Hacking Humans 4.13.23
Ep 239 | 4.13.23

Inside the history of a child hacker.


Paul Dant: Your average Android application is just as easy to reverse engineer as my game was in the late '80s because certain aspects of what software is and how it works just simply haven't changed.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We got some good stories to share this week, and later in the show, my conversation with Paul Dant. He's Senior Director of Cybersecurity Research at Illumio. All right, Joe, before we jump into our stories here this week, we have a bit of follow-up. You want to start us off there?

Joe Carrigan: Yeah, Dave. Anthony sent me a message on LinkedIn about a new scam vector that I have not heard of before and he said he saw this message on Nextdoor. Do you know what Nextdoor is?

Dave Bittner: Yes, Nextdoor is how you can tell which of your neighbors are racist.

Joe Carrigan: Yes. That's a good way to do it. I -- I had -- I had a Nextdoor account. I shut it down. I just got so sick of listening to everybody complaining about every single thing that was going on in the neighborhood, because I live close to Merriweather.

Dave Bittner: Oh, yes, yes.

Joe Carrigan: And Merriweather Post Pavilion, for people who don't live in Columbia, is a Frank Gehry-designed concert pavilion.

Dave Bittner: Yes.

Joe Carrigan: It's beautiful.

Dave Bittner: Yeah, yeah.

Joe Carrigan: And big bands play there, I mean, like big names, and one of my favorite stories is Slayer was playing there one night and they went past the 11:00 deadline and my wife was calling them, and I was like, "You're embarrassing me in front of Slayer." But yeah, so I couldn't take that anymore, all the complaining. So I -- that's really what I think it is. I mean, it does have other neighborhood value, and if you're -- if you're into that, but I have a real disdain for social media anyway and I didn't have a real need to be on Nextdoor, so I left it, but Anthony did not. Anthony's still on and came across this great -- this great note from one of his neighbors. It said, "Yesterday I received a call saying they were from Xfinity and they were upgrading Internet from 4G to 5G," okay? Now, initially, Dave, that would be a red flag to me, but T-Mobile has 5G Internet service that you can have at your house.

Dave Bittner: Right.

Joe Carrigan: So I don't know how much of a red flag it is. This makes sense. This is a good ploy right off the bat.

Dave Bittner: Yeah.

Joe Carrigan: It's not how Comcast works, but you -- I mean, I only know that because I'm a nerd.

Dave Bittner: Yes, you are. Go on.

Joe Carrigan: So the guy goes -- the guy on the phone goes on to say that they were having trouble with this person's router. I asked if I should take it in to be exchanged, but they said no, they can fix it through my computer.

Dave Bittner: Good news.

Joe Carrigan: Yes. They had me download TeamViewer, which is a legit application for support desk and let somebody take control of your computer, and then after a couple of minutes said the supervisor would call to help. The next call came from a different number and that person said that a technician would call to run a test. The next call came from yet another number and he said he was from the Xfinity billing department and needed me to log into my bank so he could deposit a rebate of $200.

Dave Bittner: Oooh.

Joe Carrigan: All capitals, it says here. Big red flag, bells going off. I hung up the phone and deleted everything that was on -- on my computer. I did -- I also -- this person also changed their passwords. They say they have a Mac, so they were unable to get anywhere.

Dave Bittner: Oh, okay, right, sure.

Joe Carrigan: But they did have TeamViewer installed on your computer because you did that for them. But it's interesting that this is -- this is a new vector coming in, somebody calling from your cable company and they're going to give you some kind of social engineering attack where they want you to log into your bank. So that's not how any of this works. You know, T-Mobile does do 5G Internet service, home Internet service.

Dave Bittner: Yeah.

Joe Carrigan: Comcast does not. They run a wire to your house. Verizon runs either a wire or fiber optic cable to your house.

Dave Bittner: I will add that it is not at all helpful, and I find annoying, that Xfinity has branded their latest iteration of their home Internet as 10G.

Joe Carrigan: Right, yeah, that is -- that is not --

Dave Bittner: Because that's not at all confusing in the marketplace.

Joe Carrigan: No, that's what -- that was some guy in marketing over at Comcast.

Dave Bittner: Right.

Joe Carrigan: You know what we'll do? We'll call it "10G."

Dave Bittner: You know, we're going to skip right by 6G, 7, 8, and 9.

Joe Carrigan: Right, because those are all actually mobile -- mobile standards, and there is a 6G standard in development right now.

Dave Bittner: Yeah, yeah.

Joe Carrigan: But it's -- don't -- yeah, I'm with you on that. That is irritating.

Dave Bittner: Well, thanks to Anthony for sending this in.

