Telling the truth in a dishonest way.
Jayson E. Street: [00:00:00] There's more and more attacks going on from the technology side, from the computer side. But our one true defense is going to be actual humans being able to detect and actually respond to it quickly.
Dave Bittner: [00:00:12] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe.
Joe Carrigan: [00:00:32] Hi, Dave.
Dave Bittner: [00:00:33] As always, we've got some interesting stories to share. And later in the show, we speak with Jayson E. Street. He's a VP of Information Security at SphereNY. He's also one of the authors of the book, "Dissecting the Hack: The Forbidden Network." He's a popular speaker. He's someone that, if you're in the social engineering world, chances are you know about Jayson Street. So we're looking forward to hearing from him. But first, a quick word from our sponsors at KnowBe4.
Unidentified Person: [00:01:01] Step right up, and take a chance. Yes, you there. Give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you; or B, please read - important message from HR; or C, a delivery attempt was made; or D, take me to your leader? Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions.
Dave Bittner: [00:01:41] And we are back. Joe, I'm going to lead things off this week. I've got a story. This comes from The Hollywood Reporter. This is written by Stephen Galloway. And the story is titled "Why Are So Many Wannabe Screenwriters Getting Scammed?" Now imagine, Joe, that you're an aspiring screenwriter.
Joe Carrigan: [00:01:58] OK.
Dave Bittner: [00:01:59] And you've got what you are sure is the next big Hollywood blockbuster. But the problem is you can't get the right people to read it.
Joe Carrigan: [00:02:06] Right.
Dave Bittner: [00:02:07] So out in Hollywood, there are these events that are called pitch fests. And at a pitch fest, you can go and basically pitch your project to someone who is saying that they are a studio bigwig.
Joe Carrigan: [00:02:21] So say I had a TV show...
Dave Bittner: [00:02:22] Right.
Joe Carrigan: [00:02:23] ...That I had an idea for.
Dave Bittner: [00:02:24] Yup.
Joe Carrigan: [00:02:24] And it's an animated series built around some guy's family and his cats...
Dave Bittner: [00:02:28] (Laughter).
Joe Carrigan: [00:02:28] ...And his dog.
Dave Bittner: [00:02:28] OK. (Laughter).
Joe Carrigan: [00:02:29] I would go out to this place...
Dave Bittner: [00:02:31] Right (laughter).
Joe Carrigan: [00:02:31] ...And I would pitch it, and show them my sizzle reel and read the treatment to them and all that. Right?
Dave Bittner: [00:02:35] I suppose you would wait in line to go pitch to each of these big Hollywood big-time folks who are...
Joe Carrigan: [00:02:41] These bigwigs.
Dave Bittner: [00:02:41] Yep, sitting there lighting cigars with hundred-dollar bills.
Joe Carrigan: [00:02:44] Yeah (laughter).
Dave Bittner: [00:02:45] And pitch your story. Well, it turns out that while many of these are legitimate, there are also many of them that are just scams.
Joe Carrigan: [00:02:53] Wow. Really?
Dave Bittner: [00:02:54] (Laughter) I know.
Joe Carrigan: [00:02:56] Who'd have thought?
Dave Bittner: [00:02:57] Yeah.
Joe Carrigan: [00:02:58] I mean, it's easy for us to sit here in our studio in Maryland and not empathize. Actually, I really do empathize with these people. These are creative people who are really looking to make it big, and they are prime targets for scammers simply because they have this vulnerability that they're looking for an opportunity to pitch their ideas to people who might produce them.
Dave Bittner: [00:03:18] Yeah. And they make a couple of examples here. There's a gentleman named Manny Fonseca who is an aspiring writer himself. He was at a social event out in Hollywood, and a producer came up to him, someone he was friendly with, and said, hey, how'd you like to make a hundred bucks this weekend? And he said, sure, I'd be up for that.
Dave Bittner: [00:03:35] So this producer friend hired him to be a listener at one of these pitch fests. And what he said was - quoting him here - he said, "What I learned - and I know it because I was the one being sent to these things - is you're sitting there with no power. As an assistant at an agency, you're not allowed to sign people. And most of the time, you're talking to amateur writers who shouldn't be repped."
Joe Carrigan: [00:03:57] Right. So what's the point of having this event?
Dave Bittner: [00:03:59] The point of having this event is to make money.
Joe Carrigan: [00:04:01] OK.
