If you wish for peace, prepare for cyberwar.
Nick Shevelyov: If you wish for peace, prepare for war. And today, organizations, if you want to run a healthy, prosperous business and maintain a sense of peace, you need to prepare for digital war.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We got some good stories to share this week, and later in the show, Nick Shevelyov. He is the chief security officer from Silicon Valley Bank.
Dave Bittner: All right, Joe, before we get to our stories this week, we got a little follow-up from a listener. What do we have?
Joe Carrigan: We have a letter from a listener who would like to remain anonymous. And A. Nonny Mouse writes, dear Dave and Joe, thank you very much for the great show. I listen to it every week to keep reminding myself of the potential scams out there. Keep up the great work. I wanted to share a story with you about something that happened at work a couple weeks back. I work as a security engineer for one of the largest banks in Europe. We have a policy that, if you want to access company information on a mobile device, you have to roll it into our mobile device management solution. This is very common among a lot of institutions if you bring your own device, including my employer, Hopkins. You have to enroll in this MDM solution.
Joe Carrigan: You can either bring your own device, or the company will provide you one. When you enroll the device, a management profile is installed so that the device can be managed remotely, and a bunch of apps are installed. What happened a couple of weeks back was that the group that operates the MDM wanted to change one of the apps with a different, similar one. Usually, this is announced in advance to as many people as possible, but this time they only announced it to a small group of people. I was personally not aware of the change in apps. So in the middle of a meeting, I got a message saying that the company would like to install an app. I've never heard of this app. Being a skeptic that I am, which is an occupational hazard - we are all skeptics here, anonymous - I hit no and figured I'd check on it later to see if it was legitimate or not.
Joe Carrigan: Well, I was not the only one who thought this sounded suspicious. The help desk and security team were flooded with phone calls, emails and messages from hundreds of people wondering if they had been hacked or if someone was trying to phish them. A lot of people just hit, no, I don't want to install this app, because they had no idea what was going on. Working security sometimes feels like a continuously uphill struggle. So when we get a win, I think we should enjoy it and share it. It seems very clear that the awareness and educational programs that security departments are running are working. So what do you think, Dave?
Dave Bittner: (Laughter) I would love to know what the security team thinks about their success. I mean, I think - I'm sure they have mixed feelings where, on the one side, it's great that people were suspicious of this. On the other hand, they had to field all these calls.
Joe Carrigan: Right.
Dave Bittner: And to me, that's because they dropped the ball when it came to communicating what was - what people should expect.
Joe Carrigan: I agree with you 100%. This is a - while it is a success in some way of making people a little more leery - or a lot more leery, it would seem - of being told they're going to install something, it is an absolute failure of communication. And that is key in this industry. You have to tell people what's going on. You have to communicate appropriately and properly.
Dave Bittner: Yeah. I think it's great to see that so many people are taking personal responsibility for the security of their device. I could imagine a lot of people, you know, would say, oh, this is my work device. Something comes in. Whatever. You know, I'll just hit yes - not my problem. You know, if something doesn't work out, that's the security team's problem. And...
Joe Carrigan: Right.
Dave Bittner: You know, no. We need to do better than that. And it seems like in this case, our listener's coworkers did just that. So good for them.
Joe Carrigan: Yep.
Dave Bittner: All right, well, thanks to our listener for sending that in to us. We would love to hear from you. You can send us your questions or follow-up to hackinghumans@thecyberwire.com.
Dave Bittner: All right, Joe, let's jump into our stories this week. I'm going to kick things off for us. I have a story. This comes from WIRED, and it's written by Becca Andrews. The title of the article is "They Were 'Calling to Help.' Then They Stole Thousands." And it really is a narrative about Becca Andrews' mother being the victim of a phone scam.
Joe Carrigan: Yikes.
Dave Bittner: And her mother gets a phone call one morning on her mobile phone. There's a gentleman on the other end of the line who says someone has access to your bank accounts through Amazon and they can take all your money. I'm calling to help.
Joe Carrigan: That is typical in these phone scams, where they gin up a problem, and then they immediately offer the solution to the problem. So it's a telltale sign, right?
Dave Bittner: Yeah.
Joe Carrigan: You know, there is a huge problem, and I can help you fix it.
Dave Bittner: Right. And this person says that he just needed some information from her to make sure that her money was safe.
Joe Carrigan: Right.
Dave Bittner: And over the next several hours, she was on the line with this person, even, you know, not hanging up for bathroom breaks or meal breaks or anything like that. The person on the line said, I'll stay on the line while you do things because we want to make sure we get this through correctly. And over the next few hours, she installed several apps at this person's instruction - one of them to be able to have visibility onto her device, to see what she was doing - installed several different cash apps to transfer money - Coinbase, a Zelle account, many different ways to, you know, transfer money out of her device.
Joe Carrigan: Right.
