Hacking Humans 10.19.23
Ep 262 | 10.19.23

Scoring cybersecurity in the NFL.

Transcript

Joseph Oregon: They've partnered with CISA in order to kind of put on a tabletop exercise that not only covers what they do within the NFL to manage particular incidents but also to understand how private sector and public sector entities in the location of their event manage an incident.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Joseph Oregon. He is chief of cybersecurity for CISA in Region 9. We are discussing the recent tabletop exercise that CISA conducted with the National Football League. All right, Joe. Before we get into our stories here, we've got a couple little items of follow-up. What have you got for us?

Joe Carrigan: Yes. First, I wanted to say thank you to Tiffany for stopping by the booth at Grace Hopper. She did not know who I was until I said my name. And, once I told her who I was, it was the first time somebody actually said, Oh, it's you. Never had that happen before in my life.

Dave Bittner: Did she recognize your voice?

Joe Carrigan: She did not.

Dave Bittner: Okay.

Joe Carrigan: That hasn't happened yet. Once I said my name, she was looking at the CyberWire swag that you sent me down with.

Dave Bittner: Okay.

Joe Carrigan: She's, Oh, I love these shows. I'm like, Well, what's your favorite one?

Dave Bittner: Ah. Did she say

Joe Carrigan: With Danielle? No. She said it was Hacking Humans, actually.

Dave Bittner: Okay. Very good.

Joe Carrigan: So I was like, ah. That's very good.

Dave Bittner: Right. That's the ding, ding, ding, ding. Very good. Very good.

Joe Carrigan: So thank you, Tiffany, for stopping by. It was the highlight of my event down there.

Dave Bittner: That's nice. That's nice.

Joe Carrigan: I also want to thank Jason. Jason made a recommendation for Microsoft PowerToys because he heard me complaining that I'm not entering a bitcoin address to see if anybody's been scammed from an image.

Dave Bittner: Oh. Okay.

Joe Carrigan: So he recommended PowerToys, which will let you snap a picture of an image on your screen and then will convert it to text. It does a whole mess of other things, too, some really cool stuff. So if you're a Windows user, I recommend checking it out.

Dave Bittner: Is it sort of a utility program that has a lot of different functionality?

Joe Carrigan: It is.

Dave Bittner: Okay.

Joe Carrigan: It is. There was -- there was something similar that Microsoft had years ago.

Dave Bittner: Yeah.

Joe Carrigan: I remember one of the things it did was turn your -- give you in the command prompt to give you -- gave you an ls command that was very similar to a Linux ls command.

Dave Bittner: Okay.

Joe Carrigan: But I can't remember what that was called, but they don't make it anymore. They don't distribute it.

Dave Bittner: Okay.

Joe Carrigan: Finally, Rory wrote in about my -- our tinfoil hat discussion a couple of weeks ago where I was talking about the -- my car, every time I drive by the dealership --

Dave Bittner: Right.

Joe Carrigan: -- I get an email. And he said, Well, they could be using an automated license plate reader that looks up your license plate. You don't have to have anything in the car.

Dave Bittner: Oh.

Joe Carrigan: But then, he says, it seems that it's much less expensive just to be sending people emails who've bought cars from you in the past. Probably a coincidence.

Dave Bittner: Right, right.

Joe Carrigan: So I'm going to take my tinfoil hat off and go with the Occam's razor explanation.

Dave Bittner: Okay. Well, it makes sense.

Joe Carrigan: That's probably correct.

Dave Bittner: Yeah, yeah. All right. Well, thanks to everyone who wrote in to us. Of course, we would love to hear from you. It's hackinghumans@n2k.com. All right, Joe. Let's jump into our stories here. Why don't you kick things off for us.

Joe Carrigan: Dave, we have conducted a cybersecurity survey at the Information Security Institute.

Dave Bittner: Oh. Go on.

Joe Carrigan: I want to talk about that survey.

Dave Bittner: All right.

Joe Carrigan: This was commissioned by the Maryland Cybersecurity Council. And we had some funding from the National Cryptologic Foundation as well as ISI, the Information Security Institute.

Dave Bittner: Okay.

Joe Carrigan: This is a pilot study --

Dave Bittner: All right.

Joe Carrigan: -- which, in other words, what we're -- what we're hoping on, what we're hoping comes out of this is another more formalized study.

Dave Bittner: I see.

Joe Carrigan: Because we conducted this survey using Amazon's MTurk. Are you familiar with MTurk?

Dave Bittner: The Mechanical Turk?

Joe Carrigan: Mechanical Turk. Right.

Dave Bittner: Yeah.

Joe Carrigan: But they call it MTurk now.

Dave Bittner: Oh. How streamlined.

Joe Carrigan: That's right. Yeah. They have the -- that's the marketing guys. I'm sure there's some marketing guy that got a big raise for that.

Dave Bittner: Right, right.

Joe Carrigan: So the way this works is people sign up on MTurk for -- to be workers, and then people sign up to be requesters. And you can send a request for some human intelligence task or a HIT, as they call it --

Dave Bittner: Okay.

Joe Carrigan: -- out to the workers. And then the workers get paid some amount of money for doing it. And this is actually pretty common for doing surveys like this.

Dave Bittner: Okay.

Joe Carrigan: One of the things that we were able to do was limit the audience or the respondent list to Maryland residents over the age of 18, and we got 549 valid responses back.

Dave Bittner: Okay.

Joe Carrigan: Some of the interesting findings from the survey is that two-thirds of people, 66, 67% said they had had some form of security awareness training in the past year.

Dave Bittner: Okay.

Joe Carrigan: Which I think is interesting.

Dave Bittner: Yeah.

Joe Carrigan: Does that mean that everybody else is getting targeted, that everybody else is falling for these, falling for these scams? I want to say falling for scams but getting -- getting tricked by these scams is in that other 33%? Probably not.

Dave Bittner: No. But I would say they're at a disadvantage probably.

Joe Carrigan: I would agree.

Dave Bittner: Yeah.

