Freaky Clown: [00:00:00] Having a great security culture in a company is your best asset. It really is. People always say, like, humans are the weakest link. No, they're the weakest link until you train them. And then they are your strongest link.
Dave Bittner: [00:00:12] Hello, everyone. And welcome to the CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:32] Hi, Dave.
Dave Bittner: [00:00:32] Later in the show, we've got the second part of Carole Theriault's interview with the hacker who goes by the name Freaky Clown. But first, we've got a quick word from our sponsors at KnowBe4. Step right up and take a chance. Yes, you there. Give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you or, B, please read important message from HR or, C, a delivery attempt was made or, D, take me to your leader? Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions. And we are back. Joe, I'm going to kick things off this week. I've got a story. This comes to us from WXYZ, out of Detroit. That's an ABC affiliate. And the story is Michigan energy company warns of increase in imposters trying to enter homes. So what's happening here is folks who are pretending to be representatives of the local energy company - they're knocking on people's doors, and they're saying, I have to come in your house. It's an emergency. And if you don't let me in your house, I'm going to shut off your power or your gas or your utilities. I'm going to shut them all off. So the urgency that they're injecting there...
Joe Carrigan: [00:02:03] Right.
Dave Bittner: [00:02:03] ...Is, if you don't do what I say and let me in your house, you're not going to have any power.
Joe Carrigan: [00:02:08] Right.
Dave Bittner: [00:02:08] And this time of year in Michigan...
Joe Carrigan: [00:02:09] Yeah, it's pretty cold.
Dave Bittner: [00:02:10] ...It's cold.
Joe Carrigan: [00:02:12] (Laughter) Right.
Dave Bittner: [00:02:12] So the specter of having your power shut off in the wintertime - and probably when you when you did nothing. They're saying this is an emergency. Plus the pressure of saying there's an emergency. If you don't let me in, your house is probably either going to blow up or burn down.
Joe Carrigan: [00:02:26] Right.
Dave Bittner: [00:02:26] And I'm sure they have some sort of fake ID badge or something like that - probably wearing an orange vest or a hard hat or something like that.
Joe Carrigan: [00:02:33] Everything to make them look official.
Dave Bittner: [00:02:35] There you go. I mean, it's a good reminder to be wary of these folks. The folks from the actual power company said their folks will always have an ID badge. Of course, as we said, that's not hard to reproduce.
Joe Carrigan: [00:02:45] Right.
Dave Bittner: [00:02:45] They said there are times when they have to shut down electricity. But they will never threaten to shut off your service if you don't comply with their immediate demands.
Joe Carrigan: [00:02:54] Right. I imagine that if there is an emergency, they don't go to your house and say, I'm going to shut off your power if you don't let me in your house. They just shut off your power.
Dave Bittner: [00:03:01] That's a good point. I would also think that if there were an emergency, they would probably have someone from law enforcement with them.
Joe Carrigan: [00:03:06] Correct.
Dave Bittner: [00:03:07] Don't you think?
Joe Carrigan: [00:03:07] I would think so.
Dave Bittner: [00:03:08] I would think so too.
Joe Carrigan: [00:03:09] But, again, you could have somebody impersonating a law enforcement officer.
Dave Bittner: [00:03:11] Well, that's a little - I think that's a little more high risk than...
Joe Carrigan: [00:03:13] It is.
Dave Bittner: [00:03:14] ...Going door to door...
Joe Carrigan: [00:03:16] Sure.
Dave Bittner: [00:03:16] ...In a vest and hard hat.
Joe Carrigan: [00:03:18] So what do these guys do once they get inside?
Dave Bittner: [00:03:20] Well, they steal things. So they get in the house, and they say, oh, I got to look around. And they go, and they look for jewelry. They look for basically anything they can get their hands on. Some people think they might even be just casing the joint to see if it's a place to come back to later.
Joe Carrigan: [00:03:34] Right.
Dave Bittner: [00:03:34] But they're up to no good. This reminds me of back probably a decade ago. Did you ever get the folks coming around to your office, and they'd say, I want to lower your long-distance call charges? Can I look at your phone bill? We got this all the time.
