Hacking Humans 6.22.23
Ep 248 | 6.22.23

Risky chat applications.

Transcript

Tobias Pischl: There is this implicit trust, this core belief in everybody that I'm protected because I'm in my MS Teams, I'm in my Slack tenant. I feel secure, right? And this is where people typically leave their shield down because they feel secure in that environment.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs in the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Tobias Pischl, Head of Information and Email Security at Broadcom, talking about risks in chat applications.

Alright, Joe, before we jump into our stories here, we got a little bit of follow-up here. What have you got for us?

Joe Carrigan: Yes, we do. Don't know if anybody remembers me talking about this young lady. This was Madison Russo, who was a GoFundMe scammer. She pretended to have cancer.

Dave Bittner: Oh.

Joe Carrigan: And we were talking about how the cops came into her house and found a bunch of evidence and she had like saline bags and the tubes that attached to the saline bags taped to her face.

Dave Bittner: Oh.

Joe Carrigan: And then was on GoFundMe asking for money for help with her cancer treatment. And then it turned out to all be fake. Well she has pled guilty.

Dave Bittner: Okay.

Joe Carrigan: To soliciting over 37,000 dollars from donors on GoFundMe.

Dave Bittner: Wow.

Joe Carrigan: And she is awaiting sentencing right now.

Dave Bittner: Alright.

Joe Carrigan: So, I said I was going to follow up on that one. I'd like to know what the sentence is that she gets.

Dave Bittner: Yeah. Well hopefully some justice done there.

Joe Carrigan: Yes.

Dave Bittner: Yeah. Alright, well let's jump into our stories here, Joe. You want to kick things off for us?

Joe Carrigan: Yes. Dave, I have a terrible story this week.

Dave Bittner: Way to sell it, Joe.

Joe Carrigan: Yeah. It's not happy at all, actually.

Dave Bittner: Alright.

Joe Carrigan: The story I'm quoting from is coming from the New York Post but I've seen it on ABC News and I've actually got something from FOX News here as well. But it's about a high school football player named Jordan DeMay, who killed himself back in March of 2022. He was the victim of a sextortion scam. And we've mentioned that these things happen and people have been driven to suicide by these.

Dave Bittner: Right.

Joe Carrigan: But he was scammed by Nigerians, three Nigerians who impersonated a young girl. And a girl his age, actually.

Dave Bittner: Yeah.

Joe Carrigan: And convinced Jordan to send them compromising pictures of himself. Right? Which is easy to do to a teenage boy.

Dave Bittner: Right.

Joe Carrigan: Right? When they started immediately extorting money from him, he said I have 300 dollars of the 1,000 dollars you want from me. And the guy said well, you got to get more or I'm going to expose you and send this to everybody. And Jordan then said you know, you're driving me to kill myself. And this guy said, well, you better go do it. Because I will ruin you.

Dave Bittner: Wow.

Joe Carrigan: Is what he said. And Jordan did wind up killing himself last year. So, this was done on an Instagram account. So, Meta, who owns Instagram.

Dave Bittner: Yeah.

Joe Carrigan: This is from the FOX News story. They had a statement that was released by Antigone Davis, who is the company's global head of safety. "We want teens to have safe, positive experiences online and we work to help prevent and stop criminals from targeting them with sextortion schemes. This includes cooperating with law enforcement to help protect vulnerable teens from these horrific crimes and bring their perpetrators to justice. In addition to the work we do to protect teens from sextortion, we also help fund the National Center for Missing and Exploited Children's Take It Down, which allows teens to stop the spread of their illegitimate images online." Okay, so I want to talk about Take It Down. That is from the National Center for Missing and Exploited Children. That is a great resource if you are the victim of a sextortion crime.

Dave Bittner: Right.

Joe Carrigan: I don't know if it's only available to people who are underage, but you can say here are the images I don't want circulated. And all the social media companies will say okay, we're not going to circulate those anymore. I don't know what the technology is behind it. If it's using simple hashes or using something like Microsoft's PhotoDNA technology. I would guess it's probably using something like PhotoDNA.

Dave Bittner: Okay.

Joe Carrigan: Because that's a better way to describe a picture as a, how do I say it? Like a hash, it's kind of like a hash but it's not a hash.

Dave Bittner: Yeah.

Joe Carrigan: Because very similar inputs will have very similar if not the same outputs. Which, a hash, very similar inputs but slightly different inputs will have vastly different hashes.

Dave Bittner: Okay.

Joe Carrigan: Hash outputs. So, that tool is out there for everybody to use. Part of me really wants to hold Meta accountable here. But they've done a lot. They've incorporated with law enforcement. And in fact, there is a justice.gov posting that came out recently in May, back in May.

Dave Bittner: Yeah.

Joe Carrigan: Saying that they have cooperated or worked with the Nigerian authorities and they have three people in custody in this case.

Dave Bittner: Oh.

Joe Carrigan: Which is good.

Dave Bittner: Wow.

