Hacking Humans 1.4.24
Ep 271 | 1.4.24

The DNA dilemma: Unraveling a 23AndMe breach.

Transcript

Alethe Denis: The majority of us won't be changing our primary email address anytime soon or our phone number, for example. So, it just comes down to adding more layers of protection around those accounts.

Dave Bittner: Hello, everyone, and a warm welcome to the "Hacking Humans" podcast brought to you by CyberWire. This is the show where every week we delve into the world of social engineering scams, phishing plots, and criminal activities that are grabbing headlines and causing harm to organizations all over the world. I am Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, we're joined by Alethe Denis from Bishop Fox and we're going to talk about the 23andMe breach. Joe, before we dig into our stories here, we have quite a bit of follow-up this week. Kind of clearing out the follow-up folder, by the way. So, what have we got here?

Joe Carrigan: Well, the first one is from Michael who wrote in about our "Catch of the Day" last week which was the -- or last episode because this episode drops after the holidays, Dave.

Dave Bittner: Yeah.

Joe Carrigan: But it was a voicemail purporting to be from Spectrum. And Michael writes in, "Hi, Dave and Joe. So, more information on this scam. I live in Southwestern Connecticut and Spectrum does not service my direct area but does service the adjacent locale. I receive quite a lot of phone calls about 'if I'm tired of high bills because I'm about dropping down my bills' from a group professing to be Spectrum. This is despite the fact that a quick phone number search on the Spectrum site shows that Spectrum does not service my address, as well as the search on the site displays the fact that my local number is listed as a Comcast number. They refer each other for service in the area when there's no service apparently." So, in other words, he's saying that if he were to put his number in, they'd say, no, you're going to have to call Comcast. So, he goes on to say they may be calling all numbers in an area serviced by smaller ISP holders rather than targeting actual customers; just like normal spam calls, it would result in a high number of false starts given that they won't reach actual Spectrum customers or people capable of signing up for Spectrum. Similar to this in my area is the lack of specificity as well. At times, they will only say that they are with your "TV services", right? "I am from your TV provider." Who is that?

Dave Bittner: We're from the government.

Joe Carrigan: Right, yeah. I've gotten these calls before where it's, "Hey, this is Bob from your phone company." And I'd be like, "Oh, yeah. What's my phone company?" I'm immediately suspicious of these people. But they will only identify as Spectrum when pushed to identify the actual company name. I think that any call from any cable company offering you discounts is as suspicious as a stranger with a golden fiddle. I will agree.

Dave Bittner: Yeah. Yeah. I mean, and it's all in the numbers game, right? I mean, they're just spraying and praying.

Joe Carrigan: That's exactly what it is. In fact, you know, they may not even be -- my thinking is some of these are scams, right, where it doesn't matter who you're with, they're just going to scam you. But it could also be the -- you know, essentially what Michael is saying, these were just spam calls to try to get you to switch providers. And you may not even be able to switch to the provider but, you know, the calls are cheap, essentially free really.

Dave Bittner: Do you remember the early days of high-speed internet when high-speed internet was hard to get and it was a fancy thing and you couldn't get it everywhere? Do you remember that?

Joe Carrigan: I do. And I remember having it and loving it, and being like what I thought was the coolest guy on the block. But nobody else cared.

Dave Bittner: So, I had an office in a place that for some reason would show up on somebody's map, you know, some service provider's map as being able to get high-speed internet. But we couldn't. We actually couldn't. When they came out and tried to run it, it couldn't -- it just didn't work, you know. But I would get a call at least once a week from somebody promising me the world that, you know, "Good news, we're going to install high-speed internet." And I'd say, "No. No, you can't." And they'd say, "No, look, right here on this map, I have -- " I'd say, "Yes, I know. But you can't."

Joe Carrigan: You can't.

Dave Bittner: And so, I just got to be like -- after a while, I got tired of them and I said, "Have at it."

Joe Carrigan: Right.

Dave Bittner: Good. If you can do it, I'm all behind it. Go ahead, give it a shot. Give it -- you know, proceed.

Joe Carrigan: Right. Waste their time instead of yours.

