Changing the face of identity.
Eric Olden: Now, as a universal approach, we can all agree there's a time and a place that's gone, which is where passwords were effective. And now we need to replace it with stronger authentication.
Dave Bittner: Hello everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got interesting stories to share this week. And later in the show, my conversation with Eric Olden, CEO and co-founder of Strata Identity. We're talking about the current state of identity management.
Dave Bittner: All right, Joe. Before we jump into our stories here, we've got a little bit of follow-up.
Joe Carrigan: Yes, we do, Dave. We have Michael, who writes in with a letter. Do you want to read it?
Dave Bittner: Sure. He says, Dave and Joe, I have listened to the podcast from Episode 1, and I am glad that you kept it going after Season 1. Well, thank you, Michael. He says, with a house full of young people, 14 to 25, I play the podcast as we do life around the house with the hope that they will absorb tidbits of understanding. They might never listen to the full podcast. We also talk about scams at the dinner table from time to time. With that said, my kids and my wife, who claims that she is naive in this space, are getting the message. More and more, my family is grasping how bad the internet is...
Joe Carrigan: It's really bad (laughter).
Dave Bittner: ...As they are now seeing advertisements on YouTube and other social networks that claim magical results, from acne prevention to wealth creation. Before buying almost anything, they ask me, is this really true? And 99% of the time, it is not true.
Joe Carrigan: Right.
Dave Bittner: An example is my 19-year-old son wanted a PlayStation at an amazing price. Of course, payment was only accepted via Zelle. He had no clue that all would be lost if he actually attempted to purchase it. While we're getting better at spotting spam and hack attempts in text and email, we're seeing more and more in social media. I encourage everyone to have a more critical eye. Love the show and the spinoff "At The Movies," Michael. Well, thank you, Michael.
Joe Carrigan: Thanks, Michael.
Dave Bittner: That's very kind of you.
Joe Carrigan: Yes. And your son is going to lose all his money if he Zelles somebody the - is that the verb, Zelle?
Dave Bittner: (Laughter) To Zelle.
Joe Carrigan: I don't like this way that we have apps now as verbs. I'll Venmo you the money. I'll Zelle you the money. I'll PayPal you.
Dave Bittner: It probably started with Googling things.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: Yeah.
Dave Bittner: (Laughter).
Joe Carrigan: We did it in the '80s. Remember partying?
Dave Bittner: That's right.
Joe Carrigan: Party was a noun up until the '80s.
Dave Bittner: Oh, that's interesting. Let's party. You're probably right. I don't know. It's just - it's become so normal now, I don't even think about it.
Joe Carrigan: Right.
Dave Bittner: My girl likes to party all the time.
Joe Carrigan: (Laughter).
Dave Bittner: All right. Let's jump in to our stories here. I am going to kick things off with a story that I think is a bit of good news in an otherwise bad situation. This is an article from the folks over at Ars Technica, written by Ashley Belanger.
Joe Carrigan: OK.
Dave Bittner: And it's titled "Teens Can Proactively Block Their Nude Images From Instagram or OnlyFans." So this comes from the National Center for Missing and Exploited Children. Familiar with them?
Joe Carrigan: Yep, I am.
Dave Bittner: They've been around for decades.
Joe Carrigan: Yes, they have.
Dave Bittner: And I guess they were - I'm pretty sure they're the folks who originally were responsible for putting kids' pictures on the sides of milk cartons.
Joe Carrigan: Yes, I think so.
Dave Bittner: That sort of thing.
Joe Carrigan: Yes.
Dave Bittner: But of course, they've expanded, as times have changed and the internet has come. One of the things that they really help with is kids who are being exploited online. And a big part of that is sexual images...
Joe Carrigan: Yep.
Dave Bittner: ...Nudes, that sort of thing.
Joe Carrigan: They maintain a very large list of hashes that match CSAM images.
Dave Bittner: Right, right. And so what they've pointed out in this article is that between 2019 and 2021, the number of sextortion cases that were reported to them on their tip line has more than doubled.
Joe Carrigan: Really?
Dave Bittner: And they said nearly 80% of those cases involve teens suffering financial sextortion, which is pressure to send cash or gift cards with a threat of their images - their sexualized images - being spread around online.
Joe Carrigan: Right.
Dave Bittner: Now, you can imagine, you're a teenager. You know, you've - for whatever reason, you've done what you've done.
Joe Carrigan: Right.
Dave Bittner: What's done is done.
Joe Carrigan: Yes.
Dave Bittner: But somehow it's spread beyond the party that you had initially intended that image to go to.
Joe Carrigan: It probably was never - there probably never was a party, the way this - you know, that initial party may not have been who they said they were.
Dave Bittner: Yeah, that's a good point, too.
Joe Carrigan: Yeah.
Dave Bittner: Right, right. So once that image gets out there, it's awfully tough to get it back.
Joe Carrigan: It is.
Dave Bittner: And one of the problems that the National Center for Missing and Exploited Children has is that with their tip line - they gather information on that line.
Joe Carrigan: Right.
Dave Bittner: So in order to use that, you have to share some things. And you can understand why someone who found themselves in this situation...
Joe Carrigan: ...Doesn't want to share the information.
Dave Bittner: Exactly.
Joe Carrigan: Yup.
Dave Bittner: Exactly. So they have recently launched a tool. It's called Take it Down. It had a soft launch in December, and they said about 200 people have used it so far to block uploads or remove images of minors shared online.
Joe Carrigan: Really?