Dave Bittner: [00:04:02] So they're charging these people up to thousands of dollars to get their scripts listened to. In fact, they talked to another gentleman, his name was Nick Iandolo. He was an aspiring writer from Boston. And he went to one of these pitch fests. He spent more than a thousand dollars on his ticket and his airfare to LA, and he decided that he was going to go back. Even though he hadn't gotten any bites on his idea, he says he had a family holiday adventure and a crime drama. And he says, I'm going to go to one of these, and I'm going to be an exhibitor. So not only can you be someone who goes and talks to these people, you can actually buy a booth at some of these things.
Joe Carrigan: [00:04:43] So nobody in real power shows up to them?
Dave Bittner: [00:04:46] Well, they make you think that there are people there. What happens is that well-named organizations - so you know, an executive who runs some sort of organization will say, we'll have representatives from our well-known Hollywood company at this pitch fest. But then the person they send is a low-level employee who doesn't have the authority to actually greenlight anything.
Joe Carrigan: [00:05:09] Right.
Dave Bittner: [00:05:09] So this person went. He bought a booth at one of these events. He had a book to sell as well.
Joe Carrigan: [00:05:15] Uh-huh.
Dave Bittner: [00:05:16] And he said he came away empty handed. He said, I didn't sell one book. I was like, my God, how is this possible? I spent a total of $6,000.
Joe Carrigan: [00:05:24] Wow.
Dave Bittner: [00:05:25] Yeah.
Joe Carrigan: [00:05:26] Six grand.
Dave Bittner: [00:05:26] Six grand. Now, there are other things, like writing competitions. Besides these events, there are people who will look at your script for a fee. There are some folks who - they charge between $45 and $2,000 to give you notes back on your script.
Joe Carrigan: [00:05:42] OK. Well, that's almost like an editing service, though. Right?
Dave Bittner: [00:05:45] It is. But here's the tricky thing about this, is that there are certainly plenty of people who are doing this legitimately...
Joe Carrigan: [00:05:52] Correct.
Dave Bittner: [00:05:52] ...And for all the right reasons. And it's perfectly legitimate for them to get paid for their time.
Joe Carrigan: [00:05:56] Right.
Dave Bittner: [00:05:56] The problem is, there is a whole lot of people who are also doing this just to make money, who are scammers...
Joe Carrigan: [00:06:03] Sure.
Dave Bittner: [00:06:03] ...Don't have the ability to move a project forward.
Joe Carrigan: [00:06:07] Right.
Dave Bittner: [00:06:07] And they're just robbing these people blind. When you get to the meat of it, the social engineering part of it, they're taking advantage of these people's innocence...
Joe Carrigan: [00:06:16] Yep.
Dave Bittner: [00:06:16] ...Of these people's hopes for fame and fortune.
Joe Carrigan: [00:06:20] And probably their inexperience, too.
Dave Bittner: [00:06:21] Right, exactly. They don't know how Hollywood works.
Joe Carrigan: [00:06:24] Yeah, I don't know how Hollywood works.
Dave Bittner: [00:06:25] No. Why would you?
Joe Carrigan: [00:06:26] Yeah, why would I? Exactly. I do have a degree in mass communication. So...
Dave Bittner: [00:06:30] As do I.
Joe Carrigan: [00:06:30] Yes.
Dave Bittner: [00:06:31] (Laughter).
Joe Carrigan: [00:06:31] You might think that I know how Hollywood works. But...
Dave Bittner: [00:06:33] And yet, here we are...
Joe Carrigan: [00:06:34] Yeah.
Dave Bittner: [00:06:34] ...On the East Coast...
Joe Carrigan: [00:06:35] On the East Coast.
Dave Bittner: [00:06:35] ...Both of us. Yeah.
Joe Carrigan: [00:06:36] Right. I don't know. I operate on this principle - if I were to develop something that I thought was worthy of publication or production, then there should be no need for me to pay somebody to look at it. Right? I should have what amounts to a business opportunity that, if it's good enough, should get attention from people who have the power to greenlight or produce something.
Dave Bittner: [00:07:02] Right.
Joe Carrigan: [00:07:02] Right. So the fact that I have something and people are saying, I'll look at it for 50 bucks or you can come pitch it to us for $1,000 - that says to me, I haven't done enough work on this. Right?
Dave Bittner: [00:07:15] Right.
Joe Carrigan: [00:07:16] That's my thinking on this.