Joe Carrigan: One of them is Samuel Ogoshi, who is the one they allege communicated with Jordan. And was the one that goaded him into killing himself. These guys are up on some serious crimes. They are, Ogoshi is charged with sexual exploitation and attempted sexual exploitation of a minor resulting in death. They also charged all three men with conspiracy to sexually exploit minors. These guys are looking at a lot of prison time. Ogoshi, if he is extradited to the US, could face the rest of his life behind bars.

Dave Bittner: Wow.

Joe Carrigan: Which is good, I think. I think he should face -- I hope he gets extradited. The Nigerians, the Nigerian government hates that this kind of stuff goes on in their country. They're really not pleased with it. So, they were, I would imagine they were probably very eager - I'm speculating - but they were probably very eager to cooperate with the United States authorities here to get these guys and bring them to justice. It's a sad case. One of the things I want to reiterate here is something you've said over and over again: talk to your kids, tell them there's nothing that would ever make me stop caring about you.

Dave Bittner: Yeah.

Joe Carrigan: This is a terrible, terrible situation for Jordan's parents and for Jordan as well.

Dave Bittner: Yeah, it's just tragic.

Joe Carrigan: It is tragic.

Dave Bittner: And --

Joe Carrigan: One of the things I'm reminded of is the David Letterman case, when somebody tried to extort him. David Letterman was cheating on his spouse and the woman he was cheating with said we're going to expose you. If I'm recalling this correctly. And what David Letterman did was he just laid all the cards on the table at that point in time. And took everything away from the person who was trying to extort him. And I'm pretty sure that woman did jail time. For trying to extort him. Because that is a crime and that is illegal.

Dave Bittner: Yeah.

Joe Carrigan: So if this happens to you, lay the cards on the table. That's your best option. Just say you know what? This is what's happened, I'm not happy, I'm not proud of what I've done, but you know what? We all know that you're a 17 year old kid.

Dave Bittner: Yeah.

Joe Carrigan: Inside every 17 year old kid is not the mind of a person who makes good and rational decisions. And the reason I know this is because I was a 17 year old kid who didn't make good and rational decisions.

Dave Bittner: Yeah.

Joe Carrigan: So, but the thing is, from your perspective as a young person, it seems like this is world ending. Trust me, it's not. Nobody will remember this in a couple of years. And we'll all be glad that you're still around.

Dave Bittner: Yeah.

Joe Carrigan: This is not something you kill yourself over.

Dave Bittner: Yeah.

Joe Carrigan: This is something you go I screwed up. Let's -- here's how we're going to have to deal with this. And I'm sure that 99% of the time that parents would rather have you come to them and tell them about it, more than 99% of the time. Parents -- but there is that rare outlier where it might be more dangerous to come forward.

Dave Bittner: Yeah.

Joe Carrigan: But that's going to be the outlier. That's going to be the exception and not the rule. Your parents are going to be much happier if you come forward and tell them what happened and tell them how upset and distressed you are about it.

Dave Bittner: Yeah. And tell someone. I mean, even if you're not comfortable telling your folks, if you have someone at your church, or school, a counselor, a teacher, someone you trust, a best friend, anyone. You just can't keep it bottled up inside. So, just sharing it with someone will help.

Joe Carrigan: Yeah, dealing with these things on your own is emotionally exhausting.

Dave Bittner: Yeah. And you know, understand there are -- I understand the feelings of shame that you made a mistake.

Joe Carrigan: Right.

Dave Bittner: And particularly this kind of mistake is particularly shamed in our society. But you know, people love you and they'll forgive you and you move on from it.

Joe Carrigan: Right. And we've got to move away from this kind of mistake being shamed. I mean, there have been stars who've had their accounts hacked and had their nudes leaked.

Dave Bittner: Yeah.

Joe Carrigan: And it's that kind of thing, you know, these people, they move on with their careers. They have been the victim of a crime. And that's what Jordan was here, Jordan was the victim of a crime.

Dave Bittner: Right.

Joe Carrigan: It's not like Jordan wasn't doing something that his peers probably do every single day.

Dave Bittner: Right.

Joe Carrigan: It's -- he was doing something that was normal. I guarantee you, Dave, as much as we don't want to admit this, as much as we as parents don't want to say this, I don't have teenage kids anymore, but --

Dave Bittner: I do.

Joe Carrigan: Yeah, I know. I'm going to say this and you might get mad at me, but there's a good chance that your kid is trading nudes with a friend, you know.

Dave Bittner: Yeah, I mean, my wife and I refer to the teenage brain as the vortex of chaos.

Joe Carrigan: That is an accurate description.

Dave Bittner: And I think, you know, it's right. And it's so easy for them to lose track of rational thought and you know, there are few things that can lead you away from rational thought more than that kind of sexual, physical titillation. It just short circuits your rational thinking. And so, anybody who says they haven't been there is probably fooling themselves or lying to themselves or something.

Joe Carrigan: I'm going to tell you something I was told when I was in high school.

Dave Bittner: Yeah.

Joe Carrigan: And my parents would say, or my father in particular would say this is supposed to be the best time of your life.

Dave Bittner: Yeah.

Joe Carrigan: Because after you get out of high school, it's all work.

