Hacking Humans 11.10.22
Ep 220 | 11.10.22

New laws and the effect on small businesses.

Transcript

Kurtis Minder: One small business, two small businesses - you know, not a major impact. But if this is occurring every day and we're talking about thousands of attacks and we're not able to measure it effectively, what if - what impact is that long term going to have on national security and the economy?

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Kurtis Minder returns. He is the CEO of GroupSense. And we're going to be talking about the impact of new legislation on SMBs. 

Dave Bittner: All right, Joe, let's jump into our show here. Before we get to our stories, we have some follow-up. 

Joe Carrigan: Yeah, well, actually, it's not follow-up. It's kind of a new development. So Elon Musk has purchased Twitter... 

Dave Bittner: Yes. 

Joe Carrigan: ...Right? And you're a big Twitter user, right? 

Dave Bittner: I am. 

Joe Carrigan: So how do you feel about Elon purchasing Twitter now - or Twitter now being an Elon Musk property? 

Dave Bittner: I'm not happy. 

Joe Carrigan: You're not happy? 

Dave Bittner: I'm sad. 

Joe Carrigan: Are you? 

Dave Bittner: Yeah. 

Joe Carrigan: Dave, I got - he has a proposal, though, that might make you happy. 

Dave Bittner: Elon Musk has a lot of ideas. 

Joe Carrigan: Right. 

Dave Bittner: Go on. 

Joe Carrigan: One of them is this blue check mark for 8 bucks a month. 

Dave Bittner: Yeah. 

Joe Carrigan: And Elon says we have to pay the bills somehow. Apparently... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Advertising is not enough. 

Dave Bittner: Yeah. 

Joe Carrigan: And Stephen King - I saw an exchange. He was saying that if Twitter says I need to pay to be authenticated with a blue check, then I'm out. 

Dave Bittner: Yeah. 

Joe Carrigan: And I don't know how I feel about this. First off, one of the things that Elon said is you'll get fewer ads. 

Dave Bittner: Oh. 

Joe Carrigan: For eight... 

Dave Bittner: Yeah, I don't believe that for a second. 

Joe Carrigan: Yeah, for 8 bucks a month, I need no ads. That's No. 1. 

Dave Bittner: OK. 

Joe Carrigan: OK? Because I know you don't make 8 bucks a month on my using Twitter right now. 

Dave Bittner: OK. 

Joe Carrigan: You'll be making more money with me - do me a favor, don't show me those damn promoted - I hate those promoted tweets. I can't stand them. 

Dave Bittner: OK. 

Joe Carrigan: They're terrible. What about my ability? Can I block nonverified accounts on Twitter 'cause I understand what he's trying to do here? I think the idea is that if you have a nonverified account, your account will be taken less seriously, and then you will not be - you'll be more likely to be a bot. Maybe it's part of his move to get bots off the platform. 

Dave Bittner: Could be. 

Joe Carrigan: But first off, do you think $8 a month is a good value for a blue check? 

Dave Bittner: Well, I think it's a misguided approach. I mean... 

Joe Carrigan: OK. 

Dave Bittner: ...First of all, I already pay for Twitter. I pay for Twitter Blue, which gives me - let's see, what does it give me? It gives me the ability to post longer videos. That was actually the main reason that I got Twitter Blue... 

Joe Carrigan: OK. 

Dave Bittner: ...Was so that I could paste last year's CyberWire Christmas video, which was longer than two minutes. So if you pay the $3 a month, you can post longer videos. There are some other benefits. There's some content you get without subscriptions and things like that. So there's some ad-free content you can get for having Twitter Blue. It's 3 bucks a month - not a big deal. 

Joe Carrigan: Right. 

Dave Bittner: So I'm fine with it. And I get a lot of value out of Twitter, so I was like, yeah, 3 bucks a month - you know, let me throw a little money Twitter's way, and I'm happy to do that. But that's different from a verified check mark. I will tell you, I have applied for a verified check mark twice... 

Joe Carrigan: Right. 

Dave Bittner: ...And been turned down both times. 

Joe Carrigan: Right. 

Dave Bittner: The first time, I totally understand why I wasn't. I was - you know, there was no reason for them to give me one, but I figured, oh, what have I got to lose? The second time, I sent them everything they asked for from my position at the CyberWire. 

Joe Carrigan: Right. 

Dave Bittner: And I have - you know, if you go to the CyberWire website, there I'm listed. And I sent them a link to that and, you know, all those kind of things. I'd say the only thing I'm missing is, like, a Wikipedia page on me or something... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Like that, you know? 

Joe Carrigan: You and I don't have Wikipedia pages. 

Dave Bittner: No, we do not. And I'm - whatever. I'm fine with that. 

Joe Carrigan: I'm not (laughter). 

Dave Bittner: But - so I think the mistake here is that to me, the blue check mark and the verification is a way for users of Twitter to know that who they're dealing with is actually who they say they are because there's some level of scrutiny that goes into that. 

Joe Carrigan: Right. 

Dave Bittner: You have to send them a copy of your ID. This is not that. To - $8 to get a blue check mark is just - for $8, I can say I'm anybody. 

Joe Carrigan: Right. 

Dave Bittner: And so... 

Joe Carrigan: Well, we don't know how this is... 

Dave Bittner: ...This is going to be hard... 

Joe Carrigan: ...Going to work, though. 

Dave Bittner: No, we don't. But why conflate the two, right? Keep the blue check mark - keep the verified accounts for people who truly need it - celebrities, journalists - you know, people for whom we need to know... 

Joe Carrigan: Right. 

Dave Bittner: ...That the information we're getting from them is from them and not from someone pretending to be them. 

Joe Carrigan: Right. 