Joe Carrigan: [00:03:47] Did you?
Dave Bittner: [00:03:47] Yeah. They'd say like - I'm going to use Bell Atlantic because they don't exist anymore.
Joe Carrigan: [00:03:50] Right.
Dave Bittner: [00:03:51] (Laughter) They'd come around, and they'd say, hi, I'm from Bell Atlantic. And they had a lanyard that said Bell Atlantic and a little ID thing. And they'd say, we'd like to lower your long-distance phone service charges. Can I look at your phone bill? And, of course, I'd look at them and go no.
Joe Carrigan: [00:04:04] Right (laughter).
Dave Bittner: [00:04:04] Have you lost your mind? I don't know you. You're a stranger. I'm not letting you look at my phone bill.
Joe Carrigan: [00:04:10] Well, what would they do when they got the phone bill information?
Dave Bittner: [00:04:11] Well, they - I have no idea because I never let them look at it.
Joe Carrigan: [00:04:15] Right, OK.
Dave Bittner: [00:04:16] I sent them away. And they seem very surprised. What do you mean? Don't you want lower bill? No, go away. You're bothering me. Leave me alone.
Joe Carrigan: [00:04:23] I already did my research. Begone.
Dave Bittner: [00:04:26] (Laughter) Exactly.
Joe Carrigan: [00:04:26] Get off my lawn.
Dave Bittner: [00:04:26] Anyway, so be careful of these folks coming around trying to get in your house. And as always, I think the people who are probably most likely to fall for this are either the elderly or children.
Joe Carrigan: [00:04:38] Yeah, absolutely. I envision this - the risk of my house being that I'm not home, and my kids are there. I mean, they're older now. But, you know, when they were teenagers, they might have just let somebody in.
Dave Bittner: [00:04:49] That's right.
Joe Carrigan: [00:04:49] You know.
Dave Bittner: [00:04:50] That's right. Yeah. So get the word out there. Remind your kids. Remind your elderly folks or friends or neighbors that these sort of things happen. And there's nothing wrong with calling the police, calling 911 if you're suspicious. Even if there's an emergency, call.
Joe Carrigan: [00:05:05] Right.
Dave Bittner: [00:05:06] They will never be mad at you for checking it out and making sure. So that's my story this week. Joe, what do you have this week?
Joe Carrigan: [00:05:13] All right, Dave. My story comes from Tara Lepore over at iNews.
Dave Bittner: [00:05:17] OK.
Joe Carrigan: [00:05:18] We're going to put a link to this one in the show notes...
Dave Bittner: [00:05:19] Yeah.
Joe Carrigan: [00:05:20] ...Because this one is long and convoluted.
Dave Bittner: [00:05:22] OK.
Joe Carrigan: [00:05:22] And it's about a woman named Sarah Hudson in the U.K. She had recently refinanced a property through National Westminster Bank - or Natwest, as they call it...
Dave Bittner: [00:05:32] OK.
Joe Carrigan: [00:05:32] ...Over there in the U.K. And she had a large amount of money just sitting in a savings account, and she was going to use it for some repairs on this property.
Dave Bittner: [00:05:39] OK.
Joe Carrigan: [00:05:40] I don't know if this was a rental property or whatever. But she had the money in her account.
Dave Bittner: [00:05:43] Right.
Joe Carrigan: [00:05:44] She gets a phone call while she's driving home. And it comes up as the NatWest number that she has saved in her phone.
Dave Bittner: [00:05:50] OK.
Joe Carrigan: [00:05:51] And the woman on the line says that she's from the NatWest fraud department and needed to check about two direct debits that were made with a Manchester address that have been set up from Sarah's account.
Dave Bittner: [00:06:02] OK.
Joe Carrigan: [00:06:02] And Sarah says no, those aren't mine. And the caller goes, well, I'll cancel them.
Dave Bittner: [00:06:07] OK.
Joe Carrigan: [00:06:07] So Sarah's about to say, hey, thanks, goodbye. And the caller says, there's some other activity I need to run through with you.
