Hacking Humans 8.12.21
Ep 160 | 8.12.21

The attackers keep coming every single day.


Andrew Rubin: The attackers are not waiting for you to get there and then saying, now we're going to see how well you did. They're going to keep coming every single day.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, my conversation with Andrew Rubin. He is CEO and co-founder of Illumio. We're going to be talking about zero trust. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we actually have quite a bit of follow-up. 

Joe Carrigan: Yes. 

Dave Bittner: Let me start off here. First thing we got here was from a listener named Cassie (ph). And she writes in and says, I just got done listening to your January 17, 2019, episode, "Prisoners Have Nothing But Time." 

Joe Carrigan: Right. 

Dave Bittner: And she's starting from the beginning and making her way through (laughter). 

Joe Carrigan: As everybody should, Dave. 

Dave Bittner: That's right. 

Joe Carrigan: Thank you, Cassie. 

Dave Bittner: (Reading) I just wanted to give you another perspective on the prison pen pal scheme. She says, I served seven years in a female prison here in Kentucky. I'm currently out and turned my life around, always trying to do the next right thing. Of course, some of the women I was in with took advantage of pen pals the same way the man in that episode did, but it also happened the other way around. Men would write to the women and try to take advantage of them. 

Joe Carrigan: Really? 

Dave Bittner: (Reading) Those men were usually older gentlemen who were lonely and wealthy. They would send money to the woman, and in turn, she would tell them everything about themselves. I know women who turned over control of their social media accounts to random people they wrote. They gave information on their family and friends as well. As a result, when they got out, they had to make new accounts while these people pretend to be them online. 

Joe Carrigan: Wow. Really? 

Dave Bittner: She says, I've almost fallen for a scam on Facebook from the account of someone I was in prison with. 

Joe Carrigan: Right. That's actually an interesting vector. 

Dave Bittner: She says, of course, I'm unsure if they got hacked this way, but it would be too easy. For example, it only takes one quick search to get an amazing amount of information about anyone in prison or even out on parole, like myself. 

Dave Bittner: And then she includes a link to a state corrections website. And I went and looked on there. And sure enough, there's a lot of information there. 

Joe Carrigan: Yeah. 

Dave Bittner: There's a photograph of the person, hair color, eye color, gender, where they are. It's basically, you know, a social engineering catalog of information. 

Joe Carrigan: Right, yeah. 

Dave Bittner: She said - Cassie goes on to write. She says, I basically just say this because it proves what you say about scammers not really caring about who you are when they find out all your info because it can be used to further any other plans of theirs, like that scam I came very close to falling for. 

Joe Carrigan: Exactly. 

Dave Bittner: (Reading) I also want to tell you and Joe that since I started listening to your podcast, I've now randomized all of my passwords... 

Joe Carrigan: Very good. 

Dave Bittner: ...Got a password manager... 

Joe Carrigan: Excellent. 

Dave Bittner: ...And I don't click on email links. 

Joe Carrigan: That's even better. 

Dave Bittner: She says, thank you very much for the show. And if you've made it all the way through this message, I hope I gave you some food for thought. Have a great day. 

Joe Carrigan: Thank you very much, Cassie. I appreciate this perspective, you know? And maybe it's time to rethink what it means to be a matter of public record, right? You know, court records are public records. But should we have this level of information available to anybody online, anywhere in the world? Maybe it's time to rethink that. 

Dave Bittner: Yeah, yeah. It strikes me, too, that I - an angle of this I had not considered is that if you are someone in prison... 

Joe Carrigan: Right. 

Dave Bittner: ...And someone is trying to steal your identity... 

Joe Carrigan: Right. 

Dave Bittner: ...It's probably very difficult to monitor that. 

Joe Carrigan: Absolutely. 

Dave Bittner: You have limited ability to reach out in the world and check your accounts and make sure someone isn't out there trying to use your identity for bad things. 

Joe Carrigan: Yeah. And no one in prison or otherwise should be handing over control of their social media accounts to someone they've never met, someone they don't know. 

Dave Bittner: Right. 

Joe Carrigan: If you're in that situation and you want to hand over control of your social media accounts, hand it over to a family member or a trusted friend, somebody you know personally. Don't hand it over to some person who just started writing you letters. 

Dave Bittner: Yeah, yeah. 

Dave Bittner: We got another email from a listener named Bob (ph). And Bob says, Dave and Joe, I ran into the issue Dave had. 

Dave Bittner: He's talking about the issue from last week with the Google Authenticator issue that I had when I was having trouble getting in Discord. 

Joe Carrigan: When you lost your seeds. 

Dave Bittner: Yes. And he says, what I do now is take a screenshot of the QR code and save the image in a password vault. I have a separate one that just stores these images. This way, if I move to a new phone or have to reset my phone for any reason, I can scan it again. 

Joe Carrigan: Right. And... 

Dave Bittner: I like this idea. 

Joe Carrigan: This is actually what I do - something very similar. 

