Human sources are essential.
Dennis Franks: [00:00:00] In any investigation, whether it's criminal in nature or counterintelligence, it is absolutely essential to develop human sources of information.
Dave Bittner: [00:00:11] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire on the trailing edge of still having a cold. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:33] Hi, Dave.
Dave Bittner: [00:00:34] Later in the show, we've got my interview with Dennis Franks. He's a former FBI agent, and he's got some interesting insights to share.
Dave Bittner: [00:00:41] But before we get into all of that, a quick word from our sponsors at KnowBe4 - what really makes a strong password? And why are your end users tortured with them in the first place? How do hackers crack your passwords with ease? And what can or should you do about your authentication methods? Stay with us because later in the show, we'll tell you about an insightful new webinar coming up from our sponsor KnowBe4 that will fill you in on what you need to know.
Dave Bittner: [00:01:11] And we are back. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:01:15] Dave, you remember last week, I said I was going to give the listeners an overview of open-source intelligence gathering.
Dave Bittner: [00:01:21] Yup, yup.
Joe Carrigan: [00:01:21] ...Or OSINT, as it's called in the industry.
Dave Bittner: [00:01:23] Right.
Joe Carrigan: [00:01:23] ...Or OSIG. It depends on which acronym you like. There are tons of places where you can get information about anybody online at little to no cost.
Dave Bittner: [00:01:33] Yeah.
Joe Carrigan: [00:01:33] And I used a couple of guinea pigs named Joe and Dave...
Dave Bittner: [00:01:36] Oh, my.
Joe Carrigan: [00:01:37] ...For these searches. What do you think the first source was?
Dave Bittner: [00:01:41] I would probably start off by Googling someone's name.
Joe Carrigan: [00:01:44] Google - yeah, exactly.
Dave Bittner: [00:01:44] Yeah.
Joe Carrigan: [00:01:45] Exactly. So I Google you, and I find your LinkedIn profile, your Twitter page. And then I find a website called Muck Rack.
Dave Bittner: [00:01:52] Uh-oh.
Joe Carrigan: [00:01:53] Uh-huh. I click on that, and it tells me that you use an iPhone.
Dave Bittner: [00:01:56] That's true.
Joe Carrigan: [00:01:57] And it gives me the longitude and latitude of your home.
Dave Bittner: [00:01:59] Oh. Huh.
Joe Carrigan: [00:02:01] Amazing.
Dave Bittner: [00:02:01] Really?
Joe Carrigan: [00:02:02] Right? I was surprised to even find that. It wasn't even an address. So I'm wondering how they're getting that information.
Dave Bittner: [00:02:07] I would imagine it comes from my iPhone.
Joe Carrigan: [00:02:09] I would imagine that it does.
Dave Bittner: [00:02:10] But - and, I mean, that's sort of creepily specific, don't you think?
Joe Carrigan: [00:02:12] But how do they get it out of your iPhone? Because Apple's pretty good about protecting their users, right?
Dave Bittner: [00:02:16] Yeah, but Facebook isn't.
Joe Carrigan: [00:02:18] No, you're right - hundred percent correct.
Dave Bittner: [00:02:21] So there you go. My address is in the public record. I purchased my home, but...
Joe Carrigan: [00:02:25] Yup, yup. Mine is, too.
Dave Bittner: [00:02:26] Huh.
Joe Carrigan: [00:02:27] I Google my name, and there's a Navy officer with the same name who comes up first.
Dave Bittner: [00:02:32] Oh.
Joe Carrigan: [00:02:32] But the third link takes me to the JHU site that talks about a Baltimore Sun article where I was quoted.
Dave Bittner: [00:02:39] OK.
Joe Carrigan: [00:02:39] I think it was about the Under Armour breach.
Dave Bittner: [00:02:41] OK.
Joe Carrigan: [00:02:41] ...Or MyFitnessPal. If you go onto the second page of the Google results, you find out that I'm a certified scrum master.
Dave Bittner: [00:02:49] What's that?
Joe Carrigan: [00:02:49] That's - it's a software development certification...
Dave Bittner: [00:02:51] OK.
Joe Carrigan: [00:02:52] ...For agile development. So then I click on the images tab for my name, and bam - there's two pictures of me right in the second row, right? The first row was all Captain Carrigan from the Navy, but me, I'm on the second row.
