Hackers play the evasion game.
John Hammond: Oftentimes, the implementation or those other options and functionality of the security mechanisms offered to you, which of those could be abused and in what way and how?
Dave Bittner: Hello everyone and welcome to the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We got some good stories to share this week and later in the show, my conversation with John Hammond. He's a principal security researcher at Huntress. He's taking us through the various levels of multi-factor authentication. All right, Joe, before we jump in with our stories here, we got a little bit of follow-up.
Joe Carrigan: Yes. Last week, I had a story about Doug's website.
Dave Bittner: Yeah.
Joe Carrigan: And I didn't plug it because I wasn't sure if Doug would be okay with it, but I did hear back from Doug and he said he'd be fine with me sharing the website, but he has deleted his buy me a coffee account.
Dave Bittner: Okay.
Joe Carrigan: So I don't know if that has anything to do with all the fraudulent transactions, but anyway, the website is machinerysafety101.com.
Dave Bittner: Oh.
Joe Carrigan: Check it out if you have any interest in machining. I was a machinist assistant when I was in high school. Really?
Dave Bittner: Yeah. Really cool field. They do a lot of interesting stuff. My father was a machinist for a little bit of time.
Joe Carrigan: Really?
Dave Bittner: Yeah. When he first got out of the Navy, he was a machinist for the Continental Can Company in Baltimore, Maryland. Yeah. Yeah. Didn't last long, but he did it.
Joe Carrigan: Right. Yeah.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: It depends on the work. If you're writing the program for the machines and testing those and doing things, that's kind of interesting, but if you're just sitting there in front of a lathe while it cuts off one part after another, that gets kind of mind-numbing.
Dave Bittner: I think in my dad's day, there was no program.
Joe Carrigan: Right.
Dave Bittner: It was just standing in front of the lathe, so.
Joe Carrigan: If you're working with your hands, that's one thing.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: But these were machine parts. Humans can't be trusted with these movements.
Dave Bittner: I see. Right. Right. Right.
Joe Carrigan: At least not quickly.
Dave Bittner: Yeah.
Joe Carrigan: And it was really, really interesting stuff.
Dave Bittner: Yeah. What else we got?
Joe Carrigan: We got John who wrote in with a question. He says, hello, Dave and Joe. I'm a big fan of the show and have been listening every week for two years now. I have one question about the passkey discussion you had in the last episode. Was this last episode or two episodes ago now?
Dave Bittner: Yes.
Joe Carrigan: Okay. Who enforces the passkey standard and verifies the source code on both ends of all transactions is properly implemented? This seems like a label that could be too easily applied to a product and might be subject to failures similar to storing passwords in plain text. As a coder myself, I can certainly imagine myself accidentally sending the private key over the wire instead of the public key. And if nobody audited my code closely or inspected the network traffic, that security hole might be accidentally released to customers. Thanks for the great social engineering stories. To answer your first question, it's a standard that's maintained by the FIDO Alliance as part of what they do.
Dave Bittner: Right.
Joe Carrigan: And you can go to fidoalliance.org to see what they do. With the devices, with the hardware devices, you never actually have access as a developer to those keys.
Dave Bittner: Yeah.
Joe Carrigan: The devices handle the key management part of the protocol.
Dave Bittner: Right.
Joe Carrigan: So you don't have to worry about that. So there's no risk of you sending the private key across the wire. If you were developing another product that was compliant, like some kind of key management software, yeah, you'd be running that risk. I would say don't do that, especially if you're not a cryptographer.
Dave Bittner: Right, right.
Joe Carrigan: There's all kinds of horror stories about rolling your own cryptography. Never do that.
Dave Bittner: Yeah.
Joe Carrigan: But use the standard. You can check out the standard at fidoalliance.org/passkeys.
Dave Bittner: Yeah. There's a lot of good information there. One of the things I like about their website is that you can dial in what you want to see based on your level of expertise. So everything from basic videos on how you'd use this as a consumer to white papers for your professionals like John.
Joe Carrigan: Right.
Dave Bittner: So I agree. I think most of this is being handled behind the scenes, and it's certainly above my pay grade to really understand how it all works. But coming from an organization like the FIDO Alliance, I'm pretty sure they've taken care of these details and possibilities, especially with big organizations like Apple and Google and Microsoft all on board.
Joe Carrigan: Yeah. They're all behind this.
Dave Bittner: There's been a lot of scrutiny.
Joe Carrigan: Right.
Dave Bittner: Yeah. Yeah. All right. Well, thank you, John, for writing in. We do appreciate it. Joe, you want to jump into our stories here?
Joe Carrigan: Yeah. My story comes to me courtesy of my boss again, Tony Dahbura, Dr. Dahbura, who sent me this thing on Reddit that he found. This post is on r/legaladvice, and the post has been locked. The moderator has locked it. You know the reputation of Reddit mods going through and locking posts, and this is disgusting because I wanted to ask a question, but I couldn't.
Dave Bittner: Okay.
Joe Carrigan: The title of the post is Wedding Caterer Is Charging Us $5,000 Post Wedding For Their Accountant's Error. And if you read the post, it's kind of -- I think somebody may have written this on a mobile device. I don't want to disparage the poster.
Dave Bittner: Okay.
Joe Carrigan: But it's not exactly the best grammar and spelling on here.
Dave Bittner: Okay.
Joe Carrigan: But they were married back in July, and they had paid their final invoice for the caterer a couple of days before the wedding. About a week after the wedding, they went on their honeymoon, and a staff member from the catering company reached out and said they owed an additional $5,209 due to an accounting error and them failing to charge the wedding couple for umbrellas. I don't know what that means. Maybe little cocktail umbrellas?
