Hacking Humans 7.27.23
Ep 252 | 7.27.23

Reducing risk in the cyber community.


Perry Carpenter: Security culture is important. It's something that lives and births in every organization, whether you know it or not, and so the question becomes: how intentional are you about the security culture that you have? How sustainable is that? And what do you need to do about it?

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Perry Carpenter returns to discuss his book, "The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer." Alright Joe, before we jump into our stories here, we got some follow-up from a listener who prefers to be nameless, but someone who I regularly interact with via email, so I know who this person is and they are who they say they are.

Joe Carrigan: I don't know who they are.

Dave Bittner: I will read the message that they sent to us.

Joe Carrigan: Okay.

Dave Bittner: And they said: "As you know, I am both a retired Fed and a cybersecurity geek post-retirement, with an emphasis on anti-scam and anti-fraud awareness. I always recommend not messing around with scammers for fun. They are professional scammers for a living. The average person is not. There is a significant knowledge and experience imbalance going on here. The average person is likely not as slick as a professional scammer. There have been instances where somebody messing around with a scammer, who has gone down the rabbit hole of conversational and transactional engagement for fun, has wound up getting scammed. And as Joe alluded to, scammers likely have your contact information and can make your life absolutely miserable if you set them off. I know a number of people who have had to get a new phone number and change an email address in order to put an end to the bombardment of misery that a pissed off scammer was deluging them with."

Joe Carrigan: Right.

Dave Bittner: "There is no upside value proposition to messing with a scammer. One should simply not respond at all to communication that is of the sort that we all instantly recognize as being a scam attempt or is just peculiar. Simply ignore the communication and block the sender as best you can. Any engagement at all only serves to guarantee more contact from scammers."

Joe Carrigan: These are good points. And I've said this in scam baiting, we're still going to probably have scam baiting catches of the day on here--

Dave Bittner: Yeah.

Joe Carrigan: --and I'm still going to watch people like Qdoba, whatever the guy's name is that does the scam baiting, and the guy from England who does a really good job, who's like made almost a career out of this.

Dave Bittner: Right.

Joe Carrigan: But that guy is someone who lives in this environment, right?

Dave Bittner: Right.

Joe Carrigan: The author of this letter is absolutely correct that you are dealing with people who already have your contact information when they come in, and I've done this several times where I've been like, I really want to mess with this guy but sometimes I think, well they already know who I am, it probably isn't hard to find out more information. If I had set up a fake account, then I would mess with them.

Dave Bittner: Yeah.

Joe Carrigan: But it's interesting that he says that people have, I'm assuming it's a he.

Dave Bittner: Yeah.

Joe Carrigan: That people have played along with the scammer trying to, trying to mess with him, and then still gotten scammed.

Dave Bittner: Yeah.

Joe Carrigan: You know, one of the things they tell you in sales, I remember, remember everybody, I had a brief but failed sales career. Just keep the client engaged, keep talking to them.

Dave Bittner: Right.

Joe Carrigan: It's the same thing in scams, they don't care if you're, if they think that you're scam baiting them, they probably are savvy to that right off the bat.

Dave Bittner: Right.

Joe Carrigan: So if they're just like, I've just got to keep this guy talking and keep him going and eventually I'll get some money out of him.

Dave Bittner: Yeah. And they're the professionals.

Joe Carrigan: Right, and they're the guys that do this 60 hours a week.

Dave Bittner: Right. Right. Right. So they have a big bag of tricks.

Joe Carrigan: Yep.

Dave Bittner: Much larger than yours.

Joe Carrigan: Yep.

Dave Bittner: So, I think this is wise advice and a good reminder that as tempting as it is and as fun as it may seem like it's going to be, you are coming into this engagement outmatched.

Joe Carrigan: Right.

Dave Bittner: Yeah. Alright, well let's jump into some stories here. Joe, why don't you kick things off for us.

Joe Carrigan: Dave, my story comes from Mandiant, which is now part of Google Cloud, I believe.

Dave Bittner: Mm hmm.

Joe Carrigan: And it was written by Rommel Joven.

Dave Bittner: Okay.

Joe Carrigan: Or perhaps, Joven, I'm not sure, and NG Choon Kiat.

Dave Bittner: Okay.

Joe Carrigan: And I hope I'm not mangling those names but I fear that I am.

Dave Bittner: Fair enough.

Joe Carrigan: And this, the article, it's a blog, it's a blog posting, it's called, "The Spies Who Loved You: Infected USB Drives Steal Secrets." And it's talking about these three campaigns that Mandiant has observed that are using USB drives to steal secrets. These are pretty significant campaigns. Now the first one is actually in an entirely different article. We'll put a link to the first article, but if you click on the first link in that article from Mandiant, you go to another article or blog post that they've made that's called, "Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia."

Dave Bittner: Okay.

Joe Carrigan: And this is talking about a collection of USB devices that have been dropped around various areas, including Southeast Asia, the U.S., Europe, and the Asia Pacific Japanese Region.

Dave Bittner: Yeah.

Joe Carrigan: But it seems that every time that these malicious USBs are activated, they're trying to get in somewhere in the Philippines.

Dave Bittner: So that's where they're phoning home to?

Joe Carrigan: Right, well they're trying to, they're trying to attack somebody in the Philippines.

Dave Bittner: Oh! Okay.

Joe Carrigan: Yep.

Dave Bittner: Interesting.

Joe Carrigan: And they believe that this is a Chinese organization. I don't think Mandiant is actually doing any full-blown attribution here, that's really difficult to do, but they're saying this has, they assess it as having a Chinese-nexus, or China-nexus.

Dave Bittner: Yeah.

Joe Carrigan: And they are calling this threat, UNC4191, which I think is Mandiant's term for an unclassified threat, and then just a number.

