Hacking Humans 2.23.23
Ep 233 | 2.23.23

Password managers and their benefits.

Transcript

Corie Wagner: People who do not use password managers are three times as likely to experience identity theft as those who properly use them.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Corie Wagner, senior industry analyst at Security.org, joins us to talk about their research on password managers. 

Dave Bittner: All right, Joe. Before we jump into our stories here, we've got quite a bit of follow-up this week. 

Joe Carrigan: Yes, we do. And this is going to be a password manager-centric show, although our first follow-up actually isn't a password manager follow-up. 

Dave Bittner: OK. 

Joe Carrigan: It's from Mitch, who wrote in about the gift card scam we talked about late last year, where bad guys put a bar code on top of the existing bar code so that you reload their gift card account instead of buying a gift card for someone you love and care about. 

Dave Bittner: Oh, right. Right. I remember that. 

Joe Carrigan: And Mitch writes in, hi, guys. Thanks for a great podcast. Regarding this particular scam, I had kind of heard of this before but didn't quite understand how it works, so it's great to understand that now. There is an easy mitigation, and some of the gift card makers are already using it. They are putting a tear strip over the bar code. So in order to activate it, you have to remove the tear strip. Then you can scan the bar code. If you then try to put it back on the shelf, the tear strip will either be missing or damaged. Since you have a clue that this particular card has been compromised - or it gives you a clue that this card has been compromised. It's probably not perfect because some guy is going to suspend - or spend the effort to glue the tear strip back together - probably a lot better than what's going on today. If people start gluing tear strips back together, then you can make it so it's like in one of those old price tags. You remember the price tag... 

Dave Bittner: Right, right, right. 

Joe Carrigan: ...For stores where they come apart? It was - always made gift giving so much easier. But you could tear the strip into little pieces and then make it harder to glue back together. Or if you're a bad guy, you can just print up a new strip with a bar code on it. 

Dave Bittner: Yeah. 

Joe Carrigan: This depends on somebody being aware that there is a - there's supposed to be a safety strip over top of the bar code. If you're not aware of that and you just see the bar code on there, then, you know, who knows... 

Dave Bittner: Yeah. 

Joe Carrigan: ...What you're going to get? 

Dave Bittner: Yeah. 

Joe Carrigan: I think the only solution here is maybe start securing the actual gift cards. Although, you know, why do you want to secure something that's technically worthless... 

Dave Bittner: Right. 

Joe Carrigan: ...Until you put money on it? 

Dave Bittner: Right. Yeah. And they don't want to slow down people's ability to buy them, either... 

Joe Carrigan: Right. 

Dave Bittner: ...You know? 

Joe Carrigan: Yeah. 

Dave Bittner: Put them behind glass. Yeah. 

Joe Carrigan: That's right. 

Dave Bittner: Yeah. 

Joe Carrigan: The next feedback is about password managers. It comes from Neville, who has written in before, and he says, dear Dave and Joe, the last episode of "Hacking Humans," you - there was mention of the pros and cons of having a cloud-based password manager versus a KeePass, and I'd like to share this with you. And he sent an article along about KeePass. There's a security researcher named Alex Hernandez who found a way to abuse the triggering system in KeePass. Now, I want to be clear, because last week or last time we were talking about this, I did say that I was using KeePass, but I'm actually not using KeePass. I'm using KeePassXC. 

Dave Bittner: OK. 

Joe Carrigan: I was - well, I was using that. I've actually gone back to using Password Safe because I did have to just eventually give in and install Windows on this machine that I was trying to run as a Linux machine and just settle for the Windows subsystem for Linux. 

Dave Bittner: You are a promiscuous password-manager user, Joe. 

Joe Carrigan: Yes. Yes, I am. And so now I'm back to using Password Safe, which doesn't have this feature. Also, what's key is that I don't think that Password - or KeePassXC has this feature either. The big difference is KeePass is written in C#, and KeePassXC is written, I think, in C++ and is portable to other operating systems if you recompile it. 

Dave Bittner: OK. 

Joe Carrigan: But the magazine article - PC Magazine article talks about Alex Hernandez's research, that he found a way that you could export the database of passwords with the trigger interface. And it didn't require you to log in to the system. The - you had to - in order to write a script, you just had to have access to the application on the computer. 

Dave Bittner: Back up a second here. 

Joe Carrigan: OK. 

Dave Bittner: What are we talking about when we're talking about a triggering system? I don't know what that is. 

Joe Carrigan: OK, so that's a good question, because I'm making a big assumption that everybody knows exactly what I'm talking about. But KeePass has what's called a triggering system where you can write scripts that do certain things with the data. 

Dave Bittner: OK. 

Joe Carrigan: OK? And there are triggers, or events, that can happen. And when one of those triggers fires, you can bind some code to that that performs a certain action. 

Dave Bittner: OK. 

Joe Carrigan: And in this case, what Alex found out was that you could bind code that just exports a - the entirety of your password - you know, your password database here and upload it to an external site. So essentially, if you - if someone compromises your system good enough to actually just get access to the file system... 

Dave Bittner: Right. 

Joe Carrigan: ...And write - and edit the scripts that are already there - there's already files that are there - they're just empty... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And then you can - they could enter this script that would upload your plaintext database of passwords out, resulting in a data breach of this. 

Dave Bittner: Oh. 

Joe Carrigan: KeePass developers said this is not a big deal because it - if somebody has that kind of access to your computer, you're already in trouble. There is... 

Dave Bittner: True. I guess what gives me pause is the fact that your passwords are in plaintext ever. 

Joe Carrigan: Right. Well, they have - when you do the export, you can put them into plaintext. 

Dave Bittner: Oh, I see. 