Joe Carrigan: I would agree they're at a disadvantage. We asked about people's data backups, how they back up their data. There was one interesting piece of information that came out of this. There's a small portion of people who say they don't back up their data. Some people say they send it off site, but 39% of people say they use a cloud service like OneDrive or Google Drive or Carbonite or something like that.

Dave Bittner: Right.

Joe Carrigan: But, when we asked how frequently they back up, only 16% of people said that they back up continuously, which is interesting, I think, because, if you're using OneDrive or Google Drive or I'm not sure how Carbonite works but I think it backs up -- their literature says they back up continuously. Whenever a file changes, that file gets uploaded to the storage provider.

Dave Bittner: Okay.

Joe Carrigan: So I think there's some kind of technical misunderstanding on a fundamental level.

Dave Bittner: Yeah. I mean, that's interesting because, like, I use Time Machine, which is Apple's --

Joe Carrigan: Right.

Dave Bittner: -- built-in backup utility. And it probably backs up two or three times an hour, I'd say. It runs its little routine to --

Joe Carrigan: That's probably as close -- I call that continuous.

Dave Bittner: Well, that was my question. Would you -- so, yeah. So would you consider that to be continuously?

Joe Carrigan: Yeah. I would consider that to be continuous.

Dave Bittner: I would.

Joe Carrigan: Here's the thing. When we do this other -- the next survey, the follow-on survey, we're going to be a little more clear on our questions.

Dave Bittner: Okay.

Joe Carrigan: I'm hoping, what I'm really hoping, Dave, is that we can do interviews with people --

Dave Bittner: Oh.

Joe Carrigan: -- so we can suss this out --

Dave Bittner: Okay.

Joe Carrigan: -- and get better, finer, granular answers.

Dave Bittner: Right.

Joe Carrigan: I don't know how that's going to work. I don't know what this looks like, but that's really what we're hoping. Ninety percent of respondents said that they had verified their backups within the past year. I'm a little dubious of that claim.

Dave Bittner: Well, I guess part of me wonders if -- if the verification was needing to go to their backups because something bad had happened, right?

Joe Carrigan: Right.

Dave Bittner: You know, not just checking for the sake of checking but like, Oh, crap.

Joe Carrigan: Right.

Dave Bittner: Right.

Joe Carrigan: I hope these backups worked.

Dave Bittner: Oh, yeah, yeah. So that that does seem high to me. But, if it's true, that's a good number.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: I would -- I would imagine that a lot of those people are people who use those online services and just rely on them for storage.

Dave Bittner: Yeah.

Joe Carrigan: That could be considered a back -- I use them, and I consider it one of my forms of backup. The problem with it is that, if you fall victim to ransomware, a lot of times those are also encrypted as well.

Dave Bittner: Right.

Joe Carrigan: Now, I don't know what -- since I've never fallen for ransomware, I've never had to go through this process myself. I don't know what the recovery options are from the cloud provider. They might be good. I don't know.

Dave Bittner: Yeah.

Joe Carrigan: We asked some knowledge-base questions. So -- and I'm going to -- I'm going to get on a soapbox here. The very first one is I asked what is the definition of social engineering in an information security context.

Dave Bittner: Okay.

Joe Carrigan: Twenty-five percent of the respondents got it right. There were four possible options plus an I don't know. So --

Dave Bittner: Okay. Is I don't know considered wrong?

Joe Carrigan: I don't know. That's a good question. I would say yes, they did not get it correct.

Dave Bittner: Okay. Ding, ding, ding. Okay.

Joe Carrigan: Only 25% of people got this right. This points to one of my biggest pet peeves in all of what we do here and that's the jargon. I don't think this is a good term. I don't think social engineering is a good term. I think it brings to mind something else. It doesn't -- it's not really descriptive. You have to be in the information security environment or at least familiar with it or adjacent enough to it to know that social engineering is essentially scamming people.

Dave Bittner: What would you call it? What would you prefer it be called?

Joe Carrigan: That's an excellent question, Dave. I've complained about this so long, I should have an answer to that question. But I don't.

Dave Bittner: I see.

Joe Carrigan: Next week, I'll try to have an answer. Hey. You know what? Let's solicit listener input here.

Dave Bittner: Oh, nice.

Joe Carrigan: Instead of calling it social engineering --

Dave Bittner: Nice pivot, Joe. Nice. Nice. Offload it. Offload it onto our listeners. I love it.

Joe Carrigan: I love doing this stuff, man.

Dave Bittner: Okay.

Joe Carrigan: Like, okay.

Dave Bittner: Yeah.

Joe Carrigan: Joe has asked me for something.

Dave Bittner: Okay.

Joe Carrigan: Spearphishing, about 50% of people, 49% knew what spearphishing was.

Dave Bittner: Okay.

Joe Carrigan: Phishing, 61% of people knew what that was. What's interesting is this is the only question we asked that lines up pretty much directly with one of the Proofpoint questions --

Dave Bittner: Okay.

Joe Carrigan: -- from the last time I talked about the Proofpoint State of the Phish Report.

Dave Bittner: Right.

Joe Carrigan: And they said 58% of people knew what phishing was. So we're pretty close there, 61, 58. It's only three points of difference.

Dave Bittner: Yeah.

Joe Carrigan: Right. So that gives me some confidence in -- in what we collected here. Here's the biggest surprise. Seventy percent of people knew what multifactor authentication was --

Dave Bittner: Okay.

Joe Carrigan: -- which is great.

Dave Bittner: That is great.

Joe Carrigan: We asked some cybersecurity hygiene questions. We asked, Where do you use multifactor authentication, and we let people choose one. And some people said -- 42% said they use it on their important accounts, 25% of people said they use it on most accounts, and 23% said they use it wherever it's offered.

Dave Bittner: Okay.

Joe Carrigan: So I don't know how I feel about this one. I mean, I'm okay if you only use it to protect your -- your important accounts.

Dave Bittner: Right.

Joe Carrigan: There are accounts I don't use multifactor authentication on.

Dave Bittner: Me too.

Joe Carrigan: Right. So, I mean, what happens if I lose access to that account? I can call that company and say I've lost access to the account. Somebody has changed -- somebody's changed my password.

Dave Bittner: Right.

