Hacking Humans 9.9.21
Ep 164 | 9.9.21

Collaboration platforms are a gateway for ransomware attacks.

Transcript

Gil Friedrich: Change always has an adjustment period where people just don't know how, you know, to protect themselves. And in that respect, we're in that adjustment period.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got interesting stories to share this week. And later in the show, my conversation with Gil Friedrich from Avanan. We're going to be talking about how collaboration platforms like Microsoft Teams, Slack and others have opened up a new gateway to ransomware attacks. 

Dave Bittner: All right, Joe, we've got some good stories this week. But before we do, you've got a little tale you want to share with us today. What do you got for us? 

Joe Carrigan: I do, Dave. I was finally targeted by something. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I'm so happy about it. 

Dave Bittner: OK. That's a dubious distinction. All right. Go on. 

Joe Carrigan: So actually, the way this scam started was I was flipping through my news feed on my Android phone. And there was an ad, a Google ad, for Yeti coolers. Now, for international people, I don't know if Yeti sells internationally, but Yeti is this - they make incredibly good coolers. These things have really low thermal transfer rates, right? 

Dave Bittner: OK. 

Joe Carrigan: They impede entropy like nobody's business. 

Dave Bittner: (Laughter) Well, you had me at entropy, Joe. Yeah (laughter). 

Joe Carrigan: Right. Well, when you see the price, however... 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: These things are not cheap... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because they're really high quality. I actually have a Yeti cup - right? - that will stay full of ice overnight. 

Dave Bittner: Oh, wow. 

Joe Carrigan: It's amazing. 

Dave Bittner: Yeah. 

Joe Carrigan: And I was looking through the ads, and this ad comes up. Buy this nice, big Yeti cooler for, like, 40 bucks. I'm like, my cup was 40 bucks. 

Dave Bittner: Oh. 

Joe Carrigan: You know, I - this seems like a scam. So sure enough, I look at it, and the link takes me to some fake Yeti store that is run by some, you know, some gobbledygook URL. 

Dave Bittner: Right. 

Joe Carrigan: And it's just sitting there on the web. And I actually got in touch with Yeti. The only way - unfortunately, the only way I could do it was through their customer portal. But they responded on a Saturday, which was amazing. And they said, hey, thanks for letting us know about this. This is not our site. You always go to yeti.com for - I know this, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: They know who they're talking to, of course. 

Dave Bittner: Right. Right. 

Joe Carrigan: (Laughter) You know who I am? 

Dave Bittner: Yeah. 

Joe Carrigan: But the customer service rep said, we'll pass this on to our brand protection team. And by Monday, that site was gone. 

Dave Bittner: Oh, wow. 

Joe Carrigan: So I don't know if Yeti had a hand in that or what, but the site is gone, and it's not out there scamming people, and the ad is probably not running anymore, either. 

Dave Bittner: And the thing that tipped you off was the prices were too good to be true. 

Joe Carrigan: The prices were way too good to be true. Exactly. 

Dave Bittner: OK. All right. Good. All right. Well, why don't we move right into your story, then? What do you have for us? 

Joe Carrigan: Dave, my story this week comes from a listener named Matt, who sent this in, actually, as a Catch of the Day. But I thought it merited more than that. I think there's a lot of information in this, and it's more than a Catch of the Day. I think it's a story. 

Dave Bittner: OK. 

Joe Carrigan: He says back in May, he started a new position as the technology coordinator at an educational cooperative, and the job requires him to commute every day. So he's been listening to our podcast, which is great, and he's going through at about 1.5 to 1.7 speed. 

Dave Bittner: (Laughter). 

Joe Carrigan: So maybe you and I should speak very slowly. So... 

Dave Bittner: You know, I'll share a quick aside with that. When I meet people in person, sometimes - if I go to a conference or something, so many people listen to this show and the CyberWire at faster than real time. 

Joe Carrigan: Right. 

Dave Bittner: When I talk to them in person, they will - it is not uncommon for me to have people say that I sound strange talking so slowly in my actual... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...Day-to-day speed. But I digress. Go on (laughter). 

Joe Carrigan: Yeah. I'm kind of a fast talker. I wonder if that makes me unintelligible at higher speeds. 

Dave Bittner: Like a chipmunk. 

