Hacking Humans 7.7.22
Ep 203 | 7.7.22

Human errors and why they're made.

Transcript

Josh Yavor: Effective solutions do not need to be perfect, and we need to be willing to accept significant incremental progress over the coming years.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Josh Yavor. He is CISO at Tessian, and we're discussing their new report on human error. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we've got a little bit of follow-up here. Do you want to read this, or would you rather have me do it? 

Joe Carrigan: Oh, why don't you do it? 

Dave Bittner: OK. 

Joe Carrigan: I'm not good at doing cold reading like you. 

Dave Bittner: All right. Well... 

Joe Carrigan: Well not, like, just copy reading. 

Dave Bittner: This is from someone who writes in whose name is Jon (ph) and writes in and says, interesting conversation about social media addiction, referring to... 

Joe Carrigan: This is from last episode. 

Dave Bittner: Yeah. He says, this is a mental health issue. We have to stop treating mental illness as if it isn't an illness just because we don't see the physical manifestation of the symptoms until very late into the illness, when it has become very severe. Just as exposure to carcinogens often doesn't manifest physical symptoms until late-stage cancer, the development of a mental illness brought on by overexposure to false or misleading information, online bullying and other negatives that are present in social media feeds can result in depression and other mental illnesses that can sometimes manifest in life-threatening symptoms such as self-harm and suicide attempts. 

Joe Carrigan: Yep, social media is bad for you. 

Dave Bittner: Just like smoking is an addiction that often children and young people, myself included, can bring into their adult lives with very negative results, we need to openly discuss the harmful effects of social media. This lawsuit is most welcome in my eyes. Mental illness is too often overlooked. Perhaps, Joe and Dave, you could put some self-help links in your show notes. By the way, you're right about the hard coding of 20 redirects in Chrome. It would be great to have some control over this (laughter). As usual, great show sign-offs. I look forward to your show every week. Cheers, Jon. 

Joe Carrigan: Yes, thank you, Jon. 

Dave Bittner: Thank you for writing in. 

Joe Carrigan: We'll look into putting some mental health links into our show notes, I guess. 

Dave Bittner: Yeah. 

Joe Carrigan: That sounds like a good idea. Could - certainly could not hurt providing resources to people. 

Dave Bittner: Right. 

Joe Carrigan: I like the analogy that this - that social media is essentially a carcinogen. 

Dave Bittner: Yeah. I've often used the analogy that Facebook is very much like smoking. 

Joe Carrigan: Right. 

Dave Bittner: Like, we all know it's bad for us, but, you know, it's easy to get hooked on it... 

Joe Carrigan: It is. 

Dave Bittner: ...And hard to stop. 

Joe Carrigan: Yeah. 

Dave Bittner: What's - as someone who's stopped, I can - I understand the pull. 

Joe Carrigan: Were you ever a smoker, Dave? 

Dave Bittner: No, I - you know what? I have - this is - you're probably not going to believe me, but in my entire life, I have never smoked a cigarette. I've never even tried it. 

Joe Carrigan: Really? 

Dave Bittner: No. 

Joe Carrigan: I was a smoker for probably 10 years... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Maybe a little bit less. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah, I smoked pretty much all the way through college and early high school and actually started when I was 16, when they'd still sell you cigarettes when you were 16. 

Dave Bittner: Right. Right. I remember when I was really little, you know, my mom would have me run into the grocery store to buy her a pack of cigarettes. 

Joe Carrigan: I remember doing that, too. 

Dave Bittner: Yeah, that was - oh, different times (laughter). 

Joe Carrigan: It was. It was. My mom would give me $0.70, and I'd walk over to the 7-Eleven and pick her up a pack of Merits... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The ones she smoked. 

Dave Bittner: Out of the machine sometimes. 

Joe Carrigan: Right. 

Dave Bittner: You know, the ka-chunk (ph) machine. Yeah. 

Joe Carrigan: I remember those machines. 

Dave Bittner: Yeah. 

Joe Carrigan: I used to wait by those machines and watch somebody buy a pack of cigarettes and then go over and pull the matches thing and get a free pack of matches. 

Dave Bittner: Oh, wow. But we digress. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: I was a hacker even when I was young, Dave. 

Dave Bittner: Yeah. Yeah. So I think there is something to this. I think what's difficult is how do you draw the direct line between people's behaviors, the, you know, outcomes, the bad outcomes, the negative results... 

Joe Carrigan: Right. 

Dave Bittner: ...Things like self-harm, things like suicide - how do you draw a direct line between that and participation in social media? - because I think certainly you could make the argument that there are people out there for whom social media is a positive force in their life. 

Joe Carrigan: Right. I would agree with that statement as well, that there - you know, this is not like smoking, which has had an impact on people that - the vast majority of smokers would eventually get lung cancer or something... 

Dave Bittner: Right. 

Joe Carrigan: ...Or emphysema. 

Dave Bittner: Right. 

Joe Carrigan: There were some people that it just didn't affect, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They were in the minority. 

Dave Bittner: Yeah. People smoke and drink and live to be 100. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right. But that's not the case with social media. I would say that the percentage of people that - for whom social media is physically harmful is a lot lower than something like smoking, I would say. But I don't know. I'd like to know the - I'd like - maybe if we measure not just, like, physical harm, but other mental health harm... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? Like how happy are you when you abstain from social media for a while? Like, I haven't been on Twitter in a very long time. I just stopped going to Twitter. I stopped going to - I uninstalled Snapchat off my phone. I've - you know, I took all the social media platforms off my phone with the exception of the Facebook messenger. 

