Shielding your inbox.
Seth Blank: Email's front door has been wide open, and what we're saying now is you require a front door. There's many other security things you need to do at home. But first -- have a door and lock the door and manage the security with that key.
Dave Bittner: Greetings to all and a warm welcome to the "Hacking Humans" podcast brought to you by the CyberWire. Each week we delve into the world of social engineering scams, phishing plots, and criminal activities that are grabbing headlines and causing significant harm to organizations all over the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: We've got some good stories to share this week. And later in the show my conversation with Seth Blank. He is Chief Technology Officer at Valimail. We're talking about email security. All right, Joe. Before we dig in here, we have a little bit of followup. What have we got?
Joe Carrigan: Yes. First, Blunt and Horwitz from The Wall Street Journal are reporting that New Mexico's Attorney General, Raul Torrez, is suing Meta --
Dave Bittner: Hmm.
Joe Carrigan: -- basically saying that Instagram recommended sexual content to underage users. This is a followup from our last story -- last week's story, actually both from Blunt and Horwitz as well.
Dave Bittner: Okay.
Joe Carrigan: He's saying that Instagram recommended sexual content to underage users and promoted minor accounts to apparent child predators.
Dave Bittner: Wow.
Joe Carrigan: The suit holds Zuckerberg personally responsible --
Dave Bittner: Hmm.
Joe Carrigan: -- for decisions that put kids at risk. Now Torrez is a former prosecutor of cases that were like internet crimes against children.
Dave Bittner: Okay.
Joe Carrigan: And he says that Meta has both hidden the scales -- the scale and the dangers that children face on the platform, and failed to address even obvious sex trafficking.
Dave Bittner: Wow! That's quite an allegation.
Joe Carrigan: Yeah. So I put a link in -- we'll put a link in the show notes to the next Wall Street article about this, but at -- at least one Attorney General is coming down on this -- what we were talking about last week, not just the -- you know, the marketing to kids and exploiting their psychology.
Dave Bittner: Yeah, and it's just -- do you know offhand if this is criminal or civil that they're coming after?
Joe Carrigan: It is civil.
Dave Bittner: Okay.
Joe Carrigan: It is civil. That -- that is one of the things that's clear in the -- in the article. It's a civil case.
Dave Bittner: Okay. Wow.
Joe Carrigan: And the next thing I wanted to talk about, Dave. They almost got me again, Dave. They almost got me.
Dave Bittner: Okay.
Joe Carrigan: Here's a story from my person -- personal events. I don't know if you are a subscriber to Peacock. Are you a subscriber to Peacock?
Dave Bittner: I have no idea. For the -- you know, there's so many of them --
Joe Carrigan: Right.
Dave Bittner: -- and they're changing their names and they're merging and they're splitting apart and --
Joe Carrigan: Soon they're going to be bundling, Dave. I've heard that, too.
Dave Bittner: Great.
Joe Carrigan: Yeah, wonderful. Back to the cable providers, but only now they're on the internet.
Dave Bittner: Exactly.
Joe Carrigan: Right.
Dave Bittner: Exactly.
Joe Carrigan: So what happened is I got this email. You know what? Let me -- let me even pull the email up for you.
Dave Bittner: Okay.
Joe Carrigan: And I'll show it to you.
Dave Bittner: Yeah.
Joe Carrigan: There it is, Dave. If you look through my little tank window here you'll see --
Dave Bittner: Oh, yeah.
Joe Carrigan: -- it --
Dave Bittner: Right. Your membership has expired. That looks legit.
Joe Carrigan: Right. It does. Now here's the thing. I've recently had -- had to cancel a couple of credit cards. Remember last when I -- or a couple weeks ago I talked about how they actually did get me --
Dave Bittner: Yeah.
Joe Carrigan: -- with -- and I had to cancel a -- a Capital One credit card. And I was thinking to myself -- did I have my Peacock coming out of my Capital One credit card? And I started to get the -- I started -- I moused over this thing that says "Extend for Free." And I'm like -- wait a minute, because here it says, "But for part -- as part of our loyalty program, you can now extend for 90 days free." That was my red flag because I was, like, wait a minute. That doesn't sound like something Peacock would do. And sure enough then I look at the -- the "From" address and it's from some rando on the internet.
Dave Bittner: Yeah.
Joe Carrigan: And it is -- it is a phishing email.
Dave Bittner: Okay.
Joe Carrigan: I did not click the link, Dave --
Dave Bittner: All right.
Joe Carrigan: -- which will feed into my story today.
Dave Bittner: Well that -- feeds into my story as well.
Joe Carrigan: Okay.
Dave Bittner: All right. So speaking of which, I'm going to kick things off for us with our stories this week. And my story actually comes from Cybernews --
Joe Carrigan: Mm-hmm.
Dave Bittner: -- and it is about an email brand impersonation attack and this is focusing on Disney Plus.
Joe Carrigan: Hmm.
Dave Bittner: So do you have Disney Plus?
Joe Carrigan: I do.
Dave Bittner: I do, too. Yeah. I -- I -- that's where all the Star Wars stuff is.
Joe Carrigan: And the Bluey stuff, Dave.
Dave Bittner: And the Muppets stuff.
Joe Carrigan: Right. The Muppets stuff.
Dave Bittner: And the Marvel stuff.
Joe Carrigan: Yes.
Dave Bittner: But mostly they -- you know, they had me at Star Wars and also Muppets and all the other stuff -- yeah. So there's lots of stuff on Disney Plus for my family. So this story focuses on an analysis by the folks at Abnormal Security, which is a security company with a fun name.
Joe Carrigan: Mm-hmm.
Dave Bittner: And what they tracked here was that -- there are highly personalized emails and a lot of attention to detail which is making these emails hard to identify just -- just like the one you pointed out with -- with --
Joe Carrigan: Peacock.
Dave Bittner: -- Peacock, yeah.
Joe Carrigan: Yeah. My email -- that email was, I think, a random email that just so happened to line up with me --
Dave Bittner: Yeah.
Joe Carrigan: -- and my situation --
Dave Bittner: Okay.