Dave Bittner: [00:03:05] (Laughter) Captain Carrigan - I like that.
Joe Carrigan: [00:03:06] That's his name (laughter).
Dave Bittner: [00:03:06] It sounds like a Saturday morning cartoon or something, you know?
Dave Bittner: [00:03:08] But all right.
Joe Carrigan: [00:03:09] It does.
Dave Bittner: [00:03:09] Go ahead.
Joe Carrigan: [00:03:11] I right-click on one of the photos of me, and I select - because I'm using Chrome - I select search Google for image. And a bunch of information comes up. And this leads me onto my next topic, which is reverse image search.
Dave Bittner: [00:03:23] OK.
Joe Carrigan: [00:03:23] All right. This is a lot of fun. I reverse image search your Twitter photo, and the best guess that Google comes up with - it says Dave Bittner.
Dave Bittner: [00:03:33] Yeah.
Joe Carrigan: [00:03:34] So I put your photo into it, and it comes up Dave Bittner. And it says, here's another picture of Dave Bittner. And I find out that you're a member of the Rotarians.
Dave Bittner: [00:03:42] That is true.
Joe Carrigan: [00:03:43] Right. So it's amazing that - how much information I can find just by reverse searching your image. Now, when I do a reverse image search of my Twitter image for @jtcarrigan, the best guess that comes up is gentleman. Now, I find that a little bit ironic (laughter).
Dave Bittner: [00:03:58] Well, I think that's true. You're a gentleman.
Joe Carrigan: [00:04:00] Well, here I am doing some...
Dave Bittner: [00:04:00] But you're not the gentleman.
Joe Carrigan: [00:04:01] No.
Dave Bittner: [00:04:01] But all right.
Joe Carrigan: [00:04:03] I'm doing very ungentlemanly things on this - in the episode.
Dave Bittner: [00:04:04] That's true. Does a gentleman do reverse image searches on his friends?
Joe Carrigan: [00:04:08] Right.
Dave Bittner: [00:04:08] I don't know. All right. Proceed.
Joe Carrigan: [00:04:10] I click on similar images, and it's - a lot of old white guys come up, and some of them look pretty crazy.
Dave Bittner: [00:04:17] Boy, the truth hurts, doesn't it, Joe?
Joe Carrigan: [00:04:19] Yeah, it does (laughter).
Dave Bittner: [00:04:21] Really does.
Joe Carrigan: [00:04:21] So it wasn't all that productive for me. But there's a lot of links to my tweets. There's a link to an article where I was quoted in The Wall Street Journal. And then it shows Peter Kilpe's Twitter page.
Dave Bittner: [00:04:31] Oh, yeah, our executive producer here.
Joe Carrigan: [00:04:33] Your executive producer.
Dave Bittner: [00:04:33] Huh. That's interesting.
Joe Carrigan: [00:04:34] So it somehow knows that we're associated - I'm associated with Peter Kilpe.
Dave Bittner: [00:04:38] Uh-huh. Right. Interesting.
Joe Carrigan: [00:04:38] So after Googling, I wanted to go to some social media, but I couldn't use you and me because we're connected on all platforms of social media. So I picked a random friend - that wasn't really that random. But then I went through their friends, and I picked, at random, one of their friends, and we only had one contact in common. That was our first friend. And then from that person's list of friends, I picked another friend.
Dave Bittner: [00:05:03] OK.
Joe Carrigan: [00:05:04] Right? So this is somebody who's far away from me.
Dave Bittner: [00:05:06] Right.
Joe Carrigan: [00:05:06] ...As far away as I wanted to get in this exercise.
Dave Bittner: [00:05:08] OK.
Joe Carrigan: [00:05:09] And here's what I found out about that person just by looking at their profile while being logged into Facebook. First off, I was surprised by the number of people that I could not send friend requests to, which is great. It was about 10 percent of the people would not let me send them friend requests. And that's because I wasn't a friend or a friend of a friend. There's a security setting in Facebook that says, only allow certain kinds of people to send me friend requests.
Dave Bittner: [00:05:32] Yeah. So people are up on that. They're properly setting those settings to protect themselves.