Joe Carrigan: Yeah. I don't know. He says that - Matt says there are some times that he's been listening to our show when he's wondering how people could fall for things. But this morning, he was going through his email, and he came across the email below. And as soon as he read through it, he knew it was a scam. But thinking for a few minutes, he started second-guessing himself. Maybe this isn't a scam, right? But it is a scam. It's a type of phishing scam. He did a little digging and found an article about it. We'll talk about that in a minute. But here is the text of the email. 

Dave Bittner: OK. 

Joe Carrigan: It says, (reading) dear CEO, it's very urgent. Please transfer this email to your CEO. If this email affects you, we are very sorry. Please ignore this email. Thanks. And that's obviously some bad English right there because they want your attention. 

Dave Bittner: Right. 

Joe Carrigan: But then it goes on. It says, (reading) we are a network service company, which is the domain name registration center in China. We received an application from Wiwa (ph) Ltd. on August 23, 2001. They wanted to register this domain - and it's Matt's domain - as their internet keyword and the same domain .cn, .com.cn, .net.cn and .org.cn. So they wanted to register all these domain names that happened to have before them as whatever Matt's organization is. I'm not going to say it here on the air. 

Joe Carrigan: (Reading) These are all Chinese domain names. But after checking, we found that this domain conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business in China or not. Best regards, Mike Zhang. 

Joe Carrigan: So this is an email that is being sent into organizations. So let's say you and I have joeanddave.com. 

Dave Bittner: Right. 

Joe Carrigan: These guys would send an email to us going, pass this on to your CEO; someone's trying to register joeanddave.cn, joeanddave.com.cn... 

Dave Bittner: Right. 

Joe Carrigan: ...And all these other domain names. 

Dave Bittner: That would get my attention. 

Joe Carrigan: It would get your attention, wouldn't it? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But there's an article here from Hinshaw Law that talks about guarding against Chinese domain email scams. And this is what this is. So these guys are trying to essentially elicit some kind of fee out of you by sending you an email saying that somebody is going to register the domain in China as your company. 

Dave Bittner: But for the low, low price of whatever, either we'll register for it first, or we'll keep this from happening, I suppose. I'm guessing. 

Joe Carrigan: Yeah, yeah, exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's right. 

Dave Bittner: Right. Wow. OK. Yeah, that's interesting. And I - yeah, this - I mean, I would give this a second look... 

Joe Carrigan: Yeah. 

Dave Bittner: ...As our listener did. 

Joe Carrigan: Yeah. It's absolutely something that I can see people getting taken in by, especially if you're worried about, like, brand protection... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And your name, like in our earlier Yeti story anecdote that I had. Truth be known, this may not even be coming out of China, right? 

Dave Bittner: Yeah, it's possible. Sure. 

Joe Carrigan: It could be coming out of some third-party country or, you know, it could just be some other scam. But I - and I don't know where it's coming from. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, and I didn't do the research on the email headers, and Matt didn't actually send those along, so I couldn't get the opportunity to do it. But it's an interesting story. And I just wanted to pass it on to our listeners because it is a scam. And it is something that, as you and I have both said, would get our attention. 

Dave Bittner: Yeah. I dealt with something like - I mean, I dealt with the real-world version of this years ago, over a decade ago, where a previous company I was with - you know, we had the dot-com registered here in the United States. 

Joe Carrigan: Right. 

Dave Bittner: And we had a trademark on the company name and all that sort of stuff, all the stuff you do here to register your - properly register your company name. And someone in the U.K. spun up a company with the same name. 

Joe Carrigan: Really? 

Dave Bittner: And they had the .uk address. 

Joe Carrigan: Yeah, .co.uk. 

Dave Bittner: And they were in the same sort of business that we were in, which the domain name lent itself to. And it was sort of a sticky situation, where you say, well, what do I - is there anything I can do about this? 

Joe Carrigan: What was the resolution? 

Dave Bittner: Didn't do anything about it. There really wasn't - it wasn't worth - you know, they weren't coming after our customers or anything like that. You know, they were an ocean away. 

Joe Carrigan: Right. 

Dave Bittner: So mostly, it was a nuisance. 

Joe Carrigan: Yeah. But how long ago was that - decades? 

Dave Bittner: Probably about 15 years. 

Joe Carrigan: Yeah, international business is much different than it is now. Then it was... 

Dave Bittner: That's true. 

Joe Carrigan: It's changed a lot, I should say... 

Dave Bittner: Yeah, that's true. That's true. 

Joe Carrigan: ...As I stumble over my words here. 

