Hacking Humans 5.27.21
Ep 149 | 5.27.21

Hacking people vs. hacking technologies to get into companies.

Transcript

Tim Sadler: People today are hacking people versus hacking technology to get into companies.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Tim Sadler from Tessian on how oversharing on social media can open the door for hackers. 

Dave Bittner: All right. Joe, let's jump in with some stories this week. Why don't you kick things off for us? 

Joe Carrigan: All right, Dave. My story comes from Abhishek Iyer at Armorblox. And he has the story of two vishing emails that impersonate Amazon. This is interesting, a vishing email. The first email is sent from a Google account. And it has the subject invoice ID, followed by what looks like a genuine invoice number from Amazon. It follows the same syntax, has the same, I guess, regular expression and everything. And the email also contains HTML styling similar to genuine Amazon emails. These are probably just stolen directly from an Amazon email. 

Joe Carrigan: And it includes information on an LG OLED TV and an Xbox game console. So they're talking about the purchase of some pretty expensive equipment. And the email alleges that the person who received the email is the person who purchased it. And it's got a nice price tag down at the bottom that makes you go, oh, I better pay attention to this. 

Joe Carrigan: Near the bottom of the email, the notice says the Amaz0n team, but Amazon is spelled with a zero in place of an O, which is interesting. And Abhishek says that this is a simple but effective technique to slip past any deterministic filters checking for brand impersonation. 

Joe Carrigan: There is a button on the email that says manager order, but this button is actually just an image file. There's no URL behind it - right? - like there is with an Amazon email. And even if there is an Amazon email, you shouldn't be clicking that button anyway. You should be going into Amazon, clicking on my account, manage my orders and do it that way. 

Joe Carrigan: But the real payload in this email is the contact us phone number. So there's a phone number at the bottom of the page that says contact us. So if you get this email and you say, whoa, I didn't order this TV and Xbox. Let me see if I can click on this email to manage the - or this link to manage the order and cancel it. If that doesn't work, I guess I better call Amazon. Oh, look; here's a customer service number. 

Joe Carrigan: You know, Dave, I deal with Amazon frequently, and I have yet to be able to find an Amazon customer service number. 

Dave Bittner: (Laughter) Yeah. Legend has it it exists. But it's kind of like Sasquatch, you know? Like... 

Joe Carrigan: Right. That's right. 

Dave Bittner: If you do see it, it's blurry... 

Joe Carrigan: (Laughter). 

Dave Bittner: And you're not going to be able to convince anyone that you actually did see it. So you might as well just keep it to yourself, you know, because people are going to laugh at you if you say that you found Amazon's phone number. 

Joe Carrigan: I've got trail cams all over my internet trails... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...And I've never caught a picture of the Amazon phone number. But Amazon does actually do a good job. You click contact us, and they will call you, which is great. I actually did this - just this past week this happened to me. So I had to talk to Amazon. And I went through the app, and I said, contact me, and they did. They contacted me. 

Joe Carrigan: Armorblox actually did call this number. And they said they used a disposable Google Voice number, which is sometimes what I do. And a real person answered the call and pretended to be from the Amazon team. And they asked for the order number, the name and the credit card details before cutting the call off and blocking the number. 

Joe Carrigan: So these guys realized that they had caught the attention of a security company and were like, oh. Well, these guys are just going to try to penetrate us. We better stop doing this. They speculate that the full vishing flow may have involved the extrication of other sensitive personal information as well. Like, hey; what is your Amazon login, right? What's your Amazon username and password? - that kind of stuff. What is your credit card number? - those kind of things. 

Joe Carrigan: The second email was sent from a spoofed email ID, no-reply@amzeinfo.com. So it kind of looks like the Amazon domain, but it isn't. 

Dave Bittner: Right. 

Joe Carrigan: And it passes what they call the eye test. And it says, a shipment with goods is being delivered, along with a random order number. So I like the idea - a shipment with goods. I mean, does anybody ever still talk about buying goods, money in exchange for goods and services? 

Dave Bittner: (Laughter) Goods and services? Yeah. I don't know. Yeah. 

Joe Carrigan: (Laughter) Just like the other message, there are no links to click. It's just a phone number. And this time, when they called it, it just rang and rang and rang. And then a few hours later, the number was taken out of service. So this one was gone before they could test it. 