Joe Carrigan: -- which I think -- yeah, I didn't actually mention that but that -- that's why it almost worked on me because I have Peacock and I've recently canceled two credit cards.
Dave Bittner: Right.
Joe Carrigan: So --
Dave Bittner: So what this does is it emails the recipient. It talks about a pending charge for a new Disney Plus subscription. It indicates that they will be billed automatically with an option to contact support if it's an unauthorized sort of thing. But what's interesting here is that it's quite personalized. Each of the emails had a PDF attachment and the PDF was personalized with the recipient's name.
Joe Carrigan: Hmm.
Dave Bittner: And a charge of $49.99 which is way higher than a Disney Plus subscription fee.
Joe Carrigan: Yes.
Dave Bittner: So I suppose that's there to -- it's a large enough amount that it's going to attract your attention.
Joe Carrigan: Right.
Dave Bittner: Probably even if you have Disney Plus, you're going to go, "What!??" Wait a minute!
Joe Carrigan: What streaming service costs this much?
Dave Bittner: Right. Exactly. Of course, there's a customer support phone number that's in the PDF which, of course, does not go to Disney.
Joe Carrigan: No, it does not.
Dave Bittner: So when -- when you go to the site, if you click through, they're looking for information like your banking details, login credentials, and they'll actually also provide instructions to download some software which could lead to malware infection.
Joe Carrigan: Really!
Dave Bittner: Yeah. Yeah.
Joe Carrigan: These guys are distributing malware, too --
Dave Bittner: Right.
Joe Carrigan: -- the fiends.
Dave Bittner: Yeah. So they said that it was a legitimate-looking sender email that was similar to the actual Disney Plus address. You know, I would imagine that Disney having that Plus in the name makes it easier to come up with email addresses that look legit.
Joe Carrigan: Yes.
Dave Bittner: Like, you could put the Plus before the word Disney and I bet a lot of people would just think it's Disney -- oh, look, isn't that clever the way Disney Plus puts the Plus before the name. You know?
Joe Carrigan: -- Polish notation, they call it.
Dave Bittner: What's that?
Joe Carrigan: Reverse Polish notation.
Dave Bittner: Oh! All right. I did not know that.
Joe Carrigan: It's a math thing. You have to learn it for building compilers and using those HP calculators. Remember the HP calculators?
Dave Bittner: Yes, yes.
Joe Carrigan: -- use reverse Polish notation.
Dave Bittner: Yes. All right. My -- my -- college roommate was an electrical engineer and he had one of those HP calculators.
Joe Carrigan: Right.
Dave Bittner: Did some fun things with it. The email uses Disney Plus's branding and colors. They point out that there's no language errors in this. And, of course, we've talked about in this era of large language models, that's probably going to be a thing of the past.
Joe Carrigan: Yup.
Dave Bittner: They are also tracking some variations in the language of the email, and it seemed like they were testing different versions to see what was most effective.
Joe Carrigan: Really.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Like A/B testing.
Dave Bittner: Exactly. Exactly. So, again, the folks at Abnormal Security, they're just reminding everybody that this sort of thing -- brand impersonation -- is very common. In fact, they had tracked 265 different brands who were impersonated in credential phishing attacks in a six-month period back in 2022 in their own research. So -- and it's only getting worse.
Joe Carrigan: Yes.
Dave Bittner: So -- you know, recommendations here. Vigilance, of course.
Joe Carrigan: Vigilance. Yeah. Don't -- don't click the link which is going to be the theme of my -- my discussion.
Dave Bittner: Right. And if someone gives you a phone number, don't assume that that phone number is correct for customer support.
Joe Carrigan: Look up the phone number for Disney Plus support.
Dave Bittner: Yeah. Yeah. Look it up online.
Joe Carrigan: Right.
Dave Bittner: Yeah. But other than that, I think it's pretty straightforward here. Just a standard phishing kind of thing where they're trying to get your -- trying to get your info and it -- it is interesting how sophisticated this one is and that they're also trying to drop some malware on your machine. So --
Joe Carrigan: Yeah.
Dave Bittner: -- extra vigilance.
Joe Carrigan: Yeah.
Dave Bittner: But this was the first time that Abnormal, anyway, had seen someone trying to impersonate Disney Plus --
Joe Carrigan: Hmm.
Dave Bittner: -- so keep an eye out. Spread the word. All right. That's what I've got. Joe, what have you got for us this week?
Joe Carrigan: Dave, my story comes from the Department of Justice, justice.gov.
Dave Bittner: Mm.
Joe Carrigan: Right?
Dave Bittner: Mm-hmm.
Joe Carrigan: And this is the U.S. Attorney's Office, the FBI, and the local and state law enforcement officials release second "Don't click December" PSA. Now this is based out of the -- the Idaho region of the Boise -- you know, the Boise office of the Department of Justice and FBI --
Dave Bittner: Uh-huh.
Joe Carrigan: -- and U.S. Attorney Josh Hurwit is the -- the guy who's in charge out there --
Dave Bittner: Okay.
Joe Carrigan: -- of -- of the domain. Now they have a -- a video here of what not to click. Right? But I like -- I wanted to highlight this one because one of the things that came out of my recent -- the recent survey that we've done is we've gotten a little -- a little bit of attention here in Maryland --
Dave Bittner: Okay.
Joe Carrigan: -- from some -- some people in the Maryland government. And we were actually starting to think about -- how do we convey something simple like "Give a Hoot, Don't Pollute," right?
Dave Bittner: Yeah.
Joe Carrigan: Or "Only You Can Prevent Forest Fires." But in cybersecurity terms. And I think this idea of "Don't click December" is a pretty good idea.
Dave Bittner: Hmm.
Joe Carrigan: Now they're focusing here on package delivery scams.
Dave Bittner: Yeah.
Joe Carrigan: And they have -- I think the Sheriff -- one of the local Sheriffs is standing there, goes I get these things all the time. No, don't click on the link and don't call the number that they give you.
Dave Bittner: Okay. So when you say a package delivery scam, you're saying someone contacts you and says we've got a package for you. Click here to find out.
Joe Carrigan: Right. You get a text message or you get an email.