Dave Bittner: Right. 

Joe Carrigan: And immediately, I noticed I started being a little bit more happy. 

Dave Bittner: A little more bounce in your step (laughter). 

Joe Carrigan: Right. A little bit more - a little more bounce in my step. 

Dave Bittner: OK. 

Joe Carrigan: So I'd like to see a measurement of that, a study that measures that. 

Dave Bittner: Yeah, well, I know, you know, folks are out there working on it - social scientists and that sort of thing. And there certainly have been results that show, particularly for children, teenagers... 

Joe Carrigan: Right. 

Dave Bittner: ...That these can be bad for them. 

Joe Carrigan: Right. 

Dave Bittner: And we need - I agree with our listener here, Jon, that we need to keep an eye on this. I also agree that, you know, mental health does not get the attention it deserves. 

Joe Carrigan: Yeah, me too. 

Dave Bittner: And we need to - to me, we need to demystify and take away any of the shame that is associated with mental health. 

Joe Carrigan: Yeah. 

Dave Bittner: So, all - yeah, I mean, I think Jon brings up a lot of good points here, and we appreciate him writing in. 

Joe Carrigan: Yeah, a lot of this stuff is just not easy to do, though. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, it's really... 

Dave Bittner: It's a challenge. It is. 

Joe Carrigan: It is a challenge. 

Dave Bittner: Yeah. It's going to take time, but I'm glad we got people working on it. 

Joe Carrigan: Yep. 

Dave Bittner: All right. Well, we would love to hear from you. If you have something you'd like for us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into our stories this week. I'm going to kick things off for us. I have a little bit of research from the folks over at Avanan. It's a security company. They published something recently. It's titled "Sending Phishing Emails from QuickBooks." So I think we're all familiar with QuickBooks, a very handy, popular - what would you call it? It's an accounting software. 

Joe Carrigan: It's accounting software and bookkeeping software for businesses. 

Dave Bittner: Bookkeeping, yeah, yeah. That's probably a better way to say it. But one of the functions within QuickBooks is that you can send out invoices. And evidently, when you send an invoice through QuickBooks - if you sign up for the free version of QuickBooks - if you send out an invoice, it goes through a QuickBooks mail server. 

Joe Carrigan: I see. 

Dave Bittner: So it comes from QuickBooks. So you see where we're going with this, right, Joe (laughter)? 

Joe Carrigan: I do see where we're going with this. There's a free account out there... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That will send emails from a bona fide financial service. 

Dave Bittner: Right, right. And not only bona fide emails, but a bill... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? That - it could also have notes on it, and so on and so forth. So walking through this, the bad folks spin up a free account. 

Joe Carrigan: Right. 

Dave Bittner: They start sending out invoices to people. And with those invoices, they send notes that say, please pay this immediately or past due or, you know, lawsuit to follow or whatever, you know? 

Joe Carrigan: Yes. 

Dave Bittner: Don't make me call the police on you - all these things we talk about. 

Joe Carrigan: That's right. That fear incentive. 

Dave Bittner: Right. So that email, because it's coming from QuickBooks, seems legit... 

Joe Carrigan: Yep. 

Dave Bittner: ...Makes it past the spam filters... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Because you can't sinkhole QuickBooks... 

Joe Carrigan: Nope. 

Dave Bittner: ...'Cause it's a legit service. 

Joe Carrigan: It is. 

Dave Bittner: You don't want to miss a legit invoice from QuickBooks, or the legit bad things could happen to you. 

Joe Carrigan: Right. 

Dave Bittner: And so the hackers know this. They take advantage of this, and they're using this to send phishing emails to people. And evidently, it's quite successful. It seems like what they're doing here is they're not so much looking for a response to the email. They're including a phone number and saying, please call us right away to work this out. And then the victim calls the phone number, and now the bad people have your phone number. 

Joe Carrigan: I see. 

Dave Bittner: So they got a hot one on the line, right? 

Joe Carrigan: Yep. 

Dave Bittner: And away they go with the various scams that they're going to try to do. Once they actually engage with you one-on-one, then they - you know, they unleash all of the more direct tools that they have. I'm not sure how you prevent this. I mean, I suppose QuickBooks - I mean, first of all, I'm sure QuickBooks is trying to do everything they can to try to tamp down on this. 

Joe Carrigan: Right. Because my first question would be, do they really need the free tier service to send out emails on the behalf of the user? I don't know. Maybe you could just generate an invoice, print it to PDF, and then let them download it and send it via their email. 

Dave Bittner: Yeah. 

Joe Carrigan: Because everybody that does this is going to have some email address. You just don't send it - unless you are paying for a service from them. That would discourage a lot of these phishers from doing it. 

Dave Bittner: Right. 

Joe Carrigan: I'm interested to know, do any of these bills have addresses that you can send something to, like a check, and then - or do they have wiring details or Venmo details? I don't know. 

Dave Bittner: Yeah. Yeah, I would suspect they probably have all - you know, all the usual things... 

Joe Carrigan: Right. 

