Hacking Humans 11.3.22
Ep 219 | 11.3.22

Protecting your identity.

Transcript

Dave Bittner: Hello, everyone. This is Dave Bittner, co-founder and host of CyberWire. Before we get started today, I have an exciting announcement. CyberWire is growing. We're thrilled to announce that CyberWire and CyberVista, an industry leader in data-driven cybersecurity training, are joining forces to form parent company N2K Networks, the world's first news-to-knowledge network. One of the insights we gained about our business since we launched back in 2016 is that you aren't just listening to CyberWire to keep up on the latest news; you're listening to learn.

Dave Bittner: And over time, you've told us that we've become a critical part of your professional lives, a tool that helps you do your job better. That's news to knowledge, and we're excited to lean in on this idea and do more than ever before. So CyberWire and CyberVista are coming together to connect news to knowledge - one continuous spectrum of situational awareness and learning. 

Dave Bittner: The union creates powerful new opportunities for professionals to keep abreast of the latest developments in their industry, climb the knowledge curve quickly and stay ahead in a rapidly changing world. As always, you can continue to count on us at CyberWire to deliver the world-class content you rely on. It's only getting better from here. And if you're new to CyberWire, welcome. Be sure to check out our other shows and partner content. We have more than 20 different shows on our network, and there's something here for everyone. You can find them all on our website, cyberwire.com/podcasts. Thank you for being a valued member of our CyberWire community. And now, back to your regularly scheduled programming. 

Jameeka Green Aaron: Users are not the weakest link in the chain. They can be the first line of defense. And so when we look at user-layer defenses, we're looking at how do we help the users protect themselves? 

Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Jameeka Green Aaron - she is CISO at Auth0, and we're discussing their State of Security identity report. 

Dave Bittner: All right, Joe, before we jump in to our stories this week, we have a number of little items of follow-up. 

Joe Carrigan: Yes, we do. 

Dave Bittner: Got some big news (laughter). 

Joe Carrigan: Go with the first one, Dave? 

Dave Bittner: Well, just real quick, if you're a follower of the CyberWire, you likely saw that we had some big news here at CyberWire. We have merged with another company called CyberVista. CyberVista is a cyber training and education firm. And so we have merged with them and formed a new parent company called N2K Networks. And what does that mean for you as a CyberWire listener? Not much. 

Joe Carrigan: Right. 

Dave Bittner: This show... 

Joe Carrigan: Probably still get the same feed. 

Dave Bittner: Same feed, same shows, all that sort of thing. What it means for us is that there's a lot of potential for growth for us - new shows, new types of shows, and then also, more educational components to our shows as we take advantage of all of the skills and opportunities that the folks at CyberVista bring to the table. So... 

Joe Carrigan: No comedy shows, Dave? 

Dave Bittner: Who - don't rule it out. You... 

Joe Carrigan: OK. 

Dave Bittner: ...Never know. Never know. But we're very excited about it here. It's something that's been in the works for several months. Folks have been working really hard behind the scenes, so looking forward to what the future brings. What other follow-up do we have here, Joe? 

Joe Carrigan: Dave, we have a letter from Richard who writes, hi, Dave and Joe, I just wanted to follow up with your discussion on the phishing kit targeting WordPress sites from Episode 216. Unless you absolutely need a fully fledged content management system with a database, you are much better off using a static site generator such as Hugo if you want a set-it-and-forget-it site these days. These essentially generate your site locally, spit out some HTML, usually with some CSS and JS thrown in - that's cascading style sheets and JavaScript - that you can then serve from a simple web server. No databases, no PHP, just static files, much harder to do anything malicious and much easier to maintain. A nice discussion of their merits versus something like WordPress can be found in Episode 128 of the "Reality 2.0" podcast... 

Dave Bittner: OK. 

Joe Carrigan: ...Which is - I have not listened to that podcast. So that's Richard's recommendation. Richard goes on to say, as a data science guy, my new favorite static website and document generation tool is called Quarto from RStudios. Now, Dave, I'm going to tell you, I agree 100% with Richard here on this. There was a project I was involved with at Hopkins where we were going to - we disseminate on this project, it's still active. I'm not involved with it anymore, but I did help start it. But one of the key - we talk about cryptographic implementation. 

Dave Bittner: OK. 

Joe Carrigan: This site's called cryptodoneright.org. And that site is produced as static web pages. And the content is - the content management system we use on the back end is GitHub. 

Dave Bittner: OK. 

Joe Carrigan: So we just put the content up on GitHub. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a private repository. 

Dave Bittner: Right. 

Joe Carrigan: There are people that have permissions to edit it because we really want to control the information about the proper implementation, about the cryptographic algorithms. We don't want bad information getting out. 

Dave Bittner: Sure. 

Joe Carrigan: So we use a tool. I can't remember which one it is, but it does just exactly what Richard is describing. We generate static web pages. There's no active content on this at all. It is just static pages and a web server. 

Dave Bittner: Interesting. Well, I am going to send this information over to my wife, who is a web developer and actually does a lot of work in WordPress, so this is good information for her to know. She may already know about this. I don't know, but I'm going to ask her. And thank you, Richard, for sending it over. Interesting information for sure. 

Dave Bittner: We got some more follow-up from a Twitter user. I don't know how to pronounce his name. It's O-U-S-A-K - Ousak. Ousak. Don't know. Ousak. OK. He wrote in and said in the last episode of "Hacking Humans," you spoke about people getting caught or not for having multiple full-time jobs at the same time. Equifax, who run credit reports, turned on their employees for doing just that. 

Joe Carrigan: (Laughter). 

Dave Bittner: He said credit reporting agency Equifax has turned its own employee record-tracking tool on its own employees. Twenty-four remote workers have been fired for secretly holding down a second job in addition to their work for Equifax. 

Joe Carrigan: Yeah, I have ethical concerns with that. 