Dave Bittner: [00:06:13] OK.
Joe Carrigan: [00:06:13] And the caller asks Sarah to log into the banking site. And Sarah says, I'm driving. I can't do that.
Dave Bittner: [00:06:19] OK.
Joe Carrigan: [00:06:20] So then the caller says, well, can you give me the last four digits of your online banking password? And Sarah's like, no, I can't do that for you, right?
Dave Bittner: [00:06:27] Good, good, good.
Joe Carrigan: [00:06:28] All good so far, right?
Dave Bittner: [00:06:30] (Laughter) Right.
Joe Carrigan: [00:06:30] So then the caller tells Sarah, we really need to sort this out because we believe fraudsters are active on your account right now, and your accounts have been suspended. Right?
Dave Bittner: [00:06:41] So the heat is on.
Joe Carrigan: [00:06:42] The heat is on, exactly.
Dave Bittner: [00:06:43] OK.
Joe Carrigan: [00:06:44] So Sarah gets home. And she gets another call from the same woman who again asks if she'll log into her accounts.
Dave Bittner: [00:06:50] Right.
Joe Carrigan: [00:06:50] Sarah logs in. And when she logs in, she sees that every single one of her accounts is indeed suspended.
Dave Bittner: [00:06:56] Oh.
Joe Carrigan: [00:06:56] OK? And it looked like she had no money whatsoever.
Dave Bittner: [00:06:59] Wow.
Joe Carrigan: [00:06:59] The caller then says, I know how we can resolve this. But if you don't move money into a safe account, NatWest can't guarantee you'll get the money back. I'm going to go ahead and spoil this for anyone who's listening right now, even though you've probably already picked up on this. This caller is a fraudster.
Dave Bittner: [00:07:15] Yeah.
Joe Carrigan: [00:07:15] It's a fraudulent call. So then she receives - Sarah receives a text message from NatWest saying that someone's changed the phone number on her account. And the caller says, have you changed the phone number in your account? And she goes, no, but I just got a text message that said I did.
Dave Bittner: [00:07:28] Oh.
Joe Carrigan: [00:07:29] Right, so this is starting to look like something's really going on on her account.
Dave Bittner: [00:07:31] Right.
Joe Carrigan: [00:07:32] So the caller says, I'm going to pass you off to somebody else. And this time it's a man. And this person reads through a bunch of transactions to confirm this is Sarah's account. And this is where Sarah actually does something very smart. She goes, how can I confirm that I'm talking to someone from NatWest? And the guy actually says, I called you on a Natwest number, right? That should come up on your caller ID.
Dave Bittner: [00:07:53] Which it did.
Joe Carrigan: [00:07:53] Which it did. And I'm going through your account, telling you transactions. Surely that should convince you that I am from NatWest. Right? Sarah is then transferred to a third person, who is an older gentleman. And he says that he is the one responsible for suspending the accounts and that he was going to replicate all of Sarah's accounts.
Dave Bittner: [00:08:12] OK.
Joe Carrigan: [00:08:13] But Sarah needs to transfer all of the money to a safety account, something that had already been mentioned by the two previous people she'd spoken to.
Dave Bittner: [00:08:22] All right.
Joe Carrigan: [00:08:22] Right? He then says, go get your card reader. Now, here in the U.S., we're not really familiar with what this is.
Dave Bittner: [00:08:27] No, what is this?
Joe Carrigan: [00:08:28] Right? This is a piece of hardware. In the U.K. and most of Europe, they have a chip-and-pin system.
Dave Bittner: [00:08:32] Right.
Joe Carrigan: [00:08:33] And this is a piece of hardware that's not connected to anything. But you plug your card into it. And it gives you a time-based password or a time-based key. It runs through the chip on your card. And based on a secret in your card, it generates a code, like a 6- to 10-digit code.
Dave Bittner: [00:08:46] So a little extra bit of security.
Joe Carrigan: [00:08:48] Extra bit of security, exactly.
Dave Bittner: [00:08:49] Got it, OK.
