Hacking Humans 11.4.21
Ep 172 | 11.4.21

Cybersecurity awareness should be a year-round activity.


Jessica Barker: Cybersecurity doesn't just happen in one month. It shouldn't dictate that this is the time and the only time that we address cybersecurity awareness.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault returns with an interview with Dr. Jessica Barker from Cygenta about how every month should be Cyber Awareness Month. 

Dave Bittner: All right, Joe, let's jump into some stories this week. Why don't you start things off for us? 

Joe Carrigan: Dave, I know this is not a technical podcast, but I do want to talk about something technical today. 

Dave Bittner: All right. 

Joe Carrigan: It's not really too terribly technical, so don't turn it off yet, listeners. 


Dave Bittner: OK. 

Joe Carrigan: So I want to talk about something called password spraying. 

Dave Bittner: Yeah. 

Joe Carrigan: All right? What is password spraying? Well, it's very similar to a credential stuffing attack. In fact, it's almost the exact same thing. And according to the one Stack Exchange post I read about this (laughter), the difference is... 

Dave Bittner: Which makes you an expert. 

Joe Carrigan: Right, which makes me an expert. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: The difference is a pedantic one. Credential stuffing uses known username and password combinations, and password spraying is more of a brute force guessing attack. 

Dave Bittner: OK. 

Joe Carrigan: But they're both the same thing. They're trying credentials on systems to see if you can get in. 

Dave Bittner: OK. 

Joe Carrigan: Right? Here's why it works and why it's easy for an attacker to do it. It's important to understand that a lot of these systems, particularly web-based systems, are what we call stateless. And what that means is each time you click on a webpage or click on a link or load a webpage, that is a new connection to the web server. And the web server has to verify your identity by some previously provided information. Typically it's stored in a cookie. This is why we actually have cookies... 

Dave Bittner: OK. 

Joe Carrigan: ...So that you can maintain state across multiple connections. 

Dave Bittner: OK. 

Joe Carrigan: And if you think about the workflow for logging in to a web application... 

Dave Bittner: Right. 

Joe Carrigan: ...Let's say even something as simple as Gmail... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? - you are presented with a form that usually asks you for your username and password. 

Dave Bittner: Right. 

Joe Carrigan: And you fill those in, and then you click a button that says log in, and that actually causes your browser to take that data and send it to the server in a new connection. 

Dave Bittner: OK. 

Joe Carrigan: Right? That's the workflow. 

Dave Bittner: Right. 

Joe Carrigan: Because that happens exactly as I just explained, I don't even need to load the first page if I'm a malicious actor. I just need to submit the data to the form - of the form to the response page, to the action page of that form, right? Those are actually two separate pages, and it happens over two separate connections. That makes it, for an attacker, really easy to script these kind of attacks and find valid logins based on the response from the server. 

Joe Carrigan: A lot of people don't tend to think of these kind of attacks as social engineering attacks, but I do because it relies on the bad behaviors of humans. It may be more aptly described as a security awareness problem. But again, I think the difference is like the difference between credential stuffing and password spraying, right? 

Dave Bittner: Yeah. And far be it from you, Joe, to be pedantic about something. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: Sometimes I am pedantic about things, but, you know, sometimes I'm also frustrated with the... 

Dave Bittner: Right. 

Joe Carrigan: ...Different terms we have in this field. 

Dave Bittner: Right, right. It's bad when other people do it. 

Joe Carrigan: Right, exactly. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: That's the way I feel about it, Dave. 

Dave Bittner: Sure. I understand. Yeah. 

Joe Carrigan: So there's an interesting article over on ZDNet written by Liam Tung. And it talks about some information out of Microsoft DaRT. That's their detection and response team. That's why it's DaRT. But it's probably just easier to say DaRT. And it's cool because it's an acronym. They're warning of an uptick in password spraying attacks, and they've observed an emerging Iranian hacking group or malicious actor, some state-sponsored actor out of Iran that is using spraying - password spraying attacks against Israeli and U.S. critical infrastructure in the Persian Gulf. 

Joe Carrigan: Now, there are some other interesting things in this article. Microsoft estimates that more than one-third of account compromises come from password spraying attacks, which is remarkable to me that one-third of these attacks - and I don't know if this is a combination of password spraying and credential stuffing. I would imagine that it is. 