Dave Bittner: In the end, she ended up being scammed out of about $11,000. And one of the other harrowing parts of this story is the person on the other line convinced her that she had to keep it all a secret, that perhaps it was her spouse who was in on this and she shouldn't tell anybody...
Joe Carrigan: Right. So...
Dave Bittner: ...Stoking her fears about that.
Joe Carrigan: This is common, right? They try to isolate you. It's a common feature of these scams. But what's abhorrent here is that this guy doesn't care about her interpersonal relationships with their spouse, right?
Dave Bittner: Yeah.
Joe Carrigan: He's perfectly fine sewing discord in that relationship just to get his money.
Dave Bittner: Yep. Yep. And so some time passed between when she did not tell her spouse about this, and her spouse had been asking, what have you been doing? You've been on your phone all day, you know, that sort of thing. But then eventually the weight of it got to her and she shared the story. And so her spouse was able to - well, what her spouse did was call their daughter, who is the woman who wrote this article.
Joe Carrigan: Right.
Dave Bittner: And then she kicked into gear to try to help them. Part of this article is about how difficult it is to deal with some of these online cash companies that...
Joe Carrigan: Right.
Dave Bittner: You know, as with so many of these online companies, they are not set up for customer service.
Joe Carrigan: No, that's their business model.
Dave Bittner: (Laughter) Right. Right.
Joe Carrigan: You know, use the service. And then when something goes wrong, tough. Don't complain to us because - well, I mean, you can complain to us, but we don't hear it. It's great.
Dave Bittner: Yeah.
Joe Carrigan: It's a great business model. People use the product, and then when they can't use the product, they just stop using the product.
Dave Bittner: Mmm hmm. Mmm hmm. They were able to get back about $10,000.
Joe Carrigan: Oh, good.
Dave Bittner: It took several months to do and a lot of time, a lot of work, a lot of frustration. But it really left them all feeling exposed. It left them feeling vulnerable. It left them feeling victimized.
Joe Carrigan: Right. Well, they were victimized.
Dave Bittner: A little more cynical - yeah. Yeah. So it's - we'll have a link to the article here. It's worth a read, and it's definitely worth sharing around to your friends and family. As you point out, Joe, there are a lot of red flags in here. You know, one of the things that I think it's important to reiterate is that this person's mother or the author's mother, she said she felt like it was her fault. You know, like...
Joe Carrigan: Right.
Dave Bittner: ...She said, I did a stupid thing. I'm so stupid...
Joe Carrigan: No.
Dave Bittner: ...That she fell for this. And she didn't. She was manipulated. She was...
Joe Carrigan: Right.
Dave Bittner: She was outgunned. There was no way she was going to outsmart these people who do this sort of thing every day.
Joe Carrigan: Yeah. I mean, the only thing you can do to outsmart them is just hang up on them. That's it.
Dave Bittner: Right. Right. And there is kind of a little end to this story where later on, another scammer called her, and that's exactly what she did. She just hung up on them. And then she called her daughter and said, hey, I did the right thing, you know? I've learned my lesson so, you know...
Joe Carrigan: Right. Well, that is a win. That is a big win. A lot of times we see people get scammed over and over and over again. They follow on scams and everything like that. This woman lost a thousand dollars, it sounds like, and a lot of time trying to get the other $10,000 back.
Dave Bittner: Yeah.
Joe Carrigan: But she has learned and now just hangs up when these people call.
Dave Bittner: Right.
Joe Carrigan: That's great, you know?
Dave Bittner: Yeah.
Joe Carrigan: You know, my son was telling me the other day, he got an email from Amazon. It looked like it came from Amazon, but it was really just a phishing email. I actually opened up the attachment once I - I tested the attachment for viruses, and then - with VirusTotal - and then I opened it up and found out it was just linking to a phishing site. They were just trying to phish his Amazon credentials. But he said it was almost convincing. You know, the email itself was almost convincing enough for him to do it. The only thing he noticed was that the address wasn't right. So, I mean, these guys are really good at what they do, really good at it.
Dave Bittner: Yeah. And if they get you on the phone, they - one of the things this story points out is how what a calming presence the people on the other end of the line were. You know, they're here to help, and they're...
Joe Carrigan: Right.
Dave Bittner: You know, just trust me. We're going to get through this together, that sort of thing.
Joe Carrigan: Yeah.
Dave Bittner: So we'll have a link to this in the show notes. It's a good read. It's really one of the best narratives I've seen about this sort of scam and the things - what it takes to try to claw it back - so definitely worth checking out, passing around. There's a lot of good lessons to be learned here and a great way to raise people's awareness. So again, that's written by Becca Andrews and it's over on WIRED. That is my story this week. Joe, what do you have for us?
Joe Carrigan: Dave, you have spent some time bashing Facebook.
Dave Bittner: (Laughter) I've been known to be critical of Facebook from time to time.
