Hacking Humans 1.11.24
Ep 272 | 1.11.24

Password Perils: The threat of credential stuffing exploits.


Frank Riccardi: SIM jacking is getting to be a big problem again. And SIM jacking is one way that cybercriminals can bypass multi-factor authentication. So an authenticator app is the best way to go. But still, you know, text-based MFA is better than no MFA.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week, and later in the show, author Frank Riccardi joins us. He's talking about password reuse. [ Music ] All right, Joe, before we jump into our stories here, we have a couple of items of follow-up. You want to kick things off for us here?

Joe Carrigan: Yeah, Steve writes in to say, talking about our episode with the 23andMe breach, he says, I do want to push back to some degree on the statement that 23andMe has no responsibility for the recent hack. Now, if you recall, this is going to tie into our interview today, but 23andMe had a data breach. But the data breach was caused by users having their passwords reused on other sites.

Dave Bittner: Right.

Joe Carrigan: And people performed a -- some malicious actor performed a credential stuffing attack that wound up leaking DNA data of 23andMe users out.

Dave Bittner: Right.

Joe Carrigan: 23andMe said this is not our responsibility because we didn't lose control of the passwords. The users just had bad password hygiene.

Dave Bittner: Yeah.

Joe Carrigan: Steve takes issue with that stance.

Dave Bittner: Yeah.

Joe Carrigan: He says, I contend a company that has sensitive information, such as DNA, has a responsibility to check for common and hacked passwords on accounts these days. If they ran a small internet forum on some subject, then yes, there's no need to be that vigilant. But when you make sensitive information like this available, there's more responsibility to protect it.

Dave Bittner: Mm-hmm.

Joe Carrigan: He said there are methods for checking passwords from breaches and common usage to prevent them for forced changes. He then goes on to cite his personal experience, saying the company platforms he worked on for the past five years, they've implemented functions on their business systems that do this. Amazon does this, Dave.

Dave Bittner: Oh, yeah?

Joe Carrigan: Amazon will notify you if your password is in a breach. And they don't know your password. What they're doing is they're using some of their massive cloud infrastructure, and they're just hashing passwords. You know, they're acting as if the breach has happened. And they're seeing if your password shows up on a list of known passwords.

Dave Bittner: So they're comparing hashes, basically?

Joe Carrigan: Well, you can't really compare hashes. What they actually have to do is they have to take your salt, because Amazon stores it as a salted hash.

Dave Bittner: Uh-huh.

Joe Carrigan: Sounds delicious, but it's actually a good security practice.

Dave Bittner: All right. Well, going into the weeds alarm --

Joe Carrigan: Yeah, yeah.

Dave Bittner: -- she's screaming at me.

Joe Carrigan: Amazon tests your passwords. They don't know your password. They just test the bad list and see if they can figure it out. If you get a match, they notify you, and they say change your password. It's been breached.

Dave Bittner: I don't think Steve's point is unreasonable.

Joe Carrigan: I don't think it is either.

Dave Bittner: I think certainly, for any new account, he's right. The resources are there. They're readily available.

Joe Carrigan: Right.

Dave Bittner: That if you try to put something in that has shown up in a password breach, you know, probably the most famous database is Have I Been Pwned.

Joe Carrigan: Yeah, Troy Hunt's database.

Dave Bittner: Yeah.

Joe Carrigan: Troy actually offers, I don't know if he offers it to everybody, but he does have a list of SHA-256 hashes of all those passwords.

Dave Bittner: Yeah.

Joe Carrigan: Now, that, you can just look up hashes against.

Dave Bittner: Okay. Yeah. So it's not hard to -- there's no great barrier to do that.

Joe Carrigan: No, there is no great technical barrier to do this. This is a simple technical solution that Steve is talking about, so I think he's right.

Dave Bittner: Yeah.

Joe Carrigan: It's not hard.

Dave Bittner: Timing-wise, it's interesting. Just today, over on the CyberWire podcast, I was talking about some of the pushback that 23andMe has gotten with their statement that they have no responsibility for the hack. People are accusing them of victim-blaming, similar to what Steve is saying, but also stating, you know, they should have required more robust passwords to start with.

Joe Carrigan: Perhaps require multi-factor authentication.

Dave Bittner: There you go.

Joe Carrigan: Just by doing that, too, just by saying, no, no, you're going to have to have multi-factor authentication, you could have stopped this attack in its tracks.

Dave Bittner: Yeah. Well, I think the good news is I think we're headed that way. You know, either the requirement of that or things like, what are they, key -- key -- pass -- passkeys.

Joe Carrigan: Passkeys.

Dave Bittner: I wanted to say key phrases. That's not right. Passkeys. Yeah. So many combinations.

Joe Carrigan: We're going to be saying that word later in the show too.

Dave Bittner: There you go. All right. Well, thank you, Steve, for writing in. We got another piece of email here from Michael, who said, "Happy New Year, gents. Hope you had a safe and relaxing festive season."

Joe Carrigan: I did.

Dave Bittner: I did as well. He says, "Not only is it the season for missed package delivery scams but also for increased interstate travel and encounters with toll roads, which brings me to the point of my email. My wife and I traveled to visit family. And as we entered a toll road, she said she'll get a scam unpaid toll SMS pretty soon. Sure enough, a few minutes later, it came through. The fact she got the SMS so quickly got me curious. I'm trying to eliminate variables to narrow down what could be triggering them and wondering whether you have any thoughts. The vehicle is registered in her name, and the eTag, the toll pass, in my name."

Joe Carrigan: Okay.

Dave Bittner: So in Michael's name. "I suspect it's either triggered by the license plate being scanned as we pass through the toll or her mobile phone location being detected on that section of the road. I don't think it has anything to do with the eTag, as I don't get an SMS. Given the short time frame, I expect live license plate data is a less likely source than mobile phone location. I'll take note of whether she gets an SMS when I pass through tolls with her, which should rule that out. I'll contact the toll operator if she still gets them." He says, "My wife is pretty diligent about location data permissions. We'll try to eliminate different things, hopefully isolate what is sharing her live data with these scammers. All the best for 2024, Michael." I got this yesterday.

Joe Carrigan: That's a weird one.

Dave Bittner: It is. And I have to say I spent some time trying to puzzle through this.

Joe Carrigan: You went down the rabbit hole, didn't you?

Dave Bittner: I did. So the first thing I tried to determine was how easy is it to buy people's personal information correlated to their license plates.

Joe Carrigan: Right.

Dave Bittner: Right? Because as, you know, you can buy information on people for just about anything.

Joe Carrigan: Sure.

Dave Bittner: And it didn't seem to be that easy to do. Now, license plate scanning is a part of most professional level security systems these days. Like it's an option you can buy.

Joe Carrigan: Yeah, they have ALP -- automatic license plate readers.

Dave Bittner: Right.

