Stealing your car's identity.
Sam Crowther: Something known as car cloning, where criminals can take stolen VIN numbers and use it to create replica tags so that, you know, you might get pulled over when you're driving your car in, you know, Maryland, right, and the police are like, hey, we, you know, we've got a warrant, or whatever it is when you get pulled over, and it's actually because someone else who committed a crime who's duped your car's information has done it, you know, somewhere else in the state.
Dave Bittner: Greetings to all, and a warm welcome to the "Hacking Humans" podcast, brought to you by the Cyber Wire. Every week, we delve into the world of social engineering scams, phishing plots, and criminal activities that are grabbing headlines and causing significant harm to organizations globally. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week, and later in the show, my conversation with Sam Crowther. He is founder and CEO of Kasada. We're talking about some stolen automobile accounts. All right, Joe, we've got some follow-up here to start things off with. What do we got?
Joe Carrigan: We do. Steve wrote in with an interesting story. He got an email that read, hello, Steve, I'm from Google, and you've been chosen to receive a gift package from Google for your work as part of the Google 3D community. Please provide address details so we can send you your gift. Now, Steve is paraphrasing, because this came out, he got this email a long time ago. In fact, he was a volunteer for a beta program to use Google imagery to make 3D buildings for their platforms.
Dave Bittner: Okay.
Joe Carrigan: So, you know, when you zoom in on Google Maps, you can see 3D buildings?
Dave Bittner: Right. Sure.
Joe Carrigan: He was part of that.
Dave Bittner: Okay.
Joe Carrigan: Now, of course, he thinks an email from Google? Well, maybe.
Dave Bittner: Right.
Joe Carrigan: But it turns out it was actually legit. He did provide mailing information that wasn't his home address, but he provided mailing information and a couple of weeks later, he got a mug and some stickers and some other swag from Google as a thank you for contributing to it.
Dave Bittner: Okay. What's the lesson here?
Joe Carrigan: I don't know. I don't know that I would have responded to this.
Dave Bittner: Yeah.
Joe Carrigan: I don't know that I would have volunteered my time for a large corporation. I'm one of those guys that thinks, no, I'm not doing that for you for free.
Dave Bittner: Okay.
Joe Carrigan: You're a multi-billion dollar corporation, very highly valued, you make tons of money, you can pay people to do this.
Dave Bittner: Yeah.
Joe Carrigan: Yeah. And so that's my thinking on it immediately, but, you know, maybe I give them a post office box or something, you know?
Dave Bittner: Yeah. Well, I mean, good for Steve.
Joe Carrigan: Yeah. Got himself some, some nice swag.
Dave Bittner: Yeah. We got another message here from Derek who writes in with a question. He says, hello, Dave and Joe, I heard you on your fine show, "Hacking Humans" and elsewhere that a concern with AI is its ability to draft convincing phishing emails. However, it's also been noted that phishing emails are often intentionally littered with spelling and grammar mistakes to limit their reach to those who may miss those telltale signs. Is there a tension between those two claims or is the claim with AI that you'll be able to mass produce spear phishing emails tailored to each individual? Given the wide availability before LLMs of service that can assist with spelling and grammar, those errors seem more like a feature than a bug. Curious about your thoughts on this.
Joe Carrigan: So I have my thoughts on it.
Dave Bittner: Yeah. My thoughts are, it depends on the audience. I don't see a tension between these two statements. I think, yeah, spear phishing, there is a definite use case for LLMs and spear phishing to make them really, really good. Right.
Joe Carrigan: My concern with LLMs and spear phishing is that eventually somebody is going to train these models -- in fact, it may already be happening. They're going to be training the models on the writing style of the person they're trying to impersonate. You know, if you're writing style has errors, maybe LLMs will eventually put those in there.
Dave Bittner: Right.
Joe Carrigan: The idea is, who are you trying to convince, right? Who are you trying to scam? If you're trying to scam somebody where the use case is, I need a well-written email, you're going to use an LLM. If you are trying to scam somebody with like a Nigerian prince scam, maybe not.
Dave Bittner: Yeah.
Joe Carrigan: Maybe you just use the old template you have that's ready to go.
Dave Bittner: Right.
Joe Carrigan: And you're going to send out a million of those emails a day and answer the five or six that you get in response every day.
Dave Bittner: Yeah. I'll just mention real quick, LLMs are large language models.
Joe Carrigan: Thank you. I didn't clarify that.
Dave Bittner: Which are the generative AI systems things like ChatGPT uses.
Joe Carrigan: Correct.
Dave Bittner: Yeah. I mean, I pretty much agree with you here. I think the two have their own purposes. And I think the well-written letters are more likely to go towards spear phishing rather than broad spray and pray phishing type of spammy sort of emails.
Joe Carrigan: Right.
Dave Bittner: I think what you're saying about training on someone's writing style is interesting. And I'll just add to it that we know in a lot of these cases, the bad guys have good access to someone's email account and they'll camp out there for a while.
Joe Carrigan: Oh, yeah.
Dave Bittner: Right?
Joe Carrigan: Yeah. If this is a business email compromise, they can feed tons of data into that model.
Dave Bittner: Right. If they're camping out in your email account and they can download the last year's worth of email or for lots of folks, every email they've ever written, yeah, then they could absolutely load that into a model and it would probably be able to do a pretty good version of whoever's email account that they've broken into.
Joe Carrigan: Yeah. You remember when you made that voice recording of you that was simulated?
Dave Bittner: Yeah.
Joe Carrigan: It's like that, but only in writing.
Dave Bittner: Right. Right. All right. Well, thank you, Derek. And thank you, Steve, for writing into us. Of course, we would love to hear from you. If you have something you'd like us to consider on the show, you can email us. It's hackinghumans@n2k.com. All right, Joe, let's jump into our stories here this week. I'm going to kick things off for us. And actually, my story comes from a friend of the show, Graham Cluley.
Joe Carrigan: Graham. I wonder who Graham is.
Dave Bittner: He's a person who has co-hosted this show other than you.
Joe Carrigan: Right. That's correct.
Dave Bittner: He filled in for you once when you were unavailable.
Joe Carrigan: I was unavailable, yeah.