Dave Bittner: And then find some way to bring value to an $8 a month subscription. Maybe it is no ads. Maybe - who knows? I don't know. But I think he's coming at this the wrong way by conflating the two. And I suspect it's going to end up blowing up in his face. I think - and actually, it's funny, Ben Yelin and I talked about this on - over on the "Caveat" podcast this week. 

Joe Carrigan: Ah, you did. 

Dave Bittner: I think that Elon Musk's purchase of Twitter is very much like Donald Trump's run for the presidency of the United States. And that is it is a PR effort that went horribly wrong. 

Joe Carrigan: (Laughter). 

Dave Bittner: I don't believe that Donald Trump really ever wanted to be president of the United States. I think he wanted all the attention and publicity that came with running for president of the United States, and it just spun out of control. And I think the same thing has happened here with Elon Musk, where he was - there was a certain amount of bravado, and he said, oh, why don't I just buy it? Hahaha. And the next thing he knows, the FCC is like, you said things, and so you're on the hook here... 

Joe Carrigan: Right. 

Dave Bittner: ...To buy this company. And now he owns it. He's in a terrible position. He's loaded it up with debt. And I'm really afraid that something that has become - that I enjoy as part of my day and, you know, people I communicate with, I think there's a good chance that it could really go down the tubes. So we'll see. 

Joe Carrigan: I don't know if it's going to go down the tubes. I think the platform is always going to have value. I read somewhere - you know, he paid - what? - $44 billion for it, somehow? 

Dave Bittner: Yeah, something like that. 

Joe Carrigan: And then somebody valued the company at like $12 billion. 

Dave Bittner: Yeah. 

Joe Carrigan: Which - I don't know. I haven't looked at what their business model - you know, what their revenue and profits are and all that stuff. I know what their business model is, but I don't know what their revenues are and profits are. I really don't - like I've said many, many times, I really don't like social media, and I don't participate in it. I was just curious about this ability to just buy a blue checkmark and get your opinion out, because I know you are a big Twitter user. 

Dave Bittner: Yeah. 

Joe Carrigan: So... 

Dave Bittner: I can say I think $8 a month, if you can find value in that, great. Make that an option. I also saw somebody did the math on this. And, like, if everybody who's verified right now paid $8 a month, it would only be something like $35 million, which is... 

Joe Carrigan: A year? 

Dave Bittner: Yeah, which is not - I mean, it's a drop in the bucket. 

Joe Carrigan: Right. 

Dave Bittner: That doesn't even service the debt that the company's been loaded up with. So I don't know. They're just - you know, they're moving very fast. They're changing things very fast. And, you know, please hold on to the bar. Here we go. 

Joe Carrigan: Right. (Laughter) Please hold on to the bar. 

Dave Bittner: Yeah. 

Joe Carrigan: All right. You want to move into the stories now? 

Dave Bittner: Let's - please. 

Joe Carrigan: (Laughter) I'm over here poking the bear with a short stick. 

Dave Bittner: Yeah. Ugh. 

Joe Carrigan: Right. I didn't mean to bring you down, Dave. I'm sorry. 

Dave Bittner: No, it's OK. 

Joe Carrigan: All right. Well, I do have another story, and it is another social media story, but we're not going to be talking about Twitter again. We're going to be talking about Facebook. And my story comes from Mike Krafcik at WWMT in Kalamazoo, Mich. I picked this story solely because it comes out of Kalamazoo, and Kalamazoo is fun to say. 

Dave Bittner: (Singing) Kalamazoo. Yeah. 

Joe Carrigan: But it's an interesting scam that's going on, and we'll put a link in the show notes to the story, and you can watch the video that explains it. But there are some things that are some - missing in terms of the reporting here because these reporters are not cybersecurity experts, right? 

Dave Bittner: Sure. 

Joe Carrigan: They're just journalists. 

Dave Bittner: Yeah. 

Joe Carrigan: But there's an ongoing chain of this scam. And what happens is there is a - they got in touch with this first victim who didn't want to be identified, and he wound up sending money to somebody he thought was a Facebook friend. 

Dave Bittner: OK. 

Joe Carrigan: But after he sends the money, his account got compromised. 

Dave Bittner: His Facebook account. 

Joe Carrigan: His Facebook account... 

Dave Bittner: OK. 

Joe Carrigan: ...Got compromised. And they use that account to do the same things to everybody else that was his Facebook friend. Then they interview another woman named Ruth who says she was targeted by the same scam. She got a text message over Facebook Messenger asking for $200. And then she gets a Facebook Messenger video call of her friend, that is - looks like her friend. His mouth is moving and everything. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's a short video call, only 18 seconds long. But she becomes convinced that it's him looking for $200. 

Dave Bittner: OK. 

Joe Carrigan: So she actually sends $200 to her friend via his phone number because she has his contacts. 

Dave Bittner: Right. 

Joe Carrigan: And she looks up his phone number in Cash App, and they go, that's this guy. And she sends $200. And the guy on the other end goes, no, no, no, that's not me. So the scammer got upset. This was actually a scam. I don't - it doesn't really say if she actually sent the money to her friend, but I'm assuming that she did. So she's probably not out that money. She could probably get that money back from her friend. 

Dave Bittner: OK. 

Joe Carrigan: But here's what I think is happening. OK? I think it's spreading kind of like a virus. Of course, there's talk on - in the article and on the video about this being a deepfake technology. But I don't think this is a deepfake technology. 

Dave Bittner: OK. 

Joe Carrigan: So here's what I think happens. Once I've compromised someone's account, everybody gets a video call, right? Somewhere there has to be a first video call. 

Dave Bittner: Right. 

Joe Carrigan: Right? During that video call - it's very short. It's only 18 seconds or something like that. But I, as the bad - or the bad guy is recording the video call. Some - they have some means, some screen recording that they're doing. 