Dave Bittner: And I - you know, I suppose the first step would have been to send them a nastygram. But what are you going to do with... 

Joe Carrigan: Yeah. 

Dave Bittner: ...An international thing like that? You know, the long arm of the law doesn't necessarily reach across the Atlantic in a case like this. 

Joe Carrigan: No, it doesn't. 

Dave Bittner: Yeah, interesting. But I guess the reason I tell that story is that, yeah, that got my attention. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

(LAUGHTER) 

Dave Bittner: And this would get my attention as well. So I think the broken English is a red flag here. 

Joe Carrigan: Although in this case, it does make sense that it would be broken English, right? Because... 

Dave Bittner: Yeah, it does. 

Joe Carrigan: ...It's under the auspices of coming from a Chinese source. 

Dave Bittner: Right. 

Joe Carrigan: So this is somebody who's - for whom there's a great chance that English is not their first language. 

Dave Bittner: Yeah, that's true. All right. Well, thanks to our listener for sending that in. That is... 

Joe Carrigan: Thank you, Matt. 

Dave Bittner: ...An interesting story here. And we'll have a link to that article that describes this scam in the show notes. 

Joe Carrigan: From Hinshaw Law. 

Dave Bittner: Yeah. My story this week comes from the folks over at Protocol. And it's an article written by Biz Carson. And it's titled "The FBI's Warning to Silicon Valley: China and Russia Are Trying to Turn Your Employees into Spies." And this is an interesting article about, you know, a risk that particularly companies in tech deal with because they have a lot of folks who work for them who are from overseas. So... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, the United States is a - as you well know, being at Hopkins... 

Joe Carrigan: Right. 

Dave Bittner: ...The United States is a destination for people from all over the world to come to get a good education. And a lot of those people stay. 

Joe Carrigan: Right. 

Dave Bittner: And they seek out jobs here, and they are - they're fine employees. 

Joe Carrigan: Right. 

Dave Bittner: And so companies - the tech companies, they are in demand because they tend to be well-educated, good workers, a good incentive to be here and all those kinds of things. 

Joe Carrigan: Additionally, we have a shortage of tech workers here in this country, and we even have a visa called the H-1B visa, which lets us bring in tech workers if we can't - from foreign soil, they can get a visa to come work for us. 

Dave Bittner: Right. So this article points out that the FBI is on top of this because they have had incidences where China, for example - and we'll just use China as our example here, but there are other nations who do this as well - they contact folks who are working here and try to influence them to become spies for their homeland. And the interesting part of the article here - they say there are four main vulnerabilities that they look out for - someone being a citizen of an autocracy - China in this case... 

Joe Carrigan: China, yeah. 

Dave Bittner: ...Doing business with one, having assets in the country or having family members or employees living or working in the autocracy. But they say that it's the family vulnerability in particular that they see exploited over and over again. 

Joe Carrigan: Right. 

Dave Bittner: And I think that's the part that really, you know, resonates with this show and our listeners - is if you can use the influence of your family members back home, boy, that is a powerful influence over people... 

Joe Carrigan: It is. Absolutely. 

Dave Bittner: ...Particularly when you're dealing with something like an autocracy where they could say, listen; if you do what we want you to do here, good things will happen for your family. 

Joe Carrigan: Right. 

Dave Bittner: And if you don't do what we want you to do... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Maybe bad things will happen to your family. 

Joe Carrigan: Right. 

Dave Bittner: They say that, you know, it's not HR's job to assume that everyone is a spy. 

Joe Carrigan: Right. 

Dave Bittner: And they're really overt here as saying that there is a hazard here. You don't want people to have anti-Chinese or anti-Russian resentment. We don't want to be looking at everyone who's from a different country and saying, oh, they're probably spies, you know? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: That doesn't do us any good either. And we don't want any prejudice against these ethnic groups just because of a fear of this. 

Joe Carrigan: Right. 

Dave Bittner: But it is something - at the same time, it is something to keep an eye on. It's a concern. It's something that the FBI is concerned about. And if you have a concern, something to alert the FBI about, if you think, perhaps, there - something that's going on, you - every organization should have things in place to protect against having data exfiltrated, for example... 

Joe Carrigan: Right. 

Dave Bittner: ...Making sure that stuff isn't going overseas. But I don't know. I guess part of the - well, the issue I'm having with this is, how do you balance the fact that this sort of thing is going on with the fact that you don't want to, out of hand, just put a target on your Chinese or Russian employees... 

