Hacking Humans 9.1.22
Ep 210 | 9.1.22

Is there a growing number of public and private partnerships forming?

Chuck Everette: It's - sometimes it's very disconcerting because you find a threat, you see, OK, this is actively going on. They're actively targeting. And the private sector is able to respond a lot faster than sometimes some governments than we'd like them to be.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault joins us. She's interviewing Chuck Everette from Deep Instinct. They're talking about public-private partnerships. 

Dave Bittner: All right, Joe. Before we dig into our stories this week, we've got a little bit of follow-up here. 

Joe Carrigan: We do, indeed. 

Dave Bittner: You want to take this on for us? 

Joe Carrigan: Sure. This is from Rodney (ph). He writes in (reading) Dave and Joe, you were talking today on your podcast about the social benefits cards not having chips in them. I wanted to mention that I have a medical flexible spending card issued through my employer's provider, and it does not have a chip in it either. You know, Dave, I've used those medical flexible spending credit cards or debit cards, and he's right. I don't recall that - mine having a chip either. 

Dave Bittner: Yeah, I went and looked because I have one and no chip. No chip in mine either. 

Joe Carrigan: Interesting. 

Dave Bittner: Yeah. Annoying. Like, I don't - I mean, I don't know. Does it save them a dollar per card or something? 

Joe Carrigan: It might. It might - probably less than that. 

Dave Bittner: Yeah. 

Joe Carrigan: Probably less than that. But when you're talking about millions of cards, Dave, that's millions of dollars. 

Dave Bittner: Yeah, yeah, yeah, yeah (laughter). 

Joe Carrigan: I was recently - this was recently replaced due to an expired card. So it's not a matter of having the card for years. In fact, I have never had an FSA debit card with a chip in it. So it's not just those provided from the state or the local government for benefits. That's a great observation, Rodney. 

Dave Bittner: Yeah. 

Joe Carrigan: And it should also be rectified. 

Dave Bittner: Yeah. 

Joe Carrigan: You also mentioned Woodforest Bank. Well, I'm not certain this is true in all locations. The area where I live, they only exist inside of Walmart stores. So it appears to be more affiliated with Walmart than having standalone branches. 

Dave Bittner: That's interesting. 

Joe Carrigan: Yeah, I don't go into Walmarts very often just because there's only one by my house, and I go in there when I need something there. Otherwise, I just generally avoid it. 

Dave Bittner: Yeah. But it doesn't surprise me that Walmart would have their own bank, if that's what this is. 

Joe Carrigan: I don't know. It might be Walmart's own, but it's based out of Texas, if I recall correctly. Is Walmart based out of Texas? I thought it was based out of the Midwest, somewhere north or more north. I don't know. 

Dave Bittner: Not sure. 

Joe Carrigan: I don't keep track. (Reading) I also still own a landline. The phone I have has smart - has a smart blocking feature. This means anyone whose number is not pre-programmed into the directory has to state their name when they call. I then have the option to hit the No. 1 to answer the call. In fact, the phone will not even ring unless they state their name. I know this because I periodically see it light up and say smart block when it's processing a call. Great show. Love listening on my way to work. Well, thank you, Rodney. You know how I solved the problem with my home landline, Dave? 

Dave Bittner: (Laughter). 

Joe Carrigan: This is really great. 

Dave Bittner: Yeah. 

Joe Carrigan: I just don't have a phone plugged into it. 

Dave Bittner: Yeah. 

Joe Carrigan: I still have a - I still have a phone. I still have the number. And when somebody says, hey, can I get your phone number? I'm like, sure can. Here it is. And they can call and call and call and my phone never rings because it's not plugged in. 

Dave Bittner: So I have set up something similar, except we have no phones plugged in. But I have the landline number forwarding to a Google Voice account. 

Joe Carrigan: OK. 

Dave Bittner: And so if a call comes into the Google Voice account, the call gets - the message gets transcribed and then sent as a text message to both me and my wife. 

Joe Carrigan: Very good. 

Dave Bittner: Yeah. 

Joe Carrigan: That is excellent. 

Dave Bittner: Let me tell you, it's been a while since anybody's called. 

Joe Carrigan: (Laughter). 

Dave Bittner: So... 