Joe Carrigan: Yes, me, too.
Dave Bittner: What have they done this time (laughter)?
Joe Carrigan: Well - so I have two stories. First - the first story is from Business Insider. It comes from Ben Gilbert. And it's about the Facebook earnings report that came out last week. In - do you remember back in 2021 when Apple said, we're going to make apps - people have to opt in to get the Apple Advertiser ID?
Dave Bittner: Yeah.
Joe Carrigan: When Apple enacted that, 95% of iPhone users who had downloaded the update opted out of advertising - of tracked advertising. And Facebook revenue, it looks like, is going to take a billion-dollar hit in the coming year - or $10 billion hit - $10 billion hit in the coming year.
Dave Bittner: Wow.
Joe Carrigan: Ten billion dollars sounds like a lot of money, doesn't it, Dave?
Dave Bittner: (Laughter) Yes, I would say - I would say, by any measure, $10 billion is a lot of money (laughter).
Joe Carrigan: OK, so here's the thing. Their total revenue for the past year was almost $118 billion.
Dave Bittner: OK.
Joe Carrigan: And they're complaining or telling shareholders to expect a $10 billion hit in ad revenue because of this one change that Apple made. So in other words, about 50% of the U.S. market and 14% of the global market now has privacy enacted, and it cost Facebook less than 10% of their revenue.
Dave Bittner: OK.
Joe Carrigan: So it's not that big of a hit, in my opinion. Yeah, I know you're upset that you can't track people and you can't specifically target ads at them. But maybe that's a good thing, which kind of leads me into my next story, which comes from The Guardian out of Australia, and it's written by Josh Taylor. Do you know who Andrew Forrest is?
Dave Bittner: I do not.
Joe Carrigan: OK. Me neither. I did not know this until I read this article, but he is an Australian billionaire, and he has launched criminal proceedings against Facebook for failing to take action on scam ads that feature his image.
Dave Bittner: Oh, OK. So this is - is he - he's like Australia's Warren Buffett, sounds like.
Joe Carrigan: He might be.
Dave Bittner: (Laughter).
Joe Carrigan: In fact, that's the first thing I think of when I think of billionaire scam ads. I think of Warren Buffett holding the big bitcoin.
Dave Bittner: Right. Right.
Joe Carrigan: You know, I Googled that image today and still got a chuckle out of it because it's obviously Photoshopped, right?
Dave Bittner: Yeah.
Joe Carrigan: There's no way Warren Buffett could hold up a piece of metal this big (laughter).
Dave Bittner: Well, true.
Joe Carrigan: I don't think I could hold up a piece of metal that big in the way he's holding it. So the ads appear on Facebook's news sites as programmatic ads supplied by Google or from Facebook as well. But these ads target specific individual users, and they are presented as a news story claiming to be the celebrity that had made a big investment, and banks are shocked by how well it's doing, right?
Dave Bittner: (Laughter) Banks hate him.
Joe Carrigan: Right, exactly.
Dave Bittner: (Laughter) Right.
Joe Carrigan: You and I see these ads and we just scroll by them, right?
Dave Bittner: Mmm hmm.
Joe Carrigan: Because we know that - you know, we've been on the internet long enough we know that these are scams. We know that this is clickbait. We know that this is just erroneous. But here's what happens if you actually click the ad. It takes you to a fake news story that includes a link claiming that - claiming to be some cryptocurrency investment scheme. And you enter your details and register for the scheme, and then you receive a phone call asking you to make an initial investment of some small sum, like 250 bucks. Then you are asked to invest increasingly larger amounts. In one case that this paper previously reported on, a 77-year-old Queensland grandmother clicked through from a Facebook ad featuring Andrew Forrest and initially transferred $5,000 to a cryptocurrency exchange before being encouraged to put in more of her money. Scammers eventually emptied her accounts, stealing her entire life savings of $80,000 the article says.
Dave Bittner: Oh, wow.
Joe Carrigan: And she was unable to get her money back because, unlike your story where these are banking apps, this is not a banking app. This is a cryptocurrency app. Once you buy that cryptocurrency and send that cryptocurrency to somewhere else, that's on the blockchain forever, and you can't get it back.
Dave Bittner: Mmm hmm.
Joe Carrigan: Unless you do something which is impossible without consensus, right? And people are just not going to agree to that. Interesting, The Guardian has investigated who's behind the ads, and they found hundreds of these sites that the ads linked to were registered to just five names with addresses all in the center of Moscow. And surprisingly - so I'm I'm shocked by this, Dave - none of those people listed on the registration forms responded to The Guardian's attempts to contact them.
Dave Bittner: (Laughter).
Joe Carrigan: They just didn't have...
Dave Bittner: So help me understand what Andrew Forrest is doing here. So he's decided that Facebook is liable for allowing these scam ads to run.
Joe Carrigan: Right.