Joe Carrigan: A lot of password managers have this feature. 

Dave Bittner: I see. OK, I'm... 

Joe Carrigan: So... 

Dave Bittner: ...With you now. Yep, yep, yep. 

Joe Carrigan: ...You can back it up and keep it offline... 

Dave Bittner: Got you. 

Joe Carrigan: ...In storage so that if something ever happens to your password vault, whatever it is, or God forbid, you lose your YubiKey, what do... 

Dave Bittner: Right. 

Joe Carrigan: ...You do then, right? 

Dave Bittner: So it's a feature, not a bug. 

Joe Carrigan: It's a feature. But the triggering system - now, I - at the bottom of this article, there was a comment that says it looks like they did something to address this. I don't know what they did. I didn't have a lot of time to go in and look at it. But... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like I said, the KeePassXC system does not seem to have a triggering system built in. It just shows you the passwords. You can export your passwords with KeePassXC, as well, into plaintext... 

Dave Bittner: OK. 

Joe Carrigan: ...But you can't have that automated. 

Dave Bittner: All right. 

Joe Carrigan: And finally, Richard writes in about password managers. You want to read this one? 

Dave Bittner: Sure. He says, Hi, Dave and Joe. When it comes to password managers, Bitwarden is the only one I recommend to users for whom KeePass or KeePassXC might be a bit too technical, as it is open source. It also has a paid hosted cloud sync option, which is very inexpensive - $10 a year for a single user, more for enterprise stuff. This means they have the resources to do things like hire people to do third-party security audits and have a greater user interface. There is an option to host your own sync server. You can secure log in to Bitwarden with a hardware token on the paid version. There is a client on Linux for the real nerds, and they even - they once even implemented a feature that Richard recommended on their user forums. 

Joe Carrigan: Ah... 

Dave Bittner: So it seems like they're... 

Joe Carrigan: ...Well, that's a good enough reason to go with that. 

Dave Bittner: ...Responsive. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. OK. Very good. Certainly - I mean, Bitwarden is absolutely one of the better-known options out there. Yep. 

Joe Carrigan: Yeah. Bitwarden is an open-source password manager. The service that they're charging you for is for the hosting and things of that nature... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And the integration and the other features of using, like, a FIDO Alliance key, or whatever it is... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To authenticate - definitely worth it if you want to pay 10 bucks a year for that. I would definitely do it. 

Dave Bittner: All right. Well, thank you, Richard, for sending that in to us and to all of our listeners who send us stuff. We'd love to hear from you. Our email address is hackinghumans@thecyberwire.com. All right. Let's move on to our stories here. I am going to start things off for us. 

Joe Carrigan: OK. 

Dave Bittner: I've got a story from Dark Reading. This is written by Jonathan Watson. He's chief technology officer at a company called Clio. And it's titled, "Are Your Employees Thinking Critically About Their Online Behaviors?" And what this comes down to... 

Joe Carrigan: Wait, I know the answer to the headline question, Dave. 

(LAUGHTER) 

Dave Bittner: OK, OK. Don't - spoiler alert, Joe... 

Joe Carrigan: Right (laughter). 

Dave Bittner: ...Spoiler alert. Yeah. Nothing gets by you, Joe (laughter). 

Joe Carrigan: Right. That's right. I'm a very astute reader of headlines. 

Dave Bittner: Yes, indeed. And really, what this comes down to, I think, is whether or not - the degree to which everyone in your organization is on board with the things that they should be doing to support security. 

Joe Carrigan: Right. 

Dave Bittner: And this article points out three mindset shifts to start with. And the first one is, understand data's fundamental value. 

Joe Carrigan: Right. 

Dave Bittner: The second one is, act with intention. And the third is, follow data best practices no matter the context. 

Joe Carrigan: Yeah. 

Dave Bittner: So here's what I want to talk about with you. I think people come at this, in general, from a high level, from two different points of view. There are the people who are 100% on board, or some degree of being - maybe it's unfair of me to say 100%... 

Joe Carrigan: Right. 

Dave Bittner: ...But there are people who are on board. 

Joe Carrigan: Right. 

Dave Bittner: And they believe that they have to be part of the solution here. 

Joe Carrigan: Yes. 

Dave Bittner: And then there are the folks who say, that's not my problem... 

Joe Carrigan: Yes. 

Dave Bittner: ...I've got enough to do here in my job, and that's not my problem. 

Joe Carrigan: Right. Yep. 

Dave Bittner: I think about it kind of like if you work in a retail establishment, what is your responsibility to help cut down on shoplifting, you know? There - in other words, you know, you're sitting behind the cash register at the electronics store, somebody comes in and grabs a VCR off the shelf - I'm dating myself. 

(LAUGHTER) 

Dave Bittner: Somebody comes in... 

Joe Carrigan: If they grab a VCR, you go, just take it. 

Dave Bittner: Yeah, exactly. 

Joe Carrigan: You want some more VCRs? We got a box of them in the back. 

Dave Bittner: Right, right. And on the shelf next to it is a time machine. 

Joe Carrigan: Right. 

Dave Bittner: So they grab a VCR, and they tuck a fax machine under their other arm... 

Joe Carrigan: Right. 

Dave Bittner: ...And they head out of the store, is it your job to say, hey, stop, come back? Is it your job to call the security people? Or is it not your job at all? Why risk your own safety for someone who might be a dangerous person to stop? And I'm just curious what your thoughts are here, Joe. 

Joe Carrigan: Yeah. 

Dave Bittner: When it comes to cybersecurity, where do we stand with that? Where should we stand with that? 

Joe Carrigan: So your analogy is a pretty good one. In - I did some moonlighting at Best Buy at one point in time. 

Dave Bittner: OK. 