Dave Bittner: And how this works is it's an anonymous system where you feed the - I'm - forgive me, I'm going to say the offending image, even though that's not what I mean...
Joe Carrigan: Right.
Dave Bittner: ...But the offending image into the system. And that image gets hashed and then the hash is what gets spread around rather than the actual image.
Joe Carrigan: Right. This is very similar to what they do with the database that they keep. They don't actually keep a database of CSAM, just a list of the hashes for those images.
Dave Bittner: Right. And just real quick, Joe, can you give us a little rundown on what exactly a hash is?
Joe Carrigan: Well, actually, I can give you a rundown on what a hash is. But there's also another thing here. But suffice to say, a hash is an encryption algorithm...
Dave Bittner: Yeah.
Joe Carrigan: ...That is a one-way algorithm. So the benefits of a good cryptographic - or the features, rather, of a good cryptographic hash are that if you change the input, you'll get a completely different output. If you know the output, you can't regenerate the input. And it's very hard to take two inputs and come up with the same output.
Dave Bittner: I see.
Joe Carrigan: Now, that's true for cryptographically sound hashes. But I think what the Center for Missing and Exploited Children uses is MD5, for which it's actually pretty easy to generate collisions. And you'll hear cryptographers say MD5 is useless, but it isn't useless because it has a really interesting feature that is not good for cryptography in that it's fast, but is remarkably good for forensics because you can quickly go through all these files, get their MD5 hashes, find out if any of them match, and then go look at the file that matches...
Dave Bittner: I see.
Joe Carrigan: ...And see if you have an offending image.
Dave Bittner: Right.
Joe Carrigan: So that's the idea of what a hash is and you don't want to use something other than MD5 to do that. You want to be able to do this quickly and then go investigate the matches.
Dave Bittner: So it's that old thing of don't let the perfect be the enemy of the good.
Joe Carrigan: Exactly.
Dave Bittner: Yeah.
Joe Carrigan: Exactly.
Dave Bittner: Yeah.
Joe Carrigan: MD5 is perfect for forensics. Now, there is another tool out there called - I think it's called PhotoDNA. It's from Microsoft - that is more than just hashing an image because one of the things about MD5 is if I change one pixel in that image, the hash will be completely different.
Dave Bittner: OK.
Joe Carrigan: Right?
Dave Bittner: Yeah.
Joe Carrigan: But with PhotoDNA, that is not the case.
Dave Bittner: OK.
Joe Carrigan: I get something very similar to a hash. It's not actually a hash. It's a - well, I guess you could say it's a hash, but it's a non-reversible representation of that photo that if I start changing little bits of that photo, it'll still come out to something very close to what - or maybe the same as what the PhotoDNA signature is.
Dave Bittner: OK.
Joe Carrigan: So they might be using PhotoDNA.
Dave Bittner: Well, so this technology has been adopted by some big players here. Meta is using it for Facebook and Instagram...
Joe Carrigan: Good.
Dave Bittner: ...So hard to get much bigger than that.
Joe Carrigan: Nope.
Dave Bittner: There's an online networking app called Yubo that's using it. But then also, interestingly, Pornhub and OnlyFans are both participating in this as well.
Joe Carrigan: Yeah, well, these guys are - you know, it's interesting that usually companies that make their money with porn are some of the biggest advocates of the Center for Missing and Exploited Children.
Dave Bittner: Right.
Joe Carrigan: And they - because their business model - they have to walk a very tight legal line.
Dave Bittner: Yeah.
Joe Carrigan: And they want nothing to do with anything illegal.
Dave Bittner: Right.
Joe Carrigan: And, you know, however you feel about it, they're going to do whatever they can do to keep that stuff off their platform because they don't want their business model shut down.
Dave Bittner: Yeah. And I guess it helps their argument for being in business if they can demonstrate their...
Joe Carrigan: Right.
Dave Bittner: ...Participation in something like this.
Joe Carrigan: Hey, look at us. We're good corporate citizens.
Dave Bittner: Right. We're doing this in good faith.
Joe Carrigan: Right.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: And you know what? They may be doing it in good faith. I'm not judging their motives.
Dave Bittner: Right.
Joe Carrigan: But I'm happy with the outcome.
Dave Bittner: Yeah. Yeah. So, interesting article here - we'll have a link to this in the show notes. Again, the tool is called Take it Down. And I think it's worth checking out. But maybe something to have a conversation - if you've got teen kids in your life...
Joe Carrigan: Yeah.
Dave Bittner: ...Something that they might want to know about - spread the word to their friends.
Joe Carrigan: I think the key thing to tell them is that this is now a means of extortion...
Dave Bittner: Yeah.
Joe Carrigan: ...That this is the way people are going after and monetizing the malicious activity on the internet right now.
Dave Bittner: Yeah, you know, it's a really good point, Joe. And this article points out that there have actually been some extreme cases where this sort of thing has led to suicide...
Joe Carrigan: Yup. Absolutely.
Dave Bittner: ...Which is the most tragic thing you can imagine.
Joe Carrigan: No one doing that.
Dave Bittner: And so I think your point is excellent that - to have this conversation, to say, you know, there's always hope.
Joe Carrigan: Right.
Dave Bittner: Right? And there are tools like this available that can help with this sort of thing. Nobody has to know who you are. So, yeah, there's always hope.
Joe Carrigan: Yeah. That's an important thing...
Dave Bittner: Yeah.