Dave Bittner: Okay.
Joe Carrigan: Right? And I'm going to say text message and email, and I'm not going to say smishing and phishing.
Dave Bittner: Okay. Fair enough.
Joe Carrigan: Although phishing -- pretty good understanding.
Dave Bittner: Yeah.
Joe Carrigan: But you get a text message. You get -- you get an email. You might get a phone call that says --
Dave Bittner: Oh!
Joe Carrigan: -- hey! We can't deliver this package. We need a package delivery fee.
Dave Bittner: Mm-hmm.
Joe Carrigan: This is the United States Postal Service. Right? And we have a package for you. This, again, falls in line with the -- the -- the criminal calendar that, you know, they all have on their wall, Dave. I -- I envision it. Right now, because we're in December here, that it's -- it's package delivery and Christmas charity scams -- all those kind of things are going on right now.
Dave Bittner: Right.
Joe Carrigan: As soon as this holiday season is over, it's time for the tax fraud.
Dave Bittner: Yeah.
Joe Carrigan: That's what's next.
Dave Bittner: Yeah.
Joe Carrigan: But I really like the idea of "Don't click December."
Dave Bittner: Hmm.
Joe Carrigan: I would like something that was more universal, that would last throughout the entire year.
Dave Bittner: Mm.
Joe Carrigan: And I'm going to be thinking about that along with some other people much smarter than I am.
Dave Bittner: Some of your colleagues at Hopkins?
Joe Carrigan: Yes. Yes.
Dave Bittner: Okay.
Joe Carrigan: I like to think of myself as Hopkins' village idiot.
Dave Bittner: Well, you should check with some of your students, the ones who actually had to apply to get into Hopkins, so --
Joe Carrigan: Well, actually, one of the people that I was presenting with just this week at CyberMaryland was one of our students.
Dave Bittner: Okay.
Joe Carrigan: A very sharp -- very sharp young woman.
Dave Bittner: Yeah.
Joe Carrigan: And the thing I like about this "Don't click December" is that it -- it kind of goes along with other things like "No Shave November."
Dave Bittner: Right.
Joe Carrigan: Right?
Dave Bittner: Right.
Joe Carrigan: And "Dry January."
Dave Bittner: Okay, yeah, yeah.
Joe Carrigan: Which some people say I'm going to abstain from drinking for all of January because I overdid it during the holiday season.
Dave Bittner: Okay.
Joe Carrigan: By the way, that's not anything I've ever participated in.
Dave Bittner: Okay.
Joe Carrigan: But -- at least not recently, anyway. I mean, I may have gone a couple Januarys without drinking just because.
Dave Bittner: Not on purpose.
Joe Carrigan: Not on purpose.
Dave Bittner: It just worked out that way.
Joe Carrigan: Right.
Dave Bittner: Yeah.
Joe Carrigan: I like the idea of -- of what's going on here. I will say this, though. The actual PSA that was released and put out on YouTube -- kind of dry.
Dave Bittner: Okay.
Joe Carrigan: Kind of dry. I'd like a little more punch in my PSA for this.
Dave Bittner: Yeah.
Joe Carrigan: For -- so -- I mean, really, this is just law enforcement standing there telling you don't click on the link. Make sure you call a verified number. And then the Attorney General of -- from -- from this district, this Josh Hurwit is standing there talking and -- and, you know, everybody is fine in what they're saying and they're articulating it well.
Dave Bittner: Yeah.
Joe Carrigan: It's just that it's not very memorable.
Dave Bittner: Okay.
Joe Carrigan: It doesn't stick with me.
Dave Bittner: You know, my wife often reminds me that -- that she -- as a marketing person herself, she believes that we really need to come up with a better term than "social engineering."
Joe Carrigan: Yeah. Oh, I -- I -- whoo! Your wife is on Joe's page right here. I was talking about this at the conference just -- just yesterday when we were speaking.
Dave Bittner: Yeah.
Joe Carrigan: We had a question -- what is social -- social engineering in a cybersecurity context?
Dave Bittner: Right.
Joe Carrigan: And there were four possible answers plus "I don't know." And only 25% of the people got it right.
Dave Bittner: Wow!
Joe Carrigan: Which means it's a little bit better than guessing. Right?
Dave Bittner: Right. Right.
Joe Carrigan: Which, to me, says yeah, this is a terrible term.
Dave Bittner: Yeah.
Joe Carrigan: And you and I have talked about the jargon in this -- in our industry --
Dave Bittner: Oh, yeah.
Joe Carrigan: -- many times, and I was pontificating about this up on the panel discussion yesterday.
Dave Bittner: Uh-huh.
Joe Carrigan: And I was saying this -- this needs to change. We need to have something that does a -- a better job of communicating what we're talking about. We can't, as security professionals, go up and say, "You need to watch out for social engineering attacks!" Right?
Dave Bittner: Yeah.
Joe Carrigan: People go, well, okay, what's that? And -- and -- but they think that, but they never say it. They'll never say it.
Dave Bittner: She thought "computer cons" was a good one.
Joe Carrigan: Computer cons would be a good one.
Dave Bittner: Has a little bit of alliteration there.
Joe Carrigan: Yup.
Dave Bittner: So I would put -- put this out to our listeners. If there's a particularly good one that you've heard --
Joe Carrigan: We have had a listener write in with "digital scams."
Dave Bittner: Oh, yeah, yeah, yeah. That's -- that's a good one. That's a good one. But if --
Joe Carrigan: Digital cons. Digital cons.
Dave Bittner: But if any of you want to submit some, we'd love to share them. If you -- if there's any good ones you've heard or you can come up with one that you think is catchy and easier to understand --
Joe Carrigan: Right.
Dave Bittner: -- let us know.
Joe Carrigan: Okay. So computer cons and digital cons are already taken.
Dave Bittner: That's right. So no points for those.
Joe Carrigan: Something better than that.
Dave Bittner: Yeah. Yeah.
Joe Carrigan: Send it in. We'd love to hear it.
Dave Bittner: Yeah.
Joe Carrigan: I'll -- I'll -- hey, maybe you can be part of a PSA campaign.
