Hacking Humans 10.14.21
Ep 169 | 10.14.21

Physical pen testing: You've got to be able to think on your feet.

Transcript

Marina Ciavatta: You got to be very quick. You got to be very fast to think of your opportunities and take advantage of them.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Marina Ciavatta. She is CEO at Hekate. And she's going to be sharing some of her experiences with social engineering and pen testing. 

Dave Bittner: All right, Joe. Let's jump into some stories this week. I'm going to kick things off for us. And, you know, my story last week was pretty heavy. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter) And actually, we heard from a couple listeners who were like, boy, Dave, that story was pretty heavy. 

Joe Carrigan: Yeah, that was a dark story, Dave (laughter). 

Dave Bittner: It was. It was. So I'm going to be a little lighter this week. 

Joe Carrigan: Good. 

Dave Bittner: This is a story from WIRED, written by Isidra Mencos. And it's titled "How to Get Your Family to Actually Use a Password Manager." 

Joe Carrigan: Boy, oh, boy, do I need this. 

(LAUGHTER) 

Dave Bittner: So anyone who's listened to this show more than a couple of weeks knows that you and I are both strong advocates of password managers. 

Joe Carrigan: Yes. 

Dave Bittner: And I will - actually, you are the one who convinced me to use a password manager. 

Joe Carrigan: Well, I'm glad I made a difference in your life, Dave. 

(LAUGHTER) 

Dave Bittner: That's right. When you and I met, you were already on the password manager train. 

Joe Carrigan: Yes, I was. 

Dave Bittner: And I was not yet. But now I am. And I have seen the light, and I realize how much better life is with a password manager and in many ways that I didn't expect. You know, I think like most people, I thought a password manager was basically just a locker, a little database... 

Joe Carrigan: Right. 

Dave Bittner: ...Under lock and key for your passwords. But there's much more to it than that as you... 

Joe Carrigan: Yes. 

Dave Bittner: ...And I have talked about before. We're not going to dig into all those details this time. But this article is very interesting. It covers how people will get password managers, like you and I have done, and then they decide to buy the family version of the password manager because, you know, they've seen the light and now... 

Joe Carrigan: Right. 

Dave Bittner: ...They're password manager evangelists... 

Joe Carrigan: Yup. 

Dave Bittner: ...Again, like you and I. 

Joe Carrigan: That's right. 

Dave Bittner: (Laughter) And... 

Joe Carrigan: Everybody uses the family Spotify. Why won't everybody use the family password manager (laughter)? 

Dave Bittner: Right, right. And this article points out that it's not so easy to get everybody on board. Why do you think that is, Joe? 

Joe Carrigan: It's inertia, Dave. People like the way they do it now, and they just don't see the value in the password manager. 

Dave Bittner: Right, they resist change (laughter). 

Joe Carrigan: Right, and they resist change. Exactly. 

Dave Bittner: Yeah, absolutely. So this article has a lot of helpful tips here for getting people on board with using a family password manager. I'll just highlight a few of them here that stood out to me. One of them was changing your kids' habits by sort of making them use the password manager. So in other words, walking them through getting it installed and all that sort of thing. But then when the kids come to you and they say, Dad, what's the password for Netflix? - you say, well, it's in the password manager... 

Joe Carrigan: Right. 

Dave Bittner: ...Rather than just giving it to them. So now they have to go to the password manager. They look it up in the password manager. So you're establishing that habit of... 

Joe Carrigan: Right. 

Dave Bittner: ...This is where you're going to find these things. 

Joe Carrigan: Exactly. 

Dave Bittner: Right? 

Joe Carrigan: Plus, if you have a password manager, you can have a very complex password. 

Dave Bittner: Right. 

Joe Carrigan: So you can incentivize the use of the password manager by saying, well, I could tell you, but it's actually easier for you to use the password manager. 

Dave Bittner: Yeah. One of the things they suggest here - they say have a designated task master. So have the person in your family whose job it is to lead this charge. In our family, that would be me and probably you (laughter). 

Joe Carrigan: Yes. 

Dave Bittner: So one here - consider bribery. 

Joe Carrigan: Consider bribery. 

(LAUGHTER) 

Dave Bittner: Yeah, yeah. And the author says, sit down with your teenage kids, offer 'em 20 bucks and say, I'm going to give you 20 bucks to sit with me for an hour, and we're going to update your passwords. We're going to enter logins. We're going to, you know, transfer the important things in your life. We're going to replace the bad passwords with good ones. 

Joe Carrigan: Right. 

Dave Bittner: I'm going to put them in the password manager, and we're going to go through using the password manager for login. 

Joe Carrigan: Right. 

Dave Bittner: But - and that may sound silly, but the author points out - they say, if I'm ready to fork out tens of thousands of dollars on my kids' education, why wouldn't I spend a tiny sum to help him protect his most sensitive information? 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: I think it's worth it. 

Dave Bittner: Twenty bucks (laughter). 

Joe Carrigan: I'm more of the - I don't have teenage kids anymore, but when I was a dad of teenagers, I was more of a sit-down-and-listen kind of dad, not I'm going to give you 20 bucks if you listen to this. 

