Bad password hygiene jeopardizes streaming services.
Matthew Gracey-McMinn: Part of the problem is that bad password hygiene, sort of that reuse of credentials, is bad, and it's something that's - individually, I think we should be taking steps to try and make sure we're not doing.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We got some good stories to share this week and, later in the show, Matthew Gracey-McMinn. He's from Netacea, and we're talking about security issues with streaming services, so stick around for that.
Dave Bittner: All right, Joe. Before we jump into our stories here, we've got a little quick follow-up here. You want to bring us up to date on that?
Joe Carrigan: Yeah, I do, Dave. Back in Episode 151, we had a story that Jason sent in about some scammers trying to get Liz to send a bracelet, if our listeners go back and listen to that. And Jason...
Dave Bittner: Yeah.
Joe Carrigan: ...Wrote us with a little bit of follow-up on that. And he says, (reading) guys, thanks for covering this. I wanted to share my thoughts since I didn't in the first email and give a brief follow-up to the story as well.
Joe Carrigan: He says, (reading) this kind of reminds me of the Craigslist scams of the early 2000s and 2010s. Back then, scammers didn't use PayPal, but they would send fake cashier's checks to the victims. The victim would then send the scammer the goods. The check would then come back as fake, and the victim would be out the money, out any other fees and the goods. I feel like this scam is an evolution of that - which is probably a good observation. It probably is.
Joe Carrigan: Here's a follow-up to Liz's story. Either the same guy or a couple of other guys tried this again with Liz after she reposted the bracelet. Liz caught on very quickly this time, which is interesting because she's been exposed to it, right? So now she's kind of been inoculated, so she knows...
Dave Bittner: Right, right.
Joe Carrigan: ...That this is a scam. You caught on quickly this time and the second and third times and ended the conversations very quickly. She unlisted the bracelet since then. So I don't know how she's going to sell the...
Dave Bittner: OK.
Joe Carrigan: ...Bracelet or if she's going to sell the bracelet. But the good news is she's not going to get scammed out of it. But these guys...
Dave Bittner: Yeah.
Joe Carrigan: ...Are not just going to give up, either. That's the bad news.
Dave Bittner: No. And it seems pretty consistent and relentless.
Joe Carrigan: Right.
Dave Bittner: On a lot of these social media platforms, there are folks just waiting there. I've seen things. It doesn't matter what people put up for sale. Someone makes an offer on it.
Joe Carrigan: Right.
Dave Bittner: All right. Well, again, thank you, Jason, for sending that in to us. We appreciate it.
Dave Bittner: Joe, let's move on to our stories this week. Why don't you start things off for us?
Joe Carrigan: My story comes from The Conversation, and it's written by Priyanka Ranade and two other professors at UMBC. And she is a Ph.D. student in computer science and electrical engineering at UMBC. And she has an interesting article in here that is titled "Study Shows AI-Generated Fake Reports Can Fool Experts" (ph).
Joe Carrigan: And she starts off talking about the misinformation and having AI that generates fake news articles, but she has these things called transformers. These are AI constructs. These are natural language processing, which is a field within artificial intelligence, devices that will take in some simple input and then generate something that looks like real language or a real news article. And she found out that she could configure these things to produce fake information that could fool cybersecurity experts and medical experts. She tried to target this information towards two different fields of people. Here's an example of some of the text that this thing generated. Are you ready?
Dave Bittner: Sure.
Joe Carrigan: (Reading) APT33 is exploring physically disruptive cyberattacks on critical infrastructure. Attackers have injected a variety of vulnerabilities in web-based airline management interface. Once successful, attackers are able to intercept and extract sensitive data as well as gain unauthorized access to the CMS utility.
Joe Carrigan: That sounds like a real vulnerability report.
Dave Bittner: (Laughter) Yes, it does. It's kind of like - I don't know - "Star Trek: The Next Generation" technobabble, but that sounds like a security report (laughter).
Joe Carrigan: Right. And here's the thing. The security experts she tested were not able to tell the difference between this and a legitimate report. They would have spent time chasing this down. Here's one that targeted COVID research.
Joe Carrigan: (Reading) Systemic and local side effects after BNT162b2 and ChAdOx1 n-COVID-19 vaccinations occur within 24 hours of receiving the second dose of both vaccines. Side effects include fever, headache, chest pain, abdominal pain after first dose. The second dose restores normal tissue oxygenation levels but may be accompanied by dizziness, hypoxia and dyspnea. The results of this analysis are in a population-based cohort, where we systematically collected blood samples and followed the process of mRNA importation, erythrocyte exchange and host cell release post-vaccine.