Dave Bittner: Right.

Joe Carrigan: Proceed and let me know when you're done. Call me back.

Dave Bittner: And like a day later, they'd call, "No. Well, it turns out we couldn't actually." If they called back at all, you know, "We couldn't get it done, sorry. An issue has come up." I know. I know.

Joe Carrigan: I tried to tell you that yesterday but you just wouldn't listen. You insisted that you can do it.

Dave Bittner: You were so excited to make the sale, that big sale. This is the one. This is the big one. So -- We've got some more follow-up here from one of our listeners who is a regular correspondent and is a former US Marshal. He wrote in to say that the Dutch have been running a reportedly effective ad campaign using a well-known Dutch actor-director for about a decade. It's summed up as, "Hang up, click away, phone your bank." I like that.

Joe Carrigan: That's good.

Dave Bittner: Yeah. And he says as far as a better term than social engineering, just simply try scam. This works quite well for me. People always understand what a scam is, nobody doesn't.

Joe Carrigan: That's a good point.

Dave Bittner: That is -- yeah, simple is best sometimes.

Joe Carrigan: Yeah, scam, one syllable.

Dave Bittner: Yeah. We had another person write in. This was someone who goes by Liphard on Mastodon. And they wrote in to say your Valimail guest on "Hacking Humans" episode 268 stated that the Center for Internet Security runs all the ISACs, and this listener wanted to point out that it was worth pointing out that the ISACs aren't all under one umbrella.

Joe Carrigan: Yeah, they're all independent organizations run by industry groups.

Dave Bittner: Yeah. So, he said there is a National Council of ISACs but there's also an ISAO or standards organization. I-S-A-O. Yeah, I know, it's acronym bingo. Right. But they don't necessarily correspond to critical infrastructure sectors. So, this listener just thought it was important to point out and clarify that point that the ISACs are not all under one umbrella.

Joe Carrigan: They are not.

Dave Bittner: So, it's good information. Finally, another listener who goes by the online handle Zentlon, which I kind of like, it sounds like a space bad guy or something.

Joe Carrigan: Zolten.

Dave Bittner: Yeah, right. It says, "Your latest 'Hacking Humans' discussion about corporate links and identifying scammer links. I understand DNS quite well and it doesn't matter. So many companies use bulk mailers and marketers to send emails who put links in the emails with generated tracking addresses or the address of a subcontractor. I've seen this with tech support, Zendesk.com, for example. Do I know that company contracted with Zendesk or someone else? Who knows?"

Joe Carrigan: That's a good point. Because Zendesk is a service provider, a software-as-a-service provider, for a lot of companies. Right? So, you could go in and create a fake email here and lend yourself some credibility.

Dave Bittner: Yeah. Think like Mailchimp, you know, there's just all these that they'll do your spamming for you.

Joe Carrigan: Right. Yeah, they're all on the white list too, by the way.

Dave Bittner: Right. Exactly. Well, because a lot of time you sign up for a newsletter that you legitimately want to get. It could come from one of these providers where the next account is sending out stuff that you don't want. So, yeah, it's complicated. But Zentlon makes a good point. So, thank you all for writing in. Of course, we love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. I'm going to kick things off with some stories here, Joe. And my story comes from the folks over at HackRead, this is written by Owais Sultan. And it's an article titled "How Human Elements Impact Email Security." And this is right up our alley. This is digging into some of the human factors here of email security. This article points out that over 870 million breached records occurred in October, highlighting the rising cyber threat and associated costs for companies. But also that human errors account for about 82% of breaches with things like phishing and social engineering. And they highlight this term "action bias exploitation", which we've talked about.

Joe Carrigan: That's a great term.

Dave Bittner: I don't know that we've ever used that term but we're going to now.

Joe Carrigan: Action bias exploitation. Let me guess what this means. They're exploiting the fact that someone would rather do something than not do something. Is that a good guess?

Dave Bittner: Yeah, it's pretty good. Yeah. They describe it as hackers exploiting psychological tendencies like action bias where individuals will act hastily to perceived threats leading to the unintentional sharing of sensitive data. So, yeah.