Dave Bittner: Yeah. 

Joe Carrigan: But one-third of these compromises are from just guessing weak passwords or from finding reused passwords. 

Dave Bittner: Right, and we hear about them using dictionary attacks, where they're just throwing, you know, every word in the dictionary at a... 

Joe Carrigan: Right. 

Dave Bittner: ...As an attempt to log in because people use weak passwords. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: Humans are not very good at generating passwords that are actually hard to guess. 

Dave Bittner: Right. 

Joe Carrigan: They're easy to remember. That means they're easy to guess. 

Dave Bittner: Right. 

Joe Carrigan: Microsoft estimates that these attacks have about a 1% success rate. 

Dave Bittner: Which sounds low, but... 

Joe Carrigan: But it is not low. 

Dave Bittner: Volume, volume, volume (laughter). 

Joe Carrigan: It is remarkably high. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? It's like if you're making a penny on every dollar that goes to the bank, you're making a lot of money, right? 

Dave Bittner: Right. 

Joe Carrigan: These kind of attacks are out there. And Microsoft is recommending, of course, their password protection service to avoid bad passwords, which is a great recommendation. But there are other solutions as well. Any password manager will have password-monitoring services that will say, hey, this password's been in a breach; let's change it. 

Dave Bittner: Yeah. And it'll say, hey, we notice you're reusing this password all over the place. Stop it, knucklehead. 

Joe Carrigan: Right. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: Now, earlier I was talking about submitting the forms. 

Dave Bittner: Right. 

Joe Carrigan: And these - it seems like these malicious actors could do this all day. But there's a very old solution to protect accounts against this on the development side of the house. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's if I see somebody - we've all experienced this, right? 

Dave Bittner: Yeah. 

Joe Carrigan: If I see somebody try to log in five times in a row and they don't get it right, I'm going to assume this is some kind of brute force hack and I'm going to lock their account. 

Dave Bittner: Yes. And I'll say for everyone who has ever not been sure what the password was for an account and it says you have three more tries, it is a source of anxiety and stress. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: By the way, a source of anxiety and stress that is immediately eliminated upon your implementation of a password manager. 

Dave Bittner: (Laughter) OK. Right. 

Joe Carrigan: So do that. 

Dave Bittner: Yeah. 

Joe Carrigan: But these guys are being a little more - a little smart about this, right? They're not trying one username with a bunch of different passwords. They're picking one password and trying a bunch of different usernames to get around this account lockout feature... 

Dave Bittner: Oh. 

Joe Carrigan: ...Which I think is pretty clever. 

Dave Bittner: Turn the thing around. 

Joe Carrigan: That's right. 

Dave Bittner: Turn it on its head. 

Joe Carrigan: That's right. 

Dave Bittner: That is clever. 

Joe Carrigan: So this story is - on ZDNet is about a state-sponsored group, but these actors are out there everywhere doing this kind of stuff. This is a typical tactic that malicious actors use, along with phishing and credential harvesting. 

Joe Carrigan: You know, these phishing - these credential stuffing attacks and these password spraying attacks, everybody is susceptible to these things. They can be done to anybody. They don't even have to know who you are, right? They could just guess at your username and maybe they'll get it right. So if you have an OG username, this is going to be one of the best attacks they're going to use against you. 

Joe Carrigan: Two things you can do to protect yourself, and I say this a lot - multifactor authentication, No. 1. 

Dave Bittner: Right, yeah. 

Joe Carrigan: This - multifactor authentication essentially nullifies a password spraying attack. 

Dave Bittner: Right. 

Joe Carrigan: It can't be automated, and - or it's very difficult to automate it. But it takes more time. And if it's with a hardware key, it's almost impossible to get around that. 

Dave Bittner: Yeah. And if nothing else, they're going to move on to the lower-hanging fruit than you. 

Joe Carrigan: Right, exactly. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: And the other thing - I've already said this - use a password manager and use the features. 

Dave Bittner: Yeah. 

Joe Carrigan: Those are your best bets. 

Dave Bittner: Yeah. 

Joe Carrigan: Multifactor authentication and a password manager will mitigate 99.999% of this threat. 