Dave Bittner: So he's - now, it's interesting to me that this is going to be a criminal proceeding.
Joe Carrigan: Yeah, I thought that, too. That's something that stood out in my mind. I don't know how Australian law works. Here in America, I can't begin a criminal proceeding against somebody. Law enforcement - only the state can begin a criminal proceeding. I can begin all the civil proceedings I want and sue Facebook in a civil court. But I can't file a criminal complaint in - or I can file a criminal complaint, but I can't begin a criminal lawsuit here. I don't know how that works in Australia. Maybe they can. Maybe Australian law says, yeah, you can actually go ahead and file criminal lawsuits, launch criminal proceedings.
Dave Bittner: Yeah. Or, you know, I guess if he convinces the right - whatever the Australian version of...
Joe Carrigan: Right.
Dave Bittner: ...Attorney general is to...
Joe Carrigan: Yeah, absolutely.
Dave Bittner: ...That this is - that this rises to criminal - to the criminal level.
Joe Carrigan: Yeah. If I called up Brian Frosh, who's the attorney general of Maryland, and said, hey; I think you should be prosecuting this, you know, and he agreed or someone in his office agreed, that might be how I would do this. In fact, that is exactly how I would go about it because...
Dave Bittner: Yeah, yeah.
Joe Carrigan: ...In Maryland, the AG's office is pretty responsive to the citizens.
Dave Bittner: Yeah. You know, it's interesting to me that the big platforms like Facebook don't do a better job with this.
Joe Carrigan: Yeah.
Dave Bittner: And...
Joe Carrigan: Yeah.
Dave Bittner: I don't accept that they can't do a better job with this. I know, for example...
Joe Carrigan: Right.
Dave Bittner: Back when I was on Facebook, the one that always annoyed me - I would always see ads for Ray-Bans.
Joe Carrigan: Right.
Dave Bittner: You know, would you see those? And it would be, like, the Ray-Bans logo at a slight angle. And, you know, somehow they'd get into friends' accounts. And friends would be posting, hey; look - Ray-Bans, you know?
Joe Carrigan: Right.
Dave Bittner: But, like, you know, Facebook, Google, all these platforms - they can identify a photo of me, you know, when a sliver of my ear is showing.
Joe Carrigan: Absolutely.
Dave Bittner: Right. They can't tag something with a logo or a front-on photo of Andrew Forrest or...
Joe Carrigan: Right, or Warren Buffett or Keanu Reeves or...
Dave Bittner: Or Warren Buffett - right, right. Bill Gates, any of these folks - I mean...
Joe Carrigan: Right.
Dave Bittner: They should automatically - when they see - like, they can't fingerprint that ad. And I know, you know, folks can do adversarial things in the images and alter them. Blah, blah, blah. Still, I think the reason that they're not doing more against these is because it's against their interest to do so because...
Joe Carrigan: Right.
Dave Bittner: ...The people who are running these scams are paying Facebook and Google or whoever to do it.
Joe Carrigan: Yeah. So...
Dave Bittner: And so...
Joe Carrigan: Here's another angle on this. Apple disabling the access to the - you know, what Apple did here, disabling the access to the ad token - do you think Google will ever do that in Android? Do you think they'll ever make that a feature in Android where users have to opt in to advertising? I don't think they will because it's...
Dave Bittner: Yeah.
Joe Carrigan: ...So much of their revenue.
Dave Bittner: Yeah.
Joe Carrigan: They'd be losing a lot more than the $10 billion that Facebook is losing if Google did this.
Dave Bittner: I think the only way we'll see that is if we have legislation that requires it.
Joe Carrigan: I agree with you.
Dave Bittner: If they make it so that you have to opt in...
Joe Carrigan: Right. Yeah.
Dave Bittner: ...That's the only way we'll see some of these ad-focused platforms do something like that.
Joe Carrigan: The amount of tracking that goes on for us is ridiculous.
Dave Bittner: Yeah.
Joe Carrigan: I would cancel Facebook tomorrow if I could, but unfortunately, they got me, Dave. They got me.
Dave Bittner: Yeah.
Joe Carrigan: They got me good.
Dave Bittner: No, it's - you know, I say I'm not on Facebook anymore. But part of the reason I'm able to not be on Facebook is that my wife is very active on Facebook. So...
Joe Carrigan: Right.
Dave Bittner: If something happens on Facebook with a mutual friend or a family member, I will hear about it through her. So it's a little bit of a cheat. But, you know, my own mental health benefits because of it.
Joe Carrigan: Yeah. I do spend a lot less time on all social media platforms these days. In fact - and you say your mental health benefits from it. I've been spending a lot of time on LinkedIn lately, just connecting with people because that's where I've been talking with people. I'm finding even LinkedIn, which is as benign of a social network as you can get, is...
Dave Bittner: Yeah.