Joe Carrigan: And then, you know, maybe I'll -- if it's somebody I pay, I'll just stop paying them.

Dave Bittner: Yeah.

Joe Carrigan: Create a new account. Not a big deal, right? It's not -- it's not a big loss.

Dave Bittner: Part of your risk assessment, your personal risk assessment.

Joe Carrigan: Part of my risk assessment. Exactly. Now, if it's my bank where I'm going to lose money --

Dave Bittner: Right.

Joe Carrigan: -- yeah. That's a different -- a different risk. That's a different level of risk. That's a different level of misery should something go wrong.

Dave Bittner: For me, there are accounts that I consider to be disposable, you know, like one and done.

Joe Carrigan: Yep.

Dave Bittner: Or I will rarely interact with this organization, and I know it.

Joe Carrigan: Right.

Dave Bittner: And they don't have any of my financial information or anything like that. And, for those sorts of things, I hate to say it but the extra sort of pain in the butt that multifactor can be --

Joe Carrigan: Right.

Dave Bittner: -- makes me not do it --

Joe Carrigan: Yeah.

Dave Bittner: -- because, in my risk assessment, it's not risky enough to make it worth the extra steps.

Joe Carrigan: Streaming services are a great example of this.

Dave Bittner: Right. Interesting.

Joe Carrigan: So if I'm -- if I'm trying to log in on my -- on my television --

Dave Bittner: Right. Oh, boy.

Joe Carrigan: -- am I going to walk up and put my YubiKey in the back of the TV's USB drive and hope that it works?

Dave Bittner: Yeah.

Joe Carrigan: Hope that -- hope that thing goes, Okay. Put -- you know, let's set up a YubiKey. No.

Dave Bittner: Right.

Joe Carrigan: No. I'm not going to do that. I'm not even going to go so far as to enter a code. I'm just going to -- to use a pretty good password.

Dave Bittner: Yeah.

Joe Carrigan: One that I can still enter with, like, click, click, click, click, click, click, click. I hate that.

Dave Bittner: Right, right.

Joe Carrigan: You know, I'll tell you, if -- if there's anybody from a streaming service listening, some of you guys are doing it right where you have -- you take a picture with your phone, you can log in on your phone. And some of you guys are doing it wrong. Looking at you, Disney. You're not doing it right.

Dave Bittner: Well, I'll give you a hard time and say one of the nice things about being on planet Macintosh is that, if you were using, like, an Apple TV, you can actually use the keyboard built into your phone to enter those sorts of passwords. So you don't have to click, click, click around. You can actually use a virtual keyboard.

Joe Carrigan: Yeah. Well, that is -- that is one of the big advantages with going to Apple is the user experience is top notch.

Dave Bittner: Right.

Joe Carrigan: I can't dispute that.

Dave Bittner: Right.

Joe Carrigan: It is a great user experience if you're a cult member. No, seriously. It's a good user experience. And that's always been the focus of the company.

Dave Bittner: Yeah. What else?

Joe Carrigan: What form of multifactor authentication do you use? This was check all that apply. Only 7.5% of people said they're using a hardware token like a YubiKey. We've seen that in other reports be higher.

Dave Bittner: Yeah.

Joe Carrigan: So I think we've seen it up to like 11%. I don't know if we're outside of the margin of error here. Probably not.

Dave Bittner: Yeah.

Joe Carrigan: But it doesn't shock me because there's a cost associated with it, using a multifactor authentication device of some kind. How do you choose your password? Twenty percent of people said they use the same password for most of their accounts, and 10% of people said they use their same password for all of their accounts.

Dave Bittner: Yeah. That doesn't surprise me at all.

Joe Carrigan: It doesn't. Now, these were not mutually exclusive. They could have selected both. But that means at least 20% of these people are just asking for credential stuffing attacks.

Dave Bittner: Right.

Joe Carrigan: That is a terrible, terrible way to go about your password management.

Dave Bittner: Yeah.

Joe Carrigan: Twenty-six percent said they use long and complex passwords. And then we followed on and said, How do you remember your passwords? And 28% said they use a password manager, which kind of goes in line with the 26% who use long and complex passwords.

Dave Bittner: They kind of go hand in hand. Right?

Joe Carrigan: You're using a password manager, why not use the feature of the password manager that generates a great account -- great passwords.

Dave Bittner: And one makes the other tenable.

Joe Carrigan: Yeah. Exactly.

Dave Bittner: Yeah.

Joe Carrigan: Twenty-nine percent said they write their passwords down.

Dave Bittner: Okay.

Joe Carrigan: I'm okay with that --

Dave Bittner: Yeah. Me too.

Joe Carrigan: -- for a lot of things. You know, don't leave it out in the open. Keep it in a notebook. But nobody is going to break into your computer and steal your physical notebook sitting next to your computer.

Dave Bittner: Right. That's very unlikely.

Joe Carrigan: It is.

Dave Bittner: Yeah.

Joe Carrigan: If they break into your house, that's a different issue.

Dave Bittner: Yeah.

Joe Carrigan: Forty-one percent say they remember them, which means that that's how they -- that's -- they're remembering all their passwords; they're probably using weak passwords.

Dave Bittner: Just memorizing them. Yeah. They -- I wonder how many of them have what they believe is a brilliant system of variation on their passwords that is, in reality, very easy for any type of automation to unpack and break.

Joe Carrigan: Of that 41%, I'll bet it's close to 100%.

Dave Bittner: Yeah. Sadly. What else did you guys look at?

Joe Carrigan: So we looked at victimization, as well, which was kind of a -- we were surprised but not terribly surprised. Twenty percent of people who responded say that they've been some kind of victim of ransomware. Forty-five percent, this is -- this is one of the shocking features of the report, of the data. Forty-five percent said that their information had been breached, and 38% said that their information had not been breached. And 17% said they didn't know. So 17 plus 38 is 55% of people, and that is 55% of people who are probably wrong --

Dave Bittner: Yeah.

Joe Carrigan: -- because that should be 100%.

Dave Bittner: Right.