Dave Bittner: Wow. 

Joe Carrigan: But it's no big deal for the attackers. They can just set up a new one. What was interesting about this and what Abhishek notes in this article is that these emails bypassed the Microsoft security. These emails were detected in or picked up in Microsoft 365 - Office 365 accounts - or Microsoft 365, however they're branding it now, you know? They're always changing the brands. But it had a spam confidence level of one, both of them did, which meant the email was determined to not be spam by Office 365 and delivered to the recipients' inboxes. So these guys have crafted an email that just went right by all of the spam filters and put a phone number in front of the user. 

Joe Carrigan: I've heard you say on the CyberWire and on this podcast - we've said this - that spam filters are great, and you should definitely use them. But they are about 90% effective, which means 1 out of every 10 spam messages gets through to the user. So the users still have to be prepared for getting spam messages. They still have to be conscious and thinking about the security of things when they get them. And this doesn't... 

Dave Bittner: Right. 

Joe Carrigan: ...Just apply in your corporation because I don't think these guys are targeting people in a corporate environment. They're probably targeting individuals. That means people like you, me, our moms and dads and aunts and uncles and kids, even, have to be aware of this as a vector of attack. 

Dave Bittner: All right. Well, it's an interesting story. We'll have a link to that in the show notes. 

Dave Bittner: My story has some similar elements, coming at it from a little different direction. This is from the folks over at Palo Alto Networks. This is their Unit 42. That's their threat intelligence team. And they are discussing a clever way that the bad guys are getting people to put a particular piece of malware on their computers. And this malware is called BazarLoader, and it's B-A-Z-A-R loader. 

Joe Carrigan: Now, we've heard of this loader before, right? 

Dave Bittner: Yeah. It's a backdoor, so once it's in your system, basically, that's the ballgame. 

Joe Carrigan: Right. 

Dave Bittner: You know, they have full access to everything on your computer. But this campaign, similar to what you were describing, makes use of a lot of human interactions. And it's quite elaborate. Basically, what happens is you get an email. And the email says that you have signed up for some sort of trial, and your trial is getting ready to expire. For example, the sample that they provide here, it says, this message is just a reminder regarding your current premium. Your premium trial is coming to an end. But the banking card you've mentioned in your existing profile will likely be used to extend your subscription, right? So already, Joe, you know, this is... 

Joe Carrigan: Right. 

Dave Bittner: We've all had these sorts of things where, if you don't cancel, you're automatically going to get signed up for another year. 

Joe Carrigan: Yeah. Now... 

Dave Bittner: Right? 

Joe Carrigan: There is one thing I will say, Dave - is that, yeah, a lot of times, these guys don't send you that warning email. They just start billing you... 

Dave Bittner: Right. 

Joe Carrigan: ...Because when you sign up, you agree, if I don't cancel by the end of the trial period, I allow you to bill me. 

Dave Bittner: Yes. That is true. 

Joe Carrigan: What business guy in their right mind is going to say, well, let's tell the customer about that and remind them that it's time to cancel that subscription? 

Dave Bittner: Well, that's - yeah (laughter), maybe a legitimate business guy... 

Joe Carrigan: Right. 

Dave Bittner: ...Which is what they're trying to convince you that they are. 

Joe Carrigan: Right. 

Dave Bittner: But they are not. 

Joe Carrigan: Right. 

Dave Bittner: They are not. So... 

Joe Carrigan: They're warning you that it's coming. 

Dave Bittner: Right. In fact, there's a sentence here. It says, thank you so much for your personal faith in our service. 

Dave Bittner: OK. So they provide a phone number, a support phone number. Now, what's interesting is the phone number that they provide here - if I can describe how it looks in the email, it's spread out. Like, there's an area code, then the prefix and then the last four digits, and there's a lot of space in between each of those numbers. They point it out here - is that they're using some white-on-white obfuscation here. There are actually characters in those white spaces, but they're the same color as the background. So they appear invisible. 

Joe Carrigan: They're not printable characters. 

Dave Bittner: And that's a way to hide them from the viewer but also hide them from the scanning software that might be looking for an embedded phone number... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Or something like that. 

Joe Carrigan: Absolutely. 