Dave Bittner: Yeah. So Graham is certainly a friend of the show. And of course, I have appeared on Graham's show many times. You've been on "Smashing Security" as well, right?
Joe Carrigan: Yes, twice.
Dave Bittner: Yeah. So Graham is co-host of the "Smashing Security".
Joe Carrigan: Wouldn't it be nice to have him back on again, Dave?
Dave Bittner: It's not up to me, Joe.
Joe Carrigan: I know.
Dave Bittner: Graham is co-host of the "Smashing Security" podcast along with Carol Theriault, which if you have not checked out, is another fine podcast to add to your list. But Graham has posted something here on his own blog, and it's titled, "Yikes, My Sex Video Has Been Uploaded to YouPorn, Apparently."
Joe Carrigan: Hold on. Let me go look.
Dave Bittner: Yeah. Well, I mean, you know, who among us hasn't already seen a sex video involving Graham Cluley? They're all over. But anyway, seriously. So this sort of tracks through an email that Graham got, and I think it's perfect for our show here. It claims to come from YouPorn, which, of course, is the online adult website that's, I suppose, if not famous, at least known for its user-contributed content.
Joe Carrigan: Okay. I'm going to take your word for it, Dave.
Dave Bittner: Or so I've heard.
Joe Carrigan: So I've heard.
Dave Bittner: So it says it comes from info@youporn.com, and the message from them starts off by saying, greetings, our AI-powered tools have detected that you are featured in a sexually explicit content that was uploaded to our platform. Graham points out here that the YouPorn logo and the message make it all look legit. And he says, uh-oh, it seems YouPorn's AI algorithm has detected me in a sex video that has been uploaded. He says, now, I can be forgetful, but I'm reasonably sure that I have never knowingly appeared in a sexually explicit movie, yet alone uploaded it to YouPorn.
Joe Carrigan: Right.
Dave Bittner: So one would hope. Yes. But what this email is claiming is that YouPorn has some sort of automated AI technology that automatically detects people.
Joe Carrigan: Right. And somehow knows their email address.
Dave Bittner: That's right. That's right. Well, let's give Graham the benefit of the doubt. He's a person of note.
Joe Carrigan: Right.
Dave Bittner: He's certainly fame-ish in certain circles.
Joe Carrigan: Yes.
Dave Bittner: So perhaps that could happen.
Joe Carrigan: Perhaps. Perhaps.
Dave Bittner: They say, of course, we take the security and privacy of our users very seriously, and we use advanced technology to help detect and prevent the distribution of non-consensual intimate images and videos. Then goes on to say, the video will be published to our library within the next seven days, and you will have an opportunity to review the content after the grace period has passed.
Joe Carrigan: You know what that sounds like to me, Dave.
Dave Bittner: Go on.
Joe Carrigan: An artificial time constraint.
Dave Bittner: Exactly what I was going to say. And Graham says that, too. He says, ouch. So if I don't want the video published, I have to let them know within seven days. All he has to do is click the link on the video to check out the video.
Joe Carrigan: Ah.
Dave Bittner: But there's a problem.
Joe Carrigan: Okay.
Dave Bittner: The link doesn't go anywhere. There's no link. In other words, there's a highlight, but the link has no destination.
Joe Carrigan: No href.
Dave Bittner: Exactly. So it's a dud link, right? It's just there to appear to be there. But it doesn't actually go anywhere.
Joe Carrigan: Interesting.
Dave Bittner: Yeah.
Joe Carrigan: Why, I wonder.
Dave Bittner: Well, because I suppose the expectation would be that this is going to take you to view the video.
Joe Carrigan: Right.
Dave Bittner: But then you go, you're like, oh, thank goodness I'll be able to see what this is about. And then you click on it, it doesn't go anywhere. Now you're perhaps even more nervous.
Joe Carrigan: Right. This isn't working.
Dave Bittner: Right. What am I going to do? Right. Making you even more nervous. The letter goes on to say, if you did not approve the upload of this content, we kindly ask that you follow the instructions below to take immediate action. Our platform boasts an extensive network of websites and partners, which means that ensuring the security of our content is a top priority. To achieve this, all uploaded content is digitally fingerprinted using both the Mediawise service from Vobile and Safeguard, our own proprietary digital fingerprinting software. This helps to prevent unauthorized distribution of content on our platform. Sounds good.
Joe Carrigan: Yeah. I wonder how accurate that is.
Dave Bittner: Well, let's keep reading.
Joe Carrigan: Okay.
Dave Bittner: It says, the basic express removal, blocking and protection against reuploading of content on our network of 20 websites costs $199 USD.
Joe Carrigan: I see.
Dave Bittner: However, it gets better.
Joe Carrigan: Better than this?
Dave Bittner: Well, by better, I mean worse.
Joe Carrigan: Right.
Dave Bittner: They say, our plan A includes everything in the basic removal option, plus digitally fingerprinting the content and automated removal and protection against reuploading to our vast network of partner websites, over 300, for one year, all for $699 USD. So Dave, they're saying that for $700, they will keep porn of you off the Internet.
Joe Carrigan: Right. Okay.
Dave Bittner: Your nonexistent porn.
Joe Carrigan: That's right. What a great business model.
Dave Bittner: Well, there's more.
Joe Carrigan: Okay.
Dave Bittner: It says, we recommend plan B, which includes everything in plan A plus digital protection by Mediawise and Safeguard based on facial recognition data for three years. This ensures that any content with your biometrics will be blocked, and it costs $1,399 USD.
Joe Carrigan: $1,400. That's a bargain at twice the price, Dave. Three times the time, twice the price.
Dave Bittner: There you go. There you go. All right. Yeah. Three years. So Graham says, three years isn't as good as perpetual, but it's better than one year and they seem to be guaranteeing that any content with his biometrics will be blocked.
Joe Carrigan: Right.
Dave Bittner: So Graham says, where do I pay?
Joe Carrigan: Right.
Dave Bittner: Goes on and says the payment process is automated through a Bitcoin gateway.
Joe Carrigan: Ah, here we go.
Dave Bittner: The digital number you receive below is unique to your case and doesn't require any extra confirmation. To transfer the amount corresponding to your chosen option, copy and paste this identifier into your preferred cryptocurrency wallet.
Joe Carrigan: So this is a new take on the sextortion scam.