Dave Bittner: Yeah? 

Joe Carrigan: It's, you're going to listen to this. 

Dave Bittner: Oh, I see. You - just because... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Because I'm your dad, that's why (laughter)? 

Joe Carrigan: Right, right. 

Dave Bittner: How's that working out for you, Joe (laughter)? 

Joe Carrigan: Well, they only use password managers, Dave. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Actually, I don't know. I think they do. 

Dave Bittner: All right. 

Joe Carrigan: (Laughter). 

Dave Bittner: Yeah, yeah. And then, you know, finally, there's a bunch of other things here. I just wanted to highlight some of the ones... 

Joe Carrigan: Sure. 

Dave Bittner: ...That caught my eye. Finally, they say, don't give up. You know, be persistent. 

Joe Carrigan: Right. 

Dave Bittner: And I think that's really important here. The basic value proposition is sound and solid, but I remember my own experience of adopting a password manager. I think for most people - and I'll count myself in this list - it takes a little while for the light bulb to go off... 

Joe Carrigan: Right. 

Dave Bittner: ...To go, oh, I get it. This is actually better. 

Joe Carrigan: Right. 

Dave Bittner: You know? It... 

Joe Carrigan: Yeah. 

Dave Bittner: Because... 

Joe Carrigan: And it's actually easier, isn't it? 

Dave Bittner: It becomes easier. 

Joe Carrigan: Right. 

Dave Bittner: It's not easier at the outset. And I think that's part of the problem here. It is work, right? 

Joe Carrigan: Yeah. 

Dave Bittner: Any transition, as you pointed out, rightfully so, people hate change. 

Joe Carrigan: Right. 

Dave Bittner: And it is a change. It requires a little bit of work to help - to get things set up. And that's where having someone to shepherd them through, to have a helping hand, that could help with that part of it - someone who already understands how it works and can show them how it works. But it is a little work at the outset, getting things done. But, like, for example, the password manager I use, it has a feature where it'll go through and basically - as you log in to places you have not logged in before, it'll say, hey, I see you're logging in somewhere we haven't been to in a while. How about we change that password? 

Joe Carrigan: Right. 

Dave Bittner: And I'll take care of it. I'll do it automatically. 

Joe Carrigan: Yeah. 

Dave Bittner: Are we good here? And - oh, yeah. OK. So that's a great way to get rid of old, dusty, crusty, reused passwords. 

Joe Carrigan: Yeah. And a lot of them will actually, on the back end, look through databases, like Troy Hunt's Have I Been Pwned database... 

Dave Bittner: Right. 

Joe Carrigan: ...And say, oh, hey, this password's already been leaked. 

Dave Bittner: Right. 

Joe Carrigan: Let's change it now. 

Dave Bittner: Right. And also, if I log in somewhere where I am reusing a password... 

Joe Carrigan: Yeah, it will... 

Dave Bittner: ...Which, thankfully, for me, is a thing of the past. 

Joe Carrigan: Right. 

Dave Bittner: But it'll say, hey, you know, you're reusing this password, knucklehead. 

Joe Carrigan: Right. 

Dave Bittner: Let's change it now. Let's take care of that. 

Joe Carrigan: Yes. 

Dave Bittner: But getting to that point does take a little bit of work. And so I understand getting over that initial hump. Once you do, you're going to be in a better place. It is easier. It's faster. It's not to say that there aren't occasional pains in the butt with using a password manager. I mean, let's - I will admit there are times when I'm in a hurry, I want to get into something. And I'm like - I have to remind myself, OK, Dave, this is for security. 

Joe Carrigan: Right (laughter). 

Dave Bittner: It's for a good reason. I got to go get my two-factor authentication. I got to get my YubiKey. I got to - you know, like, it's - every now and then, you'll get a speed bump. And sometimes, you just want to bang your head against the desk because of that. But it's all for a better purpose. It's a lot less of a hassle than having your accounts compromised would be. So - (laughter). 

Joe Carrigan: Right. 

Dave Bittner: All right. Well - so it's a good article. We'll have a link to that in the show notes. Again, it's from the folks over at Wired. It's called "How to Get Your Family to Actually Use a Password Manager." Isidra Mencos wrote that. And that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, are you familiar with the term NFT? 

Dave Bittner: I am. 

Joe Carrigan: Yes. 

Dave Bittner: I am. 

Joe Carrigan: It is something called a nonfungible token. 

Dave Bittner: Yes. 

Joe Carrigan: And these are objects that exist on some blockchain somewhere that are unique, unlike Bitcoin - right? - which is - maybe we should talk about what fungibility is first... 

Dave Bittner: OK. All right. 

Joe Carrigan: ...OK? So fungibility refers to the interchangeability of an asset, right? 

Dave Bittner: OK. 

Joe Carrigan: So if I have a dollar bill and you have a dollar bill and we switched dollar bills, neither one of us has suffered any loss or gain... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? - because dollar bills - dollars are fungible. 

Dave Bittner: OK. 

Joe Carrigan: One dollar is the same as the next dollar. 

Dave Bittner: Right. 