Dave Bittner: [00:07:17] Yeah. And I think also what's problematic is that people will attract would-be writers to these events. So they'll have someone come. And they'll say, for $100, we will look at your script. And then they look at your script, which it turns out is horrible.
Joe Carrigan: [00:07:31] Right.
Dave Bittner: [00:07:31] There is no way that it'll ever be produced. But they say to you, hey, you know, this script has promise.
Joe Carrigan: [00:07:37] Right.
Dave Bittner: [00:07:37] For the low, low price of $1,000, we'll have one of our script doctors take a look at it and send you notes.
Joe Carrigan: [00:07:44] Yeah.
Dave Bittner: [00:07:45] Well now, they've set the hook, they've got your money, and they've given you a false sense of hope.
Joe Carrigan: [00:07:51] Right.
Dave Bittner: [00:07:52] And it's just not right.
Joe Carrigan: [00:07:53] And like you say, there are people in Hollywood who make their money doing this. Patton Oswalt...
Dave Bittner: [00:07:57] Yeah.
Joe Carrigan: [00:07:57] ...He's a stand-up comedian. But one of his big lines of business is he comes in and rewrites scripts and makes them funny.
Dave Bittner: [00:08:04] Right. Right. Carrie Fisher was well-known for her script doctoring abilities. This is people who have sort of grafted themselves onto what can be a legitimate service. And so the lesson here is, before you go to one of these things, do your homework...
Joe Carrigan: [00:08:19] Find out who's going to be there.
Dave Bittner: [00:08:20] ...Check it out. Make sure that even if it's a well-known agency, that it's people who can make decisions...
Joe Carrigan: [00:08:27] Right.
Dave Bittner: [00:08:27] ...That it's not just going to be low-level people. And do your homework. Make sure that you're not just throwing your money away.
Joe Carrigan: [00:08:32] Yeah.
Dave Bittner: [00:08:33] All right, Joe. That's what I've got this week. What do you have for us?
Joe Carrigan: [00:08:36] You know me, Dave.
Dave Bittner: [00:08:37] I do.
Joe Carrigan: [00:08:38] I have to go with the darkest story every week.
Dave Bittner: [00:08:40] (Laughing) Yeah. OK.
Joe Carrigan: [00:08:40] And this one involves murder.
Dave Bittner: [00:08:43] Murder?
Joe Carrigan: [00:08:44] Right.
Dave Bittner: [00:08:44] Oh, my.
Joe Carrigan: [00:08:45] This story comes from Jennings Brown over at Gizmodo.
Dave Bittner: [00:08:47] Uh-huh.
Joe Carrigan: [00:08:48] And it's a story about Roxanne Reed, who is a 55-year-old woman from Garner, N.C. She was caught up in a romance scam. She was catfished. Catfishing is kind of a new phenomenon that has risen out of the social media environment that we live in right now. What someone will do is they will set up a complete social media presence that is 100 percent fake, but it looks completely real.
Dave Bittner: [00:09:11] Right.
Joe Carrigan: [00:09:11] You know, you'll have a Facebook profile with 125 friends - you know, not too many, not too few. You'll have statuses that you post. You'll have pictures up. But it will be fake...
Dave Bittner: [00:09:22] Right.
Joe Carrigan: [00:09:22] ...Or a fake profile. So Roxanne's family became concerned when she was sending money to a scammer, and they notified the police. And they shared with the police Roxanne's text message exchange with the scammer.
Dave Bittner: [00:09:34] So her family and friends, they suspected that this was not good.
Joe Carrigan: [00:09:38] Right. They knew something was up.
Dave Bittner: [00:09:40] OK.
Joe Carrigan: [00:09:40] So they involved the police, local law enforcement. And in the messages, Roxanne explained how she would kill her 88-year-old mother, Emma...
Dave Bittner: [00:09:49] Oh, my.
Joe Carrigan: [00:09:49] ...With whom she lived so that Roxanne could get more money to send the scammer.
Dave Bittner: [00:09:54] To get the insurance money.
Joe Carrigan: [00:09:56] I would imagine that there was some insurance money.
Dave Bittner: [00:09:57] Or the estate or...
Joe Carrigan: [00:09:58] Or the estate or something. Actually, I don't know if there's life insurance on 88-year-old people that pays out in huge amounts. That's...
Dave Bittner: [00:10:05] Yeah. But still...
Joe Carrigan: [00:10:07] ...Probably difficult to acquire...
Dave Bittner: [00:10:08] Yeah.
