Online threats turned real-world danger.
Laura Hoffner: So ultimately, going back to where is it freedom of speech, but then where does it go into inciting violence? One is protected under our Constitution. The other is absolutely not.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Laura Hoffner. She is executive vice president at Concentric, and we're going to be discussing the dangers of online threats turning into real-world violence.
Dave Bittner: All right, Joe, we got some good stories to share this week. I'm going to start things off for us. So, you know, I have another show I do on our CyberWire network called "Research Saturday."
Joe Carrigan: Yes.
Dave Bittner: And that is where I talk to information security researchers about the research they're doing and share the story of the research. So I recently spoke to a gentleman named John Hammond from a company called Huntress, and they're in the threat hunting business. And we were talking about some of their research on malware called BabyShark, which is a...
Joe Carrigan: (Laughter) BabyShark.
Dave Bittner: Yes, it's called BabyShark.
Joe Carrigan: Thanks, Dave.
(LAUGHTER)
Joe Carrigan: You know what I have in my head, right? Everybody...
Dave Bittner: I do. Yes, I do.
Joe Carrigan: Everybody out there has that same thing in their head.
Dave Bittner: Well, I didn't name it, so...
Joe Carrigan: (Laughter).
Dave Bittner: And it's very interesting research from them and goes into a lot of the technical stuff. So if that's something you're interested in, that'll be coming up on "Research Saturday" in the next couple weeks. But what drew my attention and what I think is relevant to this show is the actual phish that the bad guys used and the phish bait that I thought was particularly novel and, in this case, very effective. So let me set the stage for you.
Joe Carrigan: OK.
Dave Bittner: These bad people, who we suppose were from China...
Joe Carrigan: OK.
Dave Bittner: ...Were targeting think tanks.
Joe Carrigan: Right.
Dave Bittner: So political organizations, you know, people coming up with policy opinions and things like that - right?
Joe Carrigan: This is something that China frequently does.
Dave Bittner: They do, indeed. So what they did was they would reach out to people that they were targeting. And the email would say, VOA Interview Request - China's Role in North Korea Diplomacy in Times of Rivalry. So VOA is Voice of America.
Joe Carrigan: Right.
Dave Bittner: And they would say, I hope you've been well. This is so-and-so with VOA Korean Service. I'm collecting experts' opinions, looking at how China will factor into North Korean diplomacy. Will you be available for answering the below questions with about 200 words respectively? I hope you kindly consider. I'd be very grateful if you could send me your answers within five days. Thank you. And then there's a return address to Voice of America, so on and so forth, and four questions, right?
Joe Carrigan: Right.
Dave Bittner: And they're all reasonable questions. So the person who gets this - and I will add, no links, no attachments, right?
Joe Carrigan: Right.
Dave Bittner: There's nothing...
Joe Carrigan: Nothing seemingly malicious here.
Dave Bittner: Just looks like a regular old email.
Joe Carrigan: Right, looks like a media request email. I get these frequently.
Dave Bittner: Yes. Yes. The victim replies and provides the answers to the questions, thinking that they're talking to someone at VOA. They want to be helpful.
Joe Carrigan: Right.
Dave Bittner: The threat actor responds and says, many thanks for this. It's very good material. I did rearrange it a bit. To be secure, this is protected, and they have a link with a password. And they say, please let me know if it meets your mind. Thank you for your time and consideration again. So what they've done here, they've said great job.
Joe Carrigan: Right.
Dave Bittner: We had to make a few edits.
Joe Carrigan: Yep.
Dave Bittner: Before we use this, will you please review the edits?
Joe Carrigan: Right.
Dave Bittner: To make sure this is secure, I provided a password-protected link. Here's the password. So now if the person goes through, it's a OneDrive link. They get a - they download a file.
Joe Carrigan: Right.
Dave Bittner: The file was named VOA underscore Korea dot zip, right?
Joe Carrigan: Dot zip.
Dave Bittner: Dot zip.
Joe Carrigan: OK.
Dave Bittner: They open the file.
Joe Carrigan: Right.
Dave Bittner: It's an Excel - or no, I'm sorry, it's a Word document.
Joe Carrigan: Word document.
Dave Bittner: Right.
Joe Carrigan: Probably teeming with malicious macros.
Dave Bittner: They open the word document. They get a thing that comes up that says, please enable macros.
Joe Carrigan: Uh-huh.
Dave Bittner: (Laughter) And Bob's your uncle.
Joe Carrigan: Right.
Dave Bittner: Right? So they are got.
Joe Carrigan: Right.
Dave Bittner: Now, what I think is particularly clever about this is the path that they lead the victim down...
Joe Carrigan: Right.
Dave Bittner: ...By initially doing something innocuous, establishing trust, doing it in a way that they can stroke their ego a little bit - hey, you're an expert on this. Would you provide your opinions? People love to provide their opinions, right?
Joe Carrigan: Right.
Dave Bittner: Right. And so they have an exchange back and forth, establishing rapport. Then they provide a link with a password. Well, something with a password - that couldn't be bad. Passwords make things safe, right Joe?
Joe Carrigan: Right.
Dave Bittner: (Laughter) And then at this point, they download the file - a properly named file. Nothing unusual here.
Joe Carrigan: This is a lot of effort. This sounds like it's an intelligence agency running this effort.
Dave Bittner: Yes. And I believe it is.
Joe Carrigan: Yeah.