Joe Carrigan: [00:05:36] Yeah. And it was a lot more difficult than I anticipated actually finding somebody who had a pretty open Facebook profile. I found a lot of them that were locked down. And I was very pleased to see that. But this particular person did not have their Facebook profile locked down.
Dave Bittner: [00:05:49] OK.
Joe Carrigan: [00:05:49] I learned what school that person currently attends...
Dave Bittner: [00:05:52] OK.
Joe Carrigan: [00:05:53] ...Right? - and what their major is at that school. They're a college student.
Dave Bittner: [00:05:56] Yeah.
Joe Carrigan: [00:05:56] Not only that, but I learned the high school they attended. So if I know the high school, then I know their high school mascot. You ever been asked what your high school mascot is, Dave?
Dave Bittner: [00:06:05] No.
Joe Carrigan: [00:06:05] No? Not on a security form for a web account recovery or anything?
Dave Bittner: [00:06:09] No, I don't think that one's come up, but I could certainly see it being one. I mean, that makes sense.
Joe Carrigan: [00:06:13] I get it frequently.
Dave Bittner: [00:06:13] Is that right?
Joe Carrigan: [00:06:14] Yep, yep. I lie. I use something else, and it's not Panthers. So if you're trying to hack my account, don't enter Panthers. Enter something else and guess at it.
Dave Bittner: [00:06:23] Right.
Joe Carrigan: [00:06:23] Because I knew what high school they attended, there is a link on their Facebook profile to the high school's Facebook page. Then I had the address of the high school, so I had the general idea of where they were, right?
Dave Bittner: [00:06:33] Yeah.
Joe Carrigan: [00:06:33] And then I did a quick search on the area, on this person's last name, and found this person's parents - what I believe is this person's parents. I didn't go any further in this. I didn't call anybody. I didn't - I didn't want to freak anybody out.
Joe Carrigan: [00:06:46] And if you're listening, you're going, hey, this sounds kind of creepy. I didn't even - I don't even remember the name of the first friend that I clicked on to get to the second friend, let alone the name of the second friend. I didn't keep any of this information. It was all just temporal.
Dave Bittner: [00:06:59] Right.
Joe Carrigan: [00:07:00] I was just doing these searches. But the interesting part was, when I found this person's mother, the mother's aliases were in there, including the mother's maiden name. Now, that's a very common account reset question right there: what's your mother's maiden name?
Dave Bittner: [00:07:12] Sure. Interesting.
Joe Carrigan: [00:07:13] I mean, it was an astounding amount of information about somebody I didn't know that was just readily available. And it's out there. So how do you protect yourself against this? You lock down your social media accounts. You say, if you're not my friend, you can't see anything.
Joe Carrigan: [00:07:28] And that's pretty easy to do on Facebook. And other social media accounts should have settings - you might have to go in and frequently update it - I don't know - because sometimes these people will change the settings, and you'll have to go back in and reset them. But you should do a security review, periodically, on your Facebook page.
Dave Bittner: [00:07:44] Yeah, that's a good idea. And I think it's fairly routine these days. I know I've certainly gotten in the habit of just doing a quick checking out of people if I'm engaging in a business relationship or something, you know, someone - it's just so easy to Google someone. I don't think there's anything wrong to want to know as much as possible about someone before you talk to them. There's nothing wrong with wanting to build rapport.
Joe Carrigan: [00:08:09] Yep.
Dave Bittner: [00:08:09] And by building rapport, you can say, oh, I understand you're a graduate of the University of Maryland. So I guess my point is, you don't have to be up to no good to use these tools. But the point you're making is that if you are up to no good...
Joe Carrigan: [00:08:22] Right.
Dave Bittner: [00:08:22] ...It's really easy to use these tools. And you know - I mean, 10 minutes - you've got a tremendous amount of information on anybody.
Joe Carrigan: [00:08:28] Yeah, it was a little more than 10 minutes, but it wasn't much more than 10 minutes.
Dave Bittner: [00:08:31] Yeah.
Joe Carrigan: [00:08:31] You know, it was (laughter) - it was remarkable how quickly I amassed this dossier of this person. You know, I can absolutely envision a social engineering attack that begins with, this is so-and-so from high school, and I need your help with something.