Joe Carrigan: So, I mean, I'm not a doctor, Dave. I don't...
Dave Bittner: (Laughter).
Joe Carrigan: This may or may not...
Dave Bittner: And thank goodness for that (laughter).
Joe Carrigan: Right. Yeah, exactly. That would be terrible. But apparently, medical experts could not determine whether this was a fake story or not.
Joe Carrigan: She goes on to talk about how, you know, ultimately, the biggest issue is we're going to have to be vigilant about where our information comes from. We're going to have to have vetting our sources of this information. I've talked about this for news that people consume, but now we're talking about threat feeds and medical journals and things like that. We're really going to have to vet these sources. We're going to have to have these trusted sources. We're not going to be able to just listen to whatever shows up on the internet. Those days are - well, those days have been long gone for a while now, but this just demonstrates exactly how vulnerable we are.
Dave Bittner: Yeah. I remember something similar to this in the past few years where someone was able to get some sort of security report into a peer-reviewed journal and published even though it was word salad.
Joe Carrigan: Right.
Dave Bittner: And it sounds like this is sort of an automated way of doing that.
Joe Carrigan: Yeah. I'll have to look that up. That was within the past two years or something. Somebody put out an AI-generated article that was just complete bunk, and it made it into one of these journals.
Dave Bittner: It's a good lesson, though. For that to happen, there has to be failures along the way of the vetting of the story. So whatever peer review...
Joe Carrigan: Right, the process.
Dave Bittner: ...Was going on was - right. So hopefully, that caused them to review their review process.
Joe Carrigan: Yeah. I would hope so.
Dave Bittner: But I wonder what this means, I mean, for the big picture. For me, you know, everything's provisional, right (laughter)?
Joe Carrigan: Right. Absolutely.
Dave Bittner: So you come to every story with a bit of healthy skepticism. But then, as you say, you have to have trusted sources. And nobody's perfect, but those trusted sources - you should be able to feel as though they're doing the work behind the scenes to not just be parroting whatever information is being fed to them, that there's some fact-checking going on behind the scenes.
Joe Carrigan: Yes. Now, there are some issues out there, like recently, there was an article published in some journal. I can't remember what it was, but it was - and, once again, I'm going just from my memory. But the gist of the article was there was life on Mars. These people found fungus on Mars. I saw that. I said, wow, this is great. Let me look into this. Well, it turns out, probably not, right?
Dave Bittner: (Laughter).
Joe Carrigan: But, you know, the person that publishes it has a history of publishing these kind of things. The journal in which he published it was one of these journals that you essentially pay to have your article published, which is a bad model, right?
Dave Bittner: Yeah. Publishing mill.
Joe Carrigan: Yeah. It goes out and publishes papers. And one of the big problems in the academic world is you have to publish every so often - right? - with some frequency.
Dave Bittner: Publish or perish.
Joe Carrigan: Right. Publish or perish, exactly. And if that means that you're going to take these kind of risks to produce this kind of stuff, I mean, that's an issue. That's a big issue in the field.
Dave Bittner: Yeah. We'll have a link to that in the show notes.
Dave Bittner: My story this week comes from the folks at BleepingComputer. It's a story written by Lawrence Abrams. And let me set this up for you, Joe. So let's say that you are a person who holds on to some cryptocurrency, right?
Joe Carrigan: Let's say that I am, Dave.
(LAUGHTER)
Dave Bittner: And you want to be safe with this cryptocurrency.
Joe Carrigan: Absolutely.
Dave Bittner: So you keep your cryptocurrency in an offline hardware wallet.
Joe Carrigan: Right.
Dave Bittner: Now, can you describe to our listeners what that is? What is a hardware wallet?
Joe Carrigan: So a hardware wallet is actually a piece of hardware. It can look just like a USB stick. And all it does is hold the keys in private so that your wallet is not accessible unless it's online, unless it's plugged in.
Dave Bittner: Right. So I guess the notion is rather than having your keys to your cryptocurrency stored on your computer...
Joe Carrigan: Right.
Dave Bittner: ...Which is a vulnerable place because your computer, most of the time, is always hosed up to the internet and, therefore, a target for...
Joe Carrigan: Correct.
Dave Bittner: ...Hackers, if you put them on this wallet, which is not always plugged into your system, sitting in your desk drawer, you know...
Joe Carrigan: Yes.
