Hacking Humans 2.18.21
Ep 135 | 2.18.21

Including your passwords in your final arrangements.
Sara Teare: Preschoolers using computers now and logging on to Zoom calls and accessing their remote schoolwork through Google Homework. And there's just so many opportunities for them to be online and have these different accounts. So how do we make that secure for them?

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some interesting stories to share this week. And later in the show, my conversation with Sara Teare. She's the minister of magic at 1Password. Great title. 

Joe Carrigan: Yeah, I love it. I love it. 

Dave Bittner: (Laughter) And we're going to be discussing the things that people don't often think about when it comes to their passwords, and that's including them in their final arrangements. It's actually... 

Joe Carrigan: That's right. 

Dave Bittner: ...Interesting stuff. 

Dave Bittner: All right, Joe, we got some good stories to share this week, but before we get to that, we've got some follow-up here. So we heard from a listener named Jonathan (ph), who wrote in and said, (reading) back on December 16, you were talking about a software update and network device replacement. If you can't update devices on your network, replace them. 

Joe Carrigan: Right. 

Dave Bittner: (Reading) Dave questioned whether you should have a regular replacement program for equipment. Jonathan asks, (reading) how much does this apply to one's phone? Before the holidays, I was encouraging a friend who works as a contractor to an unnamed government agency to trade in his inexpensive Android phone. Not sure what the opposite of a flagship phone is called, but this was it (laughter). 

Joe Carrigan: Right. I would say commodity phone. 

Dave Bittner: There you go. Right. 

Joe Carrigan: Right. 

Dave Bittner: Disposable. 

Joe Carrigan: Burner. 

Dave Bittner: (Reading) Its last software update was sometime in 2019. He had owned this phone for just a little more than a year and had gotten this because he had to quickly replace another broken inexpensive Android phone that he'd had for over three years. I urged him to purchase a new phone, one that would receive software updates for a good period of time - if not an iPhone, then maybe one from Google or Samsung. 

Dave Bittner: (Reading) Since phones are such an integral part of our lives, wouldn't you say this is an important place to make sure you have technology that's getting security updates? What would you say to someone who doesn't want to spend much on a phone? Are there inexpensive Android phones that get updates for greater than three years? He says, I'll take my answer on the air (laughter). 

Joe Carrigan: Yes. Actually... 

Dave Bittner: What do you think about this, Joe? 

Joe Carrigan: This is a great point. And I think you and I have talked about this probably on the CyberWire podcast... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where it is absolutely imperative that you replace your phone. And Apple and Google both, with their flagship phones, will do something called end-of-lifing the phone, right? And they do that because phones can become a configuration management nightmare if you have way too many of them. 

Joe Carrigan: Jonathan asks here about going with someone like Google, Apple or Samsung. I would recommend staying away from Samsung. Samsung doesn't have a good history of patching vulnerabilities quickly. And one of the reasons that they don't have that history is because they have that configuration management nightmare. Not only do they have, you know, so many different models of phones that they continue to, quote, "support," but they also have different models for each different wireless carrier out there. So they'll get in bed with the wireless carriers, and the phone for Verizon will have different software than the phone for T-Mobile or AT&T. That's a problem. 

Joe Carrigan: Apple and Google don't do that. They say, this is our phone; take it or leave it. And all the wireless carriers go, OK, we'll take it, right? 

Dave Bittner: (Laughter) Right, right, right. 

Joe Carrigan: Because they really don't have a choice 'cause so many people use both these phones. I have a Pixel 3. 

Joe Carrigan: But to answer Jonathan's question about an affordable phone that is good for updates, you have a couple of options. Apple has a lower-end phone that they sell, but it's still kind of expensive. Google has the same thing with their Pixel products. In fact, my mom just was talking to me about getting a new phone, and I recommended she go with - or she and I have reached the conclusion that she's going to get the Google Pixel 4a, which is, like, 350 bucks right now. 

Joe Carrigan: But there's also the Android One program, which when you buy an Android One phone, you're guaranteed to get software updates for, I think, at least two years, possibly more. If they can't meet that guarantee, they won't sell the phone anymore. That's part of the agreement of being part of the Android One program. And some of these phones are as cheap as 250 bucks. 

Joe Carrigan: There are still phones out there that are, like, $60. Don't buy those. 

Dave Bittner: (Laughter) I think there's another interesting point here, which is that, you know, there's that old saying, that old chestnut of, you know, if it ain't broke, don't fix it. And that does not apply to computing devices anymore because... 

Joe Carrigan: Right. 

