Hacking Humans 5.6.21
Ep 146 | 5.6.21

Digital identities are at the core of recent breaches.

Transcript

Julie Smith: Digital identities are at the core of the majority of breaches that have been happening over the last five or six years.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault returns with her interview with Julie Smith from the Security Alliance and Kelvin Coleman from National Cyber Security Alliance. And they're discussing Identity Management Day. 

Dave Bittner: All right, Joe, let's kick things off with some stories. My story is a little off the beaten path for us, but it's kind of why I like it. This is a story from WIRED. And it's titled "How Pixar Uses Hyper-Colors to Hack Your Brain." So I don't know about you, Joe. I'm a big fan of the Pixar movies. 

Joe Carrigan: I enjoy them, as well. 

Dave Bittner: Yeah, I think it's probably fair to say that Pixar may be the most successful movie studio in Hollywood history in terms of having a consistent high level of quality with the movies that they've released. To me, the only stinker has been "Cars 2" (laughter). 

Joe Carrigan: I've actually never seen "Cars 2." 

Dave Bittner: Well, consider yourself lucky (laughter). This story is about - of course, Pixar being a studio that produces animated content, they have total control over the colors that they generate in their movies. 

Joe Carrigan: Right. 

Dave Bittner: And as we know, colors can really affect your mood. We associate certain colors with certain types of moods and environments. We think of a warm sunset as being something relaxing or romantic, right? 

Joe Carrigan: Right. 

Dave Bittner: Think of the cold light of fluorescent bulbs, that green cast. You know, you often see that used in medical dramas, or it has a sort of foreboding tone to it. 

Joe Carrigan: You say that cold fluorescent, and I instantly think, in terms of Pixar, "Monsters Inc." 

Dave Bittner: OK, yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah, absolutely. Absolutely. So not surprisingly, the artists at Pixar use this to their advantage to help put us into a mood. They use color - light, color, of course, sound, as well. But this article's talking about the color that they use to help nudge us in the direction that they want us to be, put us in a mindset to have the moods that they want when they're telling their stories. By the way, I should mention this article is an excerpt from a book called "Full Spectrum: How the Science of Color Made Us Modern," written by Adam Rogers. Seems like that book is interesting and worth checking out. But the really interesting thing to me this article digs into is how the science and the technology is progressing when it comes to movie theaters' ability to project images on the screen. And specifically, they're talking about movie theaters that are equipped with Dolby digital projection, which is, you know, some of the elite movie theaters. Instead of projecting using a high intensity light bulb, they're actually projecting on the screen using lasers. 

Joe Carrigan: Really? 

Dave Bittner: Frickin' lasers, Joe, frickin' lasers. 

(LAUGHTER) 

Joe Carrigan: Are they attached to sharks' heads, Dave? 

Dave Bittner: Well, I like to think that maybe up in the projection booth, sure, there's... 

Joe Carrigan: There's a shark with a laser on his head? 

Dave Bittner: There's a big fish tank up there. There's a shark, and he's got a laser attached to his head. And that's how it works. We can - I mean, hey, it'd work for a Pixar movie, right? 

Joe Carrigan: Right, absolutely. 

Dave Bittner: (Laughter). What's interesting about this is that these projectors are capable of generating colors that don't exist in nature. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right, right. Because they can make pure wavelengths, and the precision with which they can do this with these lasers - they can make colors that are unique. And also, they can do them with an intensity of both saturation and brightness that, previously, they haven't been able to achieve. So the folks at Pixar are taking advantage of these Dolby Cinema capabilities. In fact, this article says that they've produced versions of their movies that work within color spaces that aren't even available to consumers yet. So as the technology improves and you have, you know, TVs with high dynamic range, as that technology increases, as the color gamut spreads on these televisions that you can buy at home, Pixar is ready to release versions of their movies that can take advantage of that. They also talk about how they could take advantage of things like, you know, persistence of vision, you know... 

Joe Carrigan: Yes. 

Dave Bittner: ...Those little optical illusions that you enjoy, you know, when you're a kid and beyond. You stare at something for a while, and then you look away, and you see an afterimage. So they can take advantage of that. And they say they can actually use that to create colors in your mind that otherwise wouldn't exist in the real world, colors that you wouldn't be capable of actually seeing. 

Joe Carrigan: Really? 

Dave Bittner: So yeah. 

Joe Carrigan: That's fascinating. 