Joe Carrigan: Right. 

Dave Bittner: ...Who may very well - who most likely are very up and up, good people... 

Joe Carrigan: Sure. Yeah. 

Dave Bittner: ...Who aren't spying for their countries. So do you put extra vigilance in place when it comes to those people? Or do you put broad systems for everyone? 

Joe Carrigan: I think you could put broad systems for everyone. I don't think it's right to target people... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Based on their country of origin. I mean, we actually have laws against that in this country. 

Dave Bittner: Right. 

Joe Carrigan: But I'm not an expert in employee law, so I don't know what the implications are. But there is something else that we should be aware of, and that is that these are not the only folks out there who are subjected to this kind of risk - or who manifest this kind of risk, rather. Just because they have family in an autocracy doesn't mean that somebody who was born and raised in America isn't - hasn't been compromised by another competitor or something like that. 

Dave Bittner: Right. Right. Yeah. Yeah. 

Joe Carrigan: So it's wise to have some kind of data loss prevention system or - I don't know what that would look like. But if I was going to do that, I wouldn't just do it on my employees who were citizens of these countries or who had family back in these countries. I'd be doing it for everybody because there's more than just that risk. 

Dave Bittner: Yeah. Yeah. And the FBI points out in this article, the - one of the folks from the FBI says, so much of this is not just people who steal because they want to steal technology. A very, very large chunk of it is normal human beings who do not want to steal, who are just trying to protect their families and have to steal in order to protect their families. Yeah. And that's sort of a sad truth of this, I suppose. 

Joe Carrigan: It is. It's a terribly sad truth. 

Dave Bittner: Yeah. Yeah, so interesting article. There's a lot more details to that. We'll have a link to that from Protocol. As I said, we'll have a link to that in the show notes. All right. Joe, it's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Iain. And he sent us this timely little gem. The subject line is, hello from Afghanistan. And it comes from a Gmail address. You want to go ahead and read this one? 

Dave Bittner: Sure. Attention, sir, ma. I want to bring to your attention a sensitive, confidential business proposal. My name is Saleh Mohammed, a resident of Afghanistan whose country is currently taken over by the leadership of the Taliban after President Ashraf Ghani managed to escape the rebel forces. The embattled Afghan president, Ashraf Ghani, fled the country on helicopter full of cash. You can read the details in this link. Consequently, senior customs officer discover about $30 million in cash, which was part of the money left behind at the presidential wing of the airport. And the funds have been moved diplomatically through Pakistan to the United Arab Emirates. Presently, we are looking for a reliable person who can further receive the funds before the Taliban government commences investigation on the funds. The funds are secured for now, hence our decision to further move the funds to your country through you. And for your cooperation in this venture, we will give you 15% of the total amount that will be moved through you to your country. Upon your acceptance of this proposal, further details will be given to you. Thank you. Yours sincerely, Saleh Mohammed. 

Joe Carrigan: So these guys have taken advantage of a news story where the Afghan president did flee the country in vehicles full of cash. 

Dave Bittner: Right (laughter), as you do (laughter). 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: And they're trying to - oh, look; he had so much money, he left behind $30 million. 

Dave Bittner: Right. 

Joe Carrigan: And you can get away with - what's 15? I should be able to do this math in my head. 

Dave Bittner: It's a lot. Doesn't matter, it's a lot (laughter). 

Joe Carrigan: Yeah, it's a lot of money. 

Dave Bittner: It's real money, Joe (laughter). 

Joe Carrigan: Yeah, it's more than a million dollars - or $3 million. 

Dave Bittner: Yeah. 

Joe Carrigan: It's $4.5 million, Dave. There. 

Dave Bittner: There you go. 

Joe Carrigan: I just did it in my head (laughter). 

Dave Bittner: See? That's what you get for being at Hopkins, right? Just those brainiacs rub off on you, don't they, Joe? 

Joe Carrigan: That's right. They do. 

Dave Bittner: Yeah (laughter). All right. Well, it's a good Catch of the Day. And we appreciate our listener for sending that in. We would love to... 

Joe Carrigan: Thank you, Iain. 

Dave Bittner: We would love to hear from you. If you have a Catch of the Day, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Gil Friedrich. He's from a company called Avanan. And we were discussing how some bad actors are taking advantage of some of the common messaging apps that organizations use to communicate internally to fraudulently make their way in and to do the things they want to do. Here's my conversation with Gil Friedrich. 