Joe Carrigan: ALPRs.

Dave Bittner: Right. And you'll see, like I know, in our community, several of the police cars have those built in.

Joe Carrigan: Yeah. I always get a warm, fuzzy feeling when I'm driving by those guys.

Dave Bittner: But I've also seen them for parking enforcement, like down at the University of Maryland. They have them that drive through the parking lots and read license plates. And there are private companies who do that to just gather the information of where people are but also for private security and things like that. I tend not to think that that's what is at play here. I suspect that it is just some rogue app that she has on her phone that's doing some kind of geofencing. And when it gets pinged with her location as being within the confines of a toll road, it just triggers a text being sent to her.

Joe Carrigan: I think that's the more likely option.

Dave Bittner: Yeah, that's what I think.

Joe Carrigan: The other -- the other less likely option that is still possible is somebody has penetrated a state system.

Dave Bittner: Yeah.

Joe Carrigan: And they have access to your information.

Dave Bittner: Right.

Joe Carrigan: And they're laying low. They're just reading the events as they come across the wire. And because they have access to the system, they know your cell phone number or your wife's cell phone number. And did Michael say that his wife is the one that has the account?

Dave Bittner: He has the eTag account.

Joe Carrigan: He has the eTag account.

Dave Bittner: So he has the eTag account -- Yeah, she's the one getting the SMS.

Joe Carrigan: She's the one getting the SMS. Okay, so yeah, then it's probably not that because then he would get it anytime it happens. I'll tell you how you suss this out, Michael.

Dave Bittner: Okay. I have a theory, too, but I want to hear yours. Go ahead.

Joe Carrigan: Well, my theory is there's an app on the phone.

Dave Bittner: Yeah.

Joe Carrigan: So leave your wife at home with her phone.

Dave Bittner: [Laughing] Okay.

Joe Carrigan: And go on the same toll road and see if she gets a scam text message. If she doesn't, you've isolated it to your wife.

Dave Bittner: Right. Well, yes. I have another -- I have another way to do it.

Joe Carrigan: Okay.

Dave Bittner: Where his wife still gets to come along.

Joe Carrigan: Oh, okay.

Dave Bittner: [Laughing] That would be if they want to test this, go on the toll road where they know that she gets messaged, right? Before they go on the trip, either leave her phone at home.

Joe Carrigan: Right.

Dave Bittner: Or turn it off so that it's not able to ping back her location of being within the confines of this geofence.

Joe Carrigan: Yeah, being geofenced.

Dave Bittner: Right. And so if they drive through that area and then either when they're long away from that area, she turns on her phone, and there's no SMS. Or they get home, and she checks the phone, and there's no SMS, that means that it was probably the phone being geotagged.

Joe Carrigan: Right.

Dave Bittner: That's my guess.

Joe Carrigan: I'm thinking that they live in a state like Maryland where I can just go down to the ICC, the Intercounty Connector, Dave.

Dave Bittner: Right.

Joe Carrigan: And hop on it and see if, you know, I mean, that would be a short trip for me to do.

Dave Bittner: Yeah. Yeah, absolutely. Absolutely. Yeah. Well, Michael, good testing, and let us know how it goes. [Laughs]

Joe Carrigan: I'd like to know what this is.

Dave Bittner: Right, right. And if any of our listeners know what this is, if you have some behind-the-scenes information that's more than the same sort of educated guessing that we're doing, we'd love to hear from you as well. You have one other bit of business here you want to address before we jump into our stories here, Joe. What do you got?

Joe Carrigan: Dave, I left -- I forgot to -- I left my tinfoil hat at home, but I really wanted to bring it in today.

Dave Bittner: Okay.

Joe Carrigan: Because something really weird happened at home today.

Dave Bittner: Oh.

Joe Carrigan: So, for Christmas, my son gave my wife a HexClad pan.

Dave Bittner: Yes.

Joe Carrigan: Are you familiar with HexClad?

Dave Bittner: I am.

Joe Carrigan: It's -- Gordon Ramsay pitches it.

Dave Bittner: Yeah, it's a premium cooking system, but a pan.

Joe Carrigan: Right.

Dave Bittner: So it's supposed to be quite nice. Yes.

Joe Carrigan: I cooked something with it tonight, today, rather.

Dave Bittner: Yeah.

Joe Carrigan: I made my wife a fried egg sandwich. I don't know if you've ever had those.

Dave Bittner: Sure.

Joe Carrigan: Pretty good. It's okay.

Dave Bittner: Okay.

Joe Carrigan: I'm not in love with it yet. I don't know. But my big thing about cooking systems is, or pots and pans, is what you pay for them versus how long they last.

Dave Bittner: Okay.

Joe Carrigan: Like, do you remember T-fal? T-fal was all the rage back in the early '90s, late '90s.

Dave Bittner: Sure.

Joe Carrigan: We bought some, or we actually got some of that as a gift. And three years later, it was unusable. And I'm pontificating about this to my wife. I said, we really don't know because we only have one of these pans. These pans are not cheap.

Dave Bittner: Yeah.

Joe Carrigan: Right? They're pretty expensive. I said, I won't know how good of a value this is until I've used this thing for a year or two later.

Dave Bittner: Yeah, that's fair.

Joe Carrigan: Right? Now, I'm saying this to my wife out loud. So you know where I'm going with this?

Dave Bittner: Of course I do. [Laughs]

Joe Carrigan: Because I go upstairs and I get a phone call from my wife, and my wife goes, I just got a Facebook ad for a HexClad after a year. Now, it's really weird that we're talking about two specific things here. We're talking about a product. Okay. Well, maybe we do all this stuff about, maybe we do this research about, maybe my son did the research about HexClad on the same network they know, in the house, that we have a HexClad -- one HexClad pot.

Dave Bittner: Sure.

Joe Carrigan: But how do they know that we were just talking about the time that this stuff is good?

Dave Bittner: So I'm going to -- if I understand here, the ad had something to do with being time-based?

Joe Carrigan: It had. And is your HexClad still good after a year or after a year of using HexClad?

Dave Bittner: Huh. And what were they trying to sell you?

Joe Carrigan: Well, it was like one of those viral marketing people, but it was from the HexClad people. It was a Facebook ad with a video from HexClad.

Dave Bittner: Yeah.

Joe Carrigan: And they're saying it still works great after a year.

Dave Bittner: Wow.

Joe Carrigan: That's oddly specific. I mean, like really oddly specific.

Dave Bittner: Right. [Laughing]

Joe Carrigan: Like enough for my wife to call me and go, you're not going to believe this.

Dave Bittner: Right.

Joe Carrigan: But here's the ad. She sent me the ad, and I'm like, that's weird. Now, if --

Dave Bittner: Well, now you've reinforced it by doing it.

Joe Carrigan: Right. Yeah, of course.