Dave Bittner: ...Not connected to anything, then that's a safer place to have your keys. That's the notion behind this, yes?
Joe Carrigan: That's right. It's a offline key management system, essentially.
Dave Bittner: Right. Now, do the hardware wallets - do they generally have their own sort of password system on them as well so if you were to lose it, someone wouldn't be able to just plug in and access your keys?
Joe Carrigan: I don't know how they work. I actually don't use a hardware wallet. I've never...
Dave Bittner: OK.
Joe Carrigan: ...Actually done this, so I can't answer that question yet.
Dave Bittner: OK. Well, there is a popular hardware wallet, and it's made by a company called Ledger, and it looks just like a USB key. So the folks who run Ledger were the victims of a hack. And some folks got into their marketing systems, and they were able to get basically a customer list, right? So they were able to get a list of people who use these hardware keys.
Dave Bittner: What happened next was some of the folks who use these hardware keys received replacement keys in the mail, along with a letter allegedly from the folks at Ledger - a nice letter from the CEO - again, allegedly - saying that you may have noticed, you may have seen in the news that we were the victim of this hack. And in response to that, we are sending you this free replacement unit, which is more secure than the one you had. In order to stay safe, we're going to ask you to use this unit instead of the one that you had before. And it comes in a nice shrink-wrapped box. Everything looks great. Logo - it's all - it all looks legit. It looks like a real Ledger hardware wallet. Well, Joe, you probably know where we're going with this.
Joe Carrigan: Yeah, I know exactly where this is going. This is not a real Ledger device, right? Can I just guess?
Dave Bittner: It is not a real - yes. That is correct.
Joe Carrigan: OK.
Dave Bittner: It is not a real Ledger device.
Joe Carrigan: It just takes the keys and uploads them to some third party.
Dave Bittner: Well, it's a little - it's actually a little sloppier than that.
Joe Carrigan: Really?
Dave Bittner: Looks like what these folks did was they took a real Ledger device, they opened it up, and inside, they put a USB flash drive.
Joe Carrigan: OK.
Dave Bittner: And they wired the flash drive in parallel to the USB connection of the actual Ledger.
Joe Carrigan: OK - because that's one of the features of USB is you can plug multiple devices in, right?
Dave Bittner: Right. Right.
Joe Carrigan: Through the same bus - so essentially, what they've done is they've made it so that now you get your Ledger drive, and you get a mounted - like, a thumb drive.
Dave Bittner: Exactly, exactly.
Joe Carrigan: OK.
Dave Bittner: So you get this Ledger drive, this replacement Ledger drive that you think came from Ledger. You plug it into your system and it functions like a real Ledger drive, but also along with it is this USB flash drive which contains - wait for it - malware (laughter).
Joe Carrigan: Malware - right. Who'd have guessed?
Dave Bittner: Right. Right. And so this malware then, you know, scoops up all of your information, gets everything off of your Ledger drive and your passwords and all those sorts of things and sends it back to the bad guys.
Joe Carrigan: OK.
Dave Bittner: The folks here over at BleepingComputer, in this article, they have some photos where they've taken this device apart. And you can see how they put this flash drive inside. They comment that - kind of a shoddy job here. It was done quickly and messily. But from the outside, it looks just like a regular Ledger drive. There's no way to know that this is what's inside of there.
Joe Carrigan: Right.
Dave Bittner: So it's kind of fascinating because there aren't very many giveaways. Now, to be fair, the letter that they sent had some of the typical bad grammar that we see so often with these sorts of things.
Joe Carrigan: Now, see, that's interesting, Dave, because these guys have gone through a lot of effort.
Dave Bittner: Yeah.
Joe Carrigan: A lot of effort to do this - and they didn't take the step to have a native English speaker proofread the letter for maybe 20 bucks.
Dave Bittner: Yeah. Yeah (unintelligible).
Joe Carrigan: You can get those on hacker forums. You can get those services. And they didn't do that.
Dave Bittner: It is kind of mind-boggling because, as you say...
Joe Carrigan: Right.
Dave Bittner: ...This is an expensive attempt here.
Joe Carrigan: Right.
Dave Bittner: They bought the actual device. They're shipping it out. They're - all sorts of effort.
Joe Carrigan: They've modified each individual device - right? - that they've shipped out.
Dave Bittner: Right.
Joe Carrigan: They've gone through the list. They're looking for the high-value targets, right? How many of these are they going to send out - a hundred of them? Proofread the - I'm not trying to give these bad guys any advice, right?
Dave Bittner: (Laughter).