Dave Bittner: [00:08:44] Or calling the person's parents and saying, I went to high school with your son. Yeah. I mean, that's going to put their guard down.
Joe Carrigan: [00:08:50] Absolutely.
Dave Bittner: [00:08:50] Yeah. And me mentioning the name of the mascot.
Joe Carrigan: [00:08:52] Correct.
Dave Bittner: [00:08:53] Right? Right (laughter).
Joe Carrigan: [00:08:53] Yeah. Go Panthers.
Dave Bittner: [00:08:54] All right. Well, it's interesting. You know, I think you're right. It's a good idea to go in and check those settings. Better safe than sorry.
Joe Carrigan: [00:09:01] My main point is that you shouldn't trust somebody who calls you claiming to be somebody just because they have information that you think, who would know that about me? Well, it looks like a lot of people can know a lot of information about just about everybody.
Dave Bittner: [00:09:14] Yeah. Yeah. All right, well, my story this week - it has to do with doubting yourself, Joe. Have you ever had a situation where...
Joe Carrigan: [00:09:22] (Laughter).
Dave Bittner: [00:09:23] ...Something happens and only later do you look back on it and think to yourself, wait a minute, was I scammed?
Joe Carrigan: [00:09:32] I think I have had that situation.
Dave Bittner: [00:09:34] Yeah.
Joe Carrigan: [00:09:34] I tend to doubt myself more in the moment (laughter).
Dave Bittner: [00:09:37] Yeah. Yeah. I'm a trusting person, and so - well, I certainly used to be more than I am now. So I'm driving home one day. I had some business to do in Baltimore. And so I'm driving down Route 95. This is probably a decade ago. And my car just dies. Just - boom, zip, zip. Engine shuts off.
Joe Carrigan: [00:09:55] OK.
Dave Bittner: [00:09:56] So I drift over to the shoulder of the road and, you know, pull off in a position where I feel safe. So that's good. Car won't start - it's just dead. So here I am, standing on the side of 95 and call a tow truck. Tow truck driver comes and seems like a nice enough gentleman. We chat a little bit. You know, tell him where I want to take the car to, the garage I want to do the service. So he loads the car up onto the tow truck. He's got one of those platform tow trucks...
Joe Carrigan: [00:10:26] The old Jerr-Dans.
Dave Bittner: [00:10:27] ...Where they just pull the car up onto a platform.
Joe Carrigan: [00:10:30] Yep.
Dave Bittner: [00:10:31] So I go up and sit in the front of the tow truck with the driver as we're on our way to the garage together. And we start chatting, and on our way to the garage, he says to me, he says, you know, this is my last pickup of the day. I said, oh, well, that's interesting. How come? He says, well, my wife is in the hospital actually. She's giving birth to our daughter. I just got word from her that she is - she went into labor, and she's giving birth to our daughter right now. So as soon as I drop off you and your car, I'm going to go, you know, to take the truck back, and I'm going right to the hospital to welcome my daughter into this world. And I said, well, that's wonderful. That's really wonderful.
Dave Bittner: [00:11:16] So we get to - we get to where we're going. We get to the garage. He drops the car off. I thank him very much, and I give him a big, big tip. And I say, thank you so much. Good luck with the birth of your daughter. Have a great day. Here's a big, big tip. I don't say, here's a big, big tip, but I'm thinking to myself, here's a big, big tip for a guy who's about to just have his first child come into the world.
Joe Carrigan: [00:11:41] It's more than you would have given, right?
Dave Bittner: [00:11:43] Way more than I would've given, yeah.
Joe Carrigan: [00:11:44] OK.
Dave Bittner: [00:11:45] And I am generally a generous tipper, but this was a very generous tip. So I finished my business with this gentleman - feeling good about him, feeling good about myself. Life goes on. Car gets fixed. It's about a year later. I'm thinking to myself - for no good reason, I just think about this event. And I think, gosh, I wonder what happened to that guy. I wonder if everything went well with the birth of his daughter. And then I thought to myself, wait a minute - what if this was a scam?
Joe Carrigan: [00:12:10] (Laughter).
Dave Bittner: [00:12:14] What if every car he picks up, he says to the person...