Dave Bittner: With which part? 

Joe Carrigan: The - I mean, well, I guess - first off, with which part? Well, OK, multiple parts here. First off, is Equifax gathering this kind of information about employment records for people? 

Dave Bittner: I don't know. 

Joe Carrigan: What is this tool that they're talking about? 

Dave Bittner: I don't know. I mean, I guess it's an open-source kind of thing where, you know, you can look through people's LinkedIn or who knows. But I don't know what kinds of tools Equifax has at their disposal. I mean, I will say there are some remarkably powerful open-source intelligence gathering tools out there. 

Joe Carrigan: Yeah. 

Dave Bittner: I've seen - there's a tool that we use just for - it's like a - what do you call it? It's like a Rolodex, you know, like a digital Rolodex kind of thing. 

Joe Carrigan: Right. 

Dave Bittner: But it goes out and scrapes everything. 

Joe Carrigan: (Laughter). 

Dave Bittner: Like, you put somebody's name in there, and it goes and it finds their LinkedIn, it finds their Twitter, it finds their Facebook. I mean, and it just populates their, you know, their entry in this digital Rolodex thing with everything it can find about them. So that's table stakes these days, right? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Right? So... 

Joe Carrigan: I guess I don't have an ethical problem with Equifax doing this if they told their employees this was a possibility of that happening. 

Dave Bittner: Yeah. 

Joe Carrigan: Although I don't know that I have a problem with Equifax - I don't know. I'm kind of conflicted about this. I mean, because the expectation is you're going to be putting in a full-time job - a full-time day every day, right? 

Dave Bittner: Right, right. 

Joe Carrigan: So I don't know how I feel. I'm a little bit conflicted here, Dave. 

Dave Bittner: Yeah. I mean, I - part of me thinks that if you're doing a good job and you're doing... 

Joe Carrigan: Right. 

Dave Bittner: ...Everything that's asked of you, then why do they care with - what you do with the rest of your life? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's really my main concern. 

Dave Bittner: Yeah. But if it's a problem - and I suppose that you could make - there is absolutely a case to be made that if you're holding down two full-time jobs, that you're not going to have the energy or the time to devote to either of them to the degree you would if you were only holding down one. 

Joe Carrigan: Right. 

Dave Bittner: But some people may be totally capable of that. 

Joe Carrigan: Sure. 

Dave Bittner: So I don't know. 

Joe Carrigan: It's entirely possible. 

Dave Bittner: Yeah. Yeah. All right. Well, thanks to everyone for sending in this follow-up. We would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump in to our stories this week. I'm going to kick things off for us this time. I have a story from the folks over at Malwarebytes. This is from their labs folks. This is a blog post that was authored by Jerome Segura. And this is about some typosquatting campaigns that the folks at Malwarebytes have been tracking. So real quick, typosquatting - you want to give us a little explanation here of what we're talking about? 

Joe Carrigan: Dave, I have the absolute perfect example of typosquatting. 

Dave Bittner: OK. 

Joe Carrigan: Before Facebook, there was a website called highschoolalumni.com. 

Dave Bittner: All right. 

Joe Carrigan: And if you look at your keyboard, the U and the I are very, very close to each other. 

Dave Bittner: Yes. 

Joe Carrigan: And I was showing my boss at work one day this website, and I said, hey, Steve, come look at this. And he goes, what's this? I said, it's called highschoolalumni.com. And I go to my keyboard, and I type in highschoolalimni.com. 

Dave Bittner: Oh. 

Joe Carrigan: Right? And all of the sudden the screen goes black and then porn pop-ups everywhere. 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: Right? 

Dave Bittner: Yes. 

Joe Carrigan: And my boss is standing over my shoulder. 

Dave Bittner: (Laughter). 

Joe Carrigan: And he goes, that's a cool website, Joe. I'm like, oh, my God, what did I just do? 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: He turned around and walked away laughing. He... 

Dave Bittner: That was my last day at that job. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Yes, yes, yes. 

Joe Carrigan: That is an example of typosquatting. So the idea was that they were looking for people who were trying to go to highschoolalumni.com who were going to hit the I instead of the U. 

Dave Bittner: I learned the hard way in front of a client once... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That if you leave out the Y in YouTube, a similar thing happens. 

Joe Carrigan: Really? 

Dave Bittner: Yes. Yes. It was quite explicit. So this blog post from the folks at Malwarebytes has a list of some of the real examples that they were tracking. So there's some examples here, like realtor.com - the typosquatted website was realtoe.com. Amazon.co.uk, they had amazon.uk.com... 

Joe Carrigan: I see. 

Dave Bittner: ...Right? Politico.com, there was poliitco.com. They - there's an extra I. They swapped the T and the I in the middle there. So exactly to your point. I mean, at first glance, these look like the real thing... 

Joe Carrigan: Right. 

Dave Bittner: ...But they're not. 

Joe Carrigan: Right. 

Dave Bittner: So what is going on here is that if you accidentally go to one of these websites, the way that this particular campaign works is you immediately - your web traffic gets bid out - right? - much in the same way that advertisers bid for placing an ad in front of you online. 

Joe Carrigan: I see. 

Dave Bittner: It's like this real-time bidding kind of thing. 

Joe Carrigan: So they're doing that, and they're redirecting you to whoever pays them the most. 

Dave Bittner: That's right. That's right. So there's a bunch of ad networks. You accidentally type in the wrong name. There's a bunch of ad networks that get to bid on you. And in this case, some of the folks bidding are malicious actors. And then they redirect you to a domain controlled by the malicious actor. And this is malvertising. They have profiling here to ignore bots and VPNs, and they refer to it as unwanted geolocation. So typically, that's - for example, like, Russian threat actors don't go after people who geolocate in Russia... 

Joe Carrigan: Correct. 

Dave Bittner: ...Generally. 