Joe Carrigan: Now I have - Comcast is my ISP and television provider and phone provider right now. So from time to time, I will be watching live TV, which I don't actually do very much. I'm actually considering turning that feature off. 

Dave Bittner: Yeah. 

Joe Carrigan: And it'll be like somebody's calling you on your phone. It shows up on your TV. 

Dave Bittner: Right. 

Joe Carrigan: Which is OK. But the thing is, I use - I also have an Amazon fire TV stick on that television, and that's what I use to watch TV most of the time. So it doesn't bother me at all. 

Dave Bittner: Right. Right. All right. Well, thanks to Rodney for writing into us. We would love to hear from you. You can email us. It's hackinghumans@thecyberwire.com. All right, Joe, let's do some stories here. Why don't you start things off for us? 

Joe Carrigan: Well, Dave, I want to start with some good news. This comes from Saleen Martin at USA Today. I'm not sure how you pronounce this last name - Jack Owuor - would you say - O-W-U... 

Dave Bittner: Owuor - yeah. It is an odd one. 

Joe Carrigan: It is. He's a 25-year-old man of Paramount, Calif., and he was just sentenced to 46 months in prison as part of a grandparent scam, for his part in a grandparent scam. It was a plea deal, so he didn't go to trial. He just pleaded out. 

Dave Bittner: Right. 

Joe Carrigan: He was part of a scam where callers would try to convince older people that their family members had legal trouble and needed bail money or they needed money to prevent additional charges from being filed or they needed help with medical expenses from vehicle accidents. 

Dave Bittner: Right. 

Joe Carrigan: So we've heard these scams. We've covered these kind of scams before. So now the FBI was involved in this. I don't know if he was tried or if this happened in a federal court or a California court. But he was - he's going to be the guest of somebody for 46 months. 

Dave Bittner: Yeah. 

Joe Carrigan: But he would pick up cash from multiple victims. So this guy was actually in contact with victims that were being scammed here. And he also recruited other people. I would like to see more people from this network get arrested - that would be nice - and tried or convicted or pleading or taking a plea deal. I don't care. 

Dave Bittner: Yeah. 

Joe Carrigan: Just spend some time in jail for your scamming of old people. 

Joe Carrigan: My main story today comes from Brian Krebs over at KrebsOnSecurity. And he has a story, "PayPal Phishing Scam Uses Invoices Sent Via Paypal." Now, what's interesting is I know we've talked about this a lot recently. We talked about it - this is at least the third time in the past two months. So I'm noticing a trend here. What's going on is these scammers are out there, sending out these fake invoices through legitimate services. 

Dave Bittner: Right. 

Joe Carrigan: And Brian has a great breakdown on this. He heard from somebody that - somebody actually reached out to him and talked to him about it. And here's the invoice that is sent. It says, invoice updated - billing department at PayPal updated your invoice. The amount due is $600. And then it says, seller note to customer. Oh, also, there's a big button right below that that says, view and pay invoice. It says, seller note to customer - there is evidence that your PayPal account has been accessed unlawfully. Six hundred dollars has been debited to your account for the Walmart e-gift card purchase. This transaction will appear in the automatically deducted amount on PayPal activity - this is hard to read because it's so awkwardly worded - on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number. And then there's a toll-free number. 

Dave Bittner: Oh. 

Joe Carrigan: So the person who received this said, you know what? I'm going to call the number. I think he knew it was a scam right away. 

Dave Bittner: Yeah. 

Joe Carrigan: So he calls the number, and the guy answers, going, customer service. That's what he says. He doesn't say PayPal customer service, right? 

Dave Bittner: Right. 

Joe Carrigan: He doesn't wind up in jail like the guy I just talked about, right? 

Dave Bittner: Yeah. 

Joe Carrigan: He's smart. He's not being fraudulent. He's still going to jail if they catch him. The guy then says, I need you to go to a - what is it? - globalquicksupport.com and download a remote administration tool. 

Dave Bittner: Oh. 

Joe Carrigan: So he wants to take over the computer. And then, of course, once you - he takes over the computer, you have - he has access to any financial information you have on there, any applications he can get you to log in. He's going to try to trick you into getting money out of it. This is how this works. 

Dave Bittner: Right. 