Joe Carrigan: [00:08:49] So she gets the card reader. And he gives her the account number and something called a shortcode, which I'm guessing this is kind of like a routing number and an account number here in the U.S...
Dave Bittner: [00:08:57] Yeah.
Joe Carrigan: [00:08:58] ...Of where the money's supposed to go. And she notices this is to a Barclays account.
Dave Bittner: [00:09:03] Different bank.
Joe Carrigan: [00:09:04] A different bank, exactly. So she says, this is another red flag. And the guy goes, oh, well, NatWest and Barclays have a partnership for fraudulent activity of this sort. And she transfers 19,960 pounds.
Dave Bittner: [00:09:16] OK.
Joe Carrigan: [00:09:17] That's a lot of money.
Dave Bittner: [00:09:18] Yeah.
Joe Carrigan: [00:09:18] It's like 40 grand, close to 40 grand here in the U.S. And the guy says he'll call her back and provide an update about what's happening with the fraud.
Dave Bittner: [00:09:25] OK.
Joe Carrigan: [00:09:25] So as soon as this phone call ends, Sarah starts to think, I've done something wrong here. She immediately calls NatWest's fraud department and within 15 minutes is talking to somebody who verifies that, yes, you've been scammed. She gives them the Barclays account number. And the people from NatWest say, we're going to try to stop this fraudulent account number.
Joe Carrigan: [00:09:44] So she says that the account that was set up at Barclays was set up in Sarah's name. OK, so it looks like Sarah is sending money from Sarah's account to another one of her accounts at a different institution. So this doesn't set off any red flags at any of the institutions.
Dave Bittner: [00:09:59] Right.
Joe Carrigan: [00:10:00] Because somebody has opened a fraudulent account for her at Barclays.
Dave Bittner: [00:10:03] But she's the one who ultimately authorized the transfer.
Joe Carrigan: [00:10:08] She authorized the transfer using this card-reader device, right? The scammers knew everything. They knew her mother's maiden name. They knew she went to NatWest. They knew that she had recently refinanced, and they asked her about it during the course - read the article. It's very long and convoluted.
Dave Bittner: [00:10:25] Yeah.
Joe Carrigan: [00:10:26] At the time of the writing, they're still waiting to see if Barclays could stop the fraudulent transaction from going through. I'm hopeful that because she was talking with somebody within 15 minutes, that she can get her money back. But we just don't know if that's going to happen.
Dave Bittner: [00:10:38] There's a lot going on here.
Joe Carrigan: [00:10:39] There is a lot going on here. First off, it hit right after she'd done a refinance. So I'm going to speculate - and not too wildly here - that the scammers got this information or got a lot of this information about her and about the fact that she'd just done a refi from some third-party organization that was involved in the process. Here in the U.S., we have people like mortgage brokers who help people do this.
Dave Bittner: [00:11:02] Right.
Joe Carrigan: [00:11:02] I've used them in the past. We also have settlement attorneys. Here in the U.S. when you refinance your house, it's just like selling your house again. You have to go to settlement on it again.
Dave Bittner: [00:11:10] And is that a public record?
Joe Carrigan: [00:11:11] It is a public record.
Dave Bittner: [00:11:13] Ah.
Joe Carrigan: [00:11:13] But this is - yeah, and this is something that's happened but within - she's getting this phone call relatively quickly.
Dave Bittner: [00:11:17] Right.
Joe Carrigan: [00:11:18] So I don't know how long it takes in the U.K. to put these things in the public record. Here in the U.S., it takes, like, two months. But she's getting this, like, within two weeks of having the refinance happen.
Dave Bittner: [00:11:27] So they could have an inside person at the refi place.
Joe Carrigan: [00:11:29] They could have that.
Dave Bittner: [00:11:30] That would also be a great way to get a lot of this personal information.
Joe Carrigan: [00:11:33] That's correct.
Dave Bittner: [00:11:34] Including bank account information.
Joe Carrigan: [00:11:36] Yeah, they could have a mortgage - the mortgage broker could have an inside person. Or they could just be compromised.