Joe Carrigan: So something that is nonfungible is the opposite. So if I have, like, say, the "Mona Lisa" and you have Van Gogh's "Starry Night" and we trade, now we don't have the same, right? 

Dave Bittner: Right. 

Joe Carrigan: There may be some difference in value. 

Dave Bittner: OK. 

Joe Carrigan: And I chose art because a lot of these nonfungible tokens are based on artworks and ownership of the artwork. 

Dave Bittner: Right. 

Joe Carrigan: So there are also other applications for this. The NBA has actually started selling highlights from the games, highlights from NBA games, as nonfungible tokens. And somebody actually paid $200,000 for - to own the video clip - or a video clip of LeBron James dunking a ball. 

Dave Bittner: Yeah. 

Joe Carrigan: Now, I'm sure... 

Dave Bittner: The video clip that everyone has seen. The video clip that is available online. 

Joe Carrigan: Right. Right. 

Dave Bittner: (Laughter) Right. Yeah. 

Joe Carrigan: Exactly. And how many times does LeBron James dunk the ball? 

Dave Bittner: I'm going to say it's a fairly regular occurrence (laughter). 

Joe Carrigan: Right. I'm not a basketball fan. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't get the game. I don't get its attraction. I just - I've never been a fan of basketball. 

Dave Bittner: OK. 

Joe Carrigan: But I know who LeBron James is. 

Dave Bittner: Right. 

Joe Carrigan: And I know he dunks... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? So that must mean that he does it a lot. 

Dave Bittner: Sure. 

Joe Carrigan: So I don't understand - first off, I'm having a hard time wrapping my head around the idea of nonfungible tokens. And... 

Dave Bittner: I don't think you're alone in that, by the way. 

Joe Carrigan: Right - and the value of them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...But other people are not. And it is a blockchain-based thing. And other people are actually paying money for it. But there's an article over on The Verge from Andrew Wang, talks about a customer of OpenSea. Now, OpenSea is a company that deals in nonfungible tokens. 

Dave Bittner: OK. This is OpenSea - S-E-A, like... 

Joe Carrigan: S-E-A, correct. 

Dave Bittner: OK. 

Joe Carrigan: And this guy got scammed out of all of his nonfungible tokens. 

Dave Bittner: OK. 

Joe Carrigan: What happened was he went to a Discord where - now, Discord is a chat service. I'm sure most of our listeners are familiar with it. But it's... 

Dave Bittner: Yeah. 

Joe Carrigan: It's a pretty good chat service. And he went to - into the Discord chat for OpenSea and started saying, I need support. And somebody calling themselves Pascal said, oh, well, join me over here on the OpenSea support server, right? And he gets over to the OpenSea support server. And there's another guy in there named Nate, which, by the way, is also one of the first names of somebody who works at - in leadership at OpenSea as well. 

Dave Bittner: OK. 

Joe Carrigan: So he doesn't really realize what's going on. But the support call eventually comes down to - or the "support call" with quotes around it comes down to a screen share opportunity, right? The guy lets these guys onto his computer with a screen share. And at one point in time, he exposes a QR code that represents his private key for this blockchain, right? Now, we've talked about blockchain before. Blockchain is based on two technologies. One is a hashing algorithm. And the other is public key, private key cryptography. So if you own the private keys for something, then the public key becomes your identity, and people know who you are. Even if they don't actually know you personally, they know that your address represented by the public key can only be accessed by people with the private key. 

Joe Carrigan: So the goal of these scammers is to get access to the private keys. And they got Jeff's private key displayed in a QR code on a screen-sharing session. Then it was just a matter of taking a picture of the QR code with a QR code reader. And then they had access to the private keys. And they transferred all of his nonfungible tokens out of his ownership... 

Dave Bittner: OK. 

Joe Carrigan: ...Just took them all, took everything. So this is kind of like the perfect storm of what we talk about here. Here is a new thing that's - I mean, it's not really new. I mean, it's new in historical terms, but nonfungible tokens have been around for a couple of years now. But they're just starting to catch on. 

Dave Bittner: Yeah, they're definitely hot. 

Joe Carrigan: Right, and they're hot, so this is where the scammers are going. 

Dave Bittner: Yeah. 

Joe Carrigan: And once they decide they're going to go for it, they really use tried-and-true tactics, right? They went into a Discord server. They set up another Discord server that was a fake support server. They convinced somebody that they were going to help them out by doing a screen share, and they got this person to expose the information that this person needed to expose in order to get this person - in order to get access to this person's private key. And that's the game. And I don't know that there's anything that can be done about this from this point on. 

Dave Bittner: Well, so help me understand. I mean, the fact that all this is on a blockchain... 

Joe Carrigan: Right. 

Dave Bittner: ...Doesn't that, as you said - as you alluded to earlier, I mean, there's certain - because it's immutable, there's a traceability there. Aren't these scammers - don't they have a challenge ahead of them when it comes to trying to cash this stuff out or move it on to some - like it's - 'cause it's - we can track what happens next... 

Joe Carrigan: Right. 

Dave Bittner: ...Couldn't we? 

Joe Carrigan: Yeah, that's a good point. 