Dave Bittner: ...There are new vulnerabilities that affect old devices that are... 

Joe Carrigan: Right. 

Dave Bittner: ...Discovered over time. 

Joe Carrigan: They are broke is the issue, right? It's not - you know, if it ain't broke, don't fix it - if it - that doesn't mean that if it works, don't fix it, 'cause there is a problem with that phone, and it is broken, but you won't even know that it's broken. That's the worst kind of break - right? - is the failure you don't know about. And this is a security failure here. If you can't get it updated, you're walking around with a - almost a perpetually vulnerable device in your pocket. 

Joe Carrigan: And think of the information we keep on our phones now. You know, many people keep banking information on there. You know, I don't, but a lot of people do. I just think you need to have - I think Jonathan is right here. You need to get a phone that gets updates regularly and will get them for some time in the future. I say look at Apple, look at Google and look at the Android One program. 

Dave Bittner: Yeah, I think it's sort of short-sighted. The money you save on a cheap phone is probably not worth the potential money that you could lose by not having the security elements that some of the more expensive phones would have and the ongoing updates and support that come with a more expensive device that is more - closer to the folks who actually make the operating system... 

Joe Carrigan: Right. 

Dave Bittner: ...Than a phone - a cheapo phone that's just licensing some version of Android or another operating system. 

Joe Carrigan: I don't think you need to license Android. It's open source. 

Dave Bittner: Yeah, yeah. So... 

Joe Carrigan: Anybody can put it on a phone. 

Dave Bittner: I think it's money well spent. I wouldn't look at it as an expense. I look at it as an investment in security. Doesn't mean you need to go, you know, crazy and get the most expensive phone out there, but... 

Joe Carrigan: There are Android One phones available for 250 bucks, so. 

Dave Bittner: Yeah, yeah. All right, well, thanks to Jonathan for your kind note. That is a good topic, and I'm glad we got to address it here. 

Dave Bittner: Joe, let's move on to our stories. What do you have for us this week? 

Joe Carrigan: Dave, this week I have an interesting story that comes from Adam Weidemann over at Google's Threat Analysis Group. Over the past couple of months, Google has identified an ongoing campaign targeting security researchers who work on vulnerability research and exploit development. This has been going on at a number of different companies. 

Joe Carrigan: The actors behind these campaigns have employed a number of different means to target researchers. And to make themselves seem more legitimate, they have set up a research blog that has write-ups and analysis of vulnerabilities that have already been disclosed, right? They also have guest posts from unwitting legitimate security researchers. So essentially, this is just a bunch of plagiarized material that they've put out on this blog. We're going to come back to this blog later, so remember the blog. 

Joe Carrigan: But they've also set up multiple Twitter accounts, and they use that to post links to the blog, to amplify and retweet posts from other fake accounts, right? So they've got this big network of fake Twitter accounts, and one of them will say, hey, look at this blog entry, and then 20 other ones go, hey, that's a great blog entry. That's how Twitter amplification works, and that's how it's exploited. 

Joe Carrigan: They're posting videos of their claimed exploits, and at least one case of these videos, the actors fake the video, right? They posted a link to a YouTube video. And, of course, because YouTube is such a nice, polite place, everybody immediately said, hey, this is fake, and they had no problem disclosing it. But, yes, it turns out the video is fake. It's just an edited video to look like it's showing an exploit, and it's really not showing that at all. But another Twitter account in their network would then retweet the original tweet, going, oh, by the way, this is not a fake video. So very convincing, right? 

Joe Carrigan: I mean, that's - this is all just the setup. This is all how they just lure in these security researchers. Once they have the attention of a security researcher, they would say, hey, you want to collaborate on some vulnerability research? And if the researcher said yes, they'd say, hey, great. I've got this one I'm working on here. It's a - here's a Visual Studio project. 

Joe Carrigan: Now, for our listeners who may not be familiar with what Visual Studio is, this is a Microsoft development tool. It's how you write software for Windows. You use Visual Studio. There are other tools you can use, but by and large, everybody uses Visual Studio because that's the Microsoft tool. You can get free versions of it and - all the way up to versions that cost a lot of money every year to use. But anybody can get it. 

Joe Carrigan: When you have this tool that generates software for the operating system, that can be a complex process. So there's a lot of other files that are involved with a Visual Studio project, but the only project files that people pay attention to are the source code that some of the developers have written. There's a bunch of files behind the scenes that control, like, the build cycle, which is how the software is turned from source code into machine language or maybe into something called MSL (ph), which is what the .NET Framework uses. 