Dave Bittner: Yeah. 

Joe Carrigan: I keep it in a VeraCrypt volume that I keep disconnected from my computer so if I ever need it, I can put it into a computer and take pictures of the old QR codes. 

Dave Bittner: Yeah. 

Joe Carrigan: This is also where I keep my recovery codes that I get as well. 

Dave Bittner: Yeah, yeah. That's smart. Having it in another place - good idea. 

Joe Carrigan: Right. 

Dave Bittner: And, you know, in the past, similarly, there have been times along the way where I have actually printed out these QR codes, put them in a file, filed them away and... 

Joe Carrigan: Yup. That's a valid solution as well. 

Dave Bittner: Yeah. And, boy, do I wish I'd done that this time. 


Dave Bittner: I did not. 

Dave Bittner: And finally, another piece of follow-up. One of our listeners wrote in and said, hi, guys. Love your show and listen to it every week. 

Joe Carrigan: Awesome. 

Dave Bittner: (Reading) This hit home for me, too, with the multifactor authentication because I've gone through the same pains and troubles many other people have. I mostly use the Google Authenticator app. And after your show, I quickly logged in to my Google account to find out how I could back up my Google Authenticator app. It turns out it's right there in your settings in security. Scroll down to your two-factor authentication and click on it. Once you get into that area, if you scroll down far enough, you'll see an area that says show backup codes. Those are the codes that you reload into your Google Authenticator app should you ever run into this problem. So if you lose your phone or break it, or simply forget to transfer everything, this is how you reload all those codes. I hope I've helped in some small way. Keep up the great work. I learn something new from you guys every week. 

Dave Bittner: Oh, we appreciate that. 

Joe Carrigan: That's great. 

Dave Bittner: I followed the directions here, and I have to say I was unsuccessful. 

Joe Carrigan: Me, too. 

Dave Bittner: (Laughter). 

Joe Carrigan: But you and I both don't use Google Authenticator to - as our second factor for our Google accounts. 

Dave Bittner: Right. 

Joe Carrigan: We both use YubiKeys for that, right? 

Dave Bittner: Right, exactly. 

Joe Carrigan: So they may not be there. I don't think these are codes for all of your seeds. I think these are just codes for - these are secondary codes, backup codes for getting back into your Google account. 

Dave Bittner: OK. 

Joe Carrigan: I may be wrong about that, but you and I can't see them. We don't see them at all. 

Dave Bittner: Yeah. 

Joe Carrigan: However, I did look on the Google Authenticator app to see if there's some means of backing these codes up. There is a way you can export them. I don't know what that results in. I haven't done that yet. But on my Microsoft Authenticator - Microsoft offers a very similar product. That has a button on it that says cloud backup... 

Dave Bittner: Right. 

Joe Carrigan: ...So that you can store your seeds in the cloud securely. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know how Microsoft does that and assures that they're secure. 

Dave Bittner: Yeah. 

Joe Carrigan: I also don't know how you get that back if you're using an authenticator app to access your Microsoft account (laughter). I mean... 

Dave Bittner: Yeah, it's a thing. It's codes all the way down, right? And then... 

Joe Carrigan: Right, exactly. 

Dave Bittner: Yeah. We heard from some other listeners who said that - for example, a password manager like LastPass that has its own authenticator app, and it backs up its codes in your LastPass account automatically. 

Joe Carrigan: Right. 

Dave Bittner: So that's an option. And there are certainly plenty of these sorts of apps. It's - there's quite a marketplace out there for these authenticator apps, and they have varying degrees of functionality. 

Joe Carrigan: Right. 

Dave Bittner: So look into them. But hopefully I - again, we appreciate our listener sending in these sort of breadcrumbs to hopefully find these things. Didn't work for me, but if it works for someone else out there who's under a slightly different scenario, well, that's great. 

Joe Carrigan: Great. Yeah, absolutely. 

Dave Bittner: All right. Well, again, thanks to everybody for writing in. We'd love to hear from you. Our email is hackinghumans@thecyberwire.com. 

Dave Bittner: Let's move on to some stories this week. I'm going to kick things off for us. This actually - my story this week comes from the folks over at Interpol, the international - I don't know what you call them - law enforcement organization. 

Joe Carrigan: Yeah, they're police. 

Dave Bittner: Right, right. 

Joe Carrigan: They're law enforcement. 

Dave Bittner: Yeah, yeah. And they sent out a document. It's called "5 Reasons Non-delivery Scams Work." 

Joe Carrigan: OK. 

Dave Bittner: And non-delivery scams are something that we have covered here before. 

Joe Carrigan: Yes. 

Dave Bittner: That's where you are typically online and you see something that you would like to buy or you're out there shopping for something, you see an ad for something you'd like to buy, and you go to buy it, and you sign up and you see, ooh, this is a good price for this thing that I've wanted. 

Joe Carrigan: Right. 

