Hacking Humans 3.3.22
Ep 186 | 3.3.22

Phishing seems to be cyclical and thematic.

Transcript

Jeff Nathan: Phishing is one of those perennial things that everyone observes, especially those working in the information security space. But they seem to be cyclical, thematic, if you will.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my discussion with Jeff Nathan. He's the director of threat research at Norton Labs. We're discussing their most recent Consumer Cyber Safety Pulse Report. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we have a little bit of follow-up on something you and I were scratching our heads about on one of our recent shows. 

Joe Carrigan: Right. 

Dave Bittner: And our kind - Several of our kind listeners wrote in with an explanation. What do we got here? 

Joe Carrigan: So the first one comes from a tweet from - oh, I'm going to botch this last name (laughter) - Daniel Auroni (ph)? 

Dave Bittner: Quaroni, I believe. 

Joe Carrigan: Quaroni, yes. Daniel Quaroni. And his username on Twitter is @DanielQuaroni. And he says, @bittner, which is - I guess he's tagging you. 

Dave Bittner: Yep. 

Joe Carrigan: Quote, "do the needful" was a U.K. phrase that has fallen out of use, but it's still common in India. So it is an English phrase. 

Dave Bittner: Right. So just to back up a bit, we were wondering on - I believe it was a Catch - recent Catch of the Day. 

Joe Carrigan: Yes. 

Dave Bittner: It included this phrase, do the needful. 

Joe Carrigan: Right. 

Dave Bittner: And I think we suspected that it was some sort of automated translation... 

Joe Carrigan: Correct. 

Dave Bittner: ...'Cause neither of us were familiar with it. 

Joe Carrigan: We had - it was strange to our ears. 

Dave Bittner: Yes. 

Joe Carrigan: Another listener named Neville actually wrote an email in. Neville is a citizen of India, and he wrote to say that it is the equivalent of saying, hoping that you oblige. 

Dave Bittner: OK. 

Joe Carrigan: Right? Like, thank you in advance is what we say here in the U.S., I guess. Thanks in advance. That's what I say anyway. 

Dave Bittner: (Laughter). 

Joe Carrigan: Neville notes that this may not be a translation. This is actually a colloquialism in India. 

Dave Bittner: Right, right. OK. Well, good to know. I was not aware of that. I don't think I've heard that before, so... 

Joe Carrigan: I have not. 

Dave Bittner: No. Thanks to our kind listeners for sending that in. 

Joe Carrigan: For doing the needful. 

Dave Bittner: (Laughter) There you go. There you go. 

Joe Carrigan: (Laughter). 

Dave Bittner: We appreciate it. And, of course, we'd love to hear from you. If you have something that you believe requires our attention, you can send us a note to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into some stories here. Why don't you start things off for us? 

Joe Carrigan: Dave, my story comes from Lawrence Abrams at BleepingComputer. He has a story about a guy named mr.d0x, who is a penetration tester... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? So companies hire him to come in and try to break into their systems. 

Dave Bittner: Yeah. 

Joe Carrigan: And he had been using remote proxies - or reverse proxies, rather - to get around multifactor authentication for accounts. Now... 

Dave Bittner: OK. Explain that to me. 

Joe Carrigan: A reverse proxy is an attack where - I'm not exactly sure how it works. 

Dave Bittner: Yeah. 

Joe Carrigan: But essentially, you get the user to open up a proxy that you control. 

Dave Bittner: OK. 

Joe Carrigan: But that has a fingerprint to it that is easy for these service providers like Gmail and LinkedIn to see. 

Dave Bittner: OK. 

Joe Carrigan: And when they see that you're connected through a reverse proxy, they will refuse connection. Or they say they won't let you log in. I think LinkedIn actually disables your account. 

Dave Bittner: Huh. 

Joe Carrigan: So he needed a new way to do it, a new way to get around multifactor authentication. 

Joe Carrigan: OK. And this guy, being a creative penetration tester - right? - has come up with a way to do it that is remarkably effective, in my opinion, OK? So there's a tool out there called VNC. I don't know what that stands for, but it's essentially like a remote desktop... 

Dave Bittner: Yeah. 

Joe Carrigan: ...All right? And it's available for Linux systems, and it's available as part of the package systems with a lot of distributions. I think it's available on Ubuntu. If it's available on Ubuntu, it's probably available on a bunch of other ones, as well, because Ubuntu... 

Dave Bittner: And I think VNC stands for virtual network computing. 

Joe Carrigan: OK. So it lets you - what that does, essentially, is you can then connect to another computer, and it looks like you're sitting at the desktop. So, I mean, it's very much like remote desktop... 

Dave Bittner: Sure. 

Joe Carrigan: ...If you're not familiar with it all. 

Dave Bittner: A handy, legitimate tool. 

Joe Carrigan: Right, absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: But he has paired it with a browser, right? And browsers have a feature called kiosk mode, which lets you run - it's designed - it's another legitimate feature that lets you run a web browser as if that's the only thing the computer does. So think of a kiosk like in a mall. 

Dave Bittner: Yeah. 

