Hacking Humans 2.29.24
Ep 279 | 2.29.24

Navigating the post-password landscape.


Mike Kosak: Now the good news is we are seeing it become more available, and you know, we've seen Google start to offer it, we've seen Amazon offer AWS, the use of passkeys for authorization, so you know, I think we're heading in the right direction.

Dave Bittner: Hello, everyone, and welcome to N2K Cyberwire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hi, Joe.

Joe Carrigan: Hi Dave.

Dave Bittner: We've got some good stories to share this week, and later in the show, Mike Kosak, senior principal intelligence analyst at LastPass, is talking about password managers, and securing your identity online. [ Music ] Alright, Joe, before we dig in here, just a little quick follow-up. What have you got for us?

Joe Carrigan: So I was wondering if any of our listeners who are trying to get into the cybersecurity industry would be interested in a free entry-level cybersecurity exam certification, and the accompanying training for it. So the ISC Squared, the ISC2 is offering a -- they have a new certification called the Certified in Cybersecurity, the CC.

Dave Bittner: Okay.

Joe Carrigan: So these are the people that do the CISSP and all the other more experienced certifications, but this is their new -- I don't want to say competitor, but kind of counterpart to Security Plus.

Dave Bittner: Okay.

Joe Carrigan: And they are trying to get 1 million people to get this certification and they are offering it free. They are giving you a free training course, and a free exam voucher. They only give you one exam voucher, so you got to pass on the first try.

Dave Bittner: [laughs] Okay.

Joe Carrigan: I saw this and said, hey I like free stuff.

Dave Bittner: [laughs] Okay, sure.

Joe Carrigan: Even though I'm not an entry-level person in this industry. I took the test and went through the training, all the way through the training.

Dave Bittner: Okay, yes.

Joe Carrigan: Pretty good training.

Dave Bittner: Okay, good.

Joe Carrigan: It's pretty good. And I passed the test, so now I am --

Dave Bittner: Phew.

Joe Carrigan: -- certified -- [ Laughter ] Whew! I was worried. Certified in cybersecurity. But the training is well-done. I'll say this was well-put together. And I enjoyed the experience, and the test was -- the test voucher worked just fine. So I have gone through this process. I recommend anybody who wants to go into this field who is looking for something, here is something that costs you absolutely nothing and can get you certified. Now this is not recognized by like the department of feds here in the US, like the Security Plus is.

Dave Bittner: Right.

Joe Carrigan: At least not yet. It may be down the road.

Dave Bittner: Okay.

Joe Carrigan: I would be unsurprised to see that happen.

Dave Bittner: And the other thing I like about these sorts of things and even better when they're free is that it's a nice way to see if this sort of thing actually is for you.

Joe Carrigan: Right.

Dave Bittner: You know, going through this process gives you a good sense of what you're in for.

Joe Carrigan: But I will say this, after you're done, and you pass the exam and you become a member, there is like a $50 a year membership fee.

Dave Bittner: Okay.

Joe Carrigan: That you'll have to pay when you pass the test.

Dave Bittner: Okay.

Joe Carrigan: So it's --

Dave Bittner: They like hold your certificate hostage or something for 50 bucks?

Joe Carrigan: I think so, yes. Something like that.

Dave Bittner: [laughs] Okay. Alright. So nothing is actually free in this world, Joe.

Joe Carrigan: Right, right. They're making you a member and paying 50 bucks a year, but the certification is -- I mean getting the certification, going through all that process, is completely risk-free for anybody that wants to take it.

Dave Bittner: Yes. Sounds like a good value.

Joe Carrigan: I would say so, yes.

Dave Bittner: Alright. Alright, very good. We'll have a link to that in the show notes.

Joe Carrigan: Yes, we will.

Dave Bittner: Joe, we want you to kick things off for us here. What's your story?

Joe Carrigan: So I -- my story comes from The Washington Post. And it's actually a follow-up to one of our stories for last week. It's a follow-up to Maria's story about Charlotte Coles, from the magazine in New York, the fashion magazine?

Dave Bittner: Right.

Joe Carrigan: You know, the one I never read? But --

Dave Bittner: [laughs] Just looking at you Joe, I can tell you never read that magazine.

Joe Carrigan: You're always wearing the same quarter-zip in the winter, Joe. It's -- and the thing is, I actually have a closet full of them, Dave. If I like this, I'm going to buy 10 of them.

Dave Bittner: There you go.

Joe Carrigan: So last year, consumers reported losing more than $10 billion in fraud, which is a big increase. And the FTC said some of the largest losses came due to investment scams. And another $2.7 billion of losses came from imposter scams like the one that Coles fell for, Charlotte Coles fell for. So this article is from Michelle Singletary. And she points out in this article that natural-born skeptics -- "natural-born" is kind of hard to say. Natural-born skeptics might shake their heads and view someone who falls for one of these scams, especially a scam where you lose $50,000 like Charlotte did, and be like, how could you do that? I mean, it's -- and I understand that reaction. It's a natural reaction. But you've got to understand how these things work. And one of the key things that Singletary is talking about here is, she had to stifle her own self-righteousness after reading Charlotte's article, because she reminded herself of how she got scammed 23 years ago. So what happened to Michelle Singletary, she was going to the gym to I think do some kind of aerobics.