Dave Bittner: I believe it is. But that's what really caught my attention here was the degree to which they go through the effort, but also the effectiveness of it.
Joe Carrigan: Right.
Dave Bittner: I think this is a pretty good pretense for...
Joe Carrigan: This is something...
Dave Bittner: ...Pretense for a phish, right?
Joe Carrigan: Every now and then, I come across one of these things that I say, this is something that would work on me, right? And this is one of them because, like I said, I, from time to time, will get media requests that look very much like this.
Dave Bittner: Yeah.
Joe Carrigan: I will - generally, if somebody wants to - wants me to write something, I might take the time to do that, depending on who it is. Like, I think there was one thing I did for The Wall Street Journal that, like, I actually wrote something, right? And the - Voice of America is an outlet I know.
Dave Bittner: Sure.
Joe Carrigan: Right? Maybe I would write something for them.
Dave Bittner: Yeah.
Joe Carrigan: And then they would send me something - I would like to think that when I got the email attachment that said - or when I got the file that said, please enable macros, that I would have been like, hmm.
Dave Bittner: (Laughter) And I have to say, in my interview with John Hammond from Huntress, he made the point - like, this is the part where the security researchers were sort of banging their head against the desk, going, you know, all of these protections we put in place...
Joe Carrigan: Right.
Dave Bittner: ...All of these things we do, and the person still enabled macros...
Joe Carrigan: Right.
Dave Bittner: ...All the training.
Joe Carrigan: Yeah.
Dave Bittner: You know, so while the training is good, the training is important, you still have to have defense in depth. You have to have, beyond that, things that can catch this sort of thing.
Joe Carrigan: Right.
Dave Bittner: And according to their research, once these folks got into the system, they were in there for about a year.
Joe Carrigan: Really?
Dave Bittner: Yeah.
Joe Carrigan: Well, that's not uncommon.
Dave Bittner: Yeah.
Joe Carrigan: You know, we often talk about the economic situation of these malicious actors, but when you're talking about an intelligence agency, their incentive is different, right? It's still an economic situation if you look at it, right?
Dave Bittner: Yeah.
Joe Carrigan: Depending on if you, like, read, like, what - Dubner and Levitt, the "Freakonomics" guys.
Dave Bittner: Yeah.
Joe Carrigan: They talk about the economic incentives are not always monetary. They're - but they're still incentives.
Dave Bittner: Yeah.
Joe Carrigan: And these guys are incentivized to lay low and just collect information.
Dave Bittner: Right.
Joe Carrigan: That's their job.
Dave Bittner: Right.
Joe Carrigan: So that's what they do. They're not trying to monetize this; they're just trying to collect - the value is the information. So that's something that lets them remain as unobtrusive as possible while collecting all the information. That's why these intelligence agencies - when they get in, they tend to stay there for a long time, like a year.
Dave Bittner: Yeah. Yeah. So again, interesting story. We'll have a link to the actual research from the folks over at Huntress. And again, there's a "Research Saturday" episode that digs really deep into this that'll be coming out probably in the next couple weeks. So if you're interested in that, stay tuned. That'll be coming up soon. That is my story this week. What do you have for us, Joe?
Joe Carrigan: Dave, I meant to tell you this last week, but I am now a crypto millionaire.
Dave Bittner: Really?
Joe Carrigan: That's right.
Dave Bittner: Again?
Joe Carrigan: Yes.
Dave Bittner: OK (laughter).
Joe Carrigan: I bought a million Shiba Inu tokens, so now I have a million tokens.
Dave Bittner: OK.
Joe Carrigan: So, you know, it cost me 25 bucks to become a millionaire (laughter).
Dave Bittner: That's a very interesting...
Joe Carrigan: I don't have a million...
Dave Bittner: ...Definition of millionaire.
Joe Carrigan: Yeah, I have a million of something.
Dave Bittner: If I say I have a million squares of toilet paper, am I a millionaire?
Joe Carrigan: Well, no, because that's not a token or a coin that you can exchange for things, right?
Dave Bittner: Oh, I can imagine circumstances where it could become valuable and worth exchanging for things.
Joe Carrigan: Oh, yes. Yes (laughter).
Dave Bittner: But I digress. Go on.
Joe Carrigan: If you go back two years, it becomes very valuable.
Dave Bittner: I don't mean to hijack your conversation here. Go ahead, Joe (laughter).
Joe Carrigan: Also, recently, I installed a noncustodial wallet on my phone to hold some dogecoin, right?
Dave Bittner: OK.
Joe Carrigan: Another equally valuable cryptocurrency (laughter).
Dave Bittner: Well, you're a high roller, Joe.
Joe Carrigan: I am, Dave.
Dave Bittner: You're a high roller.
Joe Carrigan: I am.
(LAUGHTER)
Dave Bittner: OK.
Joe Carrigan: And, you know, right now I have about 20 bucks in this wallet.
Dave Bittner: All right.
Joe Carrigan: It's not a lot of money.
Dave Bittner: Do you have your phone handcuffed to your wrist...
(LAUGHTER)
Dave Bittner: ...So no one can grab it and run off?
Joe Carrigan: Yeah, I'm really worried about it.
Dave Bittner: Yeah, OK (laughter).
Joe Carrigan: I even went so far as to make some silly bet with my wife. I can't remember what it was. But I said, I'll bet you 10 dogecoin that's not the case, right? And I lost the bet.