Dave Bittner: I mean, we hear about these - what are they called - tumblers? The... 

Joe Carrigan: Yeah, Bitcoin tumblers. 

Dave Bittner: Yeah, Bitcoin tumblers - to try to... 

Joe Carrigan: That worked really well with fungible things. I don't know if it works with nonfungible things. 

Dave Bittner: Yeah, yeah. Yeah, it's a shame. I mean, the thing about NFTs is there's - and I don't want to be too dismissive because I know some people are really into this and... 

Joe Carrigan: Yeah. And maybe we're wrong about it. Maybe it is the next thing that blows up big. 

Dave Bittner: Maybe. I just can't help thinking about it like Beanie Babies. 

Joe Carrigan: Yeah, that's - you know, Dave, that's a great point. 

Dave Bittner: (Laughter) Right? I mean, it's something... 

Joe Carrigan: I like my tokens fungible. In fact, I like all my assets fungible. 

Dave Bittner: Yeah. 

Joe Carrigan: And Beanie Babies is a great thing - I like - I'll tell you one thing I like. I like old pachinko machines. 

Dave Bittner: Yup. 

Joe Carrigan: Right? Like, from the '70s - you know, late '60s, early '70s pachinko machines. And I buy them, and I refurbish them. But I don't do that because I think they're going to increase in value, I do that because they're going to - 'cause I'm going to enjoy them. 

Dave Bittner: Right. 

Joe Carrigan: When I'm looking for an asset, I want a fungible asset. That's just my personal preference. 

Dave Bittner: Yeah. 

Joe Carrigan: So I don't know that I'm into this whole non-fungible thing idea. I'd like - for example, art. I don't know that I would buy art. I think we could probably do an episode on the art brokers that exist today, the art market and how that works. 

Dave Bittner: Sure. 

Joe Carrigan: I think that might be a (laughter) social engineering scam itself, you know? 

Dave Bittner: Yeah. 

Joe Carrigan: I just don't see the value. Like... 

Dave Bittner: Well, I mean, it's the same sort of thing where you don't - there's no set value for these things. 

Joe Carrigan: Right. 

Dave Bittner: So in the art world, art is worth what someone's willing to pay for it. 

Joe Carrigan: Correct. 

Dave Bittner: And I've seen things where I wonder to myself, like, oh, look, somebody duct taped a banana to the wall, and someone else paid $50,000 for that piece of art or whatever. And I... 

Joe Carrigan: Right. 

Dave Bittner: I scratch my head, and I say, well, OK. I wouldn't have paid $50,000 for that, but for the person who did, who can afford it? Great. 

Joe Carrigan: Right. 

Dave Bittner: Enjoy your art. And if owning that brings you pleasure and you can afford it, more power to you, right? 

Joe Carrigan: Yeah. 

Dave Bittner: And that's art. And people are framing NFTs in the same sort of way. I guess part of what makes me leery of it is there is so much money laundering in the NFT world. It's just attracted so many money launderers. 

Joe Carrigan: Has it? 

Dave Bittner: Yeah. And I - my understanding is that the world of fine art is - similarly attracts money laundering. 

Joe Carrigan: Money laundering - that makes sense. 

Dave Bittner: Yeah. 

Joe Carrigan: That makes a lot of sense. 

Dave Bittner: So... 

Joe Carrigan: Here's one of the things I don't get about NFTs. Like, for example, one of the first things that was put - sold as an NFT was Nyan Cat, which - the original artwork for Nyan Cat, which is a GIF of a Pop-Tart kitty flying through space with a rainbow behind it. 

Dave Bittner: Right. 

Joe Carrigan: We've all seen it. 

Dave Bittner: Yeah. 

Joe Carrigan: The YouTube video is - well, it has induced me to laugh. I think it's great. You can still see the YouTube video on YouTube right now. 

Dave Bittner: Right. 

Joe Carrigan: And you can get the actual - a copy, a digital copy, a perfect replica copy of the original anywhere you look on the internet. I don't see the benefit of what owning it does. 

Dave Bittner: Yeah. Well... 

Joe Carrigan: What does that mean? You have no hope of actually enforcing a copyright on it. 

Dave Bittner: Yeah. I suppose it's - well, I suppose the people who are behind this or who support this, who are enthusiastic about this, would say that it's kind of the difference between owning the Mona Lisa and owning a print of the Mona Lisa. 

Joe Carrigan: Yeah. 

Dave Bittner: Right? The world has access to plenty of prints of the Mona Lisa - not hard to get. But if you have the actual Mona Lisa, that's something to have. And - where? - the Mona Lisa's at the Louvre, I believe. 

Joe Carrigan: Yes. 

Dave Bittner: And so what they're saying is we're putting a digital ownership on these... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Digital things. And... 

Joe Carrigan: That's the argument I've heard, too. 

Dave Bittner: And if - so if you have that, you are the owner of the Mona Lisa in digital form. 

Joe Carrigan: Right. But unlike the Mona Lisa, I can get a perfect replica of Nyan Cat. 

Dave Bittner: Right. 

Joe Carrigan: It's indistinguishable from the other one. 

Dave Bittner: And that, yes, that is... 