Joe Carrigan: I find it impacts my state of mind. I don't like the way it impacts my state of mind. But, yeah, I don't know what to do here, Dave. I mean, I guess do what I - keep doing what I'm doing, which is stay off of Twitter, stay off of Facebook, stay off of LinkedIn, stay off of any social networking site. It's just...
Dave Bittner: Yeah.
Joe Carrigan: I don't think it's good for you. I really don't think it's good for you.
Dave Bittner: No. I think it's - you know, I think quitting any of these platforms - I think folks who've been through quitting smoking describe it as being similar, you know?
Joe Carrigan: Right.
Dave Bittner: It's - you get pulled back to it. It's a pleasurable thing. And you know it's not good for you. But...
Joe Carrigan: Right.
Dave Bittner: Boy, it's hard to hard to break away. So...
Joe Carrigan: It is. It is.
Dave Bittner: Yeah. All right. Well, those are our stories this week. Again, we would love to hear from you. If you have something you'd like us to cover, it's hackinghumans@thecyberwire.com. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from a listener named Jonathan (ph), who writes, I discovered the show a couple months ago and have really been enjoying it. Check out this Geek Squad subscription scam email I just received. The thing I found hilarious about it is that it says call a number, but then you can't even read the number it says to call. I have my suspicions, Dave, but why don't you go ahead and read this email? And we'll talk about it after the - after you read it.
Dave Bittner: All right. It goes like this. Dear customer, thank you for being our valued customer. Your subscription has been successfully auto-renewed and updated. The email confirms that you have renewed your one-year subscription with us for $299.99 on January 29, 2022. The amount has been auto-debited from the account or card registered with us at the time of the purchase. The debited amount will reflect within the next 24 to 48 hours on your account statement. Please review your purchase history below - product information, invoice number, order ID, type, protection plan. Duration - one year from the date of purchase. Amount - $299.99. Payment method - auto debit. The subscriptions will auto renew every year unless you turn it off no later than 48 hours before the end of the subscription period. To cancel or upgrade the subscription or if you need more information about the invoice, please call our billing team on the number given below working on Monday to Friday from 9 a.m. to 7 p.m. Eastern Standard Time. For further assistance or query, please call us at #+1NANNNAN##6N6N8##N#3N5N7N6##. Thank you for choosing us. Regards, Geek Squad team. That's a hell of a number there, Joe.
Joe Carrigan: Yeah. Thank you, General Stonewall Jackson, for reading this.
(LAUGHTER)
Dave Bittner: Sometimes they just come to me.
Joe Carrigan: Yeah. It reminds me of that - of the - I can't remember. It was - maybe it was "Deputy Dawg." Remember "Deputy Dawg"...
Dave Bittner: Yeah. Yeah.
Joe Carrigan: ...The sheriff in "Deputy Dawg"? That's what you - that's what I visualized when you were saying that...
Dave Bittner: (Laughter).
Joe Carrigan: ...The guy with just a mustache...
Dave Bittner: I was thinking a little bit of a Foghorn Leghorn, actually.
Joe Carrigan: Foghorn Leghorn, yeah. I love Foghorn Leghorn.
Dave Bittner: Maybe some Boss Hogg thrown in. I don't know.
Joe Carrigan: (Laughter) Boss Hog. So here's my thinking on this. You read that phone number. And that's exactly how it appears in the email. I don't think this is a phone number. I think these are variables that you're supposed to change. I think what happened here is some noob to the criminal world bought a phishing kit. And the phishing kit contained an email template that - (laughter) for a Geek Squad scam. And he or she didn't change any of the variables, didn't change the emails with all the hashtags because this thing just has hashtags all the way throughout it, right?
Dave Bittner: Yeah. Yeah. Right.
Joe Carrigan: And it's - I think they just said, well, let's just send this.
Dave Bittner: (Laughter).
Joe Carrigan: I mean, there's no way for anybody to get in touch with them, except maybe to reply to the email. But aside from that, you know, what this - how this is supposed to work is you're supposed to call a number. Somebody from customer support - and our listeners can't see my air quotes going on there. But...
Dave Bittner: Yeah.
Joe Carrigan: It's going to install some malicious software on your machine and, essentially, rob you blind.
Dave Bittner: Right.
Joe Carrigan: That's how this scam works. But these guys - apparently, this is their first try at it. And they just sent this out to Jonathan and probably out to another hundred people. But the good news is...
Dave Bittner: (Laughter).
Joe Carrigan: A hundred people - probably 100 million people, 100 million email addresses. But the good news is, now that this email has flooded the internet, it's going to be all over the spam filters. So whoever paid money for this essentially just flushed that money right down the toilet.
Dave Bittner: (Laughter) Right. Right. I just hit send. You did what? I just hit send.
Joe Carrigan: (Laughter) Right.
Dave Bittner: We haven't put any of the variables in. Uh oh.