Dave Bittner: And you go through and you buy it and you put in your information and it says, good news; it's on the way, and it never shows up. And after a certain amount of time, you get suspicious and you go back to try to track down what happened, and turns out you were on a scam website. It wasn't the website of the company or the product that you thought you were going to buy. And so that's a non-delivery scam. 

Joe Carrigan: And a lot of times they'll have a - they'll send you something that is of no value. 

Dave Bittner: Right. 

Joe Carrigan: And that's so that when you dispute the credit card charge, they can prolong that process by disputing your dispute. 

Dave Bittner: Right, right. They'll say, no, no. Look; here's the - here's proof. 

Joe Carrigan: Here's the tracking number. 

Dave Bittner: Yeah. There was something delivered. 

Joe Carrigan: Right. 

Dave Bittner: What's this person talking about? 

Joe Carrigan: And all they're doing is trying to buy themselves time so that they can move the money out of the account. 

Dave Bittner: Right, right. So this is a helpful list here, reminders when it comes to these sorts of things. They say, first of all, it's organized crime. So this isn't just lone wheeler-dealers. These are organized groups. These are professionals who are doing this, and they're doing it at scale. 

Joe Carrigan: Right. 

Dave Bittner: And they're doing it internationally. They say advertising draws victims in. And as we've seen, particularly places like Facebook - or these folks will buy these ads that appear to be from the legitimate providers of these products. 

Joe Carrigan: Right. 

Dave Bittner: And they look just like the real thing. 

Joe Carrigan: Yup. 

Dave Bittner: And that's one of the things about working online is that it's really easy to copy the real thing. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Right? 

Joe Carrigan: It is. 

Dave Bittner: You could even pull pictures, you know, images from the real website where the things are alleged to have come from. 

Joe Carrigan: Yep. 

Dave Bittner: They go on and they say everything seems official. They - the interactions with them seem on the up and up. They say salespeople create relationships, so they - and this is where they start to use things like social engineering. 

Joe Carrigan: Right. 

Dave Bittner: They can flatter you. They can say, oh, you're my best client. They can use social engineering where they say, you're so lucky; this product is impossible to find right now. 

Joe Carrigan: (Laughter). 

Dave Bittner: And that's part of how they get you. Because if you're looking for something that's hard to find, like - I don't know - you're looking for the next PlayStation or Xbox or something like that... 

Joe Carrigan: Right. 

Dave Bittner: ...Something unavailable... 

Joe Carrigan: Or the - every year there's some crazy toy that happens around Christmastime... 

Dave Bittner: Right. 

Joe Carrigan: ...That becomes very difficult to find. 

Dave Bittner: Right, right. They'll lie to you. They'll say, oh, we got special permission for this shipment. Don't tell my boss, right? And so... 

Joe Carrigan: (Laughter) So you're in on the secret. 

Dave Bittner: Right, exactly. They build your trust and a sense of rapport, and then, finally, they disappear. 

Joe Carrigan: Right. 

Dave Bittner: When the - by the time the jig is up, by the time you figure out, you've sent off your money and it's something - there's - nothing is coming to you. Usually they're gone. The phones are cut off. The emails are gone. The websites are shut down. And one of the things they point out here - that victims are often ashamed. 

Joe Carrigan: Right. 

Dave Bittner: And so they are reluctant to report the fraud to the police. 

Joe Carrigan: Yeah, that's a real problem in this topic. 

Dave Bittner: Yeah. 

Joe Carrigan: Because all that does is enable these guys to continue their operations. 

Dave Bittner: Right. They count on it. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. So a couple tips here to protect yourself from a non-delivery fraud. They say be aware of bogus websites, so for example, making sure that the website is a dot-com instead of a dot-org or a dot, you know, cm... 

Joe Carrigan: Right. 

Dave Bittner: ...Or cam or something that looks close but isn't quite right. 

Joe Carrigan: Right. 

Dave Bittner: Verify the company or individual offering the items before making any purchases. It's not always easy to do, but... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Good to do. Check online reviews. Other customers - are they saying, hey, I haven't received anything here? Be wary about making a payment to a bank account located in a different country. That's a big red flag. 

Joe Carrigan: You know, Dave, I've bought a lot of things online. 

Dave Bittner: Yeah. 

Joe Carrigan: Never once have I made payment to a bank account. 

Dave Bittner: Yeah. Yeah, me neither. I've certainly purchased things where it's sort of dropshipped from China. 

Joe Carrigan: Right. 

Dave Bittner: You know, and it comes over, like, literally on a slow boat. 

Joe Carrigan: Yeah. 

Dave Bittner: Takes its time getting here. 

Joe Carrigan: Yeah. 

Dave Bittner: And then the other funny thing about that that I've noticed is that very often, what - the description on the package for customs has nothing to do with what's actually in the box. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: So that's the thing. 

Joe Carrigan: That's a completely different topic for a completely different kind of show. 

Dave Bittner: (Laughter) Right, exactly. Right, right. 