Dave Bittner: It hides it. So if you call that number, you reach a call center. And they have - actually have a transcript of an interaction between the folks and the call center. And they ask you to go to a website. In this case, it's called World Books, and it's worldbooks.us. If you go to the World Books website, a page loads up, and it looks like a legitimate website. It says, download your books directly on your iOS or Android - no USB cable required. So it looks like it's some sort of a book-reading app. The operator then asks you to go to the subscribe button. Look for the unsubscribe button. There's a link at the bottom. It says, do you want to unsubscribe? And you click on that. It asks you to enter your subscription number, which they had put into the email. 

Dave Bittner: So, again, we're having this interaction with this customer service person, right? 

Joe Carrigan: Right. 

Dave Bittner: And we're building rapport, and we're getting more and more comfortable. You know, we're going down what seems to be a normal pathway. There's nothing unreasonable yet. It all looks good. It feels good. It's a little bit of a pain to have to do this in the first place, but you feel like you're making progress. 

Joe Carrigan: Right. 

Dave Bittner: And then at some point when you put in your confirmation number, your subscription number, it asks you to download an Excel file. The person pretending to be the victim in this case asks the operator - says, what is this? Why is it asking me to download an Excel file? And the operator says, that is the confirmation document. That's where you put in your confirmation code. 

Dave Bittner: All right. So you download the document, the Excel file. You try to open the document, and, of course, the operator on the phone is telling you, this is what you need to do to unsubscribe. You try to open the document, and the document says, this document is protected. You have to press enable editing and enable content to preview this document. So what do we do in here, Joe? What are we enabling? 

Joe Carrigan: We're enabling macros, Dave. 

Dave Bittner: Yes. 

Joe Carrigan: And that is code that is behind the scenes here in Microsoft files. There are macros that you can enable. That document displays that information. And when you enable the macros, it may change the information, but you must enable macros in order to view the content. That's just the content of the document. That is what's in there. But there is code behind the scenes that's going to do all kinds of bad stuff, I'll bet. What happens after I do what this guy tells me and enable the macros? 

Dave Bittner: Well, I mean, that is the ballgame. 

Joe Carrigan: Right. 

Dave Bittner: That's when it downloads the BazarLoader backdoor and installs it. And so now your computer belongs to them. 

Joe Carrigan: Right. 

Dave Bittner: But what's interesting is that the operator doesn't just hang up on you, and the operator actually continues. In this case, the operator put the caller on hold for about a minute, came back and said, I've checked with the IT department, and they're saying that your cancellation went through correctly. We're having an issue with our server, so you might not get confirmation right away, but the cancellation went through successfully. So nothing's going to be charged to your account. We're all good here. Thank you very much. Have a good day. 

Dave Bittner: So off you go, thinking that you have dodged a bullet, when instead you have actually thrown your body in front of the bullet. 

Joe Carrigan: (Laughter) Right. You think you're off scot-free when, in fact, you're pwn'd (ph). 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: Right. Absolutely, absolutely. 

Joe Carrigan: Well, that's insidious. 

Dave Bittner: It is. It is. So, I mean, let's talk about, you know, how we could go about preventing this sort of thing. 

Joe Carrigan: Think about this from your perspective. Do you remember signing up for any services? You know, one of the things Brian Krebs talks about is, if you didn't ask for it, don't download it, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Or don't install it or whatever. But did you sign up for a service? Maybe. If you use a credit card to sign up for services online, you can always say this is a fraudulent charge. 

Dave Bittner: Right. 

Joe Carrigan: So that's one way to protect yourself. When you get the call center - you know, actually, instead of calling the number in the email, look up the number online. 

Dave Bittner: Yeah. 

Joe Carrigan: Although I don't know - if they're saying - they could very well establish an entire company that makes it look like you've purchased something from them, right? They could fake all this, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And even if you then Google the fake company, you're still getting connected to this call center. Of course, the other thing is you've downloaded something from the internet; you really don't know what it is, don't enable macros on it. No matter how much they insist upon that, that is a big red flag. 

Dave Bittner: Yeah. Downloading any file (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...And being asked to execute it to unsubscribe from something - that's certainly not necessary. 

Joe Carrigan: But I can absolutely see where somebody would believe it is. This is terrible because once the person picks up the phone and calls, I'll bet this has a very high success rate. 