(LAUGHTER)
Joe Carrigan: (Imitating horn).
Dave Bittner: Yeah. Right. All right. Well, again, thank you to our listener, Jonathan, for sending that into us. We do appreciate you taking the time. Joe, I recently had the pleasure of speaking with Nick Shevelyov. He is the chief security officer for Silicon Valley Bank. Interesting conversation - here's Nick Shevelyov.
Nick Shevelyov: So I talked a little bit about this in my book, is that about a hundred years ago, there was a revolution in Russia. My parents' ancestors immigrated to China. Both my parents were born there. They immigrated to the United States. And I was born in Washington state. But during the early '70s, you know, America wasn't a very particularly friendly place to people of Russian ethnic descent. My dad took a job with the State Department. And we moved back to the Soviet Union. They had an interest in getting to connect with their culture, but also hopefully do some good work and sharing about, you know, how life is like outside of the Iron Curtain.
Nick Shevelyov: And during that period, we lived in an apartment. And the apartment, we learned, was bugged. And so I learned at an early age that if you have something important to say, you, you know, signal to someone. You go over to a faucet. And you run the water. And you talk over the faucet because that blurs the sound for the bugs. And it obfuscates what you're trying to say. That was an interesting, a very sort of formative experience that you - in some cases, your privacy and your safety can be in jeopardy. Later, my dad would publish a book that had an accurate map of Moscow, which was something that the government didn't like.
Nick Shevelyov: And so the KGB came one day and took him away and interrogated him. And when he returned, we quickly left the Soviet Union and returned back to the United States, where we stayed. But I guess those experiences and formative years of your childhood kind of reminds you that your safety and security and your privacy can be infringed upon. And so I think, in a lot of ways, it influenced my interests in life. And at a relatively early age, I became interested in technology and sort of the democratization of data and sharing of information. But at the same time, my childhood experiences around security and privacy influenced the choices that I made in my career, focusing on what we called back in the '90s IT security but is now referred to as cybersecurity or technology risk management.
Dave Bittner: You know, those experiences that you had growing up and having that reality of, you know, folks listening in, how has that informed your views these days? I'm thinking specifically as we've seen, you know, many of these online social media platforms rise to prominence, and a lot of that is based on what is referred to as surveillance capitalism. You have, I guess, a different life experience and perspective on that than a lot of other people would.
Nick Shevelyov: Yeah, you're right. In fact, there is an interesting Netflix documentary called "The Social Dilemma" that talks about surveillance capitalism. I don't - I touch upon it in the book. I don't go too deeply into it. You know, one of the phrases that I use in the book is the very technology that empowers us may also imperil us, right? And for all the enablers that we get from social media and other technology, how can that be used against us? It is used. Information harvested about you is used in fraud attempts, in cybersecurity attacks. And social engineering is used all the time to break into computer networks. I personally am careful what I share and how I share it because, you know, what I share and what I share today might be viewed differently five, 10 years from now. And so, sure, I have a lot of network-enabled devices in my home, but at the same time, I'm cognizant of some of the benefits that I get but also the tradeoffs that might ensue today or down the road, depending on how you leverage those technologies.
Dave Bittner: Well, the title of the book is "Cyber War... and Peace: Building Digital Trust Today with History as Our Guide." What prompted the creation of the book?
Nick Shevelyov: So, you know, for years I've been speaking at seminars and conferences, both technology and security related, and I decided, you know - and about 10 years ago, I sort of went through this period of introspection. Who am I? What do I believe? Why do I believe it? What are my values? How do they influence my decisions, my reactions? What are my earliest memories? What are my most valuable memories? And I kind of kept coming back to this story that my father told me as a young boy and as we were moving back to the Soviet Union because I was scared, and it was a very different shift in life and a real culture shock. And the story I kept coming back to was about a Spartan boy and a fox. And to learn more about the story and how it relates to the book, you'd have to buy a copy of the book. By the way, all proceeds of the book are being donated to charity. They're going to go to the SVB Foundation, which will route the proceeds to NextGen Cybertalent - is giving opportunities for underprivileged, underserved communities to get educated and get a job in cybersecurity. So hopefully, a win-win for the community.
Nick Shevelyov: And so as I was going through this period of introspection and the story that influenced me over the course of my life, I started thinking more about how many things that I believe in and take action on really are stories and how powerful storytelling is and how I have enjoyed history and philosophy and technology and innovation. And if I were to sort of tie all the things that I enjoy in life together, then hopefully I can share more meaningful stories with audiences. And so I did that, and afterwards people would come up and say, boy, this is great. Thank you for sharing. You spoke to me in a way, on a complex and complicated topic, that I better understand now. You should write a book about this. And I just never had the time.