Joe Carrigan: From the original. 

Dave Bittner: ...A part I don't understand. 

Joe Carrigan: Right. 

Dave Bittner: But it is - presumably, the people who are buying this are doing so either from the pleasure it gives them or their belief that at some point they're going to be able to turn this around and it will increase in value. Again, back to Beanie Babies... 

Joe Carrigan: Right. 

Dave Bittner: I suspect we're going to see the bottom fall out of this. And so it's just where everybody's riding the wave and the values are going up. But I maintain - and I could be totally wrong here. 

Joe Carrigan: Yep. 

Dave Bittner: And I - and part of me hopes I am so that lots of innocent people don't lose a lot of money. 

Joe Carrigan: Yes. 

Dave Bittner: But I suspect that history has shown us that with things like Beanie Babies, with things like Pogs, with, you know... 

Joe Carrigan: Pogs (laughter). 

Dave Bittner: That people move on to the next thing. 

Joe Carrigan: Yeah. 

Dave Bittner: And my fear is that NFTs is just going to be that. It will run its course. It will be something that continues to exist. But these inflated values will be a thing of the past, and lots of people will end up having lost a lot of money. 

Joe Carrigan: As with any digital currency or digital thing, my advice is don't put money into this you can't afford to lose. There are also other scams. You know what? I think next week I'll do a story on a different kind of NFT scam. Maybe I'm going to go on an NFT kick here for a little bit, Dave... 

Dave Bittner: (Laughter) Well... 

Joe Carrigan: ...Because I think there's lots of social engineering opportunities here. And I think that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...This is going to be a big area. So this area is going to be rife with scams, and I'm going to spend some time talking about it. 

Dave Bittner: And I have no doubt. And our listeners are going to let us know the parts of this we've gotten wrong (laughter). 

Joe Carrigan: Yes, I'm sure. Oh, they love doing that (laughter). 

Dave Bittner: Yeah, yeah. And that's fine, you know? 

Joe Carrigan: And that's fine. No, we love hearing it. 

Dave Bittner: Right. 

Joe Carrigan: I don't mean to sound flippant there. 

Dave Bittner: No, no, we want to learn. 

Joe Carrigan: Right. 

Dave Bittner: And if we got something wrong, we want to know. 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: And we'll share the things that we learn along the way. So we're coming at this from - I would, you know - certainly, you and I have informed opinions when it comes to the security side of things, but neither of us are NFT experts. 

Joe Carrigan: No. 

Dave Bittner: So what about the person in this article, though? What could he have done to prevent this happening to him? 

Joe Carrigan: You know, aside from not going to the fake Discord channel, I don't know. I mean, because he didn't do this through the web page. He didn't - he went to the actual Discord channel where the scammers were there waiting for him. 

Dave Bittner: Right. 

Joe Carrigan: And one of them just said, hey, come to the support channel and we'll take care of you. And they had set up a fake support channel. 

Dave Bittner: And he revealed his key... 

Joe Carrigan: And he revealed his private keys... 

Dave Bittner: ...Thinking he was dealing with support people. 

Joe Carrigan: Yeah. Yep. 

Dave Bittner: And that was it. 

Joe Carrigan: With people impersonating OpenSea support. 

Dave Bittner: Yeah. 

Joe Carrigan: And that was the end of it. 

Dave Bittner: OK. All right. Well, we will have a link to that in the show notes, of course. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from William, who sent this one in. Dave, you're in trouble with the IRS again. 

Dave Bittner: Again? 

Joe Carrigan: Again. 

Dave Bittner: (Laughter) Oh, no. 

Joe Carrigan: Why don't you read this one? 

Dave Bittner: All right. Goes like this. 

Dave Bittner: (Reading) Attention. Good day. I'm Charles Paul Rettig, the Internal Revenue Service IRS Commissioner - Washington, D.C., United States of America. We received a report case from the Central Bank in conjunction with the International Monetary Fund, Washington, D.C., United States of America. They say you have been working and engaging yourself with scammers and importers, helping them to scam the United Nation world. However, we need you to reconfirm the below stated information for verification and confirmation reasons. And secondly, you have to get a case file so we can take down your statement also - full name, current home address, home phone number, cellphone number, valid ID card, driver's license. Nevertheless, the less, you have to provide us with the above stated information so as to enable us to proceed with our investigation. And we have only been investigating underground. And so far, we have placed a tracker on your cell phone. And we have also contacted your network provider company to provide us with number data information from day one till date. And we have also contacted your email address company to provide us with your data information from day one till date, as we have also placed a tracker on your email so we can keep monitoring all your activities from now onward. 

Joe Carrigan: (Laughter). 

Dave Bittner: (Reading) Meanwhile, kindly note that your maximum cooperation and understanding is required in this investigation so we can carry out this investigation smoothly, because any hesitation to do the needful required from you at any time will have to proceed with judgment with their report statement. And we hope you're aware that working and engaging yourself with scammers and importers is a punishable offense by the United Nation World Law of Section 9 Act of 1987. We look forward to your urgent and swift response so as to enable us to proceed with this case, as we wish you all the best in this case. Best regards - Charles Paul Rettig, Commissioner and Chief of Staff, Internal Revenue Service, Kansas City, United States of America. 