Joe Carrigan: You walk up to - who goes to malls anymore, Dave? 

Dave Bittner: (Laughter) My kids (laughter). 

Joe Carrigan: Right. You walk up to the kiosk, and it's there. Well, that's probably a Windows machine - or it's some machine with a web browser, and you're just looking at a web app. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's how you're interacting with it. So the other tool he's using is something called noVNC. So I know it's going to get confusing in terms here, but VNC is actually the connection software. 

Dave Bittner: Yeah. 

Joe Carrigan: NoVNC is a JavaScript client for that connection software. 

Dave Bittner: OK. 

Joe Carrigan: You see where I'm going with this, Dave? 

Dave Bittner: I'm following you. 

Joe Carrigan: OK? So here's how this works. Mr.d0x sets up a VNC server with a browser running in kiosk mode, right? Then he sets up a web server with noVNC running that connects to that browser running in kiosk mode. 

Dave Bittner: OK. 

Joe Carrigan: Then he sends a phishing email to somebody with a link to the web server running noVNC connecting to the VNC's instance that is running a web browser in kiosk mode. So when the user sees it, it looks to them like they've loaded a webpage because before he sends the phishing email, he's gone to, like, maybe Gmail's login page or maybe the company he's attacking - he's doing the penetration test. He's gone to their login page. Whatever their system is for logging in, he's loaded that on the page. 

Dave Bittner: I see. 

Joe Carrigan: So when the user clicks the link, they're talking to a server that is then talking to his VNC server that looks just like the web login for the company's email because it is the web login for the company's email. 

Dave Bittner: OK. 

Joe Carrigan: So when the user sees the multifactor authentication code - you know, enter your six-digit code from your authentication app or what we just sent you via text... 

Dave Bittner: Right. 

Joe Carrigan: They enter that, and he has - essentially, what's happened is the user has unwittingly logged in for the malicious actor, essentially connected to a computer that the malicious actor controls and logged in on their account for them. 

Dave Bittner: So is mr.d0x here acting as a man in the middle and logging all of the keystrokes together - you know, the login information and the multifactor code? 

Joe Carrigan: Well, the multifactor code is only good once, right? 

Dave Bittner: Right, right. 

Joe Carrigan: But he's not actually - I mean, Lawrence Abrams' article links to the actual disclosure from mr.d0x about this. 

Dave Bittner: OK. 

Joe Carrigan: And he says here - mr.d0x says the ways that this can be abused are endless. All right? You can have JavaScript injected into the browser. You can have an HTTP proxy connected to the browser that starts logging everything, right? So, yes, you could start logging keystrokes. You can close the VNC session when the user connects and then just take over. 

Dave Bittner: That's what I was thinking of, OK. All right. 

Joe Carrigan: Right. 

Dave Bittner: Yup, yup. 

Joe Carrigan: You've got that. Now you're - you know, you shut down the web server and you open another one that you control and you're logged in as that user. 

Dave Bittner: Right. 

Joe Carrigan: And there's not much the user can do. 

Dave Bittner: So they logged in for you. 

Joe Carrigan: Exactly. 

Dave Bittner: Then you pull the plug on them. 

Joe Carrigan: Yep. 

Dave Bittner: But you're still logged in and have access to their account. 

Joe Carrigan: Correct. 

Dave Bittner: Wow. 

Joe Carrigan: So I - it's not stated in this article, but I think that a physical multifactor authentication token would not work on this attack. So if you're using something like a Google Titan or a YubiKey or anything that uses the FIDO open protocol or standard, I don't know that that would - I don't think that would work on this. 

Dave Bittner: Because it wouldn't pass through? 

Joe Carrigan: It wouldn't pass through, exactly. The request would be coming to your key from the hacker-controlled website, which means that when your key goes to generate the private keys, it will use the hacker-generated website and the challenge response will give an incorrect response. And Google will say, no, that's not the right response. 

Dave Bittner: I see. 

Joe Carrigan: Something hinky's going on here. 

Dave Bittner: OK. 

Joe Carrigan: So I know I don't like getting - we don't like getting technical on this podcast, but this was so cool. 

Dave Bittner: Too late (laughter). 

Joe Carrigan: Too late, right. This was so cool. This is such a remarkably good hack. This is why when I say use multifactor authentication - there are three different types of it in general, and the most secure one is a hardware token. And that will - I'm almost positive that will protect you from this. I've got to do a little more reading on it. But it's - this is why we say that SMS messages and the codes that you get from an app from - you know, the time-based codes... 

Dave Bittner: Right. 

Joe Carrigan: ...Are less secure than the other attacks now. 

Dave Bittner: 'Cause this would work against a time-based code as well, right? 

Joe Carrigan: Yeah, it would. Absolutely. 

Dave Bittner: Yeah. 

Joe Carrigan: It would work against a time-based code. 

Dave Bittner: So is the answer to this - in terms of protecting yourself, is it simply have a hardware key? 

Joe Carrigan: Yeah. Get a YubiKey or something comparable. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. I mean, I say YubiKey a lot. I always say that because they're the ones I know. If anybody has a recommendation for another key that implements FIDO or a similar protocol, I'd love to hear it. 