Joe Carrigan: ...Is that, you know, there are tools out there that can resolve this issue. You shouldn't be - you know, I've said here before, and maybe I'm being too much of an old man here, but, you know, don't share nudes with people you know, or people just online. Just don't do it.
Dave Bittner: Right.
Joe Carrigan: It's bad practice.
Dave Bittner: Right, right.
Joe Carrigan: And here's why it's a bad practice. But in the event that you do, there - you know, you're right. There is a light at the end of the tunnel. This will not be something that dogs you for the rest of your life.
Dave Bittner: Yeah.
Joe Carrigan: You will be one of a great many people who have had this happen to them.
Dave Bittner: Right.
Joe Carrigan: It's unfortunate that a great many people have it happen to them, but, you know, don't let the shame drive you to do something terrible.
Dave Bittner: Yeah. Yeah. Absolutely. All right. Well, again, we will have a link to that story in the show notes. Joe, that's what I have for us this week. What do you got for us?
Joe Carrigan: Dave, my story this week comes from David Olive, who is a - sits on the Preparedness Leadership Council. I go to meetings with them sometimes. And Dave sent me this. It is a LinkedIn post by Gary Warner, who's kind of a big deal in the computer forensics industry.
Dave Bittner: OK.
Joe Carrigan: And he - the LinkedIn post is - starts off with the question, why do we have so much fraud? Why do we have all this fraud? And the answer is because the fraudsters are getting away with it. And Gary links to a couple of articles. The first one he points to is a post from the House of Lords in England...
Dave Bittner: OK.
Joe Carrigan: ...Where there is an organization within that government body that's called the - it's got some act in front of it, but essentially, it's the Digital Fraud Committee.
Dave Bittner: OK.
Joe Carrigan: That's the last three words of the committee, the Digital Fraud Committee. And one of the things that this committee noted is that in the U.K., 46% of crime is fraud, but 1% of law enforcement is dedicated to fraud, which is interesting.
Dave Bittner: OK.
Joe Carrigan: And Nicky Ann Morgan, who is the chair of this committee, says - and I'm going to quote her here - "fraud is the most commonly experienced crime in the country. A person is more likely to be a victim of fraud than any other crime, and it costs billions in losses. Yet it is under-resourced, underprioritized and the impact is widely underestimated." There is an - another article that Gary links to from a news outlet called Which? This article is - that's W-H-I-C-H.
Dave Bittner: Right. Right.
Joe Carrigan: Not burn her.
Dave Bittner: I just - I have to - yeah.
Joe Carrigan: Every time I hear Which?, I just go right to "Monty Python."
Dave Bittner: Well, and I'll say over on the CyberWire, from time to time, we reference articles that come from Which? And it just - I feel like I'm in an Abbott and Costello routine where I'm saying...
Joe Carrigan: (Laughter) Right.
Dave Bittner: ...You know, today on - today, Which? reported that - who? No, not who. Which? You know.
Joe Carrigan: (Laughter).
Dave Bittner: Anyway, go on.
Joe Carrigan: Which? is in England.
Dave Bittner: Yeah. Go on.
Joe Carrigan: The author is Josh Wilson. And he noted that the National Fraud Intelligence Bureau, the NFIB, received around 900,000 fraud reports for cybercrime in 2020 to 2021. But of these, just 8%, or 72,000 about, were disseminated to law enforcement for investigation. Then in 2021, just 4,500 - just under 4,500 fraud cases made it to court. So I did some rough back-of-the-envelope math, Dave.
Dave Bittner: (Laughter) Of course you did.
Joe Carrigan: And if that 900,000 number is for two years...
Dave Bittner: Yeah.
Joe Carrigan: ...And one year, they put in less than 4,500. That means you have a 99% chance of getting away with fraud in the U.K., if your case is reported, which it probably won't be.
Dave Bittner: OK.
Joe Carrigan: Remember that Ms. Morgan said that it is widely underestimated, and I think it's widely underestimated because it's widely unreported - under-reported.
Dave Bittner: Yeah. Now, do you - how much of this do you suppose is that there's fraud and then there's fraud? You know...
Joe Carrigan: Yeah.
Dave Bittner: ...In other words, there's what I would describe as nuisance fraud...
Joe Carrigan: Nuisance fraud. Right.
Dave Bittner: ...Where somebody - oh, I'm out five bucks.
Joe Carrigan: Yep.
Dave Bittner: Oh, darn it. You know, and I'm not expecting the police to bring out a SWAT team in a hard-target search to get my $5 back.
Joe Carrigan: That's an excellent question. That is an excellent question. I don't know.
Dave Bittner: Yeah.
Joe Carrigan: I don't know. The articles don't seem to break that down to that level.
Dave Bittner: Right.
Joe Carrigan: But they do break down - what is interesting is police resourcing. And the city of London, which I believe is actually different from London larger - you know, the - it's a small section of London...
Dave Bittner: OK.
Joe Carrigan: ...Of what you would think of as London - has a police officer staff of 1,357 people. And the fraud desk - you know, the fraud department - is 34 of those people, 2.5%. And that is the most in the United - or, actually, I think this is only England and Wales.
Dave Bittner: OK.
Joe Carrigan: So it's not all of the United Kingdom. But the average is around 0.6%. So, like, for example, the Metropolitan Police - I don't know who that - maybe that's for larger London, but it seems like a pretty big police force at 43,000 people.
Dave Bittner: Yeah.
Joe Carrigan: I don't know how big - what - how big of an area they cover, but they only have 300 fraud officers. Point seven percent of their police are - investigate fraud - dedicated to preventing fraud...