Joe Carrigan: You know what? Don't do that. Your translation software is just fine.
Dave Bittner: Yeah, it's good. Full speed ahead. Yeah.
Joe Carrigan: Right.
Dave Bittner: So the folks at Ledger have put a notice on their website, of course, warning their customers to look out for this sort of thing. I guess the broader advice here is never plug anything into your computer that you didn't specifically order, right?
Joe Carrigan: Right. Right.
Dave Bittner: Even if it's a brand that you are already doing business with and especially something that is this valuable, that has to do with your own valuables.
Joe Carrigan: Right.
Dave Bittner: Boy, before you plug in something like this, at the very least, reach out to them and say, hey, did you actually send me this?
Joe Carrigan: I can absolutely see how this works, Dave. If I'm a user of Ledger products and I follow the news and I see that they were breached and I receive this in the mail, this all makes sense.
Dave Bittner: Yeah, it does. It absolutely adds up. Yeah, it seems legit.
Joe Carrigan: Yep.
Dave Bittner: Yeah. Regrettably, hats off to the folks who...
Joe Carrigan: Right.
Dave Bittner: ...Tried to pull this off because it's an impressive scam, but it's one you got to look out for. All right. Well, we will have a link to that in the show notes.
Dave Bittner: Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener we'll call R. Now, R sent us a story more than a Catch of the Day, so we won't really have a letter here. But this is about a phone call they received. They received a vishing scam, and they attached a screenshot of how it came up on their caller ID. And it's just a V followed by a long string of numbers. And then below that, there's an 877 number to call back.
Joe Carrigan: And R says that it was odd, but it got my attention. I answered and was greeted by an automated voice system saying it was, quote, "Sydney from AT&T DIRECTV" and that they were offering 50% off to existing customers. Putting aside the fact that I am not a customer of DIRECTV and the fact that real DIRECTV would do this, doesn't seem very realistic. But, yeah, why would any cable company or streaming provider call up existing customers and offer them 50% off? That's just silly.
Dave Bittner: No. No. The only thing they do is usually - it's always bad news, and it shows up as a surprise on your bill.
Joe Carrigan: Right. Right. Yeah, your bill just goes up. It never goes down.
Dave Bittner: Congratulations, we're charging you more for your bundle.
Joe Carrigan: Yes (laughter). So R is right about that. It's very suspicious. R says, I was interested. The automated system then proceeded to ask for my account PIN. I made up a random sequence of four numbers. And no surprise, but they accepted them. Throw in 60 to 90 seconds of hold time. The system came back and asked what I was paying. This is the automated system doing this. About 60 bucks, I said. The system replied, I see you're paying 60 bucks a month.
(LAUGHTER)
Joe Carrigan: We can reduce that to 30 bucks for two years, and it's contract free. So after saying that I was interested, another short hold - both times complete with realistic hold music and regular interruptions announcing my estimated wait times. This time, I got a person who told me that all I have to do is prepay for 10 months of service to get this deal - so $300 in my case.
Joe Carrigan: At this point, R says, I figured out what I wanted to know, which was what the scam was. So R was curious about this and wanted to figure this out, then says, oh, so that's the scam. And the person quickly terminates the call.
Dave Bittner: (Laughter) Right. Right.
Joe Carrigan: So interesting work here, R. That's really cool. I'm kind of feeling left out, Dave. I don't get a lot of these calls. And obviously, they're just looking to get the 300 bucks out of you or 10 times whatever you say. They're just going to try to charge your credit card, and you're supposed to be happy about it.
Dave Bittner: Right.
Joe Carrigan: And then your bill from DIRECTV comes and it hasn't gone down, and you still owe DIRECTV whatever you owe them, right?
Dave Bittner: Yeah. Yeah.
Joe Carrigan: It's just these guys have made off with your 300 bucks.
Dave Bittner: It's interesting to me that the whole front end of the call is automated.
Joe Carrigan: That is...
Dave Bittner: And I don't know if they're using some kind of voice recognition system or something like that, but they're doing a lot of automated filtering before they hand you off to the real live person.
Joe Carrigan: Right. That's fascinating.
Dave Bittner: Yeah. All right. Well, thanks to our listener, R...
Dave Bittner: Does he freelance as a pirate? Arrr (ph).
Joe Carrigan: Right.
(LAUGHTER)
Dave Bittner: ...For sending that in to us. We would love to hear from you. You can send in your Catch of the Day to hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Matthew Gracey-McMinn. He's from a company called Netacea. And we are talking about security issues with streaming services. Here's my conversation with Matthew Gracey-McMinn.