Dave Bittner: I would imagine so. So the folks at Unit 42 go into some of the other technical details here. It's an interesting one, definitely worth checking out. The transcript between the fake customer service person and the caller is quite interesting. So it's a good one to check out and share because I think what's interesting here, also, is how much these bad actors are investing in infrastructure like call centers... 

Joe Carrigan: Right. 

Dave Bittner: ...To make these things work, right? I mean, that's an expense. 

Joe Carrigan: I should note, Dave, that I did look at this article. And when you enable macros, the file does change and present different content. 

Dave Bittner: OK. 

Joe Carrigan: So it looks even more plausible. 

Dave Bittner: I see. We'll have a link to that in our show notes, of course. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Scott, who writes, I didn't respond to this one, but I don't remember this particular scam being shared on "Hacking Humans." And this actual scam was sent to Scott via fax. Dave, do you have a fax machine? 

Dave Bittner: (Laughter) No, I left my fax machine in 1985. 

Joe Carrigan: I thought this was astounding. This is a phishing fax (laughter) that Scott received. Dave, why don't you read it? 

Dave Bittner: (Reading) Dear Scott Schabel (ph), my name is Edward Williams. I'm a partner at Williams LLP Canada. Apologies if my letter came to you as a surprise, since there's been no previous correspondence between us. There is an unclaimed, permanent life insurance policy held by our deceased client. The transaction pertains to an unclaimed transfer-on-death savings monetary deposit in the sum of $11,030,900 United States dollars. The policyholder was one of our clients, the late Dr. Amos Schabel, who was an investor and previous stone dealer. He died in an auto crash over nine years ago. Since his death, no one has come forward for the claim, and all of our efforts to locate his relatives have proved unsuccessful. 

Dave Bittner: (Reading) The insurance company code stipulates that insured permanent policies not claimed must be turned over to the abandoned property division of the state after 10 years. Therefore, I ask for your consent to be in partnership with me for the claim of this policy benefit. In view of the fact that you share the same last name and nationality with the deceased, if you permit me to add your name to the policy, all proceeds will be processed on your behalf. I wish to point out that I want 10% of this money to be shared among charity organizations, while the remaining 90% will be shared between us. 

Joe Carrigan: Yay. 

Dave Bittner: (Reading) This is 100% risk-free. I do have all necessary documentation to expedite the process in a highly professional and confidential manner. I will provide all the relevant documents to substantiate your claim as the beneficiary. This claim requires a high level of confidentiality, and it may take up to 30 business days from the date of receipt of your consent. Kindly provide a reachable contact number for faster communication. Your earliest response to this matter would be highly appreciated. Edward Williams, principal partner. 

Joe Carrigan: (Laughter) So this is a typical insurance scam or beneficiary scam. If Scott were to reply to this, he'd be getting phone calls from these people, and they'd be trying to convince him to pay some fees or something, and that's where the goal is here. 

Dave Bittner: Right. 

Joe Carrigan: But I find it interesting that it comes via fax and that they have tailored this for Scott. They know his fax number, and they address it to him, and they have tailored the alleged deceased's name, the fictitious - there is nobody that has died... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...To have the same last name. Very clever. Very clever. I'm glad Scott didn't fall for this. I hope none of our listeners would fall for this. They would just either crumple it up and throw it in the trash or do as Scott did and send it to us, where we could read it on the air. 

Dave Bittner: (Laughter) I wonder how many people still have active fax machines running. 

Joe Carrigan: That's a great question. 

Dave Bittner: Like, you know, a dedicated fax line? I mean, I could see still having fax capabilities and being like, OK, you're sending me a fax. All right, let me turn on my fax machine, and I'm ready for it. 

Dave Bittner: But like - you know what's funny? I just saw this past week that - I want to say it was, like, the Department of Defense is retiring their secure fax capabilities. They had some sort of encrypted fax system, you know, that they've been using for decades... 

Joe Carrigan: Right. 

Dave Bittner: ...And they finally decided to pull the plug on it, that they're going to some sort of better encrypted, you know, electronic system of communication. And I say it's about time (laughter). 

Joe Carrigan: Right. Actually, you know, there's - fax is actually pretty good. And if you've got good encryption on the fax, it's fine. But I think it's just really slow and tedious. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, there are much better ways to communicate information in a - particularly in a secure manner with the Department of Defense or anybody that needs to do that. No need to do this anymore. 