Joe Carrigan: People generally don't look at that, and these actors are exploiting that because the Visual Studio project contains a DLL - which you can use Visual Studio to build DLLs, so it's not unexpected to have DLLs in this project file. But there's something called a build event, which is part of the scripting in running a build. Every time you click that build button in Visual Studio, it builds - it runs these events. But this - one of these events fires up this DLL, and it turns out that DLL is malicious, and it just starts pinging out to command-and-control servers and essentially has a backdoor that lets people gain access to the computers of security researchers who research vulnerabilities. 

Joe Carrigan: I cannot imagine a worse situation for a malicious actor to have access to a bona fide security researcher's research. 

Dave Bittner: Right. 

Joe Carrigan: Someone who researches vulnerabilities. In fact, you know what? I'm really amazed it's taken this long for us to have a story about this as I read this. I'm like, why has nobody ever thought of this before? This is who malicious actors should be targeting, right? 

Dave Bittner: (Laughter) Well, this is the first time we've found out about it. 

Joe Carrigan: Exactly. No, you're 100% correct. 

Dave Bittner: (Laughter). 

Joe Carrigan: This is the first time we know. Google also observed several cases where researchers were compromised after visiting the blog. The researchers followed a link on Twitter to a write-up posted on the blog, and shortly thereafter, a malicious service was installed on the researcher's system that opened up an in-memory backdoor that did the same thing - talked to the command-and-control servers. 

Joe Carrigan: Now, here's the interesting part. At the time of these visits, the victims' systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. So these guys are installing this drive-by download on fully patched systems. So they've got some zero-day that they're exploiting here, it looks like. 

Dave Bittner: And people don't burn zero-days. They don't use zero-days, you know, willy-nilly. They... 

Joe Carrigan: Right. 

Dave Bittner: You're right. Exactly. 'Cause they're extraordinarily valuable. 

Joe Carrigan: Yup. Well, I think this might be a valid payoff for those things, right? If I can get access to 20 or 30 security researchers who are really good at what they do, then, hey, I might find another five or 10 zero-days. This might be something that actually pays dividends in its own currency, right? 

Dave Bittner: Right. 

Joe Carrigan: I'm going to spend one zero-day, and I'm going to get five or 10 more zero-days. 

Dave Bittner: Yeah. And they're really targeting people here. And, I mean, what - this is a perfect example of social engineering, of... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Looking - gaining someone's trust, asking them to collaborate, stroking their ego, you know, saying, hey, you're a person I'd like to work with; your reputation is so good, I'd like your help with this. And away they go. 

Joe Carrigan: Yeah. And Google on their blog pointed out that they're unable to confirm the mechanism for the compromise on these fully patched machines, but they really, really, really want to know if anybody has any ideas. And they remind everybody about their bounty program. 

Dave Bittner: I'll bet they do (laughter). Wow. 

Joe Carrigan: I'll bet Microsoft is also very interested 'cause it could be a Microsoft vulnerability. We don't know where the vulnerability is lying. It might not be any vulnerability. We'd like to know what the mechanism they're using to get this thing on there is. 

Dave Bittner: Yeah. What are the recommendations here, Joe? 

Joe Carrigan: This article has some recommendations. I don't know how plausible they are. They say if you're concerned about being targeted, (reading) we recommend that you compartmentalize your research activities using a separate physical or virtual machine for your general web browsing, interacting with others in the research community, accepting files from third parties and your own security research. 

Joe Carrigan: So they're saying that now you need to have two computers for doing this - right? - or at least a virtual machine for running your vulnerable systems. Running a virtual machine is something that a lot of security researchers probably already do. 

Dave Bittner: Yeah. 

Joe Carrigan: In fact, I know they already do it. That's all well and good, but I don't know that you can do it on a separate physical machine. A lot of these folks are just going to have one laptop to go out and... 

Dave Bittner: Sure. 

Joe Carrigan: ...Do this on. And it's physically difficult to go, OK, well, now I have to change modes. I'm going to have to go over to this computer. I don't know that that's a good recommendation. I mean, if I'm a security researcher, I'm not collaborating with somebody I haven't met in person and spoken to. That's my... 

Dave Bittner: Yeah. I saw a response to this - when this news initially broke and we were covering it over on the CyberWire, I saw over on Twitter several security researchers say that they had been contacted by these people, and some of them said that they were running virtual machines, and so that protected them from it. Some of them said, you know, they only went so far with it and they started to sense that something wasn't right, and so they cut off the communication. But... 