Joe Carrigan: [00:10:09] ...Or at least expensive.
Dave Bittner: [00:10:09] Uh-huh.
Joe Carrigan: [00:10:10] So the police go through the messages, and they realize there's enough evidence in the messages - the text message exchange to charge Roxanne with felony conspiracy to commit murder. You know, they look at this, and they see that Emma is in danger. So they take immediate action to ensure Emma's safety.
Dave Bittner: [00:10:24] So this woman is so wrapped up in this romance...
Joe Carrigan: [00:10:28] In this catfishing scam...
Dave Bittner: [00:10:29] Yeah.
Joe Carrigan: [00:10:29] ...That she's ready to kill her own mother.
Dave Bittner: [00:10:31] For money...
Joe Carrigan: [00:10:31] For money.
Dave Bittner: [00:10:31] ...To send money to this Romeo.
Joe Carrigan: [00:10:34] This Romeo. This Romeo has a name. Right? Court documents show that his name is Scott Humpal.
Dave Bittner: [00:10:39] OK.
Joe Carrigan: [00:10:40] Who is Scott Humpal? - you ask.
Dave Bittner: [00:10:41] Yeah, I do.
Joe Carrigan: [00:10:42] He's a physical therapist in Texas who had his identity stolen. Right? And his name has been used in other scams. But this is the first time, he thinks, it has been used in a scam that involved murder. So yeah, I mean, fortunately Emma's safe, which is good. So...
Dave Bittner: [00:10:54] Now, did the police come knocking on Scott's door and say - hey, what's...
Joe Carrigan: [00:10:59] I don't think the police did because these police are in North Carolina. The story doesn't really tell that. But Scott is in Texas. And the information from Scott comes from a local news affiliate that reached out to Scott. And he said, "I feel like I'm in a soap opera," which is...
Dave Bittner: [00:11:14] Oh, my goodness.
Joe Carrigan: [00:11:15] ...His quote. He's probably been called multiple times by law enforcement because his identity has been used in multiple scams.
Dave Bittner: [00:11:21] Right.
Joe Carrigan: [00:11:21] So he's probably not at all unfamiliar with this. But still, it's got to be terrible to be Scott right now.
Dave Bittner: [00:11:27] Well, it's got to be even worse to be Roxanne's...
Joe Carrigan: [00:11:29] Roxanne.
Dave Bittner: [00:11:30] ...Mom, Emma.
Joe Carrigan: [00:11:31] Well, yeah, Roxanne or Roxanne's mom.
Dave Bittner: [00:11:32] I mean, talk about a family falling apart...
Joe Carrigan: [00:11:34] Right.
Dave Bittner: [00:11:34] ...And just tragedy. That something could get to this point...
Joe Carrigan: [00:11:38] Right.
Dave Bittner: [00:11:38] ...That someone could be led down a path - now, we don't know anything about Roxanne. We don't know anything about her family situation.
Joe Carrigan: [00:11:44] Yeah. We're speculating.
Dave Bittner: [00:11:44] But just trying to imagine someone being led down this path by scammers and the scammers going along with it, even to the point of...
Joe Carrigan: [00:11:54] Right.
Dave Bittner: [00:11:54] ...Being so greedy that someone says, hey, here's an idea of how I can send you some more money.
Joe Carrigan: [00:11:58] Dave, I have a little voice...
Dave Bittner: [00:11:59] ...I'm going to kill somebody.
Joe Carrigan: [00:12:01] I have a little voice in the back of my head, a little evil voice. And sometimes that little evil voice is like, you could scam people...
Dave Bittner: [00:12:06] Right.
Joe Carrigan: [00:12:07] ...Or you could do this. I don't think that I could actually bring myself - even if I was scamming people, I don't think that I could bring myself to let somebody kill somebody else, you know? If somebody said, hey, if I kill my mom, you'll get more money, I'd be like - OK, this has gone too far.
Dave Bittner: [00:12:20] Yeah. We're done here.
Dave Bittner: [00:12:21] Yeah.
Joe Carrigan: [00:12:22] I mean - but I have a sense of decency. These scammers don't have that. This guy - or girl, whoever it was, was completely willing to let this woman go through with a plan to kill her mother to get money. She probably would not have gotten the money. Right?
Dave Bittner: [00:12:36] Right. Right.
Joe Carrigan: [00:12:37] She probably would have been arrested when she killed her mother. The police say the evidence was that she was going to conduct the act. So I don't know what Roxanne's background is. But maybe she thinks, I've watched all these "CSI Miami" shows. I know how to beat the forensics experts.
