Hacking Humans 3.14.24
Ep 281 | 3.14.24

Cyberattack chaos and the impact on families.

Transcript

Catherine Murphy: We need a backup plan. One of the things that parents of chronically ill kids have is that you have a care plan with your hospital. And I think that this now needs to be a part of it.

Dave Bittner: Hello, everyone, and a warm welcome to the "Hacking Humans" podcast brought to you by N2K CyberWire. Every week, we delve into the world of social engineering scams, phishing plots and criminal activities that are grabbing headlines and causing significant harm to organizations all over the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share and, later in the show, my conversation with Catherine Murphy. She's one of my colleagues here at N2K. She's talking about the personal impact of the cyberattack on the Lurie Children's Hospital. [music] All right, Joe, we are going to jump right into our stories this week. And I saw an article from The Washington Post here that caught my eye. And this is one of their travel writers who is talking about, well, how hard it is to get the correct phone number for airline customer service these days.

Joe Carrigan: Well, Dave, why would a company that you give thousands and thousands of dollars to ever want to talk to you?

Dave Bittner: Well, once they get the money.

Joe Carrigan: Right.

Dave Bittner: Right.

Joe Carrigan: I mean, they got the money, Dave.

Dave Bittner: Yeah.

Joe Carrigan: Why do you need --- why do you need to talk to customer service?

Dave Bittner: True.

Joe Carrigan: Just get on the plane, Dave.

Dave Bittner: Right. What a world.

Joe Carrigan: Right.

Dave Bittner: What a world. Get on the plane and hope that we put all the bolts in it. Right?

Joe Carrigan: Hope that the doors don't fly off.

Dave Bittner: Quit your belly aching, that's right.

Joe Carrigan: As we ascend. Don't sit --- now nobody wants to sit in the exit rows anymore.

Dave Bittner: Well, that --- oh, yeah.

Joe Carrigan: Have you noticed that?

Dave Bittner: That's true.

Joe Carrigan: Yeah.

Dave Bittner: That's funny. So, what's happening here is something we've described before, but I don't think we've ever addressed it directly with airlines themselves. And that's part of what caught my attention here is that if you go to Google and you say, you know, "customer service Delta Airlines," ---

Joe Carrigan: Right.

Dave Bittner: There is a good chance that one of the first things, if not the first thing, that's going to pop up is a paid advertisement ---

Joe Carrigan: To a scam site or to a scam number.

Dave Bittner: Right. But it'll say, you know, "Delta Airlines customer service, we are looking forward to taking your call," or something like that, and then it'll have a phone number.

Joe Carrigan: And that should be the red flag, "we're looking forward to taking you for a ride." I'm being facetious here.

Dave Bittner: So, what happens if you call that number is someone will answer the phone and they will likely say, "Hello. Thank you for calling, you know, Delta Airlines. Your call is important to us. How may I help you today?" And, by --- and, by the way, I'm just using Delta randomly here. Obviously, I'm not, you know, pointing them out as being better or worse than any of the other airlines.

Joe Carrigan: Right, right.

Dave Bittner: But you'll get this person on the line who will sound to all the world as if they are a Delta Airlines representative and they will be happy to take your information or try to work with you with whatever is going on. And odds are, over the course of that conversation, they're going to say to you something like, "Well, listen, just to verify your identity, I need to get a little information from you."

Joe Carrigan: Yes.

Dave Bittner: Right?

Joe Carrigan: Of course.

Dave Bittner: Including your credit card number ---

Joe Carrigan: Yeah.

Dave Bittner: Or your Social Security number or your ---

Joe Carrigan: What credit card did you use to book this flight?

Dave Bittner: Right. Your passport information ---

Joe Carrigan: Yeah.

Dave Bittner: Anything that they could use to --- you know, the personal information that they could then try to sell. Sorry, I've got to --- I've got to get Fred --- Fred, get out of my trashcan. Fred the dog is with us here today. And, all right, Fred.

Joe Carrigan: I'm sorry.

Dave Bittner: It's okay. Fred's welcome. Fred's just --- Fred's a big dog and he's also very insistent. Fred now has his head resting on my leg because he wants me to pet him.

Joe Carrigan: Oh, yeah. And he'll leave it there until you stop petting him and tell him to go lay down.

Dave Bittner: Fred is Joe's dog ---

Joe Carrigan: Yes.

Dave Bittner: And he's visiting us here today in the studio. And he's very welcome. All right. So, the folks from Washington Post, they reached out to Google to say, "Hey, why is this still a thing?"

Joe Carrigan: Right.

Dave Bittner: Right?

Joe Carrigan: Isn't --- now, hold on just a minute. Does Washington Post --- you think the people in Washington Post listen to this podcast where we constantly yell to Google, "Hey, why is this still a thing"?

Dave Bittner: I don't know, but I'll go out on a limb here and say that Google is more likely to take The Washington Post's phone call than ours.

Joe Carrigan: Yes.

Dave Bittner: Just because of that banner ---

Joe Carrigan: Right.

Dave Bittner: Up on the masthead.

Joe Carrigan: Yes.

Dave Bittner: Google says that these sorts of scams are extremely rare, but they did not want to define what constitutes an acceptable rate of occurrence.

Joe Carrigan: Right.

Dave Bittner: I would say zero.

Joe Carrigan: Yeah, that would be acceptable to me. And they're so rare, Dave, I've actually dialed the number like three --- dialed a scam number three or four different times.

Dave Bittner: Yeah.

Joe Carrigan: And, so, no, they're not rare. They're a frequent occurrence.

Dave Bittner: Yeah. And, of course, they recommend what we've talked about here many times, which is go to the airline's website that you are aware of, type it in manually if you have to and look for customer service from there.

Joe Carrigan: Right.

Dave Bittner: One of the things that this points out that I hadn't really thought about is quite often if you're trying to get a hold of an airline, you are in a situation of some stress.

Joe Carrigan: Yes.

Dave Bittner: In other words, maybe your flight was just cancelled ---

Joe Carrigan: Right.