Dave Bittner: Those better be some dang fancy umbrellas for $5,000.
Joe Carrigan: Right, yeah.
Dave Bittner: I don't know. Was it raining on the day of their wedding? Maybe they were real umbrellas. I don't know. At any rate.
Joe Carrigan: Maybe they are. I don't know. I don't know what he means by umbrellas.
Dave Bittner: Okay.
Joe Carrigan: Anyway, the company is not and will not show us the math, so we're not even sure how the tax numbers work out. The contract states that we have to pay an additional fee if it arises, but these aren't additional fees. These are fees that their accountant failed to charge us prior to the final notice of the wedding.
Dave Bittner: All right.
Joe Carrigan: It isn't like we spent additional money for extra meals or alcohol, which is what I can see caterers providing.
Dave Bittner: Yeah.
Joe Carrigan: I'm not really sure how to proceed. He's looking for legal advice on this. He just got another email today that says if they don't receive any money by the 15th, which is by the time this is releasing, this has already happened, they're going to get sued.
Dave Bittner: Okay.
Joe Carrigan: The catering company is threatening legal action.
Dave Bittner: Okay.
Joe Carrigan: What's interesting about this is that not one, not two, but multiple replies, more than three replies, have all said -- the first reply is, are you sure you're dealing with the original company? Someone I know almost wrote a $25,000 check to a roofer, and it was a scammer who had hacked the email on the roofing company, so $25,000 for a roof. Have you ever had a roof put on your house, Dave?
Dave Bittner: I have.
Joe Carrigan: I have a single-family house.
Dave Bittner: Yeah.
Joe Carrigan: A simple roof. It's just one roof, not gables and everything else like that.
Dave Bittner: Okay.
Joe Carrigan: My entire roof didn't cost me half of that.
Dave Bittner: Okay.
Joe Carrigan: I don't know where anybody would come up with the idea that I owe them an extra $25,000.
Dave Bittner: Yeah.
Joe Carrigan: There were additional charges I had to pay because a lot of the wood had rotted thanks to my Gutter Guards, Dave.
Dave Bittner: Okay.
Joe Carrigan: But you know how I knew it was legit? The guy from the roofing company showed up at my house and was telling me about it.
Dave Bittner: Okay.
Joe Carrigan: He said, here's the invoice, Joe.
Dave Bittner: Right.
Joe Carrigan: You knew this might be a problem. We had to replace every single piece of wood along the front of your -- I knew this guy. I knew who he was.
Dave Bittner: Yeah.
Joe Carrigan: He didn't just email me. He showed up.
Dave Bittner: Yeah.
Joe Carrigan: It turns out they're just getting emails from this company.
Dave Bittner: Right.
Joe Carrigan: They're not getting any phone calls or anything. It seems to me like the poster, the original poster, is not doing their due diligence of picking up the phone, calling the company, and going, is this you?
Dave Bittner: Right.
Joe Carrigan: Because this doesn't make any sense to me.
Dave Bittner: It also strikes me that a wedding being a very public event, most people these days you have wedding announcements. I would say not in the newspaper anymore, I guess, because there aren't really newspapers anymore.
Joe Carrigan: Right.
Dave Bittner: But it's a very public thing when two people tie the knot. And so that would be a very easy thing for people, for scammers to latch onto.
Joe Carrigan: Right, yes.
Dave Bittner: And weddings are very expensive affairs, and there's lots of different suppliers and money being thrown around for this, that, and the other thing.
Joe Carrigan: So you could attack somebody who had just gotten married without doing anything malicious just by impersonating them, and do exactly what you're saying. Read the newspapers, find out where the wedding is.
Dave Bittner: Right.
Joe Carrigan: See if there's information about who's going to be providing the catering, see if you can do the open source intelligence gathering on this.
Dave Bittner: Right.
Joe Carrigan: And then start an email campaign where you just pester somebody into giving you an extra $500 or $5,000.
Dave Bittner: Sure.
Joe Carrigan: That would work. It seems to me what's happened here, though, is that they have gotten into the catering company's email.
Dave Bittner: Oh.
Joe Carrigan: They've compromised the email, and now they're sending things out from that catering company.
Dave Bittner: Okay.
Joe Carrigan: I think this is a case of business email compromise. Because they are a smaller business who does catering, the opportunity for attack is going to be on the customers. They've looked through the contracts. They've seen the contracts that have arrived in the email. They might have access to more than that. But it seems to me like this company has been compromised. I am speculating wildly here, because I don't have any more information than what's on this Reddit post, which is scant.
Dave Bittner: Yeah.
Joe Carrigan: But what strikes me as red flags here is that this doesn't make any sense that there would be a $5,000 fee for umbrellas and taxes.
Dave Bittner: Right.
Joe Carrigan: That seems really high, unless you spent like $150,000 on catering for a wedding, which is not unreasonable.
Dave Bittner: It happens.
Joe Carrigan: That happens. That didn't happen at my wedding.
Dave Bittner: Yeah. Well, you know, there are umbrellas, and there are umbrellas.
Joe Carrigan: Right.
Dave Bittner: There are the little umbrellas you put inside of drinks, and there are the big umbrellas you put in the middle of picnic tables.
Joe Carrigan: That's a good point.
Dave Bittner: So who knows? But I agree with you that it doesn't seem like this is legit, and the people here, it sounds like they're getting good advice from some of the Redditors that they need to pick up the phone.
Joe Carrigan: Pick up the phone. Call these people.
Dave Bittner: Right.