Dave Bittner: It is.
Joe Carrigan: That's all this is.
Dave Bittner: It is. It is. But it's pretty elaborate, I think it's safe to say.
Joe Carrigan: I would agree.
Dave Bittner: Yeah.
Joe Carrigan: First off, this is not how any of this works.
Dave Bittner: Right.
Joe Carrigan: And now in many states and I think in many countries in Europe, there are laws against involuntarily uploaded intimate images.
Dave Bittner: Right. Yeah.
Joe Carrigan: You'll hear it referred to as revenge porn.
Dave Bittner: Right.
Joe Carrigan: That's illegal in a lot of places.
Dave Bittner: Yeah.
Joe Carrigan: If you don't explicitly consent to the upload of this stuff to any service like this YouPorn site -- I guess they thrive on user content -- if you don't explicitly consent to that, then chances are the upload is illegal.
Dave Bittner: Right.
Joe Carrigan: There are also other requirements for the upload.
Dave Bittner: Yeah.
Joe Carrigan: Like some kind of verification that everybody in the video is over the age of 18.
Dave Bittner: You would think so, yes.
Joe Carrigan: I know there's a legal requirement for that in the United States.
Dave Bittner: Right.
Joe Carrigan: And that there has to be somebody who's a custodian of records for that information.
Dave Bittner: Okay.
Joe Carrigan: So you can't just upload a video that looks like somebody, the biometrics match and Bob's your uncle, there you go, everybody's looking at Graham's sex tape. That's not going to happen.
Dave Bittner: Right. Right.
Joe Carrigan: Yeah. There's so much wrong with this. But most people don't know this. Right? So they might be afraid of -- oh my gosh, how'd this happen?
Dave Bittner: Right.
Joe Carrigan: There might be people out there that even have these videos of themselves available. And maybe they're thinking, oh, did my former partner upload this video?
Dave Bittner: Right. Right. Right. And with everybody talking about A.I. these days.
Joe Carrigan: Right.
Dave Bittner: We've introduced this magical capability into the mix now.
Joe Carrigan: Right. And it and it does work and would be helpful in this kind of a situation.
Dave Bittner: Right.
Joe Carrigan: But there is no there is no A.I. model here. All there is, is a Bitcoin wallet. I promise you that part is real.
Dave Bittner: Right. Perhaps you have a distinguishing tattoo or something that I can recognize.
Joe Carrigan: Right.
Dave Bittner: All right. Well, we will have a link to this in the show notes. I think I am not doing justice to Graham's singular sense of humor that he expresses throughout this post here.
Joe Carrigan: Right.
Dave Bittner: So I do recommend you go check it out and read the original.
Joe Carrigan: Graham's a very funny writer.
Dave Bittner: He is. He's very good. All right. That's my story. Joe, what do you have?
Joe Carrigan: Well, Dave, a couple of weeks ago, Proofpoint released their State of the Phish report for 2023.
Dave Bittner: Okay.
Joe Carrigan: So I wanted to spend some time going over this report.
Dave Bittner: All right.
Joe Carrigan: Because I love data, Dave.
Dave Bittner: I know you do, Joe.
Joe Carrigan: Am I going to bore you with this?
Dave Bittner: No, no. It's not my boredom I'm worried about Joe.
Joe Carrigan: Goodbye, listeners. So we'll start off with the really interesting stuff. It was a commissioned survey of 7,500 working adults across 15 countries and 1,050 cybersecurity professionals across the same countries.
Dave Bittner: Okay.
Joe Carrigan: They paired this with the data that they've collected over the years because Proofpoint has phishing testing software, as well as the ability to report emails from the customers. So there's 135 million examples of Proofpoint sending out phish tests and then 18 million examples of reported emails from users at the customer sites.
Dave Bittner: Okay.
Joe Carrigan: So a lot of data.
Dave Bittner: Yeah.
Joe Carrigan: And they've combed through it. And there is some interesting information in here. And one of the first ones I wanted to talk about was user understanding and knowledge gaps. Dave, you and I, when we talk on this show, we often say things like malware, ransomware, phishing, vishing, and smishing.
Dave Bittner: Right.
Joe Carrigan: And I've talked about how much I hate the terms smishing and vishing.
Dave Bittner: Yes.
Joe Carrigan: But of all these terms, the only one that has consistently gained mind share among users is ransomware. That's the only one that has gone up consistently since 2019.
Dave Bittner: Okay.
Joe Carrigan: All the other ones are kind of like the people who answered the survey could not answer, could not identify, or about the same all across.
Dave Bittner: Right.
Joe Carrigan: Ransomware, 40% of people surveyed knew what that was.
Dave Bittner: Okay.
Joe Carrigan: 40%. Now, I'll tell you, Dave, that surprises me.
Dave Bittner: Which direction?
Joe Carrigan: I would think that more people would know what ransomware was. It's in the news.
Dave Bittner: It is.
Joe Carrigan: All the time.
Dave Bittner: Yeah.
Joe Carrigan: But only 40% of people know what it is. Phishing, 58% of people were able to identify. They were able to say what that is. And malware, 69% of people knew what malware was.
Dave Bittner: Nice.
Joe Carrigan: Right. Smishing and vishing, down around 29 and 30.
Dave Bittner: Okay.
Joe Carrigan: They note that those are relatively new terms, smishing and vishing.
Dave Bittner: Okay.
Joe Carrigan: So it's at least understandable that people wouldn't know what those are.
Dave Bittner: Right.
Joe Carrigan: I think there's other problems with that. I think that smishing and vishing are not really descriptive of what's going on. If you say phishing email, everybody knows what a phishing email is. If I say a smishing message, I think there's got to be a better -- scam text message, maybe.
Dave Bittner: Yeah. Yeah. They're not great.
Joe Carrigan: There's a new acronym I saw, TOAD, for phone calls. I can't remember. Telephone, something. It might even be in this report where I saw it. One of the big problems in our industry, Dave, is communicating with the regular users the problems that exist and why they need to care. And I think a lot of that stems from our jargon.
Dave Bittner: Yeah. I agree. I agree. I'll just, quick aside here, since we're talking about things that get our hackles up, I got a pitch from someone last week who claimed to be a cyfluencer.