Dave Bittner: Oh, I see. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And then they are editing that video call, taking the audio out of it, and then they try to compromise your account. 

Dave Bittner: Right. 

Joe Carrigan: So let's say I'm targeting Dave Bittner. I know that you're not on Facebook any more, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: Lucky you. But let's say I'm targeting you, and I call you up, and you're the first guy, and I just try to do a video call. You think it's actually your friend, Bob, but it's actually bad guy Joe on the other end. 

Dave Bittner: Yeah. 

Joe Carrigan: And I record your video... 

Dave Bittner: Right. 

Joe Carrigan: ...During the call. And then I use, like, OBS Studio or something like that, which is an open source and freely available screen recording tool... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That you can use. And I take that video and edit it in maybe Shotcut, which is another open source and free tool that lets me edit videos. 

Dave Bittner: OK. 

Joe Carrigan: And then I call - I get you to compromise your account by sending you a phishing link somehow. 

Dave Bittner: Yeah. 

Joe Carrigan: And then I call all of your friends and I - when I show the video - when I call them, when I do the video call with them, I actually feed - instead of a camera feed, I feed in your video of you talking and your lips moving. 

Dave Bittner: Right. 

Joe Carrigan: And it becomes more convincing. 

Dave Bittner: Right. That makes sense to me. 

Joe Carrigan: Yeah. I think that's what's happening here. So it's an interesting scam. Of course, Mike Krafcik reaches out to Meta, and Meta says, we strongly encourage people to be wary of unexpected, unusual messages and calls from existing contacts, and report suspicious messages and friend requests to Meta right away so we can take action. I said, that ought to do it. Thanks, Meta. 

Dave Bittner: (Laughter) Yeah, right. 

Joe Carrigan: Great work. Great work, guys. 

Dave Bittner: (Laughter) Yeah. This reminds me of the - like, an updated and enhanced version of the old thing that I saw many times, where a friend's account - let's say, Facebook account, would be compromised. 

Joe Carrigan: Right. 

Dave Bittner: And I'd get a message from them that would have said, Dave, I'm stuck in England, and I lost my passport. Will you send me $50? 

Joe Carrigan: Right. 

Dave Bittner: You know, I'm desperate. And it's a scam. 

Joe Carrigan: Right. 

Dave Bittner: Yeah, so... 

Joe Carrigan: It's the same thing, but now they have a video of it... 

Dave Bittner: Right. 

Joe Carrigan: ...A video... 

Dave Bittner: Right. 

Joe Carrigan: ...Of your friend... 

Dave Bittner: So... 

Joe Carrigan: ...So it actually looks like they're video calling you. 

Dave Bittner: That's right. So if I get that message and then I get a video call from that friend, and I see moving video of that friend, and I think to myself, oh, my friend must be having trouble with their audio. But now it just reinforces that that really is my friend. 

Joe Carrigan: Right. 

Dave Bittner: And I'm much more likely to send the money. 

Joe Carrigan: Right. And that's exactly what happened to Ruth. She talks about - in the article - about how she was convinced that this was her friend. And fortunately, she sent the money via the phone number, rather than the account that the scammer gave her. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, Dave, when we started doing Zoom calls for regular meetings, once the pandemic started... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I recorded a Zoom call of just me, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And put that on full screen, so I could just get a video of me sitting there. And I moved my eyes by - starting by looking directly at the camera, and then I moved my eyes around the room, and then I looked directly back at the camera. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But I was recording the Zoom call at the same time. So when that Zoom call was over, I had a video of me looking at the camera, looking all the where - around, and then looking back at the camera. 

Dave Bittner: Right. 

Joe Carrigan: Right. So then I took that video, and I made that my background on Zoom. 

Dave Bittner: Yes, I've... 

Joe Carrigan: So... 

Dave Bittner: ...I've heard of this, yes. 

Joe Carrigan: ...So, now... 

Dave Bittner: Dastardly, Joe, dastardly. 

Joe Carrigan: ...Right. Now I'm sitting there in the meeting, and I'm just playing a video of me looking at the camera and looking - and it's important that you start by looking at the camera and end by looking at the camera. And I actually did use Shotcut to edit that back up. And then I sat there, and then I had to talk on the meeting, so I turned my microphone on and started talking, and somebody goes, Joe, your lips aren't moving. And then I turn my camera on, and I go, well, I have a background here. And that got a big... 

Dave Bittner: Busted. 

Joe Carrigan: ...A big laugh. 

Dave Bittner: (Laughter). 

Joe Carrigan: I wasn't so much busted. I was hoping that would happen, you know? I just wanted to demonstrate the proof of concept to everybody. You know, I... 

Dave Bittner: I heard of a lot of students doing that during the... 

Joe Carrigan: ...Yeah. 

Dave Bittner: ...Pandemic. 

Joe Carrigan: Yeah, I - actually, I didn't hear about anybody doing that. I was pretty proud that I came up with that on my own. But I'm sure that, you know, like, I've had so many other great ideas that have just been taken away by other people because they came up with it. 

Dave Bittner: (Laughter). 

Joe Carrigan: And they've made millions by it. But there's no way somebody can make millions with that. But I thought this story was very interesting... 

Dave Bittner: It is. 

Joe Carrigan: ...And a very similar take on that... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Back way of going about it. 

Dave Bittner: Well, it's an extra level of sophistication, but also... 

Joe Carrigan: It is. 

Dave Bittner: ...Effort on their part... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Taking the time to do that. But it's - I can see how it would work. All right. Well, my story this week actually comes from my own life. 

Joe Carrigan: OK. 

Dave Bittner: (Laughter) So... 

Joe Carrigan: I love the ones that come from our lives. 

Dave Bittner: Oh, Joe. My dear, dear father... 