Joe Carrigan: But what's interesting is this is a legitimate service that PayPal offers. I went in, and I Googled PayPal invoicing system. And the first result is, send and create an online invoice for free. And then down below, it says - one of the links in the little indented section - I was remarkably surprised. I was surprised, rather, that there was no ad that came up first from Google on this. It was just the PayPal link. It's the - one of the links below - it says, what is PayPal invoicing, and how does it work? So it's actually a short section of their FAQ. I'll read it all right now. Frequently asked questions - that's what FAQ means. 

Joe Carrigan: PayPal invoicing makes it simple to send professional customized invoices. PayPal emails your customer a link to the invoice, and you can supply a link in your own email. Your customer then views the invoice details and securely pays with a credit - debit card, PayPal or PayPal credit. Whichever payment method the customer chooses, you generally receive your money in minutes. You can also manage your invoices, all this other stuff. But it goes on. It says at the bottom, sending and managing invoices costs you nothing. You pay PayPal's standard processing fee only when you get paid online. So these bad guys have a permanent, free solution... 

Dave Bittner: Right. 

Joe Carrigan: ...To sending out invoices from a legitimate provider like PayPal. Now, in the Krebs article, PayPal has a statement. They say - it says, we have a zero-tolerance policy on our platform for attempted fraudulent activity, and our team works tirelessly to protect customers. We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and contact customer support directly - customer service, rather - directly if they suspect they are the target of a scam. So in other words, PayPal says, well, we took care of this one. 

Dave Bittner: (Laughter). 

Joe Carrigan: They have a zero-tolerance policy for fraud, which you would expect, right? 

Dave Bittner: Sure. 

Joe Carrigan: But they don't - it seems like they're not doing much here. These guys - this specific incident has been mitigated. They shut down the account - is what they did. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? I'm speculating, but that's what they did. These guys are going to go out and open another PayPal account... 

Dave Bittner: Well... 

Joe Carrigan: ...Because... 

Dave Bittner: But I - so that's an interesting aspect of it because as you describe this to me, I'm wondering. I wonder if they are making use of a stolen PayPal account because when you set up a PayPal account, you have to provide banking information. 

Joe Carrigan: That's true. 

Dave Bittner: Right? 

Joe Carrigan: Yep. 

Dave Bittner: So if they - you know, somehow they come upon - probably buy access... 

Joe Carrigan: Yep. 

Dave Bittner: ...To someone's stolen PayPal account and they - so they take - let's say I'm the scammer, and I take over your account. 

Joe Carrigan: Right. 

Dave Bittner: Right. And then I send an invoice out to somebody from you... 

Joe Carrigan: Yep. 

Dave Bittner: ...Right? - from your account. 

Joe Carrigan: Entirely possible. 

Dave Bittner: Yeah. And then the victim sends the $600 to your account. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: Well, actually, it doesn't work that way. But, I mean, that's not part of the scam. The scam is just - they want you to call the number. 

Dave Bittner: Oh, really? 

Joe Carrigan: So there's - yeah, there's a number on the invoice. It says, call us if you didn't order this. And their - the idea is that then you call them, and they - and you go - they go through the installing the remote administration tool onto your system. 

Dave Bittner: OK. I guess I was - the other thing that caught my attention was the fact that they referenced gift cards... 

Joe Carrigan: Right. 

Dave Bittner: ...In the description of the scam. 

Joe Carrigan: Yeah. They want you to think that you're being targeted by a different scam. 

Dave Bittner: Oh, you think? 

Joe Carrigan: Yeah. 

Dave Bittner: OK. 

Joe Carrigan: I think that's part of the attack... 

Dave Bittner: OK. 

Joe Carrigan: ...Is they're saying, oh - because everybody has heard about gift card scams, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Hey. Somebody just bought $600 for the gift cards for my PayPal account. Hi there. Check this out. Call this number right now. 

Dave Bittner: See, I thought that they were sort of priming the person so that if they started seeing a gift card transaction, that they would say, oh, they told me this might happen. 

Joe Carrigan: That is a good idea and a good observation. 

Dave Bittner: (Laughter). 

Joe Carrigan: But again, Dave, let's not help these guys. 

Dave Bittner: Yeah, right. Exactly. Interesting. 