Dave Bittner: Aww.
Joe Carrigan: So I had to go out and install a crypto wallet on my wife's phone and then send her 10 dogecoin (laughter).
Dave Bittner: I see.
Joe Carrigan: That was about 14 cents.
Dave Bittner: OK. Wow.
Joe Carrigan: It's a lot of money.
Dave Bittner: Yeah.
Joe Carrigan: Right? A lot of cryptocurrency.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: But all of this got me thinking about scams that are connected to cryptography - or cryptocurrency.
Dave Bittner: Yeah.
Joe Carrigan: Not cryptography. But - because if you think about cryptocurrency scams, one of the big benefits of cryptocurrency, alleged or - you know, one of the benefits that's touted is it's a decentralized means of transferring something of value.
Dave Bittner: Yeah.
Joe Carrigan: Right? Or something...
Dave Bittner: Right.
Joe Carrigan: ...That we can say has value.
Dave Bittner: Right.
Joe Carrigan: It's intrinsically not valuable.
Dave Bittner: We all agree.
Joe Carrigan: Right.
Dave Bittner: We all buy into the fantasy that it has value...
Joe Carrigan: Right.
Dave Bittner: ...Which is - I mean, you know, fiat currency is pretty much the same thing...
Joe Carrigan: ...The same thing. Right. We all agree that it has some value.
Dave Bittner: Although, that has the good faith and backing of, you know...
Joe Carrigan: ...The federal government.
Dave Bittner: ...The federal government and the FDIC insurance and so on and so forth. But go ahead.
Joe Carrigan: But because these things are decentralized, they're - I mean, they're trying to regulate it, but really, the process will never be able to be regulated. So if somebody says to you, Dave, give me ten dogecoin.
Dave Bittner: Yeah.
Joe Carrigan: There's nothing you can ever do to get those coins back. Once it goes out of the blockchain, it's permanent, right?
Dave Bittner: OK.
Joe Carrigan: So that's...
Dave Bittner: ...Help me understand here, because haven't we had cases recently where law enforcement has clawed back...
Joe Carrigan: They have.
Dave Bittner: ...Cryptocurrency funds?
Joe Carrigan: They have. But you know how they did that? They broke...
Dave Bittner: They had guns. That's how they did that.
(LAUGHTER)
Joe Carrigan: Right, they have guns.
Dave Bittner: Right.
Joe Carrigan: That's right. They put a gun to somebody's head and say, give me the keys.
Dave Bittner: Yeah, very...
Joe Carrigan: Actually, what they did in that case - that was the Colonial Pipeline case.
Dave Bittner: Yeah.
Joe Carrigan: They found the affiliate organization - not the actual ransomware company, but the affiliate who got the bulk of the cryptocurrency.
Dave Bittner: OK.
Joe Carrigan: They found their keys online.
Dave Bittner: Right.
Joe Carrigan: Their private keys.
Dave Bittner: OK.
Joe Carrigan: So once you have that, you have access to transfer the money out of the wallet.
Dave Bittner: OK.
Joe Carrigan: Right? Now, that brings me to this new Better Business Bureau report that came out last week about cryptocurrency scams, right? They say that cryptocurrency scams accounted for the second-highest losses reported to the FTC, with about $750.
Dave Bittner: Wow.
Joe Carrigan: And there are a couple of ones I wanted to talk about in here. One of the things they said in this article was the cryptocurrency market offers new opportunities for tried-and-true investment frauds, such as Ponzi schemes and fraudulent initial coin offerings, right?
Dave Bittner: Sure. Yeah.
Joe Carrigan: Anybody can say, hey, I'm going to start a new cryptocurrency, right? And you can actually do it. Or you can just say, give me the money, and I'll give you the coins once we start the blockchain and then disappear, right? So I wouldn't go in on an initial coin offering.
Dave Bittner: OK.
Joe Carrigan: That is not how I would get involved with something...
Dave Bittner: Right.
Joe Carrigan: ...Personally. But one of the big things they do - these scammers do, is they do fake investments. And the Better Business Bureau talks about this in this report or in this article. You can link to the report from the article. But they say, after purchasing cryptocurrency, people are directed to websites where they create an account in order to monitor their investments. Now, these websites are - look real, for all intents and purposes, right? But they're not. Any time you want to make a withdrawal of your earnings, you're asked to pay more money to cover taxes or commissions or fees. And ultimately, you can never get your money out. They have one example of a customer who began learning about bitcoin in the summer of 2021. Probably locked in, you know...
Dave Bittner: What else are you going to do?
Joe Carrigan: What else are you going to do?
Dave Bittner: Right.
Joe Carrigan: Right. So she reached out on WhatsApp to an investing service she saw mentioned repeatedly in the comments of a YouTube video about bitcoin, all right? So here's what's going on behind the scenes. There's these scammers. They're watching - they know where the bitcoin videos are. So they get on there, and they go into the comments, and they go, hey, if you want to invest in bitcoin, contact us on WhatsApp.
Dave Bittner: Right.
Joe Carrigan: Right?
Dave Bittner: Right.
Joe Carrigan: Then you get on WhatsApp, which is an end-to-end encryption communication channel owned by Facebook, so don't use it.
Dave Bittner: (Laughter).
Joe Carrigan: I should say Meta, I guess, now.
Dave Bittner: It's Meta. Yeah. Right.