Dave Bittner: Maybe you missed a flight, maybe you missed a connecting flight. And, so, you're trying to set things right as quickly as possible. And that's something that these scammers take advantage of is your heightened emotional state when you are trying to make this phone call.

Joe Carrigan: Yeah. When I miss a connecting flight or miss a flight out of a place, I usually talk to the people right there in the airport though. But I've noticed that when I'm doing that, there are people around me on the phone.

Dave Bittner: Right.

Joe Carrigan: You know?

Dave Bittner: Yeah.

Joe Carrigan: It's amazing.

Dave Bittner: Yeah, well, you know, everybody's got a system, everybody's got the way that they think works for them ---

Joe Carrigan: Yep.

Dave Bittner: And there's nothing wrong with that. And I suppose the folks who are on the phone are taking some of the load off of the people who are there at the counter.

Joe Carrigan: Oh, absolutely, absolutely.

Dave Bittner: And maybe they think there's a shorter line on the phone than there is with the folks of the customer service, so.

Joe Carrigan: I just want to look into the face of one of the airline company employees so they can see how angry I am. You should say --- and they --- you --- I don't know if you could tell this, Dave, but I'm not a big fan of airline companies. And the problem ---

Dave Bittner: Yeah.

Joe Carrigan: I have with them is that all their advertisements are all like, "Hey, come on and get on our plane, it's going to be great, it's going to be great." No, it's --

Dave Bittner: Right.

Joe Carrigan: Always going to just be terrible. It's going to suck. It's just a Greyhound bus with wings on it. That's all it is.

Dave Bittner: Yeah.

Joe Carrigan: And it's --

Dave Bittner: Have you ever heard the phrase, Joe, "you get more flies with honey than vinegar"?

Joe Carrigan: Yes, yes. My wife -- at this point in time, my wife is the one that does the negotiating with these folks when something happens.

Dave Bittner: I see.

Joe Carrigan: She goes, "Hi."

Dave Bittner: So, you know your limitations.

Joe Carrigan: I know my limitations. So, when --

Dave Bittner: So, you're the backup. If you need to bring in the big guns --

Joe Carrigan: Right.

Dave Bittner: The anger --

Joe Carrigan: She's ---

Dave Bittner: If the honey doesn't work, you're ready there with your vinegar super soaker.

Joe Carrigan: You see that -- you see that very angry man over there leaning up against that post?

Dave Bittner: Right.

Joe Carrigan: If you don't give me what I want, you're going to have to do with him.

Dave Bittner: Right. I don't want to have to bring him over here.

Joe Carrigan: Right.

Dave Bittner: But I will if I need to.

Joe Carrigan: Right.

Dave Bittner: So, we can do this the easy way or the hard way.

Joe Carrigan: And I'm just over there scowling.

Dave Bittner: Yeah.

Joe Carrigan: Oh, yeah.

Dave Bittner: What I wonder is is there ever going to be a point where Google has liability for this.

Joe Carrigan: And that's an excellent question. I think that is a better question for Ben Yelin --

Dave Bittner: Yeah.

Joe Carrigan: Because I think -- I can absolutely envision a situation where somebody Googles something and gets scammed out of some amount of money and they are furious and they just turn around and sue Google for not protecting them with their ad revenue.

Dave Bittner: Yeah.

Joe Carrigan: Maybe Google's already done that calculus and they say, "We'll settle with them for however much it takes because we're making money hand over fist selling these ads to these cyber criminals."

Dave Bittner: Yeah. I mean, I would guess that somewhere in the EULA that it says, "We do not guarantee the accuracy of any information that you get on our site, that you use it at your own risk," and that sort of thing. But --

Joe Carrigan: I'm sure it says that, which means --

Dave Bittner: I would --

Joe Carrigan: Our site is useless, you shouldn't use it.

Dave Bittner: Well, you know, I was kind of wondering like -- you know, you know I love my analogies and I was trying to go back old school with this, like what would happen in the old days if the phone company printed up the phone book and some scammer managed to put ads in the phone book that were, you know, scam listings for things like airlines.

Joe Carrigan: Right. So, when you went to your phone book to look up who should I call and you saw that scam airline, would the publishers of the phone book have any liability for not having verified that the person who placed the ad was who they say they are? Yeah. I don't know.

Dave Bittner: I don't know either.

Joe Carrigan: That -- you know, that would be a question again for Ben.

Dave Bittner: Yeah. It's just --

Joe Carrigan: I don't -- I wish I -- sometimes I wish I was a lawyer.

Dave Bittner: Yeah. I will say on behalf of the rest of us, we're glad you're not --

Joe Carrigan: Right?

Dave Bittner: Because then you -- then you'd actually -- I'm just imagining, "Yes, Your Honor, I am back" --

Joe Carrigan: Right. "After spending a couple days in jail for contempt of court, yes, here I am. I promise not to call you a dunderhead again."

Dave Bittner: Mr. Carrigan. All right. Well, that is my story. We will have a link to that in the show notes there. Joe, what do you have for us this week?

Joe Carrigan: So, Dave, my story actually comes from Mallory Sofastaii up at WMAR News.

Dave Bittner: Oh, great.

Joe Carrigan: And this story is about a continuation of the story that we have been talking about with the reporter from New York who was scammed out of $50,000 and put it into a shoe box for someone to come and get.

Dave Bittner: Right.

Joe Carrigan: So, Mallory is covering a similar scam that's going on and is hitting people in Maryland. And get this, Dave, the ICCC, the Internet Crime Complaint Center --

Dave Bittner: Yeah.

Joe Carrigan: Has said that they have -- they are tracking this and they're -- they've lost -- this particular scam in the last half of last year, from like May to December of last year, $55 million.

Dave Bittner: For this particular scam?

Joe Carrigan: For this particular scam, this one scam.

Dave Bittner: Wow.

Joe Carrigan: And seven people in Maryland lost a combined total of $3.8 million.

Dave Bittner: Holy smokes.

Joe Carrigan: That's more than half a million dollars a person. This is -- these losses are absolutely devastating and life changing.

Dave Bittner: Yeah.