Joe Carrigan: Yes? 

Dave Bittner: ...Who is 88 years old, and I love very much, and - but he is technologically challenged. 

Joe Carrigan: Correct. 

Dave Bittner: I am his - as I suspect you probably are for members of your family - I am his No. 1 source of tech support. 

Joe Carrigan: Yes. 

Dave Bittner: As I often say when I answer the phone and it's my dad, hello, Dave's lifetime unlimited tech support... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Dave speaking. How may I help you? (Laughter) So, he calls me up, and he says, I've got a problem, Dave. I've got a problem. I got this email from Best Buy, and they're saying that I owe them $500. I'm like, Dad, OK. Forward me the email. 

(LAUGHTER) 

Dave Bittner: I said, don't do anything. Don't do - he said, well, I've been trying to call the number all day. 

Joe Carrigan: Oh, no. 

Dave Bittner: Yeah. He said, I tried to call them yesterday, and it's just a busy signal. And I've been trying to call them all day today, and it's still a busy signal. And I'm afraid - you know, the email says - so let me just back up a little bit. So... 

Joe Carrigan: Right. 

Dave Bittner: ...I got the email from him, and it says, invoice from Best Buy - Best Buy and the Geek Squad. It is dated - there's a date on it from the date that they sent this to him. It says, hello, customer. We respect you choosing our offerings. We would like to let you understand that your prior PC safety plans auto-renewal is today, and you will be charged $499.99, which will be deducted robotically from your saved bank account. And then it says Geek Squad service, price 499.99, payment method auto debit, purchase online. For cancellation of the subscription or refund policy, contact us on our 24/7 helpline number. And then there's the phone number, and that was the phone number he was calling. 

Joe Carrigan: Right. 

Dave Bittner: So I'm guessing that he got lucky that this phone number had already been compromised, had already been shut down, that they were using this phone number. It could be that it was overwhelmed with calls. 

Joe Carrigan: Right. 

Dave Bittner: I don't know. 

Joe Carrigan: That's my fear on this... 

Dave Bittner: Right. 

Joe Carrigan: ...Is that this campaign was so successful that they can't handle the call volume. 

Dave Bittner: Right. Right. But let me tell you, Joe, I get this call from my dad. And this is real to him. 

Joe Carrigan: Right. 

Dave Bittner: He's called his bank... 

Joe Carrigan: Right. 

Dave Bittner: ...To make sure that the money hadn't come out of his bank account already. 

Joe Carrigan: Well, that's the right call to make. 

Dave Bittner: Yeah? 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: Call the bank. You call - you know who your bank is, right? 

Dave Bittner: Yeah. Yeah, yeah. 

Joe Carrigan: Call them up and say, hey, I got this invoice. Look for an account. Tell them. Somebody says they're going to be debiting my account $499.99. That's a fraudulent transaction, if that happens. 

Dave Bittner: Yeah. Yeah. So obviously, that didn't happen. 

Joe Carrigan: Right. 

Dave Bittner: What they were after here was for him to call and then the scam... 

Joe Carrigan: Right. 

Dave Bittner: ...Begins (laughter). 

Joe Carrigan: And then they will install all kinds of malicious software on his computer and... 

Dave Bittner: Right. 

Joe Carrigan: Yeah. 

Dave Bittner: Right. 

Joe Carrigan: It's just a bad situation from there on out. 

Dave Bittner: But I have to say, I felt a little bad because as much as I do to try to prepare him against these sorts of things, he was already on his way down the path. 

Joe Carrigan: Right. 

Dave Bittner: He had called the bad guys... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Before checking with me... 

Joe Carrigan: Yeah. And... 

Dave Bittner: ...Despite me saying to him over and over again... 

Joe Carrigan: Don't do that. 

Dave Bittner: ...Don't do that. 

Joe Carrigan: Right. 

Dave Bittner: Check with me. Send these things to me. They're always scams. 

Joe Carrigan: Yeah. 

Dave Bittner: Never call. Don't click on anything. And here we were. He had already - because he didn't want to bother me, Joe... 

Joe Carrigan: Right. 

Dave Bittner: ...Didn't want to bother me... 

Joe Carrigan: Right. 

Dave Bittner: ...Didn't want to be a bother. So for a couple of days, he had been trying to call the bad guys to give them his money (laughter). 

Joe Carrigan: They were going to get more than 500 bucks if they... 

Dave Bittner: Well... 

Joe Carrigan: ...Had done it. 

Dave Bittner: ...They may - yeah. And honestly, you know, he - I don't know. I - it's hard to say. I mean, my - I'd say my dad is pretty sharp, and he's pretty savvy. At the same time, he was halfway down the path... 

Joe Carrigan: Right. 

Dave Bittner: ...With these folks. So... 

Joe Carrigan: Right. No. And that's a key part. Everybody likes to think, oh, this would never happen to me. I wouldn't fall for this. 

Dave Bittner: Right. 

Joe Carrigan: You know, we all fall for these things. At some point in time, something is going to trip a trigger in your head, and you're just going to just be sucked in. 

Dave Bittner: Yeah. 

Joe Carrigan: It's very important to have people that you can call and people that you can listen to that can - you can bounce ideas off of. 

Dave Bittner: Yeah. Well, and he said - it's funny, too, 'cause when we were talking about it and I was sort of talking him down, I said, Dad, just throw it away... 

Joe Carrigan: Right. 

Dave Bittner: Just delete it. And he would say - he said, I can do that? Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: Just throw it away. And I don't have to contact the bank? No. 

Joe Carrigan: Well, I mean... 

Dave Bittner: He said - but... 

Joe Carrigan: ...He doesn't have to contact. 

Dave Bittner: I said, Dad, it's a scam... 