Dave Bittner: Okay.

Joe Carrigan: Right? And I had a teacher in high school named Phil Campbell who was a great teacher. Fantastic teacher. He's since passed on.

Dave Bittner: Yeah.

Joe Carrigan: But he was a good teacher. And he said you know what? Your parents probably tell you this is the best time of your life. And it's not. It's one of the hardest, worst times of your life.

Dave Bittner: Right.

Joe Carrigan: You know, when you're an adult, all those hormones have leveled out and you think much more clearly. I remember middle school as being probably the worst time of my life. High school wasn't that much better.

Dave Bittner: Okay.

Joe Carrigan: Right? So I know exactly what it's like. It's a miserable time of life, but everybody has to go through it, right?

Dave Bittner: It's true.

Joe Carrigan: It's the time when you're supposed to be moving into adulthood and people are looking at you going you're supposed to be doing adult things now, why are you still doing these stupid, screwed up things? But you know what? There's a perfectly knowledgeable explanation for that. And that is that you're still a kid, you're still 17 years old.

Dave Bittner: Right. You're caught between those two worlds.

Joe Carrigan: Yeah, you're caught between those worlds. And that is a very awkward and hard place to be.

Dave Bittner: Yeah.

Joe Carrigan: But trust me, it does get better on the other side of that.

Dave Bittner: Yeah. Well, I think your advice is good. Particularly if you're a parent, just be deliberate about this. Let your kids know that if anything like this happens, you're there for them and that there's nothing so shameful that it's worth taking your life over. There's always a way out.

Joe Carrigan: There is.

Dave Bittner: So. Alright, well we'll have a link to that story in the show notes for sure. My story is a little more blessedly run-of-the-mill I guess? For today's show. This is from the folks over at passwordmanager.com. And this is about fake job scams. These folks recently did a survey and they found that one in three recent job seekers have been tricked into applying for a fake job scam. That seems high to me. I -- so.

Joe Carrigan: That's a remarkably high rate of success for these guys.

Dave Bittner: Yeah. So they surveyed 663 Americans who've searched for a job within the last two years. And in their findings, they found that 38% of recent job seekers encountered scam job postings. 32% were tricked into applying for a fake job. And 15% had personal information stolen, 9% had money stolen by scammers. So almost 1 in 10 --

Joe Carrigan: Really!

Dave Bittner: -- lost money from a scammer.

Joe Carrigan: Huh.

Dave Bittner: They go on and they say 4 in 10 respondents found postings that turned out to be a scam. And the number one location was, you want to guess?

Joe Carrigan: The scam site?

Dave Bittner: Yeah, number one scam site. What do you think?

Joe Carrigan: Like the location --

Dave Bittner: What website were the most scams on?

Joe Carrigan: I've already seen the spreadsheet.

Dave Bittner: Oh, okay.

Joe Carrigan: Or the graph here. So I know it. But my first guess would have been Indeed. That's wrong.

Dave Bittner: Alright. Well Indeed is number two, so it's close. The top three are Craigslist, Indeed, and Facebook Marketplace.

Joe Carrigan: I'm not surprised that Craigslist is number one, but I do not consider that to be a legitimate job site.

Dave Bittner: No?

Joe Carrigan: No! I would never go to Craigslist and look for a job. In fact, I would expect that to be nothing but scams.

Dave Bittner: Okay. Interesting. Don't you have to pay for a job listing on Craigslist? I think you do.

Joe Carrigan: I don't know. I've never made one. I've only sold and bought a couple things on Craigslist.

Dave Bittner: Yeah.

Joe Carrigan: And every time I bought something on Craigslist, it felt really shady.

Dave Bittner: Okay. I'm pretty sure that's how Craigslist makes their money. Because that's one of the things that they charge for.

Joe Carrigan: Is job listings?

Dave Bittner: Yeah. Where so many other things are free. So, you know, you would think that having that sort of barrier, if someone has to pay for a listing, would slow the scammers down. But evidently not in this case. I mean, we look at the top three here. Craigslist, Indeed, and Facebook Marketplace, they all require you to pay something to have them listed.

Joe Carrigan: I also wouldn't look for a job on Facebook Marketplace.

Dave Bittner: No. I wouldn't either.

Joe Carrigan: I don't like that you have to look for jobs on LinkedIn now. LinkedIn has a big job market. I think, and I've looked through it a couple times. Not that great. Not that great of a job search thing.

Dave Bittner: Yeah. I mean, it totally tracks that the scammers are going to go where the most people are, so these are popular platforms.

Joe Carrigan: I'll bet Craigslist is cheaper than any of the other options, though.

Dave Bittner: Could be, could be. Like you, I would have guessed Indeed. Because I think that's the first online job site that comes to mind to me.

Joe Carrigan: Right.

Dave Bittner: Monster.com is probably second. And interestingly, monster.com had about a third the number of scam job postings, according to this survey, as Indeed did. So I wonder, is that because of, is it less popular? Is it --

Joe Carrigan: I think monster.com has really gone down in user percentage. Because the question is where have you encountered scam job postings? So, Monster being low on the list could indicate that there are fewer scam jobs on Monster, but it could also indicate that fewer people go to Monster to find jobs.