Joe Carrigan: Correct. Or any Russian-speaking country. 

Dave Bittner: Right. So typically, then you're sent to a temporary webpage that's using Amazon's AWS, and then that pops up a fake alert. And we've all seen these alerts. 

Joe Carrigan: Yep. 

Dave Bittner: Your computer is infected, right? 

Joe Carrigan: Right. 

Dave Bittner: You have two minutes before your device bursts into flames. 

Joe Carrigan: (Laughter) Stand back. 

Dave Bittner: (Laughter) Right. Exactly. And that's basically the scam. So you get a pop-up. It may actually go to a webpage that looks like the page that you were - you meant to go to. But then this pop-up pops up on top of it that says, alert. Your computer's infected. You know, please come here to pay us a low, low fee of $50, and we will help... 

Joe Carrigan: Probably much more than $50. 

Dave Bittner: ...You from getting infected. Yeah. Yeah. So, I mean, it's pretty straightforward here. They do talk about a few of the ways that you can protect yourself. Of course, be vigilant about typing in sites. They say if they're sites that you visit frequently, bookmark them. 

Joe Carrigan: Yeah. 

Dave Bittner: So you bookmark them so you don't have to type them in. 

Joe Carrigan: Correct. 

Dave Bittner: They talk about - there are some ad protection browser plug-ins that will automatically keep you from going to some of these ad-bidding types of sites. So they... 

Joe Carrigan: Right. 

Dave Bittner: ...Can get in front of it and say, do you really mean to go up - to go to this place? You know, don't do that. 

Joe Carrigan: Yes. A security plug-in would go a long way here. 

Dave Bittner: Yeah. And then they say don't panic, which is always... 

Joe Carrigan: Right. 

Dave Bittner: ...Good advice (laughter). 

Joe Carrigan: Yeah, remain calm. 

Dave Bittner: They say the scary pop-up is not going to harm your computer. Just close it. Ignore it... 

Joe Carrigan: And move on. 

Dave Bittner: ...Move on. 

Joe Carrigan: Try to retype the address again. 

Dave Bittner: Right, right. Exactly. 

Joe Carrigan: That's really the key thing. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, these pop-ups from websites rely on user ignorance of how computers work. 

Dave Bittner: Right. 

Joe Carrigan: You know, one of these - one of the things that is contributing to a lot of the social engineering attacks is people don't understand how computers work. They just use them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? And so if somebody tells them - somebody who sounds like they know something about computers tells them - I'll give you an example of this. There was a - this is an anecdote I heard years ago where somebody was building computers for somebody, and they had a network interface card on the back of it. 

Dave Bittner: OK. 

Joe Carrigan: And the person who bought the computer didn't know what it was and was, like, really belligerent and complaining about it. 

Dave Bittner: OK. 

Joe Carrigan: And this was back in the days of BNC connections, right? Do you... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Remember BNC connections? So it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Was like a coax connection. 

Dave Bittner: Yeah. 

Joe Carrigan: So the guy goes, oh, yeah, I see what's happening here. And he goes, and he gets the - gets a little piece of BNC cable with a connector on it... 

Dave Bittner: Right. 

Joe Carrigan: ...Cuts the end of it off and puts it on there and goes, there you go. That's - your bit drain was not configured properly, right? 

Dave Bittner: OK. 

Joe Carrigan: It's - this computer was not - this is in the days before people had home networks, right? So... 

Dave Bittner: Yeah. 

Joe Carrigan: ...When they built computers, they just put the network interface cards in them. 

Dave Bittner: Oh, I see. 

Joe Carrigan: But rather than taking it out and actually taking something from the customer that the customer owned, which is what the customer was saying that could have been an option, the guy just said, nope, that's your bit drain. Any excess bits go there, and they fall on your floor. You won't even see them. They're very, very small. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: And the person said, thank you very much and walked out with the computer. 

Dave Bittner: Right. 

Joe Carrigan: Complaint answered. 

Dave Bittner: Yeah. 

Joe Carrigan: But this is a malicious implementation of that kind of thing, of, you know, you don't understand how the computer works. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. And they're getting pretty good at it, too. I mean, I remember in the early days of this, you know, I would be on some kind of, you know, Macintosh or even in the days of iOS, and something would pop up with a Windows logo and say, you know, like, Windows Defender... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...And I'd go, you're barking up the wrong tree here, but... 

Joe Carrigan: Yeah, probably not. 

Dave Bittner: Yeah. But lately, when they do pop up and you do see them from time to time - they'll have some kind of logo or, you know, iconography from the proper operating system... 

Joe Carrigan: Right. 

Dave Bittner: ...'Cause, of course, it's not hard for them to... 

Joe Carrigan: No. 

Dave Bittner: ...Query and... 

Joe Carrigan: Your browser tells you - tells the website what operating system you're on. 

Dave Bittner: Yeah. 

Joe Carrigan: They can use that to switch. Generally, it's for delivering content that may be specific to the computer. You know, there may be - this - that's an old thinking - right? - that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...It renders differently in different browsers. It generally doesn't anymore, especially with HTML5... 

Dave Bittner: Yeah. 

Joe Carrigan: ...But they still send the browser string. 

Dave Bittner: Yep. Yep. All right. Well, that is my story this week. We'll, of course, have a link to that in the show notes. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Christian Martinez, who is a staff writer at the L.A. Times. 

Dave Bittner: OK. 

Joe Carrigan: I have a question for you, Dave. Your dad was a realtor for a long time. 

Dave Bittner: He was, yes. 

Joe Carrigan: And I had a brief stint as a real estate agent/realtor when I was experiencing my failed sales career. 

Dave Bittner: Right. 

Joe Carrigan: Do you know what a short sale is? 

Dave Bittner: I am familiar with the term, but I - and I kind of know what it is, but I would not be able to explain it with a lot of confidence. 