Dave Bittner: Yeah. 

Joe Carrigan: Titan - Google Titan also works. You know, it's... 

Dave Bittner: Isn't that just a rebranded YubiKey? I think it's a... 

Joe Carrigan: It's the same - it's - well, it's Google - Google's hardware. 

Dave Bittner: OK. 

Joe Carrigan: But it uses the same... 

Dave Bittner: Open protocol. 

Joe Carrigan: ...Open protocol. I don't know what - it's a standard, the open standard. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Uses the same open standard for authentication. 

Dave Bittner: OK. 

Joe Carrigan: It's basically a challenge response. 

Dave Bittner: Yeah. 

Joe Carrigan: So the way a cryptographic challenge response works - I'll go into that a little bit. This is kind of easy to understand. If I have a private key and I give you the public key, and I say, OK, you give me any random number... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? - and I'll give it to you and I will do something to it with my private key that you can verify with my public key - so the operation should be the same, right? So for example, you can encrypt a message to me with my public key that only I can decrypt, right? 

Dave Bittner: I see. 

Joe Carrigan: So if you say, I'm going to encrypt the number seven with Joe's public key, and then you send me the number 10, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And I get that, and I run the operation with my private key, and I say, oh, that should be seven. Then you know how - you know that I have the private key. 

Dave Bittner: So I have your public key. 

Joe Carrigan: Right. 

Dave Bittner: And I encrypt something using it. I can't then decrypt it using the public key. 

Joe Carrigan: No. It's a one-way algorithm. That's the nature of public and private keys. 

Dave Bittner: Right, right. All right. Well, an interesting story for sure. We'll have a link to that. 

Joe Carrigan: It is an interesting attack. Mr.d0x, thanks for publishing this. It's a great article that he wrote as well. If you want to get down the low technical weeds and learn how to do this, take a look at the link in the BleepingComputer article. 

Dave Bittner: All right. My story this week actually comes from the BBC. This is a long-term investigation some of their folks did. This is from - Leo Sands, Catrin Nye, Divya Talwar and Benjamin Lister were all the journalists who worked on this report. 

Joe Carrigan: That's a big group of journalists for one report. 

Dave Bittner: It is. And it's called "Jobfished: The Con That Tricked Dozens Into Working For A Fake Design Agency." 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So this is about a gentleman who goes by the name of Ali Ayad. And according to this report from the BBC, allegedly, he had spun up a design agency that he called Madbird Inc., a digital design firm in London, and he had recruited over 40 people to work for him with this company, actually - and over the period of time, more than that. I believe they even approached about 100 people... 

Joe Carrigan: Wow. 

Dave Bittner: ...Working for this company. But the way that he hired them was with contracts that said that their initial probationary period, six months, would be commission only, after which they would become full-time employees. 

Joe Carrigan: Right. 

Dave Bittner: And let's put this all in the framework and the perspective that this was also happening during the COVID pandemic. 

Joe Carrigan: Right. 

Dave Bittner: So people... 

Joe Carrigan: People are probably desperate for jobs. 

Dave Bittner: They're looking for work. They can work from home. These are all remote jobs. And so they were - this Madbird company and, in particular, this gentleman, Ali Ayad, was attracting lots of people to work for this organization. He had an impressive background on his LinkedIn and his bio on the company's website, saying that he had quite a design history - work as a professional designer working for companies like Nike, lots of big-name companies. And people were all on board. And evidently, he was running the company as if it were a real company. They had an active Slack channel. He would be - he was engaged with his employees. And I guess I need to put employees in... 

Joe Carrigan: Right. 

Dave Bittner: ...Air quotes because as they approach this sort of six-month period where people were expecting to get paid, it all kind of unwound. And it turns out there was no company. There were no clients. All of the portfolios that - the sample work that they were using to try to drum up business was all stolen from other companies. 

Joe Carrigan: What's his plan here? What's his... 

Dave Bittner: Well, that's one of the sort of mysteries about this story is they're not exactly sure. I mean, they speculate that maybe he did intend to have this be a real company and was just going about it in a way that was not on the up and up (laughter). 

Joe Carrigan: Right. 

Dave Bittner: And he ran out of time, that he - maybe he was legitimately hoping that in the six-month window that he sort of bought himself by having these odd employment contracts with people, that would be enough to win enough business to get this thing actually off the ground. 

Joe Carrigan: Right. 

Dave Bittner: They speculate that maybe he was just in it for the thrill of doing - of running this con. And it was a con. This guy also had a very - he was very active on social media. There's an example in here where he shared a photo of himself from his modeling career... 

Joe Carrigan: OK. 

Dave Bittner: ...Inside an issue of GQ magazine - a full-page ad that he was the model for. 

Joe Carrigan: OK. 

Dave Bittner: And the folks from the BBC who did their research found that that ad never existed. 

Joe Carrigan: I'm looking at the pictures right now. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's a picture of him photoshopped into an actual magazine. 

Dave Bittner: Yeah. 