Joe Carrigan: So, Mallory quotes the special -- Supervisory Special Agent, SSA, Keith Custer with the FBI who is -- and I like what Special Agent Custer says here.

Dave Bittner: I know Keith.

Joe Carrigan: Oh, do you know Keith?

Dave Bittner: Yeah. I've interviewed him, I'm pretty sure. Yeah.

Joe Carrigan: Okay. Yeah, he's from the Baltimore bureau. Yeah. So, I --

Dave Bittner: Yeah, the --

Joe Carrigan: Wouldn't be shocked.

Dave Bittner: The folks in the Baltimore Field Office, BFO.

Joe Carrigan: Yeah, the Baltimore Field Office.

Dave Bittner: Yeah, yeah.

Joe Carrigan: He says, "Any person can fall for this scam. People that are younger, people that are older, educated, uneducated, no one is immune." This is -- I am so happy to hear somebody else say this other than us.

Dave Bittner: Okay.

Joe Carrigan: Right?

Dave Bittner: Sure.

Joe Carrigan: Because so often I hear -- and we had a listener who wrote in last week that this could have been easily stopped by just hanging up and doing -- yeah, okay, right. Anybody can fall for this scam. It's -- and I get -- you're right, the best practice is going to stop the scam. But, still, if they get you and they flip those emotional switches in your head, that's the game.

Dave Bittner: Yeah.

Joe Carrigan: That's it. There's another quote in here from Keith. It says, "The bad guys can get as much as they can and we've had one person who's lost over $2 million."

Dave Bittner: Wow.

Joe Carrigan: That is -- that's probably their retirement savings. I mean --

Dave Bittner: Yeah, it could very well be.

Joe Carrigan: That person is now -- well, I don't know that this is the case, but I'm going to guess that their life is going to change significantly after this. All this while being lied to and told that the money is going to be kept in safekeeping. Something else that the FBI is saying is that they're seeing victims being directed to purchase gold bars or silver or some other precious metal that they can easily obtain online, then dropping this or cash into the hands of couriers that have been sent to pick up the funds from the victims. So, these people that are coming to pick up the funds may not be the criminals themselves, but just couriers that the criminals have sent. Now, are these couriers criminal -- part of the criminal element or are they just couriers that have been contracted, legit couriers that are being abused here? I don't know. But that's a good --

Dave Bittner: Let me ask you this, Joe. If -- I wouldn't even know how to buy half a million dollars' worth of gold or silver or precious metal. Would you? And I'm sure the bad guys will tell you how to do it.

Joe Carrigan: Right, yeah.

Dave Bittner: But would you if -- would you -- know right now how to go out and buy a large --

Joe Carrigan: Like physical silver?

Dave Bittner: Yeah.

Joe Carrigan: No.

Dave Bittner: Like if I said to you --

Joe Carrigan: I --

Dave Bittner: "Joe, you've got -- go -- bring me back a gold bar and you've got 24 hours to do it," would you know how to do that? I wouldn't.

Joe Carrigan: No. I would not know how to do that. I wouldn't even know where to begin.

Dave Bittner: Yeah.

Joe Carrigan: But, you know, as I'm sitting here thinking, I'm thinking those gold bars are going to end up in the bad guy's hands at some point in time.

Dave Bittner: Right.

Joe Carrigan: Right? I could build something that kind of looks like a gold bar that has a tracking device in it.

Dave Bittner: Yeah, with lead, made of lead.

Joe Carrigan: Right. Made out of lead.

Dave Bittner: Right.

Joe Carrigan: That's actually heavier than gold.

Dave Bittner: Is that right?

Joe Carrigan: Yeah.

Dave Bittner: Okay.

Joe Carrigan: Well, if you --

Dave Bittner: You hollow it out a little bit --

Joe Carrigan: Hollow it out.

Dave Bittner: To put your --

Joe Carrigan: Right.

Dave Bittner: Tracking device inside.

Joe Carrigan: Yeah, exactly.

Dave Bittner: So, there you go, so.

Joe Carrigan: That -- now it's encased in lead so you can't get the signal out.

Dave Bittner: Yeah. Oh, well. Best laid plans.

Joe Carrigan: Yeah, the problems. Maybe you can use the lead as an antenna. Who knows. Dave, yesterday, I was testifying in front of the Maryland Senate Finance Committee --

Dave Bittner: Okay.

Joe Carrigan: Down in Annapolis. And we were talking about a new bill that's come out that's being sponsored by our state senator, Katie Fry Hester.

Dave Bittner: Okay.

Joe Carrigan: That is if this bill comes -- passes into law, if it gets out of committee and goes to the floor and gets voted on and the governor signs it, what'll happen is the office of the AG will then be tasked and funded for doing a public service messaging campaign to let people know about these scams.

Dave Bittner: Oh, that's good.

Joe Carrigan: I haven't seen anything like this coming from any government organizations before. Plenty of things like this from the AARP and other advocacy groups. There, I finally got it out.

Dave Bittner: Right.

Joe Carrigan: Now I'm trying to -- I try to say it again, like a dummy. Groups like that. But there's not a lot of states and federal government doing this, which I think would be a good spend of tax dollars. I'm actually on --

Dave Bittner: Yeah.

Joe Carrigan: Board with this. That's why I --

Dave Bittner: I have seen -- because we've mentioned here, I have an elderly father and --

Joe Carrigan: Right.

Dave Bittner: So, I have seen like handouts, like little workbooks and packets of information, with these sorts of scams from I believe like the Maryland State's Attorney's Office.

Joe Carrigan: Yeah. The Attorney General's Office?

Dave Bittner: I'm sorry, yeah, the Attorney General's --

Joe Carrigan: Okay.

Dave Bittner: Office of informational kinds of things about, you know, how -- if you're a senior, how not to get scammed. So, there is some money --

Joe Carrigan: Yep.

Dave Bittner: Being spent on that sort of thing. But I -- you know, I -- to me, I think it's a good investment.

Joe Carrigan: Yeah, this would be a substantially large investment.

Dave Bittner: Yeah.

Joe Carrigan: Anyway, while we were down there testifying, the chair of the committee, who is Senator Pamela Beidle --

Dave Bittner: Okay.