Joe Carrigan: OK. So I can explain things even if I don't know them - know about them... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...With a lot of confidence. 

Dave Bittner: (Laughter) Right. Right... 

Joe Carrigan: But I actually do know... 

Dave Bittner: Right, you have... 

Joe Carrigan: ...What a short sale is. 

Dave Bittner: ...Male answer syndrome. 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: Exactly. 

Dave Bittner: Even if you don't know the answer to something... 

Joe Carrigan: I could just make it up. 

Dave Bittner: ...That doesn't stop you... 

Joe Carrigan: Right. 

Dave Bittner: ...From making it up and replying with great confidence. Proceed (laughter). 

Joe Carrigan: I one time made up a story about where the Reuben came from - the Reuben sandwich. 

Dave Bittner: Oh. 

Joe Carrigan: And I just made up a complete story, and I got it right. The only thing I didn't get right was the name, the actual name of the person 'cause I picked the name of somebody named Reuben from my childhood. 

Dave Bittner: Yeah. 

Joe Carrigan: And I used a different last name, but the guy's first name was Reuben. He was in Manhattan, and I even nailed the year of 1916 or something like that. 

Dave Bittner: Wow, OK. 

Joe Carrigan: I made it all up. 

Dave Bittner: Wow. But good... 

Joe Carrigan: So that did not help (laughter). 

Dave Bittner: ...Better to be lucky than good sometimes. 

Joe Carrigan: Right, exactly. 

Dave Bittner: All right. 

Joe Carrigan: But I do know what a short sale is. 

Dave Bittner: Yes. 

Joe Carrigan: And a short sale is when you own a house and the house has less equity than the mortgage on the house. So if you have bought a house at the peak of a market, and now the market has crashed, and also now you're in a situation where you need to get out of the house... 

Dave Bittner: Right. 

Joe Carrigan: ...You will have to go to your mortgage holder and say, I'm going to sell the house so you don't have to foreclose on it, but I'm going to sell it for less than I owe. And the mortgage company has to agree to this because what's happening is they're not being made whole by the payment of the mortgage. 

Dave Bittner: Right. 

Joe Carrigan: They understand they're going to take a loss on the mortgage. And the value of the house that they're going to sell it for is short of the value of the mortgage. It doesn't have all the money. 

Dave Bittner: Yeah. 

Joe Carrigan: That is a short sale. 

Dave Bittner: OK. 

Joe Carrigan: Well, this story is about a South Bay man who has accepted hundreds of offers on houses that really weren't even for sale. So there are two people, Adolfo Schoneke and his sister, Bianca Gonzalez. And what they would do is they would host open houses at homes that weren't even for sale... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...And they'd tell people, this is a short sale, right? So there's going to be some issues going through the process of selling this home... 

Dave Bittner: OK. 

Joe Carrigan: ...Because a short sale is never really a simple, you know, here - we're moving - we're buying this house from these people, and everything's going to be normal and fine. The process is - that process is streamlined. The short-sale process is by no definition streamlined. 

Dave Bittner: OK. 

Joe Carrigan: Everybody expects it to take much longer. 

Dave Bittner: OK. 

Joe Carrigan: So they were capitalizing on that. The homes were not even for sale. And it was a front scheme that resulted in the loss of $6 million from victims. And federal prosecutors have gone after these two. 

Dave Bittner: Let me just pause here for... 

Joe Carrigan: OK. 

Dave Bittner: ...A second. How does one execute an open house on a home that is not even for sale? I'm just imagining somebody holding an open house on my house (laughter) while I'm living in it. 

Joe Carrigan: So... 

Dave Bittner: So these must be - are they driving around looking for abandoned houses? Or, I guess abandoned isn't the right word... 

Joe Carrigan: Yeah, it's... 

Dave Bittner: ...But unoccupied homes. 

Joe Carrigan: It says, according to prosecutors, Schoneke and others found properties to list for sale, regardless of whether or not the owners intended to sale - sell, or not... 

Dave Bittner: OK. 

Joe Carrigan: ...And then listed them on real estate websites... 

Dave Bittner: Oh. 

Joe Carrigan: ...Marketing them as short-sale opportunities. So the owners may not have even known - maybe the owners were not there. 

Dave Bittner: Right. 

Joe Carrigan: Right. Maybe they find that there are tenants in there and they say, hey, the owner's selling this house. But, you know, your lease survives - all the, you know... 

Dave Bittner: Yeah. 

Joe Carrigan: ...There's all kinds of lies you can tell these people. 

Dave Bittner: Right. 

Joe Carrigan: But somehow they got access to it. 

Dave Bittner: OK. 

Joe Carrigan: And then they would put them up on real estate sites, never having a contract for sale, right? So there is - somebody in this system is some kind of realtor with access to some kind of MLS system. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: Once they had the - once they had this - the listing, they would tell people, all right, time to start making payments here on - you know, put down your earnest money deposit. And then they'd, you know, take that. Or they - there were even some people who paid full cash price for the house and put that into their - these scammers' custody. 

Dave Bittner: Wow. 

Joe Carrigan: And when they did that, the first thing they started doing was, OK, well, we're working with the bank. We're working with the bank. We're working with the bank. Years, years they would delay these things - up to a year, I guess. But another interesting thing is that they would - what they would do is they would direct office workers in their office to withdraw large amounts of cash from these escrow accounts. 

Joe Carrigan: They were in charge of the escrow accounts, which is wrong, right? These people should never be in charge of the escrow account. In fact, whenever you're buying a house, I know in Maryland, you, as the purchaser of the house, pick the escrow company, right? And the person selling the house never gets the opportunity to say, you're going to have to use this escrow company. 

Dave Bittner: Right. 

Joe Carrigan: That's illegal in Maryland. 

Dave Bittner: Right. OK. 

Joe Carrigan: Probably in all other 50 states because of exactly this reason, right? 