Joe Carrigan: [00:12:18] It's my last pick-up of the day.
Dave Bittner: [00:12:18] ...This is my last pick-up of the day because I'm heading to the hospital because my wife has gone into labor, and I'm going to go there for the birth of my daughter? What do you think, Joe? What's your take on it? Do you think I was scammed or not?
Joe Carrigan: [00:12:32] I don't know. I'd need more information. But...
Dave Bittner: [00:12:34] Yeah.
Joe Carrigan: [00:12:35] ...I'd say there's a good possibility that you're right.
Dave Bittner: [00:12:37] Yeah.
Joe Carrigan: [00:12:38] I mean 'cause you gave him a bigger tip than you normally would have given him.
Dave Bittner: [00:12:41] I did. I absolutely did.
Joe Carrigan: [00:12:42] And yeah, I don't know.
Dave Bittner: [00:12:43] This is one of those...
Joe Carrigan: [00:12:44] I want, like, follow-up with this guy.
Dave Bittner: [00:12:45] I know. Well, you know...
Joe Carrigan: [00:12:47] Does he have a 10-year-old daughter now or son? Or...
Dave Bittner: [00:12:50] Well, you know, maybe if we have anybody in our listening audience who has any association with tow truck drivers or if this is a common scam that makes the rounds among tow truck drivers, you know? Or if you know a tow truck driver, you could ask and let us know if this is something. I'd certainly like to know. Again, we've talked about this before, where this is one of those things where I would have felt like I was much better off had I not had this thought.
Joe Carrigan: [00:13:18] Right, right.
Dave Bittner: [00:13:19] Right?
Joe Carrigan: [00:13:19] Yeah.
Dave Bittner: [00:13:20] Because it troubles me now.
Joe Carrigan: [00:13:21] Right.
Dave Bittner: [00:13:21] I like to give people the benefit of the doubt. And as we've talked about, I would rather live my life giving people the benefit of the doubt and fall victim to this sort of thing...
Joe Carrigan: [00:13:31] Right.
Dave Bittner: [00:13:31] ....You know, it probably costs me 10 more dollars than it would have...
Joe Carrigan: [00:13:35] Right.
Dave Bittner: [00:13:35] ...Or you know, something like that - than to go through my life just being cynical and saying - thinking to myself, you know - ah, well, you know, great. Yeah, he's probably not really having a daughter...
Joe Carrigan: [00:13:46] Right.
Dave Bittner: [00:13:46] ...Born today, you know? Bug off.
Joe Carrigan: [00:13:47] I mean, yeah - I think - again, we're at the point where you're like, you know, what am I out? I'm not out a lot. I voluntarily gave him the money.
Dave Bittner: [00:13:56] Right. Right. It was money I could afford. Right?
Joe Carrigan: [00:13:59] Yeah, it was money you can afford. It's not like it's an ongoing thing where he's going to come back and tell you some sob story about his kid. You're never going...
Dave Bittner: [00:14:05] Right.
Joe Carrigan: [00:14:05] ...To see the guy again.
Dave Bittner: [00:14:06] Yeah. Right, right. And that's what he counts on.
Joe Carrigan: [00:14:08] Right. He doesn't interact with the same people over and over again...
Dave Bittner: [00:14:11] Right.
Joe Carrigan: [00:14:11] ...Because if he has to start interacting with the same person over and over again, that person probably goes out and gets a new car.
Dave Bittner: [00:14:17] Yeah. Right? (Laughter). Right.
Joe Carrigan: [00:14:19] So yeah, I don't know. I have never interacted this way with a tow truck driver because what I've done is called somebody to pick me up and left the key under the mat - right? I mean, nobody's going to steal a car that's not going anywhere...
Dave Bittner: [00:14:32] Right, it doesn't run. Yeah.
Joe Carrigan: [00:14:33] ...And tell the tow truck driver that's where it is. And I never actually have to see them.
Dave Bittner: [00:14:37] All right. Well, that's my story. I'm interested - if any of our listeners have any insights on this, feel free to contact us. It's sort of unresolved, but I think it's something to look out for and be mindful of. So that's my story. But Joe, it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Joe Carrigan: [00:14:56] All right, Dave. We got an email from a listener named Cody (ph). OK? And Cody writes us saying, I listen to your podcasts, and I love them.