Dave Bittner: Okay.

Joe Carrigan: But they've observed a bunch of malware that includes something called NCAT, which is a way of opening a reverse shell back to the, back to the command and control, which lets them do whatever they want.

Dave Bittner: Mm hmm.

Joe Carrigan: This stuff is all written in C++ or C and C++, and it's going to happen as soon as you plug the drive in.

Dave Bittner: Hmmm.

Joe Carrigan: The second attack is called SOGU, s-o-g-u, malware. It's the same kind of thing, they're seeing it across all kinds of industries and geographies. It is being released in the U.S., all across Asia, in Australia, in Saudi Arabia, in Egypt, and France, Italy, a lot of European countries, England and Ireland, or I should say, the United Kingdom and Ireland.

Dave Bittner: Mm hmm.

Joe Carrigan: They're just listed as one country here, but it's going across all kinds of different industries and the number one industry is pharmaceuticals at 11.8 percent, and that's also tied at number one with IT. So I don't know what they're going after here, but it looks like they're, I mean there's a broad swath of industry here.

Dave Bittner: Yeah.

Joe Carrigan: Going all the way down to education, finance, and nonprofits. So I think this is just a, let's see what we can gather kind of thing. But what's really happening is these are data exfiltration tools, so these guys are staging and then exfiltrating all this, any data they can find. And they're sending it back to wherever they can, wherever it goes to, and this SOGU malware is also linked to China. The third one is actually targeting oil and gas organizations in Asia. And this one they have not linked to China, it's a campaign they're calling UNC4698, and they are, they're targeting, of course, oil and gas, but they are targeting organizations in Asia. They're executing payloads on Windows command prompts, and using removable media to create local staging directories, which is where they're going to muster all the data before they send it out.

Dave Bittner: Hmm. It's interesting that these things kind of come in waves.

Joe Carrigan: Right.

Dave Bittner: They ebb and flow, you know, years ago we heard of things being dropped on USB drives and then that sort of faded away, I think because awareness increased about it.

Joe Carrigan: Yeah.

Dave Bittner: But now it's back.

Joe Carrigan: Now it's back. And that's an excellent question, why is this resurging?

Dave Bittner: Yeah.

Joe Carrigan: Or why is it maybe this case is kind of unique, maybe it's a blip on the radar, but, or maybe there is just the same level of noise, we just haven't been paying attention to it. But this is just, wherever you live or work, don't pick up random USB drives that might say something interesting on the outside. Perhaps something prurient that makes you think, oh, I really want to look at what's on here.

Dave Bittner: Right.

Joe Carrigan: And then plug it into your, into your computer or your organization's computer.

Dave Bittner: Plug it in to the person in the cubicle next to you.

Joe Carrigan: Don't do that either.

Dave Bittner: While they're at lunch.

Joe Carrigan: While they're at lunch. You still just hosed your company.

Dave Bittner: Right, right, right. You go to one of your competitors.

Joe Carrigan: Yes.

Dave Bittner: And you plug it into one of their computers.

Joe Carrigan: There you go. That's what you do.

Dave Bittner: Yeah. Now it's interesting to me, this notion of dropping these devices you know, around the world, and then having them target folks in the Philippines.

Joe Carrigan: Right.

Dave Bittner: Like are they trying to make it, I don't know, make it seem like the traffic isn't coming from China I guess?

Joe Carrigan: I will bet, I will bet what they're doing is they're targeting organizations that they know do business with the target organization in the Philippines.

Dave Bittner: Oh, okay.

Joe Carrigan: So they're dropping, they're going into the parking lots of those places and just dropping USB drives down.

Dave Bittner: Right. So they have an established relationship so chances are there's like, the two companies aren't on each other's block lists.

Joe Carrigan: Right.

Dave Bittner: For IT stuff.

Joe Carrigan: Exactly, so for example, in the '80s the World Bank did some work with the Philippine Government.

Dave Bittner: Yeah.

Joe Carrigan: If you were targeting the Philippine Government, it would be great to go to the World Bank and put some USB drives in the parking lot there and see what happens.

Dave Bittner: Right, right.

Joe Carrigan: I don't know if that relationship still exists, I don't know if the Filipino government is the one they're going after.

Dave Bittner: Yeah.

Joe Carrigan: But it's, you know, that's how, that's what I think is going on here. And then the command and control is, looks like it's in China.

Dave Bittner: Yeah.

Joe Carrigan: They're attributing to China.

Dave Bittner: There's, I remember a few years back that there were lots of organizations, it was trending that there were lots of organizations that wouldn't even allow you to plug a USB device into your computer at all.

Joe Carrigan: Yeah, there's a number of organizations that still have that requirement.

Dave Bittner: Yeah.

Joe Carrigan: I know that the United States Department of Defense, there are some organizations that say yeah, you can't put a USB device into this computer at all and what they do with the external facing ones is just fill them with epoxy.

Dave Bittner: Right. Wow.

Joe Carrigan: So you can't physically put one in.

Dave Bittner: Yeah. Yeah, I remember one time, this was years ago in a previous career, I was at an event and I was back in the, you know, the AV table where all the-- it was just a, like an executive's meeting, you know, annual meeting for executives at a big, multinational corporation.

Joe Carrigan: Right.

Dave Bittner: So they're in a big hotel and they've got, you know, presenters and screens and projectors and sound, and all that kind of stuff, and I was one of the folks back in the back, you know, at the table that runs all that equipment. And I was sitting there by the computer that was running all the slides and one of the participants just, you know, one of the executives who was there, just casually walks up with his phone and just plugs it into my computer that was running the presentation. Doesn't ask, just plugs it in. And I gave him a look like, what are you doing?

Joe Carrigan: Yes.