Joe Carrigan: Yes.

Dave Bittner: We appreciate it, and, of course, we would love to hear from you. If you have something you'd like us to share on the show, you can email us. It's hackinghumans@thecyberwire.com. Well, let's jump into our stories here, Joe.

Joe Carrigan: Okay.

Dave Bittner: I've got an interesting one. This comes from Florida. Have a story here from WESH 2, which is the NBC affiliate in Florida, article written by Claire Metz, who's a reporter there, and it's titled "Florida Principal Who Sent $100,000 to Scammer Posing as Elon Musk Says She Was Groomed."

Joe Carrigan: Hmm.

Dave Bittner: So the story here is that we've got a principal of a charter school in Volusia County, Florida. I'm not sure where that is.

Joe Carrigan: Me neither.

Dave Bittner: She resigned after writing $100,000 check to an Internet scammer posing as Elon Musk.

Joe Carrigan: Hmm.

Dave Bittner: Dr. Jan McGee worked at Burns Science and Technology Charter.

Joe Carrigan: Dr. Jan McGee, Ph.D.

Dave Bittner: Yup, yup, and she says herself, she says, "I'm a very smart lady, well educated, I fell for a scam."

Joe Carrigan: Mm-hm.

Dave Bittner: She said she was taken in by a fake Elon Musk, someone who was posing as him online, and one of the things that this story describes that is interesting here is that she was kind of predisposed to fall for an Elon Musk scam because this is a STEM charter school.

Joe Carrigan: Right.

Dave Bittner: Like, so this is a science and technology school, and evidently she had been trying to get -- she'd been trying to engage with Elon Musk to take part in the educational process at this school, and I don't know if that meant to get money from them, to just get his participation, to get his endorsement.

Joe Carrigan: Right.

Dave Bittner: But she's a fan of the things that he does, and so she had been attempting to get ahold of him and, presto change-o, somebody comes who claims to be him and takes her down a path.

Joe Carrigan: Now, I wonder, I wonder if this is coincidence or not.

Dave Bittner: Yeah. Well, that's a really good point because there's a couple articles that I've read about this as I was doing the research here, and I can't recall if it's in this specific one, but someone made the point that she had been making some of this outreach publicly and perhaps someone had seen that, and sort of in an aspirational kind of way, and perhaps it's possible that someone had seen that and said, "Aha, here's our chance." Could also just be coincidence. Hard, hard to say. The good news, if there is any, is that because she was only authorized to write checks up to $50,000 out of the school account, when she wrote a check for $100,000, one of her assistants noticed that, flagged it, stopped the check, and so the school was not actually out --

Joe Carrigan: Okay, good.

Dave Bittner: Of the money. However, it did lead to her resignation. Sounds like there was some other business going on here. Maybe she didn't get along with some of her co-workers and, you know, this, that, and the other thing, but this was the catalyst for her.

Joe Carrigan: Yeah.

Dave Bittner: Resigning.

Joe Carrigan: I don't think -- I'm not sure that's -- that's unfortunate.

Dave Bittner: Yeah.

Joe Carrigan: And I don't know what the -- what the interpersonal relationships are. Maybe that was too big to overcome, but --

Dave Bittner: Yeah.

Joe Carrigan: It's unfortunate that a social engineering scam, an effective social engineering scam, was enough to get this person to resign.

Dave Bittner: Yeah, yeah. And another thing I just want to emphasize that's a part of this story, what you highlighted, is that this is a highly educated person, right? I mean, working at a -- this is the leader of a science and technology school.

Joe Carrigan: Yup.

Dave Bittner: And was led down this path.

Joe Carrigan: We have had stories of other Ph.D.s being scammed on this show a few times.

Dave Bittner: Yeah.

Joe Carrigan: And it's -- it happens. Everybody likes to think, well, I'm not falling for that because I'm not dumb. It's not about how smart or dumb you are. It's about what your emotional state is and how -- what you're already thinking about.

Dave Bittner: Yeah.

Joe Carrigan: And when the opportunity strikes, these -- or arises, these scammers strike and they're going to hit just at the right time, and that's what happened here. Dr. McGee just so happened to be in the right psychological state to believe that who she was talking to was Elon Musk.

Dave Bittner: Yeah.

Joe Carrigan: Because she had gone through and tried to reach out to him. Now, if somebody pretending to be Elon Musk contacted you or me, people like, "Yeah, right." I'll believe it when a free Tesla shows up at my house.

Dave Bittner: Right, right, right, right. Commuting to work by rocket ship.

Joe Carrigan: Right. But yeah, I . . .