Joe Carrigan: Right. 

Dave Bittner: ...It was fairly - you know, it was broad enough that I saw several people say, oh, yeah, yeah, they reached out to us. 

Joe Carrigan: Right. 

Dave Bittner: And so it seems like it was a pretty extensive effort here on these bad guys' part. 

Joe Carrigan: Yeah, I would agree. 

Dave Bittner: Yeah. All right, interesting story, for sure. 

Dave Bittner: My story this week - it's a little timely. As we record this, it's not quite Valentine's Day. And when this show publishes, it will have just been Valentine's Day. So I'm sure Lisa (ph) will be very pleased with whatever it is that you gave her for Valentine's and the showering of gifts and affection that you provided her with, right? 

Joe Carrigan: Yeah, I just got her a nice pair of earrings. 

Dave Bittner: There you go (laughter). 

Joe Carrigan: She got me a really nice coffee mug. 

Dave Bittner: They say romance is dead, right? 

Joe Carrigan: Right. 
Dave Bittner: This story comes from the folks over at Threatpost. This is written by Lindsey O'Donnell. And it's titled "Pre-Valentine's Day Malware Attack Mimics Flower and Lingerie Stores" (ph). So, you know, these malware attacks, these phishing attempts, they track the calendar. And Valentine's Day is certainly one that they target. People are always looking for love, you know, so it's not a day without a little bit of anxiety trying to make sure that you got the right thing or that, you know, maybe you're hoping to win someone's affection or... 

Joe Carrigan: Yup. 

Dave Bittner: ...The things that you got for your loved one are going to be appreciated. The folks here at Threatpost are reporting on some emails that went out, and they were confirming orders from a lingerie shop. And it's called Ajour lingerie. Is that right, Joe? I think that's French, right? 

Joe Carrigan: Ajour, yeah - A-J-O-R (ph). 

Dave Bittner: Yeah, yeah, yeah. 

Joe Carrigan: I don't know what that means. I'm not - I don't speak French. 

Dave Bittner: That's French. Yeah, I don't either. 
Dave Bittner: But never slowed me down, though. So - also a flower store called Rose World. And both of these were spreading a malware loader that's called BazaLoader. Now, this - I'm going to talk about this one from the lingerie store. What you would get is a PDF that was not malicious itself. It's just a PDF for an invoice. And it would be a pretty pricey PDF - you know, hundreds of dollars. 

Joe Carrigan: Yeah. The one I'm looking at says $410. 

Dave Bittner: That's a lot of lingerie (laughter). 

Joe Carrigan: That's right. 

Dave Bittner: So somebody's looking to impress someone, right? 

Joe Carrigan: Right. 

Dave Bittner: So that would get your attention, especially - obviously, in this case, you did not spend $410 on lingerie. 

Joe Carrigan: No, no. I bought some nice earrings. 

Dave Bittner: (Laughter) So when you click through on the website that - there's a link to this Ajour - pretending to be Ajour. Of course, it's not the real Ajour. Ajour is a legitimate company. 

Joe Carrigan: OK. 

Dave Bittner: They're a high-end lingerie shop out of New York. So these folks are pretending to be them. If you click through, you will go to a website that looks like the actual website for Ajour lingerie. 

Joe Carrigan: Probably just a direct copy of it. 

Dave Bittner: A direct copy of it. Looks like they went and they scraped the information right from it so it looks like the real thing. They got themselves a look-alike domain name. It's - they bought ajourlingerie.net. And the actual Ajour lingerie website is ajour.com. 

Joe Carrigan: OK. 

Dave Bittner: So you could see someone falling for that. 

Joe Carrigan: Absolutely. 

Dave Bittner: Ajourlingerie.net seems plausible, right? 

Joe Carrigan: Yeah, that is more than plausible, yeah. 

Dave Bittner: So then when you go to the website, there's a contact page. If you go there, you have the option to enter your order number and your order ID. So imagine you're trying to track down, what is this invoice all about? Am I on the hook for this? Did someone buy something? Is someone trying to steal money from me? What's going on? 

Joe Carrigan: Right. 

Dave Bittner: And that contact page redirects them to a landing page, which then links to - wait for it - an Excel spreadsheet (laughter). And the Excel spreadsheet contains also - wait for it - macros. 

Joe Carrigan: I was going to guess macros. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Wait, wait. Are they malicious? 

Dave Bittner: They are malicious. And it's the macros that, if you enable your macros - and, folks, don't enable your macros. 

Joe Carrigan: Don't do that. 