Joe Carrigan: I got something like that on my LinkedIn.
Dave Bittner: Yeah.
Joe Carrigan: And you were a mutual connection.
Dave Bittner: I think we probably got the same one.
Joe Carrigan: Yeah. Well, I just ignored the connection.
Dave Bittner: No, I didn't connect, but I mean, I recoiled at the term.
Joe Carrigan: Right.
Dave Bittner: Yeah, I saw that person. Yeah. I was, no, I'm done. Ignore. Ignore this invite. Okay. It's not just me.
Joe Carrigan: Nope. Not just you.
Dave Bittner: All right. Back on track.
Joe Carrigan: Yes. They have a section here called Imposter Syndrome. I think that Proofpoint could have done a little bit better with the titles that they picked, because imposter syndrome is something completely different than what this is. This is impersonation.
Dave Bittner: Okay.
Joe Carrigan: 21% of users don't know that an email can appear to come from anybody.
Dave Bittner: Okay.
Joe Carrigan: Now, this ties in with what Graham was just talking about. 44% of people don't know that familiar branding doesn't make the email safe. So, I mean, maybe people are familiar with the YouPorn branding, but that branding was all over that email.
Dave Bittner: Right.
Joe Carrigan: Right? And I don't know if that's a real logo, but it probably is.
Dave Bittner: Yeah. Right.
Joe Carrigan: I'm not going to verify that right now because this is a Hopkins laptop and I don't want to have to answer questions later.
Dave Bittner: That's right. That's right. But we see this, you know, lots of these have to do with shipping, so you'll see the FedEx logo or the UPS logo or the Postal Service logo.
Joe Carrigan: Or the DHL logo. Or it has to do with impersonating Microsoft and they put Microsoft's logo all over the place.
Dave Bittner: Right. Anybody can do that. Yeah.
Joe Carrigan: Right. Anybody can do that. And apparently that's why they're doing it, is because it works. 63% don't know that the text and the link destination on a link in an email can be different. 63%. That's almost two-thirds of people don't know that. That is shocking to me.
Dave Bittner: Okay. Have you met my father?
Joe Carrigan: Your father's not a working adult anymore, right?
Dave Bittner: No, he's not.
Joe Carrigan: He's not one of those guys, one of those people.
Dave Bittner: No. I mean, obviously I love my father to death, but I use him as someone who's representative of, you know, a whole generation who is not a digital native.
Joe Carrigan: Yeah.
Dave Bittner: So all of this stuff is news to him, and he really didn't have an opportunity to learn this stuff in the same way that you or I did, and certainly our children below us probably have an even better grasp of all this.
Joe Carrigan: Absolutely. I will say that I'm actually pretty pleased with the way my parents have grasped a lot of the tech that's coming on.
Dave Bittner: That's good.
Joe Carrigan: And I don't know why they're outliers like that. My wife's parents, not so much.
Dave Bittner: Yeah.
Joe Carrigan: But my mom and my dad have done pretty well identifying things that are scams. Maybe it's because they're just generally better at identifying things that might be scams.
Dave Bittner: Yeah.
Joe Carrigan: By education, they're both financial people.
Dave Bittner: Okay.
Joe Carrigan: So maybe that contributes to it.
Dave Bittner: Might be.
Joe Carrigan: Bookkeeping and accounting, those kind of things. There's scams all over the place.
Dave Bittner: Yeah, there's a culture of oversight and auditing and just general, you know, carefulness.
Joe Carrigan: Right.
Dave Bittner: Now, in the Habits, they have a segment here called Blurred Lines. Okay.
Joe Carrigan: 78% of people use work devices for personal activities. I think that means that 22% of the people lied. No, no, no, I don't do that. I think you do.
Dave Bittner: So you're talking about like checking Facebook or on your work machine.
Joe Carrigan: Right.
Dave Bittner: Sure, okay.
Joe Carrigan: 72% of people admit that they use personal devices as work devices.
Dave Bittner: Yeah.
Joe Carrigan: I think that's probably also artificially low. Are you telling me that you don't have your work email on your phone?
Dave Bittner: Right.
Joe Carrigan: I mean, actually, that one I'm more willing to accept. I do a lot of work. My phone that has my Hopkins email on it. Sometimes when I'm preparing for this show, I'll do that on my home computer. I will log into my Hopkins account on my home computer sometimes. I don't install Hopkins software on my home computer, but I still use my home computer for work stuff.
Dave Bittner: Yeah.
Joe Carrigan: And this one I find shocking, 48% of people said that they let family and friends use their work devices. Dave, I don't let family and friends use my personal devices. I think I'm the outlier here, Dave. The rule at home is don't touch my computer. Just don't touch it.
Dave Bittner: Right.
Joe Carrigan: You know, there's been a family computer, and now, shortly after that, when computers decreased in cost and were readily available, everybody got their own computer.
Dave Bittner: Yeah.
Joe Carrigan: And that way, there's no cross-contamination. One person's bad behavior doesn't necessarily impact everybody else.
Dave Bittner: Right.
Joe Carrigan: But you know, I've never let my kids play with my work computer at all.
Dave Bittner: No.
Joe Carrigan: But they've never needed to.
Dave Bittner: Yeah.
Joe Carrigan: They have their own computer.
Dave Bittner: No, I think in the era of mobile devices, I'm having trouble imagining good reasons to let your family access a work computer.
Joe Carrigan: Here's some password habits. 28% of people say they reuse passwords for multiple work-related accounts, which is terrible.
Dave Bittner: Yeah. Doesn't surprise me.
Joe Carrigan: Right. 18% said they use a password manager, and that's for work stuff, while 17% said they use it for personal stuff. I've migrated to KeePassXC.
Dave Bittner: Okay.
Joe Carrigan: And I keep two separate databases, one for work and one for home. And I found that to be a really good way to divide stuff, and it doesn't take long to migrate. I mean, every now and then, I'm going to have to go back to PasswordSafe, open up that thing, and move a password over. But I haven't had to do that in a couple of weeks. When it comes to rotating passwords, only 16% of people said they rotate somewhere between one and four passwords. And this means changing your passwords with some regularity, I guess.