Dave Bittner: But you know what, I think that's a really good point, Joe, but that doesn't mean that there isn't somebody who we would fall for, right? Somebody that -- like, there's got to be -- I'm just trying to think, like, who would I be so enamored with, who am I such a fanboy of, or some -- I admire so much, admire, respect, worship, whatever, that if someone from their office reached out to me, would I fall for it hook, line, and sinker.

Joe Carrigan: Yeah, I can think of someone right now that I would -- I would -- I would fall for, but I'm not going to say that person's name.

Dave Bittner: Same for me, is I'm lucky Jim Henson is dead.

Joe Carrigan: Right.

Dave Bittner: So anyway, all right. Well, we will have a link to this story in the show notes. Definitely worth a look there. Joe, what do you have for us this week?

Joe Carrigan: Dave, my story comes from Max Heinemeyer who is the Chief Product Officer at Darktrace, and the title of his -- he has a blog post called "Tackling the Soft Underbelly of Cybersecurity-Email Compromise." There's hyphenated there after "cybersecurity" and "email compromise." So he's talking about -- early on in the article, he's talking about a survey they ran, a market survey. One of the things they found in this market survey was that 70% of respondents say they have seen an increase in phishing attacks in the past six months, which is significant.

Dave Bittner: Yeah.

Joe Carrigan: Further down in the article, he mentions that a few weeks ago, Darktrace had some research that they published that said they have not seen an increase in the number of attacks, but they've seen a change in the composition of the attacks and there -- what he's saying here is there has been a 135% increase in novel social engineering attacks in January and February of this year, 2023.

Dave Bittner: Hmm, what does that mean?

Joe Carrigan: That's an excellent question, "What does that mean?" It means that they are different from previous social engineering attacks or from the other social engineering attacks that were coming at the same time.

Dave Bittner: Oh.

Joe Carrigan: They are -- the content is longer. It's more accurately worded. It's got better punctuation. There aren't any grammar mistakes in it. Can you guess why?

Dave Bittner: I -- I'm -- I have an -- I have a notion, but I'm going to let you tell us what it is.

Joe Carrigan: It's because they think, and I'm almost positive this is right, that attackers are using generative AI in order to generate these phishing emails.

Dave Bittner: Uh-huh.

Joe Carrigan: Which you can go to ChatGPT and say, "Write a phishing email convincing" -- we've seen -- we had stories on that. In fact, I think all of my stories for the past, like, month have just been AI stories, so this is another one.

Dave Bittner: Right.

Joe Carrigan: These phishing attacks are getting much better, and these attackers are shifting their attention away from the flimsy, you know, click on this link, you need to reset your password, right, to having ChatGPT write them a phishing email that says, "Click on this link to reset your password." That's a credential harvesting site. The question about this is, what do we do about this?

Dave Bittner: Yeah.

Joe Carrigan: The social engineering -- the effectiveness of these attacks, if I can tailor these kinds of attacks, in the past, we've talked about the difference between phishing and spear phishing and how I can spend more time writing a spear phishing email and it will be much more effective.

Dave Bittner: Yeah.

Joe Carrigan: Well, now we're seeing people writing phishing emails using AI that are going to be more effective as well. So they're going to hit larger portions of a spear phishing email, probably the same amount of contact as they would have with a regular phishing email, but it's going to be a much higher quality phishing email in terms of -- in terms of writing, and that means it's going to have a much higher quality or much higher rate of success.

Dave Bittner: Yeah.

Joe Carrigan: I'm going to predict, here's one of my predictions, Dave, that we're going to find that the AI-generated phishing emails are at least 10 times as effective as one that a human writes.

Dave Bittner: Hmm, okay.

Joe Carrigan: That's my -- that's my prediction.

Dave Bittner: The thing that strikes me here also is that they can iterate so much more quickly.

Joe Carrigan: Right.

Dave Bittner: Right? And also it will assist with the research. In other words, if I'm trying to go after a particular CEO at a company through a business email compromise, I can have ChatGPT start off by saying, "Write me a friendly letter to this CEO."

Joe Carrigan: Right.

Dave Bittner: And if that person has a pretty high profile online, it'll be able to draw in things that it knows about that person.

Joe Carrigan: Right.

Dave Bittner: And -- and off you go. So all that research time would -- can be saved by using a tool like this.

Joe Carrigan: Yup, absolutely. So the question becomes, what do we do?

Dave Bittner: Yeah.