Joe Carrigan: It's still down to the very bottom layer, literally the very bottom of your brain, firing off the amygdala in the flight or fight response. That's where you're dealing, that's where you are with this. So, yeah. I mean, I don't know if I would even call this a bias. This is because people don't -- there's no way to remove this. It's not something that some people have and other people don't, it's universal.

Dave Bittner: I think perhaps it means that it is everyone's natural bias towards action when presented with certain types of things.

Joe Carrigan: Yeah, but generally, I don't know. I think of biases as cognitive things, right? Like selection bias, oh, I want to be part of this survey because this matters to me, right? But action bias I would say that's not action bias, everybody should run away when there's a bear next to them, right?

Dave Bittner: Right. But that's what they're saying is that we are biased to action, either fighting or flighting. So, we have a natural bias towards not sitting there and being eaten.

Joe Carrigan: I guess you could call it bias but I think it's horseshoeing of the -- I'm not going to mince words about this, Dave. I'm going to go ahead and say, okay, fine, call it bias.

Dave Bittner: Okay. We'll leave it to the people who wrote the article.

Joe Carrigan: We'll leave it to the psychologists.

Dave Bittner: Yeah. Perhaps they left an email address, Joe. You can write them a letter about your -- let me know how that goes.

Joe Carrigan: I don't think it's worth arguing that.

Dave Bittner: This article points out some strategies to mitigate risks, of course, data backups, you know, you've got to have data backups. They talk about email signature management. Basically not -- you know, don't give away too much information in your email signature. The things that people can use for social engineering. Right. Of course, access control, restricting file access, you know, limited to make sure that when accounts are compromised that --

Joe Carrigan: Somebody doesn't just walk in with the keys of the kingdom where they have one set of username and password.

Dave Bittner: Exactly. Exactly.

Joe Carrigan: The principle of least privilege is what we would call this. You know, just -- you know, this was something that I used to see all the time when I was administering a system. It was a document management system. It was called LiveLink, now I think it's just called OpenText, from OpenText, a company. And by default, when people created these document container folders, whatever you want to call them, there was like a pseudo file system on a website at this time. But by default, when you created it, everyone in the organization had access to it. You had to go in and limit the access to the people you wanted to have access to.

Dave Bittner: I see.

Joe Carrigan: So, you know, at the time, I wasn't steeped in the security world as I am now but were I to be doing this today, I would say we're going to set that to no permissions and you have to add the organizations you want to have access to this. And then we'll rely on group management to make sure people are in the proper groups because somebody moving from one group to another, they should lose access to the stuff they used to have access to that they don't need anymore.

Dave Bittner: How do you feel about time limits on access because I think a lot of times somebody needs temporary access to something but they end up with it forever because no one goes back and changes it.

Joe Carrigan: I will tell you the perfect example of that. We would have CMMI audits, right, and we'd have auditors in our organization who would say, "Okay. We're getting ready for a CMMI audit, we need to have access to everybody's documentation. Show us your documentation." And they wouldn't do this all the time, they'd do it like for two months out of every two years, or something like that. Or whatever the periodicity was. But it wasn't all the time. So, they would get access to everything on that server that I was just talking about, the LiveLink system because that's where we kept all of our documentation. So, yeah, I'm for it, Dave.

Dave Bittner: Yeah. You know, I mean, I guess it depends. You know, in many cases people won't even notice that it's there, and if someone needs their access extended, then they can --

Joe Carrigan: Yeah, they can just send an email or make a phone call. I mean, it's not -- that's the thing about auto-revoking access is that if you don't need it, you will never notice it's gone.

Dave Bittner: It's like that joke about, you know, the guys in the server room, they're saying, "What does this thing do?" "I don't know, unplug it, see who comes and complains."

Joe Carrigan: Right. That's right. We used to have that button or that joke, we'd say push the button and listen for the screams.

Dave Bittner: Right. Okay. Moving on. They talk about the importance of employee education. Of course, big fans of that. In fact, they call that the most effective defense strategy.

Joe Carrigan: Do they really?