Dave Bittner: There you go.
Joe Carrigan: You'll be compensated nothing.
Dave Bittner: I think of those -- think of those -- the commercials from the original Ghostbusters movie. You know where they're, like, we're here to believe you.
Joe Carrigan: Right.
Dave Bittner: You know, that sort of thing.
Joe Carrigan: "Do you experience feelings of dread in your attic or basement?"
Dave Bittner: Right. Right.
Joe Carrigan: Why is it I can pull that line right out of my head?
Dave Bittner: I don't know! Ah -- all right. Is that it, Joe?
Joe Carrigan: That's it!
Dave Bittner: All right.
Joe Carrigan: I think it's a great -- great idea. I think it's -- it's wonderful. I think the "Don't click December" is a great marketing scam -- or marketing scam! Marketing --
Dave Bittner: Scam!
Joe Carrigan: -- marketing piece. I think that's really good. It's bite size.
Dave Bittner: Yeah!
Joe Carrigan: People can remember it. I just think that the PSA was a little dry.
Dave Bittner: Right. And then come January, click on everything.
Joe Carrigan: Right. No, don't do that!
Dave Bittner: You're going to have all this pent up clicking, Joe.
Joe Carrigan: Right.
Dave Bittner: You're -- you're -- you're going to have an itchy clicking finger. You're going to want to click on --
Joe Carrigan: Itchy clicking finger.
Dave Bittner: -- yeah. Oh! Spent the whole -- the whole month of December not clicking anything. I've got to click everything.
Joe Carrigan: Yes. Go -- go play a game that has a lot of clicking in it.
Dave Bittner: Oh, that's a good idea. All right. All right. Well, again, we would love to hear from you. Our email address is hackinghumans@n2k.com. Joe, it's time to move on to our "Catch of the Day." [ Soundbite of Reeling in Fishing Line ]
Joe Carrigan: Dave, our "Catch of the Day" comes from Mauricio who writes, "Dave and Joe, I listen to your great show every week. Love the discussion and tips. Keep up the good work. I got this phishing email, apparently via PayPal."
Dave Bittner: Hmm.
Joe Carrigan: "I'm sure I do not know a person -- this person, let alone bought anything for $600. After this email I got two more the same day prompting me for a response. Obviously, I ignored them. Good luck with your next victim." Dave, it is a PayPal invoice.
Dave Bittner: Okay. It says here's your invoice. Allen Cohen sent you an invoice for $599.99 U.S. dollars. Invoice details: amount requested $599.99. Note from seller. Invoice number. Don't recognize this invoice? Before paying, make sure you recognize this invoice. So there's not really a whole lot to read here, Joe.
Joe Carrigan: No, there isn't.
Dave Bittner: This is a standard PayPal invoice.
Joe Carrigan: It is probably a legitimate PayPal invoice. So, in other words, there's somebody who's gone into PayPal --
Dave Bittner: Yeah.
Joe Carrigan: -- signed up for a free account --
Dave Bittner: Okay.
Joe Carrigan: -- and then just started sending out $600 invoices.
Dave Bittner: Oh! I see.
Joe Carrigan: One of the things that's interesting here is that it says, "Note from seller" and then it has a number in there that looks like a -- an invoice number.
Dave Bittner: Right.
Joe Carrigan: And then immediately below that it says, "Invoice number." And then it says call this 858 number.
Dave Bittner: Oh!
Joe Carrigan: Right?
Dave Bittner: That's the same number. The note from the seller and the invoice number are the same number.
Joe Carrigan: I didn't notice that but you're right. They are the same number. But I will bet that if you call this number, you get a scammer on the line who says --
Dave Bittner: Ah, yeah.
Joe Carrigan: -- you need to pay us the 600 bucks.
Dave Bittner: Mm-hmm.
Joe Carrigan: Right? These are sent out in the hopes that you'll just pay the invoice. Maybe you're a business and you -- you see something come through and -- I mean, these guys work in, you know, call centers and scam centers where they -- they just send these out en masse. At some point in time, this is successful.
Dave Bittner: Yeah.
Joe Carrigan: It works. Somebody just sends the money. Right? This is below the threshold of anybody's attention and they just pay it.
Dave Bittner: Do you remember the -- the story? I'm pretty -- we must have covered it on the show at some point. There was a guy -- this is years ago. I want to say pre-internet days. He had cooked up a dry-cleaning scam where he would send letters to local restaurants and say that your waiter -- I -- I had a -- you know, a dinner at your restaurant -- and he targeted fancy restaurants. I had dinner at your restaurant a week ago and your waiter spilled gravy on my suit or my wife's dress or whatever.
Joe Carrigan: Right.
Dave Bittner: And here's my bill for the dry-cleaning. And, you know, it was fifteen dollars or some -- you know, not a huge amount --
Joe Carrigan: Right.
Dave Bittner: -- but this person had automated it in such a way that, you know, for the price of a stamp and a letter and this -- back then it was mailed --
Joe Carrigan: Right.
Dave Bittner: -- you know, U.S. Postal Service.
Joe Carrigan: No, I don't know that we talked about this.
Dave Bittner: Okay. Yeah. So this person had just come up with this scam and he would send this letter to restaurants all over town and all over the country, I believe, and -- and they would send him a check. So, you know, do this for a few hours every day --
Joe Carrigan: Right!
Dave Bittner: -- and your return on investment was very high.
Joe Carrigan: Yeah.
Dave Bittner: Most of the restaurants would just send him a check. Some would send him a -- a gift certificate, you know, something like that.
Joe Carrigan: Then he'd get a free meal out of it.
Dave Bittner: Right. Right. And eventually my -- my recollection, and it's a little hazy 'cause it's probably been twenty years since I remember reading about this story but, like, there was some local gathering of restaurant owners, you know, some kind of industry association meeting --
Joe Carrigan: Right.
Dave Bittner: -- and someone around the dinner table or at the bar or whatever talked about having to pay a dry-cleaning bill and somebody else was, like, hey, wait a minute.
Joe Carrigan: I had to do that, too!