Dave Bittner: And then finally, they say keep your radar on high alert, especially if you're asked to pay unplanned fees. So good advice here. I think some general stuff, some good reminders. And interesting that this is active enough that the folks at Interpol decided it was time to put this communique out and help spread the word about it. 

Dave Bittner: All right, well, that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, you're familiar with the term catfishing. 

Dave Bittner: I am. 

Joe Carrigan: Right. This is where you - or somebody. Not you, Dave. You would never do this, right? 

Dave Bittner: No (laughter). Only to you as a practical joke, maybe. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: This is where somebody sets up a social media presence of some kind. It can be across multiple platforms. And usually they're doing this for the purpose of some romance scam or something of that nature. But there are plenty of other reasons they've done it. 

Joe Carrigan: And Proofpoint has a really amazing report that came out just last week as we're reporting this, and it is about an APT called TA456, or Imperial Kitten. 

Dave Bittner: OK. 

Joe Carrigan: Since it has kitten on the end of it, you know that's something to do with Iran. 

Dave Bittner: Yeah. And APT is advanced persistent threat. 

Joe Carrigan: Correct. 

Dave Bittner: That's how we describe nation-state actors... 

Joe Carrigan: Right. 

Dave Bittner: ...Or their... 

Joe Carrigan: Nation-state actors are very - or very sophisticated criminal organizations. 

Dave Bittner: Right, right. 

Joe Carrigan: They created a profile for a person called Marcella, or Marci (ph), Flores. And guess what Marci's job is. 

Dave Bittner: Cybersecurity professional. 

Joe Carrigan: No. She is an aerobics instructor. 

Dave Bittner: Oh. 

Joe Carrigan: Now, Dave, have you ever met an unattractive aerobics instructor? 

Dave Bittner: (Laughter) I have not. 

Joe Carrigan: I have never seen an unattractive aerobics instructor. 

Dave Bittner: That's an interesting point. 

Joe Carrigan: Right. 

Dave Bittner: You know, and I think you're right. I suspect that's part of the job. 

Joe Carrigan: Right. 

Dave Bittner: If you're going to be an aerobics instructor and people are going to stand in a classroom and look at you for an hour or however long an aerobics class takes... 

Joe Carrigan: Right. 

Dave Bittner: ...It's probably to your advantage to be overall a pleasing-looking person. 

Joe Carrigan: Correct. 

Dave Bittner: Yes. 

Joe Carrigan: And the pictures they use for Marci's profile were no different. This is a very beautiful woman. 

Dave Bittner: Yeah. 

Joe Carrigan: And she is Oxford educated. 

Dave Bittner: Oh. 

Joe Carrigan: And she comes across - I mean, it looks like the profile of somebody who is at the top of their game in the field. It's a great profile from an objective standpoint. 

Dave Bittner: OK. 

Joe Carrigan: They use this profile to build relationships across personal and corporate communications platforms with an employee of a small subsidiary of an aerospace contractor. OK? 

Dave Bittner: OK. 

Joe Carrigan: So this is an intelligence operation. And the earliest publicly available Facebook profile photo of this person was uploaded in May of 2018. 

Dave Bittner: OK. 

Joe Carrigan: So that's when they create the profile. 

Dave Bittner: Right. 

Joe Carrigan: Or that's when they upload a photo to the profile. And we actually don't know when they created the profile. In 2019, a year later, that's when they friend the target of this operation. 

Dave Bittner: OK. 

Joe Carrigan: OK? So that's a year later, they send a friend request. And then in November of 2020, this profile starts conversing with the target over these - over this platform. 

Dave Bittner: OK. 

Joe Carrigan: So now another year has passed. Then, finally, in June of this year, 2021, the threat actor attempted to capitalize on the relationship by sending a targeted malware via an ongoing communication chain. 

Joe Carrigan: Now, Dave, I won't get into technical details, but the technical details are in the report from Proofpoint. There's a link in the show notes if you want to check them out. But this is a nasty piece of malware, and it is targeted at this person - specifically at this person. This was - they really thought this guy was of value. I'm assuming it's a guy. 

Joe Carrigan: Proofpoint says the profile bears strong similarities to other profiles previously used by the Iranian APTs to target intelligence targets of interest and of value. And the Marcella program appeared to be friends with multiple individuals who publicly identify as defense contractor employees and who are geographically dispersed from the alleged location of this profile in Liverpool in the U.K. 

Dave Bittner: OK. 

Joe Carrigan: Right? And now in July of 2021, Facebook announced that they had disrupted a network of Facebook and Instagram personas, including this one, that they attributed to an Iranian-aligned attacker or actor. And the - and they shut down the account. So Marcella's account's gone. You can't see it anymore. 

Dave Bittner: OK. 

Joe Carrigan: But it occurred to me this is a lot of effort to go through to target one person. You look at this. They went back - it goes back to 2018, when they created this profile and started populating it. 

Dave Bittner: Right. 