Joe Carrigan: Perhaps Beidle, I don't know how it's pronounced, I'm sorry, I only read it, said that someone in her community had recently been scammed out of $66,000.

Dave Bittner: Wow.

Joe Carrigan: I mean, so, these kind of crimes just keep happening.

Dave Bittner: Yeah.

Joe Carrigan: And they're getting -- these attackers are getting much better at getting larger amounts of money out of people it seems.

Dave Bittner: Yeah. Yeah, I know. I wonder what -- what's it -- what is it going to take to turn the tide? You know? And I don't have the answer to that. And I --

Joe Carrigan: Yeah, I don't know either.

Dave Bittner: Right? I talk to the experts on this, they don't have the answer either. I mean, obviously, it's not easy there -- because there's so many elements to it and it is a cat and mouse game. But I just wish there was something -- you know, I've heard people say that if we -- for example, that cryptocurrency is a major enabler of this --

Joe Carrigan: Right.

Dave Bittner: Because it allows them -- you can send money around basically outside of the banking system.

Joe Carrigan: Yep, absolutely.

Dave Bittner: So, if you were able to put some kind of limits on that, that that could help slow it down. But that's not going to stop somebody from handing a gold bar to somebody on their front porch.

Joe Carrigan: Right, right.

Dave Bittner: You know?

Joe Carrigan: And there's -- I mean, I don't even -- you asked if I had any idea where to get gold. I don't own precious metals. I just never have.

Dave Bittner: Yeah.

Joe Carrigan: But -- ugh. I think the best way to get around this problem -- to solve this problem is a public education campaign. Something has to happen. People need to be aware of their rights because a lot of the -- a lot of times when they're on the phone with these guys, they say, "I think I'd like to talk to my attorney." "Oh, no, no, no, no, no, don't do that." Law enforcement should never say that.

Dave Bittner: Right.

Joe Carrigan: And I think there's case law that even says that law enforcement can never say that, that once you say, "I think I want to talk to my attorney," they have to say, "Okay," and they have to stop questioning you. That's another question for Ben.

Dave Bittner: Yeah.

Joe Carrigan: We should have Ben on the show as a guest one day so I don't have to shoot my mouth off and say a bunch of incorrect --

Dave Bittner: Yeah.

Joe Carrigan: Legal stuff.

Dave Bittner: Put Ben on speed dial.

Joe Carrigan: Right?

Dave Bittner: Have a little chatbot here.

Joe Carrigan: Right.

Dave Bittner: We can check in with Ben. Yeah. I don't know. I mean, I've seen in the police procedurals, which are by no means, you know --

Joe Carrigan: Right.

Dave Bittner: Accurate when it comes to actual -- how it works, but I've seen the cops will say something like, "Well, you could go that way, but it just means that it's going to slow things down for you."

Joe Carrigan: Yeah, "I can't help you" --

Dave Bittner: You know, that sort of thing.

Joe Carrigan: "If you go that way."

Dave Bittner: Right, exactly.

Joe Carrigan: Right.

Dave Bittner: Exactly. But I don't know how accurate that is, so.

Joe Carrigan: Yeah.

Dave Bittner: Yeah. Yeah. Well, it's interesting. And we will have links to these stories here in the show notes. Joe, it is time to move on to our catch of the day. [SOUNDBITE OF REELING IN FISHING LINE] [music]

Joe Carrigan: Dave, our catch of the day comes from the Washington University in St. Louis. This is from their Scam of the Month posting. They publish monthly cybersecurity articles. I like this site. If you go to the link that we're going to put in the show notes and then click on the little news part, you get all their cybersecurity articles. And they're focused on University of -- Washington University in St. Louis. And, in fact, that's where our catch of the day is from. But they are applicable to everything. So, this is actually an article written by David Puzder.

Dave Bittner: Okay.

Joe Carrigan: And it has a picture of the letter that came to some recipient at the university.

Dave Bittner: Yeah. All right. And it -- the title -- so, this is an email.

Joe Carrigan: An email.

Dave Bittner: And the title is "Research Assistant Vacancy for Undergraduate." And it says, "Redefined Research Assistant Opportunity. Washington University in St. Louis, Department of Computer Science & Engineering at is looking for research assistants who are willing to work remotely for $350 a week. Students from any department at the university may participate in the study. Text Professor Patrick Crowley at this phone number with your full name, email address, department and year of study to receive the job description and additional application requirements. Many regards, Professor of Computer Science, Patrick Crowley." All right. So --

Joe Carrigan: So, this article is great because David goes through here and takes this thing apart bit by bit.

Dave Bittner: Okay.

Joe Carrigan: And, number one, the email address is from some UK car company.

Dave Bittner: Oh.

Joe Carrigan: So, it comes from a car company in the UK. Number two, the sender's name is Lexus Scott, but the email address starts with "Paul." So, whoever the sender is, they are not Patrick Crowley.

Dave Bittner: Yeah.

Joe Carrigan: Additionally, you can get Professor Crowley's contact information off the directory.

Dave Bittner: So, Professor Crowley is a real person?

Joe Carrigan: He's a real person.

Dave Bittner: Okay.

Joe Carrigan: That's correct.

Dave Bittner: All right.

Joe Carrigan: Phrasing is odd and there's typos throughout. They tell you to text some information. This tactic moves the conversation, I like what he says here, "to a medium that is not managed by WashU, making it more challenging for the infosec team to intervene." This is the classic change of platform.

Dave Bittner: Yeah.

Joe Carrigan: There is -- they're kicking it off with a change of platform. The phone number they provide is an area code from New Mexico, which may or may not be significant, I don't know. I wouldn't -- that wouldn't raise any red flags for me anymore --

Dave Bittner: Okay.

Joe Carrigan: Because I saw somebody say that area codes are meaningless except as heraldry for where you came from. Right? So, like when you -- if you were to move to a different state, you'd still keep the same phone number.

Dave Bittner: That's true.

Joe Carrigan: Right? Area codes don't mean the location you live in anymore.