Matthew Gracey-McMinn: I think probably the best place to start is understanding what's happening with streaming services at the moment. And if you're anything like me, you're probably getting increasingly annoyed by the increasing number of monthly payments I'm having to make in order to watch all the TV shows I'm interested in, you know? There seems to be a growing plethora of streaming services.
Dave Bittner: (Laughter) Yeah.
Matthew Gracey-McMinn: Almost every week something new comes out. It's - even local theaters and so forth have started their own streaming services now over here. So it's starting to get quite expansive. There's a lot of different streaming services out there, all of them with sort of monthly fees, and that sort of means that there's more and more accounts. People are creating accounts on more and more different streaming services, you know?
Matthew Gracey-McMinn: Originally, you know, I just had Netflix. Now I've got, like, Netflix, Amazon Prime, Disney+. You know, it's growing. There's Paramount+ out now, things like Marquee TV. I'm sure if I looked online, I'd find dozens that I've never even heard of before.
Dave Bittner: Right.
Matthew Gracey-McMinn: Others I probably would have heard of as well. So we're seeing more and more, and there's been more and more interest in them particularly over the last year with sort of lockdowns occurring all over the world, people being stuck at home with not a huge amount else to do. So certainly, there's a lot more people buying these accounts.
Matthew Gracey-McMinn: There's been a significant growth in the amount of people using these services, more and more of these services. More people now have more of them because they've watched everything on - I think I've watched everything on Netflix. That's probably a bad thing to say. It's only been a year, and there's certainly a lot on there.
(LAUGHTER)
Matthew Gracey-McMinn: But so - I probably should use my time more constructively, shouldn't I? But there we are.
Dave Bittner: Shouldn't we all. Shouldn't we all, yes.
Matthew Gracey-McMinn: So, yeah, we've got more and more of these streaming services. And these accounts have value. As - let's say I was a criminal, and I was able to take over some of these accounts. I could sell them on, give them away in order to build sort of a reputation on hacking forums to build up some sort of kudos and so forth that would allow me to sort of have more of a reputation, a better reputation, amongst these sort of hacker communities.
Matthew Gracey-McMinn: But I could also sell them on there. These accounts have value. They have worth. People will pay money for them. People have decided that don't want to pay the $7.99 for a Netflix account, whatever it is in whatever country you're in, and they've decided, oh, what happens if I just buy one straight out for $2? And then on that account, it's perpetuity - sort of thing.
Matthew Gracey-McMinn: So there's a lot of interest in taking over these accounts. And obviously, as we've had more and more people move online, more and more shops have gone online over the last year, many of them smaller shops that previously didn't have much of an online presence - generally speaking, we were seeing a shift towards e-commerce and things away from sort of - what we call in Britain sort of traditional high-street shopping. You know, people were moving to buying things online rather than going to their local shops - sort of thing.
Matthew Gracey-McMinn: And as we've seen that, we sort of see more and more data breaches. Smaller companies are coming online. They perhaps can't invest as much in security. They perhaps don't have the sort of technical knowledge needed to protect themselves so well, and so they have data breaches. Username and password credentials gets dumped online.
Matthew Gracey-McMinn: And these lists - these combo lists, you can find them all over the hacking forums, on the open web, on the dark web there. They're not really very secretive. You can find people listing accounts they have - sort of username and credential parings on Twitter even. I was about to say it's an open secret. It's not even a secret. People are very open about this. So we've got this sort of data that's being dumped out, these username and password parings.
Matthew Gracey-McMinn: And people tend to now reuse a lot of usernames and passwords, and I myself have been guilty of this in the past - actually, recently, without even intending to be, you know? When you create - I think it's now - the average person has over 190 online accounts now...
Dave Bittner: Wow.
Matthew Gracey-McMinn: ...Which is ridiculous. And it's very hard to think of individual passwords for all of them. So I have, before getting myself a password manager, reused passwords without even realizing it, which means that if one of those accounts get compromised, technically they've all been compromised.
Matthew Gracey-McMinn: So these attackers know that there's this vulnerability. Not many people are varying their passwords particularly well. And say you have Netflix and Disney+ and Paramount+ and HBO's offering and Marquee TV and all of these others. You'll probably decide, hey, what if I use the same username and password for all of them? So you go ahead and do that, and then the attacker takes over one of these accounts. They've actually got access to all of them.