Dave Bittner: Okay.

Joe Carrigan: Right? She puts her purse, leaves her purse in the car, and then while she's in the gym, the gym gets a phone call, and they're paging her by name. So she goes to the front desk and she gets the -- answers the phone, and the guy identifies himself as the manager of her bank, of a branch of her bank. And he says, are you missing your purse. And she goes, [gasp] I don't know. So she runs out to her car. Her window is broken, purse is gone.

Dave Bittner: Oh no! Wow.

Joe Carrigan: Right? So she goes back in and she goes as a matter of fact, I am missing your purse. And this guy on the phone says, well, we caught the guy who stole your purse when he came to the bank and he tried to use your ATM card to get money out.

Dave Bittner: Okay.

Joe Carrigan: So we have him here. Just to make sure, how much money did you have in your wallet before you were gone -- before your purse was stolen. She says I had X number of dollars. And they're like, well that money is no longer in here. What else was in your purse? And she starts listing off items. Now this guy sounds very professional. He says, one of the things that tipped us off was the broken glass in the purse. Just for verification, could I get the PIN number on your ATM card? And she is already in the loop with this guy. Needless to say, all of our listeners know, the guy calling her is the same guy that broke the window.

Dave Bittner: Wow.

Joe Carrigan: Right? He watched her go into the gym, smashed the window, and then came out -- all he had to do is look up or know the phone number of the gym. He got all of her personal, identifiable information.

Dave Bittner: Oh right. He's got her driver's license --

Joe Carrigan: Driver's license, her wallet, her credit card. Knows what bank he's supposed to impersonate. Very simple scam.

Dave Bittner: Right.

Joe Carrigan: Right? Not as complex as the one that affected Charlotte Cowles or Coles. I'm sorry, I'm butchering your last name. But not as complex as the one that affected Charlotte, where they kept her on the phone for five hours.

Dave Bittner: Yes.

Joe Carrigan: This guy was probably on the phone with her for, like, 15 minutes. And then he runs and he immediately withdraws $500 out of the bank account and gets an extra 500 bucks out of her.

Dave Bittner: Right. And at no point did it strike her that it was odd that her bank knew to call her at the gym.

Joe Carrigan: Never occurred to her that that was odd.

Dave Bittner: Yes.

Joe Carrigan: Right. How'd they know that she was at the gym? That is -- that should have been a red flag, right? Yes, how do you know I'm here?

Dave Bittner: But I can see her easily letting that go upon the person on the other end of the line telling you --

Joe Carrigan: Yes, I'm from your bank.

Dave Bittner: You're from the bank and we're here to help, right? Right.

Joe Carrigan: So Michelle Singletary's big thing here is that she shared her story back in 2001, and received similar feedback from what Charlotte Cowles is saying [inaudible 00:08:37] right? Like, how could you be so silly to fall for this? And she says a couple of good sentences towards the end of this article. "We silence victims by shaming them. We need more people willing to come forward to help combat this epidemic of financial crimes. But they won't talk about how they fell for the fraud if we are judgmental."

Dave Bittner: Yes.

Joe Carrigan: Every story serves as a cautionary tale to others, which is something you and I have been saying on this show for a long time. So Michelle Singletary is 100% correct here. And the last line of this article is, you should put away your smugness because there are swindles out there that are going to work on you.

Dave Bittner: Yes.

Joe Carrigan: Put Away Your Smugness is the title of this, which I really think is a great title for this headline -- for this article.

Dave Bittner: It is.

Joe Carrigan: It's kind of an opinion piece, and I don't -- you know, like I say, I don't like reading opinion pieces, but I guess when they agree with my opinion, Dave, I sure like reading them.

Dave Bittner: [laughs] That's right. [ Laughter ] You know, just earlier today I was saying -- I was chatting with somebody over on Mastodon about how one of the things that I like least about the online cybersecurity community is that there is a small subset of folks who have this sense of smug superiority.

Joe Carrigan: Yes. Yes, there is.

Dave Bittner: And I just can't stand it. [ Multiple speakers ]

Joe Carrigan: It's counterproductive. It's counterproductive.

Dave Bittner: And it's become a stereotype.

Joe Carrigan: Yes.

Dave Bittner: I don't know if you remember the bits on Saturday Night Live?

Joe Carrigan: Yes, I was just thinking about those.

Dave Bittner: The IT guy who would come and be --

Joe Carrigan: Move!

