The great resignation and data exposure challenges.
Abhik Mitra: To even have the slightest notion that there's a Big Brother element of being watched simply does not work.
Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Got some good stories to share this week. And later in the show, I speak with Abhik Mitra. We're going to be sharing the findings on Code42's 2022 Data Exposure Report.
Dave Bittner: All right, Joe. Let's jump right into our stories this week. Why don't you start things off for us?
Joe Carrigan: Dave, my story comes from Linda Gandee. I hope I'm saying that right.
Dave Bittner: Yeah.
Joe Carrigan: She is at Cleveland.com.
Dave Bittner: OK.
Joe Carrigan: And she has a great story about a lawyer-doctor couple named Sherri and Jim Carney...
Dave Bittner: All right.
Joe Carrigan: ...Who were targeted by a bench warrant scam. Here, let me put on my inner Ben Yelin, or my Ben Yelin costume...
Dave Bittner: (Laughter) OK.
Joe Carrigan: ...And tell you what a bench warrant is because I actually looked this up...
Dave Bittner: Yeah.
Joe Carrigan: ...Because I'm wondering, what is a bench warrant? A bench warrant is a warrant that gets issued for somebody who doesn't show up for a court date...
Dave Bittner: Yeah.
Joe Carrigan: ...Right? This is different from an arrest warrant, which is something that a police officer requests. I'd like to arrest that person. I have evidence, and you go present that. But at a bench warrant, you missed a court date, essentially. It's very common for bench warrants to be issued for people...
Dave Bittner: Yeah.
Joe Carrigan: ...If they miss a court date because that is criminal. You're not supposed to do that.
Dave Bittner: Right. And my - correct me if I'm wrong here, but my understanding with a bench warrant is that it's not like they're going to put out a posse and a hard-target search on you. It's just that...
Joe Carrigan: Right. Get an APB out on Bittner. He missed his court appearance.
Dave Bittner: No. But the next time you cross paths with the law...
Joe Carrigan: Right. Yes.
Dave Bittner: ...That's going to be a bad day for you (laughter).
Joe Carrigan: That's - that is - they're going to run your license and go, you have warrants out.
Dave Bittner: Right. Yeah.
Joe Carrigan: Oh, OK. Great. An arrest warrant - they're coming for you. A bench warrant - they're generally not going to come for you.
Dave Bittner: OK.
Joe Carrigan: But, you know, you can always take care of it by going and saying, I missed a court date. Sorry. I don't know how this works.
Dave Bittner: Turn yourself in.
Joe Carrigan: Yes. Ask Ben next time...
Dave Bittner: I will. OK (laughter).
Joe Carrigan: ...During the next episode of "Caveat." I'm sure he listens to this show. He's right now pulling his hair out.
Dave Bittner: Yeah.
Joe Carrigan: So Sherri gets a call. First off, Sherri is a doctor, and Jim is a lawyer...
Dave Bittner: All right.
Joe Carrigan: ...Like Ben. Sherri gets a call at work, and the name on the caller ID says Sergeant Cummings.
Dave Bittner: OK.
Joe Carrigan: And this person leaves a message asking for a callback. So Sherri calls the person back. And when she gets back, she is told by the caller that a subpoena had been served on her. And since she didn't appear in court, now there's a bench warrant out for her arrest. And the guy says this is a courtesy call because you are a doctor. You can come down to the police station and sign a paper to compare signatures on the subpoena. But we need a credit card number to ensure that you show up, right? Now...
Dave Bittner: The fact that we have guns isn't going to ensure that you show up.
Joe Carrigan: Right. Yeah.
Dave Bittner: You need a credit card number. All right, go on.
Joe Carrigan: Now, listeners of our show are already going, hey, that's a red flag.
Dave Bittner: (Laughter).
Joe Carrigan: I've never had a cop ask me for a credit card number, right?
Dave Bittner: No, no, no.
Joe Carrigan: So here's an interesting side bit of information about Jim and Sherri. They work in the same office building, right? Sherri's doctor's office is in the same building as Jim's law office.
Dave Bittner: That's convenient for commuting.
Joe Carrigan: It is.
Dave Bittner: Yeah.
Joe Carrigan: So Sherri runs down to her husband's office, and he gets on the phone call with this guy. And he keeps insisting that he gets a credit card number or she will be arrested right away. So Jim and Sherri say, she can't leave her patients. She has patients to see today, and that's not convenient, right? They're...
Dave Bittner: Yeah.
Joe Carrigan: ...I think they already know this is a scam. But then the guy goes, well, then you need to go to a bank, get out $8,000, turn it into cryptocurrency, then you can come down to the Westlake police station at your leisure, right? So you know what will make this all go away? Eight grand in Bitcoin, Dave.
Dave Bittner: (Laughter) OK.
Joe Carrigan: Point-zero-one-five - I don't know. What's Bitcoin at now, 30 grand?
Dave Bittner: Who knows?
Joe Carrigan: It's - still, eight grand of Bitcoin. And Jim begins to put the caller off, you know, like, you know, I'm starting to get this red flag. And he says - the caller says, I have to stop this now. I've spent too much time with you. Either you get the money to postpone arrest or we'll come by and arrest her immediately, and then we can return the money.
Dave Bittner: OK.
Joe Carrigan: So Jim says he hung up, right? And then he calls the Westlake police department and asks for Sergeant Cummings. Guess what? There is a Sergeant Cummings.
Dave Bittner: Oh, and he's pissed.
Joe Carrigan: Right.
(LAUGHTER)
Joe Carrigan: And the badge number that this caller gave is Sergeant Cummings' badge number, right? But the person there says, no, no, that's not Sergeant Cummings calling you.
Dave Bittner: Right.