Matthew Gracey-McMinn: So what these attackers do is they're aware of this. They get these combo lists from the open and dark web, and they go, well, I've got 2 million credentialled parings here; let's try them all against Netflix and see which ones work. And the success rate can be phenomenally low for those things. You know, these sort of attacks against streaming services, these success rates are phenomenally low for these mass attacks. They'll throw all 2 million credential parings into there, and say, maybe a thousand, 2,000 will stick; they'll be able to get access to them.
Matthew Gracey-McMinn: But they can then sell these accounts for a couple of dollars each. That's a sizeable profit for them. So that's really where the current situation is sort of sitting and where these credentials are coming from. They're generally breaches of a sort of unrelated sort of system to the streaming services that has leaked these credentials online, and these attackers are taking them, this information, and using to stage as a weapon against other organizations.
Dave Bittner: You know, I can't help wondering, is this an area where people generally consider these sorts of passwords to be a lower priority than, say, their banking passwords? If someone gets my Netflix password and Netflix still works for me, you know, there's not a whole lot of pressure on me in terms of, you know, feeling as though there's a whole lot at risk.
Matthew Gracey-McMinn: Yeah, absolutely. Yeah. People - first of all, it is - might be hard to detect. You may not be aware. You might start seeing some odd things. Maybe a new profile pops up on there or your algorithm changes.
Dave Bittner: (Laughter) Right, right. Right.
Matthew Gracey-McMinn: You sort of - (laughter).
Dave Bittner: All the sudden, I'm interested in Russian-language documentaries.
Matthew Gracey-McMinn: Yes. Yeah, exactly (laughter).
Dave Bittner: (Laughter).
Matthew Gracey-McMinn: I didn't realize you were a Russian speaker.
Dave Bittner: (Laughter) Neither did I.
Matthew Gracey-McMinn: So yeah, yeah. You know, you'd see these - some changes. And Netflix do (ph) a pretty good job of trying to detect, say, logins from unusual locations and so forth. But you probably don't really care so much until, say, the attacker decides, hey, I'm going to change the password and lock you out of the account entirely. And if an attacker is feeling like they're getting their use out of it without doing that, they probably don't want to give the game away and so forth. So you...
Dave Bittner: Right.
Matthew Gracey-McMinn: ...Get this sort of quiet pilfering of things. And a lot of people do share their password with their family. So I share it with my family who live with me. They all know the password. I haven't traditionally made it, perhaps, hugely complex. I've massively increased the complexity sort of about six, seven months ago and then logged everyone in with it (laughter)...
Dave Bittner: Yeah.
Matthew Gracey-McMinn: ...And sort of left that - those particular devices and said, if you need another device in, let me know and I'll put the password in sort of thing. But historically - and again, I was guilty of this - you kept the password fairly simple so you don't have to keep logging your kids in, so you don't have to keep logging the rest of your family or your household in. And some people, of course, as we know from recent developments with Netflix, were sharing them cross-household as well. So there's more of an impetus to keep the password simpler, which makes it easier to guess anyway.
Dave Bittner: Yeah. And also, I mean, there's a user interface issue here as well. Because especially if you're doing this interaction right on your TV or if you have an Apple TV or whatever, you know, chances are you're trying to use some kind of a remote control. And boy, that is a big old pain in the butt.
Matthew Gracey-McMinn: (Laughter) It certainly is. When you look at particularly long passwords, like you're saying, yeah, it is a pain in the butt. And one typo and you're back to the start sort of thing. So it's not...
Dave Bittner: Right.
Matthew Gracey-McMinn: It's not really ideal solution (ph). 2FA helps. You know, a lot of people talk about 2FA. And there are 2FA, MFA bypass methodologies, but it does offer an extra layer of protection. It's a lot harder for an attacker to get in if there's MFA on there. You know, you can see when someone's logged in.
Matthew Gracey-McMinn: But not all of these services offer MFA historically. And generally speaking, people don't like to use MFA because it slows things down. And, you know, you sit down in front of the TV. Like you said, you know, you get the remote out. You put your username, password in. You log in. And then, oh, I've got to go upstairs to get my phone and click OK. And then I get upstairs, and it's timed out. I've got to go down and try again. So, you know, it's a bit of a hassle there. So people have historically been a bit reluctant to do it. And organizations have been reluctant to inflict that on their customers in many ways as well.
Dave Bittner: Is there a possibility that we could be heading towards some sort of collaborative approach where, you know, we have sort of, you know, one login to rule them all?