Dave Bittner: Yeah. They were miraculous when they were new, right (laughter)? 

Joe Carrigan: Right, yeah. Yeah, that was amazing. Now it's, oh, you got to send me a (groaning) - nobody likes this anymore. 

Dave Bittner: Right. Are you kidding me? 

Joe Carrigan: Right. 

Dave Bittner: Like, what? OK. Let me figure out how to do that. 

Dave Bittner: Well, thanks to our listener, Scott, for sending that in to us. We would love to hear from you. You can send Catch of the Day to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He's from a company called Tessian. And our conversation centered on this whole notion of oversharing on social media and how that can help open the door for hackers. Here's my conversation with Tim Sadler. 

Dave Bittner: So today we're talking about the report that you all recently put out. This is "How to Hack a Human." And I have to say you win the prize for the most suitable report to be covered on our "Hacking Humans" podcast. So congratulations for that (laughter). 

Tim Sadler: Thank you. 

Dave Bittner: Well, I mean, let's dig in. Let's start with some high-level stuff here. I mean, what prompted the creation of this report? 

Tim Sadler: I think it's the simple fact that, actually, attacks on companies and organizations are far more basic than most people think. They're far more fundamental. I'm thinking of the people in my life that I speak with - you know, my parents, maybe - who don't even think about cybersecurity, but they think they know what hacking is. And they're often surprised when I tell them that people today are hacking people versus hacking technology to get into companies. And a lot of these breaches that we read about are actually because an attacker hacked a human rather than hacking a piece of technology. 

Tim Sadler: So we really wanted to just try and create something and do a piece of research around the problem of hacking humans and bringing this story and creating awareness around this risk to as many people as possible. 

Dave Bittner: Well, let's go through the report together. What are some of the things that stand out to you? 

Tim Sadler: I think there are really three things that we covered in the report. 

Tim Sadler: There was this concept of social media overload, so just how much people actually share on social media every week. So 84% of people post on social media every week. Two-fifths - about 42% - post every day. And these people are sharing a lot of information online about things like hobbies, interests, relationships, locations, et cetera. Half share the names and pictures of their children. And almost three-quarters - about 72% - mention birthday celebrations. And the reason why those things are problematic is because a lot of people also use those kinds of pieces of personal information in things like secrets, so things like their password or their password recovery information. 

Tim Sadler: The second core finding from the report was about out-of-office responses and 93% of people enabling out-of-office responses when they're on vacation and in that out-of-office response actually giving at least one personal detail. Now, out-of-office responses are necessary. I set an out-of-office, and they are an important part of actually managing things when you are out of the office. 

Tim Sadler: But what some people don't realize is that, actually, those out-of-office responses can also be used to aid attackers in terms of understanding whether somebody is at work or away from work. And if you're putting in information for that out-of-office message - for example, who to contact or telephone details or, you know, if this is regarding a financial inquiry, contact this person - all of those things can be used, again, to hack humans. 

Tim Sadler: And then the final thing in the report to call out is the need for cybersecurity awareness. So while at work, only about half of people pay attention to their sender's email address. And less than half - so about 44% - check the legitimacy of links and attachments before responding or taking action. And this is, again, really, really important and pretty concerning because 88% of the respondents that we surveyed received a suspicious email in 2020. 

Tim Sadler: So it was really those three things - social media overload, out-of-office responses and then also the need for cybersecurity awareness - that we covered in that report. 

Dave Bittner: How much of the issue with social media is dialing in who you share things with in addition to the things that you share? I mean, I guess where I'm coming from is, you know, a big part of what makes social media fun is being able to wish someone a happy birthday or share photos of your kids, you know, at school or events or things like that. How much of this is a matter of not making those things available to the general public? 

Tim Sadler: I think a lot of it is that. So I think it's just being very mindful and aware of the settings and controls you have on your social media accounts. If you are sharing all of your social media accounts and the information you put out there publicly, that is not good. And if you are sharing it with everybody - for example, if you have a Twitter account and, you know, everybody with a Twitter account can see what you're posting - then you just need to be conscious of that, and you need to adjust the information that you're sharing. 

Tim Sadler: The second thing, though - and I think this is, you know, the fundamental point - is, anything that is used for access or passwords, you really need to make sure that you're not basing those secret pieces of information on things that attackers can find out about you easily on the internet. So this is pretty easy when it comes to passwords. Just use a strong, indecipherable, ideally generated via a password manager password. And then, you know, you significantly limit that risk. 