Dave Bittner: Right.

Joe Carrigan: I mean, now it's not about, you can't do any more valid experiments on it.

Dave Bittner: If the ad said, is your HexClad still good after a year, Joe and Lisa?

Joe Carrigan: [Laughing] Right.

Dave Bittner: Then, then I would be convinced that something was going on.

Joe Carrigan: And there's a part of me that goes, that says, you know, I know this isn't the case. Because I get on there and I start Googling. I start looking around, and everybody's like, no, no, no, it's not -- they're not listening to you. It's much scarier than that because they're able to predict your stuff. But Dave, I can't imagine an ad campaign.

Dave Bittner: I know. I've experienced the same thing, Joe. I talked about this on Grumpy Old Geeks a few weeks ago.

Joe Carrigan: Did you?

Dave Bittner: Yeah, I had basically the same thing happen. It was -- I was driving to work every day. I saw one of these self-contained like video surveillance units that has -- it's like a trailer that they sit in the median of the road, has a bunch of solar panels, and like a mast that goes up with a bunch of cameras at the top.

Joe Carrigan: Oh, I've seen those.

Dave Bittner: And they use them, yeah, they use them for traffic surveys. They use them for security in parking lots. You know, all sorts of different uses. And I was driving by it every day for about a week and thinking to myself, huh, that's interesting. I wonder what they're using that for. Is it for a traffic survey? Is it for security? You know, I don't know. But every day, I'd drive by, and I'd see this thing, and it would be there. And I'd wonder about it because it was out of the ordinary. And then I logged on to Facebook and there was an ad for one of them. And I went, what? I mean, I hadn't -- I hadn't --

Joe Carrigan: But you hadn't said anything.

Dave Bittner: No, I hadn't said anything. So now I'm convinced Facebook is reading my mind.

Joe Carrigan: Right. That's far less likely --

Dave Bittner: Yeah. So --

Joe Carrigan: -- than them listening in on you.

Dave Bittner: But what is most likely, as I thought about it, was this company who sells these things put in an ad with Facebook and said, we want to put our product in front of security professionals.

Joe Carrigan: Right.

Dave Bittner: And that's me, right? I mean, I'm certainly tagged as that. I'm not, you know, I'm not like I'm a mall cop or anything. But you could legitimately tag me as a profile as being someone who works in the security arena. So it's probably no more complicated than that. Combined with the, what's the -- what's the syndrome where you think, you know, you see things, but you get reminded of things. What is it?

Joe Carrigan: Pareidolia?

Dave Bittner: No, no, no. That's when you see faces.

Joe Carrigan: Right.

Dave Bittner: Something bar. I forget. Anyway, we talked about it on Grumpy Old Geeks. So go look up the -- I'm sure our listeners are yelling at their devices now saying it's la-la-la-la, and it's that, yes, you are correct. It is that. That is the thing that it is. Yeah. It's the thing where, you know, if you buy a car, all of a sudden, you see lots of cars that are the same model that you bought.

Joe Carrigan: Yeah. It's very similar to figure-ground perception.

Dave Bittner: Yeah.

Joe Carrigan: Right? When you hear it, when you hear your name in a crowd, you always hear it.

Dave Bittner: Right. So yeah. So it's -- Now, the other part of this is that in the past month, there was the story about the advertising agency that was advertising being able to sell their customers the ability to listen to conversations, to covertly listen to conversations.

Joe Carrigan: Ah, I missed this story.

Dave Bittner: You're probably better for it.

Joe Carrigan: Yes, actually. Now I'm going to go look that up and discuss it with my wife when I get home and go, this is why.

Dave Bittner: And I think, like the folks at the 404 Media, Joseph Cox, the usual suspects who dig into these sorts of things, tried to follow up on it and pretty much decided that it was a bit of overreach that they were bragging about things that they really couldn't do.

Joe Carrigan: I see.

Dave Bittner: So take that for what it's worth. But I'm still not convinced that there are any devices that are actually listening to our conversations for advertising purposes, mainly because they don't need to. And it's far easier for them to do other things. And our brains are such pattern-matching machines that they ignore the unusual, and they latch on to the -- or they ignore the usual and latch on to the unusual.

Joe Carrigan: But this was particularly anomalous.

Dave Bittner: I know. I'm -- believe me. I know how that feels.

Joe Carrigan: Talking about a specific brand of pot, concerned about the longevity of the pot.

Dave Bittner: Yeah.

Joe Carrigan: And then, within 10 minutes, an ad like that shows up on my wife's phone after I've been loudly pontificating about it.

Dave Bittner: Yeah. Yeah. Yeah. I'm with you, man. [Laughs] I don't have an explanation.

Joe Carrigan: You know how I loudly pontificate about things.

Dave Bittner: Well, it could have been your neighbor's phone that was being listened to, Joe.

Joe Carrigan: Oh, wow. Joe's really talking about this. Better send this in to Lisa.

Dave Bittner: Yeah, exactly. All right. Well, let's move on to some stories here.

Joe Carrigan: Indeed.

Dave Bittner: You have our first one. Why don't you kick things off for us?

Joe Carrigan: Yeah. My story comes from Sarah Al-Arshani at USA Today. And we're talking about virtual kidnapping.

Dave Bittner: Yes.

Joe Carrigan: Now, Dave, kidnapping has a lot of overhead with it, right? First, you have to go out and find somebody.

Dave Bittner: Right.

Joe Carrigan: Then you have to get a bag to stuff them into and a white van --

Dave Bittner: Old van.

Joe Carrigan: -- that says free candy on the side.

Dave Bittner: Sure. Free hugs.

Joe Carrigan: Right?

Dave Bittner: Mm-hmm.

Joe Carrigan: But what if we can get rid of all of that stuff, as bad guys, and just have a virtual kidnapping where we convince somebody to behave as if they've been kidnapped and then tell them, tell his family that we have -- that we have them and we need ransom money?

Dave Bittner: Yes.

Joe Carrigan: Well, that is what has happened. The latest victim is in the news right now. His name is Kai. I'm probably going to butcher this last name because it's a Chinese last name, Kai Zhang.

Dave Bittner: Yeah, Zhang, I think.

Joe Carrigan: Kai Zhang.

Dave Bittner: Yeah.

Joe Carrigan: He's a 17-year-old exchange student. I'm going to start this off. Kai is fine. Everybody is fine.

Dave Bittner: Yeah.

Joe Carrigan: Nobody has gotten hurt.

Dave Bittner: Yeah.

Joe Carrigan: Which is great. But here's how it works. Kai is in the United States. He is away from his family.

Dave Bittner: Yeah.

Joe Carrigan: And someone gets in touch with Kai. And these bad guys scare him to the point where they say -- but the way they scare him is they say, somebody's going to harm your family if you don't do what I say.

Dave Bittner: Right.