Dave Bittner: He's like, my phone needs to be charged. No, no, no, no, no, I don't care. Like, at this moment, this is the most important computer in the building, right? Like yeah, it just, people.

Joe Carrigan: Do not let the guy on stage or the girl on stage, I mean?

Dave Bittner: That's a good question.

Joe Carrigan: Yeah. I mean maybe he was trying to hose that presentation up.

Dave Bittner: I don't know. I don't know. The other funny thing I remember from that presentation, it was like, evidently company wide, this organization had some sort of system in place where all their computers would be updated at a certain time of day, like let's just say like 3 o'clock in the afternoon.

Joe Carrigan: Right.

Dave Bittner: Right?

Joe Carrigan: Great time to update.

Dave Bittner: Yeah. So, we're in this big meeting, this big offsite meeting and I'm using one of their computers to run the presentation, and sure enough, at 3 o'clock up pops the window to update, and everybody in the audience just laughs their butts off. Because they have all experienced the pain of being interrupted by a mandatory update at 3:00 pm. Like all business screeched to a halt at 3 o'clock every day. So anyway, I digress.

Joe Carrigan: I think we do a lot of digression on this show lately, Dave.

Dave Bittner: It's part of our charm. Alright, well we will have a link to that story in the show notes. My story this week comes from the folks over at Yahoo! Finance. This is an article written by Jeannine Mancini, and it's titled, "Tech Executive Falls Victim to $450 Thousand Scam on Dating Site: The Cruel 'Pig-Butchering' Scheme Going Around." Now, you and I have talked about pig-butchering before.

Joe Carrigan: Yes, we have.

Dave Bittner: Which you want to give us a quick explanation of that, Joe?

Joe Carrigan: So pig-butchering is kind of like a combination of a romance scam and a crypto scam. So, you start with a romance scam, and then after you've got the person hooked, the target hooked, you then start saying hey, by the way, I'm making tons of money in crypto.

Dave Bittner: Right.

Joe Carrigan: And then you have an entirely fake setup for dealing with crypto and you can even show the people when they deposit crypto in their account.

Dave Bittner: Right.

Joe Carrigan: Account in air quotes, right? It's not really their account. You're just giving them a wallet that you control, but you can then make it look like they're earning money and some of these guys even send back the profits, like the victim may first say okay, well I'm going to send you 50 bucks--

Dave Bittner: Yeah.

Joe Carrigan: --and see how this goes. And they'll send them back $100-$200 dollars.

Dave Bittner: Right.

Joe Carrigan: And then the person will say cool man, now I trust you. I'm going to send you $10 thousand. And that's when they exit.

Dave Bittner: Well, this is one of those stories, this is about a woman named Shreya Datta, who was a successful executive at a tech company here in the U.S. Now I'm going to read the first two paragraphs of this story and I just want to be clear here, that I'm not trying to, you know, victim shame Miss Datta, but I just want to kind of play red flag bingo with you, Joe.

Joe Carrigan: Okay.

Dave Bittner: Alright?

Joe Carrigan: Okay.

Dave Bittner: So it's, the article starts and it says, "Shreya Datta spent months swiping through dating apps searching for a connection when she encountered "Ancel Mali," a self-proclaimed wine trader from France, on Hinge."

Joe Carrigan: Okay.

Dave Bittner: "Mali claimed he had recently relocated to West Philadelphia. Once they transitioned their conversation to WhatsApp--"

Joe Carrigan: Uh huh, there's one.

Dave Bittner: Ding, ding, ding, ding, ding.

Joe Carrigan: Right.

Dave Bittner: "--Mali swiftly deleted his Hinge profile--"

Joe Carrigan: There's another one.

Dave Bittner: "--expressing a desire to prioritize their connection and focus solely on Datta."

Joe Carrigan: Interesting.

Dave Bittner: Yeah.

Joe Carrigan: Okay, recently relocated to West Philadelphia from France.

Dave Bittner: Right. We are from France.

Joe Carrigan: Right. You go with that one. I'm going, "in West Philadelphia born and--." And that's kind of a red flag, but that's plausible.

Dave Bittner: Sure.

Joe Carrigan: But then there's the platform change.

Dave Bittner: Yep.

Joe Carrigan: Which is a big red flag, it should be a big red flag.

Dave Bittner: Right.

Joe Carrigan: And then the deleting of the Hinge profile. Now Hinge, if I believe their marketing, which I don't know if this is true or not, but I've seen ads for them and they say they're the dating app that's meant to be deleted.

Dave Bittner: Oh.

Joe Carrigan: Right? So, when your data is gone from Hinge, it's gone.

Dave Bittner: Oh, I see.

Joe Carrigan: And then if you want to go back, you have to create a new profile.

Dave Bittner: Oh. So they're claiming an enhanced level of privacy.

Joe Carrigan: Correct.

Dave Bittner: Okay.

Joe Carrigan: So while this is great for people who are dating, right, you don't want whoever it is, the dating app to have your data while you're not there.

Dave Bittner: Right.

Joe Carrigan: You know, why would you even have a dating app if you're in a monogamous relationship?

Dave Bittner: Yeah, sure.

Joe Carrigan: Right? So it seems like it's a good idea, but it's also a, and it is a good idea, I'm not disputing that it is, but it's also an area that's ripe for scammers. Because their data, first off, Hinge doesn't want these people on their platform. And I'll bet that Hinge does a lot to keep them off. And maybe the reason this guy's profile got deleted is because Hinge said, okay, this guy's a scammer.

Dave Bittner: Yeah.

Joe Carrigan: And they deleted it. It could be the case.

Dave Bittner: Could be. Could be that this person is just cycling through profiles--

Joe Carrigan: That could also be the case.

Dave Bittner: That's what I would suspect.

