Hacking Humans 12.2.21
Ep 174 | 12.2.21

Do you really want that device to be a connected device?


Jay Radcliffe: It has become so inexpensive to add connectivity to devices. So for a couple of dollars, we can add a Bluetooth or a wireless module to any kind of device, and then magically, it's on the internet.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault returns with an interview with Jay Radcliffe from Thermo Fisher Scientific. He's sharing his advice and security concerns with smart devices, with the holiday gift season right around the corner. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we've got a little bit of follow-up here. 

Joe Carrigan: OK. 

Dave Bittner: Why don't I just go ahead and read this? This is from a listener named John (ph). He says, hi, guys. As a longtime listener to the show, I've come to trust your advice. 

Dave Bittner: Well, thank you, John. It's very nice of you. 

Dave Bittner: I'm especially keen to hear your views on 2FA, two-factor authentication. I know you like Yubi, but that's just another device to carry around. And since we always seem to have our phones, I'm wondering about these. The Google Authenticator app, which seems to be the most popular, has some flaws from what I can see. First, it is installed on your phone, which means that if you lose your phone, you've lost access to all your one-time passwords. There's now the ability to export, so you can move to a new phone. This works well. It generates a QR code that appears to have the seeds to generate all the codes. But does the QR code have time limitations? Can I export this QR code, print it out and keep it in a safe? 

Dave Bittner: You want to just chime in here, Joe? 

Joe Carrigan: Yeah, I will chime in on that one. Yeah, I don't know specifically, but I would imagine that this is not time-specific... 

Dave Bittner: I don't think it is, no. 

Joe Carrigan: ...Because of the nature of how this works. When you generate a pseudo-random number, it will generate the same sequence every single time for a given seed. This is one of the first things that you learn when you start investigating random numbers in a computer science program - is you have to... 

Dave Bittner: (Laughter) Take your word for it (laughter). 

Joe Carrigan: You have to seed the random number generator properly. And most random number generators by default will use the timestamp as a seed, right? So somehow, Google or whoever is showing you this code - they've picked some kind of seed that's a random number so that when you are pulling your random numbers based on the time, then you have a distinct list of random numbers. So, no, this should work, regardless of when you save it. It should always be the case. 

Dave Bittner: Yeah. OK, well, John goes on. He says, second, there's no authentication to get into the authenticator app. 

Joe Carrigan: Ah, that's a good one. 

Dave Bittner: It doesn't require a password or fingerprint to open. So if the phone gets lost and subsequently compromised - he says not a huge challenge for Android, at least - the one-time password app is accessible. I've heard of other OTP applications, such as Authy, that sync across secure clouds. But this relies on text messages or emails to allow new devices to sync with the original, which may expose them via SMS hijacking or SIM swapping. I'm not sure whether there is a multidevice application other than Yubi that resolves these issues and would be interested to know your thoughts. 

Joe Carrigan: I don't know about the vulnerability via SMS message on - using something like Authy. I do know that Microsoft and their authenticator application will let you enable the fingerprint reader on an Android device, so you can secure it that way. 

Dave Bittner: Yeah. 

Joe Carrigan: Mine is secured that way. I don't know if you can do that with Google's. Let me check. 

Dave Bittner: Yeah, there's - last week, I believe, we talked about how the built-in password manager in iOS is capable of handling this and syncing it to your iCloud account. Now, John seems to indicate he's an Android user. So that's probably not going to be helpful to him. 

Joe Carrigan: Right. 

Dave Bittner: I know, for example, LastPass, the password manager - they have their own authentication, their own version of the authenticator app. As you pointed out last week, Joe, this is - the authenticator is an open-source protocol. 

Joe Carrigan: Right. 

Dave Bittner: And LastPass can make use of that as well. And they sync theirs to your cloud LastPass account. 

Joe Carrigan: Right. 

Dave Bittner: So again, if you lose your device, you're fine... 

Joe Carrigan: You still have access to your seeds because they're stored up in the cloud. 

Dave Bittner: Yeah, exactly. 

Joe Carrigan: Yep. 

Dave Bittner: I think the thing about a phone being compromised is interesting. I think, you know, you got a password on your phone. You have to have the phone. In addition to that, they have to have your username, your password, your phone... 

Joe Carrigan: Right. 

Dave Bittner: ...Your password to your phone. Your (laughter)... 

Joe Carrigan: Yeah. 

Dave Bittner: So I - you know, I think it's a valid point. But I think in terms of how many layers of factors you go down here... 

Joe Carrigan: Right. 

Dave Bittner: ...I suspect someone's going to have to be highly motivated to get through all of that stuff. So... 

Joe Carrigan: Yeah. The biggest risk here is that you lose your phone or your device becomes unavailable, and you've lost the seeds, kind of like you were talking about a couple of episodes ago with your Discord seed. 

Dave Bittner: Right. 

Joe Carrigan: That is an awful situation, an awful situation. So you need to back these codes up somehow. 

Dave Bittner: Yeah. 

Joe Carrigan: Either run that export or store them in the cloud. 

Dave Bittner: Yeah, yeah. Do both. 

Joe Carrigan: Or do both. That's right. 