Dave Bittner: Right.
Joe Carrigan: ...Or investigating fraud. So when you have this kind of disparity in crime and reporting - and first off, is - I mean, there's arguments to be made that there's a problem here.
Dave Bittner: OK.
Joe Carrigan: Right? Like, we - 46% of the crime is fraud. But that fraud - no one dies during that fraud.
Dave Bittner: I was just going to ask about that.
Joe Carrigan: No one gets beat up.
Dave Bittner: Right. Right.
Joe Carrigan: Right?
Dave Bittner: It's not violent crime.
Joe Carrigan: It's not a violent crime.
Dave Bittner: And the violent crime makes the TV news.
Joe Carrigan: Right.
Dave Bittner: And so when the folks who are in charge of funding these places stand up to be reelected...
Joe Carrigan: Yep.
Dave Bittner: ...What are they going to say? I'm going to cut down on fraud.
Joe Carrigan: Right.
Dave Bittner: Maybe. But mostly, we're going to make your neighborhood safer.
Joe Carrigan: Right.
Dave Bittner: That resonates.
Joe Carrigan: Yes.
Dave Bittner: Yeah.
Joe Carrigan: And I would bet - this is focused almost entirely on England and Wales. I would bet that if we did an investigation or somebody did some reporting on this in the United States, we'd find something very similar here and for very similar reasons, I think.
Dave Bittner: Yeah.
Joe Carrigan: You know, and we talk about how devastating it is to be physically assaulted. You know, I have a friend of a friend who had that happen to him and still hasn't fully recovered from it.
Dave Bittner: Sure.
Joe Carrigan: And the issue is, well, what about the people who have lost a hundred thousand dollars? You know, what about the old lady that loses her entire life savings? She is never going to recover from that either.
Dave Bittner: Right.
Joe Carrigan: That is a financial end - the financial end of the road or at least a significant change in the road...
Dave Bittner: Yeah.
Joe Carrigan: ...For that person.
Dave Bittner: Yeah.
Joe Carrigan: These are devastating crimes. You're right. When somebody scams you out of five bucks, nobody should come looking for him. But maybe there should be a cap. You know, if someone scams you out of more than 10 grand - or I guess it's pounds here, right? Ten thousand pounds.
Dave Bittner: (Laughter) Right.
Joe Carrigan: That these things will be investigated, at least to some level.
Dave Bittner: And there may be. I don't know what the...
Joe Carrigan: The threshold.
Dave Bittner: ...Threshold is, for example...
Joe Carrigan: Right.
Dave Bittner: ...If you call your local FBI office, which they encourage you to do.
Joe Carrigan: Or they encourage you to make a complaint with the Internet Crime Complaint Center...
Dave Bittner: Right.
Joe Carrigan: ...Which you may never hear back from.
Dave Bittner: Right.
Joe Carrigan: But they use it for keeping statistics.
Dave Bittner: Right. So...
Joe Carrigan: And maybe for doing data analytics.
Dave Bittner: What is the threshold at which you will get a call back...
Joe Carrigan: Right.
Dave Bittner: ...From your local field office?
Joe Carrigan: It's an excellent question. I don't know.
Dave Bittner: I don't know. I'll have to ask that question. Let's see if I can get an answer to that.
Joe Carrigan: The next FBI person.
Dave Bittner: I know some folks in the FBI. Yeah (laughter).
Joe Carrigan: That's good.
Dave Bittner: I'll have to - a little homework for myself there.
Joe Carrigan: Maybe we should have one of them on as a guest.
Dave Bittner: We could probably swing that. Sure.
Joe Carrigan: Yeah.
Dave Bittner: Sure. Yeah, interesting stuff here. And I guess this is one of those stories that leaves me thinking.
Joe Carrigan: Right.
Dave Bittner: You know, more and more - as many questions as answers.
Joe Carrigan: Yeah. It's a - and that's probably good. That's probably good that we're thinking that. Like...
Dave Bittner: Yeah.
Joe Carrigan: ...It's a real - it makes you scratch your head. I don't want to say the story is a real head-scratcher. The problem is a real head-scratcher.
Dave Bittner: Right.
Joe Carrigan: You know?
Dave Bittner: Right.
Joe Carrigan: Why do we dedicate 1% of our police resources to 46% of our crime?
Dave Bittner: Yeah. I mean, that's a policy decision. But part of it - I'd be interested to hear what, as we're saying, what someone in law enforcement...
Joe Carrigan: Right.
Dave Bittner: ...Would say about this. Why is it that they choose to dial it in this way? Is that their constituents' demand that they dial it in this way? It's an interesting question.
Joe Carrigan: Yeah.
Dave Bittner: Yeah. All right. Well, we will have a link to that story in the show notes, of course. We would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. Joe, it is time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: Dave, our Catch of the Day comes from Shon, who writes, I'm an avid listener of many CyberWire podcasts. Great.
Dave Bittner: Yeah. Good.
Joe Carrigan: We love to hear that. As a security leader with a background in social sciences, I particularly enjoy "Hacking Humans," "CSO Perspectives" and "8th Layer Insights." That's Perry Carpenter's...
Dave Bittner: Yeah.
Joe Carrigan: ...podcast. And "CSO Perspectives" is Rick Howard's right?
Dave Bittner: Yep. Yep.