Dave Bittner: Yeah. They say that the most commonly reported industries were retail, healthcare, and service industries. That doesn't surprise me at all. And then salary ranges, again, this tracks. The most targeted salary range is 25 to 50,000 dollars.

Joe Carrigan: Really? That's the range of the scam job?

Dave Bittner: Yeah. Yeah. So, I think why that doesn't surprise me is because I think you're targeting a less sophisticated worker.

Joe Carrigan: Right. You're also targeting somebody who might not be making that much to begin with.

Dave Bittner: Right.

Joe Carrigan: Minimum wage in this country's pretty low. It's around 15,000 dollars a year.

Dave Bittner: Yeah.

Joe Carrigan: So if you're offering 25 to 50,000 dollars. Different states have higher minimum wages, though, by the way.

Dave Bittner: Right.

Joe Carrigan: Maryland, I think it's going up to 15 dollars an hour, which is essentially 30 grand a year if you have a full-time job.

Dave Bittner: Yeah.

Joe Carrigan: But yeah, the fact that you're targeting this group of people says to me that you're targeting younger, more inexperienced people.

Dave Bittner: Yeah, and maybe people who don't have as much of a cushion behind them. Where their need to find a job quickly may be heightened. Versus some of the people who have, you know, who have a history of making more money.

Joe Carrigan: Right.

Dave Bittner: So they're likely to be in a more emotional state.

Joe Carrigan: So Dave, I'll tell you, I have a job, an email address that I use for job sites and things like that.

Dave Bittner: Okay.

Joe Carrigan: And it's a professional looking email address, it's not like -- which I suggest everyone do. They should have an email just for job searches. So, in that job search email, I check it occasionally. But I just recently checked it. And it says "We have an open career for you." This is one of the myriad of emails I get about this. "As the shipping and receiving manager at" some company, right? And I am convinced these are just jobs to be a package mule.

Dave Bittner: Oh, okay.

Joe Carrigan: That's what I think these are. But I get probably four or five of these a month. And it's always the same pitch. And I'm amazed that they're going after, they've gotten my name from some job site. They've got some old database. This one comes from a Hotmail address, so yeah, I don't think this is actually Microsoft or Hotmail trying to recruit me to be the shipping and receiving manager. This is just some guy trying to scam me.

Dave Bittner: Yeah. Alright, well, we'll have a link to this story in the show notes. There's some other interesting little tidbits here. They track what companies are the most likely to be impersonated for scams. How many folks have had personal information stolen, that sort of stuff. So, it's an interesting survey. And not a huge number of people surveyed, but I think enough to --

Joe Carrigan: It's enough to give you a good confidence interval. Like I think 95%.

Dave Bittner: Yeah, nice little representative thing there. Again, that's from the folks over at passwordmanager.com. Alright, Joe, it is time to move on to our "Catch of the Day."

[ Sound Bite of Reeling in Fishing Line ]

Joe Carrigan: Dave, our "Catch of the Day" comes from Albert who writes, "Hi Dave and Joe. Not sure why I keep getting German phishing emails, but," we don't have time to go into this, but Albert did go back and forth with this person.

Dave Bittner: Oh.

Joe Carrigan: It's pretty funny. But I just wanted to start with the -- just read the opening email that this person sent Albert.

Dave Bittner: Okay. It says, "Hello, I am a Swedish philanthropist, anthropologist, and publisher. I'm the founder of the Sacred Rosen Trust, one of the largest philanthropic foundations of Great Britain and owner of the Grant Magazine and Grant Books. I hear about people dying from COVID-19 every day and the challenges everyone faces in these difficult times," faces, faces, "and that's why I offered to accept these donations by distributing 5% of my wealth. This virus brought us friends, family, and it has brought many families to it. Made me very sad in one way or another. So I have decided to help as little as possible. The world is facing unprecedented challenges and societies and economies around the world are facing this one challenge affected by the escalation of the COVID-19 pandemic. The world is coming together to fight the COVID-19 pandemic and brings governments, organizations from all industries and individuals together to respond to this pandemic outbreak. The worldwide solidarity and support through this common challenge was phenomenal. I know that the World Health Organization is the world is leading in coordinating efforts in supporting countries that prevent, detect, and respond to a pandemic. Everyone can now directly support the WHO coordinated response. Individuals and organizations contributing to the spread of the pandemic want to help and fight support the WHO and its partners can now coordinate through the COVID solidarity I have done and would also like you to help some people as soon as you receive your donation. I don't have much to say about myself right now but I'm very happy about it. So I want you, your family, and your friends are happy because I am happy to give the sum of 1,000 euro donate. I give your email from Google Inc. email list selected. Please note that this is my money and I give it to you. Around to verify this, check my Wikipedia. My donation of 1,000 euro may seem small to you, but I think it will do a lot to improve standards contribute. I would like you to provide the information, fill out below, and send me for documentation creation at the end of the report donation to your specified bank account. I look forward to it. Soon to see smiles in you and your family." Wow.