Dave Bittner: (Laughter) Yeah. So, John, I think there are options here certainly worth exploring. Like I said, some of the password managers will handle this - as Joe said, you know, it seems like - I don't know - pretty much every cloud provider has some version of this. Google does. Microsoft does. Apple does. So I think there's options out there to get you what you want. All right, well, John, thank you for writing in. 

Dave Bittner: Of course, we would love to hear from you. If you have a question for us, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right. Let's jump into our stories here. Joe, why don't you start things off for us? 

Joe Carrigan: Dave, I want to talk about the Robinhood breach. You remember that one. It only happened early November, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: On November 3, some bad guys got into the Robinhood system and accessed the email addresses of 5 million users. 

Dave Bittner: And just real quick, Robinhood is... 

Joe Carrigan: Robinhood is a - that's - excellent question, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: I should tell everybody what Robinhood is. 

Dave Bittner: It's not the Disney movie. 

Joe Carrigan: No, it's a trading platform that's app-based. 

Dave Bittner: OK. 

Joe Carrigan: So you can open an account on your app. And you can send them money. And then you can buy stocks. I think they do fractional shares. They're good for small investors, nonprofessional investors, people like you and me, Dave. 

Dave Bittner: OK. 

Joe Carrigan: I don't have a Robinhood account... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Cause I don't like using my phone for that kind of stuff. 

Dave Bittner: OK. 

Joe Carrigan: But I am always interested in watching stocks, and I do a lot of that. It's fun. 

Dave Bittner: OK. 

Joe Carrigan: So they've taken off recently, right? They've become very popular. Of course, because they're a financial app that handles real money for real people, they have attracted the attention of malicious actors... 

Dave Bittner: Oh. 

Joe Carrigan: ...As any financial institution will. And on November 3, malicious actors gained access to their systems. They got in via this - a very similar way to the Twitter hack from last year. They called in to customer service, and they essentially socially engineered their way into the system. All right. So there's that social engineering angle here. 

Joe Carrigan: So my recommendation to Robinhood is do what Twitter did now. Do that now. Go look at that blog post we talked about on the CyberWire... 

Dave Bittner: Twitter, with the multifactor, yeah. 

Joe Carrigan: ...With the multifactor authentication. 

Dave Bittner: Right. 

Joe Carrigan: Send out YubiKeys or some other security key to everybody that works in your customer service organization. Make multifactor the default way and the only way for people to get in. And there's a great set of instructions over - on how to do that over on Twitter. Take a look at that. 

Dave Bittner: Yeah. 

Joe Carrigan: If you're not already doing that - you may already be doing that. 

Dave Bittner: Sure. 

Joe Carrigan: Once they got breached, the bad guys started demanding ransom from them, right? They - without encrypting anything, they just started demanding money. And that's when Robinhood did what they should have done immediately - and good on them for doing this. They called Mandiant and engaged them immediately to respond to the breach - so very good. 

Joe Carrigan: Here's what they said these guys got or had access to. They accessed 5 million email addresses, the full names of a different group of about 2 million users, further contact information of about 310 users and more extensive information about 10 users. Now, Robinhood is quick to point out that no Social Security numbers were breached and no account numbers were breached. 

Joe Carrigan: But, Dave, if you were a bad guy and I offered you one of these four data sets, which one would you take - the 5 million emails, the 2 million full names, the 310 sets of more complete information or the one - or the 10 mostly complete information? Which one would you take? 

Dave Bittner: Oh. Well, I have to say, Monty, this is a tough choice (laughter). 

Joe Carrigan: Is it going to be door No. 1, door No. 2, door No. 3 or the ever-rare door No. 4? 

Dave Bittner: I think I would probably go for the 10 extensive sets because those are probably the most valuable. I think 5 million email addresses are a dime a dozen. You and I could probably just get 5 million email addresses with a Google search, right? 

Joe Carrigan: Right. Right. 

Dave Bittner: So... 

Joe Carrigan: But I was wondering what you were going to pick here because my choice is the 5 million email addresses. 

Dave Bittner: OK. 

Joe Carrigan: Right? Because like you said, you and I can go out and get lists of email addresses anywhere. 

Dave Bittner: Right. 

Joe Carrigan: So what am I going to do? I'm going to take one of these other email addresses and cross-reference to those 5 million emails that I got from Robinhood... 

Dave Bittner: Yeah. 

Joe Carrigan: ...With other sets to see if I can find, like, names and phone numbers and things. 

Dave Bittner: OK. 

Joe Carrigan: Right? Then I'm going to build a list of potential - or people I know - not potential, but actual Robinhood customers. This is the threat model for everybody that has a Robinhood account and was - had their email breached, OK? So that's what I'm going through. 

Dave Bittner: OK. 

Joe Carrigan: So this is what bad guys are going to do. They're going to cross-reference your name with - your email address with other breaches. Your email essentially is a unique identifier for you. By design, it has to be, right? 

Dave Bittner: Right. 

Joe Carrigan: That's why a lot of websites are using these as logins now because there's no chance of a login collision, right? Once I have the email and the phone number and the name, I'm going to start making phishing attempts. And I'm going to start making phone calls into these people. I will bet that that 5 million email list will yield more money than the 10 full - almost full sets of information. 