Joe Carrigan: Right? Don't try to contact them, right? First thing they do is isolate him. And they instruct him then to go and hide somewhere and isolate himself. Don't talk to your family back home, or they will get harmed. And also, while you're there, take some pictures of yourself and send them to us.

Dave Bittner: Mm-hmm.

Joe Carrigan: Right? Now that, in this case, Kai has been sequestered away from his family, is hiding out somewhere in the wilderness, they contact Kai's family and say, we have your son here in the United States.

Dave Bittner: Right.

Joe Carrigan: And here's a picture of him to prove it, right? So and then they sent -- they sent him the picture of Kai.

Dave Bittner: Out in the middle of nowhere.

Joe Carrigan: Right.

Dave Bittner: Which is where he is.

Joe Carrigan: Right. The family tries to contact Kai. First thing they try to do. But because Kai has been told, don't answer the phone, he doesn't answer the phone.

Dave Bittner: Mm-hmm.

Joe Carrigan: So, as far as the family is concerned, he's not responding.

Dave Bittner: Right. And they -- and they contact the family that he's staying with.

Joe Carrigan: Right. And they say, where is he? And they're like, we can't find him.

Dave Bittner: Right.

Joe Carrigan: Right? He's -- he's missing. He ran -- What it looks like is he ran away. So these folks in China sent these virtual kidnappers around 80 grand.

Dave Bittner: Yeah.

Joe Carrigan: Which is a lot of money.

Dave Bittner: Yeah.

Joe Carrigan: And, I guess I don't have to say that, but it's still a lot of money. Now, I want to talk about this in general because the FBI has been tracking these kinds of scams for about 20 years now.

Dave Bittner: Really?

Joe Carrigan: Yep. In 19 -- or not 19. Jeez. Every time I start a date, Dave, I start with the 1900s because that's when I was born. Born in the mid 1900s.

Dave Bittner: Uh-huh.

Joe Carrigan: In 2013 and 2015, FBI agents in LA were aware of a scheme that was targeting Spanish speakers.

Dave Bittner: Okay.

Joe Carrigan: Right? The calls were coming from a Mexican prison. And what was happening was these guys would bribe a guard, get a cell phone, and they'd know the general area they were going to call because of the area code and exchange, the first three digits.

Dave Bittner: Yeah.

Joe Carrigan: And then they'd just randomly dial numbers --

Dave Bittner: Okay.

Joe Carrigan: -- until they got ahold of somebody and try to scare the -- scare the crap out of them and convince them to send money.

Dave Bittner: Right.

Joe Carrigan: If you're sitting in a prison, I imagine you have nothing but time, right?

Dave Bittner: Yeah.

Joe Carrigan: So if you can -- if you can bribe a guard to give you a cell phone and let you use that cell phone for some period of time, and you can do this and make a profit while you're sitting in prison.

Dave Bittner: Mm-hmm.

Joe Carrigan: Originally, they were contacting just Spanish-speaking people. But then they moved on to just cold calling with the system I just described. It seems now they're really targeting exchange students, though, and particularly Chinese exchange students. I don't know why they're targeting Chinese exchange students over anything else. Maybe because there's some kind of ease of moving money, or maybe because there's some kind of way to get access to the information, or maybe because Chinese exchange students are very common in this -- coming to the United States. I know a couple of people who have hosted Chinese exchange students.

Dave Bittner: The story I saw on this and the coverage we had over on CyberWire pointed out that the $80,000 went from the family in China to a Chinese bank account.

Joe Carrigan: To a Chinese bank account.

Dave Bittner: Right.

Joe Carrigan: Right.

Dave Bittner: Which made me suspect that this scheme is being run from China.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: If that's the case, I think that China has some pretty good control over the banking system, right?

Dave Bittner: Yeah.

Joe Carrigan: I mean, so --

Dave Bittner: There's very little in China that China doesn't have very good control over.

Joe Carrigan: Right, exactly.

Dave Bittner: Yeah.

Joe Carrigan: So I'd like to know -- Well, I mean, we'll never know, but it would be interesting to find out what happens to these guys.

Dave Bittner: Right.

Joe Carrigan: Eighty thousand dollars is a lot of money. And I know that China is a big law and order kind of country.

Dave Bittner: Sure.

Joe Carrigan: And when -- when they're -- when they're tough on crime that they don't like, you know, they're really tough on it.

Dave Bittner: Yeah.

Joe Carrigan: So what can you do to protect yourself in this? We all have to have code words now, right?

Dave Bittner: Mm-hmm.

Joe Carrigan: And this is not just for these kinds of scams, but for other scams, like the ones that you and I are really subject to of the deep fakes of the voice.

Dave Bittner: Oh, right.

Joe Carrigan: Right? So I've told my family. I've actually gone out and made the -- made the initial conversation to everybody and said, look, I'm never going to call you and ask you for money. If I'm going to need money, I'm going to show up in person and ask for it. [Laughing] I didn't say I'm never going to ask for money, though.

Dave Bittner: Right.

Joe Carrigan: But I'll be there in person.

Dave Bittner: Uh-huh. What you might ask for is cab fare --

Joe Carrigan: Right. [Laughs]

Dave Bittner: -- or a free Uber to get there to ask for the money.

Joe Carrigan: Right. I need, I need money. I need an Uber to get down there.

Dave Bittner: Right. Right. Huh. Yeah, I'll say, as you said at the outset, the good news here is that no one was hurt.

Joe Carrigan: Right.

Dave Bittner: And they got -- they got him back.

Joe Carrigan: They found Kai. He was isolating in a valley in just a tent --

Dave Bittner: Yeah.

Joe Carrigan: -- in really cold temperatures.

Dave Bittner: Right.

Joe Carrigan: So these guys didn't really care about what happened to Kai.

Dave Bittner: No.

Joe Carrigan: They didn't care that he was miserable and in danger of hypothermia.

Dave Bittner: No.

Joe Carrigan: But he's fine. He did not -- he was not hurt.

Dave Bittner: Yeah. My favorite -- my favorite part of this story is that after they got him, and they made sure he was okay. And --

Joe Carrigan: He wants a hamburger.

Dave Bittner: Yeah. A little med check. And what did, what did he want most?

Joe Carrigan: Hamburger.

Dave Bittner: He wanted a hamburger.

Joe Carrigan: A warm hamburger.

Dave Bittner: A warm hamburger. Yeah.

Joe Carrigan: They got it for him.

Dave Bittner: Yep. They did. They did. All right. Interesting story. My story this week is actually a scam that has been polluting my Facebook feed for the past couple of weeks.

Joe Carrigan: Aren't you glad you're back, Dave? [Laughing]

Dave Bittner: I was just going to say the same thing, Joe. Like I cannot tell you how often Facebook makes me angry. Like -- And you know me, I'm not --

Joe Carrigan: You're a very calm, even chill person.