Joe Carrigan: And then this person goes on to ask for whole names, gender, age, single or married, address, profession, telephone number.

Dave Bittner: Yeah.

Joe Carrigan: But funnily, doesn't ask for any banking information.

Dave Bittner: No. And it's signed Ms. Sigrid Rausing.

Joe Carrigan: Now, I did a little bit of poking around.

Dave Bittner: Yeah.

Joe Carrigan: Sigrid Rausing is a philanthropist from Sweden.

Dave Bittner: Oh.

Joe Carrigan: A real person. So this person is obviously not Sigrid Rausing.

Dave Bittner: My grandmother's name was Sigrid.

Joe Carrigan: Was it really?

Dave Bittner: And she was Swedish.

Joe Carrigan: It's a very good name. I like names with g's in them.

Dave Bittner: Okay, fair enough.

Joe Carrigan: And I don't know why. So like, I always thought that like Ingrid was a beautiful name.

Dave Bittner: Yeah.

Joe Carrigan: Gretchen. I know that a lot of people don't, you know, would disagree with me on this, and I don't know why. But I found these Germanic names like Ingrid, Gretchen, Sigrid, Olga.

Dave Bittner: Nothing wrong with that.

Joe Carrigan: I like them.

Dave Bittner: Yeah.

Joe Carrigan: I also like names with v's, I don't know why. I digress. As I often do. And today, I've digressed in the most bizarre digression. Thank you, Albert, for sending this in. This is obviously just an advance-fee scam with some personally identifiable information gathering as well. That's always valuable if these guys get enough responses with this PII, they can actually sell that list to other scammers and make some money that way. These guys are looking to monetize everything.

Dave Bittner: Yeah, yeah. Alright, well we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com.

Joe, I recently had the pleasure of speaking with Tobias Pischl. He is Head of Information and Email Security at Broadcom. And we're talking about some risks in chat applications. Here's our conversation.

Tobias Pischl: What we have to realize is email is dead to an extent, where that story has been around for the last 20 years. And I think it really took off over the last decade or so now with the tools around collaboration for Slack, Teams, Google Chat, and so on. Which makes it relatively easy to collaborate within an organization for exchange of information. And so we're seeing, and some of the analysts out there have predicted some additional growth with some of the new platforms that are coming along or additional expansions of these platforms. But we see definitely strong adoptions in large enterprise organizations because of the flexibility that those tools give. They are even now starting to be used for some of the devops and some of the learning and monitoring in organizations. So it becomes part of the broader ecosystem for an organization these days.

Dave Bittner: And how are organizations approaching this from a security point of view? Are people understanding the potential risk here?

Tobias Pischl: Partially, I would say. I think it really comes back to security has been, for the better half of the decade, an afterthought. When you think it through, who is choosing those kinds of platforms? Who is choosing in an organization what to use in terms of let's say Teams, Slack, and so on? It always comes back to those have been great collaboration tools. Those are being used by kind of the workplace teams, the IT teams that make the decision on this, and security is naturally the afterthought, or aftermath and the afterthought. So what has to happen there is the shift that to bring in the security teams early on and to really have a mindset change to actually have a threat model for those applications. Because they're offering the same capabilities when it comes to attacks as with some classic email system would be. Then again, because of the nature of collaboration and productivity, security is not the decision maker in the criteria or in the selection process.

Dave Bittner: I think about, you know, our own use of this here at CyberWire. And I guess it doesn't really cross my mind that is this communication encrypted? Who can see it? If I have a private message between myself and one of my colleagues, can my boss read it? Can IT read it? You know. I think most people probably either don't know or don't think much about the degree to which this stuff could be shared with other people. Either intentionally or otherwise.

Tobias Pischl: Correct. And that's just the beginning of that, right? It's really just the table stakes of are the sessions encrypted? I think the concept of zero trust really applies here. Because when we look at the goals a level deeper from, you know, just on the, right, is it encrypted and can somebody else read it? I think that's, when you look at that, it's a commonality. But then the second part is really when you apply something like a zero trust model, you assume breach, right? And I think we really see an interesting scenario is those tokens that those applications are using, Slack, Teams, again, those are at risk. And I think this is where we have to consider, in kind of the threat model. So imagine that you have an organization that just brought on Slack or Teams. Imagine now in the next step that you have every one of your users logging into Slack, interacting with the platform. And the next thing happens, some developers are starting with it as well. And people get more comfortable with it, share maybe some personal information on it. They share eventually some business relevant data on it. And then, to the next step, an attacker gets hold of the token. Either because the development team didn't secure kind of the application tokens properly, or the user machine is eventually compromised and the token gets lost, right? Then in that situation, an attacker with the token has access to your full message history and all of the channels and all of the workspaces, all of the messages. They can literally anticipate how you, what human being you are based on the conversations you have had, your writing style. And in this case, really start using the token more efficiently for their own purpose. And this is the situation that I think, well I'll just say imagine it is actually the reality. That's what we are seeing with organizations, customers that have fallen victim to those types of attack these days.