Dave Bittner: Yeah. Yeah. That's interesting. I mean, I remember years ago, before I knew better and before password managers really were a thing, I remember my wife and I would have, probably the best way to describe it is different tiers of passwords.
Joe Carrigan: Yes.
Dave Bittner: You had the complex one that you used for the important stuff, and then you had throwaway ones that you reused for accounts that you didn't really think -- where security wasn't as important.
Joe Carrigan: Right. And to some extent, that's a good risk assessment for the time.
Dave Bittner: Right.
Joe Carrigan: But now, you have password managers now, first off, so that solves most of the problem.
Dave Bittner: Yeah.
Joe Carrigan: And it really makes it really easy to change these passwords and to create very hard-to-guess passwords.
Dave Bittner: And it badgers you if you're reusing a password.
Joe Carrigan: Right. It badgers you if you're reusing it. Some of them will integrate with Troy Hunt's database and say, hey, this password's already been breached. Let's change it.
Dave Bittner: Right.
Joe Carrigan: When it comes to rotating more than four passwords, the numbers are the same if you go with five to 10 or more than 10. So 6% of people say they do that for both of those. Now, I don't know if that means that 6% only rotate -- I guess that means 6% only rotate somewhere between five and 10 passwords. And some people rotate more than 10 passwords, 6% of people.
Dave Bittner: Okay.
Joe Carrigan: I rotate more than 10 passwords, but I do not rotate all of them. There are some I just don't rotate. The passwords are already long and complex. The account is not that important to me. And if it's available, it's protected with some kind of multi-factor authentication.
Dave Bittner: Okay.
Joe Carrigan: So I've done the risk assessment. If I lose access to that account, I'm not going to be impacted that much.
Dave Bittner: Okay.
Joe Carrigan: This is an interesting report. I mean, I think I'm going in here too much into the data. I would encourage everybody -- oh, here it is, TOADs, which is Telephone-Oriented Attack Delivery.
Dave Bittner: I've never heard that before. Oh, boy. Right. Because what we really need is another acronym, right, Joe?
Joe Carrigan: Right. Yep.
Dave Bittner: Okay. TOADs. TOADs.
Joe Carrigan: This is an interesting report. It's a really good report, and I think it's well done and well written. I have my issues with it in terms of -- but they're all just my issues. It's not any professional thing I have.
Dave Bittner: Okay.
Joe Carrigan: It's just, this is what irritates Joe.
Dave Bittner: Yeah.
Joe Carrigan: But it's a good report. I mean, check it out. You have to give them some information, but it's worth the read.
Dave Bittner: All right. Well, we will have a link to that in the show notes. All right. It is time to move on to our "Catch of the Day".
Joe Carrigan: Dave, our "Catch of the Day" comes from my boss, Dr. Tony DiBurra. Somebody sent this message to him and the president of our university, President Daniels.
Dave Bittner: All right.
Joe Carrigan: Now, mind you, the email came from a Gmail address, but it wasn't looking like it was spoofed. I've redacted the name and the name of the company.
Dave Bittner: Okay.
Joe Carrigan: But because I think this might actually be something legitimate, I don't know. Let's read, shall we?
Dave Bittner: Okay.
Joe Carrigan: It goes like this. Dear President, I have reviewed thousands of schools' forensic Internet data. I'm contacting you because I have found illicit material that is associated with your university. Your website has one associated websites linked to yours, referring domains that contain pornographic material and 12 links to your website, backlinks, associated with porn. I will include photos of the links and Excel spreadsheets detailing this relationship to your website. I'd like to explain more about how these things can become associated with your website. Your site is linked to other websites through hyperlinks that act as shortcuts to get to related topics. A backlink is like a recommendation on the Internet. It's a link from one website to another, guiding people to more information on a related topic. Other than the links related to porn, there are some other backlinks. Google French redirects advertisement de redirection and some interesting subdomain backlinks from other universities that could indicate that someone has included the university on a PBN, private blog network, that could impact the Internet more than the Cambridge Analytica scandal. I hope that the university takes a serious look into this, and please let me know if I can be of any further help. So they sent along a bunch of Excel file or spreadsheets that were Google Docs. I didn't click on any of them. Tony didn't click on any of them. We had Chris Venghaus, our system engineer, look at it. He didn't click on any of them. We actually discussed this.
Dave Bittner: Okay.
Joe Carrigan: Could this be real? And the point is anybody can put a link on the Internet that points to jhu.edu.
Dave Bittner: Right.
Joe Carrigan: Right?
Dave Bittner: Sure.
Joe Carrigan: Somebody has done that on a porn site.
Dave Bittner: Okay.
Joe Carrigan: And that might be the case.
Dave Bittner: Allegedly.
Joe Carrigan: Allegedly. Yeah. There's nothing we can do about that.
Dave Bittner: No.
Joe Carrigan: I mean, I don't know what the business model is here for this guy, what he's trying to do, aside from maybe do some reputation management, but I think everybody on the Internet knows, that those kind of things can be added anywhere.
Dave Bittner: Right.
Joe Carrigan: One thing that is interesting in here is I had to look this up. There's a technique called the private blog network. He calls it a PBN where you pump a link into this PBN. It's just a bunch of blogs that essentially link to other sites.
Dave Bittner: Right.
Joe Carrigan: The hope is that Google will index these sites and that you can have your site rise in the search rankings. It's part of SEO, search engine optimization.
Dave Bittner: Yeah, yeah. I mean, this is a very old school technique.
Joe Carrigan: Right.
Dave Bittner: I remember this from probably 20 years ago.
Joe Carrigan: Right.
Dave Bittner: Yeah. And this whole email strikes me as being 20 years old.
Joe Carrigan: Right.
Dave Bittner: Like explaining what is a hyperlink, those sorts of things.
Joe Carrigan: Right. I have another complaint about this, and the terminology is correct, but backlink is just a URL that points outside of the current website.
Dave Bittner: Okay.
Joe Carrigan: I don't know why they're called backlinks. That doesn't seem like a good name.
Dave Bittner: All right. I don't know why.
Joe Carrigan: No, I looked it up. That is an actual term.
Dave Bittner: Okay.
Joe Carrigan: I hadn't heard it before. I'd always just refer to them as links. Links can be internally --
Dave Bittner: It makes me hungry. I'm going to cook up some eggs and some delicious backlink sausage. Right?