Joe Carrigan: So, I mean, there's a magazine laying on a table, and the actual picture is of a watch ad. 

Dave Bittner: Right. Yeah, the actual magazine on that page... 

Joe Carrigan: Right. 

Dave Bittner: ...Had a picture of a watch - no humans in the picture at all. 

Joe Carrigan: Right. 

Dave Bittner: But the picture he was sharing around on social media was just him... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, nicely dressed and, you know, handsome guy. Also, it turns out that at least half a dozen of the senior officers in this company were made-up personas. 

Joe Carrigan: Didn't exist. 

Dave Bittner: They were people who did not exist. They were photos that were scraped from all over the web. One of them was a stock image from Getty Images. Another one they tracked down was a gentleman named Michal Kalis, who turns out is a beehive maker. 

Joe Carrigan: (Laughter). 

Dave Bittner: Right. So, yeah. 

Joe Carrigan: That's remarkable. 

Dave Bittner: Yeah. So the sad part of this story is that you have dozens of employees who were working in good faith. They were basically financing their own existence through money they borrowed. Some of them took out credit cards and so on and so forth. Multiple - these folks are interviewed in this story. As I was reading this, I was thinking about how, you know, to me, this is a prime example of the sunk cost fallacy, right? 

Joe Carrigan: Right. Absolutely. 

Dave Bittner: You know, as time goes on, these folks have sunk their time and their resources into the belief that this is going to pan out. And they don't want to cut loose because if they do, they'll lose all of that. 

Joe Carrigan: Right. 

Dave Bittner: So they keep hoping that it's going to pan out. And, of course, it never did. The article points out that many of the folks here are embarrassed to have been caught up in it. 

Joe Carrigan: Yeah. 

Dave Bittner: That's a common thread here we have. So they're less likely to report, you know, the company for not being on the up and up. 

Dave Bittner: Right. 

Dave Bittner: The BBC actually confronted this gentleman. 

Joe Carrigan: Oh, they found him? 

Dave Bittner: They found him. There's a video of them confronting him. And, you know, he's slippery. 

(LAUGHTER) 

Dave Bittner: You know, he says things like, well, some of the things were true. Some of the things were exaggerations. Some of the things were lies - and promised several times to sit down with an interview with them. And, of course, that never came to pass. 

Dave Bittner: Right. 

Dave Bittner: And he is - seems to have slipped away. 

Joe Carrigan: Has he broken any laws? 

Dave Bittner: Well, that's a good question. I would imagine - well, certainly stealing all the other companies' assets, all of their - and representing them as his own. 

Joe Carrigan: Yeah. That's - yeah. That's - that might be... 

Dave Bittner: It's fraud. 

Joe Carrigan: Yeah. That's fraud, I guess. 

Dave Bittner: Yeah. So I imagine he's violated several things in employment law and, again, fraud probably being the top one. This all happened in the U.K., so I don't - not up on what the specifics would be, but... 

Joe Carrigan: We need a barrister. 

Dave Bittner: (Laughter) We'll see if he gets run down here and if he actually gets brought to justice. But, you know, what really caught my eye about this story was this whole notion, you know, as they call it, job phished. 

Joe Carrigan: Right. 

Dave Bittner: And I think as we've got more remote jobs, this, I think, is the most elaborate of these sorts of scams that I've seen. But it's not the first one we've seen, people getting... 

Joe Carrigan: No, it's not. Seen a lot of these. 

Dave Bittner: Yeah. 

Joe Carrigan: And we're going to only see more of these as time goes on because one of the things the pandemic has done is a lot of office space is now going to remain vacant. Right? 

Dave Bittner: Yeah. 

Joe Carrigan: Companies have said, well, if I don't, you know, some companies have said, if I don't have to pay for office space and people will gladly give me part of their house for... 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: ...And pay for their own electricity and everything, why would I pay for my own office space? 

Dave Bittner: Yeah. 

Joe Carrigan: And I, you know, and that's kind of a benefit for the employee too, right? 

Dave Bittner: Sure. 

Joe Carrigan: They get to stay home if they like, you know, get to have your dogs in your office all the time. 

Dave Bittner: Yeah, no commute time, all that stuff. 

Joe Carrigan: No commute time. That's a real time suck, a commute. 

Dave Bittner: Yeah. 

Joe Carrigan: So, you know, it's - I think it's a happy medium. I'm not upset with it. But the situation does lend itself to exactly this kind of scam. 

Dave Bittner: Yeah. I think it's noteworthy also that this person, you know, had so much other stuff out there that if that - like on social media, so if you wanted to do your homework... 

Joe Carrigan: Yeah. If you did your due diligence, you'd find what you were looking for. 

Dave Bittner: Right. There was an active website full of employees. The LinkedIn profile had all sorts of praise from people that this person had, you know, allegedly worked with in the past and so on and so forth. So this would not be an easy one to track down as being a scam. 

Joe Carrigan: Yeah. I think the only tipoff is that you're starting as a six-month contract employee on commission only. 

Dave Bittner: Right. Right. 

Joe Carrigan: And that to me, you know, when I have - when I've been doing job searches, when people say it's a six-month temp-to-perm position, I tell them, no. 