Joe Carrigan: (Laughter) This is fantastic, William. Thank you for sending this in. A couple of notes on writing better phishing emails. 

Dave Bittner: Yeah. 

Joe Carrigan: No. 1, it's Charles Rettig - R-E-T-T-I-G. 

Dave Bittner: OK. 

Joe Carrigan: Not ratting, like a ratting terrier, like a chihuahua. 

Dave Bittner: Like ratting people out. 

Joe Carrigan: Or ratting people out - right. Yeah. 

Dave Bittner: Yep. 

Joe Carrigan: For some reason, whenever I hear the term ratting, I always think of ratting dogs. 

Dave Bittner: Yeah. 

Joe Carrigan: Like dogs that hunt rats. 

Dave Bittner: Yep. 

Joe Carrigan: Mr. Rettig's office is in D.C. and not in Kansas City, like his signature says. But in the email, he actually says that he's from D.C. 

Dave Bittner: Yeah, that makes sense. 

Joe Carrigan: So a little bit of consistency would be nice. And learn how to format an American mailing address... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Because this is not how you format - you can't see it, dear listener, but it's a mess. 

Dave Bittner: Yeah. Seems like this one's been through the - like, Google Translate at least once. 

Joe Carrigan: Right, yeah. It's been through the translator. Nevertheless, the less (laughter). 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Which is a great - that is literally written in this email... 

Dave Bittner: Yeah. 

Joe Carrigan: ...As three separate words. 

Dave Bittner: All right. Well, our thanks to our listener for sending that in. We would love to hear from you. If you have something you'd like for us to share on the air, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Marina Ciavatta. She is the CEO at Hekate, and she has a lot of experience with social engineering and pen testing. Really interesting woman, and I really enjoyed my conversation with her. Here's my conversation with Marina Ciavatta. 

Marina Ciavatta: I started off as a journalist, actually. My degree - my first degree is in journalism. And I started producing content for this company back in Brazil that did a bunch of hacking and attack events and content as well. So that's how I had my first contact with hacking. And throughout the years from - you know, from a content producer, I became an events organizer. I started organizing events throughout the entire country - more than 200 events of hacking and tech around Brazil. 

Marina Ciavatta: And because of that, I also became a - what we would call there an engagement management manager or a community manager. And because of that, I had contact with a lot of people from everywhere around the country and the globe as well because, you know, I would talk to speakers and communities in Brazil and so they can organize villages and workshops and so forth. And because I had that close contact with everyone in the hacking event, although I was never technical - I'm still not technical - I've learned a lot about hacking. I've learned a lot about hacking culture - you know, what people like, the career paths they take, what interests them, what they do for entertainment, everything. They were my friends. They were my coworkers. You know, they were people that I admired. And because of that, I've heard about social engineering. A lot of years ago, in a talk, one of the speakers was talking about social engineering. I was like, oh, that sounds like hacking, but for a humanities. 

(LAUGHTER) 

Marina Ciavatta: Sounds like hacking for journalists (laughter). 

Dave Bittner: Interesting. 

Marina Ciavatta: And that's how I first heard of it. But I did not become an actual social engineer 'til - you know, under a contract, 'til a few years later. And it was with a friend of mine. We also were coworkers, and he was working on this awareness tool, like, platform software thing for a few companies. And one of the companies contacted him, and he requested a physical pen test. But he was a technical person. He was not very into, you know, the people part of hacking (laughter). 

Dave Bittner: Right. 

Marina Ciavatta: There was a reason why he was working behind a computer (laughter). And - but he came to me, and he was like, I know you're very good with people. You know, you're community organizing. You're an events organizer. You deal very well with social situations. Can you help me with this assignment? And I was like, of course. I've never heard of physical pen tests before. But that sounded absolutely fascinating when I heard. And he was like, oh, you'll be able to break into places and steal stuff and, you know, spy on what they're doing (laughter) and steal documents. 

Dave Bittner: It sounds like he was a bad influence, right? 

(LAUGHTER) 

Dave Bittner: What was that first encounter like then? What was the assignment? 

Marina Ciavatta: It was actually several assignments. Since I've never done physical pen testing before, I didn't know about scope, right? So it didn't set any limits for the client. So I had, like, 25 different missions in just one day. It was insane. I stayed there for quite a long time, but I accomplished all of the missions before what was scheduled. And the client was very happy at the end. 

Marina Ciavatta: Because the way I did it - I opened a communication channel with the client, and on that channel, I would post pictures and videos and, you know, my exact steps throughout the entire day. And I would give them choices. Like, do you want me to go through this door? Do you want me to go to the other room? And that engaged the client to a level where, at the end, they were like, oh, my God. We felt like playing video games, but with you inside our company (laughter). 

Dave Bittner: Can you give us some insights - I mean, to what degree were you able to go places you weren't supposed to go inside this organization? 