Dave Bittner: It is fascinating. And, you know, I think to the point of our podcast here, I think it's just - it's interesting from the point of view of the possibility of manipulation... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Where if I can present you with a certain set of circumstances that could predispose you to be open to a type of messaging or help put you in a certain mood, either a relaxed mood or perhaps a fearful mood... 

Joe Carrigan: Right. 

Dave Bittner: ...Based on color. 

Joe Carrigan: If you think about it, cinema is an art form. And one of the motivations or purposes of art is to elicit an emotional response from you - right? - to make you... 

Dave Bittner: Right. 

Joe Carrigan: ...Feel something. You know, you go to an art museum. And, sometimes, you see something that really moves you, and you just go, that is just downright beautiful. And when you're experiencing a movie, the director and the producer - you know, they're all trying to elicit an emotional response. And I imagine that with the way Pixar is doing it, it's just a more effective way of eliciting that emotional response. And when I think back to what is probably my favorite movie, "Monsters Inc.," from Pixar, I remember the colors in that. I really enjoyed the color of Mike Wazowski and Sulley. Even though they were monsters, these colors were actually beautiful. And I just remember going, I could watch this movie a hundred times. 

Dave Bittner: Well, and, you know, probably the most famous example of this is "The Wizard Of Oz," when Dorothy goes... 

Joe Carrigan: Yeah. 

Dave Bittner: ...From, you know, black and white Kansas to color Oz. How much more striking (laughter) and in your face could the transition be? Interesting article. Again, it's over on WIRED. It's titled "How Pixar Uses Hyper-Colors To Hack Your Brain." The article's written by Adam Rogers, actually an excerpt from his book "Full Spectrum." So we'll have a link to that in the show notes. Do check it out. That is my story this week. Joe, what do you have for us? 

Joe Carrigan: So, Dave, you know I'm a big fan of multifactor authentication, right? 

Dave Bittner: Yes, indeed. 

Joe Carrigan: I make no secret about that. I always say use multifactor authentication as much as you can. 

Dave Bittner: Right. 

Joe Carrigan: Well, Security Boulevard has a story that's actually from a security company called Enzoic. And they posted it on their website. It's about ways that malicious actors can break into accounts with MFA enabled, MFA being multifactor authentication. So the title of the article is "How Social Engineering Tactics Can Crack Multifactor Authentication." They're not really cracking multifactor authentication with these tactics. They are just getting around them, which is the way malicious actors and even white-hat hackers think. They think, OK, here's a barrier to my progress. How do I get around this? And the article talks about three ways to bypass multifactor authentication. The first one is the old, tried and tested and true and constantly successful call tech support and impersonate the victim, right? One of the big problems this article points out is that tech support is a customer service job, and customer satisfaction is a very high priority for those jobs. So the cards are already stacked in the attacker's favor. They will call in using a spoofed number, so that kind of acts as another way that the attackers can impersonate the victim. They'll have the information that tech support needs to verify the person over the phone, right? They'll already have that data ready from intelligence gathering, open-source intelligence gathering, usually. And they'll say something like, I lost my MFA thing, whatever that thing is, whether it's a token that generates a one-time password or if it's, like, a YubiKey or one of those Google Titan Keys, they'll say, I lost it, and I need access right now because there's something big happening. So here again, we see the artificial time constraint that they're putting on the tech support person. 
I've seen videos of Rachel Tobac calling into credit card companies to do this to get access to credit card accounts for a journalist by impersonating the journalist's wife (laughter) and playing the sounds of babies crying in the background. It's a really effective way to get into an account. There are a few defenses against this. And one - and the article mentions this - is have a policy that just doesn't allow this. I don't know how effective that is because there is a legitimate use case where somebody loses their multifactor authentication device. You can't just lock that person out of their account forever, but you can change that by having a policy that the tech support person has to call the number on file for the customer. Again, this is an inbound call - the customer saying, I've lost my multifactor authentication. Please help me. They're spoofing the number that's on file, but that's not good enough. The tech support guy has to say, OK, I will call you right back at the number we have on file for you. And then hang up the phone and dial out to the number. Now, that doesn't protect against a SIM swap. So if somebody SIM swaps your phone and your cell phone is the number on file, then they're going to get that phone call, and you're not going to get it. So they're still going to get around it. But another good policy for this is have the customer show up in person to get the new token. This is a really good policy for companies where you have on-site employees and for governments. There may be other policy solutions to this, but I think the solution to this problem is really a policy solution. I don't know that there's much technology that can be done here. 