Joe Carrigan: Dave, I think I have my new harebrained business idea.
Dave Bittner: That's right.
Joe Carrigan: Dave and Joe's backlink sausage.
Dave Bittner: Backlink sausages. Yeah, nothing but the best.
Joe Carrigan: That's right.
Dave Bittner: All right. Well, I don't know what to make of this. Like you said, it could be real -- the offer could be real.
Joe Carrigan: Right.
Dave Bittner: And even if it is, the service seems odd.
Joe Carrigan: Yeah.
Dave Bittner: But even if it is real, it's written in such a way that makes me question it.
Joe Carrigan: Yeah.
Dave Bittner: And it makes you all not want to follow up with this person.
Joe Carrigan: Right. There's one bit of hyperbole in here. When he compares PBNs, he says they could impact the Internet more than the Cambridge Analytica scandal.
Dave Bittner: Yeah.
Joe Carrigan: That's not anything related.
Dave Bittner: No.
Joe Carrigan: I mean, those two things are not the same thing.
Dave Bittner: Right. It's like saying, this will be worse than Watergate.
Joe Carrigan: Right.
Dave Bittner: Okay. Maybe that's what he's doing, is that PBNs are going to be worse than Watergate.
Joe Carrigan: They're not going to be worse than Watergate.
Dave Bittner: No. >21 Or Cambridge Analytica. It's just cranking up the pressure.
Joe Carrigan: Right. Yeah. The rhetoric, definitely.
Dave Bittner: Right.
Joe Carrigan: Anyway.
Dave Bittner: All right. Well, thanks to Joe's boss, Tony, for sending this over. We do appreciate it. And we hope that good President Daniels at Hopkins did not follow up with this person.
Joe Carrigan: No, he did not.
Dave Bittner: I'm sure he did not. He has plenty of people.
Joe Carrigan: Yeah. Someone else writes his emails. He's guiding him what to do.
Dave Bittner: Right. Absolutely. Yeah. All right. Well, again, we would love to hear from you. If there's something you'd like us to consider, you can email us. It's hackinghumans@n2k.com.
Joe Carrigan: Send those catches in.
Dave Bittner: Joe, I recently had the pleasure of speaking with Sam Crowther. He is founder and CEO of a security company called Kasada. And he and his colleagues there have been doing some interesting work looking at credentials from automotive accounts. So things associated with your car that are being sold online.
Joe Carrigan: Right.
Dave Bittner: Here's my conversation with Sam Crowther.
Sam Crowther: Our threat research team found evidence that some criminal syndicates had been launching credential stuffing attacks against large, particularly U.S.-based auto manufacturers and selling the compromised accounts, which contained, obviously, the VIN numbers, the makes and models of the vehicles, the PII of the owners within some of their Telegram communities. And it was at a scale that was quite alarming to go from zero to where they landed. So it raised just massive red flags on our side. And we figured this is absolutely something we need to talk more about.
Dave Bittner: Well, what kind of scale are we talking about here? How many stolen accounts did you all track?
Sam Crowther: So the initial two waves, there was about 15,000 U.S. accounts for these cars that came up for sale.
Dave Bittner: Well, let's talk about the information that was taken here and why it matters for folks. I mean, I think people are kind of used to getting reports that some of their information has been compromised, their name, their address, maybe something like that. But I think it's fair to say most of us don't think about things like the VINs of our cars.
Sam Crowther: I completely agree, right? I'm like, when you buy a car from a manufacturer, particularly modern ones, and you sign up for the account to manage your servicing or even manage the vehicle remotely, you never really think too much about what's going into it and the sort of access and information that it has.
Dave Bittner: Well, let's talk about some of the things that folks can do with a VIN here. What are the risks?
Sam Crowther: Something known as car cloning, where criminals can take stolen VIN numbers and use it to create replica tags so that you might get pulled over when you're driving your car in Maryland, right? And the police are like, hey, we've got a warrant for this or whatever it is when you get pulled over. And it's actually because someone else who committed a crime who's duped your car's information has done it somewhere else in the state, right? Which is really, really problematic. There's also the potential for basically the duplication of ownership papers. So someone could own your car from the government's eyes. It's pretty concerning. And when you couple that with the information around where the individuals live, how to contact them, it can start to become a really scary form of identity fraud.
Dave Bittner: How so? How would folks use this information specifically?
Sam Crowther: You can leverage all the contact and VIN information. It's also possible to take out loans, for example, against the car, like additional cash out, which I guess is the ultimate goal for almost any identity theft is money from the banks that's tied to someone else. What's really interesting, though, on the actual seller's side is how popular and how cheap seemingly these accounts were, right? Like normally, to get your hands on enough information to properly commit identity fraud, it's going to cost you $500 to $1,000, whereas you look at some of these automotive accounts and you can pay as little as $2 and you basically have all the information you need to get started.
Dave Bittner: Any insights on why they were going so cheaply?
Sam Crowther: My guess is that the sellers didn't realize the true value of them. And the folks that launched these attacks typically stick to retail, so taking over retail accounts with safe credit cards where the value is only a few dollars an account. And so I think this is new territory for them and they have not realized actually they're sitting on something far more valuable than a traditional retailer's online account.
Dave Bittner: One of the things that you all pointed out in your report here was that a lot of these manufacturers have mobile apps for the vehicles now and then they're linked together and by having this information, the bad guys can take advantage of some of the functionality of those mobile apps.
Sam Crowther: Yeah, it's a pretty scary thought, isn't it? The fact that all someone really needs is your username and password and then your VIN and they can see things like car location. There's innocuous things like air conditioning, but the ability to lock, unlock, remote start, you're starting to again get into something that folk on the security side have shouted from the mountaintops could happen where someone takes over your car. It actually just is one step closer to being very real.
Dave Bittner: What are your recommendations for folks to protect themselves against this sort of thing?
Sam Crowther: So look, the number one would be, and I know it's said over and over again, but unique passwords, particularly on systems like this. I know it's probably not something many of us think about being overly sensitive, but the reality is it's actually quite important for us to protect it. So making sure that access to that account is 2FA where it can be. It's a strong password. And then if you can disable certain functionality or you can avoid having some of these accounts entirely, maybe if it's not going to impede your user experience, it may be best to do so. In a lot of cases, most people don't need these accounts. Most of the cars attached to these were old from what we could see, and there was no app to control them remotely for these older models. So there was really no big value add, yet they'd sort of been driven to sign up by the manufacturer.