Dave Bittner: [00:12:50] Right. I will outsmart the police.
Joe Carrigan: [00:12:51] Right.
Dave Bittner: [00:12:52] Yeah, unlikely.
Joe Carrigan: [00:12:53] She won't. It's very difficult to get away with murder.
Dave Bittner: [00:12:56] Yeah - or so I've heard.
Joe Carrigan: [00:12:58] Right.
Dave Bittner: [00:12:58] Well Joe, with that, let's move on to our Catch of the Day.
Joe Carrigan: [00:13:01] All right.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:13:05] All right, Joe, so we had a listener named Rory (ph) send in this week's Catch of the Day. And I have to say, this is a doozy.
Joe Carrigan: [00:13:12] OK.
Dave Bittner: [00:13:12] Now, for our listeners, Joe and I usually review the things we're going to talk about before we sit down to record here.
Joe Carrigan: [00:13:19] But today...
Dave Bittner: [00:13:20] Today I have saved this one (laughing) because I want everyone to hear Joe's reaction to this one in real time.
Joe Carrigan: [00:13:27] All right. I am ready for this, Dave.
Dave Bittner: [00:13:29] This is a letter from Barclays - financial organization.
Joe Carrigan: [00:13:34] They're an insurance company, right?
Dave Bittner: [00:13:35] Yes. This is a letter that someone received in the mail.
Joe Carrigan: [00:13:37] OK. So this is a physical phishing attempt.
Dave Bittner: [00:13:39] A physical letter...
Joe Carrigan: [00:13:41] Physical letter.
Dave Bittner: [00:13:41] ...Sent in the mail. It says, important notice - debit card safety recall. Dear costumer...
Joe Carrigan: [00:13:47] (Laughter).
Dave Bittner: [00:13:50] ...Many of our bank costumers have reported that their debit cards have caught fire while they are in wallets and purses.
Joe Carrigan: [00:13:57] (Laughter).
Dave Bittner: [00:13:58] And so as a precushion, we are issuing an urgent safety recall. This is a matter of the upper-most emergency, as your card could create a pocket fire at any given moment, burning your legs and stomach terribly.
Joe Carrigan: [00:14:11] (Laughter) I love the term pocket fire.
Dave Bittner: [00:14:13] (Laughter) This is because (laughter) - this is because of a fault in the factory process at our debit card factory in Molton Keynes (ph). Therefore, for your own safety and verification, please complete the bottom of this form and return it with your debit card to the safety manager at the following address.
Dave Bittner: [00:14:30] And then it has a thing where there's also a place to put your PIN number.
Dave Bittner: [00:14:32] Really?
Dave Bittner: [00:14:33] And at the bottom it says, important - the PIN number is for verification porpoises only...
Joe Carrigan: [00:14:39] (Laughter).
Dave Bittner: [00:14:39] ...And will be destroyed immediately upon a - space - rival.
Joe Carrigan: [00:14:44] I just imagine that they have a bunch of porpoises...
Dave Bittner: [00:14:47] Yeah.
Joe Carrigan: [00:14:47] ...That receive these things and verify. (Imitating porpoise squeaking).
Dave Bittner: [00:14:50] Yeah. Your private details will not be compromised at any time.
Joe Carrigan: [00:14:54] Whew, well that's a relief.
Dave Bittner: [00:14:58] (Laughter) It's so...
Joe Carrigan: [00:14:58] I'm so glad they told me my private details will not be compromised.
Dave Bittner: [00:15:01] Right (laughter). So imagine a room full of porpoises...
Dave Bittner: [00:15:05] ...Tossing around exploding debit cards...
Dave Bittner: [00:15:10] ...Right? - (laughter) putting out the fire with the mists coming out of their blowholes.
Joe Carrigan: [00:15:16] This one blew up.
Dave Bittner: [00:15:22] Yeah (laughter).
Joe Carrigan: [00:15:22] (Imitating explosion, porpoise squeaks).
Dave Bittner: [00:15:22] Yeah. Oh, God. It's so good.
Joe Carrigan: [00:15:24] This is awesome. Rory, this is the best.
Dave Bittner: [00:15:28] (Laughter) Rory wins...
Joe Carrigan: [00:15:29] Yes.