Joe Carrigan: So this is a significant finding from this report, that people just don't understand. One in two people, pretty close to one in two people do not understand that their data is out there and available. It is. That's something that we have to get the message out about.

Dave Bittner: Yeah. It's interesting.

Joe Carrigan: We asked people, if -- we asked respondents if they've lost any money due to an online scam. Twenty-three percent of people said they had lost money to an online scam, which is a big number. We were surprised by how large that number was. And when we asked them how much number -- how much number? -- how much money they had lost --

Dave Bittner: Yeah.

Joe Carrigan: -- those numbers were also shocking. We had two people that said they lost $100,000.

Dave Bittner: Wow.

Joe Carrigan: Now, those data points might not be accurate, but they are within the ballpark. You know, we were -- we'll have a story coming up soon where we're talking to somebody about losses in the hundreds of thousands of dollars.

Dave Bittner: Right, right.

Joe Carrigan: This is not unheard of. The average loss, and just by average, I mean, mean was three -- about $3,000. And if you took out the two outliers, we're still around $1,500 for an average loss. There were nine respondents who claimed to have lost tens of thousands of dollars.

Dave Bittner: Wow.

Joe Carrigan: So you do the naive calculation and extrapolate that out to the -- the rest of the population of Maryland, and you're looking at a total loss of around $2.1 billion. Now, granted, that's a naive calculation.

Dave Bittner: Right.

Joe Carrigan: But it uses a lower number. So what are we going to do next? We're going to do a more formal study with hopefully more respondents. I'd like to get up around 1,000 to 2,000 people queried for this -- this survey. I'd like to distribute the sampling across the state a little more evenly. We had some overrepresentation from some areas like Western Maryland.

Dave Bittner: Right.

Joe Carrigan: I would like -- I would like to get a -- you know, a more random sample. And I'd like to ask some follow-on questions. And I'd really like to be -- to do this in the form of interviews.

Dave Bittner: What do you ultimately hope happens with this? Is -- is this -- is this information that you're gathering to then try to take to policymakers or --

Joe Carrigan: Yes. That's an excellent question, Dave. Why are we doing this? Why spend all this money? That's exactly what we want to do. We want to take it to policymakers and have them work on some kind of public education campaign.

Dave Bittner: Okay.

Joe Carrigan: That's what's got to happen here. The fact that more than half of the people in this state don't know that their data is out there and been breached, that's a problem.

Dave Bittner: Yeah.

Joe Carrigan: The fact that 25% of the people who responded to our survey said that they had been the victim of some scam where they lost money. That's another problem. That -- those are the two biggest problems that are made evident here. And -- and that's really what I would like to see a campaign on, those. Those are the two most impactful things, I think.

Dave Bittner: All right. Well, interesting results. Certainly, I mean, even just a pilot study, that's some really interesting data in there.

Joe Carrigan: Yeah. We'll have -- we'll have a paper out. And I think we're doing a talk or a panel talk at the CyberMaryland conference in December.

Dave Bittner: Okay. All right. Terrific. All right. Well, my story this week comes from the folks over at CNBC. This is an article written by Greg Iacurci, and it's titled How This 77-Year-Old Widow Lost $661,000 in a Common Tech Scam.

Joe Carrigan: See? $100,000 isn't that much.

Dave Bittner: Yeah. She said, I realized I had been defrauded of everything.

Joe Carrigan: That's heartbreaking.

Dave Bittner: This is a woman named Marjorie Bloom. She had wired -- well, let me back up and just describe what had happened.

Joe Carrigan: Right.

Dave Bittner: She had something pop up on her screen, tech support scam, type of thing we've talked about here many times.

Joe Carrigan: Right.

Dave Bittner: Microsoft needs to get in touch with you right away because there's a problem on your computer. Please call us right now. Your computer won't work until you call us right now. I described this recently, that this happened to my father on his Chromebook.

Joe Carrigan: Yes.

Dave Bittner: Right, which is not a Microsoft machine.

Joe Carrigan: It's not. They don't care. They'll put it on a Chromebook. And when somebody calls, they'll say, Oh, yeah. This is Microsoft. Oh, yeah. We do the Chromebook.

Dave Bittner: That's right. So Mrs. Bloom, who is 77 years old, she's a widow, she called and spoke to the person at Microsoft tech support who was, of course, very friendly and started asking her questions about things and was telling her all about the problems with her computer. And this person said that, by looking on her computer, he could see that there was a pending financial transfer, and the only way to protect herself against this transfer is to get that money out of the account.

Joe Carrigan: Give it to me for safekeeping.

Dave Bittner: Well, he actually went even farther than that. He connected her with a -- and I'm using big old air quotes here --

Joe Carrigan: Right.

Dave Bittner: -- a fraud investigator at her bank. So in the -- in the course of the conversation, he had asked her who she banks with. She told him. He said, Oh, good news. I can transfer you to that person.

Joe Carrigan: Right.

Dave Bittner: Put her on hold.

Joe Carrigan: It doesn't matter what bank you say.

Dave Bittner: That's right.

Joe Carrigan: They'll transfer you to that bank's fraud investigation?

Dave Bittner: That's right. That's right.

Joe Carrigan: You can even make a bank up, and they'll transfer you to Joe's New Bank of First -- Joe's Capital Bank of Maryland.

Dave Bittner: Yeah. Good news. I have one of their fraud investigators right -- right here on my speed dial. So transferred over to her or to -- rather, to the person claiming to be someone from her bank. And that, again, scammer verified that, sure enough, there were pending transfers here. And the only way that they could save her from losing this money was to move it quickly and also told her that, if she told anyone, including any of her three children, that could compromise their efforts. Right.

Joe Carrigan: The isolation -- the isolation play.

Dave Bittner: Right, right. Exactly. So that's what she did. And, long and short of it is she ended up transferring over $661,000 --

Joe Carrigan: Oh, my gosh.

Dave Bittner: -- which was her nest egg.

Joe Carrigan: Yep.

Dave Bittner: She was a professional. She had her own career. So she's not destitute now. She's still -- she has Social Security. She still has -- you know, she has some other investments.

Joe Carrigan: Right.