Joe Carrigan: That's some scammer. We're getting a lot of these calls.
Dave Bittner: I'll bet they are.
Joe Carrigan: And they are furious about it. They don't - the police officers on the phone said, no, we don't want to arrest your wife. That's B.S. Don't worry about it.
Dave Bittner: Sure.
Joe Carrigan: It's not our Sergeant Cummings. So a couple of things that struck me about this scam...
Dave Bittner: Yeah.
Joe Carrigan: First off, a bench warrant is the correct kind of warrant, right?
Dave Bittner: OK.
Joe Carrigan: That makes sense. Two, there is a Sergeant Cummings with the correct badge number.
Dave Bittner: Right. So if you went and just did a Google search to see if Sergeant Cummings is legit...
Joe Carrigan: Right.
Dave Bittner: ...That would add up.
Joe Carrigan: Even if you could look up his badge number, you would think, hey, this makes more sense. But I think badge numbers are public records, so anybody can get them.
Dave Bittner: OK.
Joe Carrigan: Or anybody can call Sergeant Cummings and go, hey, what's your badge number? I need to file a complaint.
Dave Bittner: Right (laughter).
Joe Carrigan: I think he has to give it to him, right?
Dave Bittner: Could be, yeah. Yeah.
Joe Carrigan: Another thing that's interesting is during a portion of the call, it was apparent this guy knew Sherri was a doctor.
Dave Bittner: Right.
Joe Carrigan: So he's - when he initiates the call, he says, this is a courtesy call because we know that you're a doctor. So they have some manner of personal information on Sherri here, which is kind of disturbing. But there's all kinds of information about us everywhere.
Dave Bittner: Yeah.
Joe Carrigan: So when you get a phone call that has all kinds of information about you, you should be aware, No. 1, that's already out there. It's not that hard to find...
Dave Bittner: Yeah.
Joe Carrigan: ...Right? Neither is a police officer's badge number. And you can just Google the difference between a bench warrant and an arrest warrant, right? I did that this morning when I was looking this show up, right?
Dave Bittner: (Laughter) Right.
Joe Carrigan: That's important to note that I did that this morning. And Ben went to five years of - or four years of school.
Dave Bittner: (Laughter) So it's practically the same.
Joe Carrigan: Practically the same, right?
Dave Bittner: Yeah. OK.
(LAUGHTER)
Joe Carrigan: Sorry, Ben.
Dave Bittner: (Laughter).
Joe Carrigan: How to know this is a scam - law enforcement will never call you about a warrant. They just will not do it. You know, everybody that has a warrant against them is a flight risk. If you have an arrest warrant out for you, the - Johnny Law is not calling you and going, oh, by the way, we have an arrest warrant out for you. We're coming to get you if you don't give us money. They're just going to show up...
Dave Bittner: Yeah.
Joe Carrigan: ...Because they're legally allowed to do that.
Dave Bittner: Right.
Joe Carrigan: Law enforcement will never, ever ask you for cryptocurrency.
Dave Bittner: Yes (laughter).
Joe Carrigan: That is - there is no bigger red flag than that. No government agency in the United States does business in cryptocurrency.
Dave Bittner: Right.
Joe Carrigan: They'll never demand it. They'll never ask for it.
Dave Bittner: Yes.
Joe Carrigan: You may be able to pay taxes in it someday, but I don't know. Probably not.
Dave Bittner: Yeah, probably not.
Joe Carrigan: Probably not.
Dave Bittner: (Laughter) Probably not.
Joe Carrigan: You'll probably have to pay your taxes with a check.
Dave Bittner: Yeah.
Joe Carrigan: And you don't need to give a credit card number to make sure that you show up, right?
Dave Bittner: No.
Joe Carrigan: If you need to show up somewhere, law enforcement will make sure that you show up somewhere.
Dave Bittner: (Laughter) That's right.
Joe Carrigan: Right? Westlake Police has a public information officer whose name is Jerry Vogel, and he spoke about the warrant scam. We tell people that you cannot pay for court costs, tax bills, fines, warrants and IT help with gift cards, bitcoin and even Venmo.
Dave Bittner: Yeah.
Joe Carrigan: When you see an unexpected phone call or a pop-up on your computer that says you need to pay money, tell them you're going to independently find their phone number and check out their story, then hang up. Just hang up the phone.
Dave Bittner: Yeah.
Joe Carrigan: Once you say that, I'm going to independently verify your story and then call you back or call the number that I find and hang up, that's probably going to be it. They're not going to call you back. They know - these scammers know, OK, this person's not a good person to run this scam on. Onto the next number.
Dave Bittner: Right. And it's also worth noting that it very likely probably said on the incoming caller ID that it was Sergeant Cummings from the sheriff's office.
Joe Carrigan: It did. It said Sergeant Cummings, yes.
Dave Bittner: That's easy to spoof.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: It is.
Dave Bittner: Yeah. All right. Well, interesting story. Lots of red flags all throughout that one.
Joe Carrigan: Right.
Dave Bittner: Good lessons to learn there. We will have a link to that in the show notes. My story this week comes from the folks over at PIXM. That's P-I-X-M. Joe, speaking of looking things up, I had to look up how to pronounce PIXM. (Laughter) I didn't know if it was Pixum (ph) or...
Joe Carrigan: I would've said Pixum.
Dave Bittner: Pixum - yeah, it's PIXM, PIXM, PIXM. I suggest to all companies who have unusual spellings of their company name on the about page of your website. The first thing it should say is how to pronounce your name (laughter). That's right.
Joe Carrigan: How to pronounce our silly name.