Dave Bittner: [00:15:29] ...So far. This is the winner. So - I mean, it's got something for everyone - misspellings, the implausibility of - of course, first of all, there's nothing in a debit card that could spontaneously burst into flames.
Joe Carrigan: [00:15:42] Right. It's - the chip - but the thing is, most consumers don't know that.
Dave Bittner: [00:15:47] I guess.
Joe Carrigan: [00:15:47] The chip is an electronic circuit, but it's not powered until you plug it in.
Dave Bittner: [00:15:51] Yeah.
Joe Carrigan: [00:15:51] Right? And that's where the problem with all these - like, the Samsung phones that were blowing up a while ago, their problem came from the battery.
Dave Bittner: [00:15:57] Right.
Joe Carrigan: [00:15:57] It was the battery that was bad. And there's no battery in these chips.
Dave Bittner: [00:16:00] Right. This one is pretty straightforward. But as Rory pointed out, the person who sent this to us, he could imagine perhaps an elderly person doesn't understand the technology...
Joe Carrigan: [00:16:10] Right.
Dave Bittner: [00:16:10] ...That this is a safety issue.
Joe Carrigan: [00:16:12] I will bet...
Dave Bittner: [00:16:12] I don't want to be set on fire by my - or have my purse explode.
Joe Carrigan: [00:16:16] I will bet that they got returned ATM cards with PINs.
Dave Bittner: [00:16:20] Yeah.
Joe Carrigan: [00:16:21] I'll bet this worked.
Dave Bittner: [00:16:22] I'll bet it did. That's a good one, though.
Joe Carrigan: [00:16:24] It is awesome.
Dave Bittner: [00:16:25] (Laughter) Well, thank you, Rory. And for everyone else listening, we would love to hear about your Catch of the Days. Send them in to us. The contact information is on the CyberWire website, so check that out. As you can tell, we really enjoy reading these.
Joe Carrigan: [00:16:40] Yes, we do.
Dave Bittner: [00:16:40] And that is our Catch of the Day. All right, Joe. When we come back, we're going to hear my interview with Jayson E. Street. He's the VP of information security at SphereNY. But first, a message from the folks at KnowBe4.
Unidentified Person: [00:16:58] And what about the biggest tastiest piece of phish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B, please read - important message from HR - well, you're getting warmer. But that one was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No, sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the New-school Security Awareness Training from our sponsors KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [00:18:02] And we are back. Joe, recently, I had the pleasure of speaking with Jayson E. Street. As I said, he's the VP of information security at SphereNY. But he is perhaps best known as being a very popular speaker, a keynote speaker at places like DEF CON and DerbyCon. You can find a lot of his stuff on YouTube as well. He is quite the social engineering expert, and so it was a real treat to talk to him. Here's my conversation with Jayson E. Street.
Jayson E. Street: [00:18:28] What I do is security awareness engagement. So I try to physically compromise a location to steal data or actual equipment that could be damaging to the company. And then I use that information and that exercise to better educate the employees of the dangers of letting people like me inside their facilities.
Dave Bittner: [00:18:48] So what does a typical engagement look like? And do they set boundaries for you?
Jayson E. Street: [00:18:52] I've been lucky. A lot of mine have not set a lot of scope. It's like a - a scope of work is very important in this (unintelligible) because you're dealing with real-life consequences with people and locations. I've done ones where the scope was so much where they said that I couldn't lie to the cleaning crew because they weren't an employee of the actual company. And so they literally said - it's like I couldn't lie to the person. But if they could let me in, they'd let me in. But I couldn't lie to them to let me in. And I got in. I told them the complete truth in a dishonest way and still got in. And then there's others that are, like - no, just whatever, just YOLO, go in, and see what you can do, which are always fun.
Dave Bittner: [00:19:30] What are some things that are off limits?
Jayson E. Street: [00:19:32] Targeting executives - it's like following them to their house and trying to go into their wireless network and try to go through their garbage. I've only been able to do that once. Most people don't usually want that kind of adversarial relationship. But attackers will do stuff like that. In the U.S., there are still bank managers that are being followed home, kidnapped, held overnight so they could open up the bank so it can be robbed in the morning. These aren't, like, outlandish scenarios. These are things that people will do because there's millions of dollars on the line.
Dave Bittner: [00:20:02] And what would you say your success rate is?
Jayson E. Street: [00:20:04] I would say, on every engagement, when it comes to actual compromising at least one of the facilities and also educating the people there, it's 100 percent.