Joe Carrigan: It's - but that's not what they're going for here. They're going for you to call. It's very similar to the one phone call I got where it was somebody allegedly from Amazon... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Saying that they had purchased an iPhone and I hadn't. 

Dave Bittner: All right. Well, I mean, what's the warning here? What's the protection? I mean, if you - I guess... 

Joe Carrigan: Aware that this is an ongoing scam, that there's a lot of this going around. Every invoicing service out there that's legitimate and can't really be blocked because you can't block PayPal from sending you emails, you don't want to do that because... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Especially if you use PayPal or if you do business with somebody who uses PayPal. I mean, there is all - you really - this is something you can't really block. Just be aware of it and know that it's a scam out there. If you see any email that says this has been charged to your account, please call this number, don't call the number. 

Joe Carrigan: Yeah. 

Joe Carrigan: Check with PayPal to see if there's any activity. 

Dave Bittner: Call PayPal. Don't call the number that's in the email. 

Joe Carrigan: Don't call the number that's in the email. Right. Call the number on PayPal's customer support site. 

Dave Bittner: Right. And don't call the number when you Google for PayPal phone number. 

Dave Bittner: (Laughter) Right. 

Dave Bittner: I mean, geez, so many hoops you got to jump through. 

Joe Carrigan: It is. 

Dave Bittner: Go to PayPal's actual website... 

Joe Carrigan: Right. 

Dave Bittner: ...And find the number and call customer service. And good luck to you, my friend. 

Joe Carrigan: Good luck, everybody. 

Dave Bittner: Yeah. Yeah. All right. Wow. Interesting. All right. Well, we will have a link to that story in the show notes, so do check that out. My story actually came to my attention, I first saw this on Twitter. And it linked to a story over from Sky News written by Alexander Martin. And it's titled "Criminals Posting Counterfeit Microsoft Products to Get Access to Victim's Computers." Now, since Sky News is from our friends across the pond, when they say posting, they don't mean posting online, they mean sending through the post. 

Joe Carrigan: Right. 

Dave Bittner: So mailing, right, for those of us on this side of the pond, for those of us who speak American English, not the Queen's English. 

Joe Carrigan: The good English. I kid everybody in England. 

Dave Bittner: I think this is kind of fascinating. So the - this was drawn to someone's attention because the person who reported this was a gentleman named Martin Pitman, who is a cybersecurity consultant. And his mother called him because she was at a friend's house, and the friend had received a package in the mail that looks like a Microsoft Office Professional package. 

Joe Carrigan: I'm looking at it right now, and this looks exactly like a Microsoft Office Professional package. 

Dave Bittner: Right. So imagine this is a box that you would buy in a retail store, has the Microsoft logo. Everything looks legit. And when you open it up, inside, there is a USB stick, little memory stick, which is also - I was going to say embroidered. That's not right. 

Joe Carrigan: Embossed. 

Dave Bittner: Embossed. Thank you very much. Yeah. It would take a long time to embroider (laughter) one of these sticks. Yeah, it is embossed with the Microsoft Office logo, so that looks legit. And what happens is when you put this in your computer... 

Joe Carrigan: There's even a product key. This looks very much like an Office product, like a Microsoft product. This is exactly what my Windows install media looks like. 

Dave Bittner: Yeah. And who knows? It may be. They, you know, maybe they found this in the recycling bin. You know, someone had installed it, thrown it away, you know, who knows? Or they might have paid to have it made. No way to know from this article. But what happens if you plug this in, immediately, you get a pop-up on your screen that says that - congratulations, you have a virus. And they say, to fix the issue, call this toll-free number... 

Joe Carrigan: OK. 

Dave Bittner: ...To get the computer up and running again. And when you call the number, there is a helpdesk who installs some sort of TeamViewer. 

Joe Carrigan: Right. 

Dave Bittner: And they take control of the victim's computer. 

Joe Carrigan: This is very similar to the story I just talked about. 

Dave Bittner: They sort out the problem. They pass you over to the Office 365 subscription team. 

Joe Carrigan: Right. No, you have to put air quotes around that, Dave, because it's actually not... 

Dave Bittner: Actually not them. That's right. And that's the scam. What is remarkable about this is that they went to the time, trouble and expense to send a physical package to someone with this, you know, this whole virus-generating scam. 