Joe Carrigan: I learn something new and noteworthy from every show, and I am frequently able to put them immediately into practice in my professional and personal lives. So many thanks to the entire CyberWire team. I received the attached message from, quote, "Meta Resources Recruiter" informing me of an open CISO lead role.
Dave Bittner: OK.
Joe Carrigan: So - and it's - what's interesting is that it begins with his name.
Dave Bittner: Yeah. But also that - I mean, a CISO - like, this is swinging for the fences.
Joe Carrigan: Right.
Dave Bittner: Right?
Joe Carrigan: Batting for six, as they say.
Dave Bittner: (Laughter) Right. If you're trying to scam a CISO, which is a top-level cybersecurity professional...
Joe Carrigan: (Laughter) Right.
Dave Bittner: ...Right? Like (laughter). OK. Well, here's the email. It says, (reading) Dear Shon, hi. We are MRG, a recruitment agency based in U.S. We have an upcoming opening for chief information security officer lead role with one of the well-renowned bank in the world, based in the USA. While going through your LinkedIn profile, we thought you might be interested. Please go through the attached JD and revert back to us with confirmation about the interest for the role. Also, kindly send us your updated resume - maximum of three pages - and information below to start process for your application. What is your current residency city and country? Are you authorized to work for any employer or own a contract in your current residency? As this is a contract role, would you be able to commence this contract on C2C? How many years of experience do you have leading IT security systems? Brief us about your experience of end-to-end assessments and remediation projects resulting from company M&A activities.
Dave Bittner: (Reading) Are you proficient in developing physical and digital security protocols and procedures? When can you be available to join, if selected? Please provide your best callback number. What is your desired compensation? Do you provide us right to represent you to our client? Meta Resources Group is a professional service provider firm that has been offering expertise in IT consulting, staffing and recruitment, and offshore IT services based on the latest market and technological trends. Combining the years of experience and knowledge of certified staff, innovative mindsets and implementation of upgraded technologies, Meta Resources Group has been the partner of all business genres with an exceptional capacity in leading technologies for enterprises. Our client is a division of world's second-largest pharmaceutical company who about to expand business in 17 new markets worldwide, having over 150 open positions in diverse roles to fill in.
Joe Carrigan: I thought it was a bank. Did he say bank to start with?
Dave Bittner: I think he did.
Joe Carrigan: (Laughter).
Dave Bittner: You may find more about us at this website. Best regards, Recruitment Team, Meta Resources Group.
Joe Carrigan: So this came as an email attachment that Shon sent along. And it actually has the PDF for the job description. And the title of the job description is Chief Information Security Officer Lead/Project Manager. I don't know who wrote that, but it's just, like, word salad, right?
Dave Bittner: (Laughter).
Joe Carrigan: If you're the chief information security officer, you're not a lead. You're a chief. You're actually part of the C-suite, right?
Dave Bittner: Right.
Joe Carrigan: You're an officer in that company.
Dave Bittner: Right.
Joe Carrigan: And that has certain - depending on what kind of company you have, that has certain obligations that go along with it.
Dave Bittner: Yes.
Joe Carrigan: You're probably also not a project manager. Project managers work for you.
Dave Bittner: Right.
Joe Carrigan: Right? Especially at large organizations like banks. This doesn't make any sense to me.
Dave Bittner: No, no.
Joe Carrigan: If somebody sent me - this is why I don't work with third-party recruiters anymore, Dave...
Dave Bittner: Yeah.
Joe Carrigan: ...Because so many things I get from them look exactly like this (laughter).
Dave Bittner: Right, right. Yeah. All right. Well, our thanks to Shon for sending that in to us. Again, we would love to hear from you. Our email is hackinghumans@thecyberwire.com.
Dave Bittner: Joe, I recently had the pleasure of speaking with Eric Olden. He is CEO and co-founder of Strata Identity. And we're talking about the current state of identity management. Here's my conversation with Eric Olden.
Eric Olden: From a historical standpoint, I, individually, have been in identity since my first company, Securant Technologies. I co-founded that in 1995. And that company was started at the - really the early days of the web. And what was going on in those early days was that there was a shift to having people on the internet access your website and buy things from you or get information and so forth. And the big challenge, at that point, was that many organizations had never had millions or thousands, even, of users accessing their data and their applications. And so a need arose for, how do you manage the way that people access applications and data and do that at scale? So the first generation of identity management really came up in that era to solve the problem of doing security at scale.
Eric Olden: Then, as the market and technology evolved in the early 2000s, we started to see more and more of the complexity come in. And that meant that instead of just having a single idea of how a user gets into an application or a website where one size fits all, there was a whole lot more complexity introduced because companies needed to be more specific and granular about who can access what. And that meant that identity management started to become more sophisticated as well. And that evolved beyond things like single sign-on to include authentication and access control and authorization and auditing. So in that first generation, we really saw scale and then complexity come in.
Eric Olden: And then if you go a little bit further into the future, around 2006, I started my second company, called Symplified. And we were helping companies deal with the move to software as a service, where now the applications were run by a third party. And that meant that you needed to find a way to have standards that could span different organizations. And I was part of the group that co-authored a standard called SAML, or Security Assertion Markup Language. And what that was really doing was - created a new notion called identity federation. And what we were doing with that was making trust work across the internet between organizations. And you saw a rise in how users would access SaaS applications.