Joe Carrigan: And you know what? It never hurts just to reach out and talk to a lawyer about this. Don't go to Reddit for your legal advice. r/legaladvice is -- I don't know. I don't know that you're going to get great legal advice there.
Dave Bittner: Well, true. I mean, I can't disagree with that, but at the same time, I will say that this person posting this on Reddit may have saved them the money, because they stopped and asked.
Joe Carrigan: Right. That's a good thing. That's true. That's a good point, Dave. I shouldn't lambaste all of Reddit just because of this, right? It's a good point because they did. They stopped and they asked somebody, and they got a community of people around them going, no, no, no, no, slow down, which is important.
Dave Bittner: Right.
Joe Carrigan: Which is what we say all the time.
Dave Bittner: Yep.
Joe Carrigan: You know what? I retract my statement.
Dave Bittner: Okay.
Joe Carrigan: You heard it here first, folks.
Dave Bittner: Right.
Joe Carrigan: This was a good thing to post here. Even though these people say they're not lawyers, they say it would never hurt to get a lawyer. And one of the things that somebody has said on here is that the issue of them not being willing to provide you a detailed analysis or a detailed statement of what these charges are, that should be a big red flag.
Dave Bittner: Yeah.
Joe Carrigan: If you can't provide me that, I'm not paying you a dime.
Dave Bittner: I will add as just a little side tip that if you're paying for big ticket items like this, and you can use one of the major credit card providers to do so, and in this case, I'm actually going to call out American Express in particular, they will have your back, right?
Joe Carrigan: Right.
Dave Bittner: I had a friend who had a disagreement with a vendor over something and getting money back and getting a refund and whatever. And they had paid for it with their Amex card and they contacted American Express and the folks at American Express said, yeah, don't think anything else of it. We're going to credit you back. We will handle this. And so that's the premium you pay, right?
Joe Carrigan: Right.
Dave Bittner: American Express is the expensive premium credit card. But for something like a wedding where you are going to be exchanging thousands of dollars, that may be a worthwhile investment just to have your back on any of these sorts of things that could go wrong.
Joe Carrigan: Indeed.
Dave Bittner: Yeah.
Joe Carrigan: I would agree with that.
Dave Bittner: Yeah. All right. Interesting stuff. So we will have a link to that Reddit thread in the show notes. My story this week, Joe, comes from the folks at an organization called Retool.
Joe Carrigan: Retool.
Dave Bittner: Which I have to say, not an organization I had heard of before, but they're a technology company. They provide software development tools. So their whole deal is, let's say you want to develop some kind of, I don't know, B2B piece of software or something in front of consumers. You would use Retool's tools to do so in a much quicker way. So they provide a way to accelerate the development process. Okay?
Joe Carrigan: Okay.
Dave Bittner: So Retool had a data breach, and they wrote about it in an article here that's titled, When MFA Isn't Actually MFA. And I want to go through this together. There's a lot of details here. Usually, we try to kind of rephrase these articles here, but I'm going to do a lot of reading from this one because there's a lot of technical details, and I want to get them right.
Joe Carrigan: Okay.
Dave Bittner: And I want to also say that hats off to the folks at Retool for outlining this with as much detail as they have.
Joe Carrigan: Yeah.
Dave Bittner: It's hard when you've been hit with something like this, and you've got some customers who are going to be upset with you, to be this straightforward and out in the open about it. I think it's a good thing.
Joe Carrigan: We've seen this a few times recently. Dragos did this.
Dave Bittner: Yeah.
Joe Carrigan: Can't remember. Somebody else did this too.
Dave Bittner: Yeah. Yeah. So I'm going to paraphrase here and kind of jump in and out of their text. But it starts off, it says, on August 27th, 2023, we fell victim to a spear phishing attack. The attacker was able to navigate through multiple layers of security controls after taking advantage of one of our employees through an SMS-based phishing attack. Several employees received targeted texts claiming that a member of IT was reaching out about an account issue that would prevent open enrollment, which affects the employee's healthcare coverage. Here's a transcript of the message. It said, hello, person A, this is person B. I was trying to reach out in regards to your payroll system being out of sync, which we need synced for open enrollment, but I wasn't able to get a hold of you. Please let me know if you have a minute. You can also visit this website to see if it goes through. So there's a link to a website. If you go to the website, it is a fake portal, which includes a multi-factor authentication form, and the employee fell for this, went there, filled out the form, received a phone call from someone claiming to be a member of the IT team. This article claims that they used a deepfake of the actual voice of someone from the IT team. They deepfaked an IT member's voice.
Joe Carrigan: Okay.
Dave Bittner: Now I personally am skeptical of that because I don't think that it's necessary to do that. Most people will get away with it either doing an impersonation or just saying that they are who they are and letting the fuzziness of a phone call take care of that.
Joe Carrigan: Right.
Dave Bittner: But we'll give them the benefit of the doubt. This says the voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication code. So the additional OTP token shared over this call was critical because it allowed the attacker to add their own personal device to the employee's Okta account, which allowed them to produce their own Okta MFA from that point on.
Joe Carrigan: I see.
Dave Bittner: Okay.
Joe Carrigan: Right. So they've logged in to Okta, who is a multi-factor, third-party multi-factor provider.
Dave Bittner: Right. Like they're an authentication provider.
Joe Carrigan: Right. And they have now essentially gotten their own seed for their own device.
Dave Bittner: Right.
Joe Carrigan: That lets them generate all the MFA codes they want.
Dave Bittner: Correct.
Joe Carrigan: Right.
Dave Bittner: So once they got access to Okta, this enabled them to have an active G Suite session on their device. Google has recently started synchronizing their Google Authenticator app, so it syncs MFA codes to the cloud.