Dave Bittner: -- would say, move [laughs]! Yes. Right.

Joe Carrigan: That's exactly what I'm thinking of.

Dave Bittner: Right, right. But it's this idea that, you know, you're not a victim, you're an idiot.

Joe Carrigan: Right.

Dave Bittner: And oh God.

Joe Carrigan: There's a reason that SNL skit was hilarious.

Dave Bittner: Right.

Joe Carrigan: It's because it's true.

Dave Bittner: Yes.

Joe Carrigan: It's -- I mean, you might add that it's stereotypical. That not all the cybersecurity practitioners are like that. I certainly try not to be.

Dave Bittner: Yes. But enough of them are --

Joe Carrigan: Enough of them are --

Dave Bittner: That we got the joke.

Joe Carrigan: That we got the joke. Exactly.

Dave Bittner: Yes, yes. I do feel like it's changing. I feel as though with the continued professionalism that is coming to cybersecurity where it's no longer that superhero person who is a national treasure, who you know, has been doing this since they were a teenager, and they had a -- you know, like wrestlers and rappers, they have a code name.

Joe Carrigan: Right.

Dave Bittner: You know?

Joe Carrigan: That has lots of 7s and plus signs in it.

Dave Bittner: Yes. Space wizard or something. But that because we're falling out of that era, and we're falling into the era where it's just a traditional job. You're coming up through -- you're getting trained, you know, either a trade school or college or whatever. And businesses aren't just going to go with that anymore. You can't act that way towards your coworkers.

Joe Carrigan: No, you can't. If you think about the plumber, you know, the plumber that comes to your house when you've got a clog down there, you know, I know plumbers that work in commercial business, and when they come into residential, they are like that. They're like why, why did you put the grease down the sink like that? Why did you do that? The residential plumbers are like, aw, it's okay. I'll take care of it.

Dave Bittner: Yes.

Joe Carrigan: Because they know, that'll be $300.

Dave Bittner: Right. [ Laughter ] Right, right. Yes. What is -- I mean -- anyway. I could complain about this all day, and it is something that just gets under my skin.

Joe Carrigan: Yes, I'm with you on that 100%.

Dave Bittner: It's just unnecessary. It's a shame, and it's not helpful. There's no reason --

Joe Carrigan: They got to realize that the reason we do this is to protect the people doing their business or going about their lives.

Dave Bittner: Yes.

Joe Carrigan: And it doesn't serve anybody, either in the industry or out of it to ridicule those people when they are victimized by a scammer.

Dave Bittner: Right. Right. They've gone through enough.

Joe Carrigan: Yes. Absolutely. That's one wringer. Don't put them through another one.

Dave Bittner: Right. Right. Absolutely. Alright, interesting stuff. Well, my story this week is actually about Costco. Joe, do you have a Costco membership?

Joe Carrigan: I do, Dave.

Dave Bittner: Okay.

Joe Carrigan: They let me wear my sunglasses when I took my picture for the back of the card.

Dave Bittner: That's adorable, Joe [laughs].

Joe Carrigan: Big cheesy smile.

Dave Bittner: There you go.

Joe Carrigan: The only picture on any ID card I'm actually smiling.

Dave Bittner: Okay.

Joe Carrigan: I'm not smiling in my driver's license, Dave.

Dave Bittner: Okay.

Joe Carrigan: That's because I'm at the MVA.

Dave Bittner: So for folks who may not be familiar, Costco is certainly, I don't know, they may be the largest membership club in the US. Certainly one of them. There's Costco. There's BJ's. There's -- are there any other ones? I can't --

Joe Carrigan: Sam's Club.

Dave Bittner: Sam's Club. There you go.

Joe Carrigan: That's the one that's run by the Walton family. It's Walmart.

Dave Bittner: Right. Right. Right. So this is one of those big warehouse stores where you pay an annual membership fee and then you go in and you can buy a six-pack of lawn tractors.

Joe Carrigan: Right. Right.

Dave Bittner: Right?

Joe Carrigan: And Dave, you can get a foot long hotdog and a Pepsi for $1.50.

Dave Bittner: There you go.

Joe Carrigan: Awesome.

Dave Bittner: It's a great country or what?

Joe Carrigan: Yes.

Dave Bittner: Yes. So it's an article pointing out that there's a Costco membership email scam that is targeting members' credit card information. And evidently, this is a highly effective phishing scam.

Joe Carrigan: Really?

Dave Bittner: So what happens is, you get an email. It tends to be from Costco. Very well-formatted, very well-worded. There really aren't any red flags about this. And they're claiming that your Costco membership has expired. And then they urge you to sign up for a free 90-day membership extension.

Joe Carrigan: Ah! So that would be the first red flag for me.

Dave Bittner: Yes?

Joe Carrigan: Because I know that's not -- part of Costco's business model is the membership fee.

Dave Bittner: Right.