Joe Carrigan: And Best Buy has their own inventory control people. They're the people in the yellow shirts when you walk into the Best Buy that are sitting there. 

Dave Bittner: Right. They say, hello, welcome to Best Buy. 

Joe Carrigan: Right. Hello, welcome to Best Buy... 

Dave Bittner: Please don't steal anything. 

Joe Carrigan: ...We're watching you. Don't steal anything. 

Dave Bittner: (Laughter) Right... 

Joe Carrigan: Right. 

Dave Bittner: ...Right. 

Joe Carrigan: And they're loss prevention. And in order for you to have a store that can offer decent prices, you're going to need to have some manner of loss prevention, or you're going to have to accept the loss. That just leads to higher prices. And that is bad for business, right? 

Dave Bittner: Sure. Yeah. 

Joe Carrigan: So in - when we were there, we were told, you are not to intercept anybody. That is not your job. That is loss prevention's job. They're trained to handle that. But your job is, indeed, if you see someone suspicious, to notify loss prevention. 

Dave Bittner: Ah. 

Joe Carrigan: Right? So there is a clear delineation here. And I think your analogy holds up here. There are some things that are your responsibility, and there are some things that are not your responsibility. So as a normal employee, it is your responsibility to be vigilant, to watch out for things like credential harvesting... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Those things - there's - or to notify somebody that that's happening, if you see it, or to report spam or phishing emails. Although, we had a story recently that said something like 80% of those reports are false positives, right? People think they're phishing emails, and they're not. 

Dave Bittner: Yeah. And I think with your report - or last week, you were talking about how, like, less than 2% of employees report suspicious things. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: It's incumbent upon employees to report suspicious things to the security team. It's incumbent on the company to do a couple of things, number one, have a way for employees to do that and socialize that throughout the company and, number two, create a business culture where people care about it. I've said this before, that if you induce apathy in your employees, that's going to be really, really dangerous, particularly when it comes to cybersecurity stuff. They're going to be like, I just don't care. 

Dave Bittner: Yeah. 

Joe Carrigan: And I think that might be even more dangerous than having malicious actors inside. You know, if you have - 'cause your malicious actors are going to be few and far between, but people that don't care, you can make that across the organization. 

Dave Bittner: Right. 

Joe Carrigan: Bad idea. 

Dave Bittner: Yeah. I also think it's really important to communicate this to your employees... 

Joe Carrigan: Agree. 

Dave Bittner: ...And not just what you need to do but why. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, I had a situation, actually, with - here at CyberWire, where, you know, we had to do some security-awareness training. And I'll be honest, I sort of rolled my eyes about it, and I was like, oh, like, I kind of know this stuff (laughter). 

Joe Carrigan: Yeah. Do you know who I am? I'm Dave Bittner. 

Dave Bittner: Well, I mean, but, you know, not only that, but, you know, I host a show about this. 

Joe Carrigan: Right. 

Dave Bittner: So, yes, perhaps I was taking myself a little bit too seriously. But, you know, again, I'm busy. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, I didn't want to take the time to do this. So I asked, is there any way I can, you know, be exempt from this? I think I'm kind of - I think, of the folks who work here, I might be in the top percent of people who are up to speed on this. 

Joe Carrigan: Yes. 

Dave Bittner: But it was explained to me that part of the reason why we do this is to - in addition to training people and for awareness - it's so that we can say, as an organization, everyone is trained on this. 

Joe Carrigan: Yes. 

Dave Bittner: So if there is a problem, we can say that. You know, everyone in our organization has done this and has passed the test. So as an organization, we are compliant. 

Joe Carrigan: Right. 

Dave Bittner: So... 

Joe Carrigan: I think that's important. 

Dave Bittner: ...I hadn't considered that part of it. And when that was explained to me, I said, OK, yeah, that makes sense. So it's worth my time to contribute to the team, the greater good of the whole organization, and go ahead and take that training. 

Joe Carrigan: Right. 

Dave Bittner: And I was fine with that, right? It didn't seem like such a pain anymore. So I think that is an important part of this. People want to know why they should do something and not just be told, you got to do this because, you know... 

Joe Carrigan: Yeah. 

Dave Bittner: ...It's what we do, and it's the way we do it, and - you know? 

Joe Carrigan: Yeah. That is a big change, especially for a lot of older workers. In the workplace, they have grown up with, do this, and their response is, OK, right? And... 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: ...You know, you and I, when we were in - you know, our first jobs were very much like that, right? 

Dave Bittner: Sure. 

Joe Carrigan: And now we have younger people who, when they were being brought up, their parents would say, do this, and they'd say, why? And their parents would answer the question - right? - honestly. And that - frankly, that's the way I raise my kids. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? They would ask a question, and I'd - they'd say - or I'd say, do this. They'd say, why? And I - sometimes I'd just say, just because I told you, and we'll explain later. But you need to do it now. But many times... 

Dave Bittner: Don't make me get my belt (laughter). 

Joe Carrigan: Right. No. No, never did that. Many times - most of the time, I would take the time to explain why. 

Dave Bittner: Yeah. 

Joe Carrigan: And the - and that's the way a lot of people are brought up. Additionally, by explaining why, I found that I got a lot more buy-in from my kids. Like, for example, I remember when my daughter was very young, we were talking about - she was - time for her vaccinations. I said, we're going to go in here, and we're going to get you some shots. She said, I don't want a shot. And I said, do you want to get a terrible disease that may kill you in a very slow and painful way? And she said, no. I said, well, the vaccination will prevent that from happening. 

Dave Bittner: Right. 

Joe Carrigan: And she said, OK, right? 

Dave Bittner: Yeah. 