Joe Carrigan: And Max has one comment about that. He says, "Do not lay it on the employees," because giving the employees the responsibility is essentially going to create a trust gap in everything that they do, and they're going to spend all of their time and they're going to be relentlessly suspicious of every single email that comes in, and that's going to slow them down. Also, you know, if you have a punitive culture there for things that happen badly, you know, for malfeasance in the company, whatever --

Dave Bittner: Yeah.

Joe Carrigan: Then that's going to also cause people to stop and slow down and take everything very seriously.

Dave Bittner: Right.

Joe Carrigan: The rest of the article then goes on to talk about Darktrace's products, which is a blog post on the company's website, you would expect, right?

Dave Bittner: Sure, but here's the problem to which -- to which we have the solution.

Joe Carrigan: Right, yeah. And they do sell AI-powered tools that monitor your emails and watch things like that.

Dave Bittner: Sure.

Joe Carrigan: But my observations are this, one, first and foremost, email is still terrible, and I've been saying that now for a number of years. It's the only service on the Internet that anybody can put something into your inbox or into, you know, just give you something and you will accept it. That's the only service on the Internet that's like that.

Dave Bittner: Yeah.

Joe Carrigan: You don't have to have a webpage that takes any input from somebody else. You can just give things out all the time. But email by its nature has to receive things, right? I would like to think of some possible solutions for this. One of them is just really strict filtering on who you accept messages from. Perhaps there's some way we can do public/private key -- well, there actually is a way already to get public/private key encryption.

Dave Bittner: Oh, that's so easy, Joe.

Joe Carrigan: Right, yeah. It does have -- it does have a hurdle.

Dave Bittner: Yes. But that's the thing, right?

Joe Carrigan: Right.

Dave Bittner: I mean . . .

Joe Carrigan: These things are -- these things are a little tougher to do.

Dave Bittner: Yes, yes.

Joe Carrigan: So . . .

Dave Bittner: I don't know. I think, from what I see, what I suspect is going to happen is that as the next generation comes up and they're using email less and less, right?

Joe Carrigan: Yes.

Dave Bittner: My kids don't use email to communicate with each other. Yours probably don't either.

Joe Carrigan: No.

Dave Bittner: No?

Joe Carrigan: I'm -- I've -- I'm almost walked away from email. I mean, it's -- I use it very sparingly for things. I use it for communicating with a very small specific group of people, and then I use it for communicating with companies and -- that I do business with.

Dave Bittner: Right.

Joe Carrigan: That's it. Everything else is spam in those email -- I got a Yahoo inbox with 2,000 messages that I will never read.

Dave Bittner: Yeah, I mean, that's the thing, and it is still the standard for business communications.

Joe Carrigan: Right.

Dave Bittner: And that's -- and beyond there dragons be, right?

Joe Carrigan: Yes.

Dave Bittner: And that's -- that's the problem, yeah.

Joe Carrigan: I don't like email anymore, Dave.

Dave Bittner: All right, well --

Joe Carrigan: When I first got an email address, I loved it. Now I hate it.

Dave Bittner: Oh, we all -- you remember the thrill of -- I remember the feeling the first time I logged into a local bulletin board, you know, back in the old dial-up days.

Joe Carrigan: Yes.

Dave Bittner: And logged into a local bulletin board where, for the youngsters in the audience, it was one at a time could use this thing, right? So if you dialed up and there was a busy signal, that meant someone else was using it and you needed to wait your turn, but the thrill of the first time you got email from someone, it was like, what?

Joe Carrigan: That was --

Dave Bittner: Like, I got mail and it's electronic.

Joe Carrigan: That was -- that wasn't like email, though. That was like the bulletin board service mail?

Dave Bittner: Yeah, but I mean, it was still -- yes, you are correct. I mean, it was mail, so private mail within the bulletin board itself, so not talking about like, you know, today's federated mail and all that kind of stuff, the precursor, but still, you know, that was the first -- just interacting with other people via computer was novel at the time.

Joe Carrigan: Yes.

Dave Bittner: And exciting.

Joe Carrigan: Indeed.

Dave Bittner: Yeah. All right, well, we will have a link to that blog post in the show notes, and again, we would love to hear from you if there's a story you'd like us to cover. You can email us. It's hackinghumans@thecyberwire.com. All right, Joe, it is time to move on to our catch of the day.


Joe Carrigan: Dave, our catch of the day comes from J.P. who writes, "Hi, Dave and Joe, I got this beauty in my inbox today. Had I not been listening to your show for some time now, I may have fallen for it. Thanks for keeping us informed." Dave, this is masterful. You want to read it?