Dave Bittner: Yeah. 

Joe Carrigan: This is why it's not allowed. They would withdraw the money in cash - right? - so it immediately becomes untraceable. 

Dave Bittner: Right. 

Joe Carrigan: And they took $12 million from approximately 750 victims. Seven hundred and fifty people fell for this to the amount of 12 million. 

Dave Bittner: Wow. 

Joe Carrigan: And they only got back 6 million. So $6 million is gone from these guys. Now, Schoneke pled guilty in May and will now be a guest of the federal government for nine years for conspiracy to commit wire fraud and other charges. 

Dave Bittner: Wow. 

Joe Carrigan: So good that he got caught. So if you are looking to buy a house, here's my advice. I mean, there's all kinds of scams that happen around buying a house. Remember that that is no longer the sure and safe thing that it used to be. There are lots of opportunities to be scammed. And this is just another one. This is kind of on the front end of it. 

Joe Carrigan: If you are going to put money into an escrow account, you pick the escrow agent, under all circumstances. You make that a condition of your sale, even if it's not a law in your state. I'm going to select the escrow agent. If they say no, walk away. Walk away. Don't accept that. That's an unacceptable risk when you're doing anything, when you're buying anything with a large amount of money. No. 2, a short sale is attractive because people think they're getting a value out of something. 

Dave Bittner: Right. 

Joe Carrigan: I don't know that it's - that you're getting a value out of it. You're paying the market price of the house. It just so happens that the market price of the house is less than it was when the mortgage was written to the extent that the owner is what we say is upside-down on the house. 

Dave Bittner: Yeah. But they're also motivated to sell because they're in a stressful situation. 

Joe Carrigan: Right, but they're not selling below market value 'cause the bank will not have it. 

Dave Bittner: Right. Right. 

Joe Carrigan: There is a point at which the bank would rather foreclose and... 

Dave Bittner: Sell it themselves. 

Joe Carrigan: ...Sell it themselves. Exactly. That is always an option for the bank. So just be mindful of these two things. A short sale - when you see short sale, I've seen people go, oh, short sale. I'm like, don't get excited about that, you know? 

Dave Bittner: (Laughter). 

Joe Carrigan: All that means is that it's going to be a more complicated sale. There are plenty of other houses on the market that are not short sales that are going to be comparable... 

Dave Bittner: Right. 

Joe Carrigan: ...That are going to be easier to buy. 

Dave Bittner: Yeah. And this also reminds me that we've seen similar scams with rentals... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Where people will advertise a rental online, and then they'll say, you know, we need your deposit. And they'll even go to the point of sending people keys. 

Joe Carrigan: Right. 

Dave Bittner: And then they go to move into the place, and somebody else is living there... 

Joe Carrigan: Yeah. 

Dave Bittner: ...'Cause it was never on the market. So... 

Joe Carrigan: Right. It was - it's just completely fraudulent. 

Dave Bittner: Yeah. 

Joe Carrigan: But this is the same thing but with buying the house. So, Dave, I'm - let me ask you. If you're going to go for a rental deposit, which is just two months' rent, or you're going to go for selling a fake house that's not really up for sale... 

Dave Bittner: Yeah. 

Joe Carrigan: What are you going to sell? What are you going to do? I'm going to sell the fake house because that's going to get me tens or hundreds of thousands of dollars. The rental deposit - I'm only getting $5,000, right? So I'm going to get much more money scamming people out of buying a whole house... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because - actually, I'm not going to do that because I'm not really a bad guy. But that's the thinking. 

Dave Bittner: No, and - crooks. 

Joe Carrigan: Crooks. It makes you angry, doesn't it? 

Dave Bittner: (Laughter) It does. But I also think, like, so many of these things you could probably get away with if you just did it once, right? 

Joe Carrigan: Right. Right. 

Dave Bittner: But no, they have to go $12 million. 

Joe Carrigan: Right, 750 people. 

Dave Bittner: You know, they had a whole organization set up to do this. 

Joe Carrigan: Yeah. 

Dave Bittner: And the longer you do this, the greater your odds of being caught. And good for them for being caught and good for law enforcement. And I guess it just speaks to the mind of the criminal that they're motivated by - more motivated by greed than common sense or even the possibility of consequences, right? 

Joe Carrigan: Right. 

Dave Bittner: They're living in the moment (laughter). 

Joe Carrigan: Yeah. 

Dave Bittner: They're not thinking about what's to come. 

Joe Carrigan: They don't think about the future. 

Dave Bittner: No. 

Joe Carrigan: They don't have that dad gene that lets you see three seconds into the future at all times. 

Dave Bittner: (Laughter) Right, exactly. Exactly. All right. Well, interesting stuff. And again, we will have a link to that in the show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Our Catch of the Day comes from Chris, who says, hey y'all. I've been a listener for a few years, and I have never received a phish at home or work. I finally got hit with a phish attempt through my PayPal and not through email or text. Dave, do you have PayPal on your phone? 

Dave Bittner: I don't have a PayPal app on my phone, no. 

Joe Carrigan: Right. 

Dave Bittner: I mean, I use - I have used PayPal. But - I have an account. 

Joe Carrigan: I don't have the app on my phone either. 

Dave Bittner: No. 

Joe Carrigan: I use it on the website. That's how I do it, right? So I'm not familiar with this interface. But he said, I thought you might find this interesting. Thanks for the great show and looking forward to many more years. But, Dave, there's a picture of his phone, actually - of Chris' phone here - that shows you the message that he got on PayPal. 

Dave Bittner: OK. It goes like this. 

Dave Bittner: (Reading) The request for amount $500 is canceled. We've detected that your PayPal account has been accessed fraudulently. If you did not make this transaction, please call us at toll-free number to cancel and claim a refund. If this is not the case, you will be charged $500 zero today, within the automated deduction of the amount. This transaction will reflect on PayPal activity after 24 hours. Our service hours - 7 a.m. a.m. to 6 p.m. Pacific time, Monday through Friday. Transaction type - request received canceled. 