Gil Friedrich: We always ask ourselves the question of, you know, why now? - why this proliferation of attacks? You watch CNN or you read The New York Times, and all of a sudden cybercrime gets, you know, gets headlines, I want to say, almost every day - definitely every week - so definitely COVID-accelerated digitization. People are more vulnerable. I think people are also home - so maybe a little, you know, a little off guard. But then the key thing is, as you mentioned, it's - we just use those new platforms more. We don't know how to protect ourselves. 

Gil Friedrich: Email's still a huge problem. But I think people have their email training, etc. But Teams, you know, it was just introduced to enterprise. And the question of how to protect it is still very, very new. So I think that's part of - the change always has an adjustment period, where people just don't know how, you know, to protect themselves. And in that respect, we're in that adjustment period. 

Dave Bittner: How much of this is - you know, when you think about the platforms, like Microsoft Teams, like Slack, you know, some of these collaboration tools, I think for a lot of folks, they think to themselves, well, this is something that was provided to me by my work. So it must have been vetted. It must be secure. There must be things that are going on behind the scenes that make sure that - they're to keep me out of trouble. Do you think that's part of the mindset that's problematic here? 

Gil Friedrich: I think it's part of it. There's an assumption that unlike email, where anyone on the planet can send an email to any one of your employees, those platforms are a little more closed. So it's by invite. Even if it's outside of your organization, you know, there's some previous, you know, vetting of whoever can communicate with your team. So people put more trust in it. 

Gil Friedrich: And then we really see that with behavior of users. There's also an assumption that it's not actually monitored by the organization. So I think employees know that their employer, you know, archives, tracks every email they send. They behave in Teams as if they're, you know, chatting on WhatsApp with their friends - very loose, sending anything, even sensitive information, trusting anything, assuming there is no attack on it. So that's part of it. There's that assumption and the lack of education that, hey, you know, this might be phishing or might be similar to phishing, you know, from email. Don't trust everything you read. 

Dave Bittner: What are you and your colleagues seeing in terms of people taking advantage of these platforms? How are the bad actors getting into them and doing the things they want to do? 

Gil Friedrich: So most commonly - and this is because when you think about Microsoft 365, it's when it comes to all their apps - the initial break-in will be done through email, and then the spreading will be done through another platform. It could be Teams. It could be OneDrive or SharePoint. And by doing this, you know, hackers are able to bypass everything done for email security, but they're also able to propagate through a platform that just has more trust by the recipient. 

Dave Bittner: Yeah. That's interesting. 

Gil Friedrich: Yeah. So come in via email and then spread in Teams - that's something we see pretty commonly done by hackers. 

Dave Bittner: Yeah. It's sort of a - I don't know - a vulnerability that I hadn't really considered. I mean, it makes total sense that, you know, if you're using so many of these different tools within the platform, and it's all - the keys to all of them come through your email address, that's a - that could be a pretty broad spectrum of vulnerability - be it - whether it's Microsoft Teams - I mean, I suspect you have the same thing over on the Google side. 

Gil Friedrich: True. Yeah. It could be Google Drive for sure. We have statistics that, I think, about 3% of links to Google Drive in organizations were actually malicious. So, you know, just by itself, the fact it's a link to a Google Drive by itself was an indicator for our AI to say, something's phishing here - you know, pay attention. 

Dave Bittner: So what are your recommendations for folks to protect themselves against this? Is it the standard digital-hygiene type things, or are there any specific things people should have awareness of? 

Gil Friedrich: Excellent question - so I think, always in these attacks, at a high level, there are - you know, there are two layers to think about. One of them is, you know, the platform, the machines, whatever you can do automatically. And the other one is the human. And I think the very first step for organization is to acknowledge that, you know, they open the line of communication. 

Gil Friedrich: They need to spend some time answering the question of, you know, what's a threat? What kind of configuration am I going to allow? Am I going to allow, you know, just internal organization communication? Or am I going to open with the outside, etc? Once they figure out the configuration that is right to them, you know, then comes the question of, what tools am I going to use? Am I going to use something that's going to scan and make sure there's no malware, there's no phishing links, there's no account takeover, etc? And at the same time, am I going to train my users? The - we used the cartoon a while back where it was basically someone on the phone saying, what? - we email these to you, I'll get fired. Let me Slack it to you. So to - you know, to basically... 

Dave Bittner: (Laughter). 