Dave Bittner: It's a really interesting point you bring up. My wife happens to be in the market for a car, and she hasn't purchased a car in probably about a decade or so. And she's finding it frustrating that she can't get away from a lot of these electronic enhancements that she's not really that interested in.
Sam Crowther: Right. They're there by default, and you can't do much about it, can you?
Dave Bittner: No. And as you say, it does open up kind of a whole new attack surface that we hadn't really considered before. People who listen to this show hear me say over and over again that my favorite iPhone accessory is my car. And I think we're really getting to that point.
Sam Crowther: Yeah, I completely agree. Completely agree.
Dave Bittner: Is there any responsibility from the car manufacturers here? I mean, have they chimed in on any of their attempts to secure this kind of thing?
Sam Crowther: Huge responsibility. This is ultimately their problem. If this happened in any other industry where the information was as sensitive, there would be outrage. Imagine if the MyChart accounts you have for your medical information had the same problem. The impact would be pretty material. And functionally, this is very sensitive PII. So we've reached out and tried to notify the manufacturers. One has engaged. The others have remained silent. The one that's engaged has been really good and proactive about actually properly digging in and looking at what went wrong and how to address it, which is great to see.
Dave Bittner: Yeah. Where do you suppose we're headed here? I mean, could you see regulations coming that could help tie these sorts of things down better?
Sam Crowther: General security rules and regulations around liability is something that will help here, right? The world is so fast-paced, and particularly if you take the case of auto manufacturers who've been ripped out of the stone age very, very quickly, there's just so many different unique cases and data sets and data types to deal with. But, you know, laws around, hey, what is acceptable for an organization to lose when it comes to customer data, right? How many accounts can be compromised before there are some, you know, whether it's like criminal or other sorts of charges brought against the company. That's really where this needs to go. And if you look at other countries, they're starting to move there, right? Actually, my home country of Australia has recently implemented some new laws around liability if organizations are shown to be negligent. And the penalties are really severe, right? Similar to what you'd see in the European Union. I really think that's the best way to do it because right now the equation these companies make is, what's the chance we get caught? How much is it going to cost us if we get caught? You know, we're fine to accept that risk without actually really considering what the impact to their customers is.
Dave Bittner: Yeah. You'd hope that we wouldn't have to get to the point where there was, you know, some kind of loss of life or bodily injury for folks to sit up and pay attention to this.
Sam Crowther: Yeah, we do not want to get to that. That is not a great outcome.
Dave Bittner: Joe, what do you think?
Joe Carrigan: I haven't heard this one before.
Dave Bittner: Yeah.
Joe Carrigan: Well, first off, the attack is something that just starts with a credential stuffing attack. And then they're getting in and monetizing it by selling these things for a couple bucks apiece.
Dave Bittner: Right.
Joe Carrigan: I put credential stuffing attacks into the social engineering category. Some people don't do that. I do, because they're exploiting a human habit. And these attacks don't actively attack people, but passively attack people through the things they've already done, like reusing passwords. And this is a habit that people have. Just like we saw in my story, a lot of people are reusing passwords. 28% say they use multiple passwords at work that are the same.
Dave Bittner: Right.
Joe Carrigan: This is why we say use a password manager, because that protects you from this kind of attack.
Dave Bittner: Yeah.
Joe Carrigan: They're selling the access and the information, 15,000 accounts that have been breached. That's interesting. I'll bet that these guys amassed a bunch of different email and password pairs, and then just started stuffing the big three auto manufacturers in the US, and that's how they got it.
Dave Bittner: Could be.
Joe Carrigan: They have access to this, and they say, why don't we try this? Okay. So then the issue comes up of what can these bad guys do with it, and Sam talks about car cloning. And the funny thing is, once he said that you get access to your VIN number, your VIN rather, I shouldn't say VIN number, because the last N is number.
Dave Bittner: If you're on your way to the junkyard, make sure you stop by the ATM machine.
Joe Carrigan: Right. But he talks about car cloning.
Dave Bittner: Yeah.
Joe Carrigan: So this goes back to the olden days of car thieving, right? You would buy a car that was a model that you wanted, right? And it would be junked, just in a wreck, never going to drive this car again.
Dave Bittner: Okay.
Joe Carrigan: But you buy it, and you get a title. Then you would go and steal a car of the same model, and then they were people that -- I remember watching this on 20/20. There were people that would cut the VIN numbers out, and weld them back into the stolen car, and bam, you've got a new car. So they change all the VIN numbers on the stolen car to match that of the destroyed car.
Dave Bittner: Right.
Joe Carrigan: Now you have a new car with a clean title.
Dave Bittner: I see.
Joe Carrigan: And everything's good to go. Now, that can't be done so much, because now we have these things like junk titles and salvage titles, and something called -- I can't remember, but it says that you have to destroy the car.
Dave Bittner: Okay.
Joe Carrigan: So somebody has to destroy the car, and a junk title and a certificate of destruction, those cars can never be on the road again.
Dave Bittner: Right.
Joe Carrigan: So you can't do that anymore, but you sure can take a perfectly good car and clone that by putting another VIN on there, and then go get a nice clean title for it.
Dave Bittner: Yeah.
Joe Carrigan: And then, imagine when somebody's run a bunch of red light cameras in another state, and doesn't pay them, because they know you're going to be getting the bill for it. It's a form of identity theft.
Dave Bittner: Yeah.
Joe Carrigan: Another weird, modern problem here is that now, maybe you can actually go ahead and install the app on your phone, if you're the bad guy, and because you have access to the user's account, have access to their car.
Dave Bittner: It's possible.
Joe Carrigan: I don't know if that's -- I don't have a modern enough car, Dave. My car is from 2012.
Dave Bittner: Well, yeah, like I said, my wife is in the market right now, and she's a little frustrated by the forced sophistication of these cars.
Joe Carrigan: Yeah.
Dave Bittner: It's hard to find one that's --
Joe Carrigan: I'm not looking forward to buying my next car.