Dave Bittner: Yes. Yes. Yeah. So -- yeah. This actually happened to me once, not the paying the bill, but actually being a waiter and spilling gravy on someone.
Joe Carrigan: Oh, okay.
Dave Bittner: I --
Joe Carrigan: You actually spilled some --
Dave Bittner: Yes, I did. I -- when I was in college, I worked as a singing waiter on a lunch and dinner cruise boat in the Baltimore Inner Harbor. It was a boat called the Bay Lady. Anybody around here probably knows of it. Of course, since we were work -- since we worked there, we had to subvert it. We called it the "Bag Lady." But, no, it was the Bay Lady. Yeah. And, you know, I was serving somebody. We had, like, prime rib or something like that and I was leaning over to serve someone else at the table and some gravy dribbled off the plate and onto a lovely woman's dress and she was not happy about it, Joe.
Joe Carrigan: No, I --
Dave Bittner: It did not go well. It did not go well. I did get to keep my job, but -- but the boat did pay for her dry-cleaning.
Joe Carrigan: Okay. Did she call you names?
Dave Bittner: You know, I don't recall directly being called names. I do remember being scowled at, and of course I was very apologetic. You know, it was -- it was an accident.
Joe Carrigan: Right.
Dave Bittner: It was an honest accident but, you know, I was certainly more careful after that.
Joe Carrigan: Yes. They never let me wait tables when I worked in restaurants.
Dave Bittner: No?
Joe Carrigan: I only worked in the kitchen.
Dave Bittner: No? They -- they --
Joe Carrigan: -- the guy in the back.
Dave Bittner: -- they saw the way you walked around, they saw the way you carried yourself, and they were, like, we're going to keep him in the back room.
Joe Carrigan: Yeah. I'll tell you what I loved doing was I worked in scullery at one point in time. I thought that was awesome. I had a -- I did a great job there.
Dave Bittner: What's scullery?
Joe Carrigan: Dishwashing.
Dave Bittner: Oh, okay.
Joe Carrigan: All the dishwashing.
Dave Bittner: Okay. Yeah.
Joe Carrigan: I'm very fastidious about making sure everything is clean.
Dave Bittner: Okay.
Joe Carrigan: That's really big with me. So --
Dave Bittner: Yeah. Mm-hmm.
Joe Carrigan: -- I would -- it was a good place for me.
Dave Bittner: Okay. Yeah. That is -- that's a good spot for someone who has that particular inclination.
Joe Carrigan: Yeah. There's nothing worse for me than drinking from a glass and then you're halfway through the drink and you look in the bottom of the glass and there's breadcrumbs. Nothing makes me angrier in the kitchen than that.
Dave Bittner: What about lipstick on the glass?
Joe Carrigan: Ah -- I would not be as upset about lipstick 'cause you can see that before --
Dave Bittner: Okay.
Joe Carrigan: -- you go to -- you go to drink out of it. Right?
Dave Bittner: Okay.
Joe Carrigan: But the -- the breadcrumbs, you have to get halfway through the drink before it's apparent.
Dave Bittner: Yeah.
Joe Carrigan: Right?
Dave Bittner: Everybody who's ever waited tables has stories. You know?
Joe Carrigan: Yeah. Well, my wife used to wait tables. She has stories.
Dave Bittner: Yeah. Yeah. It's amazing we're all still alive.
Joe Carrigan: Right.
Dave Bittner: All right. Once again, we would love to hear from you. Our email address is hackinghumans@n2k.com. Joe, I recently had the pleasure of speaking with Seth Blank. He is the Chief Technology Officer at a company called Valimail, where they specialize in email security and that is what our conversation centers on. Here's my conversation with Seth Blank.
Seth Blank: So to tell this story well, we've got to actually jump back forty years.
Dave Bittner: Right.
Seth Blank: Email was actually developed in the '70s and codified in the early '80s when it was about a trusted network of individuals --
Dave Bittner: Right.
Seth Blank: -- effectively professors -- on a trusted network. Basically college campuses before the internet was what we know it as today. And they were communicating with each other and they modeled the system after snail mail. And they had no concept of what the internet would become or what email would become or the fact that businesses would transact on email the way we do and have been for the last twenty, twenty-five years. And so ever since then -- you know, we call it email's original sin as there's no concept of trust in email because email was trusted individuals on trusted systems at the beginning. And so, since then, we've had patches on top of patches on top of patches on top of patches. And we've also just had intense amounts of, first, spam and now phishing and therefore fraud and financial damages to businesses. And since COVID and this move to remote work and, frankly, the dissolving of perimeters -- right? You're no longer protecting your network. Your employees are global. Threats are global. Email is global. A threat may never touch your network and doesn't anymore. Modern defenses aren't modern enough anymore and new things are needed. And we have this host of open standards that make a real impact on this problem, but they aren't well adopted enough and the fraud has skyrocketed over COVID. And so we're just in a new landscape today.
Dave Bittner: Well, one of these attempts to improve email has certainly been DMARC. Can you explain to us what -- what is -- what that is and -- and what it -- it attempts to achieve here?
Seth Blank: Absolutely. So -- so DMARC stands for Domain-based Message Authentication, Reporting, and Conformance, which is a mouthful. There will not be a test at the end of this podcast. But DMARC overlays SPF, which is Sender Policy Frameworking, DKIM, which is DomainKeys Identified Mail, and makes it -- it takes them from sort of machine-to-machine anti-spoofing technologies to actual machine-to-human anti-fraud technologies. And the way that works, to give you a really simple overview at fifty thousand feet, is SPF is effectively a whitelist. Hey, I send mail from these systems that emit from these IPs. And that works great if you run your own network, have your own mail servers. But they're awful in a shared services world. If you're sending through Mailchimp or Marketo or Microsoft, everyone and their mom sends through those IPs, too. And so SPF isn't as helpful or is not helpful at all. DKIM uses PKI. We sign a message, and so when you receive the message you can actually use the DNS to figure out -- to find the public key and you can go, great, this message was actually sent by this domain and the message has not been tampered with in transit. The problem with both of these is that what they authenticate is not necessarily what is shown to the user. And so DMARC introduces, right -- there are those three letters at the end, right -- the concept of alignment. And alignment means what is authenticated is what is shown to the user. So with SPF or DKIM, I can say I am phisher.com. I authenticate as phisher.com. And then I tell the recipient I'm Dave Bittner. With DMARC, you cannot do that. That message would fail alignment. It's not authenticating what's shown to the user and we're explicitly talking about the domain name in use, not the actual text shown to the user. DMARC also gives you a report so you can see what is happening in your name -- under the name of that domain globally so that you have this unparalleled visibility.