Joe Carrigan: So, I mean, by explaining that to her, I got buy-in. Now, I don't mean to compare employees to children. I mean, it's not the same thing. 

Dave Bittner: No. 

Joe Carrigan: But it's human nature to need to understand the reasoning behind an action. 

Dave Bittner: Right. What's the value proposition? 

Joe Carrigan: What's - right, exactly. Why am I doing this? 

Dave Bittner: Yeah. 

Joe Carrigan: Does this have any value? Is it worth my time to do it? 

Dave Bittner: Yeah. 

Joe Carrigan: Like, exactly what you were saying - is it worth Dave Bittner's time to sit down and take the social engineering course, when Dave Bittner and Joe Carrigan sit down every week and have an in-depth discussion on social engineering tactics? 

Dave Bittner: (Laughter) Right, right. Exactly. 

Joe Carrigan: Right. So, yeah, it's worth it. So do the training, and here's why. 

Dave Bittner: Yeah. Yeah. There's another thing that this article points out. It says security theater distracts from steady improvements. 

Joe Carrigan: Yeah. I'll agree with that. 

Dave Bittner: And it says security theater is - they say it's a set of rules or guidelines that offer the appearance of security, but don't guarantee it. And I think that's a good point to hear, because I think when you have security theater and people recognize it as being such, it's frustrating. 

Joe Carrigan: I'll give you a great example of security theater that I experienced - or was talking to my son about yesterday. 

Dave Bittner: Yeah. 

Joe Carrigan: Is when you go to a financial website and they say to you, your username cannot be the same as your email username or cannot contain the same kind of - you know, if you're - we're going to have a different username so - than your email is, right? 

Dave Bittner: Right. Sure. 

Joe Carrigan: So - or your username must contain a digit... 

Dave Bittner: OK. 

Joe Carrigan: ...Because that makes it harder to guess. 

Dave Bittner: Yeah. 

Joe Carrigan: That is security theater. And the reason that's security theater is because, if the data gets breached, the username is always going to be in plain text. 

Dave Bittner: Yeah. 

Joe Carrigan: It doesn't matter that you've made my username more complex for me, it's going to be in plain - it's - yeah. OK. Maybe it's harder for someone to guess what it is if they don't know it, but if they breach it, they're going to guess. 

Dave Bittner: Yeah. 

Joe Carrigan: They're going to know. They're not going to guess; they're going to know. 

Dave Bittner: Yeah. So I think as leaders, as people who are making these policies in the organizations, you just need to be mindful that you're not doing - that you're not having these security theater - these - what we - sometimes I think you refer to it as - or we've referred to it as, you know, check-box... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Security... 

Joe Carrigan: Yeah. That's... 

Dave Bittner: I agree - when we're compliant. 

Joe Carrigan: Some of that will make you more secure. Some of it won't. You know... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You really have to consider the motivation behind things. 

Dave Bittner: Right. Right. But I think the overarching thesis of this article is quite good, which is, you know, encourage critical thinking in your employees. But if - when you do that, you have to expect that they are going to think critically... 

Joe Carrigan: Right. 

Dave Bittner: ...Which means you have to have good answers and explanations for why you're doing the things that you do. And you need to welcome those questions. 

Joe Carrigan: Right. And one of the best ways to get in - get buy-in is, when you explain your reasoning, follow that up with, that's why we're doing it, and that's the reasoning. Now, if you have a better idea, I am all ears. Let's discuss it, because maybe you do have a better idea... 

Dave Bittner: Right. Right. 

Joe Carrigan: ...And we should be discussing it. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: If your better idea is, well, let's just not do that, no. 

(LAUGHTER) 

Joe Carrigan: That's - you - we're going to discuss this seriously. 

Dave Bittner: Yeah. Yeah. All right. Well, that is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story actually comes from the FTC. 

Dave Bittner: OK. 

Joe Carrigan: That's the Federal Trade Commission, here in the United States. 

Dave Bittner: Yeah. 

Joe Carrigan: And the title of this is "New FTC Data Reveals Top Lies Told by Romance Scammers." 

Dave Bittner: Oh. 

Joe Carrigan: So the FTC has gone through, I think, 8,070 reports in 2022. And, Dave, you're not looking at the article yet, are you? 

Dave Bittner: No, I'm not. No. 

Joe Carrigan: OK, good. Let's play the game we always like to play... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...With these things... 

Dave Bittner: OK. 

Joe Carrigan: ...What do you think is the No. 1 lie told by romance scammers when they're trying to get money out of the person they've been talking to for a long time? 

Dave Bittner: The No. 1 thing is I love you. 

Joe Carrigan: Ah. OK. 

Dave Bittner: (Laughter). 

Joe Carrigan: Yeah. That - I think that's on here... 

Dave Bittner: OK. 

Joe Carrigan: ...Somewhere. 

Dave Bittner: I'll tell you, the other one I thought of was, I want to travel to see you, but for some reason, I cannot afford the tickets with which to do so. 

Joe Carrigan: That's interesting. I would have thought that would have been a pretty high one up here. But that's not even on the list. 

Dave Bittner: Really? 

Joe Carrigan: It's not. 

Dave Bittner: OK. 

Joe Carrigan: The No. 1 lie is, I, or someone close to me, is sick, hurt or in jail. 

Dave Bittner: Oh. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. OK. Sure. 

Joe Carrigan: So that is - 24% of these events contained a lie like that. No. 2 - and this is interesting. It's actually tied for No. 2, 3, 4. But the first one here is, I can teach you how to invest, right? 

Dave Bittner: Of course. 

Joe Carrigan: And we've talked about pig butchering... 

Dave Bittner: Right. 

Joe Carrigan: ...On this show, and that's what this is. This is an opening to a pig-butchering scam. 