Dave Bittner: Well, it seems to me that in each of these cases, what you're doing is you're slowing things down, right? 

Joe Carrigan: Right, exactly. 

Dave Bittner: As we always talk about, slow it down. 

Joe Carrigan: That's right. 

Dave Bittner: And that solves a lot of these problems. 

Joe Carrigan: Yup. You know what? Let's say you're a bank, and your customer calls in and says, I've lost my multifactor authentication device. And you say to them, OK, that's fine. We will send you a new one for $25, and that's our policy. Now, you still can get access to your account, but you cannot get instantaneous access to your account. A lot of times, that need for instantaneous access is a ruse. The other thing you can say is, if you need access right now to your account, you can go to one of our branches. 

Dave Bittner: Right. 

Joe Carrigan: That's what you're going to have to do. You're going to have to show... 

Dave Bittner: Right. 

Joe Carrigan: ...Up in person. 

Dave Bittner: Bring your ID. 

Joe Carrigan: Right, and bring your ID. Right. And then... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...You can do that business there at the branch. Otherwise, I'm sorry. You've lost your multifactor authentication, and you're just going to have to deal with the time delay. That's what happens. 

Dave Bittner: Right. Right. You put this in place for a reason. 

Joe Carrigan: Right. And here's the reason. 

Dave Bittner: You did this (laughter). 

Joe Carrigan: As far as I know, you could be a scammer. 

Dave Bittner: Right. Right. 

Joe Carrigan: And if this were a scammer and I helped him, you'd be very angry with me (laughter). 

Dave Bittner: That's right. That's right. 

Joe Carrigan: The second one they talk about in this article is fake websites. These are essentially phishing websites, right? We've all heard of phishing kits and phishing landing pages where you get an email that says you need to update your account or sign in. Usually you get these for PayPal or from Microsoft Office 365. You click on the link - which you should never do - but you click on the link, and it takes you to a site that looks exactly like the real site. In fact, it may just be a copy of it. And then it prompts you for your username and password. And if you don't have multifactor authentication turned on, then it just passes you off to the original website. And the attackers still have your credentials. They keep them. Now you're hosed. 

Joe Carrigan: But if you do have a multifactor authentication, what they're going to do is they're going to try to log in with your credentials, and they're going to see that it asks for a multifactor code. And then they're just going to turn around and ask you for the multifactor code. And if you provide that, they're going to provide it to the website, and they're into your account. That works... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Really well with the SMS message. It works with a one-time code generated by either an authenticator application or even one of those little tokens that you give to your employees - you know, the - you've seen them - the SecurID tokens. But one thing it does not work with is Universal 2nd Factor, like in the YubiKey and the Titan. And it doesn't work because those keys, those private keys, are generated on the fly using the secret that's inside of the hardware and some other information. And part of the other information is the domain that the request is coming from. So because the scam domain is going to be different from the actual domain, the keys won't be the same, and it won't work. 

Dave Bittner: Right. I point out, too, that this is sort of one of the lesser emphasized benefits of using a password manager because a password manager... 

Joe Carrigan: Ah, right. 

Dave Bittner: ...Also keeps track of the web domain that you're trying to use your credentials on. So if you go to one of these fake websites that's impersonating a real website, your password manager is going to say, hold on here. Before I fill in this stuff, this is not the usual place where I fill in this stuff. 

Joe Carrigan: Right. 

Dave Bittner: Are you sure you want to do this? So that's a good thing as well. 

Joe Carrigan: With a browser-integrated password manager, it won't fill it in because it's... 

Dave Bittner: Right. 

Joe Carrigan: ...Only going to put that password into a domain like, let's say, your Google password is only going to go into a Google domain. It's not going to go into joesphishingsite.com. The password manager will go, I don't have any password for joesphishingsite.com. You're out of luck here. So that's a really good point, Dave. And these browser-integrated password managers are really good for exactly that purpose. Now, the one I use is not browser integrated. It's a standalone application. Finally - this is a big one - the way they get around these multifactor authentication-protected accounts is with the knowledge-based authentication, that is, the security questions. Now, you remember a couple of years ago when Sarah Palin was running for vice president? 

Dave Bittner: Yeah. 