Dave Bittner: Right. Joe, you remember when dialing an area code meant that you're probably going to get in trouble with your parents for a --

Joe Carrigan: Yes. Oh, yeah, their --

Dave Bittner: A big phone bill.

Joe Carrigan: Oh, yeah.

Dave Bittner: We're old.

Joe Carrigan: I do. I remember when we used to have to dial 301.

Dave Bittner: Yeah.

Joe Carrigan: I mean, you grew up up here. Right? Do you remember when your area code was 301?

Dave Bittner: Yeah, the whole state of Maryland was 301.

Joe Carrigan: Right, exactly. And they were changed --

Dave Bittner: And then they added 410.

Joe Carrigan: You became 410 and I stayed 301.

Dave Bittner: Right. And --

Joe Carrigan: Until I moved up here --

Dave Bittner: Yeah.

Joe Carrigan: And got a 10 area code.

Dave Bittner: My first phone number was 465, which was HO6, which the HO was for Howard County.

Joe Carrigan: Really?

Dave Bittner: Yeah, yeah. That's how it used to work. And then -- yeah. And then we took the AutoGyro to Istanbul, we wore onions on our belts, which was the fashion at the time.

Joe Carrigan: Right.

Dave Bittner: So -- all right, so what else here, Joe?

Joe Carrigan: Orders had pictures of bees on them. Oh, there is a -- there's a job application site called Handshake, apparently that's a WashU thing, where if you're going to work at WashU or do any research for them, you have to go through this system. And that's not listed here in any way, shape or form.

Dave Bittner: Oh.

Joe Carrigan: So, this is just a scam. Somebody's just trying to get personal information probably so they can start a follow-on scam after you apply for this position. If they can't get you to -- with this scam, they're still going to have your information and try to hit you with other scams.

Dave Bittner: Yeah. I have to say that other than the one obvious typo in here --

Joe Carrigan: Right.

Dave Bittner: This is a pretty clean --

Joe Carrigan: It's pretty good.

Dave Bittner: Email.

Joe Carrigan: Yeah.

Dave Bittner: Yeah.

Joe Carrigan: Yeah.

Dave Bittner: I mean, it seems plausible. It doesn't have huge red flags here. But I guess that also points out that these days you've got to really dig in and be careful.

Joe Carrigan: Oh, yeah. If you -- if I can get a large language model to just generate a phishing email, it's not going to have any red flags.

Dave Bittner: Yeah, that's true. All right. Well, we would love to hear from you. If there's something you would like us to consider for our catch of the day, you can email us. It's hackinghumans@n2k.com. [music] Joe, I recently had the pleasure of speaking with Catherine Murphy. She is actually one of my colleagues here at N2K CyberWire. She is a sales director here. And we were talking about the personal impact that the recent cyberattack on Lurie Children's Hospital up near Chicago has had on her and her family. Here's my conversation with Catherine Murphy.

Catherine Murphy: So, I have a beautiful 10-and-a-half-year-old son named Jack who was born with extreme complications. And during my pregnancy, we knew he would be born with some challenges. So, he was delivered in the hospital right adjacent to the amazing Lurie Children's Hospital. He was -- spent the first six months of his life in the ICU. And, since then, we have a very close relationship with several different departments there stemming from breathing with Pulmonary and the ENT Department and all the way to Cardiac and Kidney and Orthopedic. And his real challenges stemmed from breathing. He was born with tracheomalacia, which is the narrowing of your airway. And he's required a trachea to be surgically implanted shortly after birth along with he was ventilator-dependent for several years. So, we've kept in, to put it mildly, very close contact with all of his specialists at Lurie Children's Hospital. And that includes via MyChart, via email, via phone. Being a critical care family, having that constant contact and the accessibility to your specialist is pertinent with day-to-day life, even removing illnesses and other challenges that can pop up along the way. You need to be able to have that communication line open at all times. And that has been, for us, our biggest challenge with this current incident with Lurie's.

Dave Bittner: And, so, what is the day-to-day like, you know, as a -- I guess it's fair to say, and I don't mean this flippantly, that you are a frequent flyer of that particular institution. And, so, I would imagine you are used to a certain cadence of interaction of -- like you know how things work there.

Catherine Murphy: Absolutely. We definitely have a frequent cadence, meaning multiple times a week I'm chatting with his pulmonologist, I'm chatting with his ENT. I'm putting even our specialist that we have out in the suburbs by us, his therapist, in touch with those doctors down at Lurie's multiple times a week. And what we're doing is not only -- you might make some changes to his care and then you're looking to touch base in a couple days to see like how have those changes affected him for the good or for the worse and do we need to make continual changes. And, again, that's something that is crucial to a child with -- who has chronic illnesses.

Dave Bittner: So, what was the first indication that something had gone amiss here?

Catherine Murphy: The first indication I saw was on social media. I saw a post on LinkedIn about Lurie Children saying, "Please be aware that we are having challenges with our systems, with our internet, with our email and with our phone." I was unaware, as most people were, initially what that entailed. But it was a scary thing with just the hope and assumption that it would be short term. I think nobody expected it to be what it is. I have a Lurie's care coordinator, who is somebody who works for the hospital, but stays in touch personally with me and with doctors, who had also sent me a text saying, "We're unsure of the specifics of this, but, you know, please hang tight and we'll keep in touch and let you know next steps shortly."

Dave Bittner: Well, walk me through how this played out. As the mom of someone who's depending on this hospital, how did this progress?

Catherine Murphy: So, we were very lucky. And I say "lucky" in the sense of things could have been much worse. You know, this obviously started at the end of January. And my son was thankfully in a position where initially he was not sick for a couple weeks. Which during cold and flu season is very rare for him. So, we did not need to be in constant contact with his doctors. We could kind of be in standby mode for the initial part of this. As time progressed and as Murphy's Law played out, he got sick. And it became something that I did need to speak with a specialist. And even his pediatrician is located proximity wise very close to Lurie Children's Hospital and is on the same system. So, they were having the exact same challenges as Lurie's was. And it just became where I had to put him in the car and drive at record-breaking speeds downtown to get him seen by a doctor because it was the only way to have a conversation with somebody about his care. There was no televisits, there was no MyChart or phone or even texting with the doctor at this option. So, that's what it comes down to is you either run to an ER or you take the chances of trying to manage care at home, which can be very dicey.