Dave Bittner: But she's really heartbroken. She said that, you know, she used to enjoy traveling; and she was hoping to pass on this nest egg to her children.

Joe Carrigan: Yeah.

Dave Bittner: And that's not going to happen now. She can't travel. She can't pass it on. You know, she's not out of her home. She -- she has -- she still can put food on the table.

Joe Carrigan: Right.

Dave Bittner: But --

Joe Carrigan: Her quality of life has been significantly impacted.

Dave Bittner: That's right.

Joe Carrigan: Yeah.

Dave Bittner: That's right. There's a couple of other sort of interesting details about this. She sued the bank.

Joe Carrigan: She did.

Dave Bittner: She did. She sued the bank, claiming that there should have been enough red flags with what was going on here, money being transferred, large amounts of money from a senior person being transferred overseas in the way that it was done, that the bank employees should have been trained to have this be a red flag --

Joe Carrigan: Right.

Dave Bittner: -- and put a stop to it.

Joe Carrigan: Yeah, yeah. And how did that lawsuit turn out?

Dave Bittner: The bank settled.

Joe Carrigan: The bank settled.

Dave Bittner: Yep.

Joe Carrigan: Okay.

Dave Bittner: So we don't know how much she got, but the bank did settle. Actually, one of the claims got dismissed. And so there are two claims that she had against the bank, and I don't remember specifically what they were about. But one of them got dismissed. And then the other one, the bank did settle. So I don't know to what degree was she made whole. I'd be very surprised if she got everything back.

Joe Carrigan: Right. And I'd also be very surprised if she was allowed to talk about how much she got back.

Dave Bittner: Yeah.

Joe Carrigan: She says -- in the article here, there's a headline that says, Somebody should have asked. You know, I think -- I don't know if this needs to be regulatory. But it seems to me like banks would be operating in their own interests if, when somebody -- they just put some kind of monitoring system --

Dave Bittner: Right.

Joe Carrigan: -- so that when somebody started transferring money, large amounts of money out and they're going to banks overseas, there's a phone call. There's a phone call that's being made. And nothing happens. That bank doesn't leave until they talk to the customer. And they say to the customer, I need you to come in here.

Dave Bittner: Right.

Joe Carrigan: That, in order for you to do this, you're going to have to come in here.

Dave Bittner: Right.

Joe Carrigan: And we're going to have to talk about it. And you're going to have to tell us why you're transferring your own money.

Dave Bittner: Yeah. Well, and this article goes into that, too. By the way, I should say that I did -- I misspoke a little bit. I oversimplified the story here. The initial transfer of the money out of her bank account, and she lives in Maryland near us --

Joe Carrigan: Okay.

Dave Bittner: -- the initial transfer went to a bank in New York.

Joe Carrigan: New York. Okay.

Dave Bittner: So they -- the scammers, using the information they had gathered from her computer, set up a bank account in her name in New York.

Joe Carrigan: Okay. So it was going to a bank, a fraudulent bank account in her name.

Dave Bittner: Right.

Joe Carrigan: So okay. So now what about the bank in New York that allowed a fraudulent account to be created in her name?

Dave Bittner: That bank doesn't exist anymore and for good reason.

Joe Carrigan: So it would seem. Right, right.

Dave Bittner: That bank went out of business. But you -- so you could see how that could lower some of the red flags for the transfer, if you're transferring money from you to you.

Joe Carrigan: Right.

Dave Bittner: That could -- that could mean --

Joe Carrigan: Not just go right through the -- yeah, go through any filters.

Dave Bittner: Right, right. But this article also points out that, you know, there are banking regulations. There's Know Your Customer rules, things like that. But when it comes to these electronic wire transfers, it's still a part of the banking industry where it's hard to claw things back.

Joe Carrigan: Right.

Dave Bittner: And I don't understand why. I mean, there must be a practical reason for it. And if someone out there is in the banking industry and can explain it to us, perhaps it's just as simple as they don't want to introduce friction to, you know, a system that's working 99.9% of the time.

Joe Carrigan: Or maybe they don't want -- they're trying to prevent something like the double spend problem.

Dave Bittner: Yeah.

Joe Carrigan: You get your money back fraudulent -- fraudulently.

Dave Bittner: Right, right. Perhaps it would cause more problems than it solves.

Joe Carrigan: Right.

Dave Bittner: I don't know.

Joe Carrigan: Yeah. We're not bankers.

Dave Bittner: Sure seems like we could do better than we are doing now --

Joe Carrigan: I would agree.

Dave Bittner: Particularly when we see folks having these sorts of problems. So it's really a heartbreaking story. I mean, I suppose it's good that -- several good things here. I mean, she -- she's not destitute.

Joe Carrigan: Right.

Dave Bittner: Seems as though she got something back from the bank.

Joe Carrigan: Yep.

Dave Bittner: We'll never know what that is. And she's sharing her story.

Joe Carrigan: Yeah. That's really important. Marjorie, thank you very much for sharing your story. I don't know if you ever -- you'll ever hear this, but this is important to do. This is something I say frequently. You're not the only person that falls for this. You're not the only person that can fall for this.

Dave Bittner: Yeah.

Joe Carrigan: In fact, the people that can fall for this is everybody. There's something out there that works on everybody.

Dave Bittner: Yeah.

Joe Carrigan: And, you know, I've been saying that since we started this show. And one of the things I told myself I would never say is, I would never fall for any of these things.

Dave Bittner: Right.

Joe Carrigan: In fact, what I did was the opposite. And I've even identified this in the -- in this podcast of things that would work on me.

Dave Bittner: Yeah.

Joe Carrigan: Things that -- there's something that would work on me.

Dave Bittner: Yeah. Nobody's immune.

Joe Carrigan: Yeah. Nobody's immune.

Dave Bittner: Right.

Joe Carrigan: The problem here is that, when you get this alert coming up on your -- on your computer and then you call the number, and then they say, Oh, there's also a, a financial transaction happening at your bank. And they transfer you to somebody else who goes, Oh, yes. Now you're panicking, and you're not thinking clearly. And that's what their objective is. Their objective is to scare the bejesus out of you --

Dave Bittner: That's right.