Joe Carrigan: And somebody got into her Yahoo email account? The way they did that was they couldn't guess Sarah Palin's password, so they used Yahoo's password reset feature and answered the security questions. And the security questions were, where did you go to high school? Things like that. And that information is readily available about... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...A lot of people, right? Especially somebody who's running for vice president. 

Dave Bittner: What cities can you see from your house? 

Joe Carrigan: (Laughter) Yes. It's not a good form of authentication. It's a very weak form of authentication. This article makes the point that if you have a - you know, what was your first pet's name? Somebody who can see your information on Facebook can probably collect that information. 

Dave Bittner: Right. 

Joe Carrigan: They almost certainly can collect the information of the high school you went to. It's not that hard to find out. One of the big points that this article makes about these security questions is that your account is only as secure as the weakest link in that account, in the security chain here. And if knowledge-based authentication is the weakest link, that's the level of security on your account. It's not any better than that. It doesn't matter if you have multifactor authentication enabled. It doesn't matter if you have a really strong password. If somebody can get around those things by answering simple questions about you, then they can get into your account. So my recommendation is lie. Lie on those questions... 

Dave Bittner: Right. (Laughter) Right, right. 

Joe Carrigan: Some websites insist that you fill these out. My password manager has a space for notes. And in that note space, I write a little hint to the question and my answer to the question. For example, what city were you born in? I might say Timbuktu. Right? Take a wild guess. I was born in Timbuktu, Mali. You know. Or I might even not pick a name for a city. Right? I might say... 

Dave Bittner: Yeah, the moon... 

Joe Carrigan: Yeah, the moon. Right. 

Dave Bittner: ...Saturn (laughter). 

Joe Carrigan: Or, you know, the green cup that's on my desk could be the answer. Just pick something else. Don't put something that's actually accurate in there because that's really easy to figure out. 

Dave Bittner: Mmm hmm, mmm hmm. 

Joe Carrigan: One thing I want to say about this is training is always a good countermeasure to these attacks, right? These kinds of attacks go around, so train the people that answer the phones to recognize the signs of a social engineering attack. The biggest red flag for tech support is the artificial time constraint, the immediate need that you have to meet right now and we can't wait for the security protocol. We have to get this done. That should be a huge red flag for anybody that works in tech support. 

Dave Bittner: Yeah, absolutely. All right. Well, it is an interesting article for sure. We will have a link to that in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Brett (ph). Brett writes, I work in a PC repair shop and deal every day with people who have let scammers remote into their PCs. Usually, the scammers type out everything the customer will be required to pay on a Notepad text file. Normally they are boring, but I couldn't contain my laughter while reading this one. The customer didn't pay, but was worried their kids would have to live with the shame of no internet. Thought you might enjoy it as well. Dave, this is a good one. Take it away. 

Dave Bittner: (Reading) As we are the U.S. government authorized company, from today onwards, your case will be handled by the senior security department. Some legal paperwork will be sent to you in writing, which you have to sign it. A team of five Level 100 digital home network technicians will be handling this case. You have no choice. You must accept. Your IP hangs in to balance. You don't want bad IP for lifetime - permanently, as in forever. Once it will be fixed, nobody in lifetime will be bale (ph) to hijack your usir (ph) identity again in future. Already all e-vices (ph), all machines, every device will be safe and secured forever. We use top secret gov IT tools you'll find nowhere else. These tools provide each and everything you need to never be hacked again. One, LAN security - $214.25 tax; two, WAN brick hard security - $342.15 tax; three, super massive firewall - $184.25 tax; four, even more massive firewall - $1,425.25 tax; five, extremely even more massive super-duper firewall - $2,880.01; six, Facebok (ph) protection - $759.99; seven, Hacker Attacker Pro Super Deluxe - $1,237.25. Total - $7,043.10, one-time payment for lifetime. Warranty in writing will be sent to you from USA Legal Services that after today, if anything goes illegal or wrong under your name, you have no responsibility for all your devices. We have a coupan (ph) if decide to do it now. We'll waive $5,000.10 and add an eighth software, Hacker Don't Come Backer software, which costs $3,800. If you don't do now, I have to blacklist you IP, and you never will be able to use internet again. Think of your kids living a life of shame with no internet. 

Joe Carrigan: I'm almost speechless with this one, extremely even more massive super-duper firewall. 

Dave Bittner: Mmm hmm (laughter). 

Joe Carrigan: This smacks of... 

Dave Bittner: Seems legit. 

Joe Carrigan: Huh? 