Dave Bittner: Right. Romance plus greed... 

Joe Carrigan: Right. 

Dave Bittner: ...Equals profit. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: And these are devastating attacks when they're successful. People have lost all of their money to these things because of the nature of these attacks. They actually go through the process and actually give you some money back. They actually take a loss initially because they think they're going to get more money. And when they do get more money, they get a lot more money. It's remarkably - remarkable how good this is. 

Dave Bittner: Yeah. 

Joe Carrigan: Number - also tied for No. 2, at 18%, is, I'm in the military far away. That's... 

Dave Bittner: OK. 

Joe Carrigan: ...A common lie... 

Dave Bittner: Yeah. Yeah. I would have - I - that would have been on my list... 

Joe Carrigan: I've seen... 

Dave Bittner: ...For sure. 

Joe Carrigan: ...That one come through with - on my wife's account. She says, oh, look, here's another military guy who says he's stationed overseas. I need help with an important delivery. 

Dave Bittner: Oh. 

Joe Carrigan: Now, this is interesting. It's going to tie into our Catch of the Day. But it is - you know, this is just setting - this is just using romance to set somebody up as a mule. 

Dave Bittner: Yeah. 

Joe Carrigan: We've never met, but let's talk about marriage. This is the one I was... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Thinking of. Twelve percent. Let's talk about getting married, even though we've... 

Dave Bittner: Wow. 

Joe Carrigan: ...Never met. This is one of the ones where I have no understanding of why people fall for this. I get that they do, and I guess I know why they do, because it has to do with the loneliness and now you have... 

Dave Bittner: Right. 

Joe Carrigan: ...Someone that - but it's just something that would absolute - this is one I would be impervious to, right? You know, I often talk about the ones I'd be vulnerable to. This is not one of those. 

Dave Bittner: Yeah. I think it's hard to imagine or understand the depths of sadness and loneliness that some folks have out there... 

Joe Carrigan: Yeah. 

Dave Bittner: ...And it can seem like a lifeline. 

Joe Carrigan: It absolutely can. 

Dave Bittner: Yeah. 

Joe Carrigan: And I have empathy for these people. I'm just saying that this is not something that - I don't think this is something - I mean, who knows? 

Dave Bittner: Yeah. 

Joe Carrigan: You know, my current position is... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...I'm a happily married man. 

Dave Bittner: Right. 

Joe Carrigan: So maybe I'm lacking empathy because of my current position. 

Dave Bittner: Yeah. 

Joe Carrigan: I've come into some money or gold. 

Dave Bittner: Ah. 

Joe Carrigan: Hey, now I need your help to ship it, right? Gold's very heavy, right? 

Dave Bittner: That's right. 

Joe Carrigan: So I need your help shipping it. I'm on an oil rig or a ship, right? On an oil rig, I understand how you're sending email or communicating. But on a ship? Do those things have a - I mean, I've talked to people who've been on cruises. This is a luxury... 

Dave Bittner: Yeah, I mean... 

Joe Carrigan: ...Line. 

Dave Bittner: ...They do now. 

Joe Carrigan: You can't... 

Dave Bittner: Sure. I think - I know - for example, sailors have access to email... 

Joe Carrigan: Yeah. 

Dave Bittner: ...When they're out at sea, so... 

Joe Carrigan: Well, that's true. 

Dave Bittner: Yeah. 

Joe Carrigan: That's the - yeah, that's - well, OK, that's a good example. I'm on a ship. Maybe I'm a - maybe another military person. 

Dave Bittner: Right. 

Joe Carrigan: And number - the last one listed here at 3% is you can trust me with your private pictures. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: OK. Sure. Joe, I don't trust you with my private pictures (laughter). 

Joe Carrigan: Right. Of course not. 

Dave Bittner: First of all, I don't take private pictures (laughter). 

Joe Carrigan: Yeah. The article then goes on to talk about - no, I don't either. And you know what? I've always - I've - you know, it was one of the things I hammered into my kids when I gave them the cellphone, right? 

Dave Bittner: Oh, yeah. 

Joe Carrigan: I said look... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Don't even think about doing this. 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: Don't - yeah. You're - they're going to lie to you. 

Dave Bittner: Yeah. 

Joe Carrigan: They're going to - and I hope that everything was - that, you know, I don't really know if... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, there may have been exchanges that I don't... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Know about. 

Dave Bittner: Yeah. It's hard. 

Joe Carrigan: But I'd like to think I know. And I'm going to continue... 

Dave Bittner: So much peer pressure with that stuff these days. 

Joe Carrigan: Yeah, absolutely. 

Dave Bittner: Yep. Glad we didn't have that. 

Joe Carrigan: Yeah. You don't - you do not want your picture showing up on 4chan. 

Dave Bittner: There you go. 

Joe Carrigan: Trust me. 

Dave Bittner: Yeah. 

Joe Carrigan: But the article goes on to spotlight one of these schemes using this technique - you can trust me with your private pictures. The romance scammers then use sextortion where they - after you've shared these pictures, they threaten to expose them. 

Dave Bittner: Right. 

Joe Carrigan: And the report notes an increase of more than eightfold in the past three years of this tactic, with customers ages 18 to 29 being six times more likely than older customers to report this kind of - this form of romance scam. So it looks like this is one of those scams that younger people are more susceptible to. And I think that stems from just a general lack of experience. Maybe you've exchanged risqué photos in the past with no consequences... 

Dave Bittner: Right. 

Joe Carrigan: ...And now you're going to continue along this path with somebody you just met online. And - but once this happens to you or once you see this happen to a couple of people, you gain that experience and you never do that again. 

Dave Bittner: Right. The cynicism of life has not... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Yet set in for these people (laughter). 