Dave Bittner: Yeah. Yeah, to teach employees about the cybersecurity basics, about threat recognition, and response protocols, which I think are really important as well. What do you do if something goes wrong?

Joe Carrigan: What do you do if you have clicked on the phishing link?

Dave Bittner: Yeah, right.

Joe Carrigan: You know, that's -- you've got to tell people that.

Dave Bittner: Yeah. And you've got to have a culture where people don't feel like they're going to get punished for it so they don't try to hide it and --

Joe Carrigan: Because if you heavily disincentivize that, yeah, it's bad news.

Dave Bittner: Yeah. And then finally, looking towards 2024 in terms of an outlook, they emphasize that you should try to create a robust security culture through comprehensive employee training and awareness which will help enhance overall security posture and reduce human error-induced incidents.

Joe Carrigan: One of the things that Perry Carpenter always says -- Perry Carpenter who has a show on this network, the "8th Layer Insights" show. He's a frequent guest on our show. One of the things he says is you have a security culture whether you know it or not.

Dave Bittner: That's right. That's right.

Joe Carrigan: So, if you don't know you have a security culture, I can bet that your security culture is poor.

Dave Bittner: Yeah, that's good.

Joe Carrigan: But I mean Perry said that and I was like, "That's really good."

Dave Bittner: Yeah, it's true.

Joe Carrigan: And it's very true.

Dave Bittner: All right. Well, that's my story this week. We will have a link to that in the show notes. Joe, what do you got for us?

Joe Carrigan: I've got two stories. One, since this is more of a follow-up from the holidays, but there is a product out there called the Vanilla Gift Card, which is a gift card that you can only use once, it's not reloadable. But we were talking a lot about gift card scams last -- you know, last month. And in the City of San Francisco, their City Attorney David Chiu or "Chu", I'm not sure how you pronounce that and I'm sorry for messing that up if I did. But he is suing the issuer of these cards because their products contain lax security features on them. Lax, L-A-X. Which I think is interesting. I don't know how far he'll go with this, how far he'll get with this. It would be -- I think it would be great if somebody could be held accountable for this. But these people have had their cards just drained or essentially bought gift cards for other people. And the attorney for the City of San Francisco, the City Attorney is not having it.

Dave Bittner: Does the article say what specifically he takes issue with?

Joe Carrigan: He takes issue with the "lax security features on the card packaging." That's what he says in the article. Yeah, according to the complaint, the gift card packaging allows for easy access to the card inside.

Dave Bittner: Oh, I see.

Joe Carrigan: People can get into the card, take all the information off of it, put the card back on the shelf, and then let other people buy them gift cards. That's how it works.

Dave Bittner: Yeah, yeah. Yeah, you know, right before the holidays I saw some posting from Brian Krebs, "Krebs on Security", and he had -- he was reposting some articles from a couple of years ago that really outlined how the bad guys go after gift cards. And one of the things he highlighted was how they can manipulate the packaging that they come in, do what they need to do, and then make it look like the packaging was not manipulated. So, it sounds like that's along the same lines is what you're talking about here.

Joe Carrigan: Yeah. You know, my thinking on this is that printing equipment is not all that expensive. You can get something that essentially prints up new packaging for those gift cards that looks very similar if not exactly the same as the packaging that is on the shelf. And you could do anything you wanted to to that card, put it in a new package and put it back on the shelf.

Dave Bittner: Yeah, yeah. Interesting. What else you got?

Joe Carrigan: My second story actually comes from my good close friends at the IRS, Dave.

Dave Bittner: Okay. Sure. So, did you send them a big gift basket over the holidays, Joe?

Joe Carrigan: We're pen pals, me and the IRS, Dave.

Dave Bittner: Oh, pen pals, I see. All right. I understand. I understand. Sure.