Dave Bittner: Seems legit. 

Joe Carrigan: Seems legit, right. This smacks of those Nigerian prince emails. They're just getting ridiculous in order to try to weed out the people that won't fall for it and just take the people that will fall for it and are just going to cough up a credit card number almost. 

Dave Bittner: Yeah, could be. 

Joe Carrigan: I mean, this thing is so out in left field. 

Dave Bittner: (Laughter). 

Joe Carrigan: I can't believe somebody actually wrote this down on a Notepad to leave behind as evidence once they had remote access to someone's computer. 

Dave Bittner: Mmm hmm. Yeah. Well, I - they seem to feel like they're operating with impunity. 

Joe Carrigan: They do. 

Dave Bittner: All right. Well, thanks to our listener for sending that in. 

Joe Carrigan: Thank you, Brett. 

Dave Bittner: That is a good one. We would love to hear from you. You can send us emails to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it is always great to have Carole Theriault return to our show with her interviews - always enjoy those. This week she comes to us with her conversation with Julie Smith from the Security Alliance and Kelvin Coleman from the National Cyber Security Alliance. And she spoke to them on the ramp-up to Identity Management Day. Here's Carole Theriault. 

Carole Theriault: All right. So Identity Management Day aims to inform us about the dangers of casually or improperly managing and securing digital identities by raising awareness, sharing best practices and leveraging the support of vendors in the identity security space. Sounds lofty. Well, we have two founding members, the brains behind Identity Management Day, Security Alliance executive director Julie Smith and National Cyber Security Alliance Executive Director - oh, what a title - Kelvin Coleman. Thank you guys for joining us. 

Julie Smith: Thank you. 

Kelvin Coleman: It's great to be here. 

Carole Theriault: We are recording this session the day before your big launch. So are you guys excited, tired? Talk to me. 

Julie Smith: Yes, all of the above. 

Kelvin Coleman: All of the above. 

(LAUGHTER) 

Carole Theriault: What has been the most stressful thing? 

Julie Smith: For me, just kind of coming down to the homestretch. You know, it's been an amazing journey, which started about six months ago when the idea came to us from one of our vendor members, Centrify. And it's been a lot of discussions, a lot of planning and some great execution by the team over the last month, really. We announced it on February 23. And then leading up to tomorrow, it's just pulling together all of the content that's been created, responding back to the over 150 champions that have raised their hand and said, we want to be a part of this, and really just getting organized for tomorrow so that we've got a great day of events and content that's going to be shared across the industry for the benefit of not just consumers, but organizations as well. 

Carole Theriault: So you're basically saying you guys are like swans right now. Everything is going perfectly to plan, but underneath the water, your feet are really pumping. 

(LAUGHTER) 

Kelvin Coleman: Yeah, we're certainly putting a lot of effort into this wonderful, wonderful day - Identity Management Day. And as you point out, it's the first one. Right? And so you're probably as nervous on this one as you ever will be. I guess it's like having kids. Like, your first one you're, like, so nervous and, oh, my God, everything. And then you start having more. You're like, eh, it'll be fine, you know? (Laughter). 

Carole Theriault: I know. My grandmother had eight kids. I wonder by the eighth if she even noticed, you know? 

Kelvin Coleman: Exactly (laughter). 

Carole Theriault: So tell me - so what are the main messages you're trying to get across with this day? And I also want to talk about resources later as well. 

Julie Smith: The main message that we want to get across is that digital identities are at the core of the majority of breaches that have been happening over the last five or six years. The research that we've done, 79% of the organizations have suffered an identity-related breach... 

Carole Theriault: Gee, really? 

Julie Smith: ...In the last two years. And identities are the thing that - it's the low-hanging fruit for hackers. All they need to do is get access to a username and password - a legitimate username and password. They log in, and then they start to do their damage. And I think in the past, identity management, especially for an organization, has been considered more operational. So how do I get my employees, for example, access to the applications they need to do their jobs? But the reality is it's a security threat. It is the main thing that hackers are going after. And organizations need to really think about it from a security perspective. So I'd say that's a message from an organizational perspective. You know, Kelvin and his organization do a lot around educating consumers on how to stay safe online. And so I'll let him speak to the messages we want to put out there for the consumer side of this story. 

Carole Theriault: Yeah, 'cause things have gotten bad, haven't they, Kelvin? 