Matthew Gracey-McMinn: Yeah. I mean, that would be an option. And there are certainly organizations who - essentially, you can link your accounts together and access all of them from a single source of truth, a sort of one account of power almost. The problem there, of course, is if you do lose access to that account - those accounts are much more valuable to attackers. So if they take over - say you've linked all of your - you know, your Netflix, your Disney+, your HBO, Paramount+ and everything all together into one account, and you've got that one account, an attacker - that account is then much more valuable to an attacker. It's sort of putting all your eggs in one basket, almost. You know, it's great if you can then protect and guard that basket. It perhaps makes things easier. But if an attacker does get to that basket, they've got all the eggs.
Dave Bittner: What about the providers themselves? I mean, I've read stories recently where Netflix seems to be putting a little more effort into cracking down on these things.
Matthew Gracey-McMinn: For Netflix, they are now sort of trying to crack down on people who are sharing their passwords cross-households, which will hopefully try to crack down on this. You know, so if someone from Indonesia or somewhere logs into my account, it's probably going to look a bit suspicious because they may think, hey, as far as we know, Matt's in the U.K. He's not actually in Indonesia. So did he share the password or was his account taken over? So it offers a bit of extra protection there and I'm sure also may well help their bottom line in the long run, stopping that sort of sharing.
Matthew Gracey-McMinn: But part of the problem is that bad password hygiene sort of thing, that reuse of credentials, is bad. And it's something that, individually, I think we should be taking steps to try and make sure we're not doing that. You know, use MFA, use a password manager with - so we can more easily handle 190, 200 different accounts on an individual level.
Matthew Gracey-McMinn: But there is more of an impetus as well on organizations to do more to protect their customers. And a large part of that isn't just to - obviously, there's a sort of, we need to protect our customers. You know, it's bad for our reputation. It's bad for our customers if their accounts get taken over.
Matthew Gracey-McMinn: But there's also the cost of these takeovers. There's sort of secondary impact. So let's say you lose a hundred thousand accounts, and it takes customer support staff five minutes on the phone to repatriate that account to the actual owner. At a hundred thousand times five minutes, I dread to think how many hours of work that is to get all of those back. And that's time and ultimately money that's been - not being spent elsewhere.
Dave Bittner: Right. Well, what are your recommendations there? For folks to best sort of, you know, strike that balance between security but also a practical ease of use, how do you suggest folks dial that in?
Matthew Gracey-McMinn: If you're watching on a computer, obviously, password managers are a useful tool. On televisions and so forth, personally, I like to use MFA as much as possible, but obviously, being in the industry, I am - I'm very security conscious. I'm more worried about security than I am about ease of use quite often. It is a tricky one.
Matthew Gracey-McMinn: I would say that the key thing is don't reuse credentials. These credential stuffing attacks are so easy to perform. There's dozens of tools out there. And all an attacker has to do is literally sort of download a tool off GitHub or anywhere else - also online for the hacker forums and so forth are full of them - download that, and then they use something called a conflict file. Essentially, it's sort of a, this is what the website, this is what the target looks like. And then they just upload a list of username and passwords into it, and they hit run. And off it goes. And it just fires off all of those password - username and password combinations over and over and over again.
Matthew Gracey-McMinn: As individuals, what we can do to take steps to protect ourselves there is make sure we're not using those usernames and passwords. So if we lose one account somewhere through no fault of our own - say, companies being breached or whatever - we've not lost multiple accounts across all of our other 190, 189 services, whatever it is. And if we can turn on MFA, great. I highly encourage people to do that.
Matthew Gracey-McMinn: Another method to do is to look for those telltale signs. And like you said, you know, if you suddenly start seeing Russian-language documentaries on there and start thinking, hey; what could have caused these to come up, that sort of - hate to quote "Harry Potter" here, but constant vigilance, that awareness of some - hey; this looks a bit odd. You know, if you were in your house and all the lights suddenly went off, you might think, hey; there's a power cut. But if, you know, you start noticing lights in rooms you're not in turning on, you might think, maybe I should investigate that. It's the same thing with Netflix or Paramount+ or, you know, any of these streaming services. If you start seeing suspicious behavior on your account, change your password. Contact customer services. Look at login - currently logged in accounts.
Matthew Gracey-McMinn: Many websites now - Facebook, for instance - offer, hey; where are you currently logged in? Have a look at it and see if it adds up to where you currently are. Providing security to individuals, to our customers as organizations - you know, it's not just dependent on the individual, and it's not just dependent on the organization. It's very much a team effort, a team sport here to make sure we're protecting ourselves.
Dave Bittner: All right, Joe. What do you think?