Joe Carrigan: So these guys start scamming these people. She was instructed to buy $1,500 in bitcoin via Cash App. Dave, did you know that you could buy bitcoin on Cash App?
Dave Bittner: I did not. No.
Joe Carrigan: Right over there, that's my phone.
Dave Bittner: OK.
Joe Carrigan: I have the Cash App app on that phone.
Dave Bittner: OK.
Joe Carrigan: Right? I didn't know I could buy bitcoin with it.
Dave Bittner: Oh. Who knew?
Joe Carrigan: But I looked it up as part - you know, as part of my exhaustive research for this episode.
Dave Bittner: Right.
Joe Carrigan: Sure enough, there it is. I can buy bitcoin with it.
Dave Bittner: Oh, OK.
Joe Carrigan: I don't know if that means - I didn't buy any bitcoin with it 'cause, you know, I don't have that kind of money, Dave. I save my money for dogecoin and Shiba Inu coins.
Dave Bittner: Sure, sure. When some people zig, you zag.
Joe Carrigan: Right. That's right.
Dave Bittner: Yes (laughter).
Joe Carrigan: So she sends this - sends the bitcoins via Cash App. And 10 days later, she receives a screenshot displaying a balance that she had more than $7,300.
Dave Bittner: Oh.
Joe Carrigan: So she's very happy. She says, let me have some of my earnings. And they say, oh, there's a 10% commission and broker's fee of more than $800, right? So it's more than - it's a 10% commission plus a broker fee.
Dave Bittner: Yeah.
Joe Carrigan: So - and they're saying, OK, that's going to be 800 bucks to get your $7,300. She pays both because she thinks, I'm still up.
Dave Bittner: Right.
Joe Carrigan: And then she receives an email to pay an additional sum of nearly $1,200 to withdraw her money. And that's when she realizes this is a scam. So she gets off fairly cheap, right? She gets out of here for a little over $2,000.
Dave Bittner: Yeah. That's an expensive lesson.
Joe Carrigan: It is. It is. But we've seen losses that are much higher.
Dave Bittner: Sure.
Joe Carrigan: And immediately, what I'm happy to hear is that this woman said, yeah, this is a scam. I'm done. And if she'd have paid that 1,200 bucks, there would have been another fee after that. They would have just kept charging her fees. That's how this works. So the tips - they have some tips in here. No. 1 is guard your wallet. So you have two ways you can keep your cryptocurrency - two main ways. You can keep them in your personal wallet, or you can keep them in an exchange.
Dave Bittner: OK.
Joe Carrigan: The exchange manages the wallet for you, so you don't have to worry about that. But if you have your own wallet, like an app on your phone, that's actually a crypto wallet that holds cryptocurrency, then you have, on your phone, the keys - the private keys.
Dave Bittner: Right.
Joe Carrigan: Right.
Dave Bittner: The cryptographic keys.
Joe Carrigan: The cryptographic keys.
Dave Bittner: OK.
Joe Carrigan: And one of the ways that you can transmit those keys is by something called a key phrase, right? It's a passphrase...
Dave Bittner: OK.
Joe Carrigan: ...That's a bunch of different words that are not - don't make any sense, but they're random. But really, what these are - these words just map to different sections of your key. So if you enter the words in the correct order, you are able to reconstruct your key.
Dave Bittner: OK.
Joe Carrigan: One of the big scams that these guys do is they try to get you to give them that...
Dave Bittner: Oh.
Joe Carrigan: ...Because then they just need to install the wallet on their phone, enter the passphrase, and they have all your private keys. And bam, they will empty out your wallets in a matter of seconds.
Dave Bittner: I see.
Joe Carrigan: So don't do that.
Dave Bittner: Yeah.
Joe Carrigan: Guard your wallet.
Dave Bittner: Right.
Joe Carrigan: Don't pay for products with cryptocurrency. That's another big scam, apparently. You know, I don't know how I feel about that one. You know, if there's a business out there that accepts products via cryptocurrency - or accepts payments via cryptocurrency and it's a reputable business, maybe.
Dave Bittner: Yeah.
Joe Carrigan: If you're going to do an in-person trade, that's probably fine, right? Beware of fake recovery companies, right? Somebody tells you that they're going to get your cryptocurrency back, unless those people are, like you said, government officials with guns, they're probably not going to do that.
Dave Bittner: (Laughter) Right. Right.
Joe Carrigan: You know?
Dave Bittner: Right.
Joe Carrigan: It's just not really possible.
Dave Bittner: Yeah.
Joe Carrigan: Be wary of celebrity endorsements. We've seen this multiple times. There's always that picture of Warren Buffett holding the big bitcoin.
Dave Bittner: Right (laughter).
Joe Carrigan: That's actually not a celebrity endorsement.
Dave Bittner: Right.
Joe Carrigan: Only download apps from the Google Play Store or the App Store. And even here, you're probably not 100% safe. Some of these apps are going to be - you know, there's nothing that says in an app store that the app is - if the app is relatively new, they could give you a wallet address that looks like it's your wallet address, and it's just their wallet address, and the bitcoin never shows up in your wallet on your phone. It just goes directly to them, right? And finally, the last one I'm going to talk about here is if you are looking at crypto investments, never believe promises of guaranteed returns. There is no such thing as a promise of guaranteed returns in cryptocurrency, even if you're talking about staking cryptocurrencies, which actually pay, like, dividends for holding the cryptocurrency...