Joe Carrigan: He said, I'm guessing it's a he because these guys usually are hes. Interesting that his last name is Mali, the name of a country.

Dave Bittner: Mm hmm.

Joe Carrigan: I guess that's believable.

Dave Bittner: It's a common name. Yeah.

Joe Carrigan: Yeah. So, those are my red flags, Dave. Switching the profile, profile gone, and saying that I'm a wine trader from France.

Dave Bittner: Yeah. Yeah, so they had online conversations back and forth for a couple of months. Said there were lots of flirtatious emojis, and Miss Datta said she felt like she had found her soul mate.

Joe Carrigan: Right.

Dave Bittner: And as you alluded to, the bad guy convinced her to venture into crypto trading.

Joe Carrigan: Right.

Dave Bittner: And provided her with a download link to what seemed to be a legit version of SoFi, which is a, that's a legit crypto app.

Joe Carrigan: I thought SoFi was a lending platform.

Dave Bittner: Is it?

Joe Carrigan: Yeah.

Dave Bittner: Okay. Well, anyway, it says there's two-factor authentication and customer service. So the point is that this was a copy of that app but it wasn't the real app.

Joe Carrigan: Right. It's designed to look like it. SoFi's a personal finance company.

Dave Bittner: Yes. Yes. You are correct, you are correct, in fact, this article points out that it is a reputable provider of loans and select banking services in the U.S. and Hong Kong.

Joe Carrigan: Okay.

Dave Bittner: And also that it's often a target for impersonation by scammers because that's where the money is.

Joe Carrigan: Right. And people have heard of it.

Dave Bittner: Right. Right, so again, you, I mean you called this one, Joe, because when this woman attempted to withdraw her funds from the app, she received a message requiring her to pay a 10 percent personal tax first. Right?

Joe Carrigan: Yep.

Dave Bittner: So she reached out to her brother, who's a lawyer, who reached out to a private investigator, and between the two of them, they determined that she had indeed fallen victim to a crypto investment scam; the pig-butchering.

Joe Carrigan: Right.

Dave Bittner: Yeah. So, to the tune of over $450 thousand.

Joe Carrigan: Which is a lot of money.

Dave Bittner: It is a lot of money.

Joe Carrigan: Especially for a 37 year old.

Dave Bittner: Yes, this article points out that she had a high paying job, or has a high paying job. She has a supportive family, so she's going to be okay, but she did have to sell her car and she had to move to a more affordable apartment.

Joe Carrigan: Right.

Dave Bittner: To recover from this financially, but then of course there's all the emotional wreckage that comes from something like this.

Joe Carrigan: Oh yeah, it's going to be devastating for this lady.

Dave Bittner: Just being taken advantage.

Joe Carrigan: Yeah.

Dave Bittner: So, there's a few precautions here that they listed in this article. They say conduct thorough research, verify the other person's identity by searching for them online, checking social media profiles, or finding them on LinkedIn. Yes, that'll only get you so far, because quite often these folks will spin up those--

Joe Carrigan: They'll be there, yeah.

Dave Bittner: --profiles, yep. It says be cautious of love bombing and this is people just being really manipulative, this is something that also you hear about happening when people fall into cults, love bombed. This is an interesting one, insist on video communication. One of the things they point out in this article is that they had video chatted a couple of times but both times the bad guy hid his face, like had excuses for why he wasn't showing his face. So--

Joe Carrigan: Interesting.

Dave Bittner: Yeah. And again, now you know, I don't know if this is the solution but I guess it's a step along the way to try to make it a little safer, safeguard your personal information and stay vigilant against get rich quick schemes.

Joe Carrigan: Right.

Dave Bittner: I would say if anybody asks you for money, if anybody asks for any participation in anything financial--

Joe Carrigan: Right.

Dave Bittner: --that is such a gigantic big blinking red light.

Joe Carrigan: Yeah, yes. I feel the same way about that.

Dave Bittner: Yeah.

Joe Carrigan: You know, I think that there's, and maybe it's just because I'm jaded and have been cynical all my life, but you know, these people start a conversation with you and they say things, and I'm usually very skeptical of people who like me right out of the gate. Because--

Dave Bittner: I don't know, Joe, a handsome man like you, I think people would, lots of people would like you out of the gate.

Joe Carrigan: Well, I can be difficult.

Dave Bittner: As smart as you are--

Joe Carrigan: As smart as I think I am, that's why most people find me off-putting, I think. Anyway, when these people start doing that, when they start-- yeah, another thing that will just set the hair on the back of my neck standing up is when they say my name over and over again. Hey Joe, how are you, Joe?

Dave Bittner: Right. Right, yeah.

Joe Carrigan: I'm like, does that work on anybody? Does that not just irritate people?

Dave Bittner: I think it, well, I think there's evidence that it does. But I think there's a wide spectrum of people's skill level when it comes to those sorts of methods to establish rapport.

Joe Carrigan: Yeah. Yeah, I used to work with a guy selling computer networks and all kinds of stuff who used that trick, and now he sells used cars.

Dave Bittner: Okay.

Joe Carrigan: Probably a better place.

Dave Bittner: Worked his way down the food chain.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, yeah. It's interesting. You know, along with the money thing, I think if anybody asks you for money--

Joe Carrigan: Right.

Dave Bittner: --that is the point to engage with a trusted friend.

Joe Carrigan: Yes.

Dave Bittner: Friend, family member, someone who's not you, who is not in love, who does not feel like they've found the person of their dreams,--

Joe Carrigan: Correct.

Dave Bittner: --and just, just you know, humor us, right? Humor your old pals, Dave and Joe.

Joe Carrigan: Yeah.

Dave Bittner: Right?

Joe Carrigan: Right.