Joe Carrigan: Right? They're not giving away that membership for free.

Dave Bittner: Yes. So when you go for this free extension, they want you to enter your credit card information and all of your personal information.

Joe Carrigan: Right.

Dave Bittner: So that's the scam.

Joe Carrigan: Yes.

Dave Bittner: So the article goes on and talks about how legit it looks. They got some advice from the Better Business Bureau who say you should contact Costco directly, or visit the official website to check for membership changes. In other words, don't click on any links that are in an email that you get from someone who claims to be Costco.

Joe Carrigan: Failing that, you can walk into the Member Service Center.

Dave Bittner: There you go [laughs]. I wonder how many people get this scam who aren't actually Costco members at all.

Joe Carrigan: That's an excellent question.

Dave Bittner: Probably a lot.

Joe Carrigan: Yes. Sounds like it's just one of those broad net phishing scams.

Dave Bittner: Yes.

Joe Carrigan: They send out a million of them, and if 100,000 of those people are Costco members, it's going to catch their eye.

Dave Bittner: Right. So here's the thing about this, Joe. I saw this story, and I thought this would be nice for "Hacking Humans," but I thought there's really not too much here, so I'm going to have to go hunt down a second story to flesh out, you know, my part of the show today.

Joe Carrigan: Right.

Dave Bittner: But as I was researching this, and I was on Costco's website, what I discovered is, they have an entire page on their website that's dedicated to currently known scams.

Joe Carrigan: Ha.

Dave Bittner: This is amazing.

Joe Carrigan: This -- that -- come on, let me check this out.

Dave Bittner: So this has fraudulent websites, fraudulent card notification, fraudulent Autumn giveaway email, fraudulent Facebook offer, fraudulent survey texts, fraudulent satisfaction survey. It goes -- the list goes on and on. Free television. Exclusive giveaway. USPS scam. Letter survey. Like -- and they have screen grabs from all of them. Amazing, right? Right! Yes! Why isn't everyone doing this?

Joe Carrigan: I don't know.

Dave Bittner: [laughs] So I was so pleasantly surprised that -- because it seems to me like many retailers pretend like this isn't happening.

Joe Carrigan: Right.

Dave Bittner: Like, but somehow by acknowledging it, somehow it's going to hurt their reputation, or I don't know, somehow align them with the bad guys.

Joe Carrigan: There are bad guys out there impersonating us. Let's pretend they don't exist.

Dave Bittner: Right. Right. We'll just stick our fingers in our ears, and whistle, and walk away.

Joe Carrigan: Yes.

Dave Bittner: So to see Costco getting in front of this.

Joe Carrigan: Right.

Dave Bittner: And as you look, scroll down, there's just screen grabs of all the different stuff that people have sent them.

Joe Carrigan: Fake interview confirmation.

Dave Bittner: Right. This is wonderful! Loyalty rewards, overcharge reimbursement text messages. Surveys with exclusive offers. Like I said, a free television. Just -- interviews. You know, like if you want a job at Costco, there are fake interview scams. Of course. And they're all right here for the looking. Joe, we could do an entire year's worth of "Catch of the Day"s just from everything that's listed here on the Costco website. So we're going to have a link to this in the show notes. I recommend folks go through, look through it. You know, this would be a great thing to send to your friends and family, because of the wide spectrum of scams that are all listed here.

Joe Carrigan: Yes.

Dave Bittner: And you know, they've got the bad things pointed out about them. This is really a nice resource.

Joe Carrigan: I have never been more proud to have a membership at a store than I am right now.

Dave Bittner: [laughs] Okay [laughs].

Joe Carrigan: This is very well done. This is excellent, and like you said, Dave, all these other retailers, like Walmart and Target and whoever else --

Dave Bittner: Yes.

Joe Carrigan: They do -- you're right, it's as if they think that if by saying, hey there's a scam, they're going to scare business away. But Costco's like hey, look, doesn't matter who you are. People are going to impersonate you. There are bad people out there trying to do that.

Dave Bittner: Right.

Joe Carrigan: Pay attention to what we have to say here about what these fake things look like.

Dave Bittner: Yes. Yes.

Joe Carrigan: This looks like a genuine customer education campaign.

Dave Bittner: Right. I would say, Joe, that you know, maybe Costco could send us a free coupon for a free hot dog or something.

Joe Carrigan: That'd be nice.

Dave Bittner: Then I'd know it's not a scam [laughs].

Joe Carrigan: How do we know it's not a scam? Right?

Dave Bittner: Exactly.

Joe Carrigan: Maybe next time I walk in, they'll go oh Joe, come with me.

Dave Bittner: Right. I'm just picturing you, you know, striding up to the hot dog stand with your coupon for the free -- [laughs] free hot dog. Very happy, pleased with yourself. And then oh, I'm sorry Mr. Carrigan, this is a scam.