Dave Bittner: Yeah.
Joe Carrigan: ...Because it uses a different way of generating the next block. There's no guarantee that that's going to be profitable for you.
Dave Bittner: Mmm hmm.
Joe Carrigan: Period.
Dave Bittner: Right, and it's not like - you know, a bank account is FDIC insured. Like, that doesn't exist down there.
Joe Carrigan: That does not exist in cryptocurrency. You are taking risks. Do not invest any cryptocurrency money you are not prepared to absolutely lose. Like the 25 bucks I paid to become a Shiba Inu millionaire, Dave...
Dave Bittner: (Laughter).
Joe Carrigan: ...I am prepared to absolutely just lose that 25 bucks. In fact, I view that 25 bucks as the cost of me being able to tell people I'm a crypto millionaire.
Dave Bittner: Think of your kids, Joe. Think of your kids. This...
Joe Carrigan: I paid 25 bucks to make a joke.
Dave Bittner: ...Reckless, reckless disregard for the well - the future well-being of your family. Twenty-five dollars - goodness. Oh.
Joe Carrigan: Yes.
Dave Bittner: Oh. My heart breaks.
(LAUGHTER)
Dave Bittner: All right. Well, yeah, interesting stuff, and good advice, for sure.
Joe Carrigan: Yeah.
Dave Bittner: We will have a link to that. Again, that's from the BBB, the Better Business Bureau. They've always got good information on this stuff. You know, it sort of surprises me because I think of the BBB as being kind of one of those old brands.
Joe Carrigan: Yeah.
Dave Bittner: But they're staying current with this...
Joe Carrigan: They really are.
Dave Bittner: ...Stuff.
Joe Carrigan: They're doing a good job with it.
Dave Bittner: Yeah, yeah.
Joe Carrigan: I'll agree with that 100%.
Dave Bittner: All right. Well, those are our stories this week. We will have links to them, of course, in the show notes. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Andre, who writes, Dave and Joe, saw this email titled please, I urgently need you to help, and immediately thought of your amazing podcast. Well, thank you, Andre. I've enjoyed the content for many years. Thanks for all you do for the security community. All right. So Dave, why don't you go ahead and read this email?
Dave Bittner: All right, goes like this. I am John White of the U.S. Army Force and one of the commanding officers of the U.S. Central Command here in Syria. Please, I urgently need you to help me safeguard the amount of money I have here in my possession, which is worth the sum of $11,500,000 USD. I came across this mega cash while on operation as we were on a massive attack, a campaign against the ISIS terrorist group. But minding how horrible and risky it is here in this military camp, I deemed it necessary to look out for a trusted fellow who would assist me in safeguarding the cash until I get out of this horrible zone. It was on this effect that I started the search here online for an honest person whom I can trust to help me safeguard the cash, and I came across your mail address, and I want to know if you're willing to do this deal. I want you to know that I am willing to offer you 40% of the total amount, which is $11.5 million. If you do help me safeguard this money and out of here, I will email you the details on how I plan on moving the cash out of this place as soon as I receive your response. Please get back to me ASAP. Thanks, John White.
Joe Carrigan: (Laughter) Sounds like an American, doesn't it?
Dave Bittner: Yeah, sure.
Joe Carrigan: Yeah. Sounds like someone whose first language is English.
Dave Bittner: Now my throat is sore, but go ahead.
(LAUGHTER)
Joe Carrigan: This is great. I don't think we have a military presence in Syria, Dave.
Dave Bittner: Ah, is that right? Yeah, it's hard to keep track of sometimes.
Joe Carrigan: It is.
Dave Bittner: (Laughter).
Joe Carrigan: It is. Here's another thing - the U.S. Army will never need anybody else's assistance in moving around $11.5 million.
Dave Bittner: No.
Joe Carrigan: That is something they can handle.
Dave Bittner: Yeah.
Joe Carrigan: You know, if they - you know, from time to time, they do come into large caches of things, like weapons and possibly money.
Dave Bittner: (Laughter).
Joe Carrigan: They don't have any problem taking care of those things. They don't need your help. Nobody's going to give you 40%. I mean, that's just - first off, the whole thing's a scam, of course.
Dave Bittner: Yeah.
Joe Carrigan: It's an advance fee scam.
Dave Bittner: Yeah.
Joe Carrigan: Right? Hey, help me out. OK, now I need $2,000 to set up this bank account.
Dave Bittner: Mmm hmm.
Joe Carrigan: And then I'll transfer the money in there, and then you - OK, now they need another $3,000 for this. It's going to be the same kind of thing like it was in the story - in my story today, where they just start adding follow-on fees.
Dave Bittner: Right.
Joe Carrigan: Never engage with these people. Just delete the email, or better yet, send it to us so we can all have a good laugh.
Dave Bittner: (Laughter) There you go, there you go. All right. Well, our thanks to Andre for sending that in. We would love to hear from you. If you have something you'd like us to consider for our Catch of the Day or a story you'd like us to cover, you can send it to us. It's hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Laura Hoffner. She is executive vice president at Concentric. And we're discussing the dangers of online threats turning into real-world violence. Here's my conversation with Laura Hoffner.