Dave Bittner: Seems like a lot of work, though, Joe (laughter). 

Joe Carrigan: Well, here's the thing, Dave. I got programming skills - mad programming skills. 

Dave Bittner: OK. Well... 

Joe Carrigan: I can write a couple of Python scripts that go through these datasets and spit out everything I need in a matter of minutes. 

Dave Bittner: The advantage is yours (laughter). 

Joe Carrigan: Right. 

Dave Bittner: Whereas I will simply use my guile and gift of the gab to call those 10 people (laughter). 

Joe Carrigan: You're going to charm the money out of them, right? 

Dave Bittner: Yes, exactly. Exactly. Or just scare it out of them (laughter). 

Joe Carrigan: Right. Now, that's a good one, too. 

Dave Bittner: That's - it's interesting that you and I chose the opposite ends of the spectrum here. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. OK. 

Joe Carrigan: So... 

Dave Bittner: But I think your case is compelling. 

Joe Carrigan: Yeah. So there are a couple of things on here. One security person said, go out and change your password right now, which is probably good because they may have gotten access to password hashes. We don't know. 

Dave Bittner: Yeah. Couldn't hurt. 

Joe Carrigan: It couldn't hurt to change your password, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Enable multifactor authentication on your Robinhood account if it's not enabled already. I'm not sure what kind of - I'm not a Robinhood user. I don't know what their workflow looks like. 

Dave Bittner: Yeah. You'd think if they're handling money, they must have multifactor. And if they don't, find someone else (laughter). 

Joe Carrigan: Right. Yeah. Time to close your Robinhood account and move your money somewhere else. 

Dave Bittner: Right. Right. 

Joe Carrigan: Right. Erich Kron from our sponsor KnowBe4 is quoted in this article. And he said bad actors behind these attacks are often highly skilled and very convincing when they get a potential victim on the line. Unfortunately, technology is not as good at stopping these attacks, so the best defense against these attempts is to educate the people and train employees. 

Joe Carrigan: So - and this applies also to the people who've had their information stolen. That's because they're going to send you emails and text messages and phone calls that say they're coming from Robinhood. And that's how they're going to attack you. Alicia Townsend, who is a technology evangelist - I want to get that job, Dave. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: Just go around evangelizing technology. 

Dave Bittner: Yeah, you'd be good at that. 

Joe Carrigan: I think I would. 

Dave Bittner: Yeah. 

Joe Carrigan: She works at OneLogin. She says cybersecurity education needs to occur more than once a year, and she likes it to be in the form of self-based online training. And it needs to be spread throughout the year, which is true. 

Dave Bittner: Yeah. 

Joe Carrigan: Absolutely true. The more frequently you put this in front of users and customers and employees, the better off you are. 

Dave Bittner: All right. Well, certainly word to the wise there. It's an interesting story. And yeah, again, I'm just fascinated that you and I came at it from different points of view. 

Joe Carrigan: Right. 

Dave Bittner: But I think - and neither of us went for the middle (laughter). 

Joe Carrigan: Yeah. 

Dave Bittner: We went for the extremes. 

Joe Carrigan: Yeah, actually, I think the list of names is fairly innocuous... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because there's - that is not a unique identifier for somebody, right? The 310 and the 10 more complete, most complete... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Are very damaging. But I think the value here lies in the volume. 

Dave Bittner: OK. 

Joe Carrigan: That's my opinion. 

Dave Bittner: Yeah. All right. Well, we will have a link to that in the show notes. 

Dave Bittner: My story this week - actually, this came to me by way of LinkedIn, but it's actually from a blog written by a gentleman who goes by the name The Hatless Elder. And he subtitles his blog, Open Source Intelligence for Everyone. And this is an article he wrote. It's titled "LinkedIn Fakes - A Wolf in Business Casual Clothing." I love it (laughter). 

Joe Carrigan: OK, I'm listening already. 

Dave Bittner: So this gentleman was perusing LinkedIn and the invites that we all get on LinkedIn. If you're ever on LinkedIn, you probably get invites practically every day. 

Joe Carrigan: Right. 

Dave Bittner: I know I do. 

Joe Carrigan: I do. 

Dave Bittner: And what he noticed was that a lot of the invites he was getting were very similar to one another. They all had a smiling, youngish woman's face - a professional woman, you know, probably in her 30s or something like that. 

Joe Carrigan: Right. 

Dave Bittner: But fairly generic - nothing unusual about them. Backgrounds were generic wide shots of different cities around the world. And the invitations were always pretty similar. And based on this person's experience, The Hatless Elder's experience, he started suspecting that these images were artificially generated. 

Joe Carrigan: Aha. 

Dave Bittner: Right? So... 

Joe Carrigan: That's funny that you say this story because yesterday I got an invite from somebody that had the similar profile here, you know, the same kind of thing. 

Dave Bittner: Yeah. 

Joe Carrigan: They didn't have a background, but their image looked like it came directly off of This Person Does Not Exist. 

Dave Bittner: OK. Yeah. 

Joe Carrigan: I thought it looked like that. But I submitted it to an analyzer and it said, maybe not. So I don't know. 