Dave Bittner: Yeah, absolutely. All right, interesting stuff. That's some cool stuff in that story. Again, we'll have a link to that in the show notes. 

Dave Bittner: My story this week comes from CyberScoop. This is a story by AJ Vicens, and it's titled "Scammers Are Emailing Waves of Unsolicited QR Codes, Aiming to Steal Microsoft Users' Passwords." 

Joe Carrigan: (Laughter). 

Dave Bittner: Now, Joe, do you ever - did you ever make use of QR codes? 

Joe Carrigan: You know, I giggled because just the other night, I was - my son and I were in the car, and there's a - over here by Howard Community College, there is a sign in the ground that just has a QR code on it. 

Dave Bittner: That's it? 

Joe Carrigan: That's it. Just a QR code. 

Dave Bittner: (Laughter) You feeling lucky? 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: And my son looks at that and goes, should I scan it? - you know, 'cause he knows he's doing it. And I say, well, if you have the Trend Micro QR code verifier - which is an app I have on my phone. There might be other ones out there, but Trend Micro makes this available for free. 

Dave Bittner: Right. 

Joe Carrigan: You can scan it and see if it's malicious or not. 

Dave Bittner: Right. Detonate it in a sandbox. 

Joe Carrigan: Right. 

Dave Bittner: Yeah, OK. 

Joe Carrigan: But I didn't because I was driving, and I didn't want to whip out my phone and do it. But I don't - I always verify them with my app. 

Dave Bittner: Yeah. Well, that's smart. That's smart, for sure. 

Joe Carrigan: Yep. 

Dave Bittner: And, you know, I think we've seen, as this article points out, there's been an increase in the adoption of QR codes, largely due to the pandemic. Like, I was at a restaurant recently, and they had - the QR codes for the menu they had laser etched into the table. 

Joe Carrigan: OK, that's good. 

Dave Bittner: Yeah, it was burned into the table, (laughter) right? So there you go. And you see them all - like, I see them at gas stations all the time. 

Joe Carrigan: Right. 

Dave Bittner: You know, scan here to download our app. 

Joe Carrigan: Still use your QR code verifier for that because it's very easy just to stick a malicious sticker over top of that. 

Dave Bittner: Right. Right. Absolutely. 

Dave Bittner: So this CyberScoop story talks about a campaign that was uncovered by the email security company Abnormal - good name for a company. And what this group is trying to do - they're using QR codes. And, of course, there has to be a clever name for this. So they either call it QRishing or qishing. 

Joe Carrigan: (Sighing). 

Dave Bittner: I know, right (laughter)? 

Joe Carrigan: No. OK. 

Dave Bittner: I mean, we love our security and awareness companies. We love our security awareness companies. Knock it off. 

Joe Carrigan: We do. We do. 

Dave Bittner: (Laughter) So what happens is you will get an email with a QR code in it. 

Joe Carrigan: Right. 

Dave Bittner: And below the QR code, it instructs the victim to scan the QR code in order to listen to an encrypted voicemail. So that's the lure. 

Joe Carrigan: That's a good hook. 

Dave Bittner: Yeah. So then that leads you... 

Joe Carrigan: Or a good lure, rather. I'm sorry. 

Dave Bittner: Yeah. That leads you to a fake Microsoft landing page... 

Joe Carrigan: Right. 

Dave Bittner: ...Where they prompt you to enter your email and password in order to play the encrypted voicemail. 

Joe Carrigan: Right. So this is a credential harvesting attack. 

Dave Bittner: Yes. 

Joe Carrigan: But it could be used for just about anything else. 

Dave Bittner: Could be. Could be. Yeah. But what's interesting about this is, as the folks at Abnormal point out, this campaign is a little clunky. So let's walk through this. I mean, you get an email, presumably on your desktop machine. 

Joe Carrigan: Right. 

Dave Bittner: Then you're supposed to use the camera on your phone to scan the QR code. 

Joe Carrigan: Right. 

Dave Bittner: Which then takes you to the fake Microsoft page to log in with your credentials. Like, there's a lot of moving parts here. I wonder what their success rate is. I mean, obviously they're, you know, they're doing it. 