Joe Carrigan: Right. The seeds.
Dave Bittner: Yes. The folks at Retool are making the point that this is a bad thing.
Joe Carrigan: Right.
Dave Bittner: And they point to an article from Hacker News that also says this is a bad thing.
Joe Carrigan: Right.
Dave Bittner: Because if your Google account is compromised, so are your MFA codes.
Joe Carrigan: Multi-factor authentication seeds. Now the important part to understand about a seed is it's a pseudo-random number that's hopefully as close to random as you can get. It then becomes the basis for the random number generator that these Google Authenticator apps are.
Dave Bittner: Right.
Joe Carrigan: Right. So if you and I have the same seed, and we run the same time-based software, same time-based system, because it is time-based, at the same time you and I will have exactly the same multi-factor authentication one-time password code on the device.
Dave Bittner: Right. Yeah. And Bob's your uncle.
Joe Carrigan: And Bob's your uncle. So if all of your stuff is on the G Suite account, and you have a phone that's on this account with Google Authenticator backing up your seeds, everything that you have stored in that Google account is now available to somebody who has access to that Google account and logs in as you using their one-time password that they've already socially engineered out of you. And then they open up Google Authenticator, and bam, they get all that stuff imported.
Dave Bittner: Right.
Joe Carrigan: Yep.
Dave Bittner: So let's say that getting access to this employee's Google account gave the attacker access to all of their MFA codes. With these codes, the attacker gained access to their VPN and their internal admin systems.
Joe Carrigan: Right.
Dave Bittner: This allowed them to run an account takeover attack on a specific set of customers who were, wait for it, Joe, all in the crypto industry.
Joe Carrigan: Hmm. Cryptocurrency.
Dave Bittner: They changed emails for users and reset passwords.
Joe Carrigan: Really?
Dave Bittner: Yeah.
Joe Carrigan: Hmm. Wonder who this might be.
Dave Bittner: So the folks at Retool, once they found out about the attack, they reset people's accounts and so on and so forth. It sounds like about 17 of their customers fell victim to this. But I just thought this was a really interesting outline of an attack here, and I was curious what you thought about it, Joe.
Joe Carrigan: That is an interesting outline of an attack. First off, it's great. Thank you, Retool, for sharing this.
Dave Bittner: Yeah.
Joe Carrigan: I think that there's a number of things here that are important to understand. Number one, if you are somebody who is -- it sounds like these guys had a lot of intelligence behind them. I think I have an idea of who this might be. I don't want to say who it is, who I think it might be, but I think I know who this might be.
Dave Bittner: Okay.
Joe Carrigan: And the reason I think I might know who this is is because they have a lot of information about the building. They've gained a lot of intelligence. They knew that they were going after Retool, because Retool had as its customers cryptocurrency exchanges or cryptocurrency companies somehow.
Dave Bittner: Right. Sure.
Joe Carrigan: They are probably going after crypto.
Dave Bittner: Right.
Joe Carrigan: Which is another thing that points to a particular actor that does this.
Dave Bittner: Right.
Joe Carrigan: Remember when Twitter got hacked years ago?
Dave Bittner: Yeah.
Joe Carrigan: And it was just some kid that did something very similar, calling in pretending to be from IT, and got an MFA code, and was able to get in, and then started posting crypto scams to Barack Obama's page or something like that.
Dave Bittner: Right. Right.
Joe Carrigan: It was really crazy what he did.
Dave Bittner: Yeah.
Joe Carrigan: But the way Twitter handled this was they gave everybody in the organization two YubiKeys, two hardware tokens.
Dave Bittner: Right.
Joe Carrigan: Now in order to carry out that code, you can't get somebody to cough up a one-time password code. Can't get it to happen. That is why I say that these one-time password codes are secure. They're more secure than the password that you get over SMS because you can't do a SIM swap and get it.
Dave Bittner: Yeah.
Joe Carrigan: But now if I breach your Google account, I can get the seeds and essentially get the one-time password codes forever for that seed.
Dave Bittner: Right.
Joe Carrigan: So if I can get around your authentication in any way, shape, or form -- and let's say that my Google account that backs up my seeds is my personal account. I bet a lot of people have that.
Dave Bittner: Yeah.
Joe Carrigan: So if your personal account is hosting stuff on your business account for your business stuff, which I do have that, or I did actually until we upgraded our multi-factor authentication at Hopkins, I had Hopkins multi-factor authentication stuff in my Google Authenticator.
Dave Bittner: Shame on you, Joe. Shame on you.
Joe Carrigan: Well, it was the only option, Dave.
Dave Bittner: Right.
Joe Carrigan: And it started back before they did the seed backup. But when I got this phone and installed Google Authenticator with my account, all those seeds came down.
Dave Bittner: Okay.
Joe Carrigan: That was within the last year and a half, I think.
Dave Bittner: Yeah.
Joe Carrigan: And I got them.
Dave Bittner: So there's another thing at play here that I think is worth mentioning, and it kind of feeds into another thing that's been in the news this week, which is there was a ransomware attack on MGM casinos in Las Vegas.
Joe Carrigan: Right, yeah.
Dave Bittner: And the reporting that we're getting on --
Joe Carrigan: It was Caesars.
Dave Bittner: Oh, was it? Well, Caesars got hit, and then MGM got hit.
Joe Carrigan: Okay.
Dave Bittner: Caesars paid the ransom.
Joe Carrigan: Right.
Dave Bittner: So far, MGM has not, as we were recording this. But the hackers are claiming to have used social engineering to gain access. And I saw a post just today from Rachel Tobac, who has been a guest on our show. And she, of course, is an expert when it comes to social engineering. And she was saying how this sort of thing of using phone calls is really a soft spot for so many organizations.