Joe Carrigan: [00:15:03] Hey - thanks, Cody.
Dave Bittner: [00:15:04] Yeah.
Joe Carrigan: [00:15:05] My favorite part of your podcast is a Catch of the Day - which is my favorite part too, Dave. I love that. This email came, and I thought of you. Enjoy.
Joe Carrigan: [00:15:13] And the email reads - (reading) I just noticed that you own a domain name and would like to ask if you would like to try an iPhone and Android app sepcifically (ph) made for your site - should be specifically.
Dave Bittner: [00:15:28] (Laughter).
Joe Carrigan: [00:15:28] You can test it, and I am sure you will love it. You can keep both apps for just $50, but that is only if you love it. There is no obligation. I would be thankful for trying, even if you do not want to keep it. It would sound impossible, as how on earth I can develop both these apps at such a measly price and even publish them and prompt users to get it installed. But enough speech - and I'll let you actually see it. I don't charge a penny upfront. I make the app, integrate with both iOS App Store and Android Play Store and then prompt each visitor to install the app on site load. And once they install it, the app will live on the user's home screen, resulting in multiple site visits.
Joe Carrigan: [00:16:18] Think about it. Your site is now on their home screen. And they'll almost always inclined to click on it and visit your site multiple times because you know in your firsthand experience that you will always explore the apps on your phone even when you are offline. Having 100 such app installs would guarantee a handful of regular visits as opposed to the pain we have to go through to bring visitors to our site. This is the only service that will make you iOS and Android apps and let you try and moreover, having such a low price. Would you like to give it a try?
Joe Carrigan: [00:16:56] And then it has, like, the developer's name and their title in the company they work for, which may or may not be real. Who knows?
Dave Bittner: [00:17:02] Yeah.
Joe Carrigan: [00:17:03] P.S. Upon your reply, I'll send in full details, including our site address, past work details, contact information, etc.
Joe Carrigan: [00:17:14] What do you think, Dave?
Dave Bittner: [00:17:16] Well, I think, you know, what could possibly go wrong by installing rogue apps on your devices?
Joe Carrigan: [00:17:22] Right.
Dave Bittner: [00:17:22] Getting your customers, people who are interested in your business, to load an app from an unknown developer...
Joe Carrigan: [00:17:29] Yep. My first feeling on this is that it might be an attempt to steal Cody's domain name.
Dave Bittner: [00:17:34] Oh, yeah. Oh, that's interesting. Huh.
Joe Carrigan: [00:17:36] He's telling you he's going to drive traffic to your site. You're going to load the app. And I would assume that maybe you're going to put some stuff into the app. And maybe it's going to ask you for your registrar's name and credentials. I don't know how this works. I certainly wouldn't install this app. Cody is a student and realizing that this is probably a scam.
Dave Bittner: [00:17:52] Yeah. I would imagine that it's just trying to get this app on people's phones, and then it'll just start harvesting, you know, all the things that rogue apps start harvesting.
Joe Carrigan: [00:18:01] That's probably actually more likely. You're probably right.
Dave Bittner: [00:18:02] Yeah, yeah.
Joe Carrigan: [00:18:03] I immediately go for the worst-case scenario.
Dave Bittner: [00:18:05] (Laughter).
Joe Carrigan: [00:18:06] Thank you, Cody, for sending that in. That's a great Catch of the Day.
Dave Bittner: [00:18:09] No, it really is.
Dave Bittner: [00:18:11] All right. Well, coming up next, we've got my interview with former FBI agent Dennis Franks. But first, a message from our sponsors at KnowBe4.
Dave Bittner: [00:18:20] Let's return to our sponsor KnowBe4's questions about passwords. NIST - that's the National Institute for Standards and Technology - recently set out to lessen our password woes by looking at the problem from different angles and offering new authentication guidance, not to mention advice for composing those pesky passwords. Well, as you can imagine, that advice and its implications came as a shock for some and a relief to others.