Joe Carrigan: I paid $100 for this! What? I'm supposed to get free hot dogs for life!

Dave Bittner: Right. Exactly. I gave them all my credit card information. Oh my. Alright, well, that's what I have.

Joe Carrigan: Like I said, it can happen to the best of us. It happens to everybody, and that would be something that would work on me.

Dave Bittner: [laughs] What would it take for Joe to get scammed? A free hot dog. That's about it. [ Laughter ]

Joe Carrigan: Free hot dogs.

Dave Bittner: Free Costco hot dog [laughs].

Joe Carrigan: Let me tell you an honest, true story, Dave.

Dave Bittner: Okay.

Joe Carrigan: When I was a kid, I was watching TV and there was this car lot, like used car thing.

Dave Bittner: Yes.

Joe Carrigan: Right?

Dave Bittner: Sure.

Joe Carrigan: And he's like, hey kids, tell your parents to come on down. We got free hot dogs at this place. And I'm like hey Dad -- [ Laughter ] My dad's like, hey, what are you kidding me? For a free hot dog I got to sit and listen to a used car salesman?

Dave Bittner: Right [laughs]. Load the family in the car.

Joe Carrigan: Right.

Dave Bittner: Go down to the car dealer.

Joe Carrigan: Well. This is a lure that has worked on me already at least once.

Dave Bittner: I see. So you -- you're self-aware at least.

Joe Carrigan: Yes.

Dave Bittner: So that's good [laughs].

Joe Carrigan: Yes.

Dave Bittner: Alright well, that's my story. We will have a link to that original Costco membership email scam, and then also the page with all of their currently known scams. And of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@N2K.com. Joe, it's time to move on to our "Catch of the Day." [ SOUNDBITE OF REELING IN FISHING LINE ] [ Music ]

Joe Carrigan: Dave, our Catch of the Day comes from Pryce. He says, as much as I want to download and click all the links, I'll leave this one alone to the experts. So it's one of those Norton LifeLock invoices.

Dave Bittner: Yes.

Joe Carrigan: Well, it's got a lot of red flags.

Dave Bittner: [laughs] Okay. It sure does. [laughs] It starts off and it says, "we have received the request of Nor Ton payment as you have made is successfull." Okay.

Joe Carrigan: Right.

Dave Bittner: One sentence, Joe.

Joe Carrigan: That's right.

Dave Bittner: First of all, Norton is Capital N-o-r, capital T-o-n, Nor Ton [laughs]. Not kilograms.

Joe Carrigan: Right.

Dave Bittner: Not ounces. Nor Tons. "As you have made is successfull," alright? Did they misspell successful? I'm a terrible speller.

Joe Carrigan: This is an image, so I can't tell.

Dave Bittner: Should successful have two L's at the end?

Joe Carrigan: I don't think it does. I think it only has one L.

Dave Bittner: Yes, okay.

Joe Carrigan: I don't even know if it has two S's and two C's, but I think it has two Cs.

Dave Bittner: I think it does, yes. But I think there's only supposed to be one L on the end.

Joe Carrigan: In fact, I'm going to go ahead and say I know this is not the case, because the anecdote I've always heard is that "bookkeeper" is the only word in the English language with three double letters -- or maybe it's three consecutive double letters.

Dave Bittner: Okay. It goes on. It says you do not need to take any action. We just wanted to let you know.

Joe Carrigan: Awful nice of them.

Dave Bittner: [laughs] But it's a summary. It has an order ID. Product name: total AV Ultimate Anti-virus. Payment methode -- so method --

Joe Carrigan: Like a cathode.

Dave Bittner: Right, exactly. So methode -- [laughs] you got your cathode ray, you got your methode ray --

Joe Carrigan: And your anode ray.

Dave Bittner: Your anode ray -- yes. It says auto in debit total, $566.69 US dollars. Nice.

Joe Carrigan: Right.

Dave Bittner: Order status: confirmed.

Joe Carrigan: Confirmed. Good to know.

Dave Bittner: Your recent payment will done within 24 hours on February 20th, 2024. The amount will take 24 hours to appear in your bank statements. So worth noting that this says, don't bother looking at your bank statement, because they're preloading you to think that if you don't see it there, that's normal.

Joe Carrigan: Right. It says contact us if you want to modify or cancel your plan. That part has perfect English.

Dave Bittner: It does. And then there's a phone number.

Joe Carrigan: There's a phone number that's oddly spaced with lots of parentheses, so it makes it through your spam filter.

Dave Bittner: Right. Well, and because most of the time, if you're going to put brackets around -- or I guess they're parens -- you're going to put parentheses around any part of a phone number, it's the area code.

Joe Carrigan: Correct.

Dave Bittner: Although even that is kind of falling out of publishing style, I would say.

Joe Carrigan: Yes. I just see it now with dashes.

Dave Bittner: Yes. So -- but they have parens around everything. Or each cluster of numbers.