Dave Bittner: There's so (laughter) - there's so few reasons to - if you have a work reason for enabling your macros, great. More power to you. But, you know, just everybody else, turn off your macros. 

Joe Carrigan: Right. 

Dave Bittner: Macros are nothing but trouble. So if you have your macros enabled, it'll download the BazaLoader, which is a malware loader. And Bob's your uncle now. Now they've got you. Yeah, we're using Valentine's Day to trick people into this, also the specter of having an unpaid bill... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Hefty bill for something that you did not order. 

Joe Carrigan: This is hitting all the buttons, Dave. 

Dave Bittner: Right. Step by step, it looks legit as you go through this. 

Joe Carrigan: Yeah. 

Dave Bittner: But it's not. 

Joe Carrigan: It's a well-crafted campaign. And we've been talking about this now - I know that I've been focusing on it for the past two or three months - about the malicious actors going through the calendar and aligning themselves up with whatever's coming up next. Valentine's Day is no exception to this rule. It represents a great opportunity for these malicious actors to do exactly what they're doing here in this story. 

Dave Bittner: Yeah, yeah. So it's a good reminder. There's another story they cover in here, if you're interested, where they're talking about a flower shop - same sort of thing, downloads the same BazaLoader downloader. 

Dave Bittner: So it's an article worth checking out, again, written by Lindsey O'Donnell over on Threatpost. Do check it out. It's a good one to share with your friends and family 'cause this is the sort of thing that makes its way around. With all the holidays, you'll see them, you know, using the holidays as an excuse to spread these sorts of things around. So... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Check it out. 

Dave Bittner: All right, well, those are our stories. It is time to move on to our Catch of the Day. 
Joe Carrigan: Dave, our Catch of the Day comes from a listener named Kristian (ph). And it is a legitimate deal, Dave. And... 

Dave Bittner: (Laughter) Of course it is. 

Joe Carrigan: That's the title of the email. So why don't you read it? It's pretty good. 

Dave Bittner: All right. It goes like this. 

Dave Bittner: (Reading) Legitimate deal. Good day. I'm Aisha Gadhafi, daughter of late Colonel Gadhafi, the Libyan leader. I'm contacting you to assist me in removing the sum of $65 million being deposited with a security company in UAE Dubai. The funds was deposited with a security company in my name. As a matter of fact, me, my only surviving son managed to escape with the help of a security guard on duty that fateful day. I'm presently into hiding in a refugee camp between the border of Chad and Nigeria because I know that the regime of my father has collapsed after his death. 

Dave Bittner: (Reading) Please, for your kind assistance, I will offer you 30% of the total sum. All the legal documentation concerning the deposit are with me. I will issue power of attorney, making you the new beneficiary of the deposit so that the security company can release the funds to you. Once you successfully secure the funds from the security company, an arrangement would be made for disbursement. May Allah grant you the heart to assist me and my only son in this, our trial period. Please never you abandon me with my son because just we are Arabs. But I want to assure you that honesty and trust must remain our bond. Get back with your details so that we can proceed without delay because I am here without help from no one. Regards, Aisha Gadhafi. 

Joe Carrigan: Interestingly enough, Moammar Gadhafi did have a daughter named Ayesha (ph), but it's not spelled... 

Dave Bittner: Really? 

Joe Carrigan: ...Like it's in this email. It's spelled differently. So somebody did a minimal amount of research. 

Dave Bittner: (Laughter) Right. He reached over to the guy in the next cubicle. He said, hey, Bob, what was the name of Gadhafi's daughter? 

Joe Carrigan: Ayesha. 

Dave Bittner: I think it was Ayesha. All right, good enough (laughter). 

Joe Carrigan: But it's spelled here like Aisha Tyler, you know... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Who's an American actress... 

Dave Bittner: Yeah. (Laughter) Oh, my. 

Joe Carrigan: ...And not like Ayesha Gadhafi, who is a Libyan daughter of Moammar Gadhafi, I guess. I don't... 

Dave Bittner: Right. 

Joe Carrigan: I think that's a great story. If I could - I could see that exact - that exactly happening. 

Dave Bittner: Yeah. 

Joe Carrigan: Who was Gadhafi's daughter? Ayesha? OK. 

Dave Bittner: Good, good, good. 

Joe Carrigan: I don't think it matters how I spell it. 

Dave Bittner: Yeah. All right. Pretty straightforward here what's going on, right? 