Dave Bittner: I am not a -- I'm not a person who leans toward anger.

Joe Carrigan: You are not. I would describe you as a -- as a kind and gentle person.

Dave Bittner: Right.

Joe Carrigan: I don't think I've ever seen you angry. I've seen you irritated once or twice.

Dave Bittner: Yeah.

Joe Carrigan: But not angry.

Dave Bittner: Yeah. So, when something like this comes by once or twice, and I report it, and I block it, and then it keeps showing up over and over and over again.

Joe Carrigan: This works on Dave.

Dave Bittner: Makes me angry.

Joe Carrigan: Right.

Dave Bittner: So here's the scam. You are scrolling through Facebook, minding your own business, and you notice that you have been tagged in someone else's post. And so you go, you look at the post, and one of your friends has posted a link with an image. It looks like a video clip, like something straight from YouTube. There's a logo in the corner that says BBC News.

Joe Carrigan: Yep.

Dave Bittner: It's a picture of several law enforcement officers standing in front of what looks like a very serious car accident.

Joe Carrigan: Yep.

Dave Bittner: And it says, "Fatal road accident in the highway takes several lives." And the friend of yours who posted this, they've posted, "I can't believe he is gone. I'm going to miss him so much." Along with a string of crying emojis.

Joe Carrigan: Right. Now, let me ask you: this shows up on your feed?

Dave Bittner: Actually, the person -- the first time, no. No, I have not been tagged personally on this, but I have seen friends of mine tagged. The image that I grabbed here and put in our show notes, the person who was tagged here, that's my cousin.

Joe Carrigan: Okay.

Dave Bittner: So a family member was tagged, and that's what it is. So what do you suppose happen -- Well, first let's unpack the scam here, Joe. What do you -- what do you -- what are the things in play here that are triggering someone to respond to this?

Joe Carrigan: Well, immediately it's obviously a terrible car accident that's being covered by BBC News, which means it's of international report, right, or reporting worthiness.

Dave Bittner: Right.

Joe Carrigan: It says on the side, state trooper, which implies to me that it's a United States event.

Dave Bittner: Yep.

Joe Carrigan: So this person here who is saying this, "I can't believe he's gone. I'm going to miss him so much." The first thing is I'm like, oh my gosh, what has happened?

Dave Bittner: Information gap.

Joe Carrigan: Right.

Dave Bittner: Right? There's an information gap.

Joe Carrigan: Yes.

Dave Bittner: And this is -- this is, again, it's another thing that makes me angry, Joe, [laughing] is the information gap. This is the, you won't believe this one weird trick, right?

Joe Carrigan: Oh, yeah.

Dave Bittner: It's the --

Joe Carrigan: The clickbait.

Dave Bittner: And the -- yeah -- and the YouTubers, particularly, are terrible about this, you know. Here's the one thing that you need to know about your Apple Watch to make sure you don't die, right? Like, what's the thing? What's the thing? I must know the thing.

Joe Carrigan: Stay all the way with me till the end, and I'll tell you.

Dave Bittner: Right, exactly. So they -- evidently, the term of art for that is information gap. And it is very good at manipulating people to do things you want them to do. And that's what they're doing here. They don't say who is dead.

Joe Carrigan: Right.

Dave Bittner: But it says fatal road accident takes several lives. So, oh my gosh. Someone I know, someone I love must be dead. It's not just a story. There's a picture from the accident. And it's so big, the BBC covered it. If you look at the URL --

Joe Carrigan: Yeah, the URL says BBC News dash some random number of letters, dash another random set of letters, and numbers dot xyz.

Dave Bittner: Right.

Joe Carrigan: But it's not.

Dave Bittner: For unsophisticated users, they're just going to stop after BBC News.

Joe Carrigan: Right.

Dave Bittner: And going to say that looks legit to me.

Joe Carrigan: Yeah. Well, I mean, it even looks like it has a big red YouTube button right in the middle of it.

Dave Bittner: Exactly.

Joe Carrigan: Like, I think I'm just going to YouTube.

Dave Bittner: Right. So it's a scam all the way down. From beginning to end, it is a scam. If you click on this, and I took the bullet, and I clicked on it. I spun up a secure browser --

Joe Carrigan: Okay.

Dave Bittner: -- an isolated thing and I clicked on it. And it goes to the website gainprizesnow.life. That doesn't sound at all scammy, does it, Joe?

Joe Carrigan: No. Ooh, whoa, I instantly forgot about my dead friend, and now we want some prizes.

Dave Bittner: Well, I thought about that.

Joe Carrigan: Yeah.

Dave Bittner: I thought about like how you're priming someone with this emotional thing. And then, what, they're going to go totally switch gears and be happy about the potential of winning some prize? No. I think what's happening here is they're just click farming. So they found somebody who will pay them to deliver traffic.

Joe Carrigan: Right.

Dave Bittner: And they're using this scam to just deliver worthless traffic.

Joe Carrigan: Right.

Dave Bittner: And they're collecting money on that.

Joe Carrigan: Yes.

Dave Bittner: Now, the other part of this that makes me angry is how much I have seen this over the past couple of weeks. It is popping up over and over and over again. I can't help wondering why --

Joe Carrigan: Can I guess?

Dave Bittner: Go ahead.

Joe Carrigan: You're going to -- you can't help wondering why Facebook hasn't stopped this?

Dave Bittner: Yes.

Joe Carrigan: I know why, Dave.

Dave Bittner: Well, let me just finish my sentence here.

Joe Carrigan: Okay.

Dave Bittner: So Facebook, obviously, to do some sort of image mapping with this, it's the same picture every single time, right?

Joe Carrigan: Right.

Dave Bittner: So Facebook certainly has the capability to detect this image --

Joe Carrigan: They do.

Dave Bittner: -- and block it. Right.

Joe Carrigan: Yeah. It's called, it's a neural hashing.

Dave Bittner: Okay.

Joe Carrigan: For these -- I can't remember exactly what the term of art is.

Dave Bittner: Yeah.

Joe Carrigan: But essentially, it's like Microsoft has one of these things that they use, it's for identifying CSAM images.

Dave Bittner: Okay.

Joe Carrigan: Right? Because if you change a small feature of an image, the hash will be radically different.

Dave Bittner: Okay.

Joe Carrigan: So Microsoft has come up with a way, and Apple has a way to do it too.

Dave Bittner: Yeah.

Joe Carrigan: Apple uses a neural hashing technique that will hash the image such that the hash will be similar or the same if the image looks similar or the same.

Dave Bittner: Mm-hmm.

Joe Carrigan: Right? So I am sure Facebook has this capability.

Dave Bittner: Yeah.

Joe Carrigan: They could stop this image or stop this ad from happening by using a technique like this.

Dave Bittner: Right.

Joe Carrigan: It is absolutely 100% technically possible.