Kelvin Coleman: They have. They really have. But manageable, though, right? And we don't want to give the impression that this is a foregone conclusion and people really can't do anything about it. The primary message, Carole, that we're putting out to people is be identity smart, right? Just as you'd protect your Social Security - your physical Social Security number - you certainly wouldn't have your card flashing it out everywhere, letting people see that Social Security number or driver's license or any other part of what's called PII - right? - personally identifiable information, you should protect that same information online, especially online. And so be identity smart is really what our message is for the month. And many of the things that Julie's talking about as it relates to enterprises or companies, those very same things can be applied to individuals, right? And even as Julie talked about the 150 champions that we have, many of those are companies - right? - corporations that represent thousands of employees. But some of those are individual people who're just saying, hey, we want to really support the day, as well. And so be identity smart is really what our message is and what we try to drive home. 

Carole Theriault: It's just interesting how on one side, lots of companies are trying to make everything frictionless, like one click from Amazon and da-da-da. And they have all your information already secured, some companies say. But others may not. But at the same time, we want to tell people, be really careful with your identity because it - that's the authorization process to so many different services across the digital sphere. 

Kelvin Coleman: Yeah, absolutely. We try not to complicate it too much - right? - because people have so much to think about. And the one thing that you may be surprised - when we say be identity smart, the first thing we advise people is to think before you click. To your point about this seamless sort of one-click future that we have, well, think about that, though, before you click. If you're receiving an enticing offer via email or text, don't be so quick to click on that link because if it's too good to be true, it probably is, right? Instead, you know, go to the company's website and verify that it's legitimate. Now, this is an extra step. I get it. And people are trying to take steps out of their lives, not put steps into them. But as a little country boy from, you know, South Carolina, I was always told an ounce of prevention is worth a pound of cure, right? And so... 

(LAUGHTER) 

Kelvin Coleman: ...Make sure that you are taking time to think before you click. One of the last things I'll tell - while, you know, going to have this conversation - share with care, right? 

Carole Theriault: Yeah. 

Kelvin Coleman: Before posting about yourself and others online. Consider what a post reveals, who might see it, how it might affect others. And so those two things alone, think before you click and share with care, could do a - go a long way in mitigating the challenges as it relates to identity management. 

Julie Smith: Yeah, the one thing that's very much kind of following in line with what Kelvin's saying - very much a crossover between, you know, employees and individuals, whether you're shopping online as a consumer or you're an employee within an organization - is good password hygiene. So, you know, there's a significant - I think it's 33% of consumers out there use the same password every time they create an account. And if you cross that over into your role as an employee, that puts your organization at risk, as well. So, you know, I'd throw that one into the top three things that people should do to practice good identity hygiene. 

Carole Theriault: Yes, absolutely. So tell us - what services or resources are available on your website? Because, of course, we're going to be listening to this after your big launch day. So I've had a look, and there's tons of stuff there. Maybe you can just tell us a bit about what people can find there if they're interested in looking. 

Julie Smith: Yeah. So identitymanagementday.org is the website. And you'll find a Resources section. And there's everything from advice from our identity management champions to white papers from organizations here in the U.S. that are focused on health care. We'll be adding blogs from identity management champions and other sort of industry experts. You know, one of the reasons we partnered with Kelvin and the National Cyber Security Alliance is because of what they do with Cybersecurity Awareness Month, which is October. And so the goal is it's not just one day focused on identity security and identity management, but it's all throughout the year. And we'll also put a spotlight on it again in October. So come back to the website often, and you'll find the resources growing. 

Carole Theriault: Brilliant. Kelvin, anything to add to that? 

Kelvin Coleman: Our resources at no cost - maybe I'll add that. By the way, you know, very easy to understand, layman term things. We don't get too technical in our language or jargon, but no-cost resources that people can take advantage of. Be identity smart, and you don't have to go it alone. There are organizations out there who are certainly willing to help. And the businesses want to help because they want you to be, you know, smarter on this, more keen on this. So... 

Carole Theriault: It's a win-win. 

Kelvin Coleman: It's absolutely a win-win, Carole. 

Carole Theriault: Can I say, thank you for all the hard work you guys have put in putting this together? I have done these types of things, and I know how much (laughter) work goes into them. 

Kelvin Coleman: (Laughter). 

Carole Theriault: So I take my hat off to you both. Julie Smith, Security Alliance executive director, and Kelvin Coleman, National Cyber Security Alliance executive director. Thank you so much for your time today. 