Dave Bittner: ...That we have. I don't - I haven't actually seen any of the samples of these. They do actually have an example here in the article. But it's pretty, you know, slim. It's more - it's designed to start the conversation, right? 

Joe Carrigan: Right. It's a lead-in. 

Dave Bittner: It's not designed to elicit a real follow-up where you're going to send the money. It's the first step in engagement. So... 

Joe Carrigan: So the question is, how do you prevent this from happening? 

Dave Bittner: Yeah. 

Joe Carrigan: And that is - the answer is good process on your business in your accounts payable department, right? Like, everything that you buy should have a purchase order number, right? So if I call a company - if a company sends me this, and I call the number, and I say, OK, so you sent me this bill, I need the purchase order number this came from... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? I imagine that that shuts down the conversation immediately, right? 

Dave Bittner: It could, yep. 

Joe Carrigan: Because we issue purchase orders for every purchase we make. 

Dave Bittner: Right. 

Joe Carrigan: And I need you to tell me what that number is, and you should have that number. And if you don't have that number, I'm not paying you. 

Dave Bittner: Right. 

Joe Carrigan: End of story. 

Dave Bittner: Yeah. 

Joe Carrigan: You need that number for me to pay you. So that's your answer, Dave, is good process, and communicate that process to the employees. 

Dave Bittner: Yeah. Yeah. And again, just take time. 

Joe Carrigan: Take time. Right. 

Dave Bittner: You know, when you find yourself - be self-aware. When you find yourself in this emotional state where someone's trying to get you into that emotional state, just take a breath, you know, walk down the hall or, you know, take a walk outside, call a buddy, whatever, a coworker. Just give a little time to settle in. And often, that'll help, you know, keep you from reacting in a way you wouldn't want to. 

Dave Bittner: All right. Well, we'll have a link to that story in the show notes. Joe, what do you have for us this week? 

Joe Carrigan: Dave, my story comes from CNBC, and the authors are Scott Zamost and Yasmin Khorram. And there's a guy named Sean Ragan who is the FBI special agent in charge of the San Francisco and Sacramento field offices. 

Dave Bittner: OK. 

Joe Carrigan: And he says that fraudsters who exploit LinkedIn to lure users into cryptocurrency investment schemes pose a significant threat to the platform and its customers. Dave, you and I have talked about LinkedIn and fake profiles. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm pretty sure there's a person that's running a fake profile on LinkedIn right now that both you and I are connected with. 

Dave Bittner: Really? 

Joe Carrigan: Yep. I think this because the profile picture looks like it was generated by This Person Does Not Exist. 

Dave Bittner: OK. 

Joe Carrigan: But it doesn't come up that way when I run it through a detector, right? So maybe they've done something to the picture. And the other thing is, this person is commenting randomly on different stories and commenting about a vast swath of things. 

Dave Bittner: OK. 

Joe Carrigan: But they also have recommendations or confirmations in their bio about things. Now, I'm - I don't know if this person is real or not. I'm really actually wondering. But Ragan's talking about a specific scheme here. Here's how it works. A fraudster posing as a professional creates a fake profile and reaches out to LinkedIn users in general, right? The scammer starts with small talk over LinkedIn messaging, right? How many times do you get LinkedIn - I get a lot of people talking to me over LinkedIn messaging. 

Dave Bittner: OK. 

Joe Carrigan: And it happens frequently. And they eventually offer to help the person with crypto investments, right? And people that CNBC interviewed say that LinkedIn is a trusted platform for business networking, and they tend to believe the investments are legitimate. I don't know why you would believe that. If someone approached you on Facebook and presented you with a crypto investment... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Plan and you'd be less inclined to believe it than you would on LinkedIn, I would be equally inclined to believe neither of those, right? 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: But that's my skepticism. 

Dave Bittner: Right. Yeah. 

Joe Carrigan: Maybe somebody is a crypto investor on LinkedIn. 

Dave Bittner: Sure. 

Joe Carrigan: I'm sure there's tons of them - right? - that they're actually crypto investors. 

Dave Bittner: Legitimate businessmen. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: (Laughter). Right. 

Joe Carrigan: Typically, what the fraudsters will do will direct users to legitimate investment platforms for crypto. 

Dave Bittner: Yeah. 

Joe Carrigan: And then, after gaining trust in a couple of months - and, presumably, these people actually buying crypto - cryptocurrencies - they tell them, hey, move it to this new investment site that we have. And that's when the money's gone... 

Dave Bittner: I see. 

Joe Carrigan: ...Right? So here's one of the key points about cryptocurrency. If you don't own the private keys, you don't own the cryptocurrency. This is a common saying among people who invest in cryptocurrency. It doesn't matter what the platform is. If you're trusting an exchange to hold your cryptocurrency, you're hoping and believing that they will give it to you when you ask for it. And it's true - that's true of legitimate and fraudulent cryptocurrency exchanges. The big difference between the two types is that the legitimate ones actually send you the cryptocurrency when you ask for it. 

Dave Bittner: (Laughter) Well, couldn't you say the same thing about a bank? 

Joe Carrigan: You could, absolutely. 

Dave Bittner: But I guess the bank has, you know, the FDIC insuring your deposits... 

Joe Carrigan: Right. 

Dave Bittner: ...Up to a certain point. 

Joe Carrigan: As far as you know, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: How do you know they don't just buy one of those little signs that says FDIC and put it up in the teller's office? 