Dave Bittner: If someone asks you for anything financial on one of these, it doesn't matter how much you trust them or how much you think you love them--

Joe Carrigan: Talk to a friend.

Dave Bittner: --just reach out to a friend or a family member and just tell them the story. Say there's probably nothing going on here, but I just want to run this by someone because chances are that person is going to have a different perspective than you and will-- and who, you know, look maybe you're lucky and it is the person of your dreams. But the odds are, overwhelming odds are--

Joe Carrigan: Right.

Dave Bittner: --it is not.

Joe Carrigan: Yeah. And even if it is a real person who just needs money, do you really want to date that?

Dave Bittner: Yeah. Right. Right.

Joe Carrigan: I mean, it's-- that would still be-- even if I had a-- even if I was single, which I'm not, but I was dating and I was dating somebody who said, yeah, I'm a little light this week, you got a hundred bucks I can borrow?

Dave Bittner: Right.

Joe Carrigan: If they said that at dinner, I'd be like, check please.

Dave Bittner: What if the opposite happened, and someone came to you and said, hey Joe, I'm Miss Moneybags, you know, let me pay for everything. Would that also raise your suspicions?

Joe Carrigan: Yeah, that would raise my suspicions as well.

Dave Bittner: Yeah?

Joe Carrigan: Yeah.

Dave Bittner: Okay.

Joe Carrigan: There's a story behind that, but we won't go into that.

Dave Bittner: Okay. That's a story for another day.

Joe Carrigan: Yes.

Dave Bittner: Right, fair enough. Alright, well we will have links to all of our stories in the show notes, and of course we would love to hear from you. You can email us, it's hackinghumans@n2k.com. Joe, it's time to move on to our "Catch of the Day."

[ Soundbite of Reeling in Fishing Line, Music ]

Joe Carrigan: Dave, way back in Episode 82--

Dave Bittner: Wow.

Joe Carrigan: --all the way back right before the pandemic in January of 2022, my story was about a scam involving fake license renewals from the New Zealand Transportation Agency.

Dave Bittner: Okay.

Joe Carrigan: And I remember this being much more recent. Like I thought it was like within this year.

Dave Bittner: Yes, well, there's the pandemic for you.

Joe Carrigan: Right.

Dave Bittner: The lost time. Yeah.

Joe Carrigan: Well, our "Catch of the Day" comes from Ryan, who has done a great job sending it to us. It is one of those emails from a, pretending to be from the New Zealand Transportation Agency, and Ryan writes, "Hi Dave and Joe, I'm a long-time listener from New Zealand--"

Dave Bittner: A kiwi.

Joe Carrigan: Right. A kiwi.

Dave Bittner: A kiwi. Right, or as they say, a "kayway."

Joe Carrigan: Right. Who's your favorite New Zealander, Dave?

Dave Bittner: Who's my favorite New Zealander?

Joe Carrigan: Yes.

Dave Bittner: The folks who, fine folks who made The Lord of the Rings. How about that?

Joe Carrigan: Okay.

Dave Bittner: I don't, I can't name a specific New Zealander, I'm embarrassed to say. I bet I know some, but--

Joe Carrigan: Lucy Lawless?

Dave Bittner: Yeah, fine, fine, fine woman, sure.

Joe Carrigan: But what about Bundee Aki?

Dave Bittner: No idea who that is.

Joe Carrigan: He's a rugby player.

Dave Bittner: Okay.

Joe Carrigan: And--

Dave Bittner: I'll take your word for that.

Joe Carrigan: --and probably my favorite New Zealander because I love watching Bundee play rugby.

Dave Bittner: Fair enough.

Joe Carrigan: And the Rugby World Cup's coming up. Bundee plays for Ireland though, which is why--

Dave Bittner: New Zealand is on my list of places that I would love to see, it's just really far away from here.

Joe Carrigan: It is. It is.

Dave Bittner: It's about as far as you can go that's not the Moon.

Joe Carrigan: Yes. I would like to see an All Blacks game in New Zealand, that would be, that's a bucket list item for me.

Dave Bittner: Sure. That'd be great.

Joe Carrigan: Anyway, again we digress. Dave, I love your reenactment of the "Catch of the Day," pure gold, I'll be nominating you for an Emmy.

Dave Bittner: That's very kind.

Joe Carrigan: Well, there you go Dave. Finally an Emmy for you. Anyway, an email arrived in my colleague's personal, not work related, inbox and she sought my advice, knowing that things didn't stack up. Side note, there are two phishing scams that are endlessly cycling around New Zealand; the NZ Post scam and the NZTA, which is the Transit Authority. Or Transit Agency. The attached is an example of the NZTA scam and it is really well done. The email itself looks fairly polished, the scammer even used a marketing system, knowing that it would give the email a higher probability of passing through any spam filters that may be present. However, the scammer forgot that the marketing system would also add a Portuguese unsubscribe message in the footer. So, that's present there. So, Dave, the email is a picture that Ryan has sent and it says at the top of it; Waka Kot-- I don't even know how to say that.

Dave Bittner: Waka Kotahi? Waka Kotahi, I guess.

Joe Carrigan: Waka Kotahi?

Dave Bittner: Waka Kotahi.

Joe Carrigan: Right.

Dave Bittner: See, you know, this is dangerous ground here for me, Joe, because-- well, not that you know, my accents are at all precise, but the difference between an Australian accent and a New Zealand accent is to the people who live there, is as clear as night and day.

Joe Carrigan: Yes.

Dave Bittner: It's like you and me knowing the difference between a Boston accent and a Southern accent.

Joe Carrigan: Yes.

Dave Bittner: But to us, it ain't so clear.

Joe Carrigan: They sound very similar.