Dave Bittner: Yes, it starts off and it says, "Dear Customer, we're excited to inform you that we will be upgrading our services to better meet your needs. As one of our valued customers, we want to ensure that you have the best possible experience with our company. Our service upgrade will provide you with the following benefits, improved speed and performance of our services, enhanced security features to protect your data, additional features and functionalities to improve your user experience. Here are the other details. Amount, $389. Product, anti-threat protection. We understand that change can be difficult, but we are confident that these upgrades will significantly improve your overall satisfaction with our services. Our team has been working hard to ensure a smooth transition and minimal disruption to your service. The upgrade will take place on April 6, 2023, and we expect it to take approximately 12 to 24 hours. During this time, you may experience some temporary service interruptions, but we will work to minimize any downtime. We appreciate your loyalty and trust in our company and we look forward to continuing to serve you with the best possible services. If you have any questions or concerns regarding this upgrade, please do not hesitate to contact us. Thank you for choosing Nort-0ne." Okay, it was so good.

Joe Carrigan: It was.

Dave Bittner: So good.

Joe Carrigan: This is probably written by AI.

Dave Bittner: Yeah. So what we neglected to mention is, at the very top of this, there is a logo from Norton.

Joe Carrigan: Norton. It says "Norton 360."

Dave Bittner: Yeah, and Norton, the well-known -- well, I guess, I mean, originally known for virus protection, all sort -- Norton utilities.

Joe Carrigan: Yeah, Peter Norton.

Dave Bittner: Yeah, Peter Norton had a suite of utilities, and these days, I guess it's mostly virus protection, that sort of thing.

Joe Carrigan: Yes.

Dave Bittner: A well-known name.

Joe Carrigan: Identity protection as well.

Dave Bittner: Yes, yes, yes. So the last sentence of this says, "Thank you for choosing Nort-0ne," N-O-R-T dash the number zero, N-E.

Joe Carrigan: Right, and why it does that is that gets it through the spam filter.

Dave Bittner: Yeah.

Joe Carrigan: Because the spam filter knows that it's not coming from a Norton address, and the spam filter doesn't see the picture says "Norton" on it.

Dave Bittner: Right.

Joe Carrigan: You do, the human, but the spam filter sees the "Nort-0ne" down the bottom and it goes, "Well, that's not -- okay, that's fine. Let it through." So there is a little bit of trying to elude a spam filter that makes it look a little janky in here, but this whole thing is really well written.

Dave Bittner: Yeah.

Joe Carrigan: And that kind of makes me think that this is AI-generated.

Dave Bittner: Yeah, I agree. I agree. All right, well, again, thank you to J.P. for sending that in to us, and we would love to hear from you. Send us your catch of the days to hackinghumans@thecyberwire.com.

Dave Bittner: Joe, I recently had the pleasure of speaking with Paul Dant. He is --

Joe Carrigan: Paul Dant.

Dave Bittner: He is Senior Director of Cybersecurity Research at Illumio. Here's our conversation.

Paul Dant: I actually got started when I was around nine years old. My interest in computer games sort of unexpectedly led me into what would be my first lesson in reversing software. I was really fascinated with computer game design, the industry, the business, everything about it, so I wanted to replicate that. I taught myself how to code in BASIC and I wrote my first game called "Gulliver's Travels." Never read the book. I'm pretty sure I got the idea from that Ted Danson TV film, Gulliver's Travels, but nevertheless, what I was also really interested in was studying how these game developers were using copy protection to make sure that people were actually paying for their games. So I pursued the shareware model where I could charge people $5 for a number that they could type in, made some money, you know, in my fourth-grade class. Wasn't really smiled upon to run a software enterprise in fourth grade, but what I also encountered was a parent of one of the kids who had bought my game said they found my code in my software and that their kids should get their money back, and then, you know, kind of piled on where people were upset about paying for something that they felt they shouldn't have to pay for. And long story short, understanding that somebody could find my little code in that software was eye-opening for me, and so at nine years old, I really wanted to pursue that, and so I kind of retired from software development and jumped right into software piracy and started learning how to crack games. Once I got into modems and bulletin board systems and all that stuff, I got pretty heavy into, you know, warez and distributing, not so much for money, but the barter system, distributing cracked software for cracked software. And then it was really Sneakers, I'm sure you're familiar with that film with Robert Redford in --

Dave Bittner: Sure.

Paul Dant: The early '90s, that kind of got me thinking, you know, all of this stuff that I'm doing at school that I'm kind of getting in trouble for, I could do this as a living. I could actually have people pay me to break into their stuff and then show them how I did it so they can stop other people from doing it, and that's really what set me on the path. So I'll end it there. That's kind of going back in time and really how I got to where I am today.