Dave Bittner: Little tip there, free of charge. So the researchers over at PIXM have been tracking a Facebook credential harvesting campaign that is also - refers people to ads. So it's sort of two parts. They're harvesting Facebook credentials and then they use those credentials to trick people to going to ad webpages. And that's where they make their money. So in this case, they're using lookalike login pages. So they get you or me to visit this fake login page. It looks just like Facebook.
Joe Carrigan: Right.
Dave Bittner: And then they harvest your credentials and then they use those credentials to log in to your account, and then they spam all of your friends on Facebook using Facebook Messenger.
Joe Carrigan: I see.
Dave Bittner: Now, a couple interesting things here. Because they are using Facebook Messenger as sort of a call is coming from inside the house thing, your friends all get the message from Facebook Messenger from you.
Joe Carrigan: Right.
Dave Bittner: So that looks legit.
Joe Carrigan: Yep.
Dave Bittner: Right? But another interesting wrinkle here - they're using some legit services that generate URLs to be able to use some features within Facebook. And I'll admit, I don't have a complete understanding of all the technical stuff going on behind the scenes. But evidently, there are services - they list a few here - glitch.me, famous.co, amaze.co, funnel-preview.com. And these are websites that are used to deploy and generate URLs for legitimate uses, but bad guys use them too because they're available for rapid deployment. And what this does is, if you have a security system that is blocking certain URLs, this defeats that because you're generating - you're using this legit service that can't be blocked because it's a legit service and it'll cause a headache for your organization if it's blocked. So they use this legit service to spin up a new, unique URL that will not be blocked because it's coming from a unique service.
Joe Carrigan: Right.
Dave Bittner: Does that make sense?
Joe Carrigan: Yes.
Dave Bittner: Have I explained that well enough?
Joe Carrigan: Yes.
Dave Bittner: (Laughter) OK.
Joe Carrigan: But eventually, you're going to have to hit the URL of the malicious site - right? - or the...
Dave Bittner: Yes. And evidently, these folks use a number of redirects. So the initial link is legit.
Joe Carrigan: Right.
Dave Bittner: And that keeps Facebook or your local malware detection system from seeing it.
Joe Carrigan: Right.
Dave Bittner: But then once you hit the legit one, then it's redirect, redirect, redirect until you get to the place that they're trying to send you to. And in this example for - they used, like, a Walmart survey campaign.
Joe Carrigan: Right.
Dave Bittner: You know, and that's how they make their money.
Joe Carrigan: Dave, I actually have a serious question here.
Dave Bittner: Yes.
Joe Carrigan: How many redirects is too many redirects, do you think?
Dave Bittner: More than one?
Joe Carrigan: More than one - 'cause if I'm going to go to, like, Bitly or something, I'm going to go to Bitly, and then Bitly is going to redirect me to whatever site, like thecyberwire.com.
Dave Bittner: Yeah.
Joe Carrigan: Right? If Bitly redirects me to something that then again redirects me, right? - because think about this. If a - if I have a business and I create a Bitly link to that business and then I move the business's webpage - so I redirect from the old domain to the new domain, right? Now I have two redirects, right? But how many redirects should I have at most? I mean, I can think of a legitimate use case for maybe two or three redirects, but...
Dave Bittner: Yeah.
Joe Carrigan: ...Maybe after that, we just say, now we're done.
Dave Bittner: Well...
Joe Carrigan: And I know that browsers will say, too many redirects. Stop.
Dave Bittner: Right. I was just going to say that. Sometimes, the browser will either - so two things I've seen. In some cases, at the moment of redirect, your browser will say, hey, this is a redirect. And we paused here, right?
Joe Carrigan: Right.
Dave Bittner: And they're saying, you know, in 5 seconds, you're going to be redirected. If this is not what you want, now's the time to pull the ripcord, right?
Joe Carrigan: Right. (Laughter) That's right.
Dave Bittner: But then other times, exactly what you're describing, which is it'll just stop and will say - and actually, you know what? I think I've noticed that most on my mobile device. It'll pop up, and it'll say, too many redirects. I'm not taking you there.
Joe Carrigan: Right.
Dave Bittner: This is not good.
Joe Carrigan: Right.
Dave Bittner: Nothing good is going to come of this.
Joe Carrigan: I'd like to know what that number of too many redirects is. Are we looking at a number like 16, 20, whatever?
Dave Bittner: Yeah.
Joe Carrigan: Or are we looking at a number like five?
Dave Bittner: Right. I don't know the answer to that.
Joe Carrigan: Yeah, me neither.
Dave Bittner: It's a good question. Yeah. If any of our listeners know or have more of a knowledgeable technical description of how this works under the hood, please let us know. We'd love to know and share it with everybody.
Joe Carrigan: I used to know everything, Dave.
Dave Bittner: (Laughter).
Joe Carrigan: Now I'm the old - angry, old man trying to use technology.
Dave Bittner: Yeah. The older you get, the less you...
Joe Carrigan: (Laughter).
Dave Bittner: ...The more wisdom you have to realize the less you know?
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Yeah, exactly.
Dave Bittner: Yeah. So...
Joe Carrigan: Maybe that's what it is.
Dave Bittner: The researchers seem to think that these folks are Chinese. That's the source of all of this.
Joe Carrigan: And their endgame is just to get ad revenue.
Dave Bittner: The end game is to get ad revenue. They - the folks who are selling this, this sort of malware as a service, are claiming to have made over $59 million.
Joe Carrigan: Really?
Dave Bittner: But the researchers think they're probably exaggerating, so - but in my book...
Joe Carrigan: If they're exaggerating by a factor of 10, it's still a pretty good payday.
Dave Bittner: Yeah. (Laughter) It's still a pretty good payday, yeah, for being up to no good.
Joe Carrigan: Right.
Dave Bittner: So - but let's get to the practical stuff here. What are some of the best ways to avoid this?