Joe Carrigan: So, the IRS has announced that they are going to be providing penalty relief for about 5 million people on their 2020 and 2021 tax returns. So, I don't know exactly what the details of this tax relief are but they're just -- they're not relieving people of their taxes just some of the late fees. And they're saying it's because we weren't able to send out late notices or non-payment notices when people filed their taxes but didn't pay them. So, I don't know what the benefit is going to be, you can probably go through and read this article. And that's not really what I want to focus on. What I really want to focus on is there are 4.7 million individuals who are affected by this, who are impacted by this, who are going to get some kind of benefit. That's a pretty large swath of the American public, especially the taxpaying public. That's probably somewhere around 1, 2 percent maybe. Right. The scammers are going to go after this. They're going to exploit this because these guys are watching the news. So, first off, I don't want to say how you feel, I don't -- this is not about the refund program or the forgiveness of these late fees or whatever, it's about the fact that you're going to see an email saying. "Claim your IRS fee waiver right now." And if you are someone who has not paid your -- or owes penalties, non-payment penalties for 2020 and 2021, that's going to hit you right in the money part of your brain. Right.

Dave Bittner: Right.

Joe Carrigan: And it's going to fire off the, "Hey, I heard about this on the news. Oh, here the IRS knows that I owe the money because I have to send them checks regularly or they keep sending me those annoying letters," or whatever. And, you know, they say they're going to -- they say they're going to come and get me if I don't buy gift cards for them." That's a completely different scam. But, you know, if you're in this -- if you're one of these people, you know you're one of these people, right? So, that's one of the things that we've said before is that if you have business with the IRS for collection of taxes, you know it from the correspondence you receive and from -- not really from phone calls but mainly from the correspondence you receive. They don't really call you.

Dave Bittner: No, they write you letters.

Joe Carrigan: They write you letters. And they will not call you out of the blue. The first communication from the IRS will never, never be a phone call. And the only time you'll get a phone call is when you've called and asked for them to call you back or if you have some kind of agreement with them where we're talking with them and you know somebody. But this is going to come in the form of phone scams and this is going to come in the form of phishing attacks. And probably even scams over text messages and over any other messaging platform. I don't know how the IRS would know that, you know, what my Signal account is, although they might know. But, you know, be on the lookout for this. Also, since we're now in January, it is tax scam season. So, be extra vigilant. They're going to go after businesses, they're going to go after individuals. They're going to be filing taxes, fraudulent tax returns. If that happens to you, that's going to be a pain.

Dave Bittner: Right. They've switched gears from the holidays to tax season.

Joe Carrigan: They've switched gears from the holidays to the tax fraud. Or not tax fraud, the tax fraud is when you lie to the IRS about how much you owe, but these are tax scams. I guess this is tax fraud. I don't know. These people will probably do time for tax fraud if they ever get caught.

Dave Bittner: Could be.

Joe Carrigan: So, yeah.

Dave Bittner: Yeah, hm. All right.

Joe Carrigan: The people filing the returns, I mean.

Dave Bittner: Yeah, good advice. Good advice.

Joe Carrigan: Keep an eye out. And also, I don't know how the IRS is going to notify you. If you are one of the people that receives this but they said they will notify you. And it will come probably in the form of a letter. I'll bet it comes in the letter. The letter, it's got to be the letter.

Dave Bittner: And how often do you get good news from the IRS, right? Good news, you don't have to --

Joe Carrigan: I've opened a number of letters from the IRS and haven't seen one that says good news.

Dave Bittner: I mean, I guess if you get a refund, that's a good news letter from the IRS.

Joe Carrigan: I've got a refund over a number of years now.

Dave Bittner: All right. Well, we will have links to both of your stories here in the show notes. Joe, it's time to move on to our "Catch of the Day". [ The Soundbite of Reeling in Fishing Line ] [ Music ]

Joe Carrigan: Dave, our "Catch of the Day" also comes from Mastodon, from Dodo the Dev. And it is a perfect example of a poor phishing email. He says, "Notice the spelling and the phrases not making sense and all that." Why don't you go ahead and read this one, Dave? It's down here at the bottom of the page.

Dave Bittner: All right. So, it starts off with the big old logo at the top from Google Forms. Interesting. It says, "Your score has been released for a balance $44,101. Dear user, we have noticed that you've signed up end user account in our system approximately a year ago. However, it appears that you haven't visited your account in a while. We'd like to inform you of the importance of using the platform on the platform. In order to provide opportunities for the rest of our users and keep up the current status of our system, we plan to block automatically inactive accounts in the next year future. Please be aware that your balance will be zeroed upon the account deactivation. We welcome you to access to your account and discover the latest updates and capabilities we offer. We value your participation in our system and look forward to seeing you again. Thank you for your attention and understanding. Please click the button below to access your account. Balance $44,101."