Gil Friedrich: ...It's almost always enough to tell the employee, listen, you know, this is an enterprise environment. We're monitoring this. And for better or worse, if you see something, say something - those kind of things that just tell them, you know, it's not the Wild West. You need to protect yourself. And we'll help you. But you, the user, you're also a layer of security here. 

Dave Bittner: Yeah - that the users bear a sense of responsibility the same way that if they - you know, that they have to - I don't know - keep strangers from walking in the front door of the building, right? 

Gil Friedrich: Exactly - and they are well aware that, you know, not every link is a link and not every email that looks like it came from the CFO is the CFO. They just need that level of awareness when it comes to other lines of communication. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Very interesting stuff, Dave - COVID definitely accelerated our movement to these other messaging apps. But it was going to happen eventually. We were going to be - you know, I was already actually into Slack. And we already had Teams set up. Although I hadn't used them nearly as much as I have here. And actually, what I've used the most is Zoom, not really Slack. I think my Slack usage is probably around the same. I'm not really a big fan of Slack. You know, maybe it's just because I haven't been using it as much as I like. 

Dave Bittner: Yeah. 

Joe Carrigan: But I'm just not a big fan. I'd rather talk to somebody than sit there and type to them. 

Dave Bittner: Yeah. 

Joe Carrigan: There is a change with an adjustment period. But we've had a lot of changes in such a short time. And I think that's really a big part of the issue, right? Like, we were going - you know, if we were going to be more organic in our changing, it would have been slower. You know, we would have gone from a rollout from one - from just email to Slack maybe over a couple of years. But no, we didn't do that. We went into that new environment in like a month, right? 

Dave Bittner: Right. 

Joe Carrigan: And I think that that is a big part of the issue. So these platforms, we tend to think of them as a little more closed. And there is this assumption of security. So a phishing email that harvests credentials - and those credentials are then used to access, let's say, Teams - because Gil was exactly right. If I can break into somebody's Microsoft 365 account, I don't have access to just their email. I have access to all their files. I have access to their Teams accounts. So I can send messages as them. Once you're in there, you're in there. 

Joe Carrigan: But there's still the assumption of security - right? - still the assumption that this person is the real person I'm talking to - because, like he said, it is - everybody assumes it's vetted. It all starts with an email that can be sent by anybody. This is why email still stinks, right? It's the only service in the world where anybody can send you something. 

Dave Bittner: (Laughter). 

Joe Carrigan: I think it's interesting that 3% of the Google Drive links are malicious. That was - I think that's stunning. That's a lot. I mean, if 3% of the files... 

Dave Bittner: Yeah. 

Joe Carrigan: ...On your computer were malicious, you'd be terrified. And he talks about two layers, the tech and the people. And he really views users as a layer of security. And that's great. I think that's a good way to look at it. You know... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I often say, if I was CISO or, you know, security awareness whatever person in a company, that would be the first thing I'd tell everybody is, you know, you're all part of my security team now. If you see something... 

Dave Bittner: Right. 

Joe Carrigan: ...Say something. And I expect that you guys are going to notice these things when they come in. I'm also expecting that sometimes you're going to fall for it. And that's OK. Just, you know, don't be afraid. Don't be embarrassed. Let's just get it fixed. 

Dave Bittner: Yeah. You know, not long after Gil and I had this conversation, I noticed on our own Slack channel at the CyberWire, one of my colleagues popped up with a second identification, like a different version of the same person than I was used to seeing. And I - and it caught my attention. And I reached out to this person on their original (laughter) account - private message - and said, I just want to check to make sure this is you, you know? And the person responded and said, yes, yes, that was me. I - you know, I accidentally logged in using a different device and so on and so forth. It was just a - it was an error on my part. But - and thank you for checking. 

Joe Carrigan: Right. 

Dave Bittner: Right? So, I mean, I don't mean to toot my own horn here or anything. But having had the conversation with Gil, I think, put me in that frame of mind to be extra vigilant about this sort of thing. And I'm glad I was. It turned out to be nothing. 

Joe Carrigan: Right. 

Dave Bittner: But it was better that I asked than not. So I would say to everybody out there - it's that old if you see something, say something thing, right? 

Joe Carrigan: That's right. And that's why we do... 

Dave Bittner: Yeah. 

Joe Carrigan: ...This podcast, isn't it, Dave? 

Dave Bittner: (Laughter) That's right. All right. Well, our thanks to Gil Friedrich from Avanan for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. And we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.