Joe Carrigan: And they didn't try to send the malicious attachment until three years later. 

Dave Bittner: Wow. Yeah. I mean, espionage is a long game, I suppose. 

Joe Carrigan: It is a long game. When you're dealing with a threat actor like this, you know, you have to expect the long game. 

Joe Carrigan: Here's an observation I have on this. It's really difficult to avoid being targeted this way because if you're on LinkedIn and on Facebook - right? - and I go and do a search on LinkedIn for people that work in defense contractor, there's a picture of you there, right? 

Dave Bittner: Right. 

Joe Carrigan: Chances are there's a picture of you on your Facebook profile as well. So I can reach out to you on your Facebook profile and try to befriend you on your Facebook profile never even using your LinkedIn. And LinkedIn is where I - and I've said this before. LinkedIn is a fantastic open-source intelligence tool. 

Dave Bittner: Right. 

Joe Carrigan: So it's - I don't know how you protect yourself against this other than being suspicious of people that you've never met when they send you attachments. 

Dave Bittner: Well, that's - I mean, that's - (laughter) that's the - shouldn't that be enough, Joe (laughter)? 

Joe Carrigan: Yeah, actually, it was enough in this case. I don't think that this attachment - that this payload fired off. I think that they caught it. 

Dave Bittner: Yeah. 

Joe Carrigan: I think the guy may have been suspicious and said, you know, this is going on a little too long. 

Joe Carrigan: Another thing that would make me suspicious is if out of the blue, a very attractive female aerobics instructor friended me from the U.K. 

Dave Bittner: Oh, come on, Joe. Don't (laughter)... 

Joe Carrigan: I would be immediately suspicious of that. I'm like, why? Why is this woman interested in me? 

Dave Bittner: Oh, come on, Joe. You're a big-time podcast host. I mean... 

Joe Carrigan: That's right. It's - yup, big-time podcast host. 

Dave Bittner: Yeah. You never know. I mean, you know? Yeah, yeah. You know, it's funny. I would say a couple times a week, you know, my wife and I will be sitting on the couch, and she'll hold up her phone to me with a Facebook friend request, and she'll say, do you know this person? 

Joe Carrigan: Right. 

Dave Bittner: And I'll look and I'll go, nope. She's like, all right. And, you know, that's it. Like... 

Joe Carrigan: That's the end of it, right. 

Dave Bittner: Right. That's the end of it. But I think it's an interesting additional avenue for folks to get in, which is that if you're trying to come at someone who's part of a couple - right? - a married couple... 

Joe Carrigan: Right. 

Dave Bittner: ...For example, and you can befriend the spouse... 

Joe Carrigan: Right. 

Dave Bittner: And the spouse is not the target, but befriend the spouse, and then, for example, if they go to friend me and I look and they say, oh, well, this person is friends with my spouse. I guess... 

Joe Carrigan: Yes. 

Dave Bittner: ...They know - we know who that person is. All right, I'll say yes. 

Joe Carrigan: Right. 

Dave Bittner: And then, you know, we'll swing back around and check later, right? So, I mean, that's a common espionage technique as well... 

Joe Carrigan: Yes. 

Dave Bittner: ...To become friends with the friends or the loved ones or whatever. 

Joe Carrigan: So if you work in the defense industry for any country, be wary of these kind of things. Be wary of these kind of requests that come out of the blue. 

Dave Bittner: I wonder if Marcella Flores was specifically created just for this one person or was she playing the field... 

Joe Carrigan: Well... 

Dave Bittner: ...With the defense contractors (laughter). 

Joe Carrigan: She did have multiple defense contractor contacts... 

Dave Bittner: OK. 

Joe Carrigan: ...Before her account was taken down. So, yes, she was definitely playing the field. 

Dave Bittner: She had a type. 

Joe Carrigan: Right. 

Dave Bittner: Right (laughter)? 

Joe Carrigan: You say she, but it's really some group - a group of guys in Iran who are... 

Dave Bittner: Right, yeah. 

Joe Carrigan: ...Who are running this. 

Dave Bittner: Burning the midnight oil. 

Joe Carrigan: Right, exactly. 

Dave Bittner: Exactly. The opposite of an aerobics instructor, right? 


Dave Bittner: All right. All right, well, interesting story. And, of course, we'll have the link to that in the show notes. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Timothy (ph). Dave, you're going to read this one. And this is going to be challenging because just about every other letter in this - none of the letters in this email - the physical, like, letters - are actually the appropriate letter, right? 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: They are from the Unicode set, and they look similar to the letters. Many of them have diacritics over them. But this is obviously to get through a spam filter. But the letter is very interesting. 

Dave Bittner: All right, well... 

Joe Carrigan: Let's see how it goes (ph). 

Dave Bittner: ...It goes like this. It says, (imitating Russian accent, reading) Payment From Your Account. Greetings. I have to share bad news with you. Approximately a few months ago, I gained access to your device, which you use for internet browsing. After that, I have started tracking your internet activities. 