Dave Bittner: Now, when you say the token, can you explain that for folks who may not be familiar with it? Is that the thing that identifies you as being who you are?

Tobias Pischl: Pretty much. There's a little bit more context to this one, but the token is basically what sits at your end point or sits on your device, which authorizes you with certain roles and permissions within the application. So Toby, as an example, when I login in the morning and I go to Slack, the token basically grants me the permission that I can write messages to you, as an example, or on a channel. Or basically I have no other permissions. And same for, let's say, application permissions. So the token is pretty much your key that helps you to unlock the door to then enter every part of the house or maybe a room is closed, right? And it provides all of that context. And that's where the token is really useful.

Dave Bittner: And would someone be able to gather this token if they compromised your browser? How would they find access to that?

Tobias Pischl: So how they find access to this is typically it's common stored locations on the end point. Where those applications store those tokens. And then, as I said, the second risk there is around the developers using those tokens and eventually creating new app integrations. User services that can make your life easier again. But then checking in that token, which is access to your, let's say Slack tenant, on GitHub. And if that's a public repository, then obviously you have a problem because now the token is out, publicly known by everybody literally. Same obviously with some of the info stealers that we are seeing harvesting those tokens from Windows devices, as an example, and sharing it, again, through other applications so that the hacker has access to it. Just uploading that file or just uploading that token to a common file storage application. Which then the attacker has access to and can use the token onwards.

Dave Bittner: Is this the sort of thing where multi-factor authentication could help?

Tobias Pischl: Not really. And this is the interesting part, right? Multi-factor authentication only helps when you authenticate to the service originally. Right? What happens typically after the authentication is that the token is generated and placed on your device, right? And at that point, you don't have to re-authenticate that token. At that point, it is exactly the keys onwards for accessing and collaborating as you in the tenant.

Dave Bittner: Right, so it's the classic balance between convenience and security, right? I mean, one of the nice things about a tool like Slack or Teams is that I don't have to log in every time. But on the other hand, as you point out, that could lead to some insecurity.

Tobias Pischl: Correct. And that's where some of the recommendations are really, when you look at kind of the guidance that those platforms give you, it's like hey, just rotate your key. And rotating the key is obviously one thing, because it's still, how often do you want to reauthenticate, right? And as you said, I enjoy going in the morning, opening my computer, it just works. I don't have to reauthenticate to Slack, right? What if I do that every hour? Then you lose the productivity aspect of it because you have to reauthenticate every hour. But then again, you shouldn't have your tokens obviously running for, you know, a month or a year. At the same time. But this is where some of the security countermeasures really come in to help and provide additional context to secure these applications in an efficient way.

Dave Bittner: Well, let's dig into that. I mean, what are some of the additional things that people can do?

Tobias Pischl: So for this, we need to really understand what are some of the common attacks that are being executed? One of those are, obviously as you said, get the token, get access, and get access as you to the platform. Right? When it really comes to those attacks, then, you have the same logic as we applied to email security in the past, right? Email security, what we've learned over the years is I can use it as an infiltration for malicious files, for malicious links. Phishing links, as an example. Or, over the last couple of years, those business email compromise type of things, those impersonation attacks. And at that point, the same variety of tools are available obviously on those platforms. Why? Because in collaboration, you can exchange files, you can exchange links to some sites. And you have obviously access in this case, as me, to the platform. So if I send a message to my colleague and say can you do this transaction for me? Maybe it's an actual transaction. In this situation, my colleague will probably execute it and not question twice why because it is on this so-called trusted platform, Slack, that we're only using internally. And this kind of misbelief of, this implicit trust of this is an internal application, nothing can go wrong, which we have over the last 20 years literally learned that for email it doesn't happen. This kind of implicit trust is still there for those collaboration applications, right? So when we look at tools specifically to address those things, then I think we really need to -- we need to dig in what those applications provide already. And some of those have some table stakes, like basic virus filters, or you know, you cannot execute any code on those or you cannot upload, let's say, any executable files and so on. And still, to this point, those are by factory default not enabled. The reason is because those are collaboration platforms, right? Those are not security platforms in the first place.
So, enabling and understanding those capabilities that the platform provides. And then bringing additional capabilities in like model scanning of table states these days, eventually sandbox files that are sitting in your Slack channel, eventually run URL protection on URLs that are being shared within Slack, within Teams. Making sure that you have insight into the threats or the potential threats that are going around within your tenant and then maybe laterally move. And then last but not least, also, UBA being a big topic. The reason why I'm saying UBA is imagine an impersonation attack. If I just send a message to you asking for financial transaction, that's great. An attack that we have seen in an organization that we work with is somebody using various stolen tokens and then starting to post messages with, let's say, your Windows security update for this month, right? People obviously believe that at that point and download and start executing and eventually have malware spreading in the environment like fire. At the same time, having the controls that, let's say, UBA can provide, visibility into how many messages does Toby really post on a given day, or maybe on a Friday afternoon? Then in that situation, you have the visibility that there's an abnormality that can help address, in this case, those types of situations where impersonation attacks or malware is being spread across the organization from an outside attack.