Dave Bittner: Yeah. Well, this person points out that these photos can be hard to spot. Sometimes things stand out, like hair will look funny, teeth will look funny. But most of the time, and certainly if you're just breezing through, you know, if you have half a dozen requests and you're not analyzing the photos, it's - they're good enough that it's easy to just... 

Joe Carrigan: Yep. 

Dave Bittner: ...Say, oh, that looks like a real person. 

Joe Carrigan: Click accept and move on. 

Dave Bittner: Yeah. And like you were saying, there are these online sources that just generate these - as many as you want. 

Joe Carrigan: Right. 

Dave Bittner: They'll make them (laughter). 

Joe Carrigan: Right. If you go to thispersondoesnotexist.com and just keep hitting refresh, you'll get a new face every single time. 

Dave Bittner: Right. Right. So the thing that this guy noticed was - he said, many of these have a short bio section talking about who they are. And he noticed that a few of them have lazily repeated each other. 

Joe Carrigan: Oh. 

Dave Bittner: So he took that bio and he used some of his Google abilities... 

Joe Carrigan: Right. 

Dave Bittner: He searched on LinkedIn for the phrase, I've had an interesting career with several wonderful companies, but being a world-class HR consultant and practitioner has always been my passion. Came up with 95 people who had... 

Joe Carrigan: Who have that exact same... 

Dave Bittner: ...That exact same description. Right? 

Joe Carrigan: You smell that, Dave? 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: That's a bunch of bots (laughter). 

Dave Bittner: Right. Right. So he tried a few more. There's one that's - I've made a name for herself as an - I've made a name for herself. It's what it says. I made a name for herself as an international HR and staffing consultant. There's another one. I am a consummate networker, thinker, traveler. And there's one that says, changing the world through providing quality jobs to people in developing economies. Again, these came up with hundreds of matches... 

Joe Carrigan: Wow. 

Dave Bittner: ...For the exact same descriptions. Now, he speculates what this could be for - that this is really just a first step of getting into someone's organization - right? - just lowering your defenses. You know, they could - once they get you to agree to connect with them on LinkedIn, they could reach out and say, hey, I've got a job here. Just open this PDF... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, enable macros... 

Joe Carrigan: Sure. 

Dave Bittner: ...Or, you know, you're being underpaid where you are. You're underappreciated. You know, let's connect and talk about job opportunities. 

Joe Carrigan: Right. First thing to do is say, I found this great job opportunity. The salary ranges from this to this, right? 

Dave Bittner: Right. Right. So he doesn't go into any specifics about, you know, following through and seeing exactly what these people are up to. None of them followed up with him in that way. But it seems like they're certainly laying the groundwork for something like this. And as you mentioned, Joe, there's - I think there's no question here that these are generated by bots. And it's a shame that if it was this easy for The Hatless Elder to find these duplicates just using Google, why hasn't LinkedIn? 

Joe Carrigan: That's an excellent question, Dave. I was wondering if LinkedIn has read this article or commented on it. 

Dave Bittner: Yeah. Yeah. I mean, it's not hard (laughter). 

Joe Carrigan: You're right. This is pretty easy. This guy just did a little bit of Google dorking. And - bang - this is what he gets. 

Dave Bittner: Right. 

Joe Carrigan: All this threat intelligence on these guys. 

Dave Bittner: Yeah. This blog post also has some nice links to some tools and things that he uses in his - you know, techniques he uses for his Google dorking and some of these databases that generate these images. So if you're into those sorts of things, it's an interesting read, and you could come away with some nice tips and techniques for trying to suss these sorts of things out. 

Joe Carrigan: In this article, does he have a link to a tool that will identify a generated image, a synthetic image? 

Dave Bittner: Yeah. So he references an online website called sensity.ai. And if you go there, that's a service that - they do identity verification for onboarding. So basically, they're looking for these artificial types of images. 

Joe Carrigan: Right. 

Dave Bittner: So they can help you suss that out. So but before we wrap this up, Joe, I mean, you know, when you're looking through your LinkedIn requests, how do we protect ourselves against this sort of thing? What are the red flags here? 

Joe Carrigan: Well, they're getting fewer and far between, aren't they? 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, you can do what The Hatless Elder did here and notice a trend maybe. But if you don't notice the trend, you don't have a mind for pattern recognition, maybe not. Everybody wants to build their LinkedIn network. And I have close to a thousand connections on there. I'm sure some of them are fake. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So, I mean, I really don't see a real risk here until these accounts start interacting with you. Be mindful of what you put on LinkedIn or any other social media. You might want to adopt the policy of - if I haven't worked with you or haven't met you in person, then I don't accept your LinkedIn connection. That would be OK as well. 

Dave Bittner: Yeah. 

Joe Carrigan: For people in our position, that's not really possible because we're so world famous, Dave. 

Dave Bittner: (Laughter) That's right. We're world famous in podcasting. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Yeah. I would say, too, if someone reaches out to you on LinkedIn in a position like this, an HR person or a hiring person, a recruiter, don't just trust their existence to LinkedIn. 

Joe Carrigan: Right. 

Dave Bittner: Do your due diligence. 

Joe Carrigan: Yeah, search around. 