Laura Hoffner: This is an entire generation and career that we just haven't had to deal with until the recent history, and so we are slowly catching up as to how best to support this unique security paradigm that these influencers do have. And I think it ultimately comes down to an accessibility and a desensitization problem. So accessibility - meaning, when in the past have we been able to watch someone in their bedroom, be able to interact with them on a regular basis and hear their stream of consciousness without feeling like we are their best friend - right? - and so that line of that accessibility being the norm now, but that does not necessarily inherently mean that you have a relationship with them. And then the desensitization - as these poor influencers are streaming throughout their role online, the threats and the comments on who they are, what they look like, where they're living and things that could be done to them is perceived as normal and OK. And so when that threshold for the noise is just so high, it's very hard to discern where it becomes a threat versus this freedom of speech line. So ultimately, going back to - where is it freedom of speech, but then where does it go into inciting violence? One is protected under our Constitution. The other is absolutely not.
Dave Bittner: Yeah, I mean, it strikes me that part of what is going on here is a real shift in how we think about celebrity. You know, I think for me, being a little older and growing up and thinking of the celebrities that I admired or, you know, aspired to maybe meet someday - part of being a celebrity was that you had a team of people around you who were sort of managing these things. And it strikes me that these days, you know, someone - a YouTuber or a TikToker, you know, can set up in their room, and it's really just them.
Laura Hoffner: Right. The differences are, 1, the size of that entourage, right? Right now, there's just so many of our celebrities and influencers these days that they just can't possibly have that same entourage that they used to. But then also, those celebrities in the past had a very specific time where they were available to the public. They were playing a game, and they could be seen for those - that hour, hour and a half, or they're going to be going to a movie and a show, and that was it. The accessibility would start and stop at that point. But now, what we're seeing is it's constant. You're livestreaming as soon as you wake up in the morning, showing them where you're going for your breakfast, coffee, etc., throughout the entire day. So people can follow you, and that obsession tendency can be very real.
Dave Bittner: What do you say to folks who say, well, you know what? These folks should simply set better boundaries. You know, why invite me into your bedroom? Why invite me - you know, all these places that used to be off-limits - do a better job of putting guardrails on yourself.
Laura Hoffner: Yeah, that victimization mindset, making it their fault that - how dare they should want security when they've chosen this profession. But then...
Dave Bittner: Right.
Laura Hoffner: ...On the other hand, we're also validating that profession by following them and giving them billions of views each time. So it's a very mixed message of what we're giving them that - please continue this access and this content, but also this is all your fault, and we can't do anything about it. So that stigma really needs to stop. There is a really great documentary put together by Sweet Anita, who is a gamer, and she says that she really loves her profession. She just doesn't think she should have to die for it. And that quote is so profound because who should think that they're choosing their profession and that they're willing to die for it just because they're giving their fans what they want?
Dave Bittner: You know, I've heard from folks who've run into these sort of situations that when it gets to the point where they feel as though they have to go to law enforcement, that quite often law enforcement just doesn't know what to do with them.
Laura Hoffner: Yeah, and that's got to be so frustrating on both sides, right? So on their side, they're seeing these threats come in. They can point to exactly what this person said at this time, and usually, it's a death threat, very specifically. But then on the police side, with how much online content there is right now, there is just no way for them to look into every single death threat that's put online. That is just not something that's going to be able to happen. And then on the few threats for which you are able to validate intent, how do you then go from a profile that was made off of a VPN without any personal information associated with it, and try to find the perpetrator in any kind of swift amount of time before it becomes no longer relevant? So the frustration is on both sides.
Laura Hoffner: Of course, going back to that desensitization, we have allowed people to say these things and just let it be this freedom of speech, which is not the case. It should not be that you are allowed to incite violence or conduct death threats online as part of your constitutional right. But then also, what these streaming services need to do is a little bit more of that verified account process so that once an account makes a death threat, there is some research that can be done on the back end to see who was that, where are they, and how do we interrupt that possible switch from it just being an online threat to physical violence?
Dave Bittner: Now, that's a really interesting point, and I think you're - the way you're describing it has a bit of nuance that I don't think I've heard a lot of people talk about. And that's that, you know, I think a lot of these platforms are kind of - I think their impulse is to hide behind Section 230 of the Communications Decency Act to say, oh, we're just a platform. We're allowing people on here. We can't be responsible for what they're saying. But to have that balance of allowing a certain amount of anonymity but still behind the scenes have verification of who people actually are - in my mind, that could be a bit of a sweet spot.
Laura Hoffner: Exactly, and right now, as it stands, yes, you're not allowed to make death threats. That is a violation of the terms of service of most, if not all, of these streaming services. But once an account gets locked or taken down, they can easily just make a new account, and they don't need any personal information. That account doesn't need to be verified. So these people are just going through account after account after account, and it's impossible to tie it back to that initial death threat because it's all perceived as different people.
Dave Bittner: Are there examples of influencers who are doing this particularly well? I mean, are there best practices in terms of using the tools that are available to manage your audience and, you know, build a community that has your back when these sorts of things arise?
Laura Hoffner: You know, that's a tough answer to provide because it's essentially proving a negative, right?
Dave Bittner: Yeah.
Laura Hoffner: The people who are not in the news for being stalked are the people who are most likely doing it right (laughter).
Dave Bittner: Yeah, yeah.