Dave Bittner: (Laughter) That's right. Sure. 

Joe Carrigan: I mean, this is exactly the same problem. 

Dave Bittner: Yeah. 

Joe Carrigan: I could easily set up an online bank and say, start transferring money to me, and we'll open a bank account for you. It could be done. So if you do own cryptocurrency and you keep it in an exchange, don't transfer it to a new exchange. Just don't do it. You know, there are exchanges out there like Coinbase and Kraken and a bunch of other ones that are legit. And you can - I think it's pretty safe to keep your coins there. Again, you're trusting them, and you're trusting that they'll remain secure. So you have to do your due diligence and find out what their security policies are. But... 

Dave Bittner: Right. But I mean, isn't it fair to say that they're all legit right up until the moment when they're not? 

Joe Carrigan: Right. 

Dave Bittner: They could still fail... 

Joe Carrigan: They could fail. 

Dave Bittner: ...The same way that a bank - you know, certainly in the Great Depression, you know? And it's harder to happen now. But we all have faith. All of this... 

Joe Carrigan: Right. 

Dave Bittner: ...All - money requires a certain amount of faith, right? 

Joe Carrigan: Right. 

Dave Bittner: So... 

Joe Carrigan: If I could talk about that for a minute, I mean, there are things out there that - like, I don't do business with any of the large banks... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? Because if one of those fails, the FDIC has a problem, right? If I - if a small local bank fails, the FDIC doesn't have a problem... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? It's not a - I'm going to get all of my money back if my local bank fails. If a national bank fails, I may not get all my money back. 

Dave Bittner: OK. 

Joe Carrigan: That's my fear, anyway. 

Dave Bittner: All right. 

Joe Carrigan: In a statement, LinkedIn acknowledged that there has been a recent uptick in fraud on its platform, telling CNBC that, we enforce our policies, which are very clear - fraudulent activity, including financial scams, are not allowed on LinkedIn. 

Dave Bittner: Yeah. 

Joe Carrigan: Well, thank you, LinkedIn. That should take care of the problem. 

Dave Bittner: (Laughter). 

Joe Carrigan: They go on to say, we work every day to keep our members safe, and this includes investing in automated and manual defenses to detect and address fake accounts, false information and suspected fraud. 

Dave Bittner: Right. 

Joe Carrigan: And they - the statement goes on with stuff like, we work with law enforcement. But it really is an issue of stopping this from happening. I think LinkedIn should be doing more to stop this from happening. 

Dave Bittner: Like what? 

Joe Carrigan: Well, I don't know how LinkedIn works internally, but maybe they are looking at account behaviors, right? Hey, here's a new account who just made a bunch of requests, and now this person is sending a bunch of messages out there. Do they have end-to-end encryption on the messages? I don't think LinkedIn does have that, so LinkedIn can probably read the messages. Are these people talking about cryptocurrency and Bitcoin? Is that coming up? OK, this guy is just sending out a bunch of things, and it looks like this is just a scammer... 

Dave Bittner: Yeah. 

Joe Carrigan: ...All right? And maybe they're doing that. 

Dave Bittner: They may be doing that, yeah. 

Joe Carrigan: They may be doing that now. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: But this is happening a lot more. Oscar Rodriguez, who is the senior director of trust, privacy and equity, says, quote, "Trying to identify what is fake and what is not is incredibly difficult." So... 

Dave Bittner: I think I would add at scale. 

Joe Carrigan: At scale, right. 

Dave Bittner: (Laughter) Right? Which is - I mean, that's the ball game... 

Joe Carrigan: Yeah. 

Dave Bittner: ...For social media platforms. 

Joe Carrigan: Exactly. He goes on to say, one of the things that I would really love for us to do would be to get more proactive education for members, letting members know or basically allowing them to understand the risks that they might face. Well, you know, here's my question for Oscar Rodriguez. You are the senior director of trust and privacy and equity - trust, privacy and equity. Why is that not what you're doing? If that's what you'd like to see what - see LinkedIn do, you're in charge of this part of the issue. Start doing that. 

Dave Bittner: You have mandatory training before they allow you to continue on LinkedIn... 

Joe Carrigan: It... 

Dave Bittner: ...Before you can create your account. 

Joe Carrigan: ...I don't - no, actually, Dave, I don't think it should be mandatory training. 

Dave Bittner: Yeah? 

Joe Carrigan: I think it should be, for all the users, continuous reminders... 

Dave Bittner: OK. 

Joe Carrigan: ...Right? Small reminders. Like, you know, like - you know those annoying subscription requests? 

Dave Bittner: Like Clippy, like Clippy. Clippy could pop up. We see you're about to do a cryptocurrency interaction. Are you sure you want to proceed (laughter)? 

Joe Carrigan: You know, maybe if it's the first time you go to LinkedIn during that day... 

Dave Bittner: Right. 

Joe Carrigan: ...You get a little window that says, remember, there's an opportunity for cryptocurrency scams on LinkedIn. 

Dave Bittner: Yeah. 

Joe Carrigan: And you can click dismiss... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? A reminder like that. 

Dave Bittner: Yeah. 

Joe Carrigan: That's all it takes. 

Dave Bittner: Yeah. I agree. 

Joe Carrigan: Active education that happens on a regular basis. 

Dave Bittner: Yeah. I think it's a good idea. 

Joe Carrigan: Yeah. 