Joe Carrigan: Well, Dave, this is not going to happen to me because I use my YubiKey to secure my Facebook account.
Dave Bittner: There you go.
Joe Carrigan: So that's No. 1.
Dave Bittner: Yeah.
Joe Carrigan: Multifactor authentication.
Dave Bittner: Right.
Joe Carrigan: Especially with a - with something that can't be socially engineered like a YubiKey or Google Titan or whatever uses the FIDO alliance's standards.
Dave Bittner: Right because if you just use, like, an SMS code...
Joe Carrigan: Right. That can be...
Dave Bittner: ...They can still harvest that.
Joe Carrigan: They can still harvest that and just say, hey, what's your SMS - we sent you an SMS code. And they're logging into Facebook for you to steal your credentials...
Dave Bittner: Right.
Joe Carrigan: ...On the back end. Sure.
Dave Bittner: Yeah.
Joe Carrigan: That'll work. Even the - that'll also work with the one-time password code that comes up. So those can be engineered out of you. But a challenge response from a cryptographic protocol is much more difficult to fake or to harvest.
Dave Bittner: Right.
Joe Carrigan: So, in fact, I'm not aware of any attacks that have been successful in that.
Dave Bittner: Yeah.
Joe Carrigan: So that's No. 1, multifactor authentication - the best you can do. What else can you do? You know, I mean, I would say complex passwords, but if you're being targeted by something like this and you click on the link and go enter your complex password, they still have it. So that's not really going to help. Really, the only thing that's going to help you is as - from being the victim of the account takeover is the multifactor authentication. Now, if you are a user of Facebook and you get a (laughter) suspicious message - 'cause my son got one of these just the other day from his grandmother.
Dave Bittner: Oh.
Joe Carrigan: And he goes, oh, my grandmother would like me to look at this webpage. And I'm like, don't click on that link.
(LAUGHTER)
Joe Carrigan: Because her account frequently has these kind of issues.
Dave Bittner: Yeah.
Joe Carrigan: And a lot of times, she actually sends out spam messages herself. You know, it's the nature...
Dave Bittner: Of being a grandmother (laughter)?
Joe Carrigan: ...Of being a grandmother. Right.
Dave Bittner: I see. OK. All right. Yeah, yeah. I know what you're talking about.
Joe Carrigan: Right.
Dave Bittner: I know what you're getting at here, yeah.
Joe Carrigan: Yeah. So, you know, she - I mean, it's just the way she uses Facebook.
Dave Bittner: Sure.
Joe Carrigan: Now, his other grandmother doesn't do that. You know, only one of his grandmothers - I'm not going to tell you which one it is...
Dave Bittner: (Laughter).
Joe Carrigan: ...Because I don't want to seem like I'm picking favorites.
Dave Bittner: She likes sleeping indoors. Yeah, all right.
Joe Carrigan: (Laughter) Right. That's right.
Dave Bittner: Good.
Joe Carrigan: I think everybody knows now.
(LAUGHTER)
Dave Bittner: Fair enough. Fair enough.
Joe Carrigan: Yeah, those are the two things. To prevent your account from being taken over, use multifactor authentication. And to - if someone - one of your friend's accounts does get taken over, just don't fall for it.
Dave Bittner: Yeah.
Joe Carrigan: Just, you know, maybe make a phone call and go, hey, I think your account was taken whenever I'm getting all these kind of weird messages from your account.
Dave Bittner: Yeah.
Joe Carrigan: You know, it's just as easy to clone a Facebook account and then send messages to people once you have friend requests.
Dave Bittner: Yeah. I mean, I guess it's advantageous to take over an existing account...
Joe Carrigan: Yeah. That's much better.
Dave Bittner: ...That has many more folks on it. Yeah. And I'll also just give a little plug here to the PIXM people, who - they, you know, they claim that their solution would catch this. They use computer vision to analyze pages. So rather than just doing analysis of text or metadata or things like that, they'll actually look at images...
Joe Carrigan: Right.
Dave Bittner: ...And, you know, sort of...
Joe Carrigan: They'll say, hey, this looks like it's a Facebook login page...
Dave Bittner: Right.
Joe Carrigan: ...Because it's probably cloned from Facebook.
Dave Bittner: Exactly.
Joe Carrigan: And this is not the Facebook URL or any of Meta's owned URLs.
Dave Bittner: Right.
Joe Carrigan: So red flag, please.
Dave Bittner: Right. Exactly. So, you know, hats off to them. If it works...
Joe Carrigan: If it works, it's good. Use it.
Dave Bittner: That's right. All right. I will have a link to that in our show notes. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from William, who writes, this fake invoice had no attachment or link, so it's clearly meant to get the victim to call the number, which is probably correct.
Dave Bittner: OK.
Joe Carrigan: I'm assuming to try to get an authorization to transfer funds. It could be. One quick red flag is that there's no indication of who the seller might be. In fact, it's worded as if PayPal might be the seller. And PayPal doesn't sell anything. They just facilitate transactions.
Dave Bittner: (Laughter) Just their service. OK.
Joe Carrigan: I get emails like this from time to time, and I could see this causing a big headache for someone who's unaware of this scam. My favorite part about this email is it comes from, Dave. These guys didn't do the clean up of - from their last scam campaign. So who's it from?
Dave Bittner: It's from Tax Invoice.
Joe Carrigan: Tax Invoice.
Dave Bittner: Yeah. So I guess they were doing some tax invoice scamming before they got around to their PayPal scamming.
Joe Carrigan: Right. Yeah.
Dave Bittner: It's funny. As much as they take time - as some groups take time with all of their spearphishing, others' attention to detail is not at the top of their game.