Joe Carrigan: So this is apparently a message you can send over PayPal. 

Dave Bittner: OK. 

Joe Carrigan: And it looks like it's a transaction that was canceled but has this text to come along with it to convince you that it is a message from PayPal and to get you to call that number. 

Dave Bittner: Oh. 

Joe Carrigan: And when you call that number, that's when the scamming begins. And they probably install some remote access software on your phone or maybe on your computer... 

Dave Bittner: Right. 

Joe Carrigan: ...And they go in, and they just take all your money out of all your accounts. 

Dave Bittner: And so the pressure point here is that you'll be charged $500 today. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Yep. That's the artificial time constraint. 

Dave Bittner: So how do we protect against this? I guess, first of all, obviously vigilance. 

Joe Carrigan: Right. And know how PayPal works. 

Dave Bittner: Right. 

Joe Carrigan: If you do receive one of these messages and you are concerned about it, call PayPal directly or work with PayPal directly by going through their customer service interface, whatever that may be. I'm not - I've never had to deal with PayPal's customer service before. 

Dave Bittner: Yeah. 

Joe Carrigan: So... 

Dave Bittner: It may not even exist. I don't know (laughter). 

Joe Carrigan: It may not. Right. 

Dave Bittner: It may be awesome. I don't know (laughter). 

Joe Carrigan: It's - I've never had an issue arise. 

Dave Bittner: Right. 

Joe Carrigan: But if you do have - if you do receive one of these and you're a little bit concerned, first off, you should know it's a scam. But if you don't know if it's a scam, do not call the number on the message. 

Dave Bittner: Well, and that's always a red flag, right? 

Joe Carrigan: Right. 

Dave Bittner: Whenever anybody tries to pull you off of the platform that you're on... 

Joe Carrigan: Right. 

Dave Bittner: ...Be it PayPal or TikTok or Facebook or whatever, that is... 

Joe Carrigan: Or a dating site. 

Dave Bittner: Or a dating site. Right. That is always a red flag. 

Joe Carrigan: Yep. 

Dave Bittner: Yep, yep. 

Joe Carrigan: Hundred percent agree. 

Dave Bittner: Yeah. I wonder, also, on PayPal, if you - if there's a tool in there to automatically reject messages from people who you don't already have a relationship with... 

Joe Carrigan: There may be. 

Dave Bittner: ...Or people who aren't in your address book, something like that 'cause that could be helpful for it, too. 

Joe Carrigan: There is a button on this picture that says report this person. And I hope that Chris just clicked that button right away. 

Dave Bittner: Yeah (laughter). All right. Well, that's a good one. Thanks to Chris for sending that in. And again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Jameeka Green Aaron. She is the CISO at a company called Auth0. And we were discussing their recent State of Security Identity Report. Here's my conversation with Jameeka Green Aaron. 

Jameeka Green Aaron: So I think this report - and this report actually predates my time at Auth0 - but it's my favorite report. And I actually read it before I joined the company because this report really takes what we learn as a customer identity company and turns those findings out into something useful for the customers that we work with. But, also, it's a really easy read. So even if you don't understand the technology of identity management, this report is something that really can help you, as an individual, understand, what are the best practices? What are we looking at to help protect your identity? - and how you can be a part of that. 

Jameeka Green Aaron: So I love this report. That's kind of how it started. It really is taking our insights data that we collect, threat intelligence that we collect and using it as a tool to help all of the community that really is focused on identity. 

Dave Bittner: Well, before we dig into some of the specifics in the report, can you just give us a little overview of, exactly what are we talking about when we say online identity? What does that encompass? 

Jameeka Green Aaron: Right. So customer identity is essentially, probably, the identity that gets closest to each and every human being every single day. When we say customer identity, it's the identity that you use to log in to gaming consoles, to access banking information, to access your social media. That is what we're talking about when we say customer identity. It's the identity that the customer sees outside of work that faces them every single day. And so that's our area of focus, and that's what we're really talking about here. 

Dave Bittner: Well, let's dig into the report together here. I mean, what are some of the highlights for you? What caught your eye? 

Jameeka Green Aaron: So I am always thinking about how technology impacts the human experience and how we can leverage technology to help us. I always say that technology is about people, and I think that this report really shows the ways in which people interact with identity. So high level, we're talking about the major science threats. And we break that down into what we are calling defense in depth, which is a multilayered approach to how you implement security. We hit three major topics. We talk about user-layer defenses, application-layer defenses and then also network-layer defenses. So stacking those together in your environment, that is what we're thinking is the best implementation to customer identity. 

Dave Bittner: Well, let's go through each of those one by one. I mean, what are some of the things that people should be aware of? 

Jameeka Green Aaron: So one of the things that I have really been interested in is some Gartner research around beyond awareness. And that is this idea that we have to kind of turn our - what we think about our users on its head. Users are not the weakest link in the chain. They can be the first line of defense. And so when we look at user-layer defenses, we're looking at, how do we help the users protect themselves? So multifactor authentication - you know, something you know, something you have, something you are - so having more than just a username and password. So what does that look like? 

Jameeka Green Aaron: Adding WebAuthn - one of my favorite frictionless technologies, for the most part, is biometrics. And that's enabled via WebAuthn. We're thinking about breached password protection. And how can we put information into the user's hands to really help them protect themselves and breached passwords? And a lot of the new password tools have the ability to notify users that, hey, your password's been breached. You should change it. And then also, identity proofing - so really leveraging the wealth of knowledge that we have, via social media and other methodologies, to really help us proof out a user's identity. 