Dave Bittner: (Imitating Russian accent, reading) Here is the sequence of events. Sometime ago, I purchased access to email accounts from hackers. Nowadays, it's quite simple to buy online. I have easily managed to log in to your email account. One week later, I have already installed the Trojan virus on the operating systems of all the devices you use to access your email. It was not hard at all since you were following the links from your inbox emails. All ingenious is simple. 

Dave Bittner: (Imitating Russian accent, reading) This software provides me with access to all your devices, controllers, your microphone, video camera and keyboard. I have downloaded all your information, data, photos, web browsing history to my servers. I have access to all your messengers, social networks, emails, chat history and contacts. My virus continuously refreshes the signatures. It is driver-based and hence the remains invisible for antivirus software. 

Dave Bittner: (Imitating Russian accent, reading) Likely, I guess, by now, you understand why I have stayed undetected until this letter. While gathering information about you, I have discovered that you are a big fan of adult websites. You love visiting porn websites and watching exciting videos while enduring an enormous amount of pleasure. 

Joe Carrigan: (Laughter) Enduring pleasure. 

Dave Bittner: (Imitating Russian accent, reading) I have managed to record a number of your dirty scenes and montaged a few videos. If you have doubts, I can make a few clicks of my mouse and all your videos will be shared with your friends, colleagues and relatives. I also have no issue at all with making them available for public access. I guess you don't want that to happen, considering the specificity of the videos you like to watch. You perfectly know what I mean. It would cause a real catastrophe for you. 

Dave Bittner: (Imitating Russian accent, reading) Let's settle this this way. You transfer $1,602 to me in Bitcoin equivalent according to the exchange rate at the moment the funds transfer, and once the transfer is received, I will delete all this dirty stuff right away. After that, we will forget about each other. I also promise to deactivate and delete all the harmful software from your device. Trust me. 

Joe Carrigan: Trust me (laughter). 

Dave Bittner: (Imitating Russian accent, reading) I keep my word. This is a fair deal, and the price is relatively low, considering that I have been checking out your profile and traffic for some time by now. If you don't know how to purchase and transfer bitcoins, you can use any modern search engine. Here is my Bitcoin wallet. You have less than 48 hours from the moment you open this email - precisely two days. 

Joe Carrigan: Excuse me; 48 hours, precisely 48 hours, is precisely two days, not less than 48 hours. 

Dave Bittner: Oh. 

Joe Carrigan: Right? 

Dave Bittner: Yes. 

Joe Carrigan: Isn't that a mathematical error on this scammer's part? 

Dave Bittner: Well (laughter), I'm sure it got lost in translation. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: All right. There are a few more things here. 

Joe Carrigan: Right. Everybody gets the idea. 

Dave Bittner: But I think we get the gist of what's going on here. And, yes, this is challenging to read. 

Joe Carrigan: (Laughter) Good. 

Dave Bittner: Yeah. It's like they have a different letter for everything. 

Joe Carrigan: Right (laughter). It's amazing. So this is obviously just another sextortion scam... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Somebody trying to capitalize on somebody else's guilty conscience. There is no video of anybody like this. They're just hoping that you'll send the bitcoin. Now, Timothy did go to a blockchain tracing site to check out the address, the Bitcoin address. Nobody has sent any bitcoin to this person. 

Dave Bittner: Good. 

Joe Carrigan: So nobody's falling for it. 

Dave Bittner: (Laughter) Yeah. I mean, I think the wacky letters are probably a bit of a dead giveaway... 

Joe Carrigan: Right. 

Dave Bittner: ...As well as the broken English and on and on and on. 

Joe Carrigan: Right. 

Dave Bittner: So good. Good no one is falling for this so far. 

Joe Carrigan: Yes. 

Dave Bittner: Wow. All right. Well, thanks to our listener for sending that into us. We do appreciate it. We would love to hear from you. You can send us your Catch of the Day to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Andrew Rubin. He is the CEO and co-founder of a security company called Illumio. And our conversation centers on this notion of zero trust. Here's my conversation with Andrew Rubin. 

Andrew Rubin: So first of all, let's back up one very large step and go back and acknowledge that over the last three decades, almost the entire cybersecurity model has revolved around detection and using detection to try and find, and therefore stop, bad things from happening. And obviously, our track record recently of relying on that as a strategy proves that it's no longer enough. And so I think there's a very important point there that we've had a strategy for a long time, but the news of late proves that it's no longer enough to keep us safe. 

Andrew Rubin: I think the second thing is that we've seen a seismic shift in the outcomes when we miss. This was a story that, for many years, was told around data being stolen or information leaking out. And then a few weeks ago, we had lines at gas stations, and we had concerns about the food supply making its way around the country. We've tipped over from this becoming a cyber incident with a cyber outcome to becoming a cyber disaster with potential physical world or physical outcomes. And so I think that that's sort of the second important piece. 