Joe Carrigan: Yeah.
Dave Bittner: And that's part of what happened here, in that it's really in your best interest to have some way of verifying who someone is over the phone when they say they are such and such a person.
Joe Carrigan: Yeah. And the problem with it is that the phone is so ingrained in our psyche. I mean, everybody that's alive today has been alive since phones were around.
Dave Bittner: Yeah.
Joe Carrigan: Right? I don't know if there's anybody that predates the existence of telephones.
Dave Bittner: Right. Probably not anymore.
Joe Carrigan: There may be people that are still alive that didn't have a phone growing up.
Dave Bittner: Yeah.
Joe Carrigan: I know my mom had a party line phone, if you can believe that.
Dave Bittner: Yeah.
Joe Carrigan: But it's part of everything we do. When you pick up the phone and somebody says, hey, this is so and so, and you know me, there's a certain amount of credibility already built into it.
Dave Bittner: Right.
Joe Carrigan: Also, your point about the fact that the phone has never really been an accurate way of representing someone's voice is well taken, because it's a lot easier to impersonate somebody if you only have to do so through a smaller portion of the audio bandwidth.
Dave Bittner: Right. Right. Yeah. And you could claim you have a cold or a sore throat or, you know, who knows?
Joe Carrigan: Yeah.
Dave Bittner: I mean, a good social engineer is going to have all kinds of ways to explain.
Joe Carrigan: They're going to talk you right around.
Dave Bittner: That's right. That's right. So I think that's an important part to not overlook when we're talking about the various aspects of this.
Joe Carrigan: Right. My only recommendation to Retool is start using hardware tokens instead of these one-time passwords.
Dave Bittner: Yeah.
Joe Carrigan: That's it.
Dave Bittner: Yeah.
Joe Carrigan: It's going to cost you around 100 bucks every employee to give everyone two of them. Just give them to them.
Dave Bittner: Yeah. All right. Well, we will have a link to that posting from the folks at Retool. Again, you know, tip of the hat to them for being so transparent about this.
Joe Carrigan: Yeah. I want to reiterate that. Not only is it important that they come clean for their own benefit, but, you know, in terms of telling everybody what happened, that's a very important part of it. The fact that they've put this out there and they've outlined it like this helps every other organization that reads or somebody reads this article.
Dave Bittner: Yeah.
Joe Carrigan: That is remarkably helpful. So it's not just transparent, but it's helpful.
Dave Bittner: Yeah.
Joe Carrigan: So thank you, Retool. I really appreciate these kind of posts.
Dave Bittner: All right, Joe, it is time to move on to our Catch of the Day.
Joe Carrigan: Dave, our Catch of the Day comes from the University of Alabama Department of Engineering. I'm just going to let you read this.
Dave Bittner: Okay.
Joe Carrigan: It goes like this. Hello. There is affidavit case filed against you. They are stating that using your email address filled up your personal information. You took out a payday loan for $300 from CashNet USA. You supposed to pay them back in 21 working days, but you did not. Company tried to contact you by phone and email, but there was no response from you to pay it off. Now, company want to deal this matter inside the courthouse for doing a defraud with them. They are willing to sue you legally in the courthouse under FDCPA Act so that you can pay the penalties charges and affect your credit score before the company take any kind of legal action by forwarding your file for the legal proceedings. Would you like to resolve this matter or you want to deal this inside the courthouse? Do reply ASAP. Regards, Archie C. Brown, legal department. Archie C. Brown from the legal department.
Dave Bittner: Yeah.
Joe Carrigan: Sounds like a lawyer wrote this, Dave. This might even be something that my lawyer wrote.
Dave Bittner: Yeah.
Joe Carrigan: Caveman lawyer.
Dave Bittner: Yeah. I was going to say, yeah, you need a better lawyer if this is what they're sending out.
Joe Carrigan: Right.
Dave Bittner: What do you think's going on here, Joe?
Joe Carrigan: Oh, this is just obviously somebody trying to get 300 bucks out of you with threatening legal action.
Dave Bittner: Right. Right.
Joe Carrigan: Payday loans. I know there are people out there that use payday loans.
Dave Bittner: Yeah.
Joe Carrigan: I am not a big fan of the concept.
Dave Bittner: No. I mean, I think it's a method of last resort for some folks.
Joe Carrigan: Yeah.
Dave Bittner: I mean, everybody wants to pay those kind of fees, but that's the way it goes.
Joe Carrigan: Yep.
Dave Bittner: Well, our thanks to the University of Alabama Department of Engineering for sharing this. We do appreciate them sending this along. We would love to hear from you. Our email address is hackinghumans@thecyberwire.com. Joe, I recently had the pleasure of speaking with John Hammond. He is a principal security researcher at Huntress. He is also a very popular YouTuber.
Joe Carrigan: Yeah. One of my students just hit me to his channel a couple of weeks ago.
Dave Bittner: Is that right?
Joe Carrigan: Yeah. It's good stuff.
Dave Bittner: He's certainly entertaining and knows his stuff. So highly recommend if you're into this security stuff, go to YouTube and search for John Hammond. I think you'll get a lot out of the stuff that he shares. So my conversation with him today, I thought we'd play a little game together and have him take us through the various levels of multi-factor authentication. Here's my conversation with John Hammond. So John, you are a very experienced security researcher here. And I would love to go through a little bit of an exercise with you here of imagining that I am a person who is going about my life, minding my own business, and you are a bad guy trying to access my accounts. And let's just say for the sake of argument, it's an email account. Sound like fun?