Dave Bittner: Well, let me rewind a little bit back with you. I'm curious, when you say that one of the parents found some code, what exactly was going on there? What was it that had folks upset about what you were up to?

Paul Dant: Great question. So what it really came down to, I think it was, as I mentioned before, this was a game that was written in BASIC, and my mind was still thinking that people are just interested in seeing a demo, paying me money, and playing the game. What I didn't realize is that, you know, it's very easy to hit ctrl-C and then type "list" and see the actual code of my game. That was just the nature of it being a game written in BASIC. And so I think when one of the parents was able to find that without paying for it, that was kind of the justification to say, you know, "We want our money back." Like, "We didn't need to pay you to play this game." And, yeah, that was a shift in thinking for me, absolutely.

Dave Bittner: That's interesting, and, you know, it sounds like you and I sort of came up around the same time, and for folks who may not have been around then, you know, a lot of this, we're talking about floppy disks and maybe even cassettes of loading and saving software. But it's fascinating, you know, you're right, back then the early software developers and the folks who are selling that stuff, they would use all kinds of clever copy protection on those disks to try to keep people from copying them, from selling those wares, but I feel like every one of us, we had a friend, and it sounds like for your friend group, you were that friend who knew how to get in there and unlock those disks so that everybody could get a copy of that latest hot game.

Paul Dant: Right, right. It kind -- it became a hobby, in a sense, but it was also just, in my mind, it was also research, you know, was hacking these games, not just to distribute them, and, you know, I certainly wasn't thinking about the commercial ramifications back then, although I probably should have been, but it was really more about understanding how those things worked, and, of course, that branched into just the general idea of reverse engineering software. And what's so interesting and why I like to tell stories like this is, how long ago that was, how rudimentary we might think some of the technology was. You mentioned cassettes, and, you know, five and a quarter inch floppy disks, but fast forward to today and I would venture to say that your average Android application is just as easy to reverse engineer as my game was in the late '80s because certain aspects of what software is and how it works just simply haven't changed.

Dave Bittner: How does that inform the work that you do today? I mean, for me, I think back to that time and I really appreciate that those old early computers taught me how to think. They taught me how a computer works and taught me how, as a human, to interact with the machine. I mean, you learned a lot of lessons back then. Are you still using those lessons today?

Paul Dant: One hundred percent. In fact, that's one of the key things that I love about being at Illumio, I love about the Illumio product, is the focus on what I've known since, you know, my early days of hacking, was the core issue, and that is this ability for an attacker, once he or she has gained access into a network, can typically move pretty freely. "Lateral movement" is the phrase that we hear describing that quite a bit. But, you know, when I was carrying out these attacks, kind of taking over, you know, middle school networks, I grew up in a pretty rural area of Maryland, and so there was not a lot of, what I would say, computer awareness or computer savviness primarily among the staff at the schools, and so there was just a lot of question, you know, what is that kid Paul actually doing on these computers, and those days were what really showed me that getting into one computer alone is typically not going to be enough, and now, especially when you look at the much larger, much more diversified attack surface that we see today on the Internet, it makes a lot of sense that moving past some of these security controls that we've kind of thought of as the "the" security controls for a very long time, they can be evaded, and once that attacker has gained access to a single system in that network, typically they're able to move around, and that's how these ransomware attacks that we see unfolding quite a bit these days and have been for years, that's really how they're able to be so successful, moving silently from system to system, analyzing what's on those systems and finding exactly what would cause the most havoc, whether it's bringing their operations to a halt, releasing confidential, sensitive information, whatever the manner of extorting that money ultimately is, the key to it really is lateral movement, and that's kind of the lesson that I still apply today, to answer your original question, Dave.

Dave Bittner: When we're talking about that risk, that digital risk, but then also the human side of it, that a big part of this these days is social engineering. How do you recommend that people go about balancing how they protect themselves across those two domains?

Paul Dant: It's a great question, Dave, and not a very easy answer. We see the attackers are constantly shifting and adapting, whether it's when we bring in multifactor authentication to help better secure an account, finding ways to evade or even just utilize that to their benefit. So I think when I really look at it, it comes down to an understanding of what these attackers are ultimately looking for, what is the motivation, and it's, in most cases, either your financial accounts information or your username and password. So as much as we talk about it, it's still critical to be reminded that those are sets of information that absolutely must remain with us, that our bank is not going to be calling us asking, "What is your password to your account?" That's not going to happen. I still think, you know, we have some work to do in getting that awareness really out there.

Dave Bittner: What are your recommendations, then? You know, when you're out and about talking to folks who are looking to better protect themselves, what are your words of wisdom?