Dave Bittner: Yeah. 

Joe Carrigan: I tell them no. And I've always told them no because I've always been suspicious of that, that it's - that there's some kind of scam behind it. And it's probably completely legitimate. And I can actually see a business reason why you want that, right? 

Dave Bittner: Yeah. 

Joe Carrigan: You want to try somebody out for six months and, OK, bring them on board. Make sure they're not somebody who has completely misrepresented themselves as an employee. 

Dave Bittner: Yeah. 

Joe Carrigan: Because then you have an employee that you can't, you know, that you have to manage, right? 

Dave Bittner: Right. 

Joe Carrigan: But it's a lot easier - it's just as easy to say we have a six-month probationary period where if it doesn't work out, we just part ways. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, and that, to me, I've accepted those kind of engagements, right? But not a temp-to-perm situation. 

Dave Bittner: Yeah. The flip side to this that I've seen is I've seen social media stories about scammers who have taken on multiple remote jobs at the same time. 

Joe Carrigan: Yeah. 

Dave Bittner: And, for example, someone will take a job of being a developer or a programmer... 

Joe Carrigan: Right. 

Dave Bittner: And they'll say, I take on the job. It takes them about six weeks to figure out that I am no good at the job, right? In that amount of time, I have collected X number of paychecks. They fire me. I move on. But, you know, if I have four or five of these going at the same time, I'm just turning over and churning and churning and churning, you know, profit - make millions right before people catch on. 

Joe Carrigan: Right. You know, that can only last so long because you do need your real identity to apply for a job, right? 

Dave Bittner: Yeah. Word gets around. But, you know, I guess that's the flip side to this sort of scam. It goes both ways. And this is the new world we're in with remote work. So be vigilant, right? (Laughter). 

Joe Carrigan: Right. And watch out for that sunk cost fallacy. You know, if you're not seeing any money coming out of anything, you know, understand that you've lost some time - OK. Time to walk away, I think. 

Dave Bittner: Yep. Yep. 

Joe Carrigan: It's tough to do that, though. It's really tough to walk away from a sunk cost, but you're vested. 

Dave Bittner: Yeah. 

Joe Carrigan: You're emotionally vested. 

Dave Bittner: Absolutely. All right. We will have a link to that story in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Our Catch of the Day comes from a listener named Randy (ph) who writes, hi, Dave and Joe. You get top billing this time, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: Love the show. As well you should, by the way. 

Dave Bittner: (Laughter). 

Joe Carrigan: I saw this email in my spam box today and thought you might enjoy it. I'm unsure what the end goal is here, but whatever it is, I had a great laugh. This one is a kind of short one, but we'll have some discussion afterwards. So why don't you read the email? It comes from Gmail, and Gmail has flagged it as suspicious. 

Dave Bittner: So it comes from - the return address on this is emaildepartmen (ph). 

Joe Carrigan: Right. 

Dave Bittner: No T at the end of it - and the actual email address is just a string of random characters at a - I don't know - generic dot com address. 

Joe Carrigan: Right. 

Dave Bittner: It could be anything. And then it says, why is this message in spam? It is similar to messages that were identified as spam in the past. So that's, I suspect, from Gmail, right? They've flagged... 

Joe Carrigan: Right. Yep. That's from Gmail. Yep. 

Dave Bittner: OK. And then it's - below it says, please confirm your unsubscription to remove your email from our list by replying unsub to this email. Thank you. 

Joe Carrigan: Right. 

Dave Bittner: OK. 

Joe Carrigan: What do you think's going on here, Dave? 

Dave Bittner: I don't know. What do you think is going on here? 

Joe Carrigan: I think somebody has a list of email addresses. This is a spammer. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And they're trying to validate the list of email addresses. 

Dave Bittner: I see. 

Joe Carrigan: Right? 

Dave Bittner: Yep. 

Joe Carrigan: They're sending out messages that when they get bounced back, they'll go, OK, I'll take that email off the list. And if somebody replies, unsub, they go, this one goes to the top of the list. 

Dave Bittner: I see. 

Joe Carrigan: Right? Because not only does this person have an email, but they're checking it, and they're silly enough to go ahead and reply to an unsolicited unsubscribe email address. 

Dave Bittner: Right. And so then they could either use this for spamming or they could sell the list as a more valuable... 

Joe Carrigan: Correct. 

Dave Bittner: ...Verified list. 

Joe Carrigan: Yep. 

Dave Bittner: Yeah. 

Joe Carrigan: That's my suspicion. 

Dave Bittner: OK. No, I like it. It's good. All right. Well, thanks to our listener for sending that in. We would love to hear from you. Our email is hackinghumans@thecyberwire.com. If you have something you'd like for us to consider on the air, send it to us. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Jeff Nathan. He is the director of threat research at Norton Labs. They recently released their Consumer Cyber Safety Pulse Report, and that was the center of our conversation. Here's my talk with Jeff Nathan. 