Jameeka Green Aaron: And so I'll give you an example. I own Jameeka Aaron on linkedin.com. You could essentially say - use that as a method to identity proof me. Is this actually her login? Is it the same, you know, Gmail account that she uses? And so that's a method of us using identity proofing and pulling that together with our technologies to help identity proof a user and really say, yes, they own this identity, and this is them. So that's kind of the user-layer defenses. 

Dave Bittner: Well, that's really interesting. I mean, what about application-layer defenses? 

Jameeka Green Aaron: So when we think about application layers - and I think we all learn very early as technologies - technologists, we earn - you know, we learn, you know, our kind of - our seven layers. And so this works into that, into that scope of what those are. And so when we think about application-layer defenses, you often hear the term lateral movement. And that goes hand in hand with what we're calling impossible travel - so the inability of the threat actor to move across - to take that user's identity and move across your environment. So we're really thinking about that when we think about impossible travel. 

Jameeka Green Aaron: But we're also looking at other technologies that we can leverage to really improve our application-layer defenses. So rate limiting, looking at those suspicious spikes that come into two systems - in identity-facing systems, customer-facing systems - that help us to understand how we can use rate limiting to understand denial of service attacks, to understand credential stuffing attacks, so really implementing controls there. Also suspicious IP blocking - this is one of those kind of cat-and-mouse things where we're always looking at IP addresses to help us understand how we can leverage blocking to block suspicious IPs and really protect the consumer. 

Jameeka Green Aaron: And then finally, bot detection - bots are really becoming one of the biggest adversaries. They allow for the attackers to launch loads of attacks against consumer-facing systems, and so really looking at, how do we detect and fight those bots? And so those are kind of the application-layer defenses that we're talking about. 

Dave Bittner: Well, let's continue on with the third one, then, which is the network. What sort of things should people be on top of there? 

Jameeka Green Aaron: So network is, I think, probably the simplest of these. We're talking about our network-based controls, our web application, firewalls and then our continuous monitoring. And this is really where you start to look at, what are the tools that you have in place that really help you to protect your consumers and your infrastructure? Whether that's on prem, hybrid or in a cloud environment, those network-layer defenses really become critical. When we think about our web application firewalls and our ability to share information about what we're blocking, what we're allowing, that really is helpful. 

Jameeka Green Aaron: We're also talking about tweaking, continuously tweaking, to help - to create the kinds of systems that actually work. You know, there is no one size fits all when we think about network-layer defenses. And so continuous monitoring is where that comes in. I know for us, we have a detection and response team that's continually monitoring, looking at where we can leverage machine learning and intelligence to help us create the kind of observability that allows continuous monitoring to not just be something that we do as a human interaction, but really allows our systems to learn and to become intelligent with continuous monitoring. 

Dave Bittner: You know, it strikes me that securing our identities online has become such a fundamental part of everyone's day to day. Where do you suppose we're headed here? What does the future look like? 

Jameeka Green Aaron: I think the future is - and I see this future coming to fruition pretty quickly here. I think the future is both passwordless and loginless. I think those are things that we can look forward to in the near future. And with - and when we think about passwordless and loginless, it's not that it's not there. It's that it's something that is so easy to interact with - it's frictionless - that the users will adopt it. 

Jameeka Green Aaron: So when we think about passwordless - in many cases, we don't have to type in a password. We're using external authenticators, we're using password tools that actually implement the password for you. And so I think we're headed down that path where passwordless - using passwords becomes a thing of the past. And then when you think loginless, same kind of - same technology, I think, that's in play there where you do have a login, you just don't see it very often. 

Jameeka Green Aaron: And we see a lot of technologies that don't require logins anymore. When you think about social media, there's - the companies that run social media are some of the best adopters of passwordless and loginless. They're tying their applications together to authenticate against one another. They understand step-up authentication and multi-factor authentication. And so I think in those social media spaces, we see a lot of the future technologies coming to fruition already with passwordless and loginless. 

Dave Bittner: What about the adoption rates? I mean, are people getting on board, or is - how much resistance are you all seeing? We all know how much people like change. 

Jameeka Green Aaron: So here's the challenge of getting on board. I think if - every CIO and every CISO would get on board if they had the ability to do so quickly and friction - in a frictionless manner. That isn't possible. We still have lots of technical debt. We still have lots of on-prem architecture and implementations that don't allow that yet. And so I think what we have to do - and digital transformation is a big buzzword, but it's an important buzzword. It's one that is enabling the technologies of the future. That's what digital transformation means to me. It means that we are doing the work now to enable the technologies of the future. 

Jameeka Green Aaron: And so I think with implementation in many cases, we have a lot of technical debt, we have a lot of technology that are legacy technologies that just won't allow for us to use things like WebAuthn and biometrics. And so what we have to do first is start to upgrade our technologies to be able to use these new technologies. I think once we get to that point, and we're probably still a few years out, I think adoption will go through the roof. 

Jameeka Green Aaron: So I don't think that our adoption rates are where we'd like to see them be. But I think it has to do with us really understanding our workforce. The boundaries of our workforces have moved. We did a lot of work to support the remote workforce, and now we have to do that same work to protect that remote workforce for their formidable future. 

Jameeka Green Aaron: And so, no, adoption is most certainly not as high as we'd like to see it. But I think that everyone that I have spoken to and in my CISO community understands how important identity is and understands that if we don't do this work now, we're going to create identity silos where you have a system that manages identity that's in a silo and is completely separate from everything else that you do, and that's not what you want. In order to leverage some of the tools that I've talked about, like social logins and WebAuthn, and you've got to have some centralized idea about how you want to implement identity. 

Dave Bittner: How does privacy interact with all of this? You know, I remember years ago when some of the big popular social media platforms spun up and there was this idea that you could use, you know, one social media platform to log in to everything. But it turns out that they weren't being respectful of people's privacy. And I think some people feel - and me personally, I feel a little bit stung by that. How do the two things go hand in hand? How do we build that trust? 