Joe Carrigan: Yeah. I think that's why people 18 to 29 are six times more likely. And I'll bet if you broke that down, that really skews to the younger side. 

Dave Bittner: Interesting. 

Joe Carrigan: I would like to see that information. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a pretty short article. We dragged it out long, but it's - you know, it's a good read. It's interesting. 

Dave Bittner: Yeah. 

Joe Carrigan: I love data. I love looking at graphs and... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Talking about them. 

Dave Bittner: All right. Good stuff. Well, we will have links to all of our stories in our show notes. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Gordy. 

Dave Bittner: All right. It says, the Catch of the Day is an email... 

Joe Carrigan: Right. 

Dave Bittner: ...And it starts off and it says, we've studied your resume and our team choose to invite you to join the employment procedure at our swiftly growing company. The job role title is a quality-level control associate at PS Group LLC. Career specifications - professional, U.S. citizen only, passionate and supportive, concentrated on targets. Basic skills - using MS Office programs, capability to carry deliveries weighing, at most, 30 pounds. The role chores are inspecting packages to determine whether they match the enclosed packaging slips, generating reports on a daily basis, saving data in regards to shipments, obtaining and mailing mail. You'll be receiving packages, examining all of them and ensuring its content is undamaged. Then the shipments must be transferred to the client. If you desire to send the application, please remember to respond to this email with your contact number. The team associate from our HR department will get back to you at the earliest possible convenience to schedule a job interview with you. We will be really glad if you are prepared to take this proposal. 

Joe Carrigan: Basically this email just says, hey, Gordy, would you like to be a package mule for our criminal enterprise? 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: That's right. 

Joe Carrigan: I think this is actually - there may actually be HR people on the other end of this email from a criminal enterprise looking for you to be a package mule. I think if you respond to this, you're going to get roped into that. That's what I think is going on here. 

Dave Bittner: Just real quick, a package mule is? 

Joe Carrigan: A package mule - so here's how this works. We talked about this, I think last week or a couple of weeks ago... 

Dave Bittner: Yeah. 

Joe Carrigan: ...With the scams of moving packages - or going up to - being like - it's kind of like being a porch pirate, except there's fraud involved in terms of you're not just going up and stealing packages... 

Dave Bittner: Yeah. 

Joe Carrigan: ...These people know where a package is going to be delivered and they tell you to go to the place. You pick it up and then you bring it back. You open it and then you re-deliver it out to some other place, usually out of the country. 

Dave Bittner: Right. 

Joe Carrigan: So, yeah, you're part of a criminal enterprise stealing stuff from companies like Amazon or maybe even smaller businesses. 

Dave Bittner: Yeah. 

Joe Carrigan: But they're using fraud to purchase things. Then they have to have legs in the U.S. to go and get the packages. 

Dave Bittner: All right. Well, our thanks to Gordy for sending that in. Again, we would love to hear from you. If there's something you'd like us to consider for our Catch of the Day, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Corie Wagner, a senior industry analyst at Security.org, and our conversation centers on password managers. 

Joe Carrigan: More about password managers. 

Dave Bittner: Here's my conversation with Corie Wagner. 

Corie Wagner: So at Security.org, we want to make sure our readers have as much information as possible to make the decisions they need to to protect themselves online. Part of that is making sure they have information about their digital security. And password managers are a really important practice that we encourage everyone to use as part of their online safety strategy. They're very essential for protecting your data online, but consumers haven't fully embraced them yet. So part of the reason why we do this study is to educate people on the effectiveness of password managers and their simplicity. So this is our second annual study we've conducted. They're nationally representative, and we just found out, basically, how Americans perceive these tools and how they are employing them to keep themselves safe online. 

Dave Bittner: Well, so let's dig into some of the things that you all shared here. I mean, what are - what's the state of things in terms of use of password managers? How many folks are on board these days? 

Corie Wagner: Absolutely. So this year over last year, it's a very similar rate. About 21% of Americans are using password managers to protect their credentials. This is as many as 45 million Americans. So it's, you know, pretty decent market saturation. But, of course, many more people might benefit from these tools as well. 

Dave Bittner: And what do we suppose is keeping people from taking this up? 

Corie Wagner: So some of the main reasons people aren't using these tools is because they're not even sure that they need one. So they might not understand exactly how they work or what they might protect people from. Other people felt that they might not be secure. And that is a reasonable thing to think, especially because, in the past year, we have heard about major password manager companies having data breaches. So that might have definitely influenced why some people are still not adopting these tools - very high-profile breaches, from LastPass in particular. That's a really popular tool. So that might have gotten the attention of a lot of nonusers. 

Corie Wagner: And then other people have felt the cost was just too much for them, or they felt they were too hard to set up. So those two reasons are also probably attributable to a lack of knowledge about the product - because they can be free, and they can also be really easy to use. They're often built into your browser or built into your actual device. So those are a few of the main reasons why people aren't using them. 

Dave Bittner: And what are we seeing in terms of people's general relationship with their passwords? You know, are they improving? Are people still reusing passwords as much as they used to? Or are we seeing that trend in a good direction? 

Corie Wagner: Unfortunately, we're not seeing a great direction in terms of best practices for passwords. The No. 1 most common way people are keeping track of their passwords online still is just pure memorization, followed by writing them down on a piece of paper. So if you have passwords that you're memorizing, writing down, they're probably not going to be very complex passwords. They're going to be really simple. So that also is extremely risky. 

Corie Wagner: Like I said before, only about 1 in 5 people are using password managers. And those are really great because you can generate these complex, unique passwords that are really hard to guess that would take, you know, many millions of years for someone to guess it using a computer program. So, yeah, it's not trending in a great direction. And we also found, unfortunately, that people who don't use password managers are experiencing identity theft at a much higher rate. So that's another reason for people to maybe consider using these tools. In fact, yeah, I can tell you exactly. People who do not use password managers are three times as likely to experience identity theft as those who properly use them. 