Dave Bittner: So, just so I understand here, you're saying that this had gotten to the point where you would basically show up unannounced because you couldn't make an appointment, you couldn't make a phone call to the hospital.

Catherine Murphy: Correct. There was zero communication. So, your only option was to show up. I know my doctor has some open hours. So, I happened to be lucky to have those. Otherwise, your option is to go straight to the Lurie's ER. The challenge there with the Lurie's ER is it was back to COVID times, there were eight to 10 hour waits to get in because it was the only option for everyone and there was nothing else. It was either that or, you know, try a local hospital, which don't really have a high comfort zone with chronically ill children.

Dave Bittner: I see. So, how did this continue to play out? And where do we stand now?

Catherine Murphy: Well, it's continued on. And what made it even more challenging was when AT&T went out because then -- and, you know, albeit a short period for most people, it felt like eternity because then you removed even the texting option with care coordinators. And since then, it's honestly just been the same thing where I have had to just bring him in, physically bring him in if he needs to see somebody. And it's continued to be the only option. I know that they're trying to get things back up and working. I had a conversation with a care coordinator yesterday who said that the internal internet for Lurie's is back up, but they are still anticipating it may not be until April until they're fully up and running. So, it's just that increased and exacerbated anxiety and vulnerability feeling all the time as a parent of a chronically ill child that I'm living day to day or even sometimes when he's sick hour to hour about can I manage this from home or can I take him in.

Dave Bittner: Yeah. How do you deal with that frustration? I mean, I'm imagining, you know, myself as a parent that I would find myself having an impulse to kind of cast blame or lash out or, you know, there would be times when I could only take so much.

Catherine Murphy: It's true. Right? Like you've -- a natural parent's is that fight or flight for your child is just to become the mommy bear and to protect your children. And it's -- the one thing I say that I have learned though through Jack's journey is patience and taking a deep breath. And we've been trained on so many things for him and I do have so many options at home for, you know, emergency breathing, you know, measures if I needed to take something or oxygen in the house. And, that said, it's also just learning that sometimes if you need to run in, you need to run in. Sometimes I have to drop everything and go. Sometimes I'm hoping I get pulled over by a police officer on the way so he can give me an escort. And it's you just -- you have to do what you have to do sometimes. And it just becomes where their health is always the first priority, but it just becomes the first priority in your day. You know, sometimes I have to put a pause on everything else, including my other healthy child, because his needs come first. And, again, for him, it can very quickly become life or death. So, it's something that you just kind of always need to be in ready to pounce mode.

Dave Bittner: Have you heard any stories from other folks in your community who have been dealing with the same situation?

Catherine Murphy: I have. So, another role that I love having is I'm a parent liaison for Lurie Children's Hospital. And what that entails is that I get to be a parent that other families can reach out to if they have challenges with insurance or nursing or care or just general questions about the journey that they're on. And I've heard some really scary stories about people who, you know, something happens and in a chronic situation you could have minutes, and they're either in a situation where they have to call 911 or they have to race to another hospital and then be airlifted to Lurie's. Or, you know, a nurse has a challenge or a question about a medication or they can't receive a medication because Lurie's can't dispense medications electronically. And, so, now they're also trying to -- you know, again, try to get what their child needs, just anything from a basic ADHD medication to a prescription to receive oxygen or a prescription to receive continued nursing services or a prescription to receive continued ventilator support and services at home. It's just -- it's sickening, it's mind blowing and it's hard to believe in today's age that this is, one, happening and, two, been happening for so long.

Dave Bittner: I'm really interested in your insights or your thoughts about the people who are responsible for this. You know, I mean, it's a technical situation here, but people did this. These are, you know, presumably people on the other side of the world who, out of a sense of greed, have come at a vulnerable system and are using vulnerable children to put the pressure on for financial gain.

Catherine Murphy: Absolutely. I have a few choice words that I am probably not allowed to use at this moment. But I do believe that there is a special place in hell for those people. I understand their motivation is financially driven. I don't understand how you sleep at night knowing that you are literally putting children's lives and health care at risk for pure financial gain. I don't understand it. I don't agree with any cybersecurity attack, but I think something where you're affecting somebody's health care, you're affecting lives on a daily basis is -- it's unfathomable to me that someone could choose to take this type of action.

Dave Bittner: Are there any things that you've learned coming out of this, I mean, any words of wisdom for other parents who may in the future find themselves up against these kinds of challenges?

Catherine Murphy: I think it's made myself, and I can imagine other families, aware that we need a backup plan. And maybe that's something similar that we have to corporations, but you need a backup plan to communication, you need a backup plan for prescription medications in case this happens again, you need a backup plan for just scheduling appointments for having a visit. You know, everyone's answer can't be to go to the ER because some are critical and some are not. And there's just got to be a Plan B in place all the time. And one of the things that parents of chronically ill kids have is that you have a care plan with your hospital. And I think that this now needs to be a part of it. It needs to be, you know, one of these "we're aware that these things can happen and they do happen," and a plan for if and when they do. [music]

Dave Bittner: Joe, what do you think?

Joe Carrigan: Dave, this was a tough listen for me.

Dave Bittner: Yeah.

Joe Carrigan: It's hard for me to listen to, you know, a personal story. I don't know. It's not -- I mean, it's not hard, like I can do it. It's just I don't --

Dave Bittner: Do you feel for them?

Joe Carrigan: Yeah, I feel for them. Exactly.

Dave Bittner: Yeah, yeah.

Joe Carrigan: And I don't like feeling things, Dave.

Dave Bittner: Okay, fair enough.

Joe Carrigan: But, here, we get to see firsthand the impact that a cyberattack can have on patients and their families.

Dave Bittner: Right.

Joe Carrigan: And it's not -- it doesn't make life any easier.

Dave Bittner: Yeah.