Dave Bittner: [00:20:14] And what are some of the most common mistakes you see people using when they're trying to protect themselves against these sorts of things?
Jayson E. Street: [00:20:20] Self-doubt. The biggest threat to any enterprise is human nature, wanting to think that something bad's not really happening, and self-doubt and intimidation of not wanting to be the one to cause a problem or to interrupt someone or to ask someone what they're doing or appearing to be rude, trying to find out why someone's where they're not supposed to be. Most people that see me or catch me in a server room or in a hallway or someplace I'm not supposed to be - they give me this look like, this doesn't seem right. He doesn't look like he's supposed to be here. And then they're just going about their business - instead of questioning it, instead of going and saying, maybe something bad is going on; maybe he's not supposed to be here.
Dave Bittner: [00:21:03] Now, what about the proliferation of technology? I'm thinking about, you know, there are video cameras everywhere now. And now we're seeing more and more cases of things like facial recognition being brought online. Would those sorts of things slow you down?
Jayson E. Street: [00:21:16] I don't think so because there's so much way that you can alter your body. I mean, there's things that - just putting a pebble in your shoe and changing the way that you do your gait - it's like - the way you walk. I'll grow goatees sometimes and change the way my hair looks. I've dyed my hair once for a job because they actually used my videos as training material. So I put on a goatee. I had a different kind of glasses. I dyed my hair black. It's like with bluish highlights a little bit because I like to come with warning labels. I like to be something off. I still managed to get in and get through everything. So yeah, there can be a problem with cameras. You can still change your identity. It's like - it's very easy to change your gender from a video footage point of view. Yeah, there's a lot of different things that you can do to fool cameras to make it look like you're somebody else.
Dave Bittner: [00:22:04] Do you have recommendations for - what's a non-confrontational way to make sure that you're checking people out?
Jayson E. Street: [00:22:09] One of the key things - and it's surprising how many companies don't have this. One of the key things that they can do to better protect their companies is create a help line. Create an extension number on their phones that someone answers from information security or even the help desk that can then route it to security that they can call. And make sure every employee knows it. It's like, make sure that there is an email address that is always answered timely by information security. So if someone sees something suspicious on an email or they see something suspicious online or they possibly get compromised, they can contact information security. If they see someone in their facility, if they see someone that doesn't look right and they don't feel comfortable questioning them and second-questioning them, then they can go and actually go and do the thing by calling security.
Jayson E. Street: [00:22:59] I got caught once. It was a great thing, where it's like I tailgated a woman into the building - into the secured facility. It's like I went right behind her. And I went into a couple offices, compromised them. I started talking to another lady down the hallway. And I could have gone out the hallway and escaped, but then I realized what was going on. She knew she'd done something wrong, and she was talking to someone about it. And they were willing to call security. And I was like, this isn't great teachable moment. It's like - so instead of just escaping and getting the victory, I kept going down the hallway, even said hello to them as I walked by. It's like - and then security showed up. And that was a better outcome and a better product for the client because they got to actually see what happens when something goes wrong. It's like - when something goes right - they got to see an employee actually make good on their mistake and actually make the place more secure.
Jayson E. Street: [00:23:53] So we've got to empower employees that not only are they supposed to report these kind of things, they're encouraged to report these kind of issues. And one of the ways that I think to do the encouragement part of it is gamify it. It's like, any person that reports of suspicious activity or reports someone tailgating or reports a suspicious email, they get entered into a drawing every quarter. And so there's, like, a prize, you know, like a gift card or a Starbucks card or whatever. Every quarter, every person that enters - they can enter as many times as they want. But the prize stays the same. So it's good on the budget, and the executives will like that. But it gets a lot more participation of the employees because it gamifies the whole security awareness thing.
Dave Bittner: [00:24:34] Yeah. And I guess it sort of flips it, where, rather than people being afraid of being embarrassed for making a false report, you're incentivizing them to reach out even if nothing comes of it.
Jayson E. Street: [00:24:43] Exactly. And that's the key point. It's like, yeah, there are going to be a small pool of people that are going to do a lot of false positives where it's like, oh, I thought this was suspicious, and it was just a spam email. And you know what? That's OK because at least they're paying attention.
Jayson E. Street: [00:24:58] It's, like - so even when they're trying to gamify the gamification, it's like, they're still being aware. And they're still talking to other people and their other co-workers about how they're entering the drawing and making the other workers want to do that more as well. So that's the key thing. That is something that you want to encourage - is, like, not the false reporting but reporting in general, just letting them know that even if they make a mistake and click on a link that they shouldn't have, that it's still OK for them to report it to information security so they can deal with it immediately instead of, like, three months down the line when they realize they've been compromised.