Julie Smith: Thank you. 

Kelvin Coleman: Really appreciate it. 

Carole Theriault: And, listeners, if you want to check out these free resources to help you improve your privacy, check out identitymanagementday.org. This was Carole Theriault for "Hacking Humans." 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: Very interesting interview. It was great to hear from Julie and Kelvin. This is really interesting stuff. Digital identities are at the core of the majority of breaches. You know, this is not really the way we think of people hacking into our systems from a security standpoint. We're always worried about somebody coming in through a vulnerability or finding a way through the firewall or finding something exposed. But the vast majority of breaches are from somebody getting a username and password. It's easy to get. People frequently cough it up. And once you're in, you're in. One of the interesting points that Julie makes is that identity is viewed as an operational function and not a security function. That's very telling. And I think that is indicative of an issue within the tech industry. Identity should be a security-managed system or at least have security insight. It shouldn't be just operational. I understand that you need to get these people up and running. New employee shows up. You got to give them access to everything, and you have to set up their identity and create it. But security should absolutely be involved in this at some point. I think in a lot of organizations, they are. But this is the authentication part of the AAA - right? - authentication, authorization and auditing. And it's the first thing that users have to do from a security standpoint when they come into your system. They have to authenticate and identify themselves. From the customer standpoint, Kelvin was talking about, don't wave around your PII. Dave, do you remember when you were a kid and you had, like, your first wad of cash and you pulled it out and you waved it around to your parents? Look at the money I have. And your parents said... 

Dave Bittner: Right. 

Joe Carrigan: ...Don't do that. 

Dave Bittner: Your birthday or something, yeah (laughter). 

Joe Carrigan: Right, yeah, exactly. Your parents said, don't do that. Don't flash your money around, right? And then later in high school, there was the kid whose parents never told him that. He had no problem flashing money around, right? He deliberately opened his wallet up so you could see that there were many bills in there. 

Dave Bittner: (Laughter). 

Joe Carrigan: Or, you know, he might even pull it out and go, oh, yeah, I've got to put that back. And then... 

Dave Bittner: Fanning himself with it. 

Joe Carrigan: Right, exactly. Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: And then later, the kid tells you, hey, I'm missing 40 bucks, right? This is just like that, right? Don't be the kid that waves everything around. Don't put all your personally identifiable information out on Facebook, you know? One of the big things we're seeing right now is people are posting their vaccination cards up. Well, those vaccination cards have information on them about you. Don't wave those around. From the development side, we do want to make the authentication experience frictionless because it's easier for the customer. There's at least an equal amount of responsibility that rests on the developers, if not more, to make the system secure and, if possible, frictionless. I understand we all want a frictionless user experience, but at the same point in time, asking people to use multifactor authentication is something that people will get used to very quickly, and it will become almost frictionless. I use a YubiKey for a lot of my authentication. It's plugged into my computer right now. It only functions when I touch it. So, I mean, it's literally me reaching down to my tower case here and just touching something on the YubiKey. And that's it. That's all I have to do. It's a great multifactor authentication that's very secure. And it doesn't require much from me once I've set it up. I would say it's really close to frictionless. Password hygiene - Julie was talking about 30% of users using the same password on everything. I'd like to talk to these people. 

(LAUGHTER) 

Joe Carrigan: I think this should be a job interview question because as Julie points out, if I can compromise your Yahoo password and you use that password for work, guess what? I'm in. 

Dave Bittner: Yeah. I remember the one time that I had a more corporate job, and they were onboarding me. And the IT folks came down. And, you know, one of the first things, you know, the guy said - all right. I need you to create a password for yourself. It has to be at least 13 characters long and has to have this, has to have this. And I was like, oh, crap. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) You know, like, and then he's like, all right, now I need you to create a different password that is also - oh, crap. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) But I think - and I had to sit there and think about it for, you know, a couple minutes. And this was in the days before I was using a password manager. But the good part about it was that it kept me from falling back on some of the default passwords or even the default password formulas that I thought I was so clever in using, right? 

Joe Carrigan: Right. 

Dave Bittner: Which we all know now are not so clever. 

Joe Carrigan: They are not clever at all. 

Dave Bittner: Right (laughter). All right. Well, our thanks to Carole Theriault for joining us. And, of course, we want to thank our guests, Julie Smith and Kelvin Coleman, for taking the time. We do appreciate that, as well. 

Dave Bittner: That is our show. We'd like to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.