Jeff Nathan: What drives these Pulse Reports is this collection of telemetry we have - sort of a weather station, if you will - the sort of things that our various products see, as well as some positional data, trying to lick our finger, stick it up into the wind and get a sense of which way things are blowing. 

Dave Bittner: Well, I suppose - I mean, it's no surprise that you all have a good view of the sorts of things that are facing consumers out there. Can we go through some of the things that bubbled to the top here in this edition of the report? What caught your eye? 

Jeff Nathan: Sure. There are a number of themes that sort of shook out of this most recent version. Naturally, phishing is one of those perennial things that everyone observes, especially those working in the information security space. But they seem to be cyclical - thematic, if you will. There are certain themes and lures that pop up at different times of the year, and themes around tax credits, things around taxes and specifically around, you know, COVID themes have been pretty strong, especially as we get to the end of the year and people are preparing to file their taxes in the U.S. 

Dave Bittner: Yeah. You know, one of the things that caught my eye was the things that you all tracked in terms of people being tracked by their own browsers, their browsing histories, that there's all these online trackers. Can you give us some insights there of what you all discovered? 

Jeff Nathan: Sure. So there are - there has been a lot of research into really sophisticated tracking techniques that have been developed in an attempt to bypass the protections built into the browsers. And just as a bit of background, the major browser creators - that is, you know, Firefox, their foundation and Google's Chromium that then feeds into Chrome and whatnot - they all have initiatives out there trying to build a better browser to protect people who use them from being tracked. But just as that is happening, there is also a bit of an arms race in developing more sophisticated tracking techniques because advertisers drive so much of the commerce on the internet. And so through some pretty intense research, we were looking at some of the ways that people are being tracked in their browsers that evade the protections built into the browsers. That work led to some novel discoveries that then fed into some of our work that is now being driven out to our customers. 

Dave Bittner: Well, can you describe some of that to us? I mean, what sort of things are going on under the hood there? 

Jeff Nathan: It's interesting that you ask this. This is a - there's sort of a very timely element to this. But to be a little bit more specific, there are all of the things on the surface of the browser that people, even those who aren't super technical, can imagine. You know, there is what you're visiting, where you're coming from and the individual flavor of your browser. Are you running that browser on a popular operating system? Is it a popular browser? But then there's this tension between the information that your browser presents and where it came from, right? 

Jeff Nathan: So browsers are sort of big engines designed to parse the information that comes into them and render them to the person using it. But where that information comes from kind of dictates how the browser is going to treat that information. And you get this sense of sort of first party versus third party and - specifically with cookies. Also in that mix is to consider that web pages are sort of composed like a bento box of sushi, if you will. What might look to someone as a single page might have content that comes from all over the place. So when the browser goes to render all that content, depending on where it came from and where it's being referred to, the browser will apply a bunch of different rules to it. So knowing that, people who are in the business of tracking information have been trying to capitalize on the rules that the browser applies and to trick the browser into treating some of this third-party information as first-party information. And that's because the browser builds a bunch of rules around that. 

Jeff Nathan: And so this is part of that arms race. We determined that, you know, on the surface, people were aware of some of those techniques, but it actually gets a lot more complicated in terms of some of the techniques. And without revealing too much, perhaps, of what we're doing in our secret sauce, there's sort of an interesting story yesterday - and this is just a bit of an anecdote. Some... 

Dave Bittner: Yeah. 

Jeff Nathan: ...Researchers released a paper where they are now using individual fingerprints from a GPU. I mean, that's the graphics card in a browser and how they - they're each individually - they're each rendering something on the screen, but they are - everyone's computer is doing a bunch of things at the same time. So they have enough unique artifacts in what that graphics card is able to render, for ones that actually have a specific capability, that they were able to fingerprint them. That is, the researchers were able to use that as a fingerprint for a browser. And so that's emblematic of how sophisticated some of the fingerprinting can be. The browsers themselves offer so much functionality, a giant parsing engine and your primary interface to how you use the internet. 

Jeff Nathan: There's just a lot of knobs and buttons to twist and turn to not just render information in the browser, but to also gather information back from the browser, especially in building up a series of fingerprints or breadcrumbs that can be traced back to a bunch of the things people have done. One of the ones that sticks out for people is this fundamental tension between letting a site set a third-party cookie that is then used when you visit that third party. That's probably the example that most people are aware of, and even that in and of itself has been the subject to some of the arms race. 

Dave Bittner: You know, I think it's a little discouraging for folks who are trying to keep an eye on their own privacy. I mean, this report finds - points out that it doesn't take long, even after you clear your browser history, for things to kind of, you know, reestablish themselves and the folks out there who want to do this to start effectively and successfully tracking you again. 

Jeff Nathan: Yeah, the nature of how we use the internet kind of is predicated on using search engines. And search engines themselves, some of the most popular ones we use, are also tied to large advertising networks. So just the fact of how we use the internet and the fact of how it gets paid for, people might be surprised to learn that there is a global - a globally unique identifier that's going to be assigned to your browser by virtue of using that search engine, and then that specific identifier gets used all over the place. Because, referring back to that bento box of sushi, how browser pages get composed, some of those little boxes in that overall bento box might be coming from some service provided by that - the company behind that search engine, and all that provides a bunch of telemetry. So sure, go clear your cookies, but then your natural day-to-day activities start building that profile right back up again. 