Dave Bittner: And UBA is?

Tobias Pischl: User Behavior Analytics. So, like very simple frequency learning. You can say like how often, if I send every day 20 Slack messages, that's great. But what if on a Friday afternoon where I typically don't work, right? Then in that situation I have 1,000 messages that are being generated? And that's an abnormality that eventually helps to identify those situations. And then address those situations.

Dave Bittner: Right. Or if suddenly I'm logging in from Eastern Europe somewhere where I've never been before, right? Yeah. I think your point is really excellent in that there's a sense of trust with these apps. In other words, if I get a request from a colleague or my boss, if that comes through on email, so much of the training that we've gotten says that we need to be careful with that. We need to scrutinize that, really check the details before we take action. But I don't think we have a similar skepticism when it comes to these sorts of collaboration tools.

Tobias Pischl: Exactly. As I had mentioned, there is this implicit trust, this core belief in everybody that I'm protected because I'm in my MS Teams, I'm in my Slack tenant. What could go wrong? Because this is, after all, an internal tool where we're maybe not federated with somebody. I feel secure, right? And this is where people typically leave their shield down because they feel secure in that environment. We've done everything over the last 20 years when it comes to, let's say, email security and, as you said, training people don't click on links in emails, right? This kind of mindset has not transformed or has not been evolved yet into those collaboration platforms where people generally, as I said, leave their guard down. In that case, click on links, execute things, and this is where attackers definitely take advantage of humans and the core implicit trust that they have to those platforms in the first place.

Dave Bittner: So, suppose I'm the person at my organization who is in charge of our Slack instance here, or our Teams instance here. Are there any tips that you can share, ways that we can better secure them?

Tobias Pischl: I think number one is really enable some of those core security controls that the platform provides. Typically, those software rotate your token often. As I said, you have to find the right balance. Daily, weekly, but then again, it comes back to assume breach that this token eventually gets breached. Add additional capabilities, like content scanning, to those platforms. If they are built in, great. A lot of these tools do not have the advanced capabilities like URL scanning or sandboxing of files, especially when it comes to like zero day attacks. So leverage those tools that's, let's say, McAfee can provide. And then in addition to that, leverage some of those risk analytics tools to identify with user behavior analytics where there is an abnormality as far as posting behavior or download or upload behavior where you can identify those situations quicker and then quicker respond to those ones by, as I said, locking out accounts or eventually removing malicious content, malicious links from these platforms before users can click on those. And this is where McAfee as an example has some of those table stakes and really complements and brings, steps up the security to those collaboration tools.

[ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, I said it before, I'll say it again, email's terrible, chat apps are better. But there are some caveats with that.

Dave Bittner: Okay.

Joe Carrigan: I'll tell you why email is terrible. It's because anybody could put anything into your inbox. They don't have to be on your system. They don't have to gain access to your system to be able to send you an email.

Dave Bittner: Right.

Joe Carrigan: Whereas with Slack, someone has to be invited to the channel, or the server, or whatever it is, same with Discord, same with whatever chat app you use. Somebody has to be connected --

Dave Bittner: Yeah.

Joe Carrigan: -- to you in order to do that.

Dave Bittner: Right.

Joe Carrigan: That does leave you with some more vulnerability in that you're just going to assume that it's safer, right? And Tobias talks about that here. You know when I first started working with instant messaging clients, the very first one I was on was AOL Instant Messenger. Do you remember AOL?

Dave Bittner: Sure. Yeah. Absolutely.

Joe Carrigan: I thought that was a fantastic technology when it came out.

Dave Bittner: Yeah.

Joe Carrigan: And we actually used it at work.

Dave Bittner: Yeah.

Joe Carrigan: And we used it at work until our IT security company, our team said, our security team said no, we're blocking that because it's a vector for viruses and things and people can send you files. And we were using it for sending messages. I don't think we used it to send files back and forth, that would have been silly. Because we knew that everything went up to AOL at the time.

Dave Bittner: Right.

Joe Carrigan: So we just used communication. Also, it was kind of unencrypted, it was not really secure.

Dave Bittner: Yeah.

Joe Carrigan: But it did make things work well. So when they -- when they banned it and we needed to start using a chat app, we started using a service that we paid for that was good. But AOL Instant Messenger was also bad for the same reason email's bad. Anybody could send you a message on that. You could just send the message out of the blue to anybody. Do you remember doing that?

Dave Bittner: I do not.

Joe Carrigan: No?

Dave Bittner: No, my wife would get a lot of things because she was on AOL early enough that her AOL address was her first name at aol.com.

Joe Carrigan: Right.

Dave Bittner: So it was easy to, you know, people just put a list of names in.

Joe Carrigan: Right.

Dave Bittner: So she'd get all kinds of stuff.

Joe Carrigan: And they'd wind up getting a hold of her.

Dave Bittner: Yeah.

Joe Carrigan: People are only partially getting the security risks here. Well, it seems like security's an afterthought, according to Tobias.

Dave Bittner: Yeah.