Joe Carrigan: -- so that you do whatever they say.

Dave Bittner: Yeah. They use the term of art in here, something with your amygdala. They refer to, like, short-circuiting your amygdala, which is the part of your brain that handles rational thought.

Joe Carrigan: No, no. The amygdala is not -- the amygdala is down at the base of your brain.

Dave Bittner: Oh. So it's the opposite of that.

Joe Carrigan: It's the opposite of that.

Dave Bittner: So they're stimulating your amygdala.

Joe Carrigan: Yeah. Exactly.

Dave Bittner: Okay.

Joe Carrigan: What they're trying to induce is called cognitive narrowing.

Dave Bittner: Okay.

Joe Carrigan: And what happens is you perceive a threat, and immediately your -- your amygdala fires off. And it starts up the fight or flight response that dumps adrenaline into your bloodstream or signals your adrenal glands to dump adrenaline into your bloodstream.

Dave Bittner: Yeah.

Joe Carrigan: You'll actually start breathing heavier, and your heart will race. That's from the amygdala.

Dave Bittner: Oh.

Joe Carrigan: And the amygdala is actually really, really, really fast and really, really, really good at processing threats. If that threat is a bear in the woods, that's excellent, right, because it says, Okay. I'm going to run away from this bear.

Dave Bittner: Yeah.

Joe Carrigan: And that's why we've lived as long as we have as a species. But when somebody scares you and says your money is about to go away, the same thing happens. And you need to just take a breath, calm down, and step back. And so wait a minute. This isn't how this works. It's very difficult to do when you're in that situation, when you're in the condition.

Dave Bittner: Yeah.

Joe Carrigan: You know, the best thing to do in any of these situations is hang up and directly call your bank and go, Look. There's somebody trying to scam me out of money. Lock my accounts down, please.

Dave Bittner: Right.

Joe Carrigan: Call your bank at the number that you know is good. Do not call the bank on any number that anybody on an inbound phone call gives you.

Dave Bittner: Right.

Joe Carrigan: Look up the number and call it.

Dave Bittner: Right. All right. Well, we will have a link to this story in the show notes. This is -- this article is particularly good in the amount of details that it shares here.

Joe Carrigan: Yeah. It's nice.

Dave Bittner: Very often these sorts of reporting on scams are just kind of at the surface levels. But this goes into some depth. So --

Joe Carrigan: Yeah. Marjorie put a lot of time into giving her -- sharing her story here.

Dave Bittner: Yeah.

Joe Carrigan: So thank you, Marjorie.

Dave Bittner: I would recommend you check it out. This is a good one to sort of spread around with your friends and loved ones, too, because there's a lot of good stuff in here.

Joe Carrigan: Yeah.

Dave Bittner: All right, Joe. It is time to move on to our catch of the day. [ Soundbite of reeling in fishing line ]

Joe Carrigan: Dave, our catch of the day comes from Damian. The subject of this email is just, Attention. And I'm just going to let you read it because it's fantastic.

Dave Bittner: All right. It says Hello. Greetings from the Federal Reserve Bank of USA. I am Mr. Jerome H. Powell from the Federal Reserve Bank of USA. I am here to deliver your ATM card of 16.7 USD, which has been in our office since last week.

Joe Carrigan: Dave.

Dave Bittner: Yeah.

Joe Carrigan: You missed a very important word there.

Dave Bittner: What did I -- oh.

Joe Carrigan: Sixteen point seven million USD.

Dave Bittner: Oh. I'm sorry. To deliver your ATM card of 16.7 million USD, which has been in our office since last week. And there's one man that came to my office and said, You are dead, that he's your next of kin. He came to claim your ATM card from us, and I said no, that I will text you first and confirm that you are dead. What?

Joe Carrigan: Are you dead?

Dave Bittner: Really. Yeah.

Joe Carrigan: Okay.

Dave Bittner: Right. All right. Logic. Because the man is still on my office right now keep saying that you are dead, that he wanted to claim your ATM card from us. So if you know that you are not dead, kindly get back to me with your full information so that I can confirm your ATM card immediately with your information like these. Okay.

Joe Carrigan: And then it asks for full name, home address, ID card, occupation, cell number, and country.

Dave Bittner: This is like in elementary school and the teacher would say, Everybody who's not here, raise your hand, right?

Joe Carrigan: Exactly.

Dave Bittner: Yeah.

Joe Carrigan: This was great. When Damian sent this along, he actually sent -- forwarded the email that he received. And the -- all the emails this was sent to were just in the CC field. And they all started with a D. And Damian postulated, maybe the spammer only had enough money to pay for the letter D for the mail.

Dave Bittner: Right, right.

Joe Carrigan: I think -- I think what's happening is that that's just one of many emails that went out.

Dave Bittner: It's just one long run-on sentence. I mean, it's bonkers.

Joe Carrigan: It is. That's -- that's another great thing about it.

Dave Bittner: Yeah, yeah.

Joe Carrigan: And, you know, it -- correct. Jerome Powell is currently the head of the Federal Reserve Bank. So --

Dave Bittner: So they got that bit of detail right.

Joe Carrigan: But that's --

Dave Bittner: Punctuation is still a challenge.

Joe Carrigan: Yeah. Not their strong suit.

Dave Bittner: Yeah. All right. Well, thank you, Damian, for sending that in.

Joe Carrigan: It's a good one.

Dave Bittner: And, again, we would love to hear from you. You can email us at hackinghumans@n2k.com. Joe, I recently had the pleasure of speaking with Joseph Oregon. He is the chief of cybersecurity for CISA in their area Region 9. And our conversation focuses on a recent tabletop exercise that CISA had with the NFL about protecting the Super Bowl. Here's my conversation with Joseph Oregon.