Dave Bittner: Yeah. And even then, you know, just because they show up on a website somewhere else, that doesn't mean necessarily that they're real. So look for some credentials. See if they know someone you know. And, you know, just check around. Just make sure. 

Joe Carrigan: Yeah. 

Dave Bittner: It's a shame it's come to this. But... 

Joe Carrigan: Right. But it has (laughter). 

Dave Bittner: ...Not all these people are real. Yeah. All right. Well, we will have a link to that blog post. Again, it's from The Hatless Elder. And I think it's an interesting one worth checking out. 

Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from a listener named Michael (ph), who was trying to sell his car. It starts off with a text message and then moves on to email. So why don't you - I've put it all in the script here. Why don't you read the parts that say Dave? 

Dave Bittner: OK. 

Joe Carrigan: And the first thing is a text message allegedly coming from this person's spouse. 

Dave Bittner: All right. My husband like to know if your vehicle still available for sale. If yes, please email him on this email address with last price. 

Joe Carrigan: Yes, the Impreza is still for sale. It's listed for $11,250 - negotiable. If you'd like to inspect it, please let me know, and I can arrange a time. Thank you. Mike. 

Dave Bittner: Thanks for the response. I would have loved to call you directly, but due to the nature of my work - I work with the Australian Army Corps. Ooh. 


Dave Bittner: (Imitating Australian accent) We do not have access to phones at the moment... 

Joe Carrigan: (Laughter). 

Dave Bittner: (Imitating Australian accent) ...Which is why we contacted you with an internet messaging facility. I'm buying this for my first son, who just graduated the top of his class at Aviation University. I want it to be the perfect graduation gift for him, and I'm making a surprise package. Does it have any history I should be aware of? And why are you selling it, if you don't mind my asking? 

Dave Bittner: (Imitating Australian accent) I don't mind asking - adding an extra $200 for you just to take down the posting. I'm already in talks with freighters that'll handle the pickup and delivery. I will really appreciate it if you could email more information. 

Dave Bittner: (Imitating Australian accent) Due to the nature of my work, I'm a very busy man working all day. I'm an operating officer. I'm presently onboard. I don't have access to my bank accounts online, as I'm not with my credit card details. But here I have my ANZ Bank account linked up with my PayPal account, so I'll be paying you through that account to your nominated bank account, or better still, if you has a PayPal account, please get back to me with your BSB and account details or PayPal account so I can proceed with the payment and contact the courier agent who will come to pick it up and deliver it in NT for my son. Await your reply. 

Joe Carrigan: Now, Michael is already wise to the scam. So he goes, thanks for your email. And Michael is, I assume, also Australian. But I'm not going to attempt the accent. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm no Dave Bittner, ladies and gentlemen. 

Dave Bittner: Count your blessings. 


Joe Carrigan: Right. He says, thank you for your email. I'm sure you must be proud of your son to want to buy him a car. Congratulations to him on his hard work. This car is in great condition and has no issues to be worried about. I think your son would be very happy. May I ask what his name is? I appreciate you are a busy man, and I would like to help you, so I am happy to take the advertisement down. However, I'm selling the car to pay for surgery for my auntie. I need as much as I can get. She really needs breast augmentation due to a horrible jet ski accident. 

Dave Bittner: (Laughter). 

Joe Carrigan: Would you be willing to give me an additional $750 to take the ad down? If you can make a PayPal transaction by tomorrow morning, I'll be able to put down the deposit for the surgery tomorrow. It would mean a great deal to our family and change her life. Please let me know as soon as possible so we can sort out payment and the car immediately. Thanks, Michael. 

Dave Bittner: (Imitating Australian accent) Thank you. I appreciate your honesty with detailed explanation with regards to your words on the item status. Just to let you know, I am keen and interested in buying the item. I will make the payment now once you get back to me with your bank details. And I believe I will not be disappointed from buying this from you. Now kindly get back to me with your bank details so that I can send you the payment through my PayPal account into your bank account, and we can schedule a pickup time and date for the pickup - your full name, account number, BSB, phone number and price. 

Joe Carrigan: (Laughter) So this is not how PayPal works, right (laughter)? You don't send somebody else your bank - that's kind of the purpose of PayPal... 

Dave Bittner: Right. 

Joe Carrigan: ...Is to be the middleman to send money without me having to give you my banking details, right? So Michael replies, of course, I'm happy to help find a way to make it work. Would it be possible to make payment using Woolworth's gift cards? 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't want the money to go through the bank. I'm worried if my cousin knows that I have the money in my account, he'll poison my cats. I've been breeding and showing them for years. Last time, he broke my nose and kicked two of my cats. 

Dave Bittner: Aww. 

Joe Carrigan: I'm sure you understand. 

Joe Carrigan: Who kicks cats? 

Dave Bittner: I... 

Joe Carrigan: A fictitious cousin does. 

Dave Bittner: (Laughter). 

Joe Carrigan: So those are fictitious kits - kicks, probably on fictitious cats. 

Dave Bittner: (Laughter) Right. Yeah. 

Joe Carrigan: So don't worry. No cats were harmed in the making of this email. 

Joe Carrigan: The price of the car is 11,250, plus an extra 750 for taking the advertisement down. I know the gift cards can be up to $500, so you'll need 24 of them. You can buy them online and send them to me via email. As soon as you email me the gift card numbers, I'll let you know where the pickup location is. Hope you have a good evening. Thanks again, Michael. 