Like, this has never existed in email before. You can see globally what's happening in your name. And, you know, we talk to CISOs all the time and the first DMARC report they -- they see, almost invariably, the -- the words out of their mouth are, "I can't unsee this." Because you just have no idea the amount of just garbage being sent as everyone to everyone. And then DMARC lets you -- the third thing -- conformance lets you set policy and said -- and you get to say, for mail, send as me. If I haven't authenticated it, I want you to straight up reject it or send it to spam. And so you finally, with DMARC, get control. And what this has done is DMARC has proven its mettle as being the truly powerful anti-fraud tool. And it's become increasingly mandated. And it's becoming this -- you know, is frankly like having a TLS cert for your website. You just need it. It's sort of that bare minimum bar, and it's been a best practice for a decade but it's never been truly required outside of government mandates until now.
Dave Bittner: So what -- what is the -- the shift that's happening now? We -- we've got some big players here who are taking a fresh approach to DMARC?
Seth Blank: Exactly. So we have Google and then Yahoo and several other people in the industry who will be coming out over the next few weeks and months who will be subscribing to the same set of policies. And, effectively, what they're saying is the core concepts of DMARC -- that authentication must be aligned with the From domain. Right? What is being displayed to the user is paramount. And if you do not have aligned authentication, it doesn't count. And then they're requiring people have a DMARC policy of at least p equals none, which is effectively -- you can get reports but you're not saying yet what to do with unauthenticated mail. And -- and what this does is it means that we can now tell, as an email ecosystem, who is sending the mail. Or -- or more accurately, that when a user is looking at their inbox, the mail is from who it says it's from and that's foundationally different and it's taking, again, a decade of best practice and making it requirement that businesses do the hard work to authenticate their mail so that users cannot be deceived.
Dave Bittner: And how effective is this? How good is DMARC?
Seth Blank: So DMARC is very good. It's the front door. It's -- this is email. It's all -- nothing in security is ever 100%. It's layered defenses all the way down. The analogy I like to use is the TSA in airports. Right? When you come in, the first thing you do is you have an ID, and if you do not have ID or your ID does not validate or it's expired or you don't have a boarding pass to match, you don't even get to enter and get scanned, or walk through all the cameras and agents looking out for behavioral tics. Right? The front door is always check the ID. Validate the ID. Right? It's zero-trust identity. For as overused a term as "zero trust" is, it's, first, know who's entering because then you can make more sophisticated, effective decisions. And if you don't know who's entering, you don't have to let them enter and you don't have to worry about the rest. And so this is -- it's a foundational front door. It's not the window locks. It's not the scanning in the house. But it's -- email's front door has been wide open, and what we're saying now is you require a front door. There's many other security things you need to do at home. But first -- have a door and lock the door and manage the security with that key.
Dave Bittner: If I'm a security professional responsible for defending my organization, how is this going to affect me?
Seth Blank: So I think this is powerfully effective. You know, my -- my hope is this is really meaningful to the security professional. DMARC has become increasingly a tool that security professionals have tried to implement, but there's been a resistance and the question has been -- why now? Why this over other approaches? Right? Security professionals are inundated with the stats, the -- the FBI damages of last year there was $43 billion due to BEC. This year the FBI reported $50 billion in damages. Right? That's $7 billion in damages due to BEC over the last year alone. DMARC is part of that -- not all of it. There's been the Verizon data breach report since 2016 going 91% of all cyberattacks start from email year after year after year. But the problem is getting bigger and the effectiveness of IT teams to even take on DMARC as a project has been really low. The market stats we look at show only a 13.5% effectiveness of people actually getting protection from DMARC. And so the hope is this has changed the conversation from a pure project that IT would like to take on, that security would like to take on, to a necessity for the business that creates a significant security win for the business in the process. And that opens up other doors, especially if you're in a business-to-consumer, in a B-to-C setting where you can get a lot more ROI from marketing on top of it as well.
Dave Bittner: So is the -- is the notion here that when you have some of the big players, the Googles and Yahoos of the world, making this mandatory instead of optional, like, that really changes the playing field?
Seth Blank: It does. And I think -- to go back to the TSA analogy, right, we -- we all remember what happened about twenty years ago. Right?
Dave Bittner: Mm.
Seth Blank: Before, you could walk to the gate -- and now you need to show ID. And it was crunchy. And it was difficult. And there was a lot of friction. I don't have ID. I don't have good access to ID. I don't remember to bring my ID. I like to go to the gate. Right? I like to meet my family when they get off the plane. And all of it changes, but it changes so we can enhance security demonstrably for everyone. And for professionals who are invested in security, hopefully it makes it easier for them to talk to their business about the need for these things and the impact to the business that's not about risk reduction, but is actually about the ability to send email and transact as a business at all.
Dave Bittner: So these changes from Google and Yahoo -- in your estimation, are they going far enough?
Seth Blank: So they're not. I think they're -- they're meeting the market where it's at. So topline numbers -- and take these with a grain of salt -- about 400 million domains send email. About 100 million of those send legitimate email, and about 25 to 30 million of those send email on a regular basis. Of that, only about five to six million have DMARC today. Only about a million have DMARC in what we call enforcement which is when they're actually protecting their whole domain, and they're truly not spoofable or impersonate-able. It's about a thirteen and a half percent enforcement rate overall for the ecosystem. That's shockingly low and that's why Google and Yahoo have come out so forcefully needing this in place because they know it's the single best tool at the front door, to know who the entities sending mail are so they can assign reputation. And if they see mail from phisher.com, they can get rid of it. But the requirement is you need to have aligned SPF or DKIM and you need to have at least monitoring mode for your domain. That's great. It should give visibility to businesses but the ecosystem is not protected until the majority of domains that send email are at DMARC enforcement and protecting themselves because that's when they get herd immunity as an ecosystem. Where a bad actor spinning up a cousin domain, something random, no longer matters because it doesn't have reputation and it can't abuse the ecosystem. Too many domains don't have the authentication at all, and so the playing field is still rife with abuse. But the sooner we can get to enforcement for everyone -- the true no auth, no entry -- right? No authentication, you can't send mail -- the better off we're going to be as an ecosystem and the better we'll be at taking a significant bite out of all the fraud that happens through email.