Joe Carrigan: Right. 

Dave Bittner: ...They didn't contact your bank. 

Joe Carrigan: Right. 

Dave Bittner: It's fine if you want to check with them, great. 

Joe Carrigan: Sure. 

Dave Bittner: If it makes you feel better, great. 

Joe Carrigan: Yep. 

Dave Bittner: But that's not what this scam is. 

Joe Carrigan: Right. Right. 

Dave Bittner: So... 

Joe Carrigan: Yeah, but... 

Dave Bittner: ...Your bank is fine. You're fine. Delete it, and get on with your life, and hopefully, you know, live to fight another day. 

Joe Carrigan: But I think that him calling the bank will make him feel better, and that's why he should do it. 

Dave Bittner: Yeah, that's true. 

Joe Carrigan: And for no other reason - you're right. It doesn't do anything for the scam because the scam has not actually been pulled on him yet. This is just... 

Dave Bittner: Right. 

Joe Carrigan: ...The hook for the scam. 

Dave Bittner: Yes. 

Joe Carrigan: He's hooked in. 

Dave Bittner: Yeah. 

Joe Carrigan: But he hasn't actually been victimized yet. 

Dave Bittner: Right. 

Joe Carrigan: So - but if calling the bank and telling them about this, and say, be on the lookout for a fraudulent transaction - if that puts his mind at ease, that is well worth the time it takes to make the call. 

Dave Bittner: Yeah. I agree. I agree. So - I'm not - you know, there's nothing for me to link to here. This is a pretty common scam. 

Joe Carrigan: Right. 

Dave Bittner: But a, you know, tech support scam, I guess, is how we would categorize it. 

Joe Carrigan: Yeah. 

Dave Bittner: And I see a lot of these going around from - pretending to be from places like Best Buy. There's one that makes the rounds that pretends to be from, like, Norton Antivirus, from McAfee, you know, all these consumer-facing tech brands. And it's this exact same thing. They say we're - hey, good news. We're going to auto renew your subscription. And you - of course, you don't have a subscription. 

Joe Carrigan: Right. 

Dave Bittner: So they get you on the phone, and then they got you. 

Joe Carrigan: Yeah. Does your dad listen to this podcast? 

Dave Bittner: No. 

Joe Carrigan: (Laughter). 

Dave Bittner: No. Does my dad listen to this podcast? Joe, I love you, man, but... 

Joe Carrigan: Sorry. 

Dave Bittner: ...Does my - No. No. My dad - oh, gosh, no. I have - let me - I bought my dad a remote control for his TV that has fewer buttons, Joe. 

Joe Carrigan: OK. 

Dave Bittner: (Laughter). 

Joe Carrigan: I get it. 

Dave Bittner: OK. 

(LAUGHTER) 

Dave Bittner: So that's where we are... 

Joe Carrigan: I empathize with that. 

Dave Bittner: ...With my dad. No, there's no way he could handle a podcast subscription. 

Joe Carrigan: OK. 

Dave Bittner: No, no. I just - I love my dad. It's not his thing (laughter). So - but - and you know what? I could go to him every week when I visit him and just do it live. 

Joe Carrigan: You just - yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: Just play it out of your phone. 

Dave Bittner: No, just do it just me. Just... 

Joe Carrigan: Oh. 

Dave Bittner: ...You know, just... 

Joe Carrigan: Oh. 

Dave Bittner: ...Do a live performance for him. 

Joe Carrigan: I'm Dave Bittner... 

Dave Bittner: You know... 

Joe Carrigan: ...From the CyberWire. 

Dave Bittner: ...Maybe one day, you and I can go over and do it in person. 

Joe Carrigan: Yeah. That'd be great. 

Dave Bittner: I mean, we'll just sit down with him and give him a... 

Joe Carrigan: Have a conversation. 

Dave Bittner: ...Best-of version of the show. Maybe... 

Joe Carrigan: Yes. 

Dave Bittner: ...It'll help out. And as we say, help inoculate my dear, dear father... 

Joe Carrigan: Yes. 

Dave Bittner: ...For some of these things. All right. That is my story this week. Joe, time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from an anonymous listener who writes, hello, favorite podcast men. 

Dave Bittner: Aww. 

Joe Carrigan: Hey, we're someone's favorite. 

Dave Bittner: That's nice. 

Joe Carrigan: It is a pleasure to write to you. 

Dave Bittner: Aww. 

Joe Carrigan: This was sent to me on an email address I once set up for a security camera I tried to install but never got working properly. I guess the company got breached. Think it was D-Link... 

Dave Bittner: OK. 

Joe Carrigan: ...Which makes sense. I think we've heard of D-Link breaches. It's interesting that he set up an email just for a camera, which is a good idea, I think. Emails are pretty cheap. 

Dave Bittner: Yeah. 

Joe Carrigan: But he says - at the end of his note, he says he wonders if these emails ever work. And I think they do work. 

Dave Bittner: Sure. 

Joe Carrigan: And that's why you keep getting them. 

Dave Bittner: Right, right. 

Joe Carrigan: Because, you know, it's - this is just an advance fee scam email. But, you know, like we've seen so many of these before, but the wording is terrible. 

Dave Bittner: Mmm hmm. All right. It goes like this. Hello, dearest one. It's my pleasure to write you, and I know you are good. My name is Mrs. Phong Dung. I was born in Hung Yen, Vietnam, but I lived with my husband in Whistler, Canada, for a long time until he died. I have been suffering from cancer and have a short life to go. I lost my husband in June. Meanwhile, before my husband's death, he worked on a contract of 1,800,000 U.S. dollars only with the American government. But his death took him before the money was transferred to my bank account. My husband was a philanthropist before his death. He also encouraged me to help the poor orphans and widows. Since we got married, we couldn't have children until death separates us. I have deposited $800,000 to the hospital for my treatment. Now, due to my state of health, I want to send the remaining $1 million to you so that you will help me give it to the poor and widows in your country. As ordered by my late husband because we have no children to inherit the money, I do not discriminate against religion, ethnicity when controlling this project. 