Joe Carrigan: That's right. It's all about the numbers for those guys.
Dave Bittner: All right. So let me see here. So this says, Dear William, you've sent $871 to PayPal. It may take 24 hours for this transaction to appear on your account. Order Date - May 28, 2022. Product - Dell G15 Gaming Laptop, 11th gen Intel Core i5-11260H 12mb cache six cores 12 threads, up to 4.4ghz turbo, eight gigabytes, 512 gigabytes, dark shadow grey. Items - $768.99, shipping and handling $52.37, subtotal $821.36, sales tax $49.72, order total $871.08, shipping method standard. Thank you for shopping with us. Your order will reach you within three to five working days. You'll receive a tracking link once the order is shipped. You can check the status of your order in case of any issues with this transaction. Call our customer support care for further assistance. Thanks. In regards, Team PayPal.
Joe Carrigan: Now, I have another red flag here.
Dave Bittner: Yeah.
Joe Carrigan: No self-respecting gamer is going to buy an i5 laptop for gaming with only eight megs of RAM.
Dave Bittner: (Laughter) OK. You can play Tetris.
Joe Carrigan: You could play Tetris. That's right. You might be able to play like the old Half-Life game on here. If you get the Orange Box, you can play that on here.
Dave Bittner: Sure.
Joe Carrigan: Probably smoke that pretty well.
Dave Bittner: Yeah.
Joe Carrigan: But, you know, you're not playing any modern game on this with any great - first off, it doesn't even tell you what the graphics processor is in this email. These scammers don't know...
Dave Bittner: Don't know their target audience.
Joe Carrigan: Actually, they do know their target audience. Their target audience isn't gamers. A gamer is going to see this and go, nope. But the person who is going to see this and react to it is the person who goes, whoa, whoa, whoa. I didn't order this. I didn't order it. Let me call this number. And you should never call that number.
Dave Bittner: It's actually a pretty cheap computer, you know, 870-some dollars for a computer.
Joe Carrigan: It is.
Dave Bittner: And maybe this all - these may be legit numbers for this Dell laptop. Who knows?
Joe Carrigan: Right.
Dave Bittner: Yeah. But we do know that this person did not order it. And so you're right, the whole thing is to get you to call. And that's when they hook you.
Joe Carrigan: Yeah, that's when the scam begins. Actually, I guess you could say the scam begins when they send the email, but that's when they - that's when the concentrated effort of the scam - you become the - you get the undivided attention of these scammers. And that is something you do not want.
Dave Bittner: All right. Well, our thanks to William for sending this in to us. We would love to hear from you. You can email us to hackinghumans@thecyberwire.com. And we will consider your Catch of the Day for our show.
Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Abhik Mitra. He is the head of portfolio strategy at Code42. And we are talking about their latest data exposure report. Here's my conversation with Abhik Mitra.
Abhik Mitra: Yeah. So the data exposure report has become somewhat of an annual tradition for Code42 and I think in particular now given that we are all living this remote hybrid environment that we're in. So the purpose of the report, as the name suggests, is really to understand how security teams are facing challenges when it comes to protecting corporate data from exposure, leak or even theft. And this year in particular, there were three key trends that really stuck out to us in the data exposure report. And I'm going to call this DER just because as a security company, I can't help but use an acronym.
Dave Bittner: (Laughter) Sure.
Abhik Mitra: So we're just going to continue calling it DER from here on out.
Dave Bittner: OK.
Abhik Mitra: But let's get back to the trends. So, you know, when we - the first one should be pretty obvious - right? - which is we definitely noted the continued adoption of cloud technologies but also a stark spike in lack of visibility into them. In fact, we noted a 51% spike since Q3 in 2021. And this is an interesting one because when you think about the fact that we're all remote or hybrid, cloud technologies aren't going away. They're only going to grow. But with that and with the speed of adoption there comes the additional challenge of needing security visibility into them. So that was a key insight that definitely caught our attention. The other is the impact of the great resignation. We kind of call this the great resignation now, but this is really about departing employees taking IP with them potentially to their next jobs, to a potential competitor. And the data from the DER points to the reality that 71% of security practitioners don't know what's leaving with them. And I think you kind of couple that with a couple of other learnings over time, which is for a lot of employees, there's almost this feeling of, I created this data, it's my right to take it along with me no matter where I go. So that's certainly a concern that organizations have to deal with.
Abhik Mitra: And then I think the last major takeaway here and I think hits the heart of the issue, which is internal misalignment. So we note that between the board, security leadership, as well as security practitioners, there is real misalignment on priority. In fact, over 50% of security practitioners surveyed said that they weren't even consulted by their leaders when their corporate cybersecurity strategy was framed up. And I think we kind of get to the heart of the issue, which is 96% of companies acknowledge that they were challenged when it came to protecting data from insider risk. So all in all, you know, probably not the most positive report if you're an organization trying to protect against insider risk. But there are certain realities, as I mentioned, just with the continued adoption of cloud technologies.
Dave Bittner: Can we take a step back real quick and just cover some definitions? I mean, you all at Code42 I know are really specific about referring to it as insider risk as opposed to insider threats, which I think is, you know, another popular term for this. But you all think there's some - there's some nuance here worth explaining, yes?
Abhik Mitra: Absolutely. I'm happy you asked that question because it is an important delineation to make for organizations because there is a fundamental difference in approach. So the way I like to explain it is with insider threat, you know, with the very definition, you've almost assumed that somebody is doing something for the purposes of being malicious, right? When you say threat, it kicks off almost an investigation that's completely based on essentially victimizing somebody - right? - before you get to the context of what may have led to that individual doing what they did. With insider risk, it works a little different because you're looking at the context. You're looking at all of the key events leading up to what could become an insider threat. But the importance of insider risk is you really get to - as an organization, you put yourself in a situation where you're now able to understand what may have done - what may have been done maliciously or what may have been done non-maliciously.