Dave Bittner: That's right, that's right. So I am sure that I am going to, rather than merely doing bad New Zealander, I'm going to do bad Australian-New Zealand mishmash and for that I apologize in advance. I mean no offense to the great people of the southern hemisphere. Alright, it says, "Don't forget to renew your license or exemption. If you've already renewed within the last 24 hours, please ignore this reminder. It costs $109.08 for 12 months if you renew online. Here's your reminder number, renew now. Thank you." That wasn't too bad.

Joe Carrigan: No, it's not. But Ryan sent along a couple of screenshots and even a video of him interacting with the website.

Dave Bittner: Oh yeah.

Joe Carrigan: And it's a pretty sophisticated campaign. The URL is all wrong, and that's a red flag. So if you look at the click, you know, the click here button, it won't direct you to the right website.

Dave Bittner: Okay.

Joe Carrigan: Also, it does contain an unsubscribe message in Portuguese and I can't read Portuguese so I'm not going to pretend I can do it. I'm struggling learning Spanish.

Dave Bittner: Right.

Joe Carrigan: So, this is in the video that Ryan sent, he goes to the site, of course the URL's wrong, and he starts entering garbage data in and the site comes back and goes, oh no, that's not the right data.

Dave Bittner: Oh, okay.

Joe Carrigan: So he enters some data that is correct and it comes back with all the correct information. It's legitimate information, so either there's some data breach that these guys have gotten ahold of, from the NZTA, or, they're scraping data that's publicly available from a webpage or some web service.

Dave Bittner: Right.

Joe Carrigan: But they're getting the information somehow.

Dave Bittner: Okay.

Joe Carrigan: And then it goes to a payment page and by the way, they don't accept Discover, Ryan discovered that.

Dave Bittner: Alright.

Joe Carrigan: Because he entered that in. You can go out and look up test credit card numbers; every credit card provider has a series of test numbers that will never get approved but are bona fide numbers in the right sequence, so you can test your regular expression against them.

Dave Bittner: Right.

Joe Carrigan: Which makes sure that the number's in the right format, is what I should say.

Dave Bittner: Okay.

Joe Carrigan: Right?

Dave Bittner: Yeah.

Joe Carrigan: So when you're writing the code, you know your code will validate it before you even bother submitting it.

Dave Bittner: Right.

Joe Carrigan: Because that costs money.

Dave Bittner: Okay.

Joe Carrigan: So validate it for free before you send it. So he uses a Mastercard and that works on the local validation and then he clicks submit and it fails.

Dave Bittner: Yeah.

Joe Carrigan: Interesting, I'm wondering if there's a way that you can DDoS this service by submitting a bunch of fake no good credit card numbers. If you have a list of known bad credit card numbers, just keep submitting them and see if that gets them shut off or maybe cost them money or shuts them down. I don't know. Somebody who is familiar with the payment card history would have to tell me that.

Dave Bittner: Right. Right.

Joe Carrigan: But it's, it would work and it would charge you $109 for 12 months and you would not get that money, that would be a fraudulent transaction.

Dave Bittner: Right. And so you're expecting to get your renewal for your vehicle--

Joe Carrigan: Right, and there's probably some couple-of-month time delay that lets these guys get away with things.

Dave Bittner: Right, right. Yes, yes, Departments of Motor Vehicles are not known for their promptness.

Joe Carrigan: Yes.

Dave Bittner: Although I have to say, they have gotten a lot better. It's almost a cliché but in my experience, it's a lot better than it used to be, for sure, for sure.

Joe Carrigan: Yeah.

Dave Bittner: Alright, well again, our thanks to Ryan for sending this over to us, it is very interesting and of course we would love to hear from you. You can email us, it's hackinghumans@n2k.com.

Joe and I recently had the pleasure of speaking with Perry Carpenter. Great to have Perry back on the show.

Joe Carrigan: It is indeed.

Dave Bittner: He is discussing his book, "The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer." Here's my conversation with Perry Carpenter.

Perry Carpenter: So first, my co-author, Kai Roer, is an internationally well-known guy that has been studying security culture for most of his career. And so, one of the things that we wanted to do with that is kind of merge our voices, because Kai is well-known for his research in the security culture, I'm pretty well-known in my research for awareness in behavior and as we come together we can start to paint a lot more complete picture. But the other thing that really prompted this is nuance that's in the subtitle of the book. And I know it's a really, really long subtitle but there are three critical things in it that we tried to pack in. Number one is an executive guide. And so this is meant not necessarily for the practitioner but for the audience of a board of directors or a CIO or a CEO that really needs to understand that security culture's important. It's something that lives and breathes in every organization, whether you know it or not and so the question becomes how intentional are you about the security culture that you have. How sustainable is that, and what do you need to do about it. And so that executive piece is really critical. And our hope is that an executive picks that up, reads the first few chapters and then says, oh yeah, we need to do something intentional with this, and then they hand it down to the person who can implement the vision that's explained there. The second piece that's in the title is reducing risk, and that really comes down to the fact that the entire reason that security exists isn't for the sake of security. And the entire reason that security awareness exists isn't for the sake of security. It's actually to reduce risk in an organization and make the risk tolerable so that the organization can go forward and do the business that they've been formed to do. And so this is all about risk reduction and up-leveling the conversation to that executive level or board of directors level.
And then that last piece is developing your human defense layer and so this is about the human side of things because one of the charts that we show early on is that there's a lot of spending that happens on the technology side of security. Every year we spend more and more on that but data breaches are still going up and when you look at the Verizon DBIR and other reports, the reason that we see the data breaches continue to go up has to do with the human side of things. And so our argument is that we need to put more intention on this so that we can then reduce risk.

Dave Bittner: Can we take a quick step back and talk about the notion of security culture itself. I mean one of the things you explore in the book is this idea that security culture has a specific set of dimensions.