Tim Sadler: It can be a little bit more difficult when you're using services that have some kind of password recovery and, you know, things like the name of your pet or the name of your child might be a recovery phrase, in which case you can't always control what the recovery question is. So you do actually just need to be conscious then of who you are sharing the information with. But, of course, we understand, yeah, absolutely. Everyone uses social media. It's an important part of our lives. And we're not saying don't share any information on these platforms. It's just about being aware of these risks and managing things accordingly. 

Dave Bittner: There's an interesting section of the report where you describe the information that is on a boarding pass, for example. And I think a lot of people, when they're traveling, it's sort of a fun thing to post a picture of your boarding pass. Here we go. We're off on holiday, you know? But there's a lot of information in there. 

Tim Sadler: There is, completely. And, again, it's one of those things that we now do. We document our lives. We take so many photographs. And we want to share that with our friends. We want to share it with the world. There is a lot of personally identifiable information about us on these kinds of documents. So it could be a picture of your boarding pass or, as crazy as it sounds, it could be a picture of your passport. 

Tim Sadler: I remember seeing something a year back where somebody was tweeting at their bank to help them with a support query they had, and they sent a picture of their bank card in a tweet to the bank to say, hey, can you assist me? 

Dave Bittner: Oh, my. 

Tim Sadler: So it is pretty crazy. And as obvious as these things may seem to some people, I think we just sometimes get lost in how - yeah, in how much we share and, you know, we share freely. 

Dave Bittner: Well, what are some of the tips that you have then for folks to strike that good balance between still being able to enjoy the things they want to do online, but having, you know, good security practices? What sort of things do you recommend? 

Tim Sadler: It really comes back to advice that I find myself giving to everybody that I know - family members, friends - whenever asked about security. I think two things we can all do just to limit this kind of information being leveraged to hack us as humans is to use a password manager and to use strong passwords and not use the same password for the same services. 

Tim Sadler: And the second thing is to enable two-factor authentication of some kind on as many of the accounts that we use as possible. So if they have two-factor authentication available, use it. And what this means - again, this isn't foolproof, and this doesn't mean that you're then immune to being hacked. But it makes it significantly harder for hackers to - through an understanding of your profile online, it makes it much harder for people to then try and get into your accounts and compromise those systems. 

Tim Sadler: The second thing then is, I think it's about being aware of the security controls and privacy controls you have on your social media accounts. So just always worth going into the settings page and just understanding, what are you actually sharing, and with who? So it's really easy to do this in LinkedIn and in Twitter, in Instagram, so on and so forth. You can actually implement privacy controls. So, you know, maybe you actually limit who can see the posts that you're putting out. 

Tim Sadler: And then the final thing I would say is, I think it's just really important to have a general awareness that there are people out there that are scraping social media profiles on the internet to try and build up an understanding and a picture of people's personal lives in order to try and launch attacks where they are trying to guess passwords or they're trying to force password reset, et cetera, through these things. They may seem to you like only you would know them, but, again, we are now sharing them with the world. 

Tim Sadler: And then maybe just the final thing I would say is an awareness that by gaining access to this kind of information, hackers may not have to compromise your account directly, but they can use knowledge of your life and of you as a person to create very targeted, very convincing phishing emails or phishing SMS that may then trick you into accessing a website that then forces you to give over credentials that then can be used to compromise your account. So I would encourage people to be aware of those final two things and then also just to implement safe practice when it comes to social media accounts that you have - using strong passwords, not reusing passwords and then also enabling two-factor authentication. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: Well, I agree with you, Dave. That is a great name for a report. 

Joe Carrigan: Oversharing is a big problem, particularly on social media. And I love this vector of out-of-office responses. And Tim makes an excellent point that if you're in accounts payable - right? - and you say, I'm out of the office right now. If you need assistance with a bill, please contact - I don't know - Tracy (ph) - let's say Tracy in accounts payable as well. 

Dave Bittner: Right. 

Joe Carrigan: And that person goes, oh, wow. Look; I'm an attacker, and I just emailed this person because I saw on Facebook that they were out of the office. And look; they gave me the information. Now I can send an email to Tracy and say I was working with the person that sent me this thing. And that lends instant credibility to the attack... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Which is what a lot of this is talking about - is the ability for the attacker to have instant credibility based on the information that they've collected. 