Dave Bittner: OK, this is brilliant. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: I just have to say, Michael, hats off to you for... 

Joe Carrigan: (Laughter) Right - well done. 

Dave Bittner: ...Turning the tables and using gift cards (laughter). 

Joe Carrigan: For Woolworth's. 

Dave Bittner: Right. 

Joe Carrigan: Are they still around? They're not around anymore. 

Dave Bittner: I believe they are still a thing in Australia. 

Joe Carrigan: Oh, really? 

Dave Bittner: Yep. Yeah. 

Joe Carrigan: OK. 

Dave Bittner: Pretty sure, pretty sure - yep. Yeah. In fact - yeah, pretty sure. So, yeah, this is great to turn it around on the scammer. And I suppose this is probably the last that the scammer heard... 

Joe Carrigan: Yeah, that's the end of the chain. 

Dave Bittner: ...Last they heard from them. 

Joe Carrigan: (Laughter). 

Dave Bittner: Right. The jig was up. 

Joe Carrigan: Right. 

Dave Bittner: Yeah, yeah. All right. Well, that's a fun one. And thanks to Michael for sending that in. 

Dave Bittner: Again, we would love to hear from you. You can send your Catch of the Day candidates to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it is always a pleasure to have Carole Theriault return to the show, and this week is no exception. She interviewed Jay Radcliffe. He is from Thermo Fisher Scientific. And he is sharing his unique advice from his position in the industry about smart devices, especially with the holidays coming up. Here's Carole Theriault speaking with Jay Radcliffe. 

Carole Theriault: So today we chat with Jay Radcliffe. Now, he currently is working with Thermo Fisher Scientific, but he has worked with a number of different companies in the past. So first, Jay, welcome to the show. 

Jay Radcliffe: Well, thank you for having me. 

Carole Theriault: Tell me about Thermo Fisher Scientific. 

Jay Radcliffe: I currently work at Thermo Fisher Scientific in product security research and testing. So my job is to make sure that the products that Thermo Fisher sells are safe to use on the internet and safe to connect to networks. And Thermo Fisher produces a lot of devices for the scientific community. Particularly, right now we are very focused on the COVID-19 testing and vaccination products. So we produce a lot of equipment that people use to produce vaccines and to do all of the testing that people need throughout the world. 

Carole Theriault: You've been involved with medical devices for a while. You've made your name with insulin pumps. 

Jay Radcliffe: That is correct. I'm a Type 1 diabetic. And I always say that I'm very fortunate to have access to a lot of different types of equipment to kind of look at the security of the products that keep me alive. And that has been a very interesting journey, I will say. 

Carole Theriault: Now, I was looking you up before we did this interview, and you have a lot of titles that the press have given you over the years. It starts off with hacker, and then experimental hacker, and then security researcher, and then medical device security expert. And I would say basically when - what you said - they're probably all true. 

Jay Radcliffe: Yeah, I think that that is very accurate. It is true. You know, and there's a lot of discussion about the term hacker and if that's a good term or a bad term. But, you know, I embrace it. I think that, you know, a hacker is somebody that looks at something and makes it do something that it wasn't designed to do, that kind of pushes the boundaries of what the designers had in mind. And that could be a computer. That could be anything, really. 

Carole Theriault: Well, that brings me on to our topic because Christmas is loomin'. And I know and fear Christmastime because I know everyone goes out and buys smart devices for their kids, their grandkids, their parents. And I thought you'd be a perfect person to tell me about the dangers of that or any guidance to help us, you know, guide us through this world of, like, infinite devices from infinite companies. 

Jay Radcliffe: Oh, my - yes. I have three children, ranging from 16 to 10 years old. And they want all the devices that connect to everything. 

Carole Theriault: I don't even know where to start. So there's so many things, in my view, that are connected that don't need to be. Do you have that feeling as a security expert, or do you totally understand why everyone is trying to smartify every gadget that we use? 

Jay Radcliffe: Oh, absolutely. This is something that I see all the time. I have given many talks about how we connect everything, and everything needs to be connected. And do we need to do that? 

Jay Radcliffe: You know, and the example that I give all the time is, like, a toothbrush, right? There's electronic toothbrushes that have Bluetooth in them now, so you can keep track of how long you brushed your teeth, what pressure you used, all of this information. But on the backside of that, there's security concerns with it. With - in regards to, like, this toothbrush, there was a security vulnerability that allowed different attackers to see who owned the type of toothbrush. So you could get, like, a listing accidentally of all the email addresses of everybody who owned this particular brand of toothbrush. 

Carole Theriault: (Laughter) We've already put a battery in it. 

Jay Radcliffe: That's right. 

Carole Theriault: Now let's put a Bluetooth in it, yeah. 

Jay Radcliffe: Right. Some of it is - it has become so inexpensive to add connectivity to devices, and manufacturers are always looking for ways to distinguish themselves from their competitors or to make a higher-end product. So for a couple dollars, we can add a Bluetooth or a wireless module to any kind of device. And then magically, it's on the internet, and we can connect to it, and we can collect all sorts of data and do all sorts of things. 