Dave Bittner: All right. 

Joe Carrigan: And, yes, I understand you're concerned that that would be annoying. 

Dave Bittner: (Laughter). 

Joe Carrigan: I get it. And - but as a - I don't know how a social media platform would perform these education tasks without doing something like that. 

Dave Bittner: Right. That's the challenge is that... 

Joe Carrigan: Right. 

Dave Bittner: ...They're all about engagement. They want you to spend as much time... 

Joe Carrigan: On the platform. Right. 

Dave Bittner: ...As you can on the platform, and so they want to reduce friction as much as possible. 

Joe Carrigan: Yes. 

Dave Bittner: And training is friction... 

Joe Carrigan: It is. 

Dave Bittner: ...Right? Security is friction. 

Joe Carrigan: It is. Yep. 

Dave Bittner: So you have a - I guess it's fair to call it a perverse incentive. 

Joe Carrigan: I would say it's a perverse incentive. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Absolutely. That's exactly what I would call it, actually. 

Dave Bittner: All right. All right. Well, we will have a link to that story in the show notes as well. Again, we would love to hear from you. You can email us at hackinghumans@thecyberwire.com. All right, Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Jennifer (ph), who writes, hi, Joe and Dave, I love "Hacking Humans," and I'm downloading and listening to all of them. Well, thank you. I'm a total novice with all of this, but I enjoy and take heed to all of your security suggestions. I was recently listening to one of your podcasts on Zelle when I received the attached text. Pardon my language. Naturally, they did not respond. So Dave, it's a very short SMS message. 

Dave Bittner: OK. 

Joe Carrigan: Why don't you read this? And then I will read and censor Jennifer's response. 

Dave Bittner: (Laughter) OK. It says, Venmo - your Venmo checking account was used to make a transaction of $799. Contact customer support if not initiated by you. 

Joe Carrigan: Screw you, scammer. I don't have a Venmo account just because I know you are out there. 

Dave Bittner: (Laughter). 

Joe Carrigan: And that's the end of the conversation. Now, this is a very short Catch of the Day. 

Dave Bittner: Yeah. 

Joe Carrigan: But I wanted to thank Jennifer for sending it in because it's actually a very important Catch of the Day for three reasons. One, this Catch of the Day - this scam started over text message, SMS. We've talked about this. One of the recent changes we're seeing is that more scams are coming over SMS and less over email because email is getting better at protecting people... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? SMS doesn't have any such protections at all. Payment apps are pretty new, and they're almost all based on your phone. That's how you pay people. So it makes 100% sense that you would get a text message when you - when there was a transaction. Like, I have credit cards that, when I - when there's a transaction on the credit card, I get a text message... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? And the brevity of this is why it works. So be wary when you get this. If you call that number, you're going to be asked to install some kind of remote-control software on your phone, and they're just going to try to transfer money out of their - out of your Venmo app. They already know that you have Venmo if you call them back because that's what the hook is here - or the lure, rather. 

Dave Bittner: I will also point out that in the message here, they spell Venmo with a zero at the end instead of an O. 

Joe Carrigan: That is an interesting observation. And that is probably to get through the - some kind of filter. I don't know if that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Works or not. 

Dave Bittner: Yeah. There - I mean, there is some filtering on iOS devices, I know. Like, I have a, you know, unknown sender folder where it'll put things. 

Joe Carrigan: Yeah. My Android - my Google device puts things in spam quickly. 

Dave Bittner: Yeah. Yeah. So there is some filtering going on. But you're right. I mean, it's not like email. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. All right. Well, our thanks to Jennifer for sending this in. If you have something you'd like us to consider for Catch of the Day, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Josh Yavor. He is the chief information security officer at a company called Tessian. And they recently published a report on human error. Here's my conversation with Josh Yavor. 

Josh Yavor: I think the creation of the report was driven by, really, just the reality that we're seeing in the marketplace. We see an ongoing, multiyear, multi-decade trend where the majority of cybersecurity incidents and breaches either start with or are dependent upon human error and human involvement. 

Dave Bittner: Well, let's go through some of that. I mean, what are the specific things that this report tracks? 

Josh Yavor: Yeah. So in this report, we're really looking at the overall landscape of how human behavior intersects with attacker behavior as well and the successful breaches that have occurred. So we're really trying to understand the psychology behind, you know, human error through data and the learnings that we can get from the behavior of humans who have been engaged with by attackers and, in many cases, sadly fallen victim to phishing attacks in particular. 

Dave Bittner: Well, let's explore that together. I mean, what are some of the highlights here, some of the things that caught your attention? 

Josh Yavor: Yeah. So I think, like, stepping back and looking at, you know, the broader landscape, so to speak, we know from the research that more than 1 in 4 respondents fell for phishing emails at work over the last year, and that we're now up to over half of employees saying that they actually fell for phishing emails because the attacker was impersonating a senior executive. And that's up from, I believe, around 40%, 41% from the previous year. And so to us, it's the trending of behavior and learning what is effective on the attacker side that helps us understand how to better educate, inform and defend our end users who are falling victim to these attacks. 

Dave Bittner: Yeah. You bring up a really interesting point, a question that I have, which is, you know, to what degree do we think that the trending here is because the bad guys are growing more sophisticated in their approach? 