Joe Carrigan: Which is correct. People should be involving their security teams early in the process. If you're going to go with a chat application, whether it's Teams, whether it's the Google Chat application or Slack or whatever --

Dave Bittner: Yeah.

Joe Carrigan: -- your security team should be involved from the beginning. And how you manage it should be secure. That's very important. Your question about privacy is really important when you ask about, you know, does my employer have access to these messages? If you're operating on your employer's system. Employer provided system, whatever that system is. If it's your laptop, if it's a chat app, if it's Teams. Assume that your employer can read everything. Don't assume that it's private.

Dave Bittner: Right.

Joe Carrigan: Just assume that they have access to it. And the reason you assume that is because they may actually be legally required to have access to that thing.

Dave Bittner: Right, it could be a compliance thing.

Joe Carrigan: It may be a compliance. Like with Sarbanes-Oxley? They may have to comply with that. With that regulation by recording all of your messages in plain text in some server.

Dave Bittner: Right.

Joe Carrigan: So don't ever assume that your employer's system is private for you to use to talk to people about personal matters.

Dave Bittner: Right, right.

Joe Carrigan: Unless you're okay with that.

Dave Bittner: Or talk bad about the boss.

Joe Carrigan: Right. Or talk bad about the boss, yeah. Don't do that on corporate systems, either.

Dave Bittner: Yeah.

Joe Carrigan: Probably best not to do that anyway, right? Tobias spends a lot of time talking about these tokens, these authentication tokens?

Dave Bittner: Yeah.

Joe Carrigan: And it's interesting that the multi-factor authentication cannot help you if your authentication tokens are stolen. And the reason for that is multi-factor authentication is there to help you establish the session where you get the token.

Dave Bittner: Right.

Joe Carrigan: But once you have that token, the assumption is you're authenticated. So you're beyond -- you're in the workflow beyond the multi-factor authentication step. You know, immediately upon hearing this problem, I came up with a bunch of different solutions that would make it easier. But I'm not going to go into that right now. It seems like I'm getting lost in the weeds, like I frequently do whenever there's a technical problem.

Dave Bittner: We should start a second feed called "The Weeds with Joe." "Weed-Whacking with Joe."

Joe Carrigan: And it's just me where I pontificate about silly ideas for things.

Dave Bittner: Just, you know, just a free verse, you know, exploration of your mind.

Joe Carrigan: Right. Stream of consciousness.

Dave Bittner: Yeah.

Joe Carrigan: Everybody would love to hear that. Suddenly everybody finds out how much I like chickens. These tokens are what attackers are going to go after. Especially if you start using multi-factor authentication. Because if I can get the token, I'm going to be able to impersonate you on a much more authentic level.

Dave Bittner: Right.

Joe Carrigan: But those tokens do need to be breached somehow. With the installation of malware or with the inadvertent disclosure. And there's a number of ways that you can protect against that. We all understand the compromise of a collaboration app would be a very bad thing. But this is where your policies are really going to come in handy, right? It doesn't matter that your boss is on Slack telling you that you need to send 10,000 dollars to somebody. That's not how we do business.

Dave Bittner: Right, right.

Joe Carrigan: That needs to be clearly communicated policy. Of course, there are other things that might indicate compromise. But again, I don't want to get into the weeds. The security is not being enabled by default on these apps. And we talk about this frequently. These apps want adoption. Right? And in order to get adoption, they go with the least amount of friction for the user to set up and start using the apps.

Dave Bittner: Right.

Joe Carrigan: So, the app publishers or manufacturers or authors or whatever you want to call them, they're probably not going to go ahead and enable security by default. Probably not going to happen.

Dave Bittner: Yeah.

Joe Carrigan: So you're going to have to do that. Behavior analytics is great, I think. But it still requires that somebody be sending malicious messages to violate the behavior analytics. Right? So in other words, in the example that you and Tobias talked about was the, you know, I'm not there on Friday but on Friday I start sending 1,000 messages. Okay, something's up. Okay, but I still have to send the 1,000 messages for that to set off a flag.

Dave Bittner: Right.

Joe Carrigan: Right? But now I can catch it sooner.

Dave Bittner: Yeah, and it could also be, you know, I'm logging in from the Virgin Islands. But I've never been before. Or something, you know.

Joe Carrigan: That should be something that just ends the session.

Dave Bittner: Right.

Joe Carrigan: Couple of good suggestions. Rotate the content, or rotate these tokens. Rotate these tokens frequently. That way if somebody does steal a token, it's only good for a certain amount of time. Time is your enemy when you're talking about breaches. Anything you can do to cost the attacker time is good. And add content scanning. Which I think should be enabled on everything by default. You don't just trust anything that anybody sends you, even if it's on one of these systems you believe to be closed.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: Scan the content.

Dave Bittner: Alright, well again, our thanks to Tobias Pischl for joining us. He is Head of Information and Email Security at Broadcom. And we do appreciate him taking the time.

That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and isi.jhu.edu. We'd love to know what you think of this podcast. You can email us at hackinghumans@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. This show is edited by Elliot Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.