Joe Carrigan: And then there's a big view button. I have no idea what this is but it definitely is a scam.

Dave Bittner: Yeah. Well, I think the Google Forms, we've seen stories where --

Joe Carrigan: Yeah, Google Forms were used for data collection.

Dave Bittner: Well, but also if you get a message from Google Forms, it will usually make it through the spam filter because Google is whitelisted typically.

Joe Carrigan: They whitelisted their own services in the Gmail.

Dave Bittner: Yeah. So, you can generate this using Google Forms, have it send this out through Google Forms, and chances are it will hit the inbox. So, I think that's why it's coming through Google Forms.

Joe Carrigan: That's pretty cool. Or, well, pretty smart I should say. Not cool at all.

Dave Bittner: No.

Joe Carrigan: But, you know, this is pretty badly worded. The second to last sentence reminds me very much of Robocop. Thank you for your attention and your understanding.

Dave Bittner: Right. Stand aside, citizen.

Joe Carrigan: Right.

Dave Bittner: All right. Yeah, pretty straightforward but it's a good one. Again, we would love to hear from you. If there's something you'd like us to consider for our "Catch of the Day", you can email us. It's hackinghumans@n2k.com. [ Music ] Joe, it is our pleasure to welcome to the show Alethe Denis. She is from Bishop Fox. And we are talking about the 23andMe breach.

Alethe Denis: So, first of all, I describe this as a breach that has little to no fault for the vendor. And in this case, that's 23andMe, which is a little difficult for folks to understand. If it's their data that was leaked, then how are they not at fault? The reason that the data became accessible to the attackers was that those individuals with those accounts actually had passwords that they were reusing on various other accounts. So while their information could have been breached from another provider of a service or an app or an account that they had and made public through that breach, all the attackers did here was take those passwords and see if those individuals had recycled those email addresses and passwords with their 23andMe accounts.

Joe Carrigan: So, was this a simple credential-stuffing attack?

Alethe Denis: From what we understand yes. So, the attackers were able to not only capture a large amount of account credentials through other breaches but they were able to then systematically take those credentials and put them against the login for 23andMe's application or services, and then from there, they were able to see which of these credentials had a 23andMe account that used that same email address and password combination. So, for example, if you have me@email.com and that's my email address and I use the same email for all of my accounts that I have online whether that is banking or streaming or a variety of other different types of accounts, and I just want one password that makes it super easy for me to type it in and remember, then I'm going to use the same email and password on all of those accounts. And since 23andMe is a little bit older as far as the internet is concerned, then there's a high volume of people that haven't ever updated their password since that was common practice. It was very common practice for all of us to have a complex or long or complicated with symbols type of password that may even be like eight or 20 characters long, but we were all using the same password on all of our online accounts. And so, what these attackers were counting on is that there would be at least a few folks who had accounts that had passwords that were the same as what they were able to collect from this breached data from completely different companies and completely unrelated breaches.

Dave Bittner: That's a really interesting point about how, you know, the 23andMe users aren't probably logging in every day, you know. My experience with those sorts of platforms is there's kind of a flurry of activity when you first sign up and log on because you kind of get flooded with all of this information about, you know, oh, who am I related to? And there's a lot of excitement. But then, then it kind of trickles in after that. And so, I can see people losing interest. Not closing their accounts but just not being active participants there.

Alethe Denis: Yeah, exactly. It's one of those things where it was, you know, the new hotness a few years ago to get this test kit for your family, to set it up for your siblings, for your parents, for yourself. And a lot of people did just that, they set their account up, they sent in their samples, they got their results, they shared their results all over the internet with friends, and then they sort of forgot about it. So, with 23andMe and other DNA testing and genealogy-type websites, there is exactly that sort of "set it and forget it" type of mentality. Whereas with, you know, streaming services and banking, we get lots of reminders to update our passwords and when new security concerns arise, those are the first things that come to mind because we are interacting with them on a daily basis.