Laura Hoffner: So I haven't been able to find many of them. But what people can do is not stream from your bedroom, put a blanket background. Do not post while you're at certain locations that can be stalked; post after the fact. Don't actually put any locations because if you go to it with any regularity, that link is going to be made. And then also, requesting these streaming services, these people who have millions, if not billions, of followers - have a point of influence with these streaming services to ask them for this verification. And I think that's their right to do so. Never would we not assume that in the physical world these NBA stars or these movie stars would be able to be harassed, attacked, stalked at these locations without that overall company that's hosting them and allowing their stardom to protect them for that. So I think these streaming services - very similar to what we saw with Facebook - there's an obligation. You can no longer just say, we're the host; whatever happens happens. You have a moral obligation to assist these people that you are providing this career for.
Dave Bittner: Is there any recognition by regulators that this is an area that requires some of their attention?
Laura Hoffner: Yes, I do think there is, but it's such a complicated conversation because of exactly that freedom of speech line in the sand and then also the law enforcement bandwidth issue. So there's no easy solution, and that's why it keeps getting pushed back on to the influencer as their problem.
Dave Bittner: You know, I've seen in some of the cybersecurity circles that I run in on social media that, occasionally, you'll see someone who takes it upon themselves to track down some of these folks who are up to no good, you know, use open-source information, and I have to say, some of the most gratifying ones are when they discover that they're teenage boys, and they reach out to their moms.
Laura Hoffner: (Laughter) Yeah. And even...
Dave Bittner: I realize that's not a scalable solution, but it sure does feel good (laughter).
Laura Hoffner: It sure does. Don't we love a good justice story, right?
(LAUGHTER)
Dave Bittner: That's right. That's right. Even if it's vigilante justice, sometimes you can't help but smile.
Laura Hoffner: But then that also depends on the mom doing the right thing.
Dave Bittner: Yeah.
Laura Hoffner: Even in this Sweet Anita documentary, she interviewed a bunch of other influencers about the security issues that they've had, and one of them identified that it was an underage male who had been stalking him and sending him death threats. And he reached out to the man's father and said, please make your son stop doing this. And the father's response was, my son would never do that; he's a good guy. So you're always having to depend on someone else to essentially do the right thing (laughter)...
Dave Bittner: Right.
Laura Hoffner: ...Which is really hard to enforce.
Dave Bittner: Right. Well, I mean, until we get there with better tools and better enforcement and, you know, as we say, making people register themselves on some of these platforms, to what degree is education an element here, of letting the folks know who want to be influencers, who aspire to that, you know, putting these best practices in front of them so as they create these accounts and these personas that they know what they're in for, but they also have the proper tools to try to manage these things?
Laura Hoffner: And I think this new generation knows that better than anybody, but it's this middle generation that we still need to teach that to, those who just didn't think that when the internet first started that - they assumed that they could stay anonymous on the internet or that they could just take away one of their usernames and go to another, and they'd never be associated between the two, even though they linked them by email address. So that history of the internet that doesn't forget ever, this new generation gets that. And so I think that we have a good opportunity with them to identify these security protocols. But in regards to the education requirement, what we also need to do is remove the stigma that just because these stars are choosing this life, that they're not entitled to the same safety and privacy that we are. And again, this new generation is doing a great job of removing all stigma and taking away stereotypes. And so hopefully this will be one of the many things that they can do that with. But that's what we owe these people that we are asking to stream from their homes and to show us what products to buy and where to go, that they also have the right to inherent safety and privacy.
Dave Bittner: Joe, what do you think?
Joe Carrigan: Dave, I might be too much of an angry old man here.
Dave Bittner: (Laughter) OK.
Joe Carrigan: But I think the relationships that people have with influencers are unhealthy. I think by their nature, they're unhealthy. There is a huge shift in the paradigm of what's valuable in industry, and one of the most valuable things in industry now is influence.
Dave Bittner: OK.
Joe Carrigan: And we see that in the tech industry more than we see it anywhere else. But influence has actually always been a very important part of, like, marketing and things like that.
Dave Bittner: Sure.
Joe Carrigan: But now it's so amplified, right?
Dave Bittner: Yeah.
Joe Carrigan: Through social media and through the diversity of our general media as a whole. I mean, remember - Dave, you remember when we were kids, and we'd sit on the front porch, and there'd only be three channels on TV?
Dave Bittner: Well, you know what? I'm thinking about, like, when I - when we were - again, when - yes, when we were kids, and my sister would be very excited to get the latest edition of Tiger Beat magazine...
Joe Carrigan: Right.
Dave Bittner: Right? - to see...
Joe Carrigan: Yeah.
Dave Bittner: ...What sneakers Donny Osmond was wearing.
Joe Carrigan: Yeah.
Dave Bittner: Right?
Joe Carrigan: Yeah.
Dave Bittner: So to me, like, that was the influencer culture back then.
Joe Carrigan: Yes.
Dave Bittner: But I think and I suspect part of what you're getting at here is that social media allows us to feel even more connected to these people.
Joe Carrigan: Right. Exactly. And that's my point, is that this is the same asymmetric relationship it's always been. It has not changed, but it feels like it has.
Dave Bittner: OK.
Joe Carrigan: Right? - because you're interacting with people - or actually I'm not. You and I probably aren't. Do you follow any influencers, Dave?
Dave Bittner: I probably do. I don't know. No, I guess not. No. No, not - no one that people would consider - not, like, the big - no, none of the big ones.
Joe Carrigan: Right. Like, I follow on YouTube SmarterEveryDay and Jeremy Fielding.