Joe Carrigan: Yes.

Dave Bittner: No dashes. And they are oddly set apart with a ridiculous number of spaces between them.

Joe Carrigan: Indeed. And that is so that it does not look like a phone number to the spam filter.

Dave Bittner: I see.

Joe Carrigan: That's why that is.

Dave Bittner: Yes. Alright. Well that --

Joe Carrigan: That was a good one.

Dave Bittner: Short and sweet, but fun and --

Joe Carrigan: So chockfull of grammatical errors.

Dave Bittner: It is, yes. Absolutely. Alright, well thank you, Pryce, for sending that in. We do appreciate it. And once again, if there's something you want us to consider, do email us. [ Music ] Joe, I recently had the pleasure of speaking with Mike Kosak. He is a senior principal intelligence analyst at LastPass. And we're talking about one of our favorite subjects, password managers.

Joe Carrigan: Alright.

Dave Bittner: We also talk about things like passkeys and just a general conversation about keeping yourself safe online, your identity safe online. Here's my conversation with Mike Kosak.

Mike Kosak: Passkeys, you know, are certainly the hot topic. We're -- basically we're at the start of the technology adoption lifecycle there, I think. You know? They're becoming more commonplace, but we are still in the early stages. And when we from a threat intelligence perspective look at that, and when we kind of want to look at the future and see where things are going, what we expect to see is the increasing adoption of passkeys. As people start to use them more and more, that's going to fundamentally change the cyber threat landscape because it really sort of forces threat actors off their game to move away from credential theft to legitimate credentials, which you know, as you know have played such a huge role in so many breaches. And more towards session tokens. That's more where we see them going. So we're starting to see this take place now. We're seeing the bow wave of this as session hijacking trends are starting to increase. And that's something that we expect to see continue which -- and this is really a reflection of the typical arms race that you see when one thing is -- you know, one aspect of security is addressed, you know, or changes. We see threat actors change their game to try and -- it becomes fundamentally an arms race between cyber defenders and cyber attackers as they try and find the next hole.

Dave Bittner: You mentioned session hijacking. Can we dig into that a little bit? What exactly goes into that, and why have so many threat actors pivoted to take that approach?

Mike Kosak: Sure. So you know, any time you set up a communication through HTTP, you're assigned a session token. Then that sort of identifies you and who you are and what you're talking about and that sort of thing, you know, to use colloquialism. So that session token that identifies you and who you are becomes a target, becomes oftentimes it can be used to get around authentication and kind of, you know, jump right in to an active session and allow an attacker to pick right up and access where you were and whatever you were doing on whatever site you were on, whatever account you were on. So that's fundamentally it. It allows them to kind of jump the line, jump through authentication, and kind of jump right in to your account, or whatever site you were on. So what we see already is, you know, info stealers, which have certainly grown in use, and over the last few years. We see them targeting session tokens now too. And we see them being sold on the dark web in these info stealer logs. They're being stolen from, you know, from peoples' computers. And then used and sold on the dark web so that people can -- you know, so people can use them for attacks.

Dave Bittner: And does the adoption of passkeys -- does that help protect us against session hijacking?

Mike Kosak: It doesn't necessarily. So it takes -- you know, it's one of those things where session hijacking is still a relatively small part of -- you know, of initial attack vectors. It's you know, still really the lion's share is focused on legitimate credentials. But this is where we kind of, when we start to look to the future, you know, we expect to see that ratio change, fundamentally over time. So you know, we see it now. We see the early adoption. We see the trend up. But there are other steps that companies will, you know and other organizations will probably need to take. Just to kind of check the doors and windows for, you know, their own session security. As those TTPs, those tactics, techniques, and procedures change.

Dave Bittner: Yes, you mentioned that it's still kind of early days when it comes to passkeys. And you know, my experience is, there's a lot of talk about it and I think some genuine excitement, but the adoption is a little bit slower, which I guess is a natural thing with something that's new like this. Are there any particular barriers that are keeping folks from jumping in with both feet here?

Mike Kosak: You know, I think a lot of it is just sort of comfort and familiarity. Those are probably the two biggest. LastPass and FIDO did some research on this and released it late last year. And really that was a lot of what we found is sort of the biggest barrier to entry right now, at least among organizations was familiarity and comfort with it. Just learning more about it and how to adopt it and how to roll it into their existing tech stack. The interesting thing with this, too, is you know -- so that's from the defensive side. When we look in the dark web at some of the conversations that are happening in cyber criminal forums or chat rooms and stuff like that, we see threat actors talking about this too. And exactly to your point, Dave, part of what they're talking about is an expectation that they don't expect to see, particularly individuals, adopting passkeys for a while. They expect to see large enterprises sort of driving that adoption. But they're sort of relying on people not picking it up. Now the good news is, we are seeing it become more available. And you know, we've seen Google start to offer it; we've seen Amazon offer AWS, the use of passkeys for authentication. So you know, I think we're heading in the right direction.