Dave Bittner: You know, it's my understanding that something that made this breach even worse was that if the bad guys logged in, for example, under my account, they were also able to see a good amount of information about folks that I was genetically related to. Is that on the mark there?

Alethe Denis: Yes. So, from what we understand, there were approximately 5.5 million accounts that were compromised through this brute forcing or guessing of the credentials using what was made available out there through other breaches. But from those individuals, there were about 1.4 million people who opted in to DNA Relatives and also had their family tree profile information available, as well as other things like even their geographical location: relationship labels that they had assigned to people as far as how they were connected, their display names, birth dates, and any other self-reported location. So, if they said, "I live in this town", that would have been available to an attacker as well. So, people could, if they were able to access another person's account, see how they were connected to people, where those people were located possibly, as well as the relationship labels that had been assigned. And what this does is it gives an attacker a really good understanding of how these people are connected. And we could say that this gives an attacker the ability to answer a large swath of security questions, things like what is your father's middle name, for example. But it also gives attackers a way to create really compelling, convincing pretexts that they can use to elicit a very emotional response. And a lot of the time when we get scammed on the internet or we hear about online scams, we think of things like the gift card scam and this and that, but there's a whole other layer of phone scams especially, where attackers will pose as a kidnapper and they will actually call someone and tell them that they've kidnapped a child or a family member. And if that person is able to say, you know, this is your child's name and this is the school they go to, and any other data that they can collect by guessing the elementary school closest to this person or looking up the social media of, say, another family member who is a little bit more free with what they share on their social media, this just gives added authenticity, seeming authenticity, to that scam. It makes the person who's receiving that phone call in the moment believe that this is accurate because they're saying all of this stuff that's true.

Joe Carrigan: So, the question I have about this is there are 7 million people that had their accounts compromised, almost 7 million. What percentage of the 23andMe user base is that? Is that -- my guess is that it would be 20%.

Alethe Denis: I don't have the exact numbers but I would guess it was a pretty large set of users, especially that volume I would say it's a pretty large percentage of current account holders because, again, these people would have to have active accounts in order for them to be accessed. But I'm not familiar with exactly the number of users on the platform.

Dave Bittner: Now, it's interesting also that after this breach occurred, both 23andMe and Ancestry have kind of upped their game when it comes to the requirements for their users and log-in security, right?

Alethe Denis: That's correct. I know that there is two-factor authentication made available on the majority of these platforms. That would take a little effort on the account holder's part to enable that and set it up. So, in this case, I feel like there's going to be a large number of individuals, as we discussed, that they just set this up, you know, 10 or so years ago and forgot about it. Those people aren't going to be as vigilant in protecting their accounts so these features are quite new, and they may or may not know how they work, how to set them up, how to use them, or what the benefit is to them to set them up. So, I love that these companies are kind of taking the initiative to communicate the benefits and the fact that these features are available now and encourage people to take action. But we all know humans will take the path of least resistance when given the opportunity. And I don't expect that a lot of people will take action swiftly to enable these security features on any of their online accounts unless they are someone who has fallen victim to some kind of attack.

Joe Carrigan: So, is there anything you think that 23andMe could have done better or do you think there is any culpability they may have in this? My initial thinking on that is no but I'd like to hear what you think about that.

Alethe Denis: In my opinion, and I will stress that this is my personal opinion, I do not believe that 23andMe did anything incorrectly or is responsible in any way. I do understand that the individuals who had the most information compromised opted in to share data between other people on the platform. So, they were actively looking to connect with other people who may have been related to them or had some relationship or additional information about that individual's family tree or other people that they could be related to. And that is a little tricky because, yes, that person has access to that information because all of those other individuals that they're connected to as well as themselves opted in to that. But again, I think that there could be more layers of security around how this data is being shared even within the platform. But at the end of the day, I don't believe that 23andMe is responsible for this particular leak or breach of data because of the fact that these attackers gained access by guessing the passwords of the account holders, using information that they got from a completely unrelated source.