Dave Bittner: Yes. But they don't.

Joe Carrigan: But they don't. Now, the big question is why?

Dave Bittner: Yeah. Well, I mean, answer number one is engagement, which is Facebook's North Star.

Joe Carrigan: Right.

Dave Bittner: Because engagement is how they sell ads.

Joe Carrigan: But Dave, people are clicking on these links.

Dave Bittner: Yeah.

Joe Carrigan: I mean, if Facebook shows you an ad and you don't click on it, they make a little bit of money. But if you click on an ad that they've shown you, they make a lot of money.

Dave Bittner: Yeah. I'm not sure this is an ad, though. I think this is someone's account has been hijacked.

Joe Carrigan: Ah, okay.

Dave Bittner: And so they've hacked someone's account, and they're using that person's account to post these.

Joe Carrigan: I see.

Dave Bittner: And --

Joe Carrigan: I thought this was an ad.

Dave Bittner: And then they're tagging all of that person's friends.

Joe Carrigan: You're right. I lost the bubble on this one.

Dave Bittner: Yeah.

Joe Carrigan: You're right. You can't be tagged by an ad company.

Dave Bittner: Right. So that's what's going on. And that just, you know, again, Facebook is not looking out for your best interest.

Joe Carrigan: No, they are not. No.

Dave Bittner: So I'm going to calm down now. [ Laughing ]

Joe Carrigan: Dave, is that a blood pressure monitor I see on the other side?

Dave Bittner: It actually is, Joe. It actually is.

Joe Carrigan: I'd like to take your blood pressure before and after we do one of these stories.

Dave Bittner: Yeah. Take an extra pill here and just calm down. Think about, I don't know, sitting by the ocean with a cool breeze blowing through my hair and the warm sun on my face.

Joe Carrigan: Drinking a Mexican beer that Tony Romo has handed you.

Dave Bittner: There you go. Exactly. So keep an eye out for this and spread the word with your friends. I think knowing about this technique is helpful as well anytime you see this information gap. You know, I remember, actually, the first time I ever fell for a scam like this was probably a decade ago. It was before you and I were doing this show. And we've been doing this show a while.

Joe Carrigan: Yep.

Dave Bittner: And it was someone sent me a text message that said something like, I can't believe this is you in this video.

Joe Carrigan: Right.

Dave Bittner: And that was all it took.

Joe Carrigan: Yep. Is this you in this video?

Dave Bittner: Right. Yeah. So lesson learned the hard way.

Joe Carrigan: Right. You know, I'm with you on this. It's very maddening.

Dave Bittner: Yeah.

Joe Carrigan: The picture, you're right, Facebook could stop this.

Dave Bittner: Yeah.

Joe Carrigan: But they don't. The person who has lost control of their account here will probably never get it back.

Dave Bittner: Nope.

Joe Carrigan: Facebook probably will not help them with that. That person is left screaming into the void.

Dave Bittner: Right. [Laughs]

Joe Carrigan: Probably have to start a new Facebook account. Use multi-factor authentication on your Facebook account. If you are so inclined, and I've done this, make it so that nobody can tag you in a Facebook post without your permission.

Dave Bittner: Yeah.

Joe Carrigan: You have to be approved for all the tagging. Like, Dave, you can't go in there and put a picture of me up and tag me in it without me approving it.

Dave Bittner: [Laughs] That's right. That's right. All right. Well, those are our stories for this week. We are running a little bit long today. So I'm going to say that the Catch of the Day is still on holiday.

Joe Carrigan: Okay.

Dave Bittner: We're going to skip over the Catch of the Day this week. We'll have one for you next time. Coming up next, our author, Frank Riccardi, will join us talking about password reuse. We will have that right after this message from our sponsor. [ Music ] [ Music ] Joe, I recently had the pleasure of speaking with Frank Riccardi. He is the author of the book Mobilizing the C-Suite: Waging War Against Cyberattacks. Our conversation really centers on this notion of password reuse. Here's my conversation with Frank Riccardi.

Frank Riccardi: I think one of the most famous examples of password reuse and credential stuffing, it's the infamous Colonial Pipeline cyberattack. If there's any one case you want to know about credential stuffing and reused passwords, Colonial Pipeline is it. So let me set the table for your listeners. Colonial Pipeline is a mammoth pipeline operator. They have 5,500 miles of pipeline along the East Coast of the United States. So the pipeline stretches literally from Texas all the way to Maine. And in May of 2021, Colonial Pipeline was hit with a really bad cyberattack. It was a ransomware cyberattack. And what happened is during the height of the pandemic, you know, the worst time for a cyberattack, cybercriminals injected ransomware into the billing systems of Colonial Pipeline. Now, what happened is, at the time, the leaders of Colonial Pipeline freaked out because they didn't know it was just hitting the billing systems. They thought it could hit the pipeline systems. So, out of an abundance of caution, they shut down the pipeline along the East Coast. Now, the pipeline was shut down for nearly a week along the East Coast of the United States. So people couldn't get gas. They couldn't fill up their cars. And if they could get gas, it was at enormous prices per gallon. So it was a really big cyberattack that eventually changes the zeitgeist of how people in the United States view ransomware. Further setting the table, the cybercriminals were a gang called DarkSide. They were sponsored by Russia, a nation-state threat actor. And the cybercriminals were actually inside the network for eight weeks, rummaging around, taking their time, getting the lay of the land. They stole 100 gigabytes of data, and then they encrypted the network with ransomware. Now, ultimately, Colonial Pipeline paid ransom. They paid about $4.4 million in Bitcoin to get the decryption key to unencrypt the network. But it was also a big breach. They ended up sending out breach notice letters to 6,000 employees, mostly their employees. But for the purposes of Hacking Humans, I'd like to describe a little bit how the cyberattack came about and why it was so successful. So Colonial Pipeline, during the pandemic, like many companies, let their employees work remote and set up VPNs for them. One of their employees left the organization, left Colonial Pipeline, got a job somewhere else. And Colonial Pipeline made a big mistake. And the big mistake was a lot of companies, when an employee leaves the organization, they terminate that employee's access to systems. In this case, however, Colonial Pipeline never closed that VPN. And it remained open and live even though the employee left the organization. Now, it's believed that the employee was reusing that VPN password for another online account. And it's believed that perhaps, nobody knows how, but perhaps DarkSide may have purchased that stolen, reused password on the dark web. But however they got it, they stuffed the password into the VPN, and it worked. So it essentially was a credential-stuffing attack. And another mistake that Colonial Pipeline made is that they didn't protect that VPN with multi-factor authentication. Now, had they done that, the Colonial Pipeline cyberattack never would have happened because DarkSide wouldn't have had that one-time numeric code to get in. So not having MFA was a big mistake. And this is why it's changed the zeitgeist in the United States. What happened was there were congressional hearings, there's investigative reporting, politicians are getting involved, and the public finds out how the cyberattack happened, and they're furious. And so what's happened now since Colonial Pipeline, even though people and politicians and regulators are angry and mad at cybercriminals, if the cyberattack was successful because a company failed to take basic cyber hygiene into account or failed to implement the basic cyber security control, like maybe they did not enable MFA, they did not close old defunct VPNs, or maybe they didn't install patches, whatever it is, if it's a basic cyber hygiene flaw, the public is now just as angry at the C-Suite leaders and the company as they are at the cybercriminals.