Joseph Oregon: So I think we're -- as we look at it, you know, as we kind of describe, you know, some of the needs for a tabletop exercise, and I think, if I can, I'm just going to kind of talk through just a little bit of what is a tabletop exercise so you can kind of see the importance and the value that it adds to our partners like the NFL and other -- and other organizations around the United States. So a tabletop exercise, in a nutshell, it's an informational kind of a discussion-based walkthrough of different scenarios, and they're created or customized by us, by CISA, to help stakeholders address their roles and responsibilities during a specific incident. So, as an example, we may help stakeholders by creating a scenario which helps them walk through how they would respond to a ransomware incident or maybe even an incident response plan or a physical incident at their location. So I take a moment just to highlight that these -- that this resource and the fact that CISA's regional offices and our headquarters elements have decided -- or have dedicated professionals who help craft tabletop exercises for partners is for free, right, and something that a lot of organizations, whether they're public or private, kind of leverage because it comes with a lot of benefits. We have an actual team that will work with organizations, that will actually deploy out to a location, help them walk through the scenario. We try to look at it from a humble approach. So we're -- we help facilitate, but we actually -- we take our cues from those partners. So the NFL is one of such partners who reached out to CISA. And because of their involvement with the Super Bowl and -- and other various events, they partnered with CISA in order to kind of put on a tabletop exercise that not only covers what they do within the NFL to manage particular incidents but also to understand what private sector and public sector entities in the location of their event, how they manage an incident. 
So, really, it's this huge collaboration as an example of -- of private and public sector entities that are coming together and walking through a -- you know, this tabletop exercise. And to your initial point, David, it's -- with regards to, you know, why -- you know, why did they approach CISA, and it's more so as looking at as a collaborative, a collaborative relationship, right. They're -- they know that we -- that we are a government -- you know, that we are a government agency. And that's the operational lead for federal cybersecurity and national coordination for critical infrastructure security and resilience. Knowing that, they want to make sure that, you know, they're kind of checking the boxes, as well, and kind of understand the processes from a federal government perspective. And so they reach out, and they work with us and work with the local partners there to kind of get involved and provide that assistance -- or not assistance, rather, but provide that awareness of the events and what they look for as it pertains to security and security scenarios that they can walk through with both public and private sector.

Dave Bittner: What sort of insights can you share with us about how this tabletop proceeded?

Joseph Oregon: You know, I think it's -- what's important is that, as we kind of look at it, we did this exercise because we kind of like share a responsibility to secure a large event, right, for both the American people and the international friends that we have participating in these events. So at CISA we also understand that these events are supported by critical infrastructure. So we find it imperative that we work with various partners to ensure we understand the risk and help our partners plan accordingly, right. So I think they, in a collaborative approach, are -- were open to discussing with CISA and other agencies and whether they're local, whether local agencies or even private sector or industry partners to kind of -- to have this moment of collaboration and just kind of work into scenarios how we would exercise certain processes in order to mitigate or prevent any type of risk.

Dave Bittner: Yeah. It strikes me that an event like the Super Bowl, it touches so many different things. You know, there's -- obviously there's the event itself. And there's people there, and so we have to look out for their safety. But, you know, there's the stadium, which requires electricity. And there's transportation. And there's points of national pride where, you know, we could imagine our adversaries wanting to take advantage of the -- of how widely viewed this is. Can you give us an idea of what goes into planning when you have something of this massive scope like the Super Bowl? It's hard for me to imagine anything larger or more high profile.

Joseph Oregon: Yeah. Great question, David. And, as we kind of look at our -- you know, our responsibilities and -- and CISA is a very unique agency. And, as I mentioned just a second ago, you know, we're -- we are the agency that is the operational lead for federal cybersecurity. And, at that, we're a coordinator for critical infrastructure security and resilience. So, as we -- as we kind of provide those resources and those services, we do a significant amount of outreach. More and more partners leverage CISA and our resources in order to provide -- you know, to provide additional value to mitigating risk within their organizations or their locations. So, with that being said, a lot of our -- a lot of our agency has decentralized from Washington, DC; and now we have 10 regional offices throughout the United States. And what's interesting about these regional offices is that the disciplines that reside within those regional offices touch on cybersecurity. They touch on physical security, chemical security, and emergency communications. And we do a significant amount of collaboration within our particular region. So, as an example, CISA Region 9 is responsible -- we're responsible for the states of California, Arizona, Nevada, Hawaii, and the entire Pacific. With that being said, we have a number of physical, cybersecurity, and emergency communication advisors, as well as chemical security advisors, all deployed to the -- what we say the field, or deployed out into different states and counties and cities. They're typically -- they're typically employees that we've hired into the federal government from those local areas that have great connections and have the education and -- and certifications required to maintain relationships with different private sector and public sector entities. Those -- that collaboration and that relationship has allowed us to message the importance of collaboration. 
So, when we're looking at these types of events, you can -- it's kind of quickly understood the value that an agency would bring in providing, you know, additional assistance, additional visibility, additional information and an understanding of what we're seeing trending as a potential risk throughout the United States. That added value to an organization, whether private or industry, speaks for itself, right, especially in the -- in the nature that we're dealing with the threat landscape we have been, both on the cyber and physical side, for a number of years now. So I think we're -- you know, as we're looking at those partner sets, they become that much more attracted to working with our agency and collaborating with other private sector partners. And as it pertains to these types of events or are working very closely in order to mitigate risk, there's definitely a -- there's definitely a collaborative approach that -- that's very attractive for all partners. And, hence, I think we're -- we get a good showing when we have these types of events with the private and public sector where we have a -- we have an event where we can cross-collaborate.

Dave Bittner: What's your message to folks who aren't operating at the scale or level of someone like the NFL, you know, an organization that's in, you know, one of the 50 states and perhaps has a manufacturing facility or, you know, something of moderate scale, think that they may want to reach out and start a relationship with CISA. Is that something that you're looking to encourage?