Eric Olden: And that second wave was really interesting because it coincided with a lot more - this confidence that organizations would have that data needs to reside outside of their firewall, outside of the perimeter. Then if you scale it to - fast-forward to kind of modern times, where the cloud becomes the main idea of where you're going to run your computing - and a lot of this was accelerated with COVID in the pandemic, where everybody had to work remote. And so all of a sudden, all of your applications and all of your data and all of your users were now anywhere on the internet. And that led to a shift of identity becoming the perimeter. And notions of zero trust came out and became popular.
Eric Olden: And where we find ourselves today is how do you secure the users and applications when everybody can be anywhere and your applications and your data are everywhere? And that is the multicloud problem. And what we've seen as a way to kind of move into that and solve that problem is to apply the concept of orchestration to identity. And orchestration is very common in technology. It started in IT automation and server management and things of that type - things like Kubernetes and Terraform. But it hadn't yet been introduced to the identity plane. And that's really where the innovation is happening today, which is how do you automate and integrate security for your users and your apps and your data in this really distributed multicloud world? So it's been a long history, but it's been an exciting one to be part of.
Dave Bittner: Yeah. I'm curious, like, from someone who has your perspective and your history with this, what are some of the problems that you consider to be solved when it comes to identity, and what are some of the challenges that we still face?
Eric Olden: Yeah, that's a great question. I think one of the - the most profound one is that the root of so many problems is passwords. Passwords are the weakest link in security, in my view. And the reason for that is that it's so easy to use social engineering and phishing to steal somebody's - basically trick them into providing their password. And then a bad actor can take that password and steal data and do bad things. And so we've known about this forever, and there have been various efforts to replace passwords with various things along the way and multifactor authentication, passwordless being the most popular, and tokens before that. The ironic thing is that we know what the problem is. We know how to solve it. But up until really recently, there hasn't been the organizational will to get rid of passwords and move to passwordless.
Eric Olden: And I think it's interesting that we're seeing now a combination of factors accelerating that trend, including legislation from the federal government requiring alternatives to passwords to be used, but also with the private industry and insurance, where if you want a cyber insurance policy, if you don't have a multifactor authentication or a passwordless strategy implemented, then you may not get your policy underwritten. So we're seeing these factors drive adoption, which has been really good because now, as a universal approach, we can all agree there's a time and a place that's gone which is where passwords were effective, and now we need to replace it with more strong authentication. So I think that was probably the biggest one.
Eric Olden: And then the other, related to that, is that virtually everybody today has a very powerful authentication mechanism in their mobile phone. And most phones have the ability to apply biometrics, which mean that they can scan your face or your fingerprint and basically take something that you are - your facial proportions or your fingerprint - and then link that physical identity to your digital identity. So this is really, I think, making that move to how you can be able to have secure access without using passwords. Just use your phone. And so that's exciting. But we're really early on in the implementation. So everyone's got the phone. Now we need to solve the problem by making that work with the applications, and there's a lot of integration work to go into that. And, you know, we think that the appropriate way to do that is to not require custom integration but to instead use your technology to do that. So that's kind of where I see the state of identity security at the moment.
Dave Bittner: Can you describe for us how you imagine something like that working? I mean, I think for a lot of us, myself included, you know, who uses lots of different passwords every day but also enjoys using things like face ID, like touch ID and can kind of see a future based around those sorts of technologies, what does the future look like in terms of folks going about their everyday business and being authenticated for the things they need to use to do that business?
Eric Olden: Well, you know, the great thing is that it's so much more convenient for people to use their biometrics on their phone than it is to remember all of these various passwords. So I think that's been a really nice thing is that the security gets better, and you have ease of use. So I think that's maybe the magic that is of the moment is that historically, security used to mean a lot more work. And now you actually get rid of work because you don't have to remember your fingerprint. You have it on you at all times.
Eric Olden: So I think that's going to be good news for people - myself, yourself and everyone else. I think on the other side is if you're an enterprise or government agency, how do you bridge the technology with your environment, with your applications? And that's really driving a lot of digital transformations today, are looking to use modernization of their infrastructure to solve this security problem while they upgrade their systems to be more cloud-based. So there's this idea that instead of lifting and shifting your application workloads from your enterprise into the cloud, oftentimes that translates to moving your mess. Instead, we see an opportunity to move and improve so that you adopt the cloud, but at the same time, you modernize your identity technology so you can use these new biometrics and passwordless technologies to secure your applications. So it's basically taking advantage of the fact that you have to move things to modernize them and to use this as an opportunity to upgrade and do that in a measured way so that it doesn't get to be a huge challenge in terms of upgrading your systems.
Dave Bittner: Are there any established or proposed standards for this so that, you know, we could perhaps see things that work across platform and across devices and across, you know, destinations on the internet? Is that ultimately something we aspire to?
Eric Olden: Yeah, absolutely. I think standards are the backbone of the internet, and we wouldn't have the internet as we know it without agreeing on core standards. And so if you look at the standards that underpin the transformations that I'm referring to, there's a couple that really stand out. I think the first one is SAML, which is how you can rely on different organizations to securely authenticate their users and interact in a trusted way. The next generation of federation is OpenID Connect, or also known as OIDC. And that is a really powerful way to avoid having passwords at all because through OIDC, for instance, you can use your - say, your Google Gmail authentication over at an e-commerce store and buy something. So you don't have to have a password at the store because you can use your identity at Google through this OIDC standard to authenticate you at the store.