Dave Bittner: Suppose I'm -- I'm your typical user in an organization. You know, perhaps I'm in a position of some influence. Should I be, you know, visiting my security professional's office and saying, hey, where do we stand when it comes to DMARC?
Seth Blank: Yes, you absolutely should, especially if you're in marketing and send mail or in risk compliance. Right? This is becoming an essential part of cybersecurity programs. To give you a couple of examples, the -- the U.S. Federal Government, the U.K. Federal Government, the Netherlands Federal Government, the German Federal Government, all have mandates requiring federal agencies do DMARC. The Center for Internet Security which runs all the ISACs, right -- FS-ISAC, H-ISAC, MS-ISAC, etc., now has a DMARC requirement in their guidelines. The next version, I believe it's PCI DSS 4.0 which is the rules that govern people who process credit cards, is publishing in March a DMARC requirement that will be enforced in March of 2025. Right? DMARC is becoming a mandate. It's becoming required by the major senders and receivers of email. The fact of the matter is, if you're not taking it seriously and getting started early, you're going to be in a bit of a deficit and it's just an essential security tool. And for some organizations, it's really hard to implement and you don't want to start when your back is against a wall.
Dave Bittner: Joe, what do you think?
Joe Carrigan: Dave, I think I've talked about this before, but I have a friend who says that if you want to learn Unix, you have to learn the history of Unix.
Dave Bittner: Hmm.
Joe Carrigan: And he --
Dave Bittner: I bet he's popular at cocktail parties.
Joe Carrigan: Yes! He actually is. He doesn't talk about computer sciences, though.
Dave Bittner: Okay.
Joe Carrigan: He's actually pretty personable. But anyway, the case in point that he -- he points out is that the -- the command in Unix and Linux and all these different things to change your password is "P-A-S-S-W-D."
Dave Bittner: Right.
Joe Carrigan: Right? Six characters. It is not "password," P-A-S-S-W-O-R-D, or "change password." It's P-A-S-S-W-D. And the reason it's only six characters harkens all the way back to the beginning of Unix where six characters was the most you could use as a command name.
Dave Bittner: I was going to guess that. Yeah.
Joe Carrigan: You couldn't have more than six units -- six characters in a command.
Dave Bittner: Right.
Joe Carrigan: So -- it's the same thing with the internet.
Dave Bittner: Uh-huh.
Joe Carrigan: And particularly with email. And Seth starts off talking here about why email is terrible now.
Dave Bittner: Right.
Joe Carrigan: Because when the people who built email started email, it was -- they knew everybody on the system -- on the -- on the -- on what will become the internet.
Dave Bittner: Mm-hmm.
Joe Carrigan: Right? All the machines on what would become the internet were trusted.
Dave Bittner: Right.
Joe Carrigan: Right? So there's no reason to build security into it.
Dave Bittner: And there were probably a lot of social pressure to -- to adhere to norms.
Joe Carrigan: Yes.
Dave Bittner: Because if you didn't, somebody would pick up the phone and tell you --
Joe Carrigan: What do you think you're doing?
Dave Bittner: -- Bob, knock it off! Yeah. Right. Exactly.
Joe Carrigan: So that has now evolved to the same kind of level of -- of -- well, not to the same kind of level, but as -- as the internet has -- what was then DARPAnet then became the internet, became publicly accessible. And by the time I was on the internet, spam was already a thing.
Dave Bittner: Hmm.
Joe Carrigan: And, you know, I was one of the first one million people on the internet, Dave.
Dave Bittner: Really.
Joe Carrigan: Yeah. I was on really early in the 1990s.
Dave Bittner: I wonder if I was.
Joe Carrigan: Probably.
Dave Bittner: Probably was.
Joe Carrigan: Yeah. So -- you know, I would get -- if I put my email anywhere, I would just get spam email from it and still that can happen today because of the nature of email that anybody anywhere can put something in your inbox.
Dave Bittner: Right.
Joe Carrigan: So we have these standards that Seth is talking about, the SPF, the DKIM, and the DMARC --
Dave Bittner: Right.
Joe Carrigan: -- and -- standards -- and they really help out getting fraudulent emails, fraudulently-sourced emails out of your inbox.
Dave Bittner: Yeah.
Joe Carrigan: Now that doesn't necessarily mean they're going to stop spam emails because if somebody's business is spamming you and they have -- they have DMARC records in the DNS system, which is how this works, and they're compliant with these other two standards, the -- the SPF and the DKIM standards, then their emails are still going to get through but what -- what is happening now is this big change with Google and Yahoo who -- I mean, do you have a Google account? A Yahoo account?
Dave Bittner: I certainly have a Google account. Yeah.
Joe Carrigan: Yeah. I have one of each.
Dave Bittner: Okay.
Joe Carrigan: And I use them both frequently. Or actually I think I have multiple. In fact, I do have multiple Gmail accounts. Yeah. I have two -- two Yahoo emails but they both go to the same address --
Dave Bittner: Okay.
Joe Carrigan: -- the same inbox. But they're saying, yeah, we're not doing this anymore. We're not -- we're not just going to receive your messages anymore. If you send less than 5,000 emails to us in a day, as a -- as an email server, whatever your business model is, if you send less than 5,000 and you're not compatible or compliant with SPF and DKIM, we're just going to put your email in junk.
Dave Bittner: Less than or more than?
Joe Carrigan: Less than 5,000.
Dave Bittner: Okay.