Perry Carpenter: Yeah, you mentioned that we have different dimensions that we break security culture up into. And this is drawn from the social sciences. So we believe that you can measure any type of culture with this but specifically we're looking at the security related nuance. And so we break security culture into seven different dimensions; attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities. And one of the interesting things that we say in that is yeah, as we measure that, we can see whether you're strong or you're weak in different areas, but that doesn't mean that all is lost or all is gained if you see one of those data points. So, if you look at your aggregated security culture score, and you're concerned about that. You don't have to tackle all seven of those because each of these has a gravitational effect on the other. If you're influencing cognition and giving people the right information to make the right decisions at the right time, you're probably also influencing their attitudes and you're definitely influencing their behaviors if you see that come to pass. So, you can strategically focus on one, two, or three of these and you're going to be pulling the others along the way. There's another key thing that comes out in this book and that is, and this is another reason behind why we created it in the first place, is there's a lot of, and has been a lot of talk about quote unquote, "security culture" for years. And people are using that phrase in articles and journals and conference presentations and everything else. The thing that was missing though is an actual definition of it. And what we found, we actually, we at KnowBe4, so this is separate from Kai and I, our employer, KnowBe4, commissioned the study with Forrester a couple years ago and what we wanted to understand was, do people really know what security culture is and do they value it? And we've found that 94 percent of people value security culture. 
They believe that it's an important thing to reduce risk in their organization, but then we started to ask the more nuanced question of; what do you believe security culture is? And what we found was a shocking fragmentation of what people believe it actually is. Some people believe security culture is following policies. Other people believe that it's the establishment of a security awareness program. Other people believe that it's shared responsibility across an organization. So the funny thing is that somebody like me could stand on a stage and say security culture's important, and everybody in the room can be nodding their heads, everybody believes that they're agreeing to the same thing, but everybody actually has a different conclusion of what that means.

Dave Bittner: Are those things mutually exclusive? I mean can they, is there anything that keeps them from co-existing?

Perry Carpenter: No, there's not anything that keeps it from co-existing, but the thing that was shocking in that is the segmentation that we saw in that somebody would believe that it's wholeheartedly one thing, that it's let's say following policies and so if I believe a good security culture is following and mandating policies, I might go in pursuit of that in a way that is absent of empathy, and maybe actually alienate my people in some way because I have this more authoritarian way of approaching it. If I see it only as disseminating awareness related information, I can do that in a way that potentially again, gives me a false sense of security because I'm getting the right information in front of people but I might not be seeing the behavior follow-up with that. So again, there was this kind of shocking thing that we noticed, which was people are using this phrase over and over and over again, but without any definition behind that. And so that was leading to, I think a lot of false assumptions with people in good faith believing that they're pursuing, quote unquote, "security culture," but they were doing it in a more narrow focus than really they needed to. And so they're putting all their faith in this one thing that they believe it to be but kind of potentially ignoring a number of other things that it should be and that would have that gravitational effect to kind of move the culture where it needs to be. And so, when we define security culture, we pull it from social science, very similar to the way that we pulled those seven different dimensions of culture. And so we say security culture is the ideas, the customs, and the social behaviors of an organization that influence its security. And that's deceptively simple but within that you do hear a few key terms; ideas, so these are not just information, but things that permeate the people in the organization itself related to that security aspect of things.
The customs, so that's the lived out behaviors, and the ritualized behaviors, the things that are caught rather than taught by people, so the things that you'll see and bring on through peer pressure or through on the job training that may not even be codified in a policy and the social behaviors. And very, very similar in that. Again, the things that kind of the unwritten rules of the organization, that are just dictating the way that people live their security in that organization. That can be positive or negative, so we're not being prescriptive in that, but your security culture is in each of those things and in each of those seven dimensions, positive or negative, across that. Again, the idea there is you have the security culture, whether you want it or not. It's, do you have the one that you want or not?

Dave Bittner: You know, you pointed out that in the subtitle of the book you say this is an executive guide. How important is it that this comes from the top in an organization?

Perry Carpenter: I think it's vitally important because if people don't feel like they are being consistent with the leadership of an organization in their values and beliefs and their-- the lived out behaviors, then there's a cognitive dissonance that comes in. Number one, they always want to know that they're going to be supported in the decisions that they make and the actions that they take. So, that being valued from the top naturally starts to resonate down. The other thing is people don't like class systems, especially in the age that we're growing into right now and post-COVID, people do not like to see class systems in their organizations. So if there's one standard of behavior related to security that is pushed down to everybody else but not lived out within the executive ranks, people are going to rebel in different ways against that. So I think setting tone at the top is for sure really important. But there's also some nuance that you can add by finding people in the middle of the organization, even at the very bottom of the organization, that have loud and clear voices within their social group and you want to tap into them as well.

Dave Bittner: You know, I often, I like to think in analogies, it helps me to, you know, figure things out in my own mind sometimes. And sometimes when I'm thinking about security, I think about you know, the people who have a retail shop or something like that and you'll sometimes see, you know, the person behind the cash register will say well, it's not my job to stop people from stealing things off the shelf. That's the security guard's job. You know, and I'm not going to, I have enough to do, I'm busy, my job is hard enough without having to deal with those things, and we've got people who we've hired just to do that. So why should I take my time to do that? How do we fight that mindset within you know, other organizations?