Marina Ciavatta: Oh, yes. I got into a product-launching meeting for a highly critical product that they were launching at the market. And no one even heard of it before, and they had all the schemes, all the code, all of the strategy on screen. And they were just sitting there and recorded the entire meeting. The security team was in panic, actually, when that happened because they had no idea the meeting was happening that day. And it happened in a common area. So I got footage of all that. I stole around 10 or 15 max. I got information from their contracts by having meetings with the team because they had a meeting room unattended, and I just pretended I was from the internal system that they use. And I wanted feedback on stuff. And people just kept giving me information because I had the meeting room. Security came after me, and they didn't confront me or anything. And I was sitting in the middle of the department with my laptop opened and, you know, recording everything. It was a hell of a day that day (laughter). 

Dave Bittner: Wow. To what do you attribute your great success there? I mean, was it a matter of carrying yourself with confidence? Did you have a very good backstory? Or what was the combination of things that led to you being so successful there? 

Marina Ciavatta: I got to say I am pretty good at thinking on my feet. I know a lot of social engineers will frown upon this. And I am one of those that whenever I hear someone saying this, I'm like, you should never, you know, count of your - solely on your improvising skills. That is very dangerous. You should do your homework every time you can, you know, how extensive you can. You can - you should do your OSINT. You should do your recon. You have to, you know, have a plan before you go. But the truth is, especially back in Brazil, a lot of things happen outside of your plan - a lot of things. It is extremely hard to predict your entire day inside a company back in Brazil. It's a poor country. Nothing works the way it's supposed to, you know. And you got to be able to think very quickly on your feet. 

Marina Ciavatta: And I had that because of organizing events. And we have a saying in the event production, you know, field that if anything can go wrong, it will go wrong. So you have to have, you know, all of the plans - the backup plans, the B - the ABCs of everything (laughter). And that really helped me with social engineering because whenever someone would say no, I would be very quick to just change my course to - you know, to make up a new story or to change my clothing or to steal some new uniform that I knew would get me inside somewhere or, you know, just avoid some people that I thought were suspicious. It's a huge combination of factors. But it all - you know, it all comes up to be - you got to be very quick. You got to be very fast to think of your opportunities and take advantage of them. 

Dave Bittner: Do you have any examples of times when you've gone out to do physical pen testing and things have not gone your way? 

Marina Ciavatta: Oh, yes (laughter) - a lot of them, actually. I think one of my funnest (ph) stories - one of the assignments that I had the most fun was I had to break into the director's department area thing there. It was a hall filled with the important rooms from the directors. And I could not have done it during the day because there was a bunch of people walking around there. It would be too - you know, too obvious that I was malicious in there. It was heavily guarded and all of that. And I was like, I wonder if, you know, after-hours, it's going to be easier. And it was. It was way emptier, you know, very few security guards doing their rounds. And it was way, way easier. 

Marina Ciavatta: But I had not counted on the light sensor (laughter). So as soon as I stepped in, you know, during the after-hours, during the night, I just hid myself in the closet the entire day to wait for everyone to go away. And then I came out of the closet 'cause I'd been in that client doing missions before throughout the day. And then, well, after I left the closet and went to the director's department, I stepped on it, and the lights went on. And I freaked out. I'm like, oh, my God (laughter). And I just threw myself on the ground, waited for the lights to go out, you know, waited a couple minutes to see if anyone was coming, if I set any alarms. And nothing happened. And I was like, OK. It was just the light sensor. No one's seen it. I'm on the clear. I'm just going to crawl my way through the entire department and steal everything I can. And I did just that - like, hours of crawling on the floor and hiding myself under the desks to open the cabinets around me. And at the end of that assignment, it was already almost, you know, morning. And I was just so sore. My entire body was sore 'cause I did not expect that kind of physical (laughter)... 

Dave Bittner: Wow. 

Marina Ciavatta: ...Demand - you know, the physical exercise throughout the entire night. 

Dave Bittner: I'm just imagining you, you know, crawling around on the floor and humming the theme to "Mission: Impossible" to yourself while you're doing it. 

Marina Ciavatta: (Laughter) That was the feel, yes. 

Dave Bittner: Yeah. So let me ask you this - I mean, for organizations who are trying to do a better job protecting themselves against these sorts of attacks, what are your recommendations? How do organizations come at this thing? 

Marina Ciavatta: I mean, I know this is going to sound cheesy and this is going to sound, like, whatever everyone says all the time, but just do your basic stuff, you know. Just be sure - you don't have to have people trained to combat, you know, invaders or anything like that. Just do your business. Be sure your accesses are secure, you know, people are accessing what they should be accessing, badges - you know, the visitor badges are not badging into, you know, formula labs or important meeting rooms or anything like that. Just be sure your basic accesses are very well-protected and people are well-aware of those - how they should work, what they should do, how should they behave. And don't ever let anyone, you know, do whatever they want by not obeying the basic rules like badging someone in or letting someone, you know, shoulder surf or tailgate because we do get comfortable. And we forget the basic protocols, and we do that very poorly. It's in one of those very silly mistakes that I get in. 

Marina Ciavatta: I swear, I do not - I know it sounds crazy what I do, but I don't do a lot to get into places. It's really not that much of a challenge. If you just put your mind to it and, you know, find the opportunities to explore, you're in, and you're in the most insane places ever, like secret labs and, you know, media rooms and control rooms and security rooms heavily guarded and whatnot with just knocking in the door and asking a few questions and getting in because people forget to do the basic. 