Joe Carrigan: More than 5,000, you don't have to have just SPF and DKIM, but you also have to have DMARC installed.
Dave Bittner: Oh!
Joe Carrigan: And you have to have policy on it.
Dave Bittner: I see.
Joe Carrigan: What I mean -- I think Seth talked about this a lot.
Dave Bittner: Yeah.
Joe Carrigan: There's more to this restriction, though. If you send more than 5,000 emails a day to Yahoo and Google, you also have to have a one-click unsubscribe.
Dave Bittner: Ah!
Joe Carrigan: Right?
Dave Bittner: Right.
Joe Carrigan: Which is great. I think Yahoo and -- and -- and -- and Google are doing a good thing here.
Dave Bittner: Yeah.
Joe Carrigan: My question about all of this is -- why has it taken us so long to -- to get to this point where two of the biggest providers of emails -- free email services out there -- are now insisting on it?
Dave Bittner: Yeah.
Joe Carrigan: These things have been out there for ten years or more. Why did -- why did it take this long to get to this point? There's been a lot of -- of email spoofing which has led to all kinds of scams.
Dave Bittner: Yeah.
Joe Carrigan: Now this is not going to stop some of these impersonation attacks. My daughter, again today, she sent me a -- a -- an image on Facebook Messenger about another person trying to impersonate somebody at the church she goes to.
Dave Bittner: Okay.
Joe Carrigan: Right. And they're saying -- they're saying, hey. It's just another way -- hey, I need your help with something. It's another gift card scam --
Dave Bittner: Okay.
Joe Carrigan: -- opening. And it's coming from some Gmail that somebody set up and -- and is impersonating somebody.
Dave Bittner: Right.
Joe Carrigan: So this is not a panacea. These -- these different standards are not a panacea, but they do stop somebody from sending an email that looks like it's coming from Peacock and pretending to come from peacock.com or NBC or Universal or whatever -- any of those valid things. Not only that, but you can get a report if you are the -- the owner of the domain and see how many times somebody attempted to spoof your domain in an email.
Dave Bittner: Yeah.
Joe Carrigan: I really like what Seth says here. He says -- the -- the -- the CISOs go, "Oh, I can't unsee this." Yeah. Now you kind of have a glimpse into how bad the problem is. Right? Or how much you're being impersonated.
Dave Bittner: Right.
Joe Carrigan: Terrifying.
Dave Bittner: Yeah. I mean, it's the lowest common denominator. Right? I mean, that -- that's the reason why we haven't had movement in this is that nobody wants to -- nobody had either the bravery or the market share to be the mover who -- who -- who had the guts to break things.
Joe Carrigan: Yeah. That -- that's true, but I think that if you were Yahoo or Google or Microsoft five years ago -- 'cause Microsoft has all kinds of email services. They have Hotmail and Outlook.com, Live, all these different email address combinations you can make. Somebody could have done this and said, yeah, we're going to lead the market on this.
Dave Bittner: Hmm.
Joe Carrigan: We're going to make sure that the people who use our email get validated emails. The problem is that -- what if your mom is on some rinky-dink little ISP out of Montana and they don't have the infrastructure to implement SPF or DKIM?
Dave Bittner: Right.
Joe Carrigan: So now you don't get your -- all your mom's emails go directly to your junk folder because they don't meet the standards.
Dave Bittner: Yeah.
Joe Carrigan: Or get rejected.
Dave Bittner: Right. And then you leave that provider -- you leave that provider.
Joe Carrigan: Yeah. You leave -- you stop -- stop using that provider.
Dave Bittner: Yeah.
Joe Carrigan: How much email do you use to communicate with family members anymore?
Dave Bittner: Oh, hmm. Very little.
Joe Carrigan: Yeah.
Dave Bittner: I mean, most of it is text messaging.
Joe Carrigan: Right. We use -- we use mostly Facebook Messenger for our -- our family communications.
Dave Bittner: Mm-hmm.
Joe Carrigan: Which is the only reason I'm still on Facebook, by the way. If it weren't for that, I would be off of Facebook so fast.
Dave Bittner: Right.
Joe Carrigan: If I could convince them to go to Signal or Telegram -- ah!
Dave Bittner: Yeah.
Joe Carrigan: How great that would be.
Dave Bittner: Yeah.
Joe Carrigan: I'm not getting my aunt on Telegram or Signal.
Dave Bittner: See? There you go. Again, lowest common denominator.
Joe Carrigan: Not going to happen.
Dave Bittner: Yup.
Joe Carrigan: I think it's interesting that the -- what did Seth say? Like, 13% of email providers are using these -- these -- are using DMARC?
Dave Bittner: Yeah.
Joe Carrigan: Very small percentage of -- of people that actually -- of domains that send out email are using them.
Dave Bittner: Mm-hmm.
Joe Carrigan: That's going to have to change with these -- these incoming things. The good -- these incoming standards from -- from Yahoo and Google. And there's a pretty short time horizon on this. And it's not -- it's not hard to do. I mean, it's -- it might take a little bit of learning and -- and expertise, you know, but it's not something that's impossible.
Dave Bittner: Yeah.
Joe Carrigan: It's -- it's pretty easy to set up. I like what Seth says about calling DMARC the "front door of email." Right? Which is a great analogy because if you're not -- if you're not using DMARC on -- on the emails you receive, then anybody can put anything into your -- into your users' inboxes.
Dave Bittner: Yeah.
Joe Carrigan: And you haven't done anything to validate them.
Dave Bittner: Right.
Joe Carrigan: So, yeah, put a front door on your house and lock it. I like -- I like that analogy, Seth. That's really good.
Dave Bittner: A barking Rottweiler.
Joe Carrigan: Right. Yeah.
Dave Bittner: All right. Well, again, our thanks to Seth Blank for joining us. He is the Chief Technology Officer at Valimail. We do appreciate him taking the time. That is our show. We want to thank all of you for listening. A quick reminder that N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and mixed by Elliott Peltzman. Our Executive Producers are Jennifer Eiben and Brandon Karpf. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: And I'm Joe Carrigan.
Dave Bittner: Thanks for listening.