Perry Carpenter: That's a good question, so if you go into those seven dimensions that we mentioned, there's two that come to mind there. One is attitudes and then another one is cognition. And then of course norms is there too. So you can build that in as a norm. And that goes into one of the definitions that people were giving security culture before, which is when I talked about that fragmentation and the way that people understood it, one of those was security is a shared responsibility. Yeah, it is that, but it's not only that. But when you talk about the things that you were wanting to get to, that shared responsibility piece of that as expressed in norms and as understood in cognition, and as rightly taken on in the attitude dimension, becomes really, really important because yeah, I don't want the cashier to just wash their hands of something that's dangerous, or I don't want in my, let's say we're physically in an office and somebody comes in without a badge, or somebody tries to tailgate behind me through the door. We don't want employees to wash their hands of that. So one of the things that you have to do is find ways to instill that social norm of the way that we do things here is we all take responsibility and you have to model that out from the top, also in the middle and in the bottom of the organization through people that have social standing. And so you model that, you build that into your norms, at a cognitive level you teach people why it's really important that they step up and take that. You also have to make them feel really, really safe in doing that. Let's say everybody's on board and they believe that security is the right thing for the organization, they want to help manage risk. At that point you have to empower them and you have to reduce fear.
And empowering is saying, if you get this wrong, and you challenge somebody that's maybe important, maybe it's a regional vice president that comes in, they just don't have their badge that day, and you challenge them and say, I'm sorry, you don't have your badge, we're going to have to take you down to security and make sure that you have clearance, that you're not going to get punished for doing that step. So you have to empower them, you have to reduce fear of punishment, and then you also, let's say there's fear of that person's own physical safety in that. I've seen somebody that's suspicious, I want to tell somebody but I'm also afraid to do something about it because I'm afraid that that person is going to come after me. So I'm not going to physically go stop them, how do I do it? So, at that point, you kind of go back to the see something say something mentality. But the one thing that's always missing in see something say something is here's the way to do that. So you have to follow up with here's the phone number to call, here's the person to contact, at that moment, maybe it is somebody else's job to put themselves physically in the way of that other threat that they see. And so it's not your job to take on the potential for physical harm, it is your job to say, oh, there is a potential for harm there, let me contact the right person and do my part that way.

Dave Bittner: Joe, what do you think?

Joe Carrigan: I'm a big fan of Perry, yeah, I've talked to him a couple times.

Dave Bittner: Yeah.

Joe Carrigan: And actually, I think I talked to him while he was writing this book.

Dave Bittner: Okay.

Joe Carrigan: To get an idea of what it was he was doing.

Dave Bittner: He said, Joe, I need an idea for a book. And you said, Perry--

Joe Carrigan: No, he didn't need that from me. In fact, I was talking to him about an idea I have for a book.

Dave Bittner: Okay. He said, go away Joe, I'm writing a book.

Joe Carrigan: But I think it's a good idea for him to get Kai involved in this, because security awareness, which is Perry's area, is not going to do you any good in an organization if you don't have a good, positive, healthy security culture.

Dave Bittner: Right.

Joe Carrigan: You can have all the security awareness in the world, if someone is afraid to report something to you, they're going to try to hide it.

Dave Bittner: Yeah.

Joe Carrigan: So make sure you have a good healthy security culture, and I like how Perry defines that, which I'm going to get to in a minute, but Perry makes a point that should be obvious to everyone, but may not be and that's all the security business is just about risk management.

Dave Bittner: Yeah.

Joe Carrigan: Right? It's about reducing the risk or transferring the risk, or accepting the risk.

Dave Bittner: Yeah.

Joe Carrigan: Right? You have, those are the three things you can do with risk. So, it's-- that's what this is about; you're just trying to make it less risky to operate your business. Interesting that spending on tech is going up and up and up but breaches are still not stopping. And Perry cites the DBIR from Verizon.

Dave Bittner: Yeah.

Joe Carrigan: I covered that a couple weeks ago, or at least the social engineering portion of it a couple weeks ago.

Dave Bittner: Right.

Joe Carrigan: And it reminds me this whole discussion reminds me of Bruce Schneier's statement that if you think technology is the solution to your problem, you don't understand the technology and you don't understand the problem.

Dave Bittner: Okay.

Joe Carrigan: Right? Because he's right, that this is, this is a human, there's a huge part of this problem that is a human problem. And I like what they've done here, I like how Perry and Kai have broken down the security culture into these dimensions, these seven dimensions he talks about, that you can measure, this is imperative and we all know that security culture, or the culture of your security culture is important, but the discussion that Perry has here is really, really enlightening. What does that mean? The image you have in your head is going to be different from the image everybody else has in their head. Right? You can say security culture is important, and I think it's important to quantify it or define it at least, and I like his definition. The ideas, the customs and social behaviors of an organization that influence its security. That's a great concise, but rich, very dense, definition of security culture.

Dave Bittner: Yeah.

Joe Carrigan: And another key point that Perry makes is you have a security culture at your company right now. Right?

Dave Bittner: Right.

Joe Carrigan: That's very important to realize. You need to know what it is and then you need to, before you can even start changing it. And I like how Perry describes these things in terms of social sciences and how you go about building a good healthy security culture is just as important as doing it. And I really like what he says about the gravitational effect that these things have on each other, right? Like behavior is going to have a thought on the cognitive process, or an effect on the cognitive processes. So if you just try to start influencing behavior, you're going to start influencing the thinking around it. There's the old saying, you can't think your way into right living, you have to live your way into right thinking. Right?

Dave Bittner: Interesting.

Joe Carrigan: So, you can move more than one needle on this seven, I don't know, seven panel, seven [inaudible], but you move one of those, more than one of those dimensions by just going after one of them. And I think that's a really important point.

Dave Bittner: Yeah.

Joe Carrigan: I have not read this book yet. It's been on my list. I think I'm going to pick it up.

Dave Bittner: Yeah. Alright, well, our thanks to Perry Carpenter for spending the time with us. Again, the book is titled, "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer." We appreciate Perry taking the time for us.

That is our show, we want to thank you all for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben, this show is edited by Elliot Peltzman, our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.