Joe Carrigan: I would like to get a copy of this. If anybody has one and wants to send it to me, let me know. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: I'd like to take a look at it. 

Dave Bittner: They seem to be sending these out to the elderly, which I suppose is not surprising. They, of course, they checked with Microsoft, and Microsoft said, yeah, this is counterfeit. This is not us. We won't - we will not send you unsolicited packages. We will not contact you out of the blue for any reason. Microsoft does have an online reporting tool if you want to, you know, send this or let them know so they can help track it, try to track it down. 

Joe Carrigan: Right. 

Dave Bittner: But I guess the remarkable part to me is just that they went to the expense to do this. 

Joe Carrigan: Yeah. 

Dave Bittner: Obviously, if you get something sent to you in the mail, don't plug it into your computer. 

Joe Carrigan: Right. That's one of the things Brian Krebs talks about or one of his golden rules. If you didn't ask for it, you don't install it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? What's interesting here is this is not how Microsoft does Office anymore. This is how they do Windows, because you can't - you know, Windows is the operating system. And if you are building a new computer, you can't just go out and download Windows and install it on your system. I mean, maybe there's a way to do that. I mean, I guess there is probably a way to do that. 

Dave Bittner: Yeah. 

Joe Carrigan: But you may not have that capability because you may only have one computer in your house, right? You know, most people aren't like me with six computers in my office, right (laughter)? 

Dave Bittner: Right. Right. 

Joe Carrigan: So they make this media available for operating system installs. 

Dave Bittner: Yeah. 

Joe Carrigan: But when you put - when you get office now, you don't actually get a product. You get Office 365, which is a subscription service. And, you know, I think it's reasonably priced. It costs you $100 a year for you to have, you know, Home & Student is what it's - what the entry level costs. It also comes with a terabyte of cloud storage... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For all the users, which is great, I think. I think it's good value. I'm a little bit of a - I guess I'm gushing here on Microsoft. 

Dave Bittner: (Laughter). 

Joe Carrigan: But you don't get media. You just - you go to Microsoft's website. And you say, go ahead and install the Office products I'm licensed for, and it does it. 

Dave Bittner: Yeah. 

Joe Carrigan: And it works very well. 

Dave Bittner: Well, and I wonder if, you know, that's part of why they're targeting older folks with this... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Because they're more - they're used to going to the store and buying a box. And, you know, that's a comfort - there's a comfort level there for them, perhaps. 

Joe Carrigan: Yeah. When I would - yeah, you buy a software box. I mean, I still - it took me a while to get used to this model. It happened with Steam first - right? - where you never got an install media for the game. And initially I was like, I don't like this. 

Dave Bittner: Right (laughter). 

Joe Carrigan: I really don't like this. But... 

Dave Bittner: Right. You like the comfort of having that box on the shelf. 

Joe Carrigan: Yeah, I got my orange box. I was looking at my orange box yesterday, which is the old Half-Life game. But... 

Dave Bittner: OK. 

Joe Carrigan: But when I bought that game, I actually had to sign up for Steam and register it. And I have never since purchased - for probably 10 years, I have never touched that media inside. I just download it and install it now. 

Dave Bittner: Yeah. 

Joe Carrigan: I've become accustomed to that business model... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Of online software delivery. 

Dave Bittner: Yeah. Well - and that's the way of things. 

Joe Carrigan: Yeah, it is. 

Dave Bittner: And that's how it is, so it makes sense. 

Joe Carrigan: So everybody be aware - Office does not come this way anymore. 

Dave Bittner: Right. Right. All right. Well, we will have a link to that story in the show notes as well. Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from William, who writes, I'm seeing a number of these kind of emails that claim to have already charged my account for some service. They often do not explain what the service is and come from an email address that seems completely unrelated. I assume, in this case, they want me to call so the scam can begin. So Dave, you want to take a look at this? Comes from - it comes from Summer, Dave. 

Dave Bittner: Summer (laughter). 

Joe Carrigan: Summer... 

Dave Bittner: Yes. 

Joe Carrigan: ...Who has an email that's a Gmail address with some name and then a random bunch of numbers after it, looks like a zip code almost here in the U.S. 

Dave Bittner: OK. 

Joe Carrigan: Go ahead. 