Dave Bittner: [00:18:47] On Wednesday, November 14, 2018, at 1 p.m. Eastern Standard Time, our sponsors at KnowBe4 will tell you what you need to know about the recent NIST guidance and related password-cracking problems. Join KnowBe4's chief hacking officer, Kevin Mitnick, with decades of firsthand red team penetration testing experience, as he faces off against Roger Grimes, KnowBe4's data-driven defense evangelist with decades of experience on the blue team. They'll give you an in-the-trenches view of authentication hacking, help you understand the effectiveness of passwords, share perspectives on various password management guidelines and offer advice on building stronger authentication systems employing multiple factors. The referee will be Perry Carpenter, KnowBe4's chief evangelist and strategy officer. Register today at knowbe4.com/password. That's knowbe4.com/password.
Dave Bittner: [00:19:48] We are back. Joe, I recently spoke with Dennis Franks. He is a former FBI agent. Currently, he's the president of a company called Investigative & Security Global Solutions. And he was also the host and executive producer of a show on A&E. It was called "A&E Investigates: The Plot Against America." So here's my conversation with Dennis Franks.
Dennis Franks: [00:20:11] In any investigation, whether it's criminal in nature or counterintelligence, it is absolutely essential to develop human sources of information. I think that it's pretty well-known that there was a period of time in which I think that intelligence and counterintelligence operations started relying too much on other sources of information. You know, whether it's through satellites, you know, communications, (unintelligible) communications and things of that nature - and didn't pay as much attention to human sources. But there's certainly been a realization that use of human sources is absolutely essential.
Dennis Franks: [00:20:51] In my career as an FBI agent, we were required to develop sources. They were known as informants or cooperating witnesses or assets. The terminology depends on the particular area you're working in. And it has changed, to some extent, over the years. But we were evaluated on the ability to develop sources and utilize them to make cases, essentially. And there were even squads and groups dedicated solely to source development, whether it was in the drug trafficking area or other areas.
Dave Bittner: [00:21:30] Now, can you share - what were some of the methods that you used when dealing with these sorts of folks? Were there standard ways that you would manipulate them or get them to do the things you needed them to do?
Dennis Franks: [00:21:41] It really depended on the circumstances. There are sources who would cooperate for various reasons. It could vary - anything from just a good citizen who wanted to help to somebody who kind of had this cop-wannabe attitude. It could be those who were in it for gain. You know, maybe they thought they could make some money doing it. There were a number of them - and probably the vast majority, at least in the criminal investigative arena - who would cooperate to reduce their possible sentences from their criminal activity. They had been arrested or were possibly going to be arrested, so they would cooperate to reduce their sentences.
Dennis Franks: [00:22:31] And the way you dealt with the source would depend on those circumstances. The ones who were of a criminal nature - the cartel leaders, those involved in organized criminal activity - you tended to be a little more heavy-handed with them or a little more direct with them, whereas there may be someone who is reporting on white-collar criminal activity who's just a citizen who wants to do the right thing. And you deal with that person a little differently.
Dennis Franks: [00:23:02] Now, I'll say this. The intent and the methods used were generally geared toward getting the person to cooperate, gaining their trust and confidence. So when I use the word heavy-handed, I don't mean that you were necessarily rough with them. But your position, your attitude would be a little different when you're dealing with the drug cartel leader or a member of the organization versus someone who's witnessed some fraudulent activity and just wants to report it.
Dave Bittner: [00:23:36] In terms of some of the things we're seeing today in the news - you know, things like bots, you know, fake news, fake groups, some of these Russian information ops, those sorts of things - what is your take on that?
Dennis Franks: [00:23:47] It's astounding, to begin with, the extent to which the Russian intelligence operations have utilized this. It's astounding the extent to which they've been successful and it's astounding that - the extent to which it's still going on, evidently. As of August 2018, it's still working. There's evidence in the news that it's ongoing. It's widespread. And it's still causing, in some cases, groups to go protest when the organizers of the protests are operating these bots at the behest of Russian intelligence. Quite frankly, to me, it's scary how Russian intelligence and perhaps other agencies, other governments throughout the world, have been successful in causing disruption in our society by posting fake items, creating fake news stories, creating controversy and getting people who tend to be inclined to want to believe those things to get involved.
Dave Bittner: [00:24:56] Now, we often hear about people who have fallen victim to this sort of thing. They'll - they won't report it. They'll be embarrassed to reach out. They feel like, you know, they've been taken advantage of. At what point does it make sense for someone to reach out to an organization like the FBI?