Dave Bittner: Yeah.
Joe Carrigan: But those guys do, like - which by the way are great channels. And Mark Rober is another good one. And I enjoy what those guys do, but I have no illusion that they know who Joe Carrigan is.
Dave Bittner: Right.
Joe Carrigan: Right? And when you're interacting with these people on, like, Facebook or on Twitch, they can see your comment roll by, and they may say something about it, right? And that has an endorphin hit.
Dave Bittner: Yeah.
Joe Carrigan: Right? So I - but I really think that this is an unhealthy - overall, this is an unhealthy situation that people need to understand the asymmetric nature of this. It's still essentially going and getting a Tiger Beat magazine.
Dave Bittner: (Laughter) Right.
Joe Carrigan: Right?
Dave Bittner: Right, right.
Joe Carrigan: But it feels like the way you interact with your friends on Facebook or on Twitter or wherever your social media - whatever the kids are using these days.
Dave Bittner: Right.
Joe Carrigan: That old man rant out of the way...
Dave Bittner: (Laughter) OK.
Joe Carrigan: ...I will say that what Laura is doing here is something that needs to be done. These people are subjected to - because of the very nature of what I just said, these people are subjected to all kinds of things that other people, you and I, would never be subjected to because we're not influencers, right? And the operational security that these people have to go through - they really have to be mindful of this. One of the things about these influencers is that they're young people.
Dave Bittner: Right.
Joe Carrigan: Right? And young people do stupid things.
Dave Bittner: (Laughter) Count on it.
Joe Carrigan: Right.
Dave Bittner: (Laughter).
Joe Carrigan: And as I said - I think I've said this now continuously for three episodes. I'm glad this stuff wasn't around when I was a kid because, you know, I don't know.
Dave Bittner: Youth is wasted on the young.
Joe Carrigan: It is, yeah. My son - when I say that to my son, he goes, retirement's wasted on the old.
Dave Bittner: OK. Fair enough, touche.
Joe Carrigan: Right. But I don't know. You know me, Dave. I'm a big advocate for freedom of speech.
Dave Bittner: Yes, you are.
Joe Carrigan: Right? But there are things that you can be punished for when you say them.
Dave Bittner: Yeah.
Joe Carrigan: And I don't mean punished by some capricious moderating system.
Dave Bittner: OK.
Joe Carrigan: I mean legally punished for.
Dave Bittner: Right.
Joe Carrigan: And when you take a class or take a major in something like communications or in journalism or in English or, you know, speech and debate, you quickly learn about the legal framework of freedom of speech.
Dave Bittner: Right.
Joe Carrigan: Right? Freedom of speech is not the right to say anything at all.
Dave Bittner: Yeah.
Joe Carrigan: And there are limits on it, like slander.
Dave Bittner: Sure.
Joe Carrigan: Like, if you say something that's slanderous of somebody, they can haul you into court and sue you. If you make death threats against somebody, that's a criminal offense. If they find out who you are, they can prosecute you criminally.
Dave Bittner: Sure.
Joe Carrigan: Right. So - and I'm OK with that, even as a rabid free speech advocate, you know? But from the streamer's perspective, from the influencer's perspective, you have to take this as an operational security problem, right? Yeah. You have to understand, yeah, people are going to make these kind of death threats to you. How are you going to handle that? How are you going to make sure that they don't find out where you live? Maybe you do something pseudonymous, right? Can you even do that? Is that even possible? Is this a risk that you want to incur? These are judgments you have to make. And I don't think a lot of these younger people are prepared to make those judgments.
Dave Bittner: Right.
Joe Carrigan: But I will say this - do practice some operational security. Don't have pictures of you outside so that people can know where you are. Don't go to the same Starbucks every day. If you have habits, do not put those on your streams, right? I love seeing the "I'm going to tell their mom" stories that you were talking about.
Dave Bittner: Yeah.
Joe Carrigan: And sometimes that ends well. But every now and then, you get that parent that's - my kid's a good kid and wouldn't do that.
Dave Bittner: Yeah.
Joe Carrigan: Right? You know, my kids were both good kids, too.
Dave Bittner: Yeah.
Joe Carrigan: But I didn't put it past him to do something remarkably stupid.
Dave Bittner: (Laughter) That's right 'cause we all have.
Joe Carrigan: Right. Exactly.
Dave Bittner: (Laughter) Right.
Joe Carrigan: So, you know, if somebody ever - nobody ever actually came to me and said, you know, your kid did this jerk thing.
Dave Bittner: Right.
Joe Carrigan: But if they had, I would have gone, OK. I will have a conversation. Let me - first off, let me see...
Dave Bittner: That sounds like them.
Joe Carrigan: ...What you have. Right?
Dave Bittner: Sounds like them.
Joe Carrigan: It sounds like them. That sounds like them. Let me see what you got. I will present this to them, and I will have a discussion with them.
Dave Bittner: Yeah.
Joe Carrigan: And that will be the end of it.
Dave Bittner: Yeah. Yeah. All right. Well, interesting topic.
Joe Carrigan: Yes, it is an interesting topic. And I understand that this needs to be done. But at the same point in time, I just don't think this relationship we have with these people is healthy.
Dave Bittner: Yeah. Well, our thanks to Laura Hoffner for joining us again. She's an executive vice president at Concentric, and we do appreciate her taking the time for us.
Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.