Andrew Rubin: And I think the third piece is we've watched the response in volume and velocity ramp up enormously, highlighted probably more than in anything else by the president of the United States' executive order just a few weeks ago mandating the federal government uplift to a zero-trust model and, just on the heels of that, a couple of weeks later, the White House publishing a memo imploring corporate America to acknowledge the ransomware pandemic that we're currently living in and to begin to do things to combat it, including segmentation of their networks and infrastructure. 

Andrew Rubin: So I think we're in this very interesting time where we've had a model for decades. We're watching the model fall apart. The outcomes prove that. And the question is being asked, rightfully so, what are we going to do now? And the answers are beginning to come out, but we're very, very early in this conversation. 

Dave Bittner: And so what, in your estimation, do we have in terms of options moving forward here? I mean, what sort of approaches should we be taking? 

Andrew Rubin: Well, one of the most interesting things - and I think it speaks to the question - is, let's assume there are other options. Let's assume that we change the model, build something new to supplement the old model. Let's assume that something can be done differently. 

Andrew Rubin: The first question to ask is, what's getting in the way of that happening? We're not waiting for yet another breach. We've had enough of them. We're not waiting for the outcomes to get worse. Most people agree that we're already tipping between terrible and catastrophic. So the question is, why not faster? Why not now? And actually, I think the first question you have to ask is, what's stopping us from making these important changes? 

Andrew Rubin: And I actually think that the hardest thing is changing our mindset. We have had the exact same mindset for 30 years around cybersecurity. Detect bad things, stop bad things. And we relied on it 100%, all stop. 

Andrew Rubin: The first thing we have to do is acknowledge that no matter how much detection you have, no matter how hard you try or how much money you spend, you're going to be breached. There is a reason why zero trust is defined, at its core, as assuming breach - not because people are fatalistic or they're pessimistic about the outcomes; they're realistic about the outcomes. The attackers have the largest attack surface in the history of humankind in cyberspace. They have the fastest ability to go after that attack surface. And as a result of that, I think that when we accept that breach is now part of life, by starting with that acknowledgement, we can then ask the question, what can we do differently? And I do think the answer to that question is becoming, by standard practice, adopting a zero-trust mindset. 

Andrew Rubin: And then the next question after that has to be, now, what do I do about that? What security control do I put in place? What product do I buy? What vendors do I align with? 

Andrew Rubin: But I think the first thing is acknowledging that we need a different strategy, changing the mindset. The second thing is figuring out what that new mindset is or what we're going to add. And that's zero trust. And then you get to the tactical and implementation question of, what do I do about it? We just have to go really quickly because unfortunately, the attackers are not waiting around for us to get this right. They are making us think about this and push harder and go faster. And if we don't, they're going to keep winning, and they're going to win more often. 

Dave Bittner: What are your recommendations, then, for organizations in terms of, you know, turning the various dials for the different types of security that they implement? I mean, is it safe to say that it's premature to, for example, jettison detection altogether? But if we're going to shift some of our spending, how does each organization go about calibrating how they set those priorities? 

Andrew Rubin: So it's a fantastic question. And I think that there are two very important points that come out of it. None of this is about throwing away everything that we've been doing or we're doing today. In other words, exactly as you asked, nobody would say turn off all your detection because it doesn't work. It's how well it works, or does it work perfectly? And we all know the answer to that second part is no. 

Andrew Rubin: So we see a lot of value in trying to detect and obviously block and stop bad things. But even if you're right 99.99999% of the time, unfortunately, that is not perfect. And when you miss, the immediate question you should be asking is, now that I've missed, is this an incident, or is it going to be a catastrophic breach? And the differential between those two things - you have to have an answer for how you're going to prevent it from becoming catastrophic. So this is about not throwing away the model; it's about adding to the model. It's about recognizing there is a new problem to solve. 

Andrew Rubin: And so I'll tell you the two things that I honestly believe are coming out of all this conversation that we're having right now. No. 1 - there is a real acknowledgement that our existing model alone is not enough. I think that's an incredibly healthy thing. The outcomes are happening more often, meaning the breaches. They seem to be getting worse, and they're happening to more and more organizations every day. That should be enough evidence that we need to be asking the question quickly, what else do we need to be doing? 

Andrew Rubin: But that leads to the second part, which is - there's an old expression about - the enemy of a good plan is a perfect plan. Acting now and moving us into a zero-trust position, even if it's not all the way there, is better than spending the next three years debating about what the perfect zero-trust model might be. And one of the things that we're finding in conversations with all of our prospects and all of our customers is that segmentation in and of itself is not zero trust. You don't just segment your network and automatically become zero trust. But it is a core pillar and a foundational element of a zero-trust strategy. 

Andrew Rubin: And so for our customers, we talk to them aggressively about, make progress, go quickly, take some of the easy things, and segment them right now. In other words, do something today to reduce your risk tomorrow. You can then work more tomorrow on reducing your risk further. But don't spend a lot of time doing nothing but planning in hopes of getting to a perfect new model. The attackers are not waiting for you to get there and then saying, now we're going to see how well you did. They're going to keep coming every single day. 