Josh Yavor: It's a great question. And I have some personal bias here, I mean, admittedly. I see the sophistication question in - through two different lenses. First is, yes, we can recognize that attackers are genuinely increasing their sophistication. An example of that is that over the last five years in particular, attacker access to toolkits that allow them to do things like bypass traditional MFA solutions and so on have become increasingly sophisticated and largely freely available in many cases. And so I think that is a legitimate example of attacker sophistication increasing through the use of, you know, progressively, like, modern and useful tooling. 

Josh Yavor: Now, on the other hand, though, I think we tend to, as an industry, overuse the term sophisticated attack. And there's - I don't know which security leader coined this, otherwise I would give them credit. But the saying goes that we only call them sophisticated attacks when they're successful and we have to talk about them. And I think that the underlying truth that we have to realize is that social engineering attacks and including those that include email-based phishing or social engineering over SMS, voice or even social media like LinkedIn, Twitter and so on, these are effective inherently because they're not sophisticated in many cases. It's simple human communication at scale with a set of target victims. And it's the persistence and it's the skill and it's the fact that the age-old tricks of how to convince a human to believe you when they shouldn't are still not that sophisticated, and they still work. And so I think both are true. We are seeing increasingly sophisticated attacks in some cases, but a large amount of the events that actually occur and result in breaches and security events are not as sophisticated as we might otherwise like to claim. 

Dave Bittner: So what role does security awareness training play in all of this? Is there any data here that points to that, you know, moving the needle in either direction? 

Josh Yavor: Yes, I think so. And I would say that it was the - that second data point that I mentioned a few minutes ago around the increasing trend of impersonation of executives in particular that we can look at and extrapolate from. So if we think about security awareness training, we have, you know, at this point now, multi-decades of security awareness training behind us. And sadly, I can't sit here and claim that it's been all that effective, aside from checking compliance boxes, unfortunately, for a lot of organizations. And I say that because all of our - maybe not all. The majority of our training effort for security awareness has really been on things like detecting signatures of phishing emails, trying to train people to look at a URL without clicking it and somehow know whether it's dangerous or not or look at files and try to magically know whether it's dangerous or not. 

Josh Yavor: That type of training is something that we should really consider legacy these days. In some cases, it may be useful to do some things there in terms of how to spot a phish at a very high level. However, there's two things that we can learn from recent trends and reality. Technology, first, needs to be the way that we solve the - how to spot a malicious URL, how to identify a malicious file. Humans, at scale, will never be technical enough, on average, informed enough or have the tools necessary on their end to do that effectively. Security tooling, email platforms in particular and products in the email security space - have to get that right to support people. And that means that our security awareness training should focus on where technology on its own cannot operate and solve these problems independently. And a great example of where security awareness training really needs to go is really to follow what we're seeing in terms of successful attacks. 

Josh Yavor: Executive impersonation - security awareness training that consciously addresses executive impersonation and similar types of modern attacks and informs end users of what they can count on, that their CEO, their CFO will never email them from a personal email address asking them to buy gift cards for folks or that nobody in an executive position will ever send an SMS message and require that somebody make a wire transfer to another party in the next few hours because it's urgent. And if we shift our awareness training approach to address what attackers are actually doing while we actually apply the most useful technologies to cover the rest of what security awareness training once was, I think that's how we really progress and do better here. 

Dave Bittner: Well, let's touch on some of the technological solutions here, as well. I mean, where do we stand when it comes to that? What's the state of the art in helping people from that side of things? 

Josh Yavor: Yeah, I think technology has continued to progress, perhaps not as rapidly or completely across all attack surfaces and threat vectors that we would like. The optimist in me points to a few different things in terms of modern security technology. First, we see a large-scale migration by many organizations to cloud email infrastructure, and many organizations today just start in cloud-based email. And with that comes a lot of built-in capabilities and safety controls that are provided by providers like Google and Microsoft, whether you're using personal Gmail, personal Outlook or Google Workspace or Microsoft 365. And no matter what tier you're paying them for, you're getting a lot of technology solutions that keep you safer in your email day to day. And the best part is you don't need to turn them on. You don't even know about it. It's just taken care of in the background. That used to be really difficult and expensive for any individual or organization to take on. Today, it's increasingly accessible, cheap, if not free, in terms of, you know, security 101 for email. 

Josh Yavor: The other thing I would point to is cloud email provider and additional security products in the email security space, investing in and developing more advanced features. And whether that's things like advanced malware analysis. And similar in the cloud email providers, we're progressing there. And then we also have additional tooling that's now available and has become available over the past few years. My company, Tessian, is in this space, but there's a number of other vendors out there, as well, that are applying behavioral analysis and data, science-based outcomes to identify what is odd or anomalous in terms of email behavior and providing opportunities that rules and, like, signature-based solutions really can't identify reliably. And the beautiful part of, you know, the future that we're working towards - and again, I know I'm being a little bit optimistic. Glass is way more than half full in what I'm saying here. But we're heading in exciting directions in terms of different layers of security for email playing nice together and providing effective solutions as well-integrated technologies that really protect people at the end of the day. 

Josh Yavor: Now, I just said a whole bunch of warm, fuzzy things. 

Dave Bittner: (Laughter). 