Dave Bittner: Summer writes, membership renewal notice. Thank you for your order. Your annual subscription plan is renewed. And the services are resumed again. Your device protection and network security shield is reactivated. The automatic recurring fee of $379.98 is charged from account credits. The annual recurring charge will be debited every year from the nominated payment method unless cancelled, as your auto debit service is still active. To avoid future payments or stop auto debit charges or need assistance related to this charge, kindly get in touch with our accounts team within two business days. Contact customer care support at this 800 number. You have a good day ahead. Maria Garcia, consumer handling and accounts team. 

Joe Carrigan: So Maria Garcia, not Summer. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Canceled is misspelled. That's kind of good. 

Dave Bittner: Yeah. 

Joe Carrigan: One of the things I like about this one, it's a good example of the artificial time horizon, you know, the artificial time constraint... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That is frequent in social engineering attacks. That should be a big red flag. Whenever you hear somebody tell you you need to act before a certain time... 

Dave Bittner: Right. 

Joe Carrigan: ...And that time is short... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You should be - OK, let's slow down here. Slow down. 

Dave Bittner: Yeah, you got two days. 

Joe Carrigan: Yeah, it's a good catch. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a good catch. 

Dave Bittner: Yeah. 

Joe Carrigan: Thank you, William. 

Dave Bittner: All right. Well, we would love to hear from you. If you have something you'd like us to consider, you can email us. It's hackinghumans@thecyberwire.com. All right. Joe, it's always a pleasure to welcome Carole Theriault back to the show. And this week, she is having a conversation with Chuck Everette from Deep Instinct. And they are talking about the benefits of public-private partnerships. Here's Carole Theriault. 

Carole Theriault: It seems that the need for public-private partnership to combat cyberattacks has never been more urgent. In a recent New York Times article, it said that even if American intelligence agencies picked up on the kind of crippling cyberattacks we've been seeing in the Ukraine, they do not have the infrastructure to move that fast to block them. So I've invited Deep Instinct's Chuck Everette to talk to us about this topic. He's the director of cybersecurity advocacy at Deep Instinct. Welcome, Chuck. 

Chuck Everette: Thank you for inviting me. 

Carole Theriault: Are we seeing a growing number of public and private partnerships out there? 

Chuck Everette: There hasn't been as much growth as we'd like, but definitely there have been some good trends along those lines. Project LadyBird was a great example, that of where joint law enforcement from seven different agencies as well as some private security researchers came together to bring down the Emotet botnet. That was kind of like the crown. But there's been other sporadic here and there. But private threat researchers are definitely helping and giving that leg up to government agencies where they need it. 

Carole Theriault: So what does the private sector have that the public sector needs? 

Chuck Everette: Real-time analysis of what - the threats that are coming in because a lot of times we're seeing - behind the scenes, we talk amongst each other because a lot of it, we don't want the - getting out to the public. The companies that we work for, high-profile companies that employ our services, don't want it getting out to the public, but yet we need to get that out to the masses. And by providing that to the government and helping them and showing them what trends are going on and things behind the scenes, but a lot of times that - don't make it to the higher levels of the government as fast as possible because there's so much red tape. 

Carole Theriault: So in other words, the private sector is designed on efficiency and effectiveness and building tools to service that, whereas that's a harder ask inside the public sector, I guess. 

Chuck Everette: Correct. You know, even rapid response for the government, they don't have that capability because it crosses several borders, and once it involves several countries, they have to kind of follow it. Threat researchers, we can kind of thread the needle and find out, OK, where is this actually coming from? What are the threats being developed at? Who's utilizing them? Is this nation-state sponsored and then got into the hands of criminal elements? Those type of things, we can thread that needle relatively faster than some of the agencies out there. Some of the agencies can, but the problem is they can't go public with it, and they can't go with it because of some of the means - they're inhibited by rules. Rules of engagement for government agencies are different than those of private threat researchers. 

Carole Theriault: So any private company out there who is starting to collaborate with the public sector needs to exercise, I don't know, patience, I guess, because obviously there are going to be hoops that the private sector will have to go through that will be new to the private sector. 