Eric Olden: On the authentication side, there is a really interesting standard called FIDO, F-I-D-O. And what FIDO stands for - well, basically, what FIDO does is makes the authentication mechanism itself open so that no one vendor controls how the authentication process works. And so you have FIDO and now FIDO2, which is the next version of it, allowing you to mix and match different authentication technologies without rewriting your applications. So that's been a really big and powerful capability. And you can see it in this new technology that's coming out called passkeys, which are really very compelling because they avoid passwords. And they're supported by the major platform vendors, like Apple and Microsoft and Google. And what that allows you to do is basically to use your identity in these other platforms in a similar way as OIDC but to use this in a more ubiquitous way, and you can link that with a device. So passkeys in FIDO are really interesting.
Eric Olden: And then the last one, I think, is one that we're - I'm personally very involved with, which is the identity query language, or IDQL. And what IDQL was designed to do is to make the rules and the policies in all of the different cloud platforms on an east-and-west basis - so imagine Amazon and Google and Azure - making your rules consistent across all of these different clouds and also through the computing stack so you can have a consistent way to define and manage policy at your application, your data and your networking layer.
Eric Olden: So IDQL is really the kind of cornerstone of policy orchestration. So think about it as a universal language to define the rules, no matter where the application and data is. And that allows organizations to do this in a much more - do governance and say how they're going to allow people to access apps and data in a consistent way. And so there's an open-source project that we helped get off the ground called Hexa - H-E-X-A - and it's now part of the CNCF, which is an open-source body that a lot of people know for Kubernetes and OpenTelemetry. So the standards - they're all coming together, from SAML, OpenID Connect, to FIDO and passkeys and now IDQL, and that's really how to think about standards and identity in this complex, distributed world.
Dave Bittner: Joe, what do you think?
Joe Carrigan: Really interesting. You know, the identity thing is, you know - I think of it as, how do you prove that somebody is who they say they are?
Dave Bittner: Right.
Joe Carrigan: And how do you - and then how do you do that at scale?
Dave Bittner: Right.
Joe Carrigan: Right?
Dave Bittner: Right.
Joe Carrigan: ...Which is a real problem.
Dave Bittner: Yeah.
Joe Carrigan: The identity management - initially, we were just talking about doing the triple-A, you know, the authorization - the authentication first, authorization second, auditing all the while.
Dave Bittner: Right.
Joe Carrigan: There are - some people use a different A for auditing, and I can't remember what it is.
Dave Bittner: OK.
Joe Carrigan: But it, essentially, is the same thing. It's just creating an audit trail. And then the question becomes, what do you do when you start relying on other people to attest to someone's identity?
Dave Bittner: Right.
Joe Carrigan: Right? And we do that with the Google Authenticator, or Google authentication accounts. You know, we - are there any accounts that you use that you just log in - you say, use my Google identity?
Dave Bittner: I used to go down that path, but after, years ago, being burned by Facebook, I'm not falling for that again.
Joe Carrigan: Yeah.
Dave Bittner: (Laughter) Right?
Joe Carrigan: Yep. Right. I'm not falling for that trick again.
Dave Bittner: No, no.
Joe Carrigan: So many great jokes end with that punchline.
Dave Bittner: Yeah. I just - upload my entire address book? Well, sure.
Joe Carrigan: Sure. Yeah. That's another one that...
Dave Bittner: That'll make it - that'll be so convenient for me to connect with my friends. Why not?
Joe Carrigan: I one time had somebody interview me for a job that was looking for somebody that was - to develop apps to go out and do just that.
Dave Bittner: Yeah.
Joe Carrigan: I was like, I'm not working for you.
(LAUGHTER)
Dave Bittner: Good for you.
Joe Carrigan: In fact, after this interview, I'm going to go take a shower. That's gross.
Dave Bittner: (Laughter) OK.
Joe Carrigan: You know, there was no infrastructure like this 25 years ago. There - everybody had their own username and password. You really didn't know who they were. And now this SAML language has stepped in to help you share this authentication over these different areas. But you're right. How do we trust that?
Dave Bittner: Yeah.
Joe Carrigan: How do we trust that with using, like, Facebook? I wouldn't trust Facebook to do anything.
Dave Bittner: Right.
Joe Carrigan: I don't even trust Facebook to run Facebook ethically or Meta...
Dave Bittner: Right.
Joe Carrigan: ...to run their social apps, whatever they are.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: I use them as little as possible. But then the interesting thing happens with COVID, where everybody has to go home and work from there. And now your users can be coming from anywhere. And when I heard this, I honestly thought for a second, this is something we all should have seen coming - right? - as an industry. We should have seen that we're going to need to have this kind of capability. We're going to be having - you know, the parameters of organizations were dissolving. All COVID did was just really speed that up...
Dave Bittner: Yeah.
Joe Carrigan: ...Make it happen within a couple of weeks...
Dave Bittner: Right, right. Right. Right.
Joe Carrigan: ...Which was probably a little too fast.
Dave Bittner: Yeah.
Joe Carrigan: But now everything is everywhere and - including our authentication. And one of the words that Eric uses, or one of the phrases - I love this term - we live in a multicloud world. That is an interesting way to think about it. And that's exactly right. There are all these different services running everywhere. And I'm going to come back to this idea of cloud in a minute. But when you ask him what the problems are, he says that the root of most of the problems still comes down to passwords. And that's because, as humans, we suck at making passwords. We just can't do it.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Just - but we had a guest a couple of weeks ago who said if you use a password manager, you're a lot less likely to be a victim of fraud because you're going to have the passwords that are different for every site and complex. But if nobody does that, or if users don't do that or if companies don't enforce it, then it's not going to be successful. It's not going to be the case.