John Hammond: Oh, I'll do my best, but thank you, I'll try.
Dave Bittner: Okay. So to start off, let's just say I have a run-of-the-mill email account and I have a username and password and that's it. No multi-factor authentication. How are you going to try to break in?
John Hammond: Oh, goodness. Well, I guess I'll try at least with the level one here, a couple of different avenues. For one thing, I'll do a simple brute force, see if I can find the password that might match your email address or username just by trying one after another. I'll do a little bit of social engineering, maybe see if I can get a simple phishing email through the door. I'll see, hey, does the email client that you use or even the email server that handles a lot of the authentication maybe have some vulnerability or something that I could compromise and sort of work another way in?
Dave Bittner: Are there standard methods that you would use to try to figure out what my username might be?
John Hammond: I can do my best, yeah. Hey, taking a look for any online resources or these open source intelligence, right? And I determine maybe standard schema of, hey, the email address format, like a company that you're working with or maybe your own personal information if it's shared or maybe seen from past data breaches or accessible out and around anywhere on the internet. We could try and hunt for that on social media or anything.
Dave Bittner: Yeah. All right. Well, let's ratchet it up a level here and let's suppose that I've activated SMS passwords on my account. How are you going to come at me now?
John Hammond: So, hey, the same three prongs kind of already keep working. However, now we have that other layer of security in the mix, but I will need to probably rely a little bit more on that social engineering. Say, hey, could I fool you or deceive you into also entering a genuine invalid two-factor code? There are some neat and interesting tools that do this. Evilginx is one example that sort of has a reverse tunnel or proxy to, hey, try to capture and collect your SMS token or any of that two-factor component that I could still swipe.
Dave Bittner: Is this one of those ones where you could also have a website that looks exactly like the legitimate website that will ask me for that code and ask me to enter it?
John Hammond: Yes, exactly. That's absolutely the right idea. We'll try to stage or impersonate and sort of masquerade. So you think you're logging into the real service, but it's actually my nefarious little mousetrap.
Dave Bittner: Now, just to be clear here, I mean, the fact that I have SMS enabled, that's way better than nothing at all, right?
John Hammond: Absolutely, without a doubt. SMS offers a couple other idiosyncrasies. You'll hear spooky scaries of stuff like SIM jacking or, hey, could we even gain access to that phone number or that phone on its own? But absolutely, another pedestal for your authentication process is so, so much better than just one.
Dave Bittner: Well, let's continue down our pathway here. I mean, suppose that I take it to the next level and I have a security app on my phone, one of the authenticator apps, say from Google or one of the other suppliers, is that going to make things harder for you?
John Hammond: It is. I'll admit, I do tend to think those specific applications, like as you mentioned, Google Authenticator or one from Microsoft or Duo, I'm sure there are plenty of others, hey, we could still try and hope for that social engineering aspect. Maybe we could determine some unique vulnerability that you can see, oh, the seed, hey, can we even predict or know what is the possible pin code that's offered at that time? That's harder to do, but kind of rolls along the same lines as, oh, can we find other vulnerabilities in the email client or the email server? There's still options, but we absolutely need to be a bit more clever.
Dave Bittner: And well, let's take it up to the top level, I guess, in my mind, which is if I have some sort of a hardware key, you know, a YubiKey or something like that, have I stopped you yet?
John Hammond: Yes, kind of. I'll admit, hey, I personally use a hardware token, I'm a huge believer that that absolutely makes the trio. Hey, you know, for authentication, you've got something you know, maybe your password, something you have, that's your cell phone for the multi-factor authentication, the pin code and something you are. So oftentimes that biometrics of, I don't know, hey, scanning your face or your eyes or your fingerprints, a lot of those hardware tokens can at least get a fingerprint authentication. Then yeah, we got to get really scrappy. I don't know, not the silly stuff you see in the movies, but I don't know, can we track down your fingerprint or the face replica deepfake stuff? Some of those get a little bit pie in the sky, but you do have to bear in mind, oftentimes those services that you're logging into, especially for email, will sort of give you the option because maybe you're in the situation where, oh, whoops, I left my hardware token on my key chain and I don't have that with me for one reason or another. So you can opt to use another authentication method. So depending on the implementation, I might still be able to circumvent that and say, hey, let's use something else, even if you have that hardware token.
Dave Bittner: Yeah, I think that's a really good point. I mean, your security is only as good as the things that you have authorized to be fallbacks.
John Hammond: Absolutely.
Dave Bittner: Yeah. So in general, I mean, what is your guidance for folks here who want to best protect their accounts, their email, their banking accounts, those sorts of things, and they want to strike that balance between making sure that something is properly secured, but also not making it so it's so much of a burden that they're not going to keep at it?
John Hammond: That's a super good question. And I got to admit, hey, this kind of really falls down to your own threat model, how you measure risk and maybe just your level of concern for maybe your digital stuff that you tend to work with. I'd argue, hey, everything that you end up doing is still critical and valuable and you don't want that compromised. But maybe if you're a little apathetic, laissez-faire, whatever, ultimately, it's the same boring basic cybersecurity hygiene that you hear so many folks screaming and shouting about. But it's the right answer. So I tell folks, hey, yeah, I'm a believer in password managers, personally. I haven't generated a long, giant, complex, completely nonsense, 128-character thing just because I don't have to remember it and it'll manage it for me. And hey, it's different and unique for every single service. So I'm okay with that. I think that works great. Of course, multi-factor authentication, and it is called multi-factor authentication, not just two-factor authentication. So again, whatever you can do to layer up. I'm a big believer in that physical security token. Again, if we can mix in, hey, some of those biometrics, if possible. And you hear stuff like, hey, patch, seriously, update. I mentioned those vulnerabilities and those specific things to the application because that is still and always a real vector. So make sure you've got stuff updated. I know some folks think, oh, a VPN when we're trying to keep that anonymity in mind. There are a whole lot of different roads to go down, but I feel like it's such a bad and boring answer. It's all the stuff you hear for basics.