Dave Bittner: I'm curious if you have insights on what an effective approach is in terms of reaching out to folks to try to convince them to adjust their mindset. You know, there's that joke about how, you know, nobody likes change. I mean, is there a way to come at this, a diplomatic process, that doesn't lead to people just sort of throwing up walls, you know, and saying, hold on there, you know, you're going too fast for me here? 

Andrew Rubin: I think it's a critically important question because you're actually highlighting something that - in cyber, certainly, but I think it's true across many facets of change. We traditionally don't embrace change as people. And especially if we have an operating model that we're comfortable in and that we've been using for a long time, it's even harder to think about doing it differently. I think some of the forcing functions are when you have these catastrophic breaches and you read about them or, you know, unfortunately, sometimes they happen to you or your organization. That obviously forces you out of your comfort zone. 

Andrew Rubin: But I do think there is a diplomatic - to use your word, a diplomatic way to get people a little more comfortable, which is prove to them that the technology that you're bringing them and the change in the operating model required to use it is actually not an enormous change and not a scary change. So in other words, show up with a playbook, not just a piece of software. Explain how that playbook could be used to segment in a day or an hour or a week and not require a three-year project to get to the first outcome. 

Andrew Rubin: And so one of the things that we focus on very heavily at Illumio is working with our customers to say, there may be a longer horizon on your zero-trust journey, but we want you to immediately start reducing risk with quick and easy wins in segmentation that could be delivered in hours or days or weeks to prove two things; one, risk really can be reduced quickly and easily, and two, that you can do it. And use that as a way to build confidence to continue further down the journey. 

Andrew Rubin: And I think that the word diplomatic, as you used in your question, is exactly right. You can't just walk in and say, this is broken, and we need you to rethink everything, and we need you to do it in one day. It's difficult enough to do this work even when you're committed to it. So when you make somebody very scared or very uncomfortable about making this change, it gets even harder. 

Andrew Rubin: We want to make it easy and comfortable. We want to give you quick wins quickly so that you actually build confidence that, yes, this is the first time in decades I'm changing my security model. But No. 1, I have to do it. No. 2, the attackers are not waiting around for me to do it. And No. 3, it's possible. And it's actually not even not scary. It's actually doable, and it's doable comfortably. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Andrew makes a very good point that the strategy of detection alone is insufficient. There are some things we're just not detecting, Dave. 
Dave Bittner: Right. Right. 

Joe Carrigan: And by the time we do detect them, it's too late. 

Dave Bittner: Yeah. 

Joe Carrigan: I like what Andrew says about zero trust and assuming a breach. It's not because we are fatalistic or because we are pessimistic. It's because we are realistic. That is one of the things I like to say when people say to me that I'm being too pessimistic. I say I'm actually not being pessimistic. I'm being realistic. I'm actually optimistic about our ability to get around this. 

Joe Carrigan: He throws out a number here - 99.9999% of the time. Five nines is what he said. And a lot of people see that and think it's sufficient. The problem is we tend to think of things being nice and evenly distributed, and we've achieved Six Sigma, right? But attackers don't attack that way. They don't think this way. And they are not Gaussian in their nature. In other words, their distribution isn't normal. 

Dave Bittner: Right. It's not evenly spread out. 

Joe Carrigan: Exactly. It's all going out towards one end. And if there is a way, they're going to find it at some point, even if it takes them 10 million attempts - right? - which is what this number represents, one out of 10 million. 

Dave Bittner: Right. 

Joe Carrigan: And a single attacker can quickly rack up 10 million attempts. 

Dave Bittner: Yeah... 

Joe Carrigan: It doesn't take long. 

Dave Bittner: ...With automation. 

Joe Carrigan: Right. 

Dave Bittner: These computers are darn fast, Joe (laughter). 

Joe Carrigan: Yeah, they are. 

Dave Bittner: And they're patient (laughter). 

Joe Carrigan: And they are patient, you know? They just - they do exactly what you tell them. 

Dave Bittner: Right. 

Joe Carrigan: Andrew is 100% correct about what he says with do something today to move closer towards zero trust or whatever improvement you're going to do. Do something today. This doesn't apply just to the cybersecurity realm, I think. I think this is a universal truth. And it is particularly useful in this realm, in our realm here. Too often, the perfect is the enemy of the good. And if your network is not segmented at all, any kind of segmentation will be an improvement. So if you can do that now, do that now. 

Dave Bittner: Right. 

Joe Carrigan: Change is scary for a lot of people - for most people, I would say. So I like his incremental approach. It's, you know, slowly getting people to move towards a safer environment. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Remember, it's a continuum, right? Security is a continuum. Just keep moving in the more secure direction. 

Dave Bittner: Yeah, a little better every day. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. All right. Well, our thanks to Andrew Rubin from Illumio for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.