Joe Carrigan: I find it disheartening that less than half the people who receive an email check the legitimacy of the link. We've been standing on the mountain tops for years screaming about this, and... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It seems like nobody's listening, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: Security settings can make it much more safe to share things on social media, but the problem with this is that's not the default. By default, when you sign up for a Facebook account, everything is public. Same with Twitter. It's all public with everybody. 

Dave Bittner: Right, right. 

Joe Carrigan: You have to proactively go in and make these changes. I've done that. I don't let anybody except my friends on Facebook see my posts. Twitter, however, is different. I have a different use case for that. I want everybody to see my posts on Twitter, and I don't put things on Twitter like, hey, I'm going to be out of town this week. I just don't do that. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: I don't even do that on Facebook, mainly because I don't trust my friends, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I run with a seedy... 

Dave Bittner: Right. 

Joe Carrigan: ...Crowd. So take some time, go through Facebook and lock that thing down. You know, when I see friend recommendations come up on Facebook, often I click on them. And one of the things I subconsciously do is, let's see how much I can look - I can - how much information I can get about this person. And about 50% of the time, they have their accounts locked down. And I'm like, all right, good. But the other 50% of the time, they're just wide open. Everything's out there. 

Joe Carrigan: One of the things that Tim said is absolutely true. Passwords that are easy to remember are easy to guess. So use a password manager and use cryptic passwords. On those knowledge-based authentication questions for password resets, lie - lie, lie, lie. 

Dave Bittner: (Laughter). 

Joe Carrigan: Make something up... 

Dave Bittner: Right, right. 

Joe Carrigan: ...And make a note of it in your password manager if your password manager has notes. That is what I do every single time. I don't even have the same security answers. Like, what's your birthday? I just enter what I think is a random date or something, you know, something that has no significance to me, and I put that in there. What was your favorite pet's name? I put in, like, Mordock (ph) the Destroyer or something. I don't know. I make something up, right? 

Dave Bittner: (Laughter) Right, right, right. 

Joe Carrigan: And I make a note of it in my password manager so if I ever need to recover my password, I can do that because I have that information. But that information is then encrypted and protected with multifactor authentication. So it's pretty good. 

Dave Bittner: Yeah. 

Joe Carrigan: One thing Tim says that I find kind of disturbing is that people post their boarding passes on social media. I don't get this. Never post your boarding pass on social media, not only for the PII reason, but for the operational security reason that people know you're not at home, and that leaves your home vulnerable, I think. One of the things I've often considered doing but I've never actually done is, like, taking some pictures around the house of my dogs or something and then putting it on Facebook while I'm away, right? Look how good my dogs are being today. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: But my concern with that is that - one of my friends posting, hey, are you back home? I thought you were out of town (laughter). 

Dave Bittner: Right. Well, and people can't resist posting pictures of their vacations as well, which I think is natural. But it does kind of - I suppose if it were a concern, it does also say, hey, come rob us (laughter). 

Joe Carrigan: Right. Yeah, exactly. Exactly. And my wife and I have discussed this, and we've adopted the policy of posting those vacation pics when we get home. 

Dave Bittner: Oh, OK. 

Joe Carrigan: I think it's just good operational security. I like all the stuff that Tim says at the end of the interview - great, great points, great tips. Be mindful of what you're sharing and with whom. Check those settings on your Facebook and your Twitter page and make sure that you're cognizant of who can see them. And if you're not cognizant of who can see them, just think that everybody can see them. Security awareness is big. It's very important for everybody. 

Joe Carrigan: I like how Tim starts this interview, and he starts off saying, you know, these guys aren't attacking your computer; they're attacking you. That's what you need to prepare for. They're not going to try to penetrate your network by using zero days and all that. They're going to talk to you, and they're going to ask you to do things for them. That's how this works. Password hygiene - use good password hygiene and use a password manager to help you implement that. And multifactor authentication, multifactor authentication, multifactor authentication - over and over and over again... 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: ...That's what I say. If you're going to do one thing, do that. 

Dave Bittner: Yeah. All right. Well, our thanks to Tim Sadler for joining us. We do appreciate him taking the time and sharing his expertise. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.