Dave Bittner: Do you think people just want to be polite, that they want to be nice and so they hesitate to say, who are you and what are you doing here? 

Marina Ciavatta: Yeah. It is - I think it's a mix between being extremely polite and not liking, you know, confrontational situations - just being lazy, actually. Because it's just going to take so much work for you to do something right. And you get used to, you know, your day to day, your routine. 

Marina Ciavatta: Sometimes you're not being lazy because you're mean or anything like that; you're just tired, and you don't understand why the protocols are important. You know, no one took the time to explain them to you. No one took the time to explain what happens if you don't do, you know, what you should be doing. So yeah, it's a mix of, you know, the laziness, the tiredness, the politeness and, just altogether, the lack of awareness. 

Dave Bittner: All right, Joe. What do you think? 

Joe Carrigan: I love hearing stories of how people get into the industry. Marina started as a journalist and then kind of got involved in physical pen testing. It's a great story. 

Dave Bittner: Yeah. 

Joe Carrigan: I love hearing it. Pen testing is an important part of any security program, and I think that should always include some element of physical pen testing. And I - with this story that she's talking about, it's amazing to me - actually, I guess I shouldn't say it's amazing to me because I feel like at this point in my career, I shouldn't be surprised by things like this. 

(LAUGHTER) 

Joe Carrigan: But she just essentially walked into a product launch meeting for a secret product. 

Dave Bittner: Right. 

Joe Carrigan: Can you imagine if that had been an adversarial person in there, you know, somebody from a competitor... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Who had just gotten in and was just sitting there going, oh, what are these guys doing? Oh, this is interesting. 

Dave Bittner: Slugworth. 

Joe Carrigan: Right, exactly - Slugworth. 

Dave Bittner: Right. 

(LAUGHTER) 

Joe Carrigan: You got me with that one. That was... 

(LAUGHTER) 

Joe Carrigan: She also managed to steal computers, like - what? - eight of them. 

Dave Bittner: Yeah. 

Joe Carrigan: And, I mean, that alone - I mean, somebody walking - that alone has value. And there were all kinds of other things she got, she - just by posing as a person taking opinions on a product that they use. 

Dave Bittner: Right. 

Joe Carrigan: Amazing. 

Dave Bittner: Yeah. 

Joe Carrigan: It's amazing how much information people will give you if you just ask for it. I agree that thinking on your feet is a key skill for this position. 

Dave Bittner: Yeah. 

Joe Carrigan: You have to be able to do it. That doesn't mean don't do your research. And I think that Marina really strikes that balance that - you know, she says, yes, you have to do your research, but that she's really good at thinking on her feet and that makes her a stronger pen tester. 

Dave Bittner: Yeah. 

Joe Carrigan: I would agree with that a hundred percent. I think that's absolutely the case. 

Dave Bittner: I was thinking, too, that - I think, you know, spending some time either observing or taking part - if this is something you're interested in... 

Joe Carrigan: Right. 

Dave Bittner: ...Taking part with your local improv comedy group... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Is something that's going to hone your skills of thinking on your feet quickly, of coming up with replies quickly. You know, that aligns with the skills required for improv comedy. 

Joe Carrigan: Do you do improv comedy, Dave? 

Dave Bittner: I have done improv comedy. 

Joe Carrigan: Is there any place around here to do improv comedy? 

Dave Bittner: Yeah, the community college has improv comedy groups. Sure. 

Joe Carrigan: OK. 

Dave Bittner: You'd be surprised, Joe. They're out there. 

Joe Carrigan: I know. 

Dave Bittner: They're out there (laughter). 

Joe Carrigan: Are they any good? (Unintelligible) I asked that. I'm sure they're great. This is something I think would be challenging to me, which is kind of why I was asking if there are improv comedy groups around here. 

Joe Carrigan: I think it's very interesting what Marina says about what people can do to protect themselves. You asked that question, and she says, just do the basics and do them well. Don't let people tailgate into your office, which is when, if you have a badged access, you badge the door open and the next person comes in without badging. 

Dave Bittner: Right. 

Joe Carrigan: Everybody has to badge in, right? 

Dave Bittner: Right. People don't want to be confrontational. 

Joe Carrigan: Right. People don't want to be confrontational, but make it OK to be confrontational. Don't let people shoulder surf. And the other thing she says is vigilance. People get tired, but you have to be vigilant against this. 

Dave Bittner: Yeah. 

Joe Carrigan: And what's remarkable to me in this entire interview is she says when she's doing a penetration test, to get in, she doesn't do a lot. She just does, like, tailgating or going into an open area and sitting down and listening while people talk about a product launch. 

Dave Bittner: Right. 

Joe Carrigan: It's fascinating. This was a great interview. I really, really enjoyed listening to Marina. 

Dave Bittner: Yeah. Yeah, me too. It was a really fun conversation. And our thanks to her for joining us. 

Dave Bittner: And we want to thank all of you for tuning in and listening to our show. Of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.