Dave Bittner: And what about mobile versus desktop here? You tracked a difference in adoption rate between those two types of users, yes? 

Corie Wagner: Yes. So that was actually really interesting. We found that, this year, the mobile usage actually surpassed the desktop usage. That was surprising to me because the first place I ever used a password manager was on my computer, like, my personal computer, and I adopted it on my mobile phone a lot later. So I figured maybe that would be the same for others as well. But, you know, we need to log on to just as many accounts on our phones these days as on our personal computer. So it would make sense that, you know, more and more people are also using password manager apps on their mobile phone. Eighty-four percent of people this year said that they have a password manager app on their smartphone. 

Dave Bittner: And what about the major providers here? I mean, I'm thinking of, you know, companies like 1Password or LastPass and - are they continuing to lead the way here? 

Corie Wagner: So unfortunately, there was a - quite a big change this year over last year. LastPass, like I mentioned, dropped from the No. 1 password manager down to the fourth in our study. And like I mentioned before, they did have a widely publicized breach, not once but twice in the past 12 months. So that definitely could have caused the company to lose favor with consumers and probably diminish trust. You're putting your most essential information into these tools, so you need to know that they're going to be secure, and no one is going to be able to access that information. So that definitely caused a change in our rankings this year. Overall, the most popular tools this year are Google Password Manager and the iCloud password manager. Those are built into either Google Chrome or built into the iPhone. So these native tools are really popular just because they're free, and they also don't require any additional downloads. They're just easy to use, built right into your device or built into your browser. 

Dave Bittner: Did you all track any statistics of people using these at work versus using them in their personal lives? 

Corie Wagner: Yes, we did. About 50% of people only use them for their personal information and then the other half use them for either work only or work and personal use. 

Dave Bittner: And what do you think it's going to take here? I mean, what are your recommendations for folks to better implement these, to get more people using these password managers? 

Corie Wagner: Absolutely. So as bad actors harness technology to steal people's identity and to conduct data breaches, I think it's important for us, as individuals, to also remember that we can use technology to fight against these kind of attacks. There's really nothing to lose in trying out a password manager. Like I said, they can be free, can be built in already. You don't have to spend any extra money. I would encourage people, if they are interested in using a tool like this, to educate themselves about the benefits, how they work and also definitely encourage people to protect their master password. Yeah, there's absolutely nothing to lose in giving it a try. And you might even find that your information is safer than it has been before. And you could also avoid, you know, an identity theft incident in the next 12 months. These are becoming more and more common. This is not something that's going away. So people really should be looking into as many strategies as possible, as many tools as possible to protect their digital information. 

Dave Bittner: Yeah, I don't know what your experience has been like, but for me, when I started using a password manager, you know, I think I went through that little bit of resistance that most people do when they're trying something new. But once I got into the habit of using it, I never want to go without it. It really does make things easier in the long run. 

Corie Wagner: Oh, I totally agree. So the No. 1 reason people adopted password managers in our study was simply because they had too many passwords to just keep track of in their memory or on a piece of paper. It wasn't even for the safety benefits or the data security benefits; it was just to not have to memorize all of these codes. So, yeah, once you try it out, you might find that it's just so much easier not to have to memorize every single account. A lot of us these days have so many online, you know, accounts - your bank, your car payment, your social media accounts. It is way too many. So, yeah, that's absolutely a benefit that people should not ignore. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: You and I agreed a couple weeks ago that despite these breaches, we're still on team password manager... 

Dave Bittner: Yes. 

Joe Carrigan: ...Right? So... 

Dave Bittner: For sure. 

Joe Carrigan: ...LastPass - was it LastPass? Yeah. 

Dave Bittner: LastPass was the one in the news lately, yeah... 

Joe Carrigan: Right. For having... 

Dave Bittner: ...For having the big breach. 

Joe Carrigan: ...Two breaches in the past 12 months. 

Dave Bittner: Yep. Yep. 

Joe Carrigan: Hey. 

Dave Bittner: Yeah. 

Joe Carrigan: Twenty-one percent of Americans now use a password manager. That is up. I seem to remember a single digit number not too long ago. Do you remember that? 

Dave Bittner: I don't recall specifically, but it wouldn't surprise me that it's on the way up. I think, certainly, there's more awareness. 

Joe Carrigan: People are listening to us, Dave. 

Dave Bittner: That's right. 

Joe Carrigan: It's all because of us. 

Dave Bittner: That's true. 

Joe Carrigan: Why do people not use a password manager? They don't know they need them. 

Dave Bittner: Yeah. 

Joe Carrigan: The idea of password re-use is not a security threat to a lot of people. They're like, my password is pretty well-protected. And that's all well and good until you come across the poorly developed website that has not encrypted your password or hashed your password... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? And it's just storing it in plain text. That has happened in the past. Hopefully that doesn't happen very much anymore. But if I had to hazard a guess, I would say it happens. 

Dave Bittner: Yeah, of course. Yeah. 

Joe Carrigan: It's out there. So when Corie is talking about people that write down their passwords, the weakness there is if you're not using a good way to generate those passwords. So there is the XKCD where you - cartoon where you can pick four words that make a password. That's a pretty good technique. And if you're writing those down in a book and keeping that book in a secure location, I still don't have that much of a problem with that. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, it's not the best solution, but nobody's ever going to hack that book remotely... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? It's still a good solution. 

Dave Bittner: It's a totally viable solution for some people. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Right. Some people might not be using password managers because they are - they have a cost associated with them, and they're difficult to get set up. 