Joe Carrigan: Right. 

Dave Bittner: So it must be working to a certain degree. But it doesn't seem to be the slickest operators. 

Joe Carrigan: Well, this is the first time we've heard about this, right? 

Dave Bittner: Yes, yes. 

Joe Carrigan: So maybe it is a new attack. Maybe it will be short lived. I don't know. I kind of think this will work. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, because I want - you want to listen to a voicemail. You normally do that on your phone. 

Dave Bittner: Right. 

Joe Carrigan: So maybe it does work. I don't know. I would imagine, like the Nigerian prince scam, this will catch a small percentage of the people, but that's the goal. That's always the goal. Just like I said with my phishing or credential spraying, password spraying attacks, a 1% success rate is a remarkably high success rate and a good one. 

Dave Bittner: Yeah, yeah. And I think you're right. I mean, this does - that lure of an encrypted voicemail - that could be compelling. 

Joe Carrigan: Right. 

Dave Bittner: What does it say? Who is it? You know, why is someone sending me an encrypted voicemail? There's something - something is just different enough... 

Joe Carrigan: Right. 

Dave Bittner: ...That it can disarm your defenses. 

Joe Carrigan: Yup. 

Dave Bittner: Yeah. Yeah. All right, well, that, again, is from the folks over at CyberScoop, and we will have a link to that in the show notes. As Joe rightfully points out, if you're interested in a QR code, get an app that can read it in a safe way off of your device and see what it is. But even so, I mean, if it asks you - if the QR code triggers some sort of login... 

Joe Carrigan: Right. 

Dave Bittner: ...That's another red flag. 

Joe Carrigan: Yes, it is. 

Dave Bittner: It should not trigger you to log in to Microsoft or Google or any of your accounts. 

Joe Carrigan: Yeah. Anything that looks like a harvesting page - or a login page, rather... 

Dave Bittner: Right. 

Joe Carrigan: ...Any time that happens, any time you receive an email and you click on a link or you - we always say don't do that, but sometimes that's going to happen - or you follow a QR code, as soon as you're asked to log in, that should be, like, red flags. 

Dave Bittner: Yeah. Yeah, absolutely. 

Joe Carrigan: There is an opportunity here to take my credentials from me. 

Dave Bittner: Yup, yup. All right, well, we will have a link to that story in the show notes, of course. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Wyatt (ph), who writes, hello, Dave and Joe. 

Joe Carrigan: You always get top billing, Dave. 

Dave Bittner: Well, what are you going to do? 

Joe Carrigan: Well, you are podcast royalty. I will agree with that. 

Dave Bittner: (Laughter). 

Joe Carrigan: What am I going to do? Nothing. I'm not going to do that. In fact, I'm going to say, you know what? You probably deserve top billing in the show. 


Joe Carrigan: (Reading) I'm a big fan of the show. I recently came across this one in my inbox, and I couldn't help but share it with you. Enjoy. 

Joe Carrigan: This - the title of this email is Donation from Mr. Warren E. Buffett, billionaire investor. And it has a very big red bar across the top of it that says... 

Dave Bittner: Yeah. 

Joe Carrigan: ...From - this is from Gmail. It says, this message seems dangerous. 


Dave Bittner: You think (laughter)? 

Joe Carrigan: So why don't you read this message for us? 

Dave Bittner: All right. It goes like this. 

Dave Bittner: (Reading) Dear email owner, my name is Warren E. Buffett, an American business magnate, investor and philanthropist and the most successful investor in the world. I believe strongly in giving while living. I had one idea that never changed in my mind - that you should use your wealth to help people - and I have decided to give 1,500,000 United dollars to randomly selected individuals worldwide. On receipt of this email, you should count yourself as the lucky individual. Your email address was chosen online while searching at random. Kindly get back to me at your earliest convenience before I travel to Japan for my treatment. 

Dave Bittner: What? 

Joe Carrigan: What? I have no idea what that means. 

Dave Bittner: OK. 

Dave Bittner: (Reading) So I know your email address is valid, email me here. Thank you for accepting our offer. We are, indeed, grateful. You can Google my name for more information, Warren Buffett, or you can visit my website, wikipedia.org/wiki/Warren_Buffett. God bless you. Best regard, Mr. Warren E. Buffett, billionaire investor. 