Abhik Mitra: You know, it turns out that over 50% of these data leak-type situations are done completely by accident. So it's important for organizations not to go down this path of we're going to control and potentially block you from getting your work done and collaborating because we assume that something happened and that you did something for malicious purposes. So we feel like this conversation is shifting more so toward insider risk. And I think that's reality. I think the fact that we're all remote hybrid now, I think organizations have to think about risk proactively versus waiting for that, you know, that next press release to hit where they're unfortunately part of the headlines.
Dave Bittner: Yeah. Can we dig in some to this notion of the great resignation? I mean, I think for older folks like me, I think we think of the people coming up behind us as perhaps being more job hoppers than my generation, you know, Gen X was. And you mentioned that there seems to be perhaps a perception of entitlement of people taking data with them.
Abhik Mitra: Yeah. You know, that's - we asked that question in one of our previous DER reports, and in that, 63% of those surveyed actually acknowledged that they had taken IP from a previous job to a new job. And we often joke here that, you know, the other 27% weren't necessarily telling us the truth. Who knows? But everybody to some degree has done this, whether or not they have - they know that they're doing it rightfully or not. So when we talk about the great resignation, we're really talking about the - I think of it as you're given the keys to the kingdom, the moment you join a job, right? Like, the moment you are given a username and password, that's your keys to the kingdom, and that keys to the kingdom could be access to source code, access to the road map, access to company financials, you know, anything that could be detrimental in the hands of somebody else - so anything leaked, potentially, right? You could be a major studio - not that this ever happens, of course. But you could be a major studio where a script for the next big movie is leaked, and you have no idea how or what happened.
Abhik Mitra: I think when we talk about the great resignation, we talk about the reality that a lot of people are now in a situation where the job market is hot. People are constantly being enticed by other organizations. And whether they're with organizations for six months to a year, they have access to a lot of data. Probably the biggest issue with the great resignation is gone are the days where you could enforce VPN. Gone are the days where you were going into work and you're kind of subjected just to that network. It was a security practitioner's dream, right? Like, you're kind of locked down. But the reality now is, not only as a security practitioner do I need to give you tools like Slack or Microsoft OneDrive or Google Drive to do your job; I also now have to balance that with protecting data from leaving because it's ridiculously simple for me to just put data onto those cloud repositories and essentially take them with me to my next job.
Dave Bittner: How much of this is a cultural issue here of making sure that it's - I mean, I can imagine even from the point of onboarding new employees of, you know, establishing what the boundaries are, making sure that everybody's on the same page.
Abhik Mitra: Culture is huge. And it's interesting whenever I hear security teams talk about culture because it's the one term that you wouldn't typically find somebody within security mentioning.
Dave Bittner: Right.
Abhik Mitra: But I think the reality is this - right? - we are today onboarded, living our tenure with the company and departing completely in a virtual environment. It is very feasible that nobody in the people or HR department even interacts with somebody face to face, which is good, but it's also scary because you're trusting them with your corporate assets. So when we talk about culture, we really have to talk about trust, right? There is this notion that any time I am going to be a company that embraces remote or hybrid workforces, I am trusting you. The problem that a lot of folks run into - and again, this kind of goes back to some key data points in the DER - is, you know, we noted that 96% of organizations want to improve their security training. And the reason I talk about training is it is a big part of shaping culture. And I'm not talking about, like, that once a time, you know, during orientation training or maybe once a quarter. We're talking about point-in-time training. We're talking about delivering training particularly in those situations where an employee might be doing something, again, completely accidentally. How nice would it be to get a nudge in that moment, maybe like a module, like a two-minute video, that suggests, hey, noticed you're doing this. This is the best practice way of doing it. I have just received something that is easy to digest, just 2 minutes, and I've course-corrected my behavior.
Abhik Mitra: And the point of that is that if you do that enough times with different employees, you are helping shape culture. And when we talk about culture, we also have to talk about transparency. One of the things that becomes very important whenever insider risk or monitoring employees is involved is be open with the employee in terms of what is being monitored. I think at this time, like, we're all in the midst of this pandemic - to even have the slightest notion that there's a Big Brother element of being watched simply does not work. So establishing culture is understanding. It's talking. It's treating the end user and everybody, other departments, as an ally in insider risk, bringing everybody to the table, so to speak, and then establishing this sense of a culture where everybody is inheriting that responsibility of protecting your data.
Dave Bittner: You know, you all have been doing the research here for the DER for a number of years now, and certainly - you know, obviously, the pandemic was a big event for everyone, globally. Is there a sense that we're headed in a different direction now, that since the pandemic, you know, we're off on a sort of an adjusted journey?
Abhik Mitra: Yeah, definitely. I think the pandemic was - in many ways, accelerated what organizations had already started doing with digital transformation. Certainly, our research and even talking to the CISO community suggests that a lot of folks were already underway with embracing cloud, just embracing this notion that, you know, in order to recruit, you have to give people the flexibility to work from a location of their choice. So a lot of the building blocks were in place. The last piece of this, really, was a - is building a robust data security program, if you will. The problem that a lot of organizations ran into is they also thought that on this journey, they could also take legacy tools along with them as well, tools that were essentially built for the network, built not with remote employees in mind. From that perspective, there's been a bit of an adjustment where organizations have to accept the reality that, you know, employees may want to work on a network of their choice, may want to not necessarily VPN in. So the challenge, as I often call it, or the conundrum with security is, you know, you have to protect data on one hand, and then on the other hand, you have to ensure that all of these remote employees can continue to collaborate and continue to be productive. So I think more and more organizations are embracing that. There are definitely more solutions, specifically in the insider risk side of the house, which are allowing for that free collaboration and at the same time protecting data.