Nick Shevelyov: And so as we were going into the pandemic and going into lockdown, I thought, you know, this is going to change my life, our lives. I'm going to be, you know, at home. What do I want to do? And so I thought, you know, I will take this as an opportunity to write a book and take poignant lessons from history that have been relevant to me that translate into sound technology and cybersecurity practices. And I'll write a book about it, and I'll share a little bit about a personal - some of the personal stories in my life. And I'll weave it together, and I'll kind of walk through history and take these lessons from history, tie them to sound security practices and write it for an audience that might not necessarily have a technical background - business leaders who are reading The Wall Street Journal and want to learn more about technology. And they can pick up this book and learn about a lesson in history, use the power of analogical thinking and storytelling and apply it to sound security practices. And hopefully, that will help the community.
Nick Shevelyov: If you're a practitioner, you might be able to tell your story a little more effectively through the power of analogy. And at the end of the day, at one point having been a poor kid living in one room with his family after we had returned from the Soviet Union, I would have loved a leg up in life and someone helping me out, so, again, proceeds will go to charity. So hopefully using the power of storytelling, helping demystify a complex topic, having a little bit of fun along the way and all for a good purpose is sort of the genesis of the book.
Dave Bittner: Can you give us a representative sample from the book, something that - where you've looked back into history to inform what we're up to these days?
Nick Shevelyov: Sure. You know, I start off with a chapter - in Chapter One around how the Romans used to think about, you know, war and peace. They had a saying in Latin (speaking Latin) - if you wish for peace, prepare for war. And today, organizations, if you want to run a healthy, prosperous business and maintain a sense of peace, you need to prepare for digital war. I go on to Chapter Two around the code of Hammurabi. In ancient Babylon, Hammurabi was trying to build an empire but was running into problems such as poor architecture. And he developed a set of laws, what he called a set of codes. And one of the codes said, if you build a building and it collapses and it kills someone, that will be your fate. And so he got skin in the game and that contributed to architectural prowess in ancient Babylon, which later contributed to the Hanging Gardens of Babylon, one of the ancient - one of the wonders of the ancient world. And today, that translates directly to how we should be thinking about technology architecture. We should have investment in the outcomes within our decision-making process. And so that translates directly to a National Institutes of Standards and Technology principle on how you should be thinking about architecture.
Nick Shevelyov: You know, we move on to the next chapter around the Spartan 300. How did 300 Spartan soldiers hold off a million-man Persian army for three days and three nights? How did they do it? They managed their attack surface. And today, organizations need to be thinking through managing their attack surface, where we maintained legacy defense in depth technologies while evolving to cloud-first, mobile-first technologies. How do you think through managing your attack surface and managing Zero Trust models where you have the right set of multifactor authentication, identity and access management, roles-based access with continuous validation and managing that attack surface?
Nick Shevelyov: And so each chapter moves on through history and takes the key lessons. So in Chapter Four, I talk about Marcus Aurelius. Marcus Aurelius was a Roman general who became Caesar, and he kept a diary on his thoughts about life. He was a stoic philosopher. And later, that diary turned into a book, "Marcus Aurelius' Meditations." It's a book that's had a profound influence on my life in how to leverage aspects of stoic philosophy and thinking about resilience for yourself and for organizations. And so know thyself is one of the principles of that book. And so know thyself is so key today in managing technology risk. It's something that Sun Tzu also talked about in "The Art Of War" and talked about know thyself and know thy enemy and you will win a hundred battles. And today, organizations need to know their assets. They need to know their data. What data is yielding economic value? What data has turned toxic? And instead of being oil, it's more like uranium, where you store it, where you handle it, how you transfer it. It can provide power but also toxicity. And so those are some of the concepts in the early part of the book. I'll pause there and see if you want me to continue on through the various chapters or if that kind of hits the points you wanted to talk about.
Dave Bittner: No. I mean, I think that gives us a good idea of what the book is about. You know, I have to say, you know, when you look back as that young kid in, you know, a single room, you know, coming back to the United States from the Soviet Union and wondering what was ahead of you - and now here you are. You're the chief security officer at Silicon Valley Bank. That's quite a journey. When you look back on that, do you sometimes have to pinch yourself?
Nick Shevelyov: A little bit, you know, a little bit. I go back to those times where I would, you know, escape my reality to go sit in the garage and I would set up a computer and get on the internet and join bulletin board services. And this is pre-browser days, right? So it was interesting. It's poignant. And technology has been such a fundamental aspect of my life. It's so interesting the innovation that we've seen over the last 40 years, so excited to see what's going to happen over the next 40 years, but also how it's helped me build a life. You know, one of the foundational principles I - you know, it was instilled in me is a sense of curiosity and a sense of continuous learning and development. And so the first investment I've always made is an investment in my own education. And so - and that's compounded over the course of time.