Dave Bittner: We've seen some shifts from the government in responding to some foreign adversaries. So we've seen a lot of coverage of this Chinese threat group, Volt Typhoon. And the government has taken some additional attention towards securing passwords and credentials. What's your thoughts on where we are with that right now?

Mike Kosak: Volt Typhoon in particular is just a fascinating example. And you know, to your point, we've seen some really remarkable steps by the US government and, you know, just in the last couple weeks, the announcement of construction of the KV-Botnet. Volt Typhoon is so unique, because there's this real emphasis for a nation-state threat actor, not just on cyber espionage, which is usually what these are associated with, but really fundamentally with, you know, almost for the express purpose of being able to conduct disruptive or destructive attacks in the event of a geopolitical conflict, you know? We see Volt Typhoon targeting critical infrastructure networks, or supporting sectors, which is just fascinating, and a bit of an outlier for a lot of what you see for nation-state activity. They are also associated with this really highly effective use of living off the land techniques that make them stealthy and efficient. So you know, we've seen the Five Eyes governments in the last few weeks release this guidance, both in alerts and also some joint guidance documentation. These are coming from the US, UK, Canada, Australia, and New Zealand jointly, providing really comprehensive and useful detection and mitigation strategies to defend against not just Volt Typhoon but living off the land techniques generally. And for us in particular, one of the things that's most interesting are the recommendations around password and credential management, which you know, really highlight a lot of the basic guidance that you see, but are really important. So you know, in the most recent alert, they mentioned not using -- or using complex passwords, avoiding default passwords whenever possible. This is especially a big issue with operational technology. And they specifically mention using credential managers or other means to store credentials securely on your network. Really highlighting that it's not just a matter of convenience on that credential manager aspect anymore, but really a matter of necessity.

Dave Bittner: What is on the horizon for you and your colleagues there at LastPass? As we look towards the future of password management and really managing our credentials in general, where do you suppose we're headed?

Mike Kosak: You know, I think passkeys is where we're headed. It's the way of the future and moving more towards unified credential management. So making it easy to use passkeys. Making it easier than ever to use passwords, and really sort of adopting with the market as it changes.

Dave Bittner: You know, for our listeners, what are your words of wisdom here for ways to not only protect themselves, but you know a lot of our folks are concerned about their parents, their loved ones, their friends and family? That sort of thing. Any tips for them?

Mike Kosak: Absolutely. You know, I can't stress enough the importance of protecting your credentials, you know? It's often -- it's far too easy to kind of get into the habit of just reusing passwords or using what's simple. You know, that's really -- that's the way threat actors are getting in the front door, so the more you can do to protect yourself right there, and kind of stop the cyber kill chain at that first aspect, the better off you are. And that -- you know, that's not just for individuals, that's for companies, you know, really any organization or individual out there. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: I like that passkeys are going to be implemented. I want this to happen faster.

Dave Bittner: Yes.

Joe Carrigan: I would like passwords to go away. I don't know that that's going to happen any time soon, and I'll touch more on that as we get through these comments here. But one of the things that's going to happen is, this is going to make the bad actors move to session hijacking.

Dave Bittner: Okay.

Joe Carrigan: Because phishing is pretty effective in getting user name and password. And if you're using -- just user name and password with no multi-factor authentication, they've got you. And they're going into your account and that's it. That's all. They're going to do whatever they need to do. It depends on whether or not it's a Facebook account, email account, whatever. They're just going to be abusing that account. So when it comes to session hijacking, particularly on web based systems, like let's say your social media accounts. You like Mastodon, right?

Dave Bittner: Yes.

Joe Carrigan: So that's a website you go to.

Dave Bittner: Right.

Joe Carrigan: Let me explain a little deeper what a session token is. And I'm going to not get too technical, but it's basically a cookie. So there's -- in a web application there's two main pieces. There's the web server and the web client. The web server says here's a cookie. And the web client goes, I'll give this back to you next time I send a request. And that's what happens. That's all it is.

Dave Bittner: Okay.

Joe Carrigan: There is really no session on a web application. That is all an illusion. And these cookies and these session tokens that are stored within those cookies that are just lines of text -- that's all they are -- they're the thing that creates the illusion of a session.

Dave Bittner: Okay.

Joe Carrigan: So if I can get that cookie from somebody, that session ID, I can then pretend to be that person. Usually what happens is, I'm just going to steal all their cookies, right?

Dave Bittner: Okay.

Joe Carrigan: And then set them in my browser, appropriately. Then connect to the website again. And the website will think that the user whose cookies I've just stolen has connected from a different IP address.

Dave Bittner: Is there typically any encryption or anything with these session tokens?

Joe Carrigan: The session tokens are encrypted usually, when they go across the network.

Dave Bittner: Okay.