Joe Carrigan: Yeah, this is just very similar - in fact, it's the exact same scam as the Nigerian prince scam. You might be able to call this the Libyan princess scam. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: It's the same scam. And if you respond to this, they're going to start talking about, oh, now we're going to start moving the money. Oh, by the way, we need some fees. Why don't you send me the money for the fees, and I'll get the money moved over - which always perplexes me. I mean, how does somebody have millions of dollars and can't pay the fees? 

Dave Bittner: Well, 'cause they're in prison. This person's in a refugee camp, Joe. 

Joe Carrigan: Is in a refugee camp - that's right. 

Dave Bittner: Yeah. 

Joe Carrigan: Well, that makes sense, I guess. 

Dave Bittner: (Laughter) Right. All right, well, that's a good one. Our thanks to our listener Kristian for providing that for us. That is our Catch of the Day. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Sara Teare. She has the greatest title in security. She's the minister of magic at 1Password. 

Joe Carrigan: Awesome. 

Dave Bittner: (Laughter) Yeah. But we're talking about an important topic, which is something that a lot of folks don't consider, which is what happens if something bad happens to you. If you pass away or something, you know, like that - you're unable - you're unresponsive, who gets custody of your digital things? Who gets your passwords? Who gets all that stuff? 

Joe Carrigan: Right. 

Dave Bittner: Here's my conversation with Sara Teare. 

Sara Teare: We were trying to figure out how families in general are using passwords. The world as we know has really changed in the last while, and what role does having passwords play with estate planning, with having kids at home, with remote work and, all of a sudden, now instead of having work machines and home machines, having everything all sort of combined - and what kind of information we could gather from people in terms of how that's all working together. 

Dave Bittner: Well, let's dig into estate planning itself. I mean, this part of it fascinates me because I think it's - it may be something that a lot of folks don't really put a lot of thought into. 

Sara Teare: I think it was very surprising to me when we looked at the statistics where only 38% of Americans had a will to begin with, and fewer than half of people - half of all those people had passwords within their will, which one of the things when you're using 1Password we prompt you for is to download your emergency kit and write your master password right on there and include it with your will so that if something happens down the road, your family has access to that information because a lot of our living is now online. So it's very hard to think that all of a sudden, if something were to happen to you, what happens to those online accounts? And trying to get access to those can be quite challenging. 

Dave Bittner: You know, it's interesting 'cause I think of my own parents, who are elderly. And, you know, they keep lots of things in their safe deposit box. And I wonder if the generation coming up is even very familiar with what a safe deposit box is. 

Sara Teare: I actually don't think they are. I know for myself personally, with our bank account, we got a free safe deposit box with it. Never put anything in it. I'm not even sure where the key to the safe deposit box is. But at the same time, I know that I'm going to have to have my will. So I've got that together, and I've got important information with that. But I don't think a lot of the newer generation is even going to think of going into a physical bank, let alone having a security deposit box at a physical bank. 

Dave Bittner: So what are the ramifications here? I mean, if someone - in modern society, someone passes away. And if they've not left a proper trail behind when it comes to their passwords, what is their family probably in for? 

Sara Teare: A lot of difficulty, unfortunately. Unfortunately, as you start doing all of the estate planning and dealing with the actual funeral arrangements, things like that, you've also got bill collectors, you've got hydro bills, you've got cellphone bills, you've got all of those things mounting up. And when you can't access those accounts to cancel services or access any of that information, it becomes very difficult for people and it just adds to that stress that they're already dealing with. 

Dave Bittner: So what are your recommendations here? I mean, obviously, Joe and I on this show, we try to convince people to use password managers all the time. And, of course, you all are on board with that. But, I mean, beyond that, let's say someone's using a password. What's the proper way to prep it in case something like this happens? 

Sara Teare: I think if someone is particularly resistant to using a password manager or just trying to keep things simple, as I often find a lot of older adults will tell me they find it complicated, I think making sure that those key passwords for anything are written down and kept somewhere secure and safe so that people have somewhere for that. 

Sara Teare: Because not necessarily even if something were to happen to you where you were to no longer be with us, but unfortunately, as we've seen with COVID, people can go into hospitals for long, extended amounts of time. It could just be a matter of you're not able to look after your own affairs for a couple of months while you're getting better - making sure someone has access to that information for you. 

Sara Teare: My husband, David, and I were talking and said, you know, if there's someone that you would give a key to your house to go in and water your plants and check on things and all that kind of stuff, that's someone that you'd want to be able to give a key to your accounts so that they could make sure everything's taken care of for you. 