Dave Bittner: What about for the individual at home, you know, who's saying to themselves, well, you know, that's a big organization and shame on them. But, you know, here I am, just minding my own business at home, using my email, the various things I log in to; surely nobody's interested in me.

Frank Riccardi: Well, they are interested in you. In fact, 23andMe recently came out notifying people of a breach. And they're saying that the breach wasn't, you know, affecting their system. It wasn't a network hack. They're saying that their users, their customers, they believe, were reusing their passwords for other online accounts. And the cybercriminal, I think he calls himself the hacker Golem, allegedly just got in there through a credential stuffing attack. So, you know, if you use 23andMe, if you use any kind of online account, and you have a password, no matter how strong it is, if you're using that password somewhere else, that other account could get breached. It could get sold on the dark web. And then your other accounts that you're reusing that password are at risk.

Dave Bittner: You know, I was at an event recently, and I was sitting next to someone. And I don't recall how, but somehow, the topic of passwords came up. And this person was very proud to share with me that they have a system where, you know, they use a base password. And then they vary it in different ways for different places that they log in to. And I paused, and I listened, and I'm curious. You know, I suspect your response to that would be similar to mine. What would your response to someone thinking that a system is a good way to go?

Frank Riccardi: According to the latest in cybersecurity research, and Dave, you've probably heard this before. A lot of cybersecurity researchers, they don't believe resetting your password -- Companies require password resets every 90 days. And what happens is most employees, instead of resetting the entire password, a completely new password, they just reset one part of it. So if your password is tanglebangledangle, they'll just put an exclamation point at the end of it. And that's not really effective, but, you know, it's what people do. It's the human factor. It's the weakest link in cybersecurity. And if your colleague is just using a base password for all of his or her accounts and then just changing one piece of it here and there, they're still reusing their password. I mean, believe me, cybercriminals understand the human factor. And when they're coming up with, you know, their password cracking methodology, they take all of that into account. So you really need to change the entire password. It needs to be a unique password for each of your accounts. And humans are not designed and built to remember 100 passwords. You know, we're not artificial intelligence, and we're not computers. But we can use password managers. And 1Password is a good password manager. KeePass is a good password manager. But you can use password managers. And that's a lot less risky than, you know, having a base password and only changing a piece of it or reusing your passwords. So, you know, a lot of people are worried about password managers because of the LastPass cyberattack. But there are good password managers out there, and I highly recommend using them.

Dave Bittner: Can we touch a little bit on multi-factor authentication? You mentioned that earlier. I mean, that's a really critical part of this as well.

Frank Riccardi: It is. Multi-factor authentication is probably the best way to prevent a credential stuffing attack because, even if they have your stolen reused password, if they don't have access or they don't bypass your MFA, if they don't have that one-time numeric password, they can't get out. So it's probably the next best thing to not reusing your password and using strong passwords is to use multi-factor authentication whenever you can. And obviously, the best one is when you're using an authenticator app because you want to be careful when you use the text base on your cell phone because SIM jacking is getting to be a big problem again. And SIM jacking is one way that cybercriminals can bypass a multi-factor authentication. So an authenticator app is the best way to go. But still, you know, text-based MFA is better than no MFA.

Dave Bittner: Can you describe to us what SIM jacking is?

Frank Riccardi: Yeah. So SIM jacking is when you have a cell phone, and you have a SIM card. It can be a physical SIM card or an eSIM card. And what happens is a cybercriminal will contact your cell phone carrier. It could be AT&T, for example. And they will contact AT&T, or they'll go to the AT&T store, and they will pretend to be you. And they can find out information from you, maybe by social media or whatever. But they'll impersonate you, and they'll have a sob story, and they'll say, I lost my phone, or I need an upgrade. And they'll trick AT&T employees to transfer the SIM card to their device. Now, once that happens, all calls and texts go to them, and they don't go to you. Now, the beauty of installing an authenticator app on your cell phone, that resides on your cell phone. So that doesn't get taken in a SIM jacking attack but all your calls and all your texts would. So text-based MFA would be bypassed. And Dave, I'll also tell you, cybercriminals, they don't just have to impersonate you. They might blackmail a customer service rep. Or they might bribe them and pay them Bitcoin. And that's happened in the past. So that's an example of SIM jacking.

Dave Bittner: What do you say to the person who makes the case that, you know, if I use a password manager and someone breaks into that, then they have everything?

Frank Riccardi: You bet. That's the one problem. A password manager is a single point of failure. Now, a couple ways around that. If you have a password manager like 1Password or LastPass, and that's in the cloud, and they've both had breaches, but 1Password seems to -- seems to have handled it more transparently than LastPass. But first of all, if you have a cloud-based password manager, you just need to have a plan if there's ever a breach to migrate all your passwords out of there and change them and either do it into a non-cloud-based password like KeePass or just have a plan. Now, if you don't want to do that because you're like, I don't trust the cloud-based password managers. But I personally trust 1Password. I don't trust LastPass. But if you don't trust any of them, KeePass is good. That's not in the cloud. But if you're not a geek, if you're a non-geek user, it's pretty clunky, and it can be hard to use. And then another option that you can do, you can put your passwords in an Excel file. You can save the Excel file to an encrypted computer and then in, let's say, a laptop. And then in your laptop, you can put it in another encrypted file so it's doubly encrypted. And between the laptop encryption and then the encrypted file, which you can also hide, it's pretty safe. And then you want a couple of backups. So you want to put them on maybe a couple of encrypted jump drives. But that's an option if you're really worried about, you know, the single point of failure. You can keep them on your own laptop and on your jump drives. But again, you'd have to encrypt your laptop and put them in a file.

Dave Bittner: I've also made the case, I'm curious what you think about this, of saying that, you know, with your password manager, if you're going to use a hardware key anywhere, perhaps that's the best place to do it.

Frank Riccardi: Ah, probably. I mean, you're right. If there's any single point of failure, it's your password manager. And, you know, if that gets compromised and if you don't have a backup plan or you don't know what to do about it, or if you can't do anything about it, then you're in a lot of trouble. So yeah, I mean, you definitely want to put a lot of effort into securing your password manager. And that's certainly one way to do it.

