It's OK to update these things. 

Dave Bittner: Yeah. All right, well, again, our thanks to Rebecca McKeown and Carole Theriault for bringing us that interview. Always a pleasure to have her on the show, looking forward to having her back again soon. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.