Dave Bittner: What about, you know, multifactor authentication? You know, I'm thinking that, obviously, it's something we encourage folks to do. But, you know, in this case, I could imagine, as you say, you know, giving a neighbor the password to my account, but they could be thwarted by multifactor. 

Sara Teare: Again, that's definitely going to be a long-term consideration. And I think that that's where the password managers, things like that - that comes into such a big help, because especially as you've made things more secure for yourself and making sure, you know, you're not becoming victim to hacking or identity theft or anything like that, you've just made it that much harder as well to gain access should something happen to you. So following up and making sure that complete record-keeping and the whole estate planning is all a big part of the bigger picture is really important. 

Sara Teare: The start of a new year's always a great time to look at those sort of resolutions and say, you know, what sort of things can we do? And the new year sort of lends into the spring cleaning. And it's one of those things where it's nice to just sit back and look at things and say, OK, how does this all fit together? What's the bigger picture? How can I make sure that something is happening? And if something does happen, how do I make sure that people have access to what they need? 

Dave Bittner: What are some of the other key things that came out of this family password report? These days, how are families handling their password ecosystem? 

Sara Teare: One of the things that really made me laugh was just that 30% of parents had said they have - with high schoolers, they claim that they know all of their children's passwords. And I thought... 

Dave Bittner: (Laughter). 

Sara Teare: ...As a parent of a high schooler... 
Sara Teare: ...I don't even know the PIN code to her phone anymore... 

Dave Bittner: Right. 

Sara Teare: ...'Cause that's... 

Dave Bittner: That's adorable (laughter). 

Sara Teare: Yeah. But there's no way. There's no way. 

Dave Bittner: Yeah. 

Sara Teare: You know, and I guarantee you 100% of those 30% of parents think those are the only accounts those kids have. 

Sara Teare: It's a remarkable thing, but I think just even looking at the younger generation in terms of how many kids are now online schooling, what that remote environment looks like, trying to teach kids how to set passwords up so that they're not the name of your pet dog, they're not the street you live on. How do you set up passwords in a way that they're safe, but they're also memorable and so that it's easy for the kids to use? Because you've got preschoolers using computers now and logging on to Zoom calls and accessing their remote schoolwork through Google Homework. And there's just so many opportunities for them to be online and have these different accounts. So how do we make that secure for them? 

Dave Bittner: Yeah. I mean, I think it's a really good point that, you know, just the same way that we teach our youngsters about basic hygiene, that, you know, that digital hygiene is something that's going to be important and serve them well throughout their lives as well. 

Sara Teare: And I think that's just in terms of just overall being aware of - being a good netizen, the old - that makes me sound really old when I say that. Oh, my. 

Dave Bittner: (Laughter). 

Sara Teare: You know, a good citizen on the internet and that whole password hygiene, but, like, you know, accepting friend requests from people you don't know and just keeping yourself safe online. And I think that's discussions that parents need to be willing to have with kids, especially since they're online so much. 

Sara Teare: I think the other part is just it's more readily accessible now to all kids. Like, it used to be where you'd have a phone, and you'd let your kids borrow it from time to time. Or they'd have an hour where they borrow the family iPad to watch a show or things like that. Now, with - you know, parents are working from home. They've got their computer. The kids have their computer. There are just more devices. So it's more about managing how it all works together and making sure that everyone can have access to what they need and that people are doing it properly. 

Sara Teare: 'Cause, again, last thing - we've got two kids. So if both kids had the same password to the same account, then, you know, this one's in that one's mess, and this one's in that one's. It ends up being a real mess. And you want to make sure that your kids are all being safe online, but also not, you know, driving each other crazy for the sake of driving each other crazy. 

Dave Bittner: Yeah. I mean, it's one of those modern parenting challenges of balancing between respecting their privacy, but also, you know, keeping - looking over their shoulder and, you know, having an appropriate amount of parental care over what they're doing day to day. 

Sara Teare: I think that was actually one of the things when we were setting up our family account, it was important to my daughter in particular. She's 15 now. So when we set that up - was just her being able to have the knowledge that her private vault was her private vault. And, yes, as administrators, we could help her recover her vault if something - she forgot her master password or if she needed help, we could help her, but we wouldn't have access to those passwords 'cause I think that you want to have that autonomy, that privacy. 

Sara Teare: And then on the opposite end, we've got my in-laws, where we're setting them up and, you know, having to make sure where things are at and then trying to encourage them to put things in a shared vault with myself and my husband and then them, as opposed to using the private vault, so that we can help manage things as things progress as they get older and making sure that, you know, we can all access what we need to at the right time. 