Dave Bittner: [00:25:33] When you wrap up an engagement with someone and you sit down and discuss with them how things went, are there patterns? Are there typically things where people have eye-opening moments, when they go - wow, this is not what we expected?
Jayson E. Street: [00:25:45] Yes. Mostly every single engagement - what I do is - I really hate writing reports, so I'm not great on writing reports. But I'm really good at giving presentations. So what I usually do is I will actually wrap up with the executives is, like, I give them a presentation of what's happened with pictures and sometimes video of me actually doing the actual engagement, times where it's like I've actually had to, like - I've done so much where it's like the executives are demanding a meeting to explain exactly how I was able to get into where I was able to get into. So there's always a wrap-up. We do it from an educational standpoint. We do it from a way that shows them, OK, this is what was happening, but this is what we can make it better.
Jayson E. Street: [00:26:25] And every time I finish an engagement - even on-site, when I'm actually doing the break-in - I will leave successfully. Once I've left successfully the location, I wait for two minutes. And then I go back in, usually with an employee from the company, and I explain to every person that I compromised - I explain to them what I did and what they could do better. So I give them that one-on-one educational moment right then and there - right when it's fresh, right when they realize something went wrong.
Dave Bittner: [00:26:53] So interesting guy, huh?
Joe Carrigan: [00:26:55] Yes. I got a couple takeaways - or actually four of them.
Dave Bittner: [00:26:57] OK.
Joe Carrigan: [00:26:57] First, 100 percent of the time, he gets somewhere. That's because there is no such thing as a perfectly secure anything. It doesn't matter what it is, it's not perfectly secure. There's a way to penetrate it. Second, your own self-doubt is Jayson's biggest tool. That was key. When you see something, say something. And I also like his encourage reporting - that it's OK. And he brings up a great idea for a way to handle this because, a lot of times, people don't want to deal confrontationally with other people.
Dave Bittner: [00:27:25] Right.
Joe Carrigan: [00:27:25] So if you see something that's up, just go ahead and call your security organization and say, hey, there's something going on up here. Come up here, and take a look at it. And your company should have a way to handle that.
Dave Bittner: [00:27:35] Yeah.
Joe Carrigan: [00:27:36] You know, in small businesses that don't operate secure environments, there should be something analogous to that.
Dave Bittner: [00:27:41] If you've got people who work for you who are, by nature, nonconfrontational, have a mechanism for them to be able to pass that along to the people who are paid to be confrontational.
Joe Carrigan: [00:27:50] Exactly - exactly my point. The fourth point that I want to bring up here is that management needs to start looking at infosec as a loss prevention tool. You don't run a retail store without some kind of loss prevention organization. If you think, a retail store is something that people walk into all the time. Now every business is something that people go into online. Every business has a front door, so to speak, that people can just walk in through - or shouldn't be able to walk in through but sometimes can walk in through.
Dave Bittner: [00:28:18] If only in a virtual way.
Joe Carrigan: [00:28:19] Exactly. So if you look at it as loss prevention, then you change the paradigm or the way people think about it. You're preventing the huge detriment that's going to happen when the lawsuits start rolling in because you've lost a bunch of data. So a lesson for pen testers here - in the beginning of the interview, he talks about how he couldn't lie to a cleaning crew. So he tells the cleaning crew the complete truth in a dishonest way. I think that if you can convince yourself that you're telling someone the truth, that the chances that you will display physiological signs of lying are reduced. Overall, I thought that interview was absolutely amazing.
Dave Bittner: [00:28:54] Yeah, he's an interesting guy. And...
Joe Carrigan: [00:28:55] He is.
Dave Bittner: [00:28:56] ...I highly recommend - he's got - a bunch of his presentations are on YouTube, so check it out. Again, our thanks to Jayson E. Street for joining us. And thanks to all of you for listening.
Dave Bittner: [00:29:05] And of course, thanks to our sponsors at KnowBe4. They're the social engineering experts and the pioneers of New-school Security Awareness Training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest.
Dave Bittner: [00:29:21] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about what they're up to at isi.jhu.edu.
Dave Bittner: [00:29:31] And our "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:48] And I'm Joe Carrigan.
Dave Bittner: [00:29:49] Thanks for listening.