Josh Yavor: There is so much work to do. We are nowhere close to where we need to be as an industry in all of these things working well together and firing on all cylinders, so to speak. But I think it's where - we have a positive trajectory, and we just need to continue working on this trajectory. And I think to our conversation a moment ago around, like, security awareness training and some of the traditional approaches, we have to be willing to shed what has not worked historically or what may have worked years ago but is no longer the best solution for us and be open to different types of integrated security outcomes in order for us to be prepared for the future. 

Dave Bittner: You know, I think you make some excellent points here. And I - personally, you know, I think back to some of the early days when, really, the world started coming online, and we started connecting with each other, you know, via this fancy new thing called the internet. And one of the big problems back then was, of course, spam. And it was a hard problem. But it strikes me that today, to your point, with many of the - particularly the cloud providers, spam is pretty much solved. You know, I don't - maybe it does me good to go looking through my spam filter, you know, every couple weeks to make sure something hasn't gotten gobbled up in there. But overall, they do a remarkable job with that. Is that where we're headed with these other things, with things like business email compromise? Do you envision a day when we look back and we say, gosh, remember the dark days of that? 

Josh Yavor: I sure hope so. And I think that's a great example of where we've really progressed. I, too - like, when I started using email for the first time, spam, just basic spam, was the biggest problem - just the sheer volume of it. 

Dave Bittner: Yeah. 

Josh Yavor: And I think that today, while I still have spam emails hit my personal inbox in particular, it's actually the exception rather than what was the norm. And so I think that if you think - if you look at spam as an example of what a couple of decades-plus of investments and incremental improvement over time can result in, I think there's two things there. One is that these capabilities are imperfect. No provider, no security technology, nothing can say we're going to 100% prevent all spam from ever hitting your inbox. That can be true, while at the same time, you and I just agreed that today spam is mostly a solved problem. And so I think that's the other thing that we need to learn from the progress that we've made in securing email against spam in this case is that effective solutions do not need to be perfect. 

Josh Yavor: And we need to be willing to accept significant incremental progress over the coming years towards exceptional yet impossible to get 100% perfect outcomes in increasing email security and safety, whether that's through business email compromise or similar - like, account takeover attacks that may affect email as well because of modern MFA bypass and so on. We need to look for similar levels of incremental progress and, again, reminding ourselves that done is better than perfect. And I think that while it still takes work to maintain, you know, resilience against spam, let's not kid ourselves there. 

Dave Bittner: Yeah. 

Josh Yavor: And the work will never be done. We're done enough to say that we've protected enough of, you know, the global attack surface. And that should be a similar goal for many of these additional risks in email security. 

Dave Bittner: So what are your recommendations then? I mean, for folks who are charged with helping secure their organization's email, how do you recommend they go about that? 

Josh Yavor: Yeah. I think that there's - you always have to take care of the Security 101 basics. To me, what that means is starting with the traditional most common attack vectors. It's making sure that you have secure access to email, strong account protections in terms of authentication, strong multifactor authentication, ideally secure access policies that are in place to make - you know, to provide resiliency and access to those accounts. Because, let's face it, email accounts are the gateway to everything that we do online, both in our personal lives and in our corporate lives. And so you still have to get all that basic configuration right. We really need to make sure that we're turning off legacy protocols as much as possible, things like POP and IMAP that are generally not compliant with secure access policies or MFA. 

Josh Yavor: But then as I look forward to, like, the cloud email providers and then the broader, like, email security space, there's a few other things I would recommend. First is go all-in on the security capabilities that are provided by your cloud email provider. When you look at Microsoft and Google, they have fantastic capabilities that are just a checkbox away. But you have to go through, and you have to think about which ones to turn on, which ones to not turn on potentially and make those conscious decisions. It's amazing to me how many organizations, especially, like, in the mid-market, have all these capabilities that just have yet to be turned on sometimes that they're already paying for or got for free. So get that layer right, and then think about what comes next. 

Josh Yavor: And that's where we get into the more advanced product space out there today. And so that's things like what we were talking about before for what is in marketing terms called integrated cloud email security. It's a marketing term. Don't blame - don't shoot the messenger. I didn't make it up. But these are the email security products that are additive and build on top of what the cloud email providers are able to do as, like, the baseline security features. And in this space, that's where you're going to find things like behavioral analytics and deeper integrated outcomes across multiple aspects of security. 

Josh Yavor: And in my case here at Tessian, one of the things that I like about being in this space is that you have the opportunity to converge some of the things that we were talking about. How do you get email security right from a behavioral analytics and advanced attack perspective while also taking advantage of opportunities for effective, in-the-moment security coaching and training that goes beyond the traditional hey, it's that time again to do our annual security awareness training, and we're going to hope that, you know, we tell you something useful? 

Dave Bittner: Right. 

Josh Yavor: It's in this product space that you find the opportunity to get that more right by meeting people in the moment, coaching them on how to think about an email they're sending, an email they're receiving, and let them make an informed decision that you're confident will also protect your business at the same time. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: I like a lot of what Josh has to say - first off, multidecade trend that human error is responsible for a very large part of breaches. 

Dave Bittner: Yeah. 

Joe Carrigan: And yet we continue to invest heavily in the technical solutions to this problem. 

Dave Bittner: Right. 

Joe Carrigan: And, I mean, I'm not saying we shouldn't invest heavily in technical solutions. We should. 

Dave Bittner: Yeah. 

Joe Carrigan: They're absolutely essential. 

Dave Bittner: Right. 