Joe Carrigan: I am Warren E. Buffett, billionaire. I own a mansion and a yacht. 

Dave Bittner: (Laughter) I wonder if it says that on his business card. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Just says, Warren Buffett, billionaire investor. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: You know, if I ever reach that point, Joe... 

Joe Carrigan: Right. 

Dave Bittner: ...I'm going to have business cards made that say just that. 


Joe Carrigan: Dave Bittner, billionaire. 

Dave Bittner: Billionaire. 


Dave Bittner: Right. You obviously don't know who I am. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Permit me to give this to you. 

Dave Bittner: Right, exactly. All right. 

Joe Carrigan: This is fantastic. So many question marks in here and, like, where they don't belong. United dollars - obviously not Warren Buffett. 

Dave Bittner: (Laughter). 

Joe Carrigan: Warren Buffett doesn't give money away to individuals. He gives charitably and generously, I should add... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...To organizations like the Gates Foundation. 

Dave Bittner: Right, right. Isn't he one of the billionaires who's on board with that plan to try to give away most of his money before he dies? 

Joe Carrigan: Yeah. Yeah, he's one of those... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...One of those guys. I don't know what that means, what that entails... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or how much I trust it, but. 

Dave Bittner: (Laughter) Well, at least he's doing something. 

Joe Carrigan: Right. 

Dave Bittner: He's not lighting cigars with $100 bills all day. 

Joe Carrigan: No. He's definitely on board - and he's given away a lot of money. So... 

Dave Bittner: Yeah. 

Joe Carrigan: So this is why it makes sense, because Warren Buffett has given away billions of dollars. 

Dave Bittner: Right, right. All right. Well, another good one. And our thanks to our listener, Wyatt, for sending that in. 

Dave Bittner: We would love to hear from you. If you have a Catch of the Day for us, you can send it to us. Send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it is always a treat when Carole Theriault joins us. 

Joe Carrigan: It is, indeed. 

Dave Bittner: And this week, that treat is extra sweet because Carole is joined by Jessica Barker, who I had the pleasure of interviewing over on the CyberWire before. So here are Carole Theriault and Dr. Jessica Barker. 

Carole Theriault: So I'm here with Jessica Barker. She is co-founder of Cygenta, a company based in the U.K. She is author of "Confident Cyber Security," a book about how to get a career in the industry. And she's co-founder of "Cybersecurity ABCs." Welcome, Jessica. 

Jessica Barker: Hi. It's great to be here. 

Carole Theriault: Thank you for coming here and talking to me about October being National Cybersecurity Awareness Month. 

Jessica Barker: My pleasure. 

Carole Theriault: So as a profesh (ph) in the industry, do you think that the Cyber Awareness Month is a good idea, like, to have a dedicated month to cybersecurity? 

Jessica Barker: That is such a good question. And I was actually talking to a client about that yesterday because they had planned a few activities for Cybersecurity Awareness Month, and due to circumstances outside of their control, they couldn't go ahead with them, or not in the way that they intended. And I said to them, you know, it is great to have a month dedicated to cybersecurity awareness, and I love seeing how organizations do more and more around it every year. It's a great theme to galvanize people. 

Jessica Barker: But at the same time, cybersecurity doesn't just happen in one month, you know? 

Carole Theriault: Yeah. 

Jessica Barker: It's a constant thing. And if talking about cybersecurity, for whatever reason, in October doesn't work for a particular organization, then you've got to do what's right for you. It shouldn't dictate that this is the time and the only time that we address cybersecurity awareness. 

Carole Theriault: If you could choose any month of the year, do you think October is a good month? Or if they had asked you - they said, Jessica, choose whatever month you want; any one of them can be Cybersecurity Month, would you have chosen October? Would you have gone somewhere else? 

Jessica Barker: Ooh, I might've actually gone just a little bit further and gone for November because it's such a big issue in terms of online shopping, in terms of the lead-up, for many people, to the festive period and Christmas. So actually, for a lot of the organizations we work with, that's when we really focus on cybersecurity in the personal life because people may be buying gifts, they may be, you know, getting things like gadgets and video game consoles and all sorts of things, things for the home now that are connected. So actually, we find around that festive period can be a bit of a tricky time for people. So actually, that can be a great time to talk about cybersecurity. 