Chuck Everette: Correct, yeah. It's - sometimes it's very disconcerting because you find a threat. You see, OK, this is actually going on. They're actively targeting. And the private sector is able to respond a lot faster than sometimes some governments, than we'd like them to be. Not all governments are the same, but some of them - you know, it's like, who do you reach out to? Some governments don't have the maturity yet of how to combat this. And that's the problem, is that these cybercriminals know where to take up shop. They know where - you know, what governments don't have the infrastructure to track them. Or some governments just don't want to enforce. 

Carole Theriault: I guess there would be also some deep learning opportunities in these collaborations to see, for example - you know, learn new tricks and tips on how to handle things. 

Chuck Everette: Absolutely. Absolutely. And threat researchers, we do that amongst ourselves now, where we're constantly talking between each other, sharing what information we have 'cause everybody's got different pieces of the puzzle. 

Carole Theriault: Right. 

Chuck Everette: And then we're finding the government sometimes has more pieces of the puzzle, especially around state actions, which will help kind of pull that together. But the problem is getting to work and facilitate with them is difficult at times. They want that - you know, everything wrapped up and handed to them, but the problem - once it gets there, sometimes that information can be leaked out, and by then, the threat actors have moved on because they've gotten tipped off. So a lot of it is just - you got to really protect the data and act fast. 

Carole Theriault: Chuck Everette, director of cybersecurity advocacy at Deep Instinct. Thanks so much. This was Carole Theriault for "Hacking Humans." 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I said this recently, and I think it merits me saying this again. Government tends to be slow moving. In many cases, that's by design, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Like, actually, our legislative branch of government in the United States is designed - I think it was George Washington who said that the Senate is the tea dish on which the tea of legislation cools... 

Dave Bittner: (Laughter) Yes, yes. That's right. 

Joe Carrigan: ...Or something like that. 

Dave Bittner: Yeah, I've heard that. Yeah. 

Joe Carrigan: In other words, you know, the House is supposed to be fast reacting and the - you know, the panicky group of people that - we need a law that says this. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And the Senate's supposed to be the more thoughtful people that go, well, do we really need this law? 

Dave Bittner: Yeah. 

Joe Carrigan: That was the intention. But it was designed, actually, to be slow. 

Dave Bittner: Yeah. 

Joe Carrigan: Or to slow down the process. 

Dave Bittner: To be deliberative. 

Joe Carrigan: To be deliberative. Absolutely. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: And so it's not bad that government is slow moving. But one of the big issues with cybersecurity in the government is that in many cases it can't respond very quickly... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because of its very nature. 

Dave Bittner: Right. 

Joe Carrigan: Additionally... 

Dave Bittner: (Laughter) I'm just - I'm sorry. I don't mean to interrupt. 

Joe Carrigan: No, go ahead. 

Dave Bittner: But I just imagine, like - like, everybody, we're under attack. You know, the cyber - the computers are all being DDoS'd. There's viruses coming in left and right. Well, we're going to have to put it out to bid. 

Joe Carrigan: Right. 

Joe Carrigan: Somebody's got to fill out this form in triplicate. 

Dave Bittner: Right. Right. Exactly. Yeah. Sorry. 

Joe Carrigan: Exactly. That's apt. That fits right in here. 

Joe Carrigan: Yeah. 

Dave Bittner: Additionally, traditionally, government positions don't pay as well as private sector positions. 

Joe Carrigan: Right. They kind of lag behind a little bit. The jobs are more secure. You have less fear of a layoff when you're working for the government. 

Dave Bittner: Yeah, usually good benefits, too. 

Joe Carrigan: Usually very good benefits. That's right. But hiring people is hard because in cybersecurity, there's this skills gap that we keep hearing about. And companies are willing to pay more. So that's where the cybersecurity professionals go. 

Dave Bittner: Right. 

Joe Carrigan: Because they're willing to pay substantially more than government can afford. 

Dave Bittner: Yeah. 

Joe Carrigan: If you really want to see something interesting, go to a local government website and look at what they pay network administrators and the requirements for the position. I don't know how they even hire some of these people. I was looking at Baltimore City's hiring or open positions a couple of years ago and was shocked at how little they were paying. 

Dave Bittner: Yeah. 

Joe Carrigan: So I don't know if that - I mean, that's part of the problem, I should say. 

Dave Bittner: Yeah. Well, and I think also it leads to a lot of turnover because folks who take those jobs, I think quite often, are looking at it as some sort of steppingstone. 