Joe Carrigan: You can't live your life without a firewall. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? I'm glad that somebody is finally looking at the psychological nature. The psychology behind this is very important - interesting that more than 25% of respondents fell for a phishing email in the past year and 50% of employees said that they had been victimized in the past by someone impersonating their executives. 

Dave Bittner: Right. It's widespread. 

Joe Carrigan: It's widespread. And it's interesting that they're saying - that Josh is telling us about these tools that are out there. And just like in other markets, the cost of these tools is going down to the point where it's almost free, right? This is the same economic pressures that are happening. 

Dave Bittner: Yeah. 

Joe Carrigan: I like what he says. The only way we call them sophisticated attacks is when they work. That's the only time we call them sophisticated attacks. 

Dave Bittner: Right. 

Joe Carrigan: Right - kind of true. Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: This is one of your points that you've been making for years. 

Dave Bittner: Yeah. 

Joe Carrigan: These are really good hackers that managed to penetrate our networks. 

Dave Bittner: Right - nation-state level attacks. 

Joe Carrigan: Right. 

Dave Bittner: How could we possibly have defended ourselves against it? Please don't sue us. 

Joe Carrigan: (Laughter) These attacks are not sophisticated in a technical sense, but they kind of are sophisticated emotionally, right? Additionally, they're also large, so they're sophisticated in volume, I guess you could say. So there are... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Kinds of sophistication that they have. But he's right. You know, these are not leet haxors (ph) coming into your network. 

Dave Bittner: No. I would say, like, in my mind, they're refined. 

Joe Carrigan: Yes. 

Dave Bittner: Right? 

Joe Carrigan: That's a good way to put it. 

Dave Bittner: Yeah. 

Joe Carrigan: They're refined. 

Dave Bittner: Yeah. 

Joe Carrigan: Josh makes an excellent point about security awareness training. Don't ask people to look for technical indicators like malicious URLs or malicious files. That's a technology thing. Let technology handle that. People are bad at it, and technologies are good at it. Instead, train people to look for patterns that indicate it's a phishing email. This is where people are much better. So go at the strengths of each. Like, for example, does your - this phishing email have an immediate call to action? It's a violation of policy. It's something you're not familiar with. Those three things right there - that's a pattern. 

Dave Bittner: Yeah. 

Joe Carrigan: You should be able to see that and go, something's up here. This - now I need to go and independently verify this. 

Dave Bittner: Right. 

Joe Carrigan: I'm not just responding to this. 

Dave Bittner: Yeah. 

Joe Carrigan: I like what he says about communicating policy. Make sure everybody knows that nobody on the executive team is ever going to go to the individual contributor level and ask them to do something, right... 

Dave Bittner: Right. 

Joe Carrigan: ...Like buy gift cards. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? I mean... 

Dave Bittner: Right. 

Joe Carrigan: I can't remember the last time the president of the university called me. He never has. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? He doesn't even know who I am. 

Dave Bittner: I was going to say, he just - yeah. He's not pining away, wondering if you'll answer his call, right? 

Joe Carrigan: Right. Exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: President Daniels has no idea who Joe Carrigan is. Now, the dean does. The dean knows who I am. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: I get a Christmas card from him every year. 

Dave Bittner: OK. 

Joe Carrigan: Corporate card. 

Dave Bittner: I was going to say you're on his watch list. 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: That's right. I got to listen to this show to make sure Carrigan doesn't say something stupid... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And embarrass the university. But the - you know, it's - you're in a much smaller organization, though, right? 

Dave Bittner: Sure. Yeah. 

Joe Carrigan: And it's not unusual for the CEO to send you an email. 

Dave Bittner: Right. 

Joe Carrigan: So that's Peter, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So, I mean, you get Peter - emails from Peter every day. 

Dave Bittner: Yeah - can't get him to shut up. 

Joe Carrigan: (Laughter) But... 

Dave Bittner: I love you, Peter. 

Joe Carrigan: Yeah, as do I. We're both big fans of Peter. And - but I'm pretty sure that you know that Peter would never send you an email going, Dave, I need you to get me some gift cards. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: So you've got - what you have to do is you have to assess where your organization - your - you know, your organization - you have to do threat modeling on what your organization looks like. And then you have to train your people to recognize the malicious patterns that these bad guys are following... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because they're almost always following a standard set of principles that we talk about on this show all the time. 

Dave Bittner: Yeah. 

Joe Carrigan: They have some pretext. They have some emotional trigger. They have some call to action, and they have some artificial time horizon. And then they may try to isolate you. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? You see any two of those things in an email, it should lead you to believe that this email is not genuine. 

Dave Bittner: Right. Right. And they do it because it works. And they do it - they use those things because they work at volume. 

Joe Carrigan: Right. 

Dave Bittner: So just make sure you and your organization are not the low-hanging fruit. 

Joe Carrigan: Correct. 

Dave Bittner: Yeah. 

Joe Carrigan: I like Josh's optimism about the idea that we will get there. I agree with that. I think eventually we will. I think there has to be more - the involvement of more psychologists in this field. 

Dave Bittner: Yeah. And I think we just got to make it so that it's not worth it. The cost is too high. Get them to move on to something else. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, but we've got a ways to go. But I'm glad folks like Josh are out there doing the good work, and we appreciate him reaching out to us and taking the time with us. 

Dave Bittner: All right. That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isc.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.