Carole Theriault: You've looked at a lot of IoT devices in your time. What kind of rough percentage would you say just don't meet your security bar - like, your security kind of, like, this is the level of entry that I think it's OK for production or - and for sale? 

Jay Radcliffe: You know, what I'm finding is that when I look at these devices, the ones that you find that have - are major name brand players - the Philips of the world, the Amazons of the world - those types of major manufacturers, they pretty much have their act together. And a lot of times, they have a security program. They have security professionals like myself working on these products. It's when you get into the world of knockoffs and, you know, generic brands, that's where really things start to become a little more dangerous. 

Carole Theriault: Because right now, like, a lot of IoT devices are now probably going to start introducing some kind of facial recognition, right? Do you - have you seen that starting to happen? 

Jay Radcliffe: Yeah, yeah. We're starting to see that more and more - and leveraging things like Apple's Siri platform or Amazon's Alexa platform. So that way, you can talk to your toothbrush, and you can tell it, you know, your thoughts and feelings. And it can help you with your brushing your teeth. 

Carole Theriault: I'm such a Luddite. I'm a Luddite. I think - it scares the poo out of me. It really does. 

Jay Radcliffe: It is a very interesting world, you know? And people expect these things to be connected, and they - that's how they choose to interact with their devices and their world these days. 

Carole Theriault: Can I ask you - maybe this is too personal. But, like, how much IoT do you have in your living quarters with your family? Do you, like - do you embrace it? Or - you embrace it because you understand it and you know which ones are safe and which ones aren't. Or are you like a - really, it's got to really - I'm tough on this? 

Jay Radcliffe: You know, because of the kids, they have a lot of things. You know, the one thing that I always focus on, though, is I - and I tell this to a lot of people - is that I know there's a trade-off, that I'm trading a little bit of my privacy for the convenience of having that connected device. I think that these things always come with a little bit of trade. Like, if you want - if you're very concerned about privacy, then you shouldn't have a lot of these devices, but you lose some of the convenience features of these devices. And if that's important to you, then you can trade that. 

Carole Theriault: So Christmas, people are buying stuff for kids and for everybody. Is there any - like, I've already heard you say, stay to well-known brands. That's probably a good idea. Don't go to knockoff brands. Stay with the big names, potentially, if you don't know what you're doing. Is there any other little tips that people - to help them navigate this very complicated world? 

Jay Radcliffe: Yeah, I - you know, I think that one of the most important things from a security perspective is always going to be about passwords, you know? And as a researcher and as somebody that's in the industry, a majority - like, probably over 70% - of the security vulnerabilities that we see somehow relate to a password from a user. So I think it's really important for consumers to pick good passwords and to know how to pick good passwords. 

Carole Theriault: Are you a fan of password managers? There's a number of them out there. 

Jay Radcliffe: Humans can't remember - if - you know... 

Carole Theriault: I can't remember anything (laughter). 

Jay Radcliffe: If you follow all the rules - kind of like a gremlin, right? - you have to follow all these rules. And the rules are you have to have a different password for every account that you have, and there's hundreds and thousands of accounts that you have now. So it's impossible to memorize all of those. So I think a password manager is a great idea. 

Carole Theriault: I wonder if one of the big things with these IoT things is they set up default settings. And I wonder how many people go, oh, the default's going to be safe because that's - you know, they've set it for me. And I don't even know what I'm doing, so may as well just stick it there. And in my experience, although it's, like, a fraction of yours, I found a lot of default things are designed for connectivity, but not for privacy or for security. 

Jay Radcliffe: Right. They're really designed so that way, the user and the end consumer has a very easy path to get these things. 

Carole Theriault: Mmm hmm. 

Jay Radcliffe: You know, they want you to have a great experience using whatever toothbrush or whatever widget that you're using that connects. So if it's very hard to connect and it's very difficult to use, then that makes the user kind of put it back in the box and return it. So I think that you're right. I think some of the default settings - some of them - can be - have less security. 

Carole Theriault: Yeah. And it's just important, I think, if you're going to buy this stuff, make sure you look at it. Don't just plug and play. That's - you know, take some ownership of it because it's your privacy, right? 

Jay Radcliffe: That's right, you know? And I think that it's, you know, it's a good thing to know, you know, where those things are and maybe understand that you're giving up some data to the manufacturer, you know? 

Jay Radcliffe: You know, I'll use the toothbrush example again. You know, it's very interesting that they can collect all of this data from people that use these types of toothbrushes, and they can say, oh, you know, we can see that, you know, consumers that use these toothbrushes are only brushing twice a week, or they're only brushing for 30 seconds at a time. 

Carole Theriault: Yeah. 

Jay Radcliffe: And it can help you adjusting that. It can say, oh, you know what? You are more - you're doing more than the average user is. And that can be very helpful if you're trying to, like, fight cavities. Or let's say you have kids, like I do. You can say, oh, look at this. The app is telling me you're not brushing long enough. And that can be a big help, but you are trading off a little bit of that privacy 'cause they are collecting data on that. 

Carole Theriault: I know. I think it's a lot of privacy. But then, you know, I'm on the other side, so (laughter). Jay Radcliffe, this has been a fascinating conversation. I really hope people take heed and listen because you're very IoT-positive, IoT-safe, right? And it's good to have someone like you on because I'm a little scared of it all still. 