Joe Carrigan: How noble. 

Dave Bittner: I pray that God will give you a kind heart to take care of this project. I will not be there to watch you for this project, but God will be there to see you. You have to take 30% for the money for your personal use, and use the rest for charity. Please help me to fulfill my last wish. Reply back to me in the email below for more details on how you will receive the money without any complications. Yours faithful, Mrs. Phong Dung. 

Joe Carrigan: (Laughter) This is very interesting, I think. 

Dave Bittner: (Laughter). 

Joe Carrigan: I mean, it's just typical. It's typical. Couple of things wrong with it. First off, the English is a little bit broken. 

Dave Bittner: Yeah. 

Joe Carrigan: So it looks like it may have run through a translator. Maybe it was written by someone who isn't a native English speaker. Who knows? 

Dave Bittner: Yeah. 

Joe Carrigan: I loved when you yell because the 1,800,000 U.S. dollars only is in all caps. 

Dave Bittner: Right. 

Joe Carrigan: That's there to catch your attention. 

Dave Bittner: Yes (laughter). 

Joe Carrigan: Another point here is that she has deposited $800,000 into the hospital for her treatment in Canada, which has... 

Dave Bittner: Oh, I didn't think about that. 

Joe Carrigan: ...Socialized medicine. So she... 

Dave Bittner: Right. 

Joe Carrigan: Nobody in Canada pays $800,000 for medical treatment. 

Dave Bittner: No. I was going to say here in the States, that'll get you a few aspirin (laughter). 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Oh, that's a good - yeah, I didn't catch that. That's a good one. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: So, I mean, there's a couple of red flags in here. But, you know, these are - we read these because we know they're scams, right? So we look for the holes in them. But if somebody's not looking at this from a standpoint of skepticism, then that's how they fall for this. 

Dave Bittner: Right. And, hey, take 30% of the money for my personal use. 

Joe Carrigan: Yeah. That's $300,000. 

Dave Bittner: I'm only following the good widow's request here. 

Joe Carrigan: Right. 

Dave Bittner: Right? Her instructions. She wanted me to take 300 grand for my own use. 

Joe Carrigan: Right. 

Dave Bittner: So I'm just being a good person. 

Joe Carrigan: So what happens here is if you reply to this email, you'll get advance fee requests, right? You might actually get requests for your personal identifiable information and bank account information. 

Dave Bittner: Right. 

Joe Carrigan: And they may try to steal money from you that way. This is just a scam - just the tip of the spear of the scam. 

Dave Bittner: Yeah. 

Joe Carrigan: And by the way, if you start paying advance fees - this is what I like to say every single time - you will always just pay advance fees, until you either run out of money or stop giving it to them. 

Dave Bittner: That's right. 

Joe Carrigan: That's what happens. 

Dave Bittner: Yeah. All right. Well, very good. Thanks to our listener for sending that in. We do appreciate it. We would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, it's great to welcome Kurtis Minder back to the show. He is the CEO of an organization called GroupSense. And our conversation today centers on some new legislation that may affect small and medium-sized businesses. Here's my conversation with Kurtis Minder. 

Kurtis Minder: The ransomware cases that we see and hear about on the news are often very focused on the larger companies. For every one of those that we hear about, there's probably thousands. You know, our sample size at GroupSense is what it is. But - and many of these go unreported, but probably thousands of small businesses that are being hit, that aren't being paid attention to or addressed. And unfortunately for a lot of the small businesses - you know, they end up in a situation where, you know, they don't have the economic resources to recover. For them, more than for the larger companies, this situation ends up where they have to make a decision to either go out of business or pay the ransom. 

Dave Bittner: Yeah. And so, I mean, you know, Congress in its own special way, and by that I mean slowly, has - is working on some things to assist here. But I understand in your mind maybe this isn't going to provide the relief that some of these small- and medium-sized businesses need. 

Kurtis Minder: Well, you know, any step in a positive direction is good. But I don't think that the small business community is represented well enough in Congress. And I have met with the small business folks there, the committee lead there and talked about this, and we're in agreement. The problem for them also is that because a lot of these go unreported - and they go unreported for a number of reasons. Primarily shame or embarrassment is part of that. Fear of retribution from law enforcement - just lack of knowledge of the circumstances there. But, you know, the metrics that would drive policy from a small business perspective aren't really clear. So that's a hard thing to overcome. 

Kurtis Minder: But yeah, ultimately what I've been campaigning for - I'm using that word sort of loosely. What I've been campaigning for is if we need to try to find a way to curb ransomware payments, then, you know, simply making that illegal or forcing reporting aren't going to solve that necessarily. They're - in fact, they may drive behavior underground. What we need is to provide some third option for small businesses beyond, you know, go out of business, pay a ransom. Perhaps, you know, even a subsidized program to help recover or prevent. Obviously, prevention, in my mind, is always the best option. And that's usually the case in everything in life. It's the cheapest and best option, right? 

Dave Bittner: Yeah. What do you imagine something like this could look like? How - in a practical way, how could it play out? 

Kurtis Minder: Well, I don't want to turn a blind eye to some of the work that, like, for example, CISA, the Cybersecurity Infrastructure and Security Agency, are already doing from a sort of a public service announcement perspective, where they're promoting best practices around cyber hygiene and things like that. So, you know, that's part of the prevention effort. So let's, you know, let's give them kudos for taking that first step. But perhaps, you know, taking some of the macro-level data that we have about the cyber attack landscape - and we're talking a little bit about ransomware here. But also keep in mind that one of the - you know, there's a number of other cyber attacks that are occurring and in volume across not just large companies but small businesses - like, for example, the business email compromise - that could be prevented with a little bit of cyber hygiene, education and perhaps some subsidized program. 