Dennis Franks: [00:25:11] I think it's become so commonplace that people shouldn't be embarrassed by it. You know, every day, there are numerous businesses who are attacked through ransomware. And I think a lot of them just go ahead and pay because usually, it's just a small amount, all things considered, that's asked to, you know, to get rid of the ransomware. But it's something that shouldn't be embarrassing because it happens every day. And even where, you know, someone has been hacked or businesses have been hacked, it's just so easy for employees to click on something they shouldn't no matter how well they're instructed to be careful. I mean, look at all the big organizations where it's happened - big corporations, news organizations and even the government where employees, at some point, click on something they shouldn't.
Dennis Franks: [00:26:04] And you know, unfortunately, we're, I think - to some extent, we're behind the curve as far as preventing these measures. And it's a reactionary position that we have to take in the cybersecurity field. As you know and as, I'm sure, the listeners know, there are certain measures that can be taken to block this. But there are efforts, and I'll bring this up. There's - I'm familiar with and I'm kind of collaborating with - there's a new cyber engineering school that has been created at, of all places, a small university in Houston - the Houston Baptist University.
Dennis Franks: [00:26:42] They've created a school that - in which they are offering degrees in computer science, cyber engineering and - I forget the third one right now. But the emphasis is on creating the future scientists, the future cyber engineers who will develop means and methods to counter the cyberattacks that are so prevalent today. And it is my understanding - it is being done in collaboration with government agencies.
Dave Bittner: [00:27:12] All right, Joe, what do you think?
Joe Carrigan: [00:27:14] Social engineering is new to the FBI, I guess. It's not really new techniques. We've talked about that numerous times.
Dave Bittner: [00:27:20] Yeah.
Joe Carrigan: [00:27:21] But now it's risen to the level where the only law enforcement agency that can answer these kinds of things is a national-level law enforcement agency. So if you got scammed 30 years ago, that would not rise to an FBI level.
Dave Bittner: [00:27:33] Right.
Joe Carrigan: [00:27:33] It would be a local issue. And they wouldn't be involved. I kind of found it interesting how he develops informants. Everybody that becomes an informant has their own reason to do so. I guess they're going to go after whatever they think is that person's motivation and feed that motivation. Like he said, there are some people who are, like, wannabe cops. If they want to exploit that resource, then they're going to say, oh, man. Maybe you should get into law enforcement. Yeah, tell me more.
Joe Carrigan: [00:27:55] And finally, the OPSEC note - he said that he got some suspicious LinkedIn connections. I'm very suspicious of LinkedIn connections. I get a lot of them from time to time. I actually called somebody into my office the other day and said, do you know this person? - because they are sending me a LinkedIn request, and I've never met them. And he tells me something that I'm like, well, I don't think I want to answer that link. I'm just going to ignore this request.
Dave Bittner: [00:28:20] Yeah.
Joe Carrigan: [00:28:21] So yeah, I have ignored LinkedIn requests. I've checked on people and said, hey, is this a real person? And actually, I'm kind of glad I do that from time to time (laughter).
Dave Bittner: [00:28:29] Yeah, it's hard to know sometimes. For you and I, you know, hosting podcasts and things, there are lots of people who reach out...
Joe Carrigan: [00:28:35] Right.
Dave Bittner: [00:28:35] ...Who are listeners and fans of the show.
Joe Carrigan: [00:28:36] Right. I get those from time to time.
Dave Bittner: [00:28:38] You have to figure out how you're going to dial that in.
Joe Carrigan: [00:28:41] Yeah, it's rough. I hope I haven't ignored any requests from listeners.
Dave Bittner: [00:28:45] That's our show. Thanks for listening.
Dave Bittner: [00:28:47] And of course, thanks to KnowBe4 for sponsoring our podcast. And don't forget to register for their password webinar on November 14 with Kevin Mitnick, Roger Grimes and Perry Carpenter. Visit knowbe4.com/password. That's knowbe4.com/password to reserve your spot today. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [00:29:17] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik; technical editor is Chris Russell; executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:34] And I'm Joe Carrigan.
Dave Bittner: [00:29:35] Thanks for listening.