Dave Bittner: Yeah, right, right. Can we touch on the social engineering component of this quickly? I mean, in terms of making sure that people are up on things like security awareness training and just having their radar up to be sensitive that these things may be coming at them.
John Hammond: I'll do my best, but it's interesting. I've been trying to work with a recent project that would do a little showcase and demonstration of session hijacking. So for folks listening in, that's one of those sort of hacker techniques or tricks that you could do where, hey, if you could kind of gain access to the end user or the victim's cookie, like their specific sort of, hi, my name is name tag that it talks to the service or the server with, then you don't even need their password or their two-factor key. You could, quote unquote, bypass multi-factor authentication because you've stolen their session. So I've tried to put together a little demo where you could see, hey, how could we do some session hijacking for like a Microsoft 365 environment, the same way you might access Outlook or your email if folks are using that these days? Could I send a phishing email or deceive you in some way that I could just collect your tokens or your sessions and then maybe convert them and open them up to, yes, then use Outlook or explore the cloud Active Directory environment or dig into any other apps or services that the Microsoft 365 suite lets us use? Microsoft Teams or Calendar, that can really open the door when we put phishing in the sense of cloud. And I know it's a buzzword, but there's a certain reality there too.
Dave Bittner: Can you give us some details about how someone would come at that, stealing that session information?
John Hammond: Yes. So there's a fun thing where oftentimes the cloud services could basically offer authentication with maybe some technology or functionality that they'll call like a device code. Maybe specific to, hey, we know that you could log in from this computer or this cell phone or device, right? And that's odd because it's not the username or email address and password and the usual two-factor authentication. It's when the service itself, again, Microsoft 365 is the example, could give you, here's a specific numeric ID to your device, and then you enter this to specify, hey, I want to validate and make sure that this hardware, that this actual device can be authorized to use the application. So hey, maybe a little bit of a scheme, maybe a little bit of a phishing email idea. Well, why don't we just fake the device code? Why don't we just have them enter one and, hey, go validate that with the service? And we can sort of play the man in the middle to request and work with the real genuine device code. And once we can send a phishing email to enter that, well, we've been listening in, we've been eavesdropping and snooping in on that conversation, and now we could authenticate. So again, I think we maybe briefly mentioned it earlier. It's oftentimes the implementation or those other options and functionality of the security mechanisms offered to you. Which of those could be abused and in what way and how?
Dave Bittner: What's your advice to folks out there who may think that, you know, I don't have anything that anybody would be interested in, you know, nobody would come after me. I'm just a regular person, you know, minding my own business.
John Hammond: Hmm, interesting. Sometimes I think that mindset forgets or neglects just how much information and details are in their life or in their digital life, right? Sure, you can think of, I don't know, the things that you interact with or maybe use on a day-to-day basis, whether it's your email, whether it's social media, whether it's applications you might run on your computer or, I don't know, your iPad, stuff at home, Alexa, devices in your house. Those are all pretty well integrated and can talk to each other here and there. They often share some functionality and will work together. So whatever tidbit, whatever small breadcrumb of data or intel on a person or a company or a business, and maybe vice versa, because they can affect each other. Hey, you maybe as an individual get compromised, but hey, you bring that device into work maybe some days. Or maybe your personal cell phone connects to their Wi-Fi. Maybe sometimes you don't think of all the other things that could kind of fall over and a little bit of a domino effect if you just are so apathetic to, hey, this whole security thing, it doesn't matter to me. I'm too cool for that.
Dave Bittner: Joe, what do you think?
Joe Carrigan: I like this exercise, Dave.
Dave Bittner: Okay.
Joe Carrigan: It was a good exercise to run through. It's great to hear someone practice some adversarial thinking in real time against a hypothetical situation.
Dave Bittner: John was a good sport.
Joe Carrigan: Yes. John's answer to your first question is a crash course in cybersecurity. It is most of the problems in cybersecurity in microcosm.
Dave Bittner: Yeah.
Joe Carrigan: I really like it. The first level of attack against an account that's only protected with a username and password is brute force. It's my favorite kind of force, Dave. The thing I like about this attack is it doesn't involve the victim at all, right?
Dave Bittner: Yeah.
Joe Carrigan: If your password has been leaked and you're using it, it's over. It's going to be effective and you don't even get the chance to try to stop the attacker.
Dave Bittner: Right.
Joe Carrigan: It's just they get your email account. That's how it is.
Dave Bittner: Yeah.
Joe Carrigan: The next level is a social engineering attack. Depending on how good the person is, if you're up against the aforementioned Rachel Tobac, you might as well just say, is this Rachel? Yeah. Here's my username and password, Rachel.
Dave Bittner: Right. Exactly.
Joe Carrigan: Or hang up the phone.
Dave Bittner: Yeah.
Joe Carrigan: Of course, that's why we do this show, right?
Dave Bittner: Yeah.
Joe Carrigan: It's important to understand how these things work, important to be able to recognize them. But then after talking about brute force and using social engineering, he goes on to the next attack, which is the actual attack, looking for a vulnerability. He's got to get into some hardcore action here in terms of breaking into a service, finding a vulnerability, exploiting that vulnerability. Maybe that exists. Maybe it doesn't.