Joe Carrigan: All of our systems have become so dependent on the proper operation of their underlying technology. And, when I mean systems, I mean like think of our health care system or our electrical distribution system, our water system.

Dave Bittner: Yeah.

Joe Carrigan: All these things are dependent on that underlying technology. And that technology being vulnerable is problematic.

Dave Bittner: Yeah.

Joe Carrigan: If you lose access to like a phone system which might be running Voice Over IP, right, and your doctor can't answer the phone because the computer network's down, now getting in touch with a necessary medical professional involves getting into the car or calling an ambulance and just going to the facility. And if you have to go in unannounced -- because you can't announce yourself, there's no communication system that's functional.

Dave Bittner: Right.

Joe Carrigan: So, it's very difficult. Going to the ER is going to be an issue as well because everybody's in the same boat. Right? There is no way to make a phone call to your doctor to ask him the question if -- especially if they're all in a similar situation, like Catherine and her son.

Dave Bittner: Yeah.

Joe Carrigan: Right? And this is going to be going on until April. That's when they think that Lurie is going to be restored to full operation.

Dave Bittner: I just saw today a news article that the ransomware gang who's claiming responsibility for this, which is the Rhysida ransomware gang, they claim to have made $3.4 million selling the information that they gathered in this ransom attack.

Joe Carrigan: So, Lurie did not pay them it sounds like.

Dave Bittner: I believe that is correct.

Joe Carrigan: Right. Okay. So, they've already gone out and compounded their atrocity with another atrocity.

Dave Bittner: Yeah.

Joe Carrigan: I do -- Catherine said this, I have a few choice words for these people. And here they are. You are monsters, inhuman monsters. A children's hospital? It is a special kind of evil person that does that.

Dave Bittner: Yeah.

Joe Carrigan: You know? In America, people that are offenders with children -- child victims do not do well in prison. And I -- that's -- so, I don't know, maybe it's a cultural thing where I have a real problem with this. You know? But --

Dave Bittner: Yeah.

Joe Carrigan: I don't know, I just think this is wrong. You're going after a children's hospital and you're -- now you're selling the data of their patients. They're kids.

Dave Bittner: Well -- and I know, you know, the way of the world right now is of course complex, but in the same way that, you know, international treaty states that in times of war you don't attack hospitals --

Joe Carrigan: Right.

Dave Bittner: And, obviously, that's not always abided by. But --

Joe Carrigan: Right.

Dave Bittner: But that is the norm. That's the established and agreed upon norm. You know, yes, we have nations who allow these sorts of criminals to function to do their business within those nations. Couldn't we, at the very least, establish an international standard where we agree with those nations, "Look, here's the line."

Joe Carrigan: Right.

Dave Bittner: You know? "And if you're coming after a children's hospital, there's going to be consequences for you."

Joe Carrigan: Right.

Dave Bittner: Because -- yeah. You know, it's one thing to -- look, it's all crime, but it's one thing to take down a -- or steal somebody's credit card number and, you know, buy a boom box --

Joe Carrigan: Right, yeah.

Dave Bittner: Right, or whatever. You know? But to --

Joe Carrigan: To jeopardize --

Dave Bittner: Actually put the children --

Joe Carrigan: The lives of children --

Dave Bittner: To jeopardize the life of children is a whole different level of atrocity. And it should simply be off the table internationally.

Joe Carrigan: Yeah.

Dave Bittner: And, yet, it is not.

Joe Carrigan: No.

Dave Bittner: Yeah.

Joe Carrigan: Yeah. There's got to be something. I don't know what we're going to do with these -- some of these. I don't know where this organization is based out of.

Dave Bittner: Yeah.

Joe Carrigan: But if they're based out of Russia, Russia does not extradite.

Dave Bittner: Right.

Joe Carrigan: So --

Dave Bittner: Right.

Joe Carrigan: They just don't --

Dave Bittner: Yep.

Joe Carrigan: Our technology makes every -- makes so many things possible, right, like the fact that we can do this podcast, right, or the fact that we can have more efficient delivery of health care services, the more -- you know, even more efficient delivery of just about all of our services.

Dave Bittner: Right.

Joe Carrigan: But that technology is vulnerable. Catherine is correct here. We need to have backup plans, better backup plans, for more resilient systems here.

Dave Bittner: Yeah. I think it's a really good point. And I saw someone just earlier this week who was making the point that, you know, it kind of -- it was sort of an end-stage capitalism rant. But, you know, they were saying that at this point where we are in our society, so many things have become single points of failures. Everything has been stripped down to be delivered just in time with the least expensive, least amount of, you know, possible backup to it because we don't want to invest in the backup.

Joe Carrigan: It's lean, Dave.

Dave Bittner: Yeah.

Joe Carrigan: It's all lean.

Dave Bittner: Yeah, exactly, exactly. That's that --

Joe Carrigan: And cool new management.

Dave Bittner: And that leads to these sorts of things.

Joe Carrigan: Yeah.

Dave Bittner: You know? And I suppose that's a result of the pace at which things run these days. But -- I don't know. I would love to see that pendulum swing in the other direction.

Joe Carrigan: Yeah, me too. You know, one of the thing -- one of the problems is -- and if I -- if anybody can hear the air quotes when I say "problems," is that the fact is these systems are actually really good. Right? They're fast, they're efficient and they work well and they get things done.

Dave Bittner: Right. When they work, they work well.

Joe Carrigan: When they -- but if they go down --

Dave Bittner: Right.

Joe Carrigan: And we're reliant on them --

Dave Bittner: Yeah.

Joe Carrigan: It's like having the rug yanked out from underneath you. It's devastating.

Dave Bittner: Yeah. And, you know, in the perfect world, there would be like a broom closet that had like one of those giant scissor switches from the Frankenstein movie.

Joe Carrigan: Right.

Dave Bittner: Right? And, when the system goes down, somebody goes in there and they just throw that switch --

Joe Carrigan: Igor.

Dave Bittner: And sparks fly and it just switches over to an exact duplicate of the system, you know, that's been running backups and is just ready to go. But no one's going to spend the money to do that.

Joe Carrigan: Right. Yeah. It's -- well, now they're spending the money on their disaster recovery plan execution right here.