Dave Bittner: Yeah. 

Joe Carrigan: There's a learning curve with them. And there is a little bit of a learning curve. 

Dave Bittner: That's true. 

Joe Carrigan: It's not debilitating, though. It's a minimal learning curve. 

Dave Bittner: No. And I would make the point that, once you have gotten over that hump... 

Joe Carrigan: Yeah. 

Dave Bittner: ...I think, for most people, you'll wonder how you lived without it. 

Joe Carrigan: Right. It's a thing that we say frequently on this show. 

Dave Bittner: Yeah. 

Joe Carrigan: We have no idea - I have absolutely no idea how I didn't live with a password manager before. 

Dave Bittner: Right. 

Joe Carrigan: Going back to the notebook - the one thing I would recommend you not do is keep an Excel spreadsheet with your passwords... 

Dave Bittner: Ah, right. 

Joe Carrigan: ...Which I was actually guilty of in the early 2000s. So don't - I didn't actually keep the passwords in them. I just kept what - you know, notes about which password it was. 

Dave Bittner: Oh, OK (laughter). 

Joe Carrigan: You know, 'cause I was reusing passwords... 

Dave Bittner: Right. 

Joe Carrigan: ...Until I got Password Safe. 

Dave Bittner: Right. They were buried in your front yard under a rock, on a piece of parchment. And you had... 

Joe Carrigan: Right. No, I'd just say... 

Dave Bittner: ...Secret code of where to... 

Joe Carrigan: ...This password is your standard password. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: This password - you know? 

Dave Bittner: Yeah. 

Joe Carrigan: But use a password manager so you can have independent passwords for every site. 

Dave Bittner: Right. And back then, you had a standard password, right? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: And, of course, now you don't. 

Joe Carrigan: People - no, I don't, but there are people out there that still do. 

Dave Bittner: Yeah. Oh, I did, too. I think most of us did. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: There has been no - what's interesting here is that Corie talks - there has been no improvement in password practices of people. So if you're - you know, if you're not using a password manager, I guess that would - that's, first, an improvement - letting the password manager generate your password and remember it for you. 

Dave Bittner: Right. 

Joe Carrigan: But if you're not using a password manager, then people are still doing the same thing they've always been doing, right? Using - reusing passwords, changing a digit - one digit - incrementing it by one to get to the next password... 

Dave Bittner: Right. 

Joe Carrigan: ...Those kind of things. It's interesting that ID theft is so much higher if you don't use a password manager because - and the reason is because you're - if you're reusing passwords, it's easy to guess your password on other accounts. And that's just - if they breach one site, they're going to breach a lot more sites. 

Dave Bittner: Yeah. 

Joe Carrigan: It's an interesting - there used to be a Twitter bot that would tell you when there were password dumps made to Pastebin, but they shut it down, which was a great site or a great bot, rather - a good security-minded bot. But they - it violated the hacked - what? - the hacked content policy of Twitter - pretty clearly violated that. Mobile use has now surpassed desktop usage. That's interesting. My wife uses the mobile password manager from Microsoft. 

Dave Bittner: Mmm hmm. Yeah, yeah. 

Joe Carrigan: She stores it in there. Or maybe it's Google - I don't know. But she uses it. And 84% of people have a password manager on their phone. That's wonderful. Good news. 

Dave Bittner: Yeah. iOS has one built in. 

Joe Carrigan: Yep. 

Dave Bittner: It's quite good, yeah. 

Joe Carrigan: The fact that LastPass has fallen from No. 1 to No. 4 shows that people who use password managers pay attention. So I really think that's interesting. It may also have something to do with the fact that all the password managers on your phone - like the Google password manager, the Microsoft Authenticator password manager and the iOS password manager - they're all free. 

Dave Bittner: Yeah. 

Joe Carrigan: You don't pay anything for that. 

Dave Bittner: Right. 

Joe Carrigan: And you get that - so I think those business models might be going away. So, you know, take that for whatever it's worth. 

Dave Bittner: Well, and a lot of - you know, we've talked here where there's a serious, concerted effort to move away from passwords altogether. 

Joe Carrigan: Yeah, absolutely. And that's - you know, there is going to be some kind of key management system that takes over and replaces passwords. 

Dave Bittner: Right. 

Joe Carrigan: And hopefully - and the big challenge there is making that usable. So, you know, usable security is good security. Interesting about the - some people - you know, the statistics - I can't remember what she said about the breakdown for numbers, but some people use password managers for home and work. I would absolutely recommend everybody do it for both. 

Dave Bittner: Yeah. 

Joe Carrigan: Something I've started doing is keeping two separate files so that, when I'm done with a job, I can just say, OK, I can get - this file of password manager - just archive that or get rid of it. 

Dave Bittner: Right. 

Joe Carrigan: And then I don't have to destroy all - or go through and remove thing - I just don't have to worry about it. 

Dave Bittner: Yeah. And if you - or if something went, you know, wrong at work - you and your employer parted ways - they could cut off access from your password manager if you were commingling your personal stuff... 

Joe Carrigan: Right, right. 

Dave Bittner: ...With your work thing, which, of course, you know, generally, you should not do, but... 

Joe Carrigan: Right. 

Dave Bittner: ...Lots of people probably still do it. 

Joe Carrigan: It's a good idea not to commingle your stuff. Yeah. 

Dave Bittner: Then you could be cut off from personal things... 

Joe Carrigan: Yep. 

Dave Bittner: ...Because you won't have access to that password manager anymore. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: That's a good point - one that I hadn't even considered. 

Dave Bittner: All right. Well, our thanks again to Corie Wagner from Security.org for joining us. We do appreciate you taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.