Paul Dant: So if we're talking about individuals, you know, it's don't panic. That's the first recommendation I always make. We see all of these examples of, you know, people who may, in some ways, be especially vulnerable to a popup on their computer or a phone call that says, "We're monitoring your system. We're from Microsoft. You have a virus." My first recommendation is explaining that that's just not going to happen in a legitimate scenario. Microsoft is very, very unlikely, if at all possible, going to know that you have a virus on your computer, and, you know, we're still in the age where we have a lot of people utilizing technology that they aren't necessarily that deeply aware of and don't have a deep understanding of to even know that, that Microsoft's not going to call them. Microsoft doesn't know they have a virus. So that's one of the first things when it comes to individuals. Now, enterprises, corporations, I think, you know, that's a whole other set of things when we're talking about very differently motivated attackers who are using very different techniques.

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, do you know that I know Paul Dant?

Dave Bittner: I -- well, I did not know that. I know that now. How do you know Paul Dant?

Joe Carrigan: Paul Dant and I used to work together.

Dave Bittner: Really?

Joe Carrigan: At Accuvant, yeah.

Dave Bittner: Okay.

Joe Carrigan: In fact, when I think of Paul Dant, the first thing I think of is the earthquake that happened in 2011.

Dave Bittner: Yeah.

Joe Carrigan: Because I was sitting at my desk, under what my -- under what my boss, Chris Cullison, called the "widow-maker," which was a network cabinet that was not bolted to the wall when the earthquake happened, and the first time, I thought one of -- another one of our co-workers was shaking my desk, so I stood up and looked over my desk to see nobody there, and then Paul came out of his office and goes, "Was that an earthquake?"

Dave Bittner: Wow.

Joe Carrigan: And then the earthquake, it came as a second wave and I realized I'm standing underneath the widow-maker, so I ran out of my cubicle before I got killed. It didn't fall off the wall.

Dave Bittner: Well, thank goodness.

Joe Carrigan: There's my Paul Dant story.

Dave Bittner: Yeah.

Joe Carrigan: I know Paul Dant. I'm a big fan of Paul Dant. Paul -- my job at Accuvant, or Ciphent/Accuvant was the first hardcore all-cybersecurity job I had.

Dave Bittner: Okay.

Joe Carrigan: So I've learned quite a bit from Paul.

Dave Bittner: Oh, nice.

Joe Carrigan: I'm very interested to find out he got started at the age of nine.

Dave Bittner: Yeah.

Joe Carrigan: And it was the reverse engineering part that got him into it. Somebody had essentially reverse engineered his BASIC code.

Dave Bittner: Yeah.

Joe Carrigan: Or his environment, really. And it's really an interesting story. My opinion of that would have been, when parents came to me asking for the $5 back, would have been, "No, you paid for the license, actually. Did you read the EULA?" Because -- there were no EULAs, no fourth-graders writing EULAs, right?

Dave Bittner: No.

Joe Carrigan: So, I mean, but I don't think those people were entitled to their money back. They paid for the software.

Dave Bittner: Right.

Joe Carrigan: It was shareware. Paul is correct about Android apps being very similar to BASIC. You know, BASIC is not a compiled language. It's essentially a very early scripting language. I remember the first thing I learned was BASIC.

Dave Bittner: Yeah, me too.

Joe Carrigan: And the first thing I did with it was write a game as well. It was not a -- I don't -- I got it -- it was terrible code all the way through, but what do you expect from a 12-year-old?

Dave Bittner: Well, that's okay.

Joe Carrigan: Yeah.

Dave Bittner: I mean, that's -- that's what BASIC is for.

Joe Carrigan: Right.

Dave Bittner: You know, I mean, it's to introduce you to it, and it's great for that.

Joe Carrigan: It is.

Dave Bittner: Yeah.

Joe Carrigan: The big point here, one of the big points that Paul touches on that's a little kind of -- it's not explicitly stated, but the general curiosity is what you're looking for in somebody who wants to go into cybersecurity. They need to have that curious nature that takes them and goes, well, how does that work? I need to know how that works because I'll bet that doesn't work right or doesn't work well or isn't built well, and, you know, sometimes when I look at -- look at the inside of things, I wonder how it works at all, and I frequently go, "I'm amazed this works."

Dave Bittner: Yeah.

Joe Carrigan: And when Paul's talking about that process of thinking, of, you know, when he was talking about reverse engineering and cracking things, once you kind of get that process, once you kind of -- you have it, you can always use it for a lot of different things. It's really helpful. One of the key barriers, however, to this process is there are a number of epiphanies that you need to have along the way, and I'll give you a great example. The very first epiphany I had to have when I was essentially learning how to program by reading a book in 1981, sitting in front of an Osborne computer --

Dave Bittner: Yeah.