Dave Bittner: Right.
Joe Carrigan: So the - another point that Eric makes is we still lack the organizational will to move away from passwords. So we're sticking with passwords, and we're sticking with doing them poorly. It's not - that's not a tenable solution.
Dave Bittner: Yeah.
Joe Carrigan: It's not going...
Dave Bittner: It's...
Joe Carrigan: ...To work.
Dave Bittner: Yeah. I mean, there's efforts, you...
Joe Carrigan: Right.
Dave Bittner: ...Know, and I feel as though the edges are chipping away at the username-password combination. But you're right. It is slow going.
Joe Carrigan: Yes. The phone is a pretty good tool. Eric says it's not 100% ready yet. I believe that. I think it - but I think it does have the capability 'cause it does have other ways to authenticate yourself, like with biometrics, like the Apple Face ID, which is remarkably good.
Dave Bittner: Yeah.
Joe Carrigan: I like FIDO, which Eric also mentions. And I think that's a great way to go. But I want to get back to the cloud topic, and I want to ask this question and maybe, you know, have a discussion with you about this. Am I a Luddite for saying that I don't trust the cloud? I don't trust cloud things?
Dave Bittner: In what way?
Joe Carrigan: So...
Dave Bittner: How do you...
Joe Carrigan: ...I have a coffee mug that my daughter gave me.
Dave Bittner: OK.
Joe Carrigan: You know, my daughter also works in this field.
Dave Bittner: Yeah.
Joe Carrigan: And it says on the coffee mug, there is no cloud; it's just someone else's computer.
Dave Bittner: Sure.
Joe Carrigan: Right?
Dave Bittner: Yeah. That old chestnut.
Joe Carrigan: Yep.
Dave Bittner: Yep (laughter).
Joe Carrigan: And it's absolutely correct in that you don't know what happens when you put your data in the cloud. I was talking with another friend of mine who's been doing cybersecurity since before we called it cybersecurity. And he was talking about what he does and how he is remarkably against doing cloud data - of just putting data in the cloud. You have to make sure that when that data goes to that cloud provider, it's encrypted so that when that data provider - when that cloud provider gets breached at the location of whatever place they're getting breached at - and you don't know where it is. You have no idea where the data center is. You just know you have a service on the internet that you can access.
Dave Bittner: Right.
Joe Carrigan: You know, and in fact, that's why it's called the cloud is because on those old diagrams, the internet was just a big cloud.
Dave Bittner: Right.
Joe Carrigan: We don't know what's up there.
Dave Bittner: Right.
Joe Carrigan: We don't know where it is. We just go to the internet and get it.
Dave Bittner: Yeah.
Joe Carrigan: So, you know, I'm taking us down that rat hole that you hate when I go down.
Dave Bittner: (Laughter).
Joe Carrigan: But I don't trust the cloud, Dave.
Dave Bittner: Well, you know, I'll - so I'll come at it from the other direction, which I think there's a good case to be made that when you're using the cloud instead of using your own on-site - as they say, on prem -...
Joe Carrigan: Right.
Dave Bittner: ...Resources, your own servers, you know, it used to be that we would joke that IT folks like to be able to go into the server room and hug their servers.
Joe Carrigan: Yes.
Dave Bittner: They like having them nearby.
Joe Carrigan: I've hugged a couple servers in my day.
Dave Bittner: And so the - I think part of the notion is that the cloud providers are going to have more resources at their disposal to help with security...
Joe Carrigan: Yep.
Dave Bittner: ...Because they're running at such a larger scale, presumably, than you are...
Joe Carrigan: Right. I get that.
Dave Bittner: ...So there's going to be security baked in.
Joe Carrigan: Yep.
Dave Bittner: And so that just becomes part of your risk proposition, that there are some things you're going to have to worry about, other things you probably won't. And if on balance, the cloud makes it a better proposition for you - not to mention it's probably going to be cheaper...
Joe Carrigan: It is probably going to be cheaper.
Dave Bittner: ...Then there you go.
Joe Carrigan: You're 100% right about the cheaper and easier. And particularly for, like, smaller companies, I get the use case there.
Dave Bittner: Yeah.
Joe Carrigan: But when you're talking about larger companies and, like, maybe even government organizations, I think there's a lot of pitfalls that you open yourself up to if you just blindly start subscribing to cloud services and setting them up. I think that...
Dave Bittner: Yeah.
Joe Carrigan: ...That - but, of course, there's all kinds of different things you have to do. And there's story after story of how people have deliberately configured things to be less secure than they are. And that's, like, a user issue, right?
Dave Bittner: Right, right. I also think that if you're one of those big-time users who's going to be operating on the cloud at a large scale, then you're going to have things in place to ensure that all those things are being taken care of...
Joe Carrigan: Right.
Dave Bittner: ...That things are being encrypted, that they're being distributed, that they're, you know, backup - all that stuff. You're going to be asking those questions before you sign that check that has a lot of zeros in it.
Joe Carrigan: Right. So am I a Luddite or not?
Dave Bittner: No.
Joe Carrigan: I don't think I'm a...
Dave Bittner: No, you're not a Luddite. You just have a healthy dose of paranoia and skepticism.
Joe Carrigan: I think I have more than a healthy dose.
(LAUGHTER)
Dave Bittner: All right. Well, our thanks, once again, to Eric Olden for joining us. Again, he is the CEO and co-founder of Strata Identity, and we do appreciate him taking the time for us today.
Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.