Kurtis Minder: And if we took the macro-level data, and we looked at it and said there is a return on investment keeping, you know, fiat, liquid capital in the U.S. economy, which, by the way, you know, I don't have to say this out loud but I should, I guess, small businesses make up most of the U.S. GDP and more than half the jobs typically. So they're kind of important. I would argue, you know, collectively, they're critical infrastructure, right? So if we could take a look at that data and determine an ROI or a return on investment for a subsidized program to help them fund some of the defenses and prevention efforts, and then potentially even provide some remediation if it occurs anyway, that would be amazing. 

Dave Bittner: So, I mean, we're - are we thinking along the lines of, you know, other public programs we have? I mean, you know, we have clean water. We have - there are organizations like FEMA who come in and help clean up after there's been a natural disaster. Are we thinking along those sorts of lines? 

Kurtis Minder: Yeah. And I do think that some of the efforts under DHS and CISA are headed in that direction. But the legislation hasn't quite caught up. 

Dave Bittner: You know, I was recently having a conversation with some folks from my local FBI field office, and they were saying how an effort for them is really to have outreach so that these small and medium business owners know that they're a resource, that they should reach out to the FBI if they have a problem, and they're not going to be audited, you know? 

Kurtis Minder: Right. 

Dave Bittner: The FBI's not going to come through and rifle through all of their paperwork. You know, they are actually here to help. 

Kurtis Minder: Yeah, that's refreshing to hear. We obviously work tactically with the FBI field offices as we go through these cases. And the only downside to that is that they would also probably tell you that they're overextended. So they're simultaneously offering their hand, but what they're not telling you is, we don't have a whole lot of resources to use on it. And the smaller the case, the less likely they're going to be able to allocate resources to it. So, again, once again, small businesses are sort of falling to the bottom of the priority pile. And, again, I'll restate it - one small business, two small businesses - you know, not a major impact. But if this is occurring every day and we're talking about thousands of attacks, you know, and we're not able to measure it effectively, what impact is that long term going to have on national security and the economy? So, you know, I'm just trying to raise a flag, you know, myself, both public speaking, volunteering at chambers of commerce. I just did a TEDx Talk on the topic, trying to promote good cyber hygiene and behavior on the small businesses. Also, what I found is a lot of small businesses still feel like this isn't going to happen to them. So they're not - they don't understand the why well enough. And it is highly likely that they are a target. And so we have to get the word out that, you're not - just because you're a small, you know - I don't know - accounting firm in middle America doesn't mean that this isn't going to happen to you. 

Dave Bittner: You know, in terms of communications with - you know, you mentioned, like, a chamber of commerce or, you know, even making a phone call or writing a letter to our representatives. What sorts of things should we be asking for? What should we be advocating here? 

Kurtis Minder: You know, communication, I think, is kind of a backbone of all of this - is, you know, one of the things that we have to get out there is that it is OK to report this. But again, I'm just getting back to the macro-level data. In order to get people to get out of their seats and make changes, they need to understand the impact. And right now, you know, many - not just the small business ones, but many of these cyberattacks are kind of swept under the rug to the best of the ability of the victim for a number of reasons. And so we need to certainly promote transparency and communication, at least with law enforcement, about this so that we can get that macro-level data. And then, you know, prevention programs are key. You know, we actually out of GroupSense launched a nonprofit that partners with universities that trains university students to assess and make some of the cyber hygiene changes for small businesses in the university communities. They do that for free. They get school credit and get paid to do it. And so just on a community-by-community basis, you know, I would say even to my hacker colleagues at DEF CON, you know, go to your chamber of commerce and have these conversations with your local businesses, right? It's really a communication-first issue. 

Dave Bittner: Are you optimistic that we're headed in the right direction here? Do you sense that things are getting better? 

Kurtis Minder: It's really hard to say because, you know, again, a lot of the stuff is going unreported. Our sample size, you know, is what it is. And we - the number of cases we get, you know, hasn't really changed. So those indicators indicate that it was sort of status quo. But I think from an awareness and a policy perspective and some of the things I see CISA doing and, you know, the way that the FBI has organized their response, I think those are all positive steps that are undergoing policy next, right? The policy needs to catch up to that. 

Dave Bittner: Where do you stand on mandatory reporting? I mean, is that overall a good thing? Or might it lead to unintended consequences? 

Kurtis Minder: I think the spirit of it is good. You know, the intention and the spirit of it is a good thing, and the potential for it to impact policy and national security is good. You know, like any other kind of reporting or data sort of stewardship. You know, you always have the concerns that that data gets leaked or, you know, the victim data gets leaked at our government level. And so it's - as long as they're putting the right protections around the people who are reporting to protect their privacy, that's - I think that's key. But yes, I think it's generally a good thing. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: First off, it's always great to have Kurtis back. I like listening to what Kurtis has to say. I think there is a huge business opportunity that's being missed by providing cybersecurity services to small- and medium-sized businesses. Maybe I'm wrong. Maybe other people out there have those great ideas and have thought about this and then tried to sell it to small- and medium-sized businesses, but they don't have the money to buy it. And that's really the key problem - is generally, small businesses and medium-sized businesses don't have a ton of cash. 

Dave Bittner: Right. 

Joe Carrigan: So my opinion on this matter is this has to be something that's done at scale, right? There has to be a company that is founded with the idea that we're going to represent security services for these businesses, and we're going to just have some economy of scale by the fact that we have so many customers. And we're essentially going to treat them like our own employees and our own security model. And we're going to say, you're going to get our security model, and that's how it's going to work. 