Dave Bittner: Well, based on the information that you all have gathered here, what are your recommendations for organizations to best protect themselves?
Abhik Mitra: There are three major recommendations. I think the first really comes back to trust and transparency, which is leaders really need to work with security teams, with the extended teams as well, again, just to bring them to the table and really help understand and translate what risk is. I think this is the other thing that gets lost in translation a lot, which is helping the executive or board teams understand and even quantify what risk is. And that begs a number of different questions. You know, are you measuring the right metrics? Are you focused on the right metrics? And once you can finalize what the right metrics are, it's absolutely key and essential that you can simplify that message to the executive team because, you know, if they are not understanding it, that next so-desired step, whether it's increased budget for insider risk, really falls flat. So that would be the first part of this journey.
Abhik Mitra: The second part is training, being able to educate employees and really empower them and thinking about security training in terms of frequency and, you know, the delivery mechanism itself. We often joke that the 30 minutes of really poorly acted videos that we're subjected to then have to take quizzes on do not really get us very far, but I've noticed that organizations that tend to have fun with the trainings - almost don't take themselves too seriously - are the ones that truly make the impact. They're the ones that truly move the needle in terms of, like, how digestible the message is and just course-correcting some of those behaviors over time.
Abhik Mitra: And then the last component to this is technology. And you'll notice I mentioned technology last, and that is deliberate. I think a lot of organizations get trapped into leading with this is a technology-first problem. It's actually a people and process problem first. And again, going back to the trust and training component, if you have those building blocks in place, you now are in a position to leverage technology and build a program that can be all about phases. I think a lot of people get scared by this notion of a program. But again, going back to the DER data, a lot of folks, in spite of knowing what these risks are, haven't completely made investments into insider risk programs. And that's pretty significant because on one hand, you're aware of these risks, but on the other hand, you're not going forward with a program. So the recommendation there is maybe don't even think of it as a program. Think of it as a journey, not a destination, and think of it as phases. We often talk about being data-centric, but if you put the right pieces in place first, you can really lead that effort of building a program with data. And the data really leads you to, you know, where might your gaps be within the business? Where are your visibility gaps? And once you get to some of those building blocks, you can start building policies and other right-sized response mechanisms to really help you in these situations.
Dave Bittner: Joe, what do you think?
Joe Carrigan: I like this interview, Dave.
Dave Bittner: Yeah.
Joe Carrigan: I like - first off, I like when these reports come out.
Dave Bittner: Yeah.
Joe Carrigan: I got to check this report out. One of the key findings in this report is that as cloud usage is increasing, the visibility into that cloud usage is not increasing. So people aren't paying attention. They're just going, just sign up for it. Let's go - we'll worry about the security afterwards.
Dave Bittner: Yeah.
Joe Carrigan: Dave, I can tell you from a lifetime of experience, worrying about something afterwards is kind of a bad idea...
Dave Bittner: Right.
Joe Carrigan: ...And not just in security.
Dave Bittner: No. You know, temporary solutions tend to become permanent solutions.
Joe Carrigan: Yeah, they do.
Dave Bittner: Yeah.
Joe Carrigan: That's right. And my wife will tell you that about the floor in our kitchen.
Dave Bittner: (Laughter) Right.
Joe Carrigan: If boards are not seeking input from their security practitioners when they're developing security policy or strategies, I can almost guarantee you those strategies are garbage. You know, you - as a board member, you should be seeking input from your security team. You pay these people a ton of money...
Dave Bittner: Right.
Joe Carrigan: ...To do what they're doing.
Dave Bittner: Right.
Joe Carrigan: Ask them what they think is important.
Dave Bittner: No, you wouldn't have your board of directors design the new HVAC system (laughter).
Joe Carrigan: Right. Right. You also wouldn't have your board of directors do sales forecasts or do strategic business planning without talking to the CTO or the CFO and the other C-suite executives.
Dave Bittner: Right. Sure.
Joe Carrigan: Right? And those guys are going to go down and involve, you know, accounting and sales and all those other things.
Dave Bittner: Yeah.
Joe Carrigan: You - why are you doing security strategy without the input from your personnel on this?
Dave Bittner: Right.
Joe Carrigan: That is the most flabbergasting thing from this report, I think. And it's probably the most terrifying to me.
Dave Bittner: OK.
Joe Carrigan: I just - I can't fathom this.
Dave Bittner: Yeah.
Joe Carrigan: One of the things I really, really, really like that Code42 does here - and Abhik talks about this - is talk about the insider risk versus the insider threat...
Dave Bittner: Yeah.
Joe Carrigan: ...Because 90% of the time - no, I would say more than 90% of the time - when you're compromised by somebody on the inside, they're doing it inadvertently. They're not being threatening. They're not trying to hurt you. They're just being misled.
Dave Bittner: Right. They're not being malicious.
Joe Carrigan: Right. They're not being malicious. Exactly. They're being victimized. And I hope this conversation switches - is switching from threat to risk. And I hope that that's - I think that's an important distinction that we need to make. The idea of IP coming along with the employee - first off, when I write code, I love the code I write, and it's very hard for me to leave it behind. I totally understand where this comes from...
Dave Bittner: Yeah.
Joe Carrigan: ...You know, especially if you've done a lot of work that's really generalized and applicable to other places. But the truth of the matter is, when you signed up for the job, you probably signed an agreement that said everything you do, at least while you're working here, is our intellectual property. And you don't have any rights to it.
Dave Bittner: Yes.