Carole Theriault: Yeah, totally agree because everyone's going out and trying to - kids want gadgets. Parents are buying them, grandparents are buying them and not necessarily thinking about security at all. 

Jessica Barker: Yeah. 

Carole Theriault: I saw a stat recently that said 90% of Americans are concerned about cyberattacks, such as ransomware, ID theft, the whole lot. Does that surprise you - 9 out of 10 people? 

Jessica Barker: That sounds about right. I - and I would be interested to know what the stat was or would've been even just five years ago 'cause I think people are a lot more concerned about it now. 

Jessica Barker: My concern of that is, are people concerned in, like, a healthy way in that they're taking more interest, they're doing more, they're being a bit more proactive about security behaviors online? Or are people concerned in, like, a worried way? 'Cause I never want people to be worried about cybersecurity. I never want people to be scared about cybersecurity. Are people - healthy worry - concerned, checking that they're being as secure as they can be, or are people feeling actually a little bit afraid, and then that can lead to... 

Carole Theriault: Yeah. 

Jessica Barker: ...A whole host of more negative behaviors? 

Carole Theriault: Yeah, and you can see how it would happen, right? Because a journalist needs eyeballs in order to say, great, I'm doing a good job, so often, the titles and the first paragraphs will be quite explosive. Not all these articles have advice for people on what to do. 

Jessica Barker: Yeah. And sometimes it can be, you know, using a lot of technical jargon or, as you say, kind of scare mongering a little bit. And it's classic social engineering, right? We see the cybercriminals doing it, too. 

Carole Theriault: OK, so now we're - here we are, October, National Cybersecurity Month. People are worried, and they are getting this onslaught of tech terms and things that they need to worry about. And I am convinced that the average computer user understands 20% of that stuff. And same as that - you know, medical terms. I don't understand all the medical terms. I understand probably 20%. 

Carole Theriault: I don't know why our industry tends to try and use all these new terms, coin new terms all the time. What are the ones that people can - should really be focused on right now to try and, you know, do a bit better job of looking after their data? 

Jessica Barker: So my No. 1 rule when I talk to people - and I'm doing a lot of awareness raising this month. The main thing that I'm talking about is social engineering, particularly phishing, so when we are manipulated into giving over information or clicking links or downloading attachments. And so the No. 1 thing I say to people is if you receive a communication - it can be an email, a text, social media, WhatsApp, whatever it is - if it's unexpected, if it makes you feel something and if it asks you to do something, that's a big red flag that it may be social engineering. 

Jessica Barker: So that's when you need to slow down and, you know, read it out loud to someone else. Take a pause. Check it through. Maybe check with the supposed sender. Did they really send it? Because that combination of factors can be a sign that it is, say, phishing. Not all phishing will use emotion, but the phishing messages that do, we are more susceptible to clicking on that link or downloading that attachment. So look for that combination of unexpected, emotive and asking you to do something. 

Carole Theriault: That's really good advice. OK, what else? 

Jessica Barker: So I then have three top categories that I ask people to really consider. No. 1, protect your accounts. By that, I mean look at your passwords, how you manage your passwords. For example, I use a password manager, generates secure passwords for me. I don't have to think about it. I know they're all unique and strong. And multifactor authentication, so your accounts are not just relying on passwords. So No. 1, protect your accounts. 

Jessica Barker: No. 2, protect your devices. Make sure you lock your screens and you do your updates. 

Jessica Barker: And No. 3, protect your information. Be wary on social media of what you're clicking on and the information you're sharing. And doing that, plus being wary of social engineering, that will take care of, like, 95% of the threats out there. 

Carole Theriault: What are your views on using your faceprint or your thumbprint to get into your devices? Are you cool with that, or do you think it should be a passcode for the average user? 

Jessica Barker: So I think it can be - it can be really helpful for a lot of people, and I think it can be better than some of the other - you know, when we see people using, like, 1234 or not having a PIN set up, I think it's much, much better. And it can also be really good for when we are traveling, moving around more. Someone can be shoulder surfing, see what PIN you put in and swipe your phone - a lot harder for them to do if you're using biometrics. So they certainly have their place, and we shouldn't overlook the convenience. And if we can make security a bit easier for people, then more power to it. 