Dave Bittner: Right. 

Joe Carrigan: So there's a free billion-dollar idea for somebody out there... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...If you want to start that up. Additionally, these companies are really not focused on their own security, right? 

Dave Bittner: Yeah. 

Joe Carrigan: They're focused on making money and being a business because a lot of these small businesses are family-owned businesses where they have to put food on the table. And they have to pay their employees. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, having employees is a big burden in a - or is a big emotional burden in a small business, right? 

Dave Bittner: Yeah, huge responsibility... 

Joe Carrigan: It's a huge responsibility. Exactly. 

Dave Bittner: ...For other people's well-being. Yeah. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's terrible when these companies are faced with the two options of either going out of business or paying some ransom. That is a decision I would never want to make. I'm sure nobody wants to make it, but it's one you need to think about, right? 

Dave Bittner: Right, right. 

Joe Carrigan: You know, that exercise I talk about where, you know, if you - you take your security team and you pick up the newspaper and you look at the latest cyber breach and you say, how would we respond to this, right? You as a small business owner or a medium-sized business owner have to do that, you know? Get with your management, if you have management, or just sit down with your employees and go, how would we do this? 

Dave Bittner: Right. 

Joe Carrigan: You know, take five minutes and think about it. 

Dave Bittner: Right. 

Joe Carrigan: It's not a bad exercise to do at any level. 

Dave Bittner: Yeah. 

Joe Carrigan: Prevention is definitely the cheapest option. And, you know, that's - and Kurtis is 100% correct. That's the case in everything. It's the case in medical stuff. It's the case in cybersecurity. It's the case in just physical security and worrying about like - you know, it's a lot cheaper to make sure you lock your car at night than it is to try to get your car repaired after it's been stolen and taken for a joyride. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: Right. It's cheaper in time, money and effort. 

Dave Bittner: Yeah. 

Joe Carrigan: And peace of mind. 

Dave Bittner: Yeah. 

Joe Carrigan: When we're talking about legislation - legislation - I'm not sure that regulation helps small businesses. You and I have talked at length about the banking situation in our country. There aren't a lot of small banks anymore. 

Dave Bittner: Right. 

Joe Carrigan: And the reason there aren't a lot of small banks is because the regulatory burden placed on banks is great for these small banks, and they can't be competitive. 

Dave Bittner: Yeah. 

Joe Carrigan: Now, there are some small banks that are still around, and I generally like to use them because if one of those fails, it's not really a problem for the federal government and for the FDIC, right? But if a large bank fails, that might be a problem - right? - this concept of too big to fail. 

Dave Bittner: Yeah. 

Joe Carrigan: Because there's things that are too big to fail, I don't keep my money with those. That's just my personal choice. 

Dave Bittner: Right. 

Joe Carrigan: Right. Another great option is credit unions. You can use credit unions. 

Dave Bittner: Sure. 

Joe Carrigan: If you - if you're - you probably qualify for some credit union somewhere. Use that. You get a lot of great banking services at lower costs. 

Dave Bittner: Yeah. 

Joe Carrigan: But I digress, as I often do. So to get back to what Kurtis said, if you own a small business, you got to take cybersecurity seriously. You are a target. This is one of the things I - in my talks, I frequently say, yes, you are a target. Even if you're an individual, you're a target. Bad guys have a way of monetizing just about everything you have. They even now have ways of monetizing your cash by getting you to go buy Bitcoin. I can't think of a time in history when somebody could remotely scam you out of your cash. Now you can do it, right? So your best bet is to practice basic security hygiene, cybersecurity hygiene. 

Dave Bittner: Yeah. 

Joe Carrigan: Learn what that is, and do it. And the other thing is, it is OK to report this to law enforcement if you've been compromised. And Kurtis makes a comment in passing here that a lot of people don't want to do that because they think for some reason they're going to be the target of law enforcement after that. 

Dave Bittner: Yeah. 

Joe Carrigan: And I understand that. 

Dave Bittner: My conversations with the FBI say that's not true. 

Joe Carrigan: Right. 

Dave Bittner: And they're trying to be really clear about that. If you go to law enforcement - if you go to your local FBI field office - which, if you have something happen, you absolutely should do - this is not going to trigger an audit. 

Joe Carrigan: Right. 

Dave Bittner: You know, that's just not how it works. 

Joe Carrigan: Right. But I absolutely understand the fear of that. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, the government is a very large, multi-tentacled organism, you know, and from the small business person's perspective, they're there as an adversarial agent, not there to help. 

Dave Bittner: Yeah. 

Joe Carrigan: And, you know - and again, we're talking about the level of regulation, which - you know, I understand that we need regulation so that terrible things don't happen. But at the same point in time, it is - the small and medium-sized businesses are the ones that suffer the most for that. 

Dave Bittner: Yeah. And I really - this whole point about basic cyber hygiene I think is really important because I believe that you could take care of the vast majority of these issues by going through one of the large providers - let's say - just, like, your email, right? Go through one of the large providers, the Googles of the world, the Microsofts of the world. You know, pay them for a professional-grade account and use something like a YubiKey. Use a hard - some kind of hardware key, some kind of multifactor authentication. That gets you so far down the line... 

Joe Carrigan: It does. 

Dave Bittner: ...Of protecting yourself. 

Joe Carrigan: It really, really does. That is a great, great suggestion. 

Dave Bittner: And, you know, these folks are - they're - you're allowing their massive resources to do the heavy lifting. 

Joe Carrigan: Yep. Yep. 

Dave Bittner: Right. So, all right, well, again, our thanks to Kurtis Minder for joining us. It's always a pleasure to have him visit us here on the show. We do appreciate it. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.