Joe Carrigan: Right? There are some companies - I've even signed agreements that said everything you do outside of work is also our property. I've heard of even more draconian things from other people who have been telling me horror stories about this.
Dave Bittner: Right.
Joe Carrigan: I think that's a bad idea. Don't make it so that things people do in their own free time becomes your intellectual property because what if I, as a developer, want to contribute to an open-source project? Does that become your intellectual property? I don't think you have a good argument there.
Dave Bittner: Yeah.
Joe Carrigan: But I've also heard stories of people being very passive-aggressive and going, here's a recipe I came up with - turning that in as intellectual property...
Dave Bittner: (Laughter).
Joe Carrigan: ...Which I think is a great way to handle it. But I will tell you, Dave, I have, during job interviews on the phone, had recruiters say to me, hey; can you give us a sample of something from your office? And I've said, no, no. Why would you even ask me for that?
Dave Bittner: Right.
Joe Carrigan: You know, I think now, if somebody asked me for that now - I mean, this was years ago, probably 10, 15 years ago, and I could kind of understand it. But if somebody asked me for that now, I think I'd say, you know what? We're done. I have ethical concerns with the way you operate your business. Goodbye.
Dave Bittner: Yeah.
Joe Carrigan: And be done with it.
Dave Bittner: Could you - I mean, could you point to, like, a GitHub repository or something like that and - so in other words, if you'd done stuff for public consumption...
Joe Carrigan: Right. Now...
Dave Bittner: ...I suppose you could redirect them to something like that.
Joe Carrigan: That's a different question.
Dave Bittner: Yeah.
Joe Carrigan: If somebody is asking me for a code sample, like, on an open-source project, yeah, I could point them to my GitHub...
Dave Bittner: Right.
Joe Carrigan: ...User account or to a repository I built. Like, I built a Wordle solver when Wordle first came out.
Dave Bittner: OK.
Joe Carrigan: It was a brute force, terrible Wordle solver. But I was just like, how does this work?
Dave Bittner: Sure - for fun.
Joe Carrigan: For fun. Right.
Dave Bittner: Yeah.
Joe Carrigan: That's what I do for fun - is I write code. That's the kind of nerd I am. But I wouldn't - actually, I wouldn't send that to anybody as an example because it's garbage. But it works. But, yes, I think pointing someone to a GitHub repository where you have your own code, your own fun projects that you do or your - some contributions to an open-source project - that's fine.
Dave Bittner: Yeah.
Joe Carrigan: I don't have a problem with that. But asking me for code that I've done at work - I can't abide that.
Dave Bittner: Sure.
Joe Carrigan: Culture is huge. Constant training is better for building a healthy security culture. I've been saying this now for a long time. I think it's - the data bears it out. And that's why I've been saying it, actually.
Dave Bittner: Yeah.
Joe Carrigan: And I'm glad to see this study. And Abhik and his people are reinforcing this idea. Be open about what is being monitored. And depending on your state, this may actually be a legal requirement. You may have to tell your employees, hey; we're monitoring all this stuff. I don't - I think I've heard of - this is another question for Ben. But I'd like to know where that is the case. But it wouldn't strike me - it wouldn't surprise me at all, if you monitored somebody and then fired them but never disclosed to them that you were monitoring them, that you might have a wrongful termination suit on your hands.
Dave Bittner: Yeah. I mean, I like the idea of having, like, an organizational wiki about security and monitoring...
Joe Carrigan: Right.
Dave Bittner: ...So that everyone in the organization knows. You know, you can say, we monitor your web browsing. We monitor your email. We monitor, you know, all of this...
Joe Carrigan: Right.
Dave Bittner: ...As we are allowed to and perhaps even obligated to do. So...
Joe Carrigan: Right.
Dave Bittner: There's no mystery. I don't like the idea of - I don't know - trying to keep your employees in line with fear and uncertainty.
Joe Carrigan: Yeah, I agree a hundred percent.
Dave Bittner: Just tell them what the expectations are, and hold them to it. But, you know...
Joe Carrigan: I was working for a company, and as this company was maturing this network process, they sent out an email that said, we're going to start monitoring everything that happens on our network.
Dave Bittner: Yeah.
Joe Carrigan: It doesn't matter what it is. We're going to start monitoring and logging it. That's fine if that's what you're going to do. I appreciated the transparency of that company.
Dave Bittner: Right.
Joe Carrigan: It was great.
Dave Bittner: I agree.
Joe Carrigan: We all stopped playing video games at lunch.
Dave Bittner: (Laughter) OK.
Joe Carrigan: True story.
(LAUGHTER)
Joe Carrigan: Culture is huge. Did I already say this? I did say this.
Dave Bittner: Yeah.
Joe Carrigan: Yeah, never mind. Security is a balancing act between productivity and security. Of course, we know this.
Dave Bittner: Yeah.
Joe Carrigan: I can make every system in your office completely secure. All I have to do is turn them off.
Dave Bittner: (Laughter) Right.
Joe Carrigan: Nobody's hacking it.
Dave Bittner: Right. Yeah.
Joe Carrigan: But that's not very useful. So there is this continuum that you have to move along. Three recommendations - I like a big-three recommendation. Trust and be transparent. Trust your employees. They generally do - they are generally good people, and they're going to try to do things.
Dave Bittner: Yeah.
Joe Carrigan: Be transparent. Be the good guy, too, right? Training - the more frequent, the better. And technology - I like that he says it's last for a reason. Your technology will absolutely not help you if one of your people is under the influence of a malicious outside actor. Your tech - all the technology in the world just goes right out the window. It doesn't matter.
Dave Bittner: All right. Well, our thanks to Abhik Mitra again. He is from Code42, and we will have a link to their Data Exposure Report in the show notes. We appreciate him taking the time for us.
Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.