Jay Radcliffe: That's right. We'll keep looking at these devices, and people like myself will keep trying to make them safer and better for the consumers to use. 

Carole Theriault: Absolutely. Jay Radcliffe, experimental hacker, security retrieval (ph), medical device security expert, et cetera, from Thermo Fisher Scientific, thank you so much for chatting with us today. 

Jay Radcliffe: And thank you very much. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: It's good to hear someone who has skin in the medical device game - I mean, literally. I mean, this guy is a Type 1 diabetic and has an insulin pump and monitor. You know, I have a friend who is in the same situation. 

Dave Bittner: Yeah. 

Joe Carrigan: And I worry about her insulin pump a lot when she and I have discussed it. And so - and, of course, we don't discuss it anymore because it kind of makes her uncomfortable. 

Dave Bittner: (Laughter). 

Joe Carrigan: So I really appreciate Jay's position here. 

Dave Bittner: Yeah. 

Joe Carrigan: When it comes to the term hacker, I'm in Jay's camp as well. I think a hacker is someone who finds unintended use cases or finds a way around an obstacle - you know, something you put in the way. And I don't think that's always malicious. That's why when I say - when I'm talking about guys who are doing bad things, I say malicious actors or bad guys. I don't say hacker. I deliberately don't say hacker. 

Dave Bittner: OK. 

Joe Carrigan: It's no surprise that larger manufacturers have better security. 

Dave Bittner: Yeah. 

Joe Carrigan: They can afford it, right? Amazon does a really good job of security. They may not do a good job of privacy, right? We may have our concerns about how we're tracked all over the internet. Every time we search for something on Amazon, we see the ads pop up everywhere we go. But the security is pretty good, and those are two different things. 

Joe Carrigan: Interesting that 70% of the issues are caused by user password issues - weak user passwords or default passwords. I find that interesting. Again, we hear Jay say, use a password manager. 

Dave Bittner: Right. 

Joe Carrigan: When you use these devices, understand that you're making a trade-off. That's very important. And actually, I'm going to go back to the large manufacturers. Most large manufacturers are good. Some are not good at their security. 

Joe Carrigan: And we do connect way too many things to the internet. Every single thing you connect to the internet is more surface area that is exposed and needs to be defended. And there is tons of information that these manufacturers collect about you that you no longer control. So you got to ask, do you really need your toothbrush connected to the internet, like in the example that Jay was talking about? Or do you need your refrigerator to connect to the internet? When is the next software update for your toothbrush coming out? 

Dave Bittner: (Laughter). 

Joe Carrigan: I'll bet the answer to that question is never. That's... 

Dave Bittner: Can you brick your toothbrush? 

Joe Carrigan: Right. 

Joe Carrigan: Can you brick your toothbrush? I tried to root my toothbrush, Dave, and now I accidentally bricked it. 

Dave Bittner: (Laughter). 

Joe Carrigan: And Carole says that she's a Luddite for not doing this. I don't think that we're Luddites. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? We're not opposing new technology. We're not, you know, smashing looms in the woods, as it were. 

Dave Bittner: (Laughter). 

Joe Carrigan: We're talking about stuff that might actually be bad for us and dangerous, right? And I'm hesitant to use the term Luddite because, you know, I'm all about new technology. I want to see new stuff happening and all these cool things. But I - you know, the amount of information we've all given up and the number of data breaches and the - just the sheer volume of personal information that we've all lost... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is staggering. 

Dave Bittner: Yeah. I guess for me, it's everybody has to make their own risk assessment and their own value proposition. 

Joe Carrigan: Right. 

Dave Bittner: You know? If you want to connect your refrigerator to the internet because when you're at the grocery store, you want to be able to look on your phone and have your refrigerator tell you whether or not you have milk - right? - like, that's a value proposition. 

Joe Carrigan: Right. 

Dave Bittner: Do I have milk? Ah, I forgot to look in the refrigerator. No problem. I'll check with my refrigerator. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) And the refrigerator says, yes, you have milk. So if - and if that value - if the value you get out of that is worth the risk that you're taking by putting that information out there, by hooking up your refrigerator to the internet... 

Joe Carrigan: Right. 

Dave Bittner: ...Well, then for you, it's probably worth it. But it's not worth it for everybody. 

Joe Carrigan: No. It's definitely not worth it for me. 

Dave Bittner: Yeah. 

Joe Carrigan: I am never putting a refrigerator on the internet. 

Dave Bittner: Yeah? No? 

Joe Carrigan: I just don't think I'm going to ever do it. 

Dave Bittner: (Laughter) You're going to say - and you're going to be out of milk one day, and you're going to say, dang, I wish my refrigerator was connected to the... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...To the internet (laughter). 

Joe Carrigan: My cat's going to be very angry if she doesn't have her little bit of milk in the morning. 

Dave Bittner: (Laughter) That's right. That's right. 

Dave Bittner: All right. Well, our thanks to Carole Theriault again for bringing us that great interview with Jay, Jay Radcliffe. We do appreciate her doing it, and we appreciate him taking the time for us. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.