Joe Carrigan: Which was, I was trying to understand, how am I going to get the computer to know that I want to play a game, that I wanted to produce a game, and I sat there and thought about it for like two hours and, like, was racking my brain about it until it dawned on me. You big dummy, the computer doesn't know anything, right? The computer is waiting -- is just following the instructions you give it. You're telling the computer exactly what to do and when to do it.

Dave Bittner: Right.

Joe Carrigan: That's what's happening.

Dave Bittner: Yeah.

Joe Carrigan: But if you don't have that understanding, and you say, "Yeah, right," like as if that's first -- first-hand knowledge to you, but at some point in time, you had to make that realization --

Dave Bittner: Right.

Joe Carrigan: Of what happens, of how that works, and everybody who works in IT works in -- works in computer science, works in cybersecurity, they all know that, but if you don't ever make that leap, then I don't know -- I don't think you'll ever make, you know, make it in the field. I just don't -- I think you need to have -- and there are a number of those things that need to happen, and there are people that can guide you along the way.

Dave Bittner: Yeah.

Joe Carrigan: Like, one of my favorite things is my daughter. When she started taking programming classes, I told her about the epiphany story about, you know, the computer and she said, "Yes, my instructor was very good at teaching that. He said the computer is a fast idiot."

Dave Bittner: That's good.

Joe Carrigan: I said, "That is an excellent way to describe it."

Dave Bittner: Right.

Joe Carrigan: So good teachers are imperative, I guess, but --

Dave Bittner: Yeah.

Joe Carrigan: Back to what Paul was saying, when he starts talking about the current stuff, attackers getting into a network and moving around, you know, many times attackers go into a network and they can just freely move about, but they're also doing this because they've been through the same process and have the same curiosity.

Dave Bittner: Yeah.

Joe Carrigan: You know, they want to find out. You know, they want to make their money, but at the same point in time, they want to see what you've got, right? It's not just -- they're not just there to make money. They're kind of also there because they enjoy what they're doing. What does this network look like? I really want to know. What are these guys doing? Are they going to be able to stop me? Probably not. I'm a pretty advanced hacker. I can get in here.

Dave Bittner: Right. How do they have things organized?

Joe Carrigan: How do they have things organized? What barriers am I going to have to get around? Can I get around them? These are all almost fun for these guys.

Dave Bittner: Yeah, well, in a way, it's a game in itself.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: I like what Paul says here, two pieces of advice. Keep in mind their goal, and when I give talks on cybersecurity, I tell people the number one goal is money. Any other goal is just to get to the money, right?

Dave Bittner: Right.

Joe Carrigan: So they want either your money or they want access to your money, or they want something that will make you give them money, or they want you to route your money. They want something, but it's always money is the end -- is the end goal. And every year, the Verizon report comes out, the VDBR, the Verizon Data Breach Report.

Dave Bittner: Right.

Joe Carrigan: And every year it says that the vast majority of these crimes are financially motivated. The second piece of advice that Paul offers is really good advice and it's, don't panic.

Dave Bittner: Yes.

Joe Carrigan: Remain calm, and we talk about that a lot in the show. The goal of these phone calls and emails is to panic you, because when you panic, you don't think clearly. That fires off your amygdala, and the amygdala thinks a lot faster than your upper brain, and it results in you doing whatever you think you need to do to get out of the situation you're in. It's great when you have a fight-or-flight, a real fight-or-flight situation and your amygdala makes a decision whether you're going to stand and fight or run, it's perfect. If you're out in the woods and there's a wolf near you, that's a good situation to have that ability.

Dave Bittner: Right.

Joe Carrigan: But if you're on the phone with somebody who's scaring the crap out of you because you're going to -- they're going to -- they're going to turn your electric off tomorrow --

Dave Bittner: Yeah.

Joe Carrigan: Right? How are you going to cook? Then you got to go and get me a Walmart gift card. Okay, okay, okay, I'll do that.

Dave Bittner: Right.

Joe Carrigan: It's don't panic in these situations.

Dave Bittner: Yeah.

Joe Carrigan: That's the goal of these guys' operation, is to shut down your cognitive processes. It's good to hear from Paul. I got to reach out to Paul. We got to get together.

Dave Bittner: Yeah, yeah. Well, it's nice to know that you two have that connection.

Joe Carrigan: Yeah.

Dave Bittner: And again, our thanks to Paul for joining us. That's Paul Dant. He is the Senior Director of Cybersecurity Research at Illumio, and we do appreciate him taking the time.

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.