Sara Teare: I think the most important thing I can share is just the reminder to people to talk to their loved ones. Estate planning is never a fun topic to talk about. You know, it's not filled with good thoughts and happy memories. But find those opportunities, whether you're watching TV shows, whether you're watching the news. If you're near your parents, talk to them about it. Find out what their wishes are. Talk to your kids about it and make it more of an open family discussion by sort of demystifying the whole process of passing away and how that all works. 

Sara Teare: I think it really works better for the entire family to sort of make those plans together and be aware of what everyone wants to do and then, as an adult, making sure that you've got everything put together and, you know, complete that package. Make sure you have a will. Make sure you put important information with that will so that if something were to happen, people can take care of it. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Good interview. I'll tell you, Dave, it's a tough topic for people to deal with, and I think that's why only a third of us have wills. My father was a CPA. He's since retired. But he did a lot of work with people doing some estate planning and other things. 

Joe Carrigan: One of the things he said to me was, you know, everybody has a will by default. It's just the probate system, right? And the idea of having a will is so that when you go into the probate system, that part happens quickly, and it happens as you prescribe. 

Dave Bittner: Right. 

Joe Carrigan: Because if you don't have that documentation, then it's up to the judge and trustees and other people to make those decisions for you after your untimely or timely death, right? 

Dave Bittner: Right. 

Joe Carrigan: It's a great idea to have this written out in some way, shape or form. I will say that I have not left my passwords for my survivors, but I've made other arrangements for them to get access to the things that are important for them to get access to. You know, things like financial assets - they can get access to it. They just can't log on directly to the website. They'd have to actually go in person and, you know, handle things. And that's not too much of a burden, I don't think. 

Dave Bittner: Yeah. 

Joe Carrigan: Sara recommends writing these passwords down. And initially, as security practitioners, we always - you know, the hair on the back of our neck stands up, and we go, don't write your passwords down, right? It's all about gauging the risk and mitigating it, right? If you're wanting somebody to have access to your digital assets after you pass, then there is no better way than to put it on a piece of paper and make sure that that paper is secure somewhere, like in a safe deposit box. That's OK to do, especially if they're strong passwords, right? 

Dave Bittner: Right. 

Joe Carrigan: The only problem is if you go through a password changing regimen, now you just have to go over and update the document that's in the safe deposit box that's secured somewhere. 

Dave Bittner: Yeah. You know, it's something we deal - I deal with personally, you know, as my folks get older. That is something we have to - you know, the planning - estate planning for them. And... 

Joe Carrigan: Right. 

Dave Bittner: They've done just this very thing. You know, there's a file that has all of their important passwords. And I know where it is. It's secure. But if something were to happen to them, I know where to go. 

Joe Carrigan: You could get it, right. 

Dave Bittner: I could get it, yeah. 

Joe Carrigan: Yup. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the things that I liked about this interview is when she's talking about parents saying they know their kids' passwords. I guarantee you you don't know all of your children's passwords. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: When I was raising children, I think I knew one of my children's passwords when they were younger - like their email account. And then I never really knew another one. I'm a bigger fan of making your kids the kind of people who don't need that kind of monitoring. You see their online behavior that they show you, and you make sure that's all up to date. You make sure they're not participating in any risky behaviors. You educate them about the risks, tell them the horror stories of things that have happened to people, 'cause there are plenty of them out there. I am a firm believer in not sheltering your kids from that information, you know? 

Dave Bittner: Yeah. 

Joe Carrigan: It's - you know, you say, hey, look; this kid got online with somebody. They thought they were talking to another 14-year-old kid. Turned out they were talking to a 35-year-old man, and now they're dead. Look at that. You know? 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, it's a horror story, and it happens, but it is a risk when you're online. 

Dave Bittner: Sure. They're sobering things to think about, but it is important, you know? 

Joe Carrigan: I would agree 100%. 

Dave Bittner: Good to check in from your own point of view. My take on this is that you want to make things as easy as possible on the folks who are left behind if... 

Joe Carrigan: The survivors. 

Dave Bittner: ...Something were to happen to you, yeah. And this is a way to do that. This is a gift you can leave for your family that, among all the things they're going to have to worry about at the time of your passing, this is one less thing they'll have to worry about. And so you can do a little bit of work ahead of time and make things easier on them. And to me, that's probably time well spent. 

Joe Carrigan: I would agree. 

Dave Bittner: All right. Well, our thanks to Sara Teare from 1Password for joining us. We do appreciate her taking the time. 

Dave Bittner: We thank all of you for listening to our show this week. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.