Nick Shevelyov: And here is an opportunity to hopefully share some insights in a fun and interesting way where others may benefit from it and may be able to better protect themselves and their organizations. And so it has been sort of a journey that I pause and look back on and feel a lot of - a sense of accomplishment and hope to pay it forward for others as well so that the kid who's, you know, sitting in or living in a room with his family could maybe understand the power of storytelling and incorporate it into their life or the business leader who wants to learn more can do that just the same.
Dave Bittner: All right, Joe, what do you think?
Joe Carrigan: What an interesting story about his upbringing. You know, his - I am fascinated by his story. His grandparents - actually, he said, he - his parental ancestors - I guess it was grandparents - they moved to,- they moved out of Russia into China and then from China to the U.S., where his dad got a job at the State Department. That's amazing. It's a great story. Very interesting to listen to. One of the things he says is he's careful about what he posts on social media. I post very little now, not just because of my aversion I was talking about earlier in the show, but largely because of that, but also because of a point that Nick makes in this interview is that you don't know how these things are going to age. You know, you don't know how the culture is going to change. And these Twitter accounts or these tweets may last for years. Now, there's - when you're on "Grumpy Old Geeks" every now and then, Jason and Brian talk about a tool that goes out and just deletes all your tweets beyond a certain age. I can't remember the name of that tool is, but...
Dave Bittner: Right. Yeah, I don't remember either, but I was thinking of the same thing.
Joe Carrigan: Yeah. And that would be a great idea. Yeah, I don't post - when I first started using social media, I would post stuff willy nilly on there. And at one point in time, I just said, you know, this is not something I want to be remembered for having said. And it was something stupid. It may have been a joke. And it may have just been like a dumb joke, right? It wasn't anything like, oh, geez, I better remove this before so-and-so sees this. It was something benign, something that was not - I still don't think it would've been harmful, but it was just - I don't. So I went back, and I actually just deleted all my history through Facebook. And that took like two days for me to do it. But now, I just put like family updates on there. And, you know, maybe - and Facebook's memories always have like the worst memories for me.
Dave Bittner: (Laughter).
Joe Carrigan: For example, Dave. A quick perusal of my Facebook posts, back in December of last year, I got a memory come up on Facebook - Facebook has these memories, which are like former statuses that you posted. And the only thing I say in this is - status is Oklahoma, Oklahoma, Oklahoma, Oklahoma.
Dave Bittner: Were you in the midst of a stroke or something?
Joe Carrigan: Right, exactly. My comment on this is another another great Facebook memory for which I have zero context.
Dave Bittner: There you go.
Joe Carrigan: I don't know why I was - maybe I was watching "Dirty Rotten Scoundrels" because that's, you know, that's a line. But I don't know why I posted that. But for some reason, Facebook said, hey, Joe, remember when you said Oklahoma, Oklahoma, Oklahoma, Oklahoma?
Dave Bittner: Right. Right. Well, there's - that algorithm is on top of things.
Joe Carrigan: Right. Seven years ago, apparently I said that. And I have no recollection of even making that post. So, yeah, so that's kind of what I'm talking about here is, you know, why did I do that? What was the point? Storytelling is a great analogy and a great way of relaying key concepts? And I'm actually working on this myself. I'm actually working on a presentation that has some storytelling in it to help talk about social engineering attacks. And I think it's going to work well. I'm hoping that it works well. I like the ancient analogies that are the ancient history analogies that Nick puts in here. Hammurabi makes it so builders have a vested interest in making sure that the buildings of Babylon don't collapse. What if every time someone got a scam, someone got scammed on Facebook, Meta had to refund the money that they were scammed?
Dave Bittner: Oh, wow. Yeah. That would could change the equation quick.
Joe Carrigan: Yeah. If you know, do what Hammurabi did. You know, say - your fate will be their fate, Facebook. You know, that guy - that person lost $80,000 thanks to a Facebook scam. Pay up. The Spartans held off the Persians at Thermopylae for three days by reducing their attack surface, but eventually they did lose the battle because they were up against a large nation-state actor with tons of resources. Right? The Persians actually did penetrate that and get through into the rest of Greece, which, by the way, at the time, was all just a bunch of city states, not Greece as we think of in modern terms. "The Art Of War" and Marcus Aurelius "Meditations" are great books. Make sure you get good translations on these, though. It's kind of important. Some of them are just wrong, so make sure you get good translations. I have my opinions if you want to know. Feel free to reach out.
Joe Carrigan: Overall, a great interview. I like that Nick uses your analogy on data becoming toxic when it, you know, some data can become toxic if you get too much of it together. You say it becomes radioactive. Think of it like nuclear material, fissile material that if you get enough of it together, it becomes dangerous. But, you know, sprinkled about the planet, it's fine. You know, it's not bad. Overall, very interesting interview. And I was really interested to hear Nick's story. And I'm going to pick up his book. Good review.
Dave Bittner: Yeah. Absolutely. Well, again, we appreciate Nick taking the time, a really interesting guest. So thanks again for being with us.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.