Dave Bittner: Absolutely. 

Dave Bittner: You know, it's a great place to learn. But if you're in charge of - if you're the step above that person - and you're going to have to deal with the reality that chances are you're going to have a lot of turnover. 

Joe Carrigan: That's 100% correct. That was a problem that my father used to complain about when he was working. They used an Oracle database system. And they would take somebody from their company and train them - from their organization, wasn't a company - but they trained them. And the person would get really good at Oracle, and then they'd get hired away for like double their salary... 

Dave Bittner: Right. 

Joe Carrigan: ...Sometimes by Oracle. 

Dave Bittner: Right. 

Joe Carrigan: So I would listen to my father grumble about how much he doesn't like Larry Ellison. But there's plenty of other reasons not to... 

Dave Bittner: So grumbling is a family tradition (laughter). 

Joe Carrigan: It is. It is, Dave. It's a family. 

Dave Bittner: Good to know. 

Joe Carrigan: The parts of the government that can move quickly and make the associations then generally can't turn around and tell everybody what they found, right? And I'm sure that many of our listeners from this area know exactly what Chuck is talking about here, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: Hey, that's classified information now. 

Dave Bittner: Yeah. 

Joe Carrigan: So we can't just give that out. So these - in these partnerships, the flow of information is probably going to be one way because of that, right? So you think about that. These public - or these private sector companies go, hey, Mr. Government Guy, we've got this information here about this emerging threat. And the government guy goes, interesting. 

Dave Bittner: (Laughter). 

Joe Carrigan: Thank you. 

Dave Bittner: Yeah. 

Joe Carrigan: They say, what else you got? We can't tell you what else we have. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's OK, too, but it's just got to be the way it is, right? 

Dave Bittner: Yeah, although I will say that I think it's been remarkable recently when you look at, you know, organizations like CISA. 

Joe Carrigan: No, CISA does a good job. 

Dave Bittner: Jen Easterly, you know, taking the lead there. And they are all-in on these public-private partnerships, recognizing that... 

Joe Carrigan: Right. They're also all-in on making sure that the information gets disseminated quickly. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Which is great. 

Dave Bittner: Yeah. 

Joe Carrigan: Other organizations like the NSA, the National Security Agency, cannot do that, right? 

Dave Bittner: No, they can't. But I will add that I have witnessed personally in the past few years just what a turnaround they've had in terms of outreach, public relations, you know, just like wanting to be in touch with organizations like us at the CyberWire to help spread information and help open those lines of communications. 

Joe Carrigan: They have done that. 

Dave Bittner: The days of no such agency are kind of behind them. 

Joe Carrigan: Long gone. Yeah, everybody knows that they're there now. 

Dave Bittner: Right. 

Joe Carrigan: But they still can't - there's a lot of information they still can't give out. 

Dave Bittner: Sure. 

Joe Carrigan: Right. But what they can give out, they do a good job of disseminating. I will say that about the NSA. They've actually moved a little bit towards being a national security agency. They're not really just part of the Department of Defense. I mean, they are part of Department of Defense, but they're doing more for the rest of the country as well, not just defense. 

Dave Bittner: Yeah. 

Joe Carrigan: These rules are different for the government. And, you know, that's kind of what we're talking about here, prime example. You know, when I was working as a government contractor, especially when I was new in the field, I found a lot of those rules frustrating. Like, why can't we just do this? 

Dave Bittner: Right. 

Joe Carrigan: Right? No, you can't do that. And there's reasons for it because you're talking about taxpayer money, and that needs to be accounted for and monitored. So when you say we have to put this out for a bid and you joke about that, you know, there's a reason we have to put it out for a bid so that - we hope that - or the hope is that there's not some government guy with a good buddy on the outside going, yeah, yeah, I'm coming. I'm going to make a bid on this, and you're just going to get this by this service. You don't want that, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So I think it was a - I really enjoyed this interview, hearing from Chuck. I thought it was very interesting to hear these things. And, of course, it's always great to have Carole on the show. 

Dave Bittner: Yeah, absolutely. All right. Well, again, we do thank Carole Theriault for bringing us this interesting interview with Chuck Everette from Deep Instinct. We appreciate both of them taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.