Dave Bittner: Yeah. Are there advantages to using some of the browsers that claim to be privacy focused? Does it actually make a difference? 

Jeff Nathan: Well, that's a really interesting and nuanced question because a difference is probably best described as differences in measures of degree. There's a bunch of different ways we could describe that. One of the first and most prominent things that sort of describes our behavior in how we use the internet is that conversion of a name we remember into a sort of internet street address, a name in the internet's domain name system to an IP address. And that process is actually rich with intelligence. And so along the way, a new standard emerged. And that was, instead of you in your browser maybe using your service provider's servers to turn those names into street addresses, there was a newer technology that did that sort of in encrypted browser transactions. They're not exactly a browser transaction, but they're sort of similar to what your browser does. 

Jeff Nathan: And what that did was to eliminate some of the spying that can be done. People are concerned what their provider can see them do, and so this standard emerged to change who could observe it. And the idea being that there would be privacy between, say, the person and their browser and whoever provided the information as opposed to the old way, which was the person who was interested in using the internet and then all the hops along the way between them and the server that ultimately gave them the answer. So that in and of itself has sort of improved some of the privacy out there. So I would say yes, maybe with an asterisk, right? So even a non-privacy-focused browser is going to use this newer technology to turn a name into a number. And I guess all of the major browsers are also doing something. When we say major browsers, are we even talking about more than two, right? Anything based on Chrome or Chromium and then Firefox. But... 

Dave Bittner: I suppose there's Safari additionally. 

Jeff Nathan: Yeah. No, that's actually a pretty good point. The - all of the major browsers now have an initiative to sort of build privacy in. So then we have to look at, what is a browser that calls itself a privacy-focused browser, well, what else does it do, right? And so that's where I want to say it's kind of a tricky answer because they're out of the box. They're giving you a couple of additional plugins. If you look at Brave, for example, their Shields up is basically kind of repackaging some other plugins that people are already using. So are you getting a little bit more privacy? Yes. But one may also be creating a signal that they are unique. And I want to give you a little bit more specific example here just to go on a bit of a side path for a second here. 

Dave Bittner: Yeah. 

Jeff Nathan: If you remember when do not track became a big thing in browsers, right? 

Dave Bittner: Right. 

Jeff Nathan: And this was a - yeah, you could set that as a header that gets passed from the browser. Don't track me. Yeah. All of a sudden, a bunch of people who thought they would communicate this optional request to browsers - excuse me, to web servers from their browser, and then hopefully that would preserve their privacy. But take a step back and look at this from a 20,000-foot view, or, if you will, a giant collection of data and pretend you were just sifting that data into two categories, all the browsers that didn't send a do-not-track request and other browsers that did. And when you look at it sometimes from a high enough level, just this idea that you are trying to preserve your privacy, but depending on how that works, you may end up also giving away some information, giving away some privacy. 

Jeff Nathan: So to really kind of bring that home, do I think that the privacy-focused browsers do something? Yeah. And they make it easy for someone who isn't an expert or even hobbyist in privacy to maybe get a little bit more privacy than they would out of a browser that didn't do that because they might not be inclined to tweak a couple of settings or install a couple of plugins. 

Dave Bittner: So what's to be done here? I mean, what are the recommendations? Is - are - is this a hopeless fight, or are consumers able to take some reasonable measures here and improve their situation? 

Jeff Nathan: Very fair question and one that's tough to answer, but maybe it depends on how we look - how long we're looking out, right? In the short term, there is a lot of interest from a lot of parties in preserving privacy. And it seems that more and more people are becoming aware of privacy being an issue for them. The idea that as long as I'm not doing something wrong, it doesn't matter who's looking seems to maybe be leaving the social zeitgeist. So if you take that as a signal, that's a signal to the various companies who are responsible maybe for improving and providing privacy, yeah, I think that maybe more than ever, there's an incentive to deliver better privacy. 

Jeff Nathan: And that's why it really matters that, A, the people who make browsers are trying to build better privacy protections into the browsers, and then research groups such as our own over at Norton is working on really advancing the state of browser privacy and understanding the ways that the existing protections are being evaded and then building that into something that can get into the hands of someone. So it's not all bleak, but there's going to be an arms race for a while until maybe there's a big paradigm shift, and then privacy will move into maybe some different realms. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Themes, Dave, themes for phishing attacks. I think the people who run phishing campaigns have a calendar a lot like the Catholic liturgical calendar. Do you remember the Catholic liturgical calendar? 

Dave Bittner: I do, yeah. 

Joe Carrigan: But instead of having, like, Lent, there's tax phishing season. Instead of Advent, it's package delivery scams. 

Dave Bittner: Right. 

Joe Carrigan: Right? And I imagine this calendar, in my head, on a wall, and it's colored with, like, muted pastels for each season, each time of the year. 

Dave Bittner: Right. They change the decorations as the year goes by. 