Dave Bittner: You know, we've seen some talk about some developments, things like passkeys that are hoping to make the username-password combination a thing of the past. Are you hopeful that we're headed in that direction, that we're going to have solutions that are a bit easier for consumers and other folks to use?

Frank Riccardi: Yes, I think passwordless authentication is the future. I have that right now with Microsoft. My Microsoft operating system is passwordless, and I absolutely love it. I think Google is coming out with one in the near future. To be quite honest, Dave, we need to take, and this is probably controversial, we need to take cybersecurity out of the hands of the user as best we can because the human factor is the weakest link. And as long as users have passwords, they're going to be reusing them. They're going to get stolen. They'll get phished and tricked in a social engineering attack. And yes, I realize the argument is, but if we have passwordless authentication and Microsoft gets hacked, we're really in trouble. And so there's a single point of failure. But I still think, with users, you have millions of points of failure. And so I just have a lot of faith in Apple and Google and Microsoft. Even though they've got hacked and they've had their issues, I just have a lot of faith that they're doing the right thing. They're trying to come up with good security. And Microsoft, I'm very happy with the passwordless authentication that I have. So I think that's definitely the future. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: Interesting. Colonial Pipeline was technically a credential-stuffing attack.

Dave Bittner: Mm. Mm-hmm.

Joe Carrigan: The attackers were in that network for eight weeks. They gathered 100 gigabits of data or gigabytes of data.

Dave Bittner: Yep.

Joe Carrigan: It's interesting to me that they were there for eight weeks and didn't impact the operational technology network. And I wonder why that's the case. Is it that the OT security was good enough to keep them out? Or is it that these guys didn't want to go into the OT security?

Dave Bittner: Yeah, they might not want to draw attention to themselves, perhaps.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: And they may not have wanted to do a physical attack on a cyber-physical system.

Dave Bittner: Yeah.

Joe Carrigan: Right?

Dave Bittner: Could have just been espionage.

Joe Carrigan: Yeah, because it could have just been espionage. Exactly.

Dave Bittner: Yeah.

Joe Carrigan: Colonial never closed the VPN access for the former employee.

Dave Bittner: Yep.

Joe Carrigan: And they had no requirement for multi-factor authentication on the VPN. So it's like a cascade. Not really a cascade, but like a line of failure here.

Dave Bittner: Mm-hmm.

Joe Carrigan: You have the employee reusing a password, which you really don't have any control over.

Dave Bittner: Right.

Joe Carrigan: And then you have the failure of policy where you don't immediately revoke all access to terminated employees. And then you have the failure of policy where you don't require a multi-factor authentication for a VPN when you're accessing your own network. That should always be the case. You should have that on everything, I think. That's, you know, if you can.

Dave Bittner: Yeah.

Joe Carrigan: Of course, sometimes you can't. Maybe they couldn't. Who knows? If I were Colonial Pipeline, I would have done it.

Dave Bittner: Mm-hmm.

Joe Carrigan: I would have, you know, when the pandemic started happening, I would have made sure that was happening. I don't know. I like to sit here and armchair quarterback large corporations who have undergone massive --

Dave Bittner: [Laughing] It's easy from the cheap seats, Joe.

Joe Carrigan: It is. It is, Dave. It is. And I acknowledge that. I acknowledge that. But Frank talks about people being upset with corporate leadership for these kind of basic cyber failures. I say good, you know. If there's something here that could have made this not possible, you do any of these things, but you know, the employee doesn't reuse a password. You disable the employee's account when he leaves, and you require MFA on a VPN. None of this happens.

Dave Bittner: Right.

Joe Carrigan: The cyberattack doesn't happen. You know, it's like Rick Howard is always talking about the cyber kill chain.

Dave Bittner: Yeah.

Joe Carrigan: Right?

Dave Bittner: Yeah.

Joe Carrigan: It's that. You have all these different opportunities to stop this from happening. So it's a good opportunity, you know, take one of those opportunities. Does it matter to you? Yes, it does. And don't reuse passwords. The 23andMe breach we talked about last week and earlier in this show.

Dave Bittner: Yeah.

Joe Carrigan: And, you know, we're also talking about possible mitigations for those kind of attacks.

Dave Bittner: Right.

Joe Carrigan: Again, there's something -- there's a place where multi-factor authentication should have just been the requirement for those kind of -- that kind of information. If I'm going to store all of my customers' genetic data and give them access to it, they're going to need to use multi-factor authentication to access it.

Dave Bittner: Mm-hmm.

Joe Carrigan: Okay? Just I think that's a risk mitigation policy for me. Because you said that, in early on, there are now stories where people are saying, no, 23andMe, you're not without culpability here.

Dave Bittner: Right. Right.

Joe Carrigan: So, I mean, that's -- that's a very real possibility.

Dave Bittner: Yeah. They're being sued.

Joe Carrigan: Yeah. Are they being sued?

Dave Bittner: Oh, yeah.

Joe Carrigan: Oh, good. That's interesting. Don't have a system password. I hear this, I have a system. And I immediately think of the gambler who says they have a system, right?

Dave Bittner: [Laughs] Let me just interject here. I saw on January 1st on social media some security professional said, "Happy New Year. Don't forget to increment your passwords."

Joe Carrigan: Right. [ Laughing ]

Dave Bittner: Right?

Joe Carrigan: Now my password is password2024.

Dave Bittner: Right. Right.

Joe Carrigan: Yeah. So don't -- don't have a system. Just let your password manager generate it. Yes, a password is a single point of failure. But I use a hardware key to protect mine. Frank talks a lot about KeePass. I use KeePassXC, which is a derivative of KeePass.

Dave Bittner: Okay.

Joe Carrigan: It doesn't have any plugins, which have actually been a source of vulnerabilities for KeePass. Also, KeePass is -- KeePassXC is multi-platform, whereas KeePass is just Windows-based.

Dave Bittner: Okay.

Joe Carrigan: You can run KeePassXC on Apple, Linux, and Windows.

Dave Bittner: So is this an open-source project that somebody forked? Is that basically what it is?

Joe Carrigan: Yeah, they forked it. Yeah, these are both open-source projects, I think.

Dave Bittner: Okay.

Joe Carrigan: I know they're free.

Dave Bittner: Got it.

Joe Carrigan: KeePass is spelled K-E-E Pass, and then put X-Ray Charlie, XC, after the end of that.

Dave Bittner: Yeah.

Joe Carrigan: And you get the version that I use.

Dave Bittner: Okay.

Joe Carrigan: Enable multi-factor authentication, not just on your -- your password safe, but on anything you can.

Dave Bittner: Yeah.

Joe Carrigan: That will really protect you against these credential-stuffing attacks.

Dave Bittner: All right. Well, again, our thanks to Frank Riccardi for joining us. The title of the book is Mobilizing the C-Suite: Waging War Against Cyberattacks. We do appreciate him taking the time for us. [ Music ] [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.