Dave Bittner: Yeah.
Joe Carrigan: And the same problem is with TVs. You can't get a TV that isn't a smart TV anymore.
Dave Bittner: Right.
Joe Carrigan: And refrigerators. Why? Why can't I get a -- actually, you can still buy dumb refrigerators, and that's the best kind. You don't want to be dumber than your refrigerator, Dave.
Dave Bittner: No.
Joe Carrigan: You want the refrigerator to be one of the dumber things in the house.
Dave Bittner: Yes. Yes.
Joe Carrigan: The refrigerator and the dog have to be at least as smart.
Dave Bittner: Yeah.
Joe Carrigan: Sam notified the manufacturers and heard back from one of them.
Dave Bittner: Yeah.
Joe Carrigan: So, 33%. That is actually a pretty good ratio.
Dave Bittner: Okay.
Joe Carrigan: One of these companies is taking this seriously. I would like to know which company it is. Sam didn't mention that, probably because he agreed to non-disclosure stuff.
Dave Bittner: Right.
Joe Carrigan: Which I understand. So how do you protect yourself against this? Well, number one, use multi-factor authentication. I don't know that these auto manufacturers are going to offer that. So in lieu of that, a password manager will help you create a strong and unique password that makes it almost impossible to fall victim to a brute force attack.
Dave Bittner: Right.
Joe Carrigan: I'm not going to say it's impossible. There is a chance that it will happen, but it's a very, very, very, very small chance. Auto manufacturers need to make multi-factor authentication required for their sites. If you're going to have this kind of PII that's accessible, you have to take it upon yourselves to protect the user by making it so that they have to use multi-factor authentication at some level. Just stop the automated attacks like this, where 15,000 of your records get sold online.
Dave Bittner: And you've already got a key. The car has a key.
Joe Carrigan: Right.
Dave Bittner: So make the key MFA, right? The key has electronics in it.
Joe Carrigan: Yeah. That's a good idea.
Dave Bittner: Right.
Joe Carrigan: Dave, you should be patenting that idea, not giving it away for free.
Dave Bittner: Well, there you go.
Joe Carrigan: Also, I think manufacturers need to let us minimize our attack surface. What if I don't want my car to have a Wi-Fi hotspot? I just don't want that.
Dave Bittner: Yeah.
Joe Carrigan: I don't want that to be available. I don't want that to be a thing. I don't even want there to be a SIM card in my car that is calling out and checking if it can be used for Wi-Fi. I don't want that. Because that means it's probably one of those SIM cards that is lifelong and just sends data across it, like is in those Amazon Kindles. When you buy an Amazon Kindle, there's like a 3G or a 4G SIM card in there that just runs forever. It's low cost because the data usage is so low on those things.
Dave Bittner: Right.
Joe Carrigan: I don't want that in my car. I just don't.
Dave Bittner: Right.
Joe Carrigan: I don't want that.
Dave Bittner: I'm picturing you, Joe. You know I love you, Joe.
Joe Carrigan: I'm going to cover my car in tinfoil.
Dave Bittner: I was just going to say, I was picturing you driving around in a car that had some kind of Faraday cage welded on the entire perimeter of it. When you wanted to do something, you have a handheld antenna that you hold out of the window if you need to get some data or tune into a radio station or something. The neighbors are all looking at you through their blinds saying, oh, what has Joe done this time?
Joe Carrigan: Yes. That happens a lot. The neighbors do. I see them peeking out going, oh, what's he up to now?
Dave Bittner: Right.
Joe Carrigan: Why does he have that big antenna mast out in the front yard?
Dave Bittner: Yep.
Joe Carrigan: There is something here that made me a little bit nervous with my current car. When I bought it, I started noticing that if I drove by the dealership where I bought it, within a day, I'd get an email letting me know that it was time for an oil change or something.
Dave Bittner: Really?
Joe Carrigan: Yeah. But that was 2012 that car was made.
Dave Bittner: Yeah, that doesn't make sense.
Joe Carrigan: But I'm wondering if there's some kind of just constant beacon emitting stuff and whenever it drives by a dealership -- it's a Toyota product, whenever it drives by a Toyota dealership with this receiver in it, does it just upload the data or does it just receive the data?
Dave Bittner: That's interesting. I mean, I suppose you do see, you'll sometimes see devices on the side of the highway that have some sort of antenna array.
Joe Carrigan: Yeah.
Dave Bittner: And it's my understanding, going way back, they used to have ones that would be able to detect what radio station you were listening to as you drove by.
Joe Carrigan: Really?
Dave Bittner: Yeah. It was able to sense some kind of resonance out of the tuner and would be able to gather that information anonymously, you know, back then. So I suppose it's plausible, but it seems unlikely, especially for a car that goes back that far.
Joe Carrigan: Yeah, it's 11 years ago now.
Dave Bittner: You never know. Well, a little paranoia never hurt anybody.
Joe Carrigan: Yeah. Maybe I should get one of my software-defined radios out and start the car up and see what happens.
Dave Bittner: Right. Right. Just go around. Yeah. Yeah. Go around and see if it's beaconing anything.
Joe Carrigan: Right.
Dave Bittner: I wonder what would happen -- now I'm thinking of how could you test this.
Joe Carrigan: Right.
Dave Bittner: If you drove by the dealership, but you pulled the fuse on your car's head unit, on the radio business in the car, would that do anything? Or who knows, could be a passive thing. I don't know. Look, if anybody knows anything about this, let us know.
Joe Carrigan: Let us know. Dave and I are going down a rabbit hole of paranoia that we probably shouldn't be going down.
Dave Bittner: Yeah. Yeah. All right. Anything else before we wrap up?
Joe Carrigan: No, that was it. That was all I had. The last thing I was going into was my story about my car.
Dave Bittner: Okay.
Joe Carrigan: That wasn't even in the script.
Dave Bittner: All right.
Joe Carrigan: We have digressed, but all at the end of the show.
Dave Bittner: There you go. All right. Well, our thanks again to Sam Crowther. He is the founder and CEO of security firm Kasada, and we appreciate him taking the time for us. That is our show. We want to thank all of you for listening. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Lean more at n2k.com. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. Our senior produce is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.