Carole Theriault: So in other words, better to use your faceprint or a thumbprint than nothing. Definitely. 

Jessica Barker: Exactly. Absolutely. 

Carole Theriault: I hope you guys listen to Jessica Barker 'cause she's a very, very smart lady, a co-founder of Cygenta and author of "Confident Cyber Security" and co-author of "Cybersecurity ABCs." Thank you for joining us, Jessica. 

Jessica Barker: Such a pleasure. Thank you. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: We are recording this in October. 

Dave Bittner: Yeah. 

Joe Carrigan: And that is Cybersecurity Awareness Month. But I think cybersecurity awareness needs to happen year-round, Dave. 

Dave Bittner: Yeah. 


Dave Bittner: Not just a month. 

Joe Carrigan: Right, not just a month. And Jessica makes a great point. Maybe we should be doing this in November because there's huge timing coming up. In fact, next month, I'm sure you and I are going to have a story about some fake retailer that is scamming people out of hundreds of dollars selling fake toys or counterfeit goods or something. 

Dave Bittner: Yeah, yeah. 'Cause the holidays, sure. Yeah. Yup, yup. 

Joe Carrigan: Right, 'cause those are coming up. 

Dave Bittner: Yeah. 

Joe Carrigan: Interesting that Dr. Barker talks about how 90% of people are concerned about cyberattacks, yet we hear stories - like a couple months ago, we had a story about Twitter's metrics on multifactor authentication, where that was below 10%. It's something very simple to implement that would really go a long way towards mitigating your risk. 

Dave Bittner: Yeah. 

Joe Carrigan: Jessica makes a good point about not being overly concerned, right? Don't be paralyzed by the fear. Take an action, like enabling multifactor authentication or getting a password manager. 

Dave Bittner: Right. 

Joe Carrigan: Do something about it. 

Dave Bittner: Right. 

Joe Carrigan: Carole and Jessica have a great discussion around jargon, and we've been talking - we talked about this early on with the - what was it, qishing? 

Dave Bittner: Yeah, yeah, yeah, yeah. 

Joe Carrigan: QRishing - can you even say that? 

Dave Bittner: Yeah, there's qishing, there's smishing - yeah. 

Joe Carrigan: Password spraying versus credential stuffing - it doesn't - this kind of stuff gets under my skin. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And what's even worse is when we start talking about acronyms - right? - like TTPs or IOCs, indicators of compromise. I think IOC is a good one. Indicator of compromise is a good one. But, you know, when we start getting beyond this thing, we start - it's almost - I think it has a real tendency in this community to be exclusionary. 

Dave Bittner: Yeah, I agree. 

Joe Carrigan: And I think that's bad. 

Dave Bittner: Yeah. 

Joe Carrigan: This industry really loves buzzwords, and I think we need to do something about that. I just think that needs to change. 

Dave Bittner: Yeah. 

Joe Carrigan: I absolutely love Jessica's explanation of what constitutes any kind of social engineering attack. This is one of the most concise definitions I've ever heard. It's got three points, and it applies to any communication that comes in. The first point is this communication is unexpected, right? Any email message, anything that comes in that you're not expecting - that should be observation point No. 1. 

Joe Carrigan: No. 2, it causes any emotional response, whether you get angry, whether you get sad, whether you get scared. 

Joe Carrigan: And No. 3, if it has a call to action to ask you to do something. 

Dave Bittner: Right. 

Joe Carrigan: These three things together are key indicators. You look for - you see that, you need to do exactly as she says. Step back. Go read the message to somebody else. Think about it. Don't act. That's a great piece of advice and a great summary of what a social engineering attack looks like. 

Dave Bittner: Yeah. 

Joe Carrigan: Protect your accounts, protect your devices and protect your information. Those are the three key things to look out for as well. That's essentially all your exposure on the network, on the internet. 

Dave Bittner: Yeah, absolutely. All right. Well, again, our thanks to Carole Theriault for bringing that story to us. And thanks to Dr. Jessica Barker for joining us as well. That was a real treat. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.