Joe Carrigan: Dave, I will start off by saying I agree with Matthew that I am also irritated by the number of streaming services that I have.
Dave Bittner: (Laughter) Yes.
Joe Carrigan: I guess I'm spending what used to be my gas money on them.
Dave Bittner: (Laughter).
Joe Carrigan: But one of the key things that Matthew says - and it's something I say all the time - these accounts have value. Everything you have online has value.
Dave Bittner: Right.
Joe Carrigan: Don't think it doesn't. One of the biggest objections that I deal with is, hackers are not interested in me. They are interested in you. And here's one of the things they're interested in because they can sell access to your Netflix account for a couple of bucks. And Matthew uses an example here of somebody getting 2,000 hits out of a 2-million-record database. And he says that's a very low percentage, but it's still 2,000 hits. I can turn around and sell each one of these things for five bucks. That's 10 grand.
Dave Bittner: Not a bad payday.
Joe Carrigan: That's not a bad payday. And it doesn't take long for this automated script to go through and try all 2 million of those records. And I can do whatever I want while that's going on, right? I'm not sitting there...
Dave Bittner: Right.
Joe Carrigan: ...Trying this. It's a script. And I let my computer make me $10,000. The hardest part is actually selling the credentials and laundering the money. Finding the credentials is easy. It's all automated. The UI on these streaming services is a big deal, and hearing a long, 20-character password is really awful, you know, especially since I use uppercase, lowercase, numbers and symbols in my things.
Joe Carrigan: But what I've taken to doing for my streaming services is changing the settings on those accounts. So I still use a very long password, but I only use letters so that it's easier for me to enter it. You know, there's all the math about how complex your password has to be, but, you know, you understand the risk model. And really, what they have to be in order to protect yourself from these kind of attacks is they just have to be unique. They don't have to be terribly, terribly complex. You know, a 20-character password made up of all lowercase letters is going to take a long time to crack, and nobody's going to do that.
Dave Bittner: Yeah.
Joe Carrigan: And if it's unique, then you don't really need to worry about it showing up in another password breach. And that's how you secure your account. Netflix doesn't really care if your credentials get stolen, right? But they do care if you share your credentials with your family member. And I think the reason they care about that is because that's actually something that happens more frequently than people's accounts getting broken into. And that's costing them revenue, and I understand that.
Joe Carrigan: But the good news is that these things look the same from Netflix's perspective. Matthew talks about Netflix going and trying to stop you from sharing your Netflix account with your family members who don't live with you. But at the same point in time, they're going to have to stop people from stealing your Netflix account.
Dave Bittner: Right.
Joe Carrigan: It's just kind of...
Dave Bittner: Right.
Joe Carrigan: ...Going to be part and parcel. Use MFA if the service offers it. That's a great idea. I think that's a lot easier than having a long, complex password for all these things. It's a lot easier than switching between the numbers and the symbols and the uppercase and lowercase letters. I still say...
Dave Bittner: Yeah.
Joe Carrigan: ...Use the complex and unique password. Maybe limit the character space of it and make a little bit longer to account for the difficulty. And look for the telltale signs that your account has been compromised. Can you go to that where am I logged in page on the service provider's website? Can you look at what I'm - well, you know, continue watching for Joe on Netflix is what I see all the time, right? And...
Dave Bittner: Right.
Joe Carrigan: Is that...
Dave Bittner: Have your interests suddenly changed?
Joe Carrigan: Right. Have my interests suddenly changed? Look at all this anime. No.
Dave Bittner: Yeah.
Joe Carrigan: I don't watch this.
Dave Bittner: All these foreign-language movies...
Joe Carrigan: Right.
Dave Bittner: ...That I never was interested in before. What's up with that?
Joe Carrigan: Yes. Keep an eye out on that. And when you see that, go ahead and just change your password. And that should fix the person who's - that should get the person locked out of your account. Matthew does talk about somebody locking you out of your account. I don't know what the workflow is for that aside from a phone call to the provider, but if they change your password, now you have to go through the process of calling them. And...
Dave Bittner: Right.
Joe Carrigan: Nobody likes calling.
Dave Bittner: Probably verifying your credit card or something like that.
Joe Carrigan: Right. Nobody likes calling these companies that just like billing you. And that's really the business model. They just want to bill you.
Dave Bittner: Right. That's right. All right. Well, our thanks to Matthew Gracey-McMinn for joining us. We do appreciate him taking the time.
Dave Bittner: That is our show. We want to thank all of you for listening.
Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.