Dave Bittner: You know, immediately after this breach I was actually involved in some genealogical research on the platform, on both 23andMe and Ancestry, and to the frustration of someone who was helping me with this, 23andMe had actually disabled a bunch of features. One of them being, you know, that sharing feature that had caused them so much trouble. They turned the spigot off on that for a while. And, you know, understandably, but it was also slowing down folks who were, you know, trying to do some family research.

Alethe Denis: Right. No, it's tricky because we want to be able to freely share information to advance those types of objectives and I think I've seen this the most with clients who have had research-based job functions. I'm trying to redact things as I talk. So --

Dave Bittner: Sure.

Alethe Denis: But I've worked with clients who have to have a lot of these communication pathways open between various researchers, various locations. They might have laboratories all over the world. And so, for them to be able to share research and to collaborate with other people who are focused on the same research, it makes it very tough to remain secure because they need these conduits to exchange data and information. And what that does is that really opens them up to being vulnerable to these types of attacks because once somebody is in anywhere, it doesn't take too much to get from one point to another unless there are very strict security controls as to who can access what, where, and when. So, there was a medical research facility that was in the news recently who had individual accounts breached from their records, so patient data. And the patients were contacted by the ransomware gang and asked to pay a ransom, a small fee to keep their specific information out of the dataset that was going to supposedly be released on the dark web. So, they asked individuals to give them $50 or some nominal fee to keep their own record off the internet. And I thought that was quite interesting as well. Instead of going after just the medical research facility for a ransom, they decided to target the individuals who were included in the breached data themselves.

Dave Bittner: You know, I've taken to calling those sort of low-level attempts "nuisanceware", you know, because it's not going to change anyone's life but, you know, I guess it's effective, they do it for a reason. I'm curious, can you speak to the kind of immutable nature of this particular type of data? You cannot change your DNA.

Alethe Denis: Yes. And I know that there was a lot of fascination in the security community as to how this data was going to be stored, how it was going to be protected. And I don't know that in this case that the individuals who breached these accounts would actually have access to the DNA record because I don't know the full, you know, DNA record is available just on the online platform. However, I also don't think that while we often tend to want to focus on the conspiracy theories and the sci-fi elements of DNA being leaked and, you know, having yourself cloned, for example, I feel like the majority of us really want to focus on protecting things like the shape of our face, our fingerprints, things that we now use to access things like our phones. And I believe that for high-value targets that might be a very high priority as far as concerns go. And if you're concerned with those types of things, then you know, setting up a website and sending in your DNA -- a website account, and then sending in your DNA sample may not be the best path for you because the only secure platform is one that can't communicate with anything outside of itself. So, we're never going to reach 100% security on any of these types of services where you have individuals who are logging into accounts and you have that interconnectivity between different SaaS applications as well as locations and data centers, etc. Everything is vulnerable in some way. But as far as protecting the way that your face looks for things like facial recognition on devices or protecting your fingerprints which, I mean, I saw The Matrix too, but that didn't look like a lot of fun having your fingerprints burned off. I don't know that there is anything we can really do besides adding multiple different types of factors of authentication on top of those. None of us are going to be able to change things like our Social Security numbers either.
The majority of us won't be changing our primary email address any time soon or our phone number, for example. So, it just comes down to adding more layers of protection around those accounts and what I think is the best way to avoid these types of social engineering, phishing, or scamming schemes that lift simply the passwords or one factor is to have something else that is a device or a piece of hardware that cannot be taken away from you but can be replaced or updated. So, the universal second factor would rely on an actual device being, you know, plugged into your computer in order to allow access. And I believe there are more online accounts that are enabling the use of things like YubiKeys and other devices that provide that U2F protection when it comes to authentication of a user when they're accessing an account.

Dave Bittner: All right. Well, our thanks to Alethe Denis from Bishop Fox for joining us. We do appreciate you taking the time. [ Music ] That is our show. We want to thank all of you for listening. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. This episode was produced by Liz Irvin, mixed by Elliott Peltzman; our Executive Producers are Jennifer Eiben and Brandon Karpf; our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.