Jameeka Green Aaron: I think that privacy probably is one of the greatest strengths of customer identity. If we do a good job implementing customer identity, we also have the ability to do a better job protecting consumer privacy. One of the things that we didn't do, and this is probably - you know, we're decades now into what we did, you know, that was contrary to privacy. In many cases, you know, the new privacy laws essentially are asking us to - at any point in time, a consumer can say, where is my data? You know, delete my data. What are you doing with my data? And that's a database, you know, architecture issue. We didn't build these databases to actually do that, to fetch that information for the consumer. We built it to fetch it for us, the technologists. 

Jameeka Green Aaron: And so one of the things I think that identity is doing or identity and CIAM is doing is building that muscle so that, you know, as we understand the consumers more, we're also better able to manage their information more. And we do - you know, we're building in the capabilities to really say, hey, users, this is what we're doing with your data. On top of that, I think it's critically important that we be transparent about how we use the user's data. And so I think that CIAM is one of the key approaches to that. It really helps us to get granular with how we're using the user's data and give that information back to the users. 

Jameeka Green Aaron: And so protecting identity isn't just about us the consumer - us the business needing to manage consumer identity, it's about the - us working with the consumer to really show them that, you know, if privacy is their major concern, it's also our major concern. The other thing that I think is critical about the security of CIAM is that we're protecting the users' identities. And so when there's a big data breach, oftentimes what the attackers are after is the user's private information. And as we implement multifactor and biometrics and build on top of WebAuthn, we are better able to protect the privacy by protecting their identities. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I think identity is one of those things that is hard to define online, right? You know, in person, it's pretty easy. I'm Joe. You're Dave. 

Dave Bittner: Right. 

Joe Carrigan: This is not talking about someone's social identity. I'm actually talking about the issue of substance, like, what you are... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Who you are. And you are - you know, you are Dave Bittner. 

Dave Bittner: Right. 

Joe Carrigan: I am Joe Carrigan. 

Dave Bittner: Right. 

Joe Carrigan: And we need... 

Dave Bittner: Big bag of meat walking around. 

Joe Carrigan: Right, exactly. 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: And, you know, if you think about this traditionally, we've thought about authentication as our means of identity management. But there are all kinds of other aspects of identity that go along with just authentication, right? Authentication is how you can demonstrate that you are who you say you are, but identity is a way of proving that you are somebody. It's - I don't know if the difference is subtle. Jameeka talks about the three layers that they use at Auth0. The user layer - and I like her thinking that users can be the first line of defense. They're not just the biggest source of errors. I think they probably are still a big source of errors, but they can be defensive, like... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Having them use multifactor authentication, right? If you insist that everybody use multifactor authentication when authenticating to your site, that's better than not doing so. 

Dave Bittner: Yeah, huge. 

Joe Carrigan: Huge. Right. Some kind of password manager, preferably one that lets you know when your passwords have been breached - that's always a good tool. 

Dave Bittner: Yeah. 

Joe Carrigan: And then in the application layer, where you're talking about the software that you're using, some kind of rate limiting is remarkably important. That is going to protect you and your customers from being - falling victim to, like, a credential stuffing attack. 

Dave Bittner: Right. 

Joe Carrigan: Right? That is a huge way of trying to get in to sites because there are tons of credentials out there, you know - email, username, password pairs out there that are readily available for anybody to try a credential stuffing attack. You can also use password spraying, which is very similar, but you just use random passwords. But if you rate limit login attempts, password spraying is just not going to work, right? And credential stuffing is probably going to be less effective. But if somebody is reusing passwords and they only have, like, five passwords, your rate limiting may not stop a credential stuffing attack. 

Dave Bittner: Right, right. 

Joe Carrigan: It may fail. That's why multifactor authentication is so important. Suspicious IPs, you know, the exit nodes for a lot of VPN services or Tor exit nodes - you might want to not let those people authenticate through that. Or better yet, you may want to rate limit those to one attempt. Impossible travel - that's an interesting concept. You know, if the last time you logged in was an hour ago in Maryland and the next time you log in is now in England... 

Dave Bittner: Right. 

Joe Carrigan: Right. 

Dave Bittner: Five minutes later. 

Joe Carrigan: Right, five minutes later. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. You can't do that, right? 

Dave Bittner: Without either a transporter or a time machine. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: One of those two, either of which are feasible. And then bot detection - you know, bot detection - credential stuffing is done with bots. That's all it is. It's just a... 

Dave Bittner: Yeah. 

Joe Carrigan: It's an automated process. And I guess if you're talking about bot detection, you're talking about bot network detection. So maybe there's a bunch of these things out there trying it. That would come in really handy. From the network layer, you're talking about continuous monitoring and web application firewalls and proper configuration of those devices. And that assumes that you have - well, for the web application firewall, you do have a perimeter on the web application, right? But continuous monitoring and reporting - you need that kind of stuff. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, we need to be able to do both of the following things. No. 1 verify our identities online - there are things that we need to be able to do that for, like... 

Dave Bittner: Right. 

Joe Carrigan: ...For banking and for applications where it's important that whoever's on the other end of the communication knows who we are and can validate that. 

Dave Bittner: Yeah. 

Joe Carrigan: The other thing we need to do is to be able to conceal our identities online. We need to maintain some level of privacy here. When - people can maintain multiple identities online as - you know, for different aspects of their own personal lives. 

Dave Bittner: Right. 

Joe Carrigan: And I think that's a valid use case. I would think that anything financial would be under a requirement for identity, but anything not financial, maybe you want to do that anonymously. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Maybe. 

Joe Carrigan: It would be nice. 

Dave Bittner: Be nice to at least have the option. 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. 

Joe Carrigan: Yes, it would be. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Jameeka Green Aaron. She is the chief information security officer at Auth0. We do appreciate her taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.