Joseph Oregon: Oh, we encourage it all the time. And the fact that we work with -- for this example that we used earlier with the NFL, we work with organizations that vary in all kinds of sizes, whether they're private or public. We work through -- you know, through K-12 and cities and counties. We work with critical infrastructure such as water and wastewater. We work with a number of state partners as well as private sector partners. So, as we look at smaller organizations that are looking to leverage resources that the federal government provides for free, such as, in this case, a tabletop exercise, we facilitate those resources and -- and to our partner sets across the board. So we heavily encourage our partners, if they're interested, to definitely reach out to the CISA reps that we do have in the field. Or they can go to our website at CISA.gov, identify who those points of contact might be in their respective state. I'd like to make a quick note that we're going into Cyber Awareness Month. So, on September 29, today, CISA officially kicks off our 20th Cybersecurity Awareness Month. So throughout October, the month of October, CISA and our cooperative agreement recipients, the National Cybersecurity Alliance, will focus on ways to secure our world. We educate individuals and organizations on how to stay safe online. So this is a collaborative effort between government and industry to enhance cybersecurity awareness on a national and global scale. We're trying to build off of last year's message, that is, using strong passwords and password managers; turning on multifactor authentication; recognizing and reporting phishing; and, finally, updating software. So we're building off that strong message. And as we look at CISA, what we're trying to do is help shape behavior and behavioral change by adopting and improving ongoing cybersecurity habits that reduce risk while online or on a connected device. 
So I would encourage our stakeholders, our partners, the listeners to find out more about Cybersecurity Awareness Month. That's CISA.gov/cybersecurity-awareness-month. And, with that being said, David, that's what I would like to get out to the team or to the listeners. So thank you very much for this opportunity. We are very appreciative for your time.

Dave Bittner: Joe, what do you think?

Joe Carrigan: I liked that Joseph starts this discussion with a definition of the tabletop exercise. It gives you an outline of what it is and what goes on there.

Dave Bittner: Right.

Joe Carrigan: That's helpful. Also good to hear that CISA will coordinate these and do them for free with you, at least if you're the NFL.

Dave Bittner: If you're the NFL. Yeah. If you -- if you're the organization running the single most watched sporting event in the nation.

Joe Carrigan: Right. Yeah, nationally. And large, large audience globally as well.

Dave Bittner: Sure. Sure.

Joe Carrigan: Practicing for an incident is important. You need to do this with some kind of outside organization running the tabletop exercise, whether that be CISA or some contractors skilled in this type of thing.

Dave Bittner: Yeah. I would say that, if you are part of the cybersecurity leadership at a large organization, you need to be doing this two times a year at least. That would be my estimate. What do I know, though.

Joe Carrigan: The NFL tends to have -- tends to have these large events, right --

Dave Bittner: Sure.

Joe Carrigan: -- like the Super Bowl, which is a great example. It's a high profile event. Like you said, it's viewed by lots of people.

Dave Bittner: Yeah.

Joe Carrigan: But it's not just that. Every week, there are 15 to 16 games. And there are cameras on all of it. You know, the NFL is above everything else an entertainment organization. You know, that's -- that's where they make their bread and butter. The fact that they have people locked into this sport that sit there and watch the TV religiously every Sunday --

Dave Bittner: Yeah.

Joe Carrigan: -- or Monday or Thursday. And I'll confess that -- that I have family members that do this.

Dave Bittner: Yeah. Me too.

Joe Carrigan: And I'll also confess that I have other sports that I'm like that with, right. Like, I'm not missing any of the Rugby World Cup games this weekend.

Dave Bittner: All right.

Joe Carrigan: So just the number of eyeballs on -- on the TV screen or in person makes all of these games a target for some kind of attack, right? And if you think of that giant -- imagine if I gained control of that giant TV in AT&T Stadium in Dallas. My wife has actually been to a game in Dallas. And one of the things she said was, I couldn't look away from the TV. Or I had to force myself to look away from the big giant TV and watch the field, watch the game on the field because, I mean, this thing is huge, Dave.

Dave Bittner: Right.

Joe Carrigan: I don't know if you've ever seen it, but --

Dave Bittner: I've only seen it on TV. Yeah.

Joe Carrigan: My wife says it's imposing. I didn't go to the game with her because I didn't want to pay $350 for a ticket to go see a game.

Dave Bittner: Okay.

Joe Carrigan: Not a football game anyway.

Dave Bittner: Right.

Joe Carrigan: I'd pay that for a rugby game. Who knows? One day I might do that. Anyway, the stadium holds 80,000 people.

Dave Bittner: Yeah.

Joe Carrigan: And with a screen that you can't keep your eyes off of, imagine how, well, humorous it would be. Let's say it's a mischievous prank, right, not something horrible. If -- if something funny were to start playing on that, that the NFL or the Dallas Cowboys didn't endorse, right, somebody got control of that, you wouldn't be able to look away from it. You wouldn't be able to get it off camera. You know, you couldn't do any of the wide field shots because that screen is always on camera. I mean, it's a great target.

Dave Bittner: Yeah.

Joe Carrigan: So, yeah. Run these kinds of exercises like this. Understand what's going to happen. I liked that Joseph was talking about how they build relationships with these organizations so that other organizations can use them when they need them. It's -- it's -- it seems to me like he's doing a really good job of networking all these different people and groups together.

Dave Bittner: Right.

Joe Carrigan: And, by the way, Dave, that was a good question you asked about, smaller organizations, small- to medium-sized organizations. And Joseph says he welcomes them to reach out to CISA as well. I mean, maybe they don't have the resources to do a tabletop exercise with everybody, but they probably have some kind of resource you can use at some level.

Dave Bittner: Yeah. And they also -- they also want to be able to track the incident. So even if they can't handle your situation personally or whatever, you know, it's never a bad thing to have a relationship with these organizations.

Joe Carrigan: Yeah. And the big thing about CISA is they are the left of boom organization, you know.

Dave Bittner: Right.

Joe Carrigan: They want to help you prevent these kinds of attacks from happening.

Dave Bittner: Yeah.

Joe Carrigan: Or to be prepared for when they do happen. A lot of times, once you experience an event, that's not when you call CISA. That's when you call law enforcement.

Dave Bittner: Right, right.

Joe Carrigan: But you call CISA to help you prevent that event or to prepare for that event.

Dave Bittner: Yeah. And certainly, when it comes to the federal government, CISA is leading that charge and by all accounts doing a good job.

Joe Carrigan: Yeah. It's one of the things that is going well.

Dave Bittner: Yeah. All right. Well, again, our thanks to Joseph Oregon for joining us. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. The show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.