Dave Bittner: Yeah.
Joe Carrigan: But this is actually what you think of when you think of hacking, right?
Dave Bittner: Like in the movies or TV.
Joe Carrigan: Right. This is actually the first act of hacking into something. Everything else is just guessing a password or asking for the information. Hacking Humans -- I wonder where I've heard that before. But once you get into that level where you actually have to use some kind of technical expertise, that's a much smaller group of people that can do that, right? Anybody can run a script that does these brute forcing things. He goes into the other attacks, the brute force and, well, the brute force in particular, for a few reasons, is that it can be automated. Brute forcing attacks are really easy to automate. That's what credential stuffing attacks are. They're just brute force attacks that have an automated feature behind it or password spraying. That's the same kind of thing, except without known credentials. Not only are they automated, but they work a lot. They work really well. Like, if you get a list of passwords, username and password, you can frequently just go out and compromise other accounts because of password reuse.
Dave Bittner: Right.
Joe Carrigan: And they're much easier than the actual hacking along with the social engineering. I would say there are more people out there that would make good social engineers than there are people out there that would make good security researchers or hackers in this case.
Dave Bittner: Yeah.
Joe Carrigan: I'm focusing almost entirely on the answer to his first question here in my comments here. But when it comes time to start talking about what about an SMS token, he goes right back to social engineering. Brute force is really not going to be effective. That is the biggest advantage you get by using an SMS message. And you guys talk about this, that yeah, SMS is not the most secure way, but it is way better than nothing.
Dave Bittner: Right.
Joe Carrigan: And the reason it's way better than nothing is because it eliminates the possibility of the large-scale brute force attack.
Dave Bittner: Right.
Joe Carrigan: Takes it out of the equation.
Dave Bittner: Yeah.
Joe Carrigan: Now I have to spend focused time on one person to get in there and that's an economic cost. But then again, he also will try the hacking techniques. Things like the SIM swap or the going around and see if he can get around the system through some vulnerability. One-time password. Funny, we had an interesting story about that today.
Dave Bittner: Yeah.
Joe Carrigan: But those are also vulnerable for social engineering attacks as we heard in the story. And then once you've gotten into the account, maybe you can download the seeds and you've got them.
Dave Bittner: Yeah.
Joe Carrigan: And now you're kind of on to a more advanced hacking technique, I think. But maybe not. You're just installing an app. Hardware key, now you're causing real problems for the attacker. Now you have to rely on -- it's not really so much a user problem anymore. There's nothing they're going to do to you, the user, to get around the system. They're going to have to do something else. They're going to have to compromise your web browser session to get access to your token.
Dave Bittner: Right.
Joe Carrigan: Which is essentially just a long random text string that identifies you. Or they're going to have to go to the web interface and they're going to have to say, well, I don't have that with me right now. Can we use a different way to authenticate me? And maybe they have that. Now, I don't know if -- I can't remember which service it was that I had authenticated to with my YubiKey, but when I logged into one of them, it was either Facebook or Gmail. I talked about this a while ago, where I went to try to log in on a new machine, and it just said -- it just logged me in without the use of my device. And I had set up a device, and I can't remember where that was.
Dave Bittner: Okay.
Joe Carrigan: But that wasn't anything I did. That was something that the provider did. You don't have any control over what the provider does, which is why it's important to use different passwords for everything.
Dave Bittner: Right.
Joe Carrigan: Just remember that your security is only as good as the provider's implementation. Everyone has to do their own risk assessment. That's a great observation. The question you asked on the they're not interested in me problem, I still get these kind of responses from people when I start talking about cybersecurity. Yeah, they are interested in you. And there's a lot of reasons to protect yourself. We had a story a couple weeks ago. I can't remember, a while ago, but it was actually a story of a nation state attacker going after small businesses, because that gave them the ability to then impersonate Microsoft support on Skype, or Teams -- it was Teams. So yeah, you have something of value. Do you have a Microsoft 365 account? That's of value to an attacker for more than one reason.
Dave Bittner: Yeah, I'd say, I mean, pretty much everybody has a bank account, so that's all you need to know.
Joe Carrigan: Oh yeah, any kind of money.
Dave Bittner: Yeah.
Joe Carrigan: Money matters, right?
Dave Bittner: Yeah. You have a bank account? You have a credit card? I mean, that's all. And the answer is yes.
Joe Carrigan: Yes. Again, we hear the same three basic instructions. Use multi-factor authentication. Use a hardware token as your best option. Use a password manager and patch and update your system. Don't be the low-hanging fruit.
Dave Bittner: Yeah.
Joe Carrigan: That's really the best thing. There was a short talk about VPNs. Try not to think of VPNs as a security layer. They're actually a privacy layer, I would say. They block your cable company or whoever your internet provider is from seeing what you're doing.
Dave Bittner: Yeah.
Joe Carrigan: But remember, even if you're on a VPN and you're logged into Facebook, Facebook knows what you're doing on the VPN.
Dave Bittner: Right. Right.
Joe Carrigan: Google knows what you're doing on the VPN.
Dave Bittner: Right.
Joe Carrigan: The only way to keep that private is to not do those things when connected to the VPN and use, I don't know, maybe you can use private mode. Even then, I'll bet it's not 100% private. I'll bet there's ways around it that they can figure out who you are. I know they can do it by fingerprinting your browser.
Dave Bittner: Right.
Joe Carrigan: There are tons of different ways they can do it.
Dave Bittner: All right. Well, our thanks to John Hammond for joining us. Again, he is a principal security researcher at Huntress, and he also has a fabulous YouTube channel, so do check that out. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. The show is edited by Trey Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.