Joe Carrigan: Right? So when everything is packed up into an HTTPS packet, that is actually just going into an HTTP packet that gets encrypted in the TLS layer, right?

Dave Bittner: So while it's in transit --

Joe Carrigan: While it's in transit.

Dave Bittner: It's encrypted.

Joe Carrigan: Gets encrypted.

Dave Bittner: But when it's sitting on my computer, it's not.

Joe Carrigan: It's not encrypted, and when it's on the website at the other end, it's not encrypted.

Dave Bittner: Okay.

Joe Carrigan: So if I can just get into your memory or even just open up the browser and look through what you have there, it's just text.

Dave Bittner: Right, okay.

Joe Carrigan: Just ASCII text. So that's why it's possible to steal these things.

Dave Bittner: Okay.

Joe Carrigan: And there's software out there called info stealers that do this. A couple of weeks or months ago, I had a story about a friend of mine who had his Discord taken over. And the reason that worked is because apps like Discord and Slack, there's a development environment called Electron, which is really just a development environment that sits on top of Chromium, which is the browser underneath of Chrome. It's also the browser underneath of Edge, Opera, and Brave.

Dave Bittner: Kind of the engine that --

Joe Carrigan: It's the engine.

Dave Bittner: Yes.

Joe Carrigan: Right. But that engine manages all these cookies.

Dave Bittner: Okay.

Joe Carrigan: So if I can get onto somebody's computer and get into all their Chromium instances whether that be Discord, Slack, Chrome Op, Chrome browser, Edge, Brave, whatever. I can steal their info and then impersonate them.

Dave Bittner: Okay.

Joe Carrigan: But this is a lot harder to do than just leading someone to a phishing site and collecting their user name and password.

Dave Bittner: I see.

Joe Carrigan: The big problem here is that if I'm going to impersonate you, I'm going to impersonate you after you've done your multifactorial authentication. There are some technical implementations that can be done here, but I think that will add friction, a lot of friction on the ones that come to my mind immediately would add friction for the users. I've conceived -- you know, I've been thinking about this a lot today, actually, about how would you solve this problem. And I've got a couple of ideas in my head about how you do it server side. But suffice to say it would not be an overnight migration.

Dave Bittner: Okay.

Joe Carrigan: It's interesting to me that over at LastPass, their research shows that these bad actors don't think the average person's going to use passkeys. And I don't know if I agree with that. I think there will be some kind of software solution that comes down the line that makes it easy for the average person to do. I also think that might be one of those single points of failure that could be exploited. I don't know. But if you are -- if you can get in front of the -- have the technical wherewithal to get out in front of this, and start using passkeys, do that now.

Dave Bittner: Like so if you are on the leading edge of the passkey transition --

Joe Carrigan: Right.

Dave Bittner: Does that make you less low-hanging fruit than someone who's not?

Joe Carrigan: Correct. It does. For the time being, yes.

Dave Bittner: Yes.

Joe Carrigan: When the majority of people are using passkeys, you're going to be at the same level of -- fruit-hanging? Is that --

Dave Bittner: Hangage. Danglage. Yes.

Joe Carrigan: Something Mike said in passing is very true. Using some manner of credential management is imperative, especially in operational technology. This is the cyber physical stuff. These are things like critical infrastructure, or even if you're not critical infrastructure, like manufacturing.

Dave Bittner: Yes.

Joe Carrigan: All of these data systems and industrial control systems.

Dave Bittner: All the automated valves and widgets and all the things that open and close and keep civilization purring along.

Joe Carrigan: Yes. Absolutely. And I am disheartened. I was going to say I can't believe, but I absolutely can believe this. I'm still disheartened that we have to caution people against using the default password in the operational technology world.

Dave Bittner: Yes.

Joe Carrigan: That's the basic. Another thing, while we're talking about operational technology, is this alert that you guys discussed from CISA about Volt Typhoon should be a warning to everyone in the critical infrastructure industry, including the smaller companies. These guys are 100% coming after the smaller companies. So they know you don't have the big cybersecurity budgets, so don't think that you're too small that these guys don't care about you. You are exactly who they care about. There are probably people specialized in getting into your systems and they may be less experienced people on the team. But they are there to get into the smaller contributors in the critical infrastructure world. So do the things that you can do that are cheap or free. Air gap your operational technology if that's possible. That's one of the biggest things you can do. Change the password from the default password. Change your password from the default password. How many times should I have to say this, Dave? Change your password -- use a password manager, and if it's possible, use multifactorial authentication.

Dave Bittner: Yes.

Joe Carrigan: Those are really the best things you can do right off the bat to again, move yourself up that fruit tree so you're not hanging at the bottom of it.

Dave Bittner: There you go [laughs]. Alright, well our thanks to Mike Kosak. He is the senior principal intelligence analyst at LastPass. And we do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. Our executive producer is Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]