Joe Carrigan: Right, exactly. Yeah. 

Dave Bittner: OK. 

Joe Carrigan: That's how I imagine this being. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: I don't know. It's probably completely inaccurate, but... 

Dave Bittner: Yeah. 

Joe Carrigan: Jeff makes a great analogy here - is that webpages are like a bento box of sushi, right? When you load up a webpage, there could literally be anything on it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And it could be - it could have pieces of third-party webpages. It could load other content. I mean - and that's been a feature of the web since its inception. 

Dave Bittner: Sure. 

Joe Carrigan: Right? It's just the way it's designed to work. 

Dave Bittner: Yeah. 

Joe Carrigan: So you don't really know what you're going to get. 

Dave Bittner: Yeah. 

Joe Carrigan: I want to know more about this GPU fingerprinting. I'm going to have to look for that research. But I think fingerprinting is an interesting concept in terms of web browsing. 

Dave Bittner: Right. 

Joe Carrigan: So the way this works is, if I know enough about you as somebody who accesses my website - and there's all kinds of things I can get. Like, I can run JavaScript on your web browser that collects information about how big your window - your web browser window is - right? - and reports it back to me. I can also ask it to do some kind of examination of your computer and tell me what kind of components you might have on it, right? 

Dave Bittner: Right. 

Joe Carrigan: Or I can benchmark it, which is what they were talking about with GPU fingerprinting... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And see how long it takes to process something. These kind of things are all feeding into a - some kind of large big data system that then is able to identify you when you connect again, even if you've blown away all your tracking data. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And it's remarkable how accurate it is. The GPU fingerprinting is just another piece of that puzzle. 

Dave Bittner: Yeah. 

Joe Carrigan: I cannot wait for third-party cookies to be a thing of the past. Will they ever stop? I don't know. 

Dave Bittner: (Laughter). 

Joe Carrigan: But, you know, I think there are some web browser manufacturers out there who have a vested interest in not doing that. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm looking at you, Google. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: But, you know, Jeff makes another good point. There are really only two browsers out there. There's the Chromium-based browsers and then the Firefox-based browsers. That's it. There aren't - oh, and you said Safari as well. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So three. 

Dave Bittner: Yeah. 

Joe Carrigan: So it's interesting that despite having all these browsers like Brave and - I can't remember what the other... 

Dave Bittner: Microsoft's Edge. 

Joe Carrigan: Edge - Edge is actually Chromium-based. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: But there - no, I was thinking of another one. Maybe Opera? Am I still - is Opera still a thing? 

Dave Bittner: Yeah, Opera is out there. Yep. 

Joe Carrigan: That's Chromium-based, right?

Dave Bittner: Yep. 

Joe Carrigan: So, you know, you're not looking at a large ecosystem. You're looking at a... 

Dave Bittner: Right. 

Joe Carrigan: (Laughter) You know, what seems to be a large ecosystem but isn't. 

Dave Bittner: Right - not a lot of genetic diversity out there... 

Joe Carrigan: Right, exactly. 

Dave Bittner: ...In the browser world (laughter). 

Joe Carrigan: Good question about the privacy-focused browsers - DNS over HTTPS, or as they call it, DoH, is very helpful. 

Dave Bittner: Yeah. 

Joe Carrigan: But using privacy-focused features of a browser is just another data point for a fingerprint, right? So if you think about it, it probably provides, you know, a bit - one bit of entropy... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Whether or not this person has this enabled or not. And it's easy to identify if they do because the browser actually requests that you don't track them. Of course, you're bound by the ethical responsibility of the company you're asking not to track you because it is a do-not-track request, not an order. It's a request. 

Dave Bittner: Right. 

Joe Carrigan: Be clear about that. Jeff thinks that people are starting to walk away from the idea of, if I don't do anything wrong, I have nothing to fear. I really hope so. 

Dave Bittner: Yeah. 

Joe Carrigan: I really hope so. This is one of the biggest - this has been, traditionally, one of the biggest impediments to privacy and privacy - progress in the field of privacy over a long period of time. You know, I've told people, you don't want to be - have all this data collected about you. And they're like, well, it doesn't matter. I'm not doing anything that I'm concerned other people know. But chances are, if you think about it, you are doing things that you don't want everybody to know. 

Dave Bittner: Right. 

Joe Carrigan: Right? And it's not anything nefarious. You know, it's things that just help identify you demographically with certain groups. And maybe you don't want everybody to know what your median - or, you know, what your household income is, right? 

Dave Bittner: Or when I have an appointment with a doctor. 

Joe Carrigan: Or when you have an appointment with a doctor - right. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, maybe you want to keep that kind of stuff private. 

Dave Bittner: Sure. 

Joe Carrigan: I think it's better that we're starting to move in that direction, and I'd like to see more people move in that direction. And every time I talk to anybody, I try to help move them in that direction by scaring the crap out of them. 

(LAUGHTER) 

Dave Bittner: Very good, very good. All right. Well, our thanks to Jeff Nathan. Again, he's the director of threat research at Norton Labs, and the report is their Consumer Cyber Safety Pulse Report. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.