Dave Bittner: Right.

Joe Carrigan: Yeah.

Dave Bittner: Right.

Joe Carrigan: So, Dave, I have a question for you.

Dave Bittner: Yes.

Joe Carrigan: Does it strike you as odd that we need a prescription for oxygen?

Dave Bittner: Okay. So, first of all, I'm not convinced that we do. Now, I guess you need a prescription for medical-grade oxygen. But you can go to your local DICK's Sporting Goods and you can buy a bottle of oxygen.

Joe Carrigan: Right.

Dave Bittner: Right?

Joe Carrigan: Yeah.

Dave Bittner: So, oxygen itself is available. I guess what I'm saying is oxygen is not a controlled substance.

Joe Carrigan: Right.

Dave Bittner: And I suppose you can get it for like welding or, you know, there are all sorts of industrial uses for oxygen that you can buy it. But I guess the prescription is just because it is -- there's a danger with oxygen because it is highly flammable.

Joe Carrigan: Oh, yeah.

Dave Bittner: You know, you --

Joe Carrigan: Oh, it's really flammable, Dave.

Dave Bittner: Yeah. So, you don't want -- you know, you could see people just going -- you know, if you could go to the drugstore, buy yourself a big tank full of oxygen and come back home and then resume smoking --

Joe Carrigan: Right.

Dave Bittner: Bad things could happen, so.

Joe Carrigan: Once we're done recording, I'll tell you my oxygen story.

Dave Bittner: Okay.

Joe Carrigan: But I'm not incriminating anybody on the air.

Dave Bittner: Yeah. Yeah. I mean, I -- you know, I know towards the end of her life, my mother needed oxygen. And, so, that was a regular thing that folks would come and they'd drop off the tanks and they'd pick up the old tanks. And, you know, it was just a -- you know, it was just a regular part of her life --

Joe Carrigan: Yeah.

Dave Bittner: Towards the end there. But I guess I'm okay with it.

Joe Carrigan: Yeah.

Dave Bittner: I mean, I feel -- I guess what I'm saying is my experience was -- with that was that there were no big barriers in, you know, my loved one getting the oxygen that they needed.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Now, did they bring in the little tiny cart with the little tank of oxygen on it or did they bring in the big like acetylene -- the one that sits next to the acetylene tank in the acetylene oxygen cutter?

Dave Bittner: So, there were a couple different things. There were the little tanks that look kind of like oversized water bottles or oversized, you know, metal water bottles.

Joe Carrigan: Right.

Dave Bittner: Right? So, that was that. But then there was another machine that actually I believe was just like pulling oxygen out of the air.

Joe Carrigan: An oxygen concentrator.

Dave Bittner: Yeah.

Joe Carrigan: Yeah.

Dave Bittner: Exactly. So, she had one of each of those.

Joe Carrigan: Okay.

Dave Bittner: So, I don't know if one was a backup for the other. But -- yeah. And then I remember on the occasion of her passing, like those were one of the first people to come get their stuff.

Joe Carrigan: Really?

Dave Bittner: Yeah. They wanted their stuff back, which is fine, you know, I mean --

Joe Carrigan: Yeah.

Dave Bittner: There's nothing wrong with that.

Joe Carrigan: Right.

Dave Bittner: But it just -- it's one of those odd things you remember when you're new to that sort of situation. You know, you're like --

Joe Carrigan: Yeah.

Dave Bittner: Somebody knocking on the door, "Hi, we're here for the oxygen stuff." You're, "Oh, well, okay. Here you go."

Joe Carrigan: Yeah. You know --

Dave Bittner: It's --

Joe Carrigan: If you -- you don't really think of end-of-life care --

Dave Bittner: Right, exactly.

Joe Carrigan: But there are entire processes around it.

Dave Bittner: Yeah.

Joe Carrigan: You know, I know somebody who works in hospice care.

Dave Bittner: Right.

Joe Carrigan: And it's -- I don't know, I'm fascinated by it. You know, maybe it's some kind of morbid curiosity that I have. But, you know, there -- and there are a number of other things that fascinate me as well, like utilities and agriculture. I think those are -- but this also -- I mean, like what do we do when someone passes away?

Dave Bittner: Yeah.

Joe Carrigan: How do we take care of that?

Dave Bittner: Yeah. It's -- if you've never been through it before, and when my mom passed it was my first time being through it -- or being directly involved with it --

Joe Carrigan: Right.

Dave Bittner: It is -- I -- there is -- it is fascinating.

Joe Carrigan: Yeah.

Dave Bittner: There are all sorts of things that go against your expectations for what happens.

Joe Carrigan: And one of the things I've been impressed with is everybody I've talked to has said that everybody they've dealt with has been remarkably compassionate during that process.

Dave Bittner: Yes.

Joe Carrigan: And that, to me, means that the people that work in that field, they're a special kind of person.

Dave Bittner: I agree. I'll also note that when you officially -- my -- our experience, and, you know, this is one person's experience with one time going through this, is that when the loved one is officially put into hospice care, everything changes for the better in that the level of care that they get goes up. It's just like you -- basically, everything they need --

Joe Carrigan: Right.

Dave Bittner: Just happens because --

Joe Carrigan: Yeah.

Dave Bittner: Because they're in an end-of-life situation --

Joe Carrigan: Right.

Dave Bittner: Which I did not know going into it. So, you know, that was a pleasant surprise. It sort of -- it helps offset the emotional burden that you go through knowing that --

Joe Carrigan: Yeah.

Dave Bittner: This is the pathway -- this is the irreversible pathway that your loved one is on.

Joe Carrigan: Yeah.

Dave Bittner: All right. Well, again, thank you to Catherine Murphy for joining us. Again, she is one of my colleagues here at N2K CyberWire. So appreciative of her sharing this story and her honesty and authenticity --

Joe Carrigan: Yeah. That --

Dave Bittner: Was a real pleasure.

Joe Carrigan: That was great of her to do. I really appreciate that.

Dave Bittner: Yeah, absolutely. [music] All right. Well, that is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [music]