Dave Bittner: [00:11:43] Yeah.
Joe Carrigan: [00:11:43] And have somebody in their system that they don't know about.
Dave Bittner: [00:11:45] Right, right, right.
Joe Carrigan: [00:11:46] They spoofed the bank's number.
Dave Bittner: [00:11:48] Yeah.
Joe Carrigan: [00:11:48] That's another - another big point. You can never trust caller ID. It's just - you just can't do it anymore.
Dave Bittner: [00:11:52] Right.
Joe Carrigan: [00:11:53] The only thing that a telephone number provides you is that, OK, I don't know this person. It never confirms that you do know this person.
Dave Bittner: [00:12:01] (Laughter) OK.
Joe Carrigan: [00:12:02] And that's unfortunately the way it is.
Dave Bittner: [00:12:04] But I can see the reinforcement here because especially - like, on your mobile device, when you have someone's name in there and it's not just a familiar phone number that pops up. But...
Joe Carrigan: [00:12:13] Right, their name pops up.
Dave Bittner: [00:12:14] The name pops up. So if it says your bank...
Joe Carrigan: [00:12:17] Right.
Dave Bittner: [00:12:17] ...And the bank's name's there, to me that's an even stronger confirmation, at least on the fly...
Joe Carrigan: [00:12:25] Absolutely.
Dave Bittner: [00:12:25] ...That this is probably legit.
Joe Carrigan: [00:12:26] Yeah.
Dave Bittner: [00:12:27] And it doesn't have to be, as you say.
Joe Carrigan: [00:12:28] You're right. It's not. Her accounts were suspended. They actually were suspended.
Dave Bittner: [00:12:32] Right.
Joe Carrigan: [00:12:33] So this is probably from the scammers trying to get into her account. When they try to transfer money out fraudulently and they can't get it to happen, they go to this plan. Or maybe this was their plan, where they go in and they mess up her account and get them to lock it up.
Dave Bittner: [00:12:45] Yeah.
Joe Carrigan: [00:12:45] I don't know how this - I'm not...
Dave Bittner: [00:12:46] Right, yeah.
Joe Carrigan: [00:12:47] ...Sure how this works, but...
Dave Bittner: [00:12:47] The details are a little fuzzy on that part, yeah.
Joe Carrigan: [00:12:50] But because she used the card reader and she authorized the transaction, if they can't get it stopped, NatWest may not be on the hook for anything.
Dave Bittner: [00:12:57] Because she actually sent a code...
Joe Carrigan: [00:12:59] Because she used a card reader and sent the money. So, you know, there was tons of security that NatWest put in place here that was just circumvented by some really, really persistent and good social engineering here.
Dave Bittner: [00:13:11] Yeah.
Joe Carrigan: [00:13:12] Good by quality of social engineering, not good as in you're a good person.
Dave Bittner: [00:13:15] (Laughter) Right, right.
Joe Carrigan: [00:13:15] You know, these people are horrible monsters of people.
Dave Bittner: [00:13:17] Right, right. It strikes me the amount of manpower they threw at this job. She talked to three different people.
Joe Carrigan: [00:13:23] Three different people.
Dave Bittner: [00:13:24] Now, this could easily be a bunch of people at a phone bank who just pass off one to another.
Joe Carrigan: [00:13:29] Yeah.
Dave Bittner: [00:13:30] And it likely is.
Joe Carrigan: [00:13:31] We've talked about this in previous episodes, how these organizations are set up like businesses. So they view this as a business. And they're moving money around. And these are essentially three salespeople that she spoke to.
Dave Bittner: [00:13:43] And imagine - I mean, if they get one of these a week, if they are successful with one of these a week...
Joe Carrigan: [00:13:48] Right.
Dave Bittner: [00:13:48] At 40 grand a pop.
Joe Carrigan: [00:13:50] Yep.
Dave Bittner: [00:13:51] There - that's that's a living.
Joe Carrigan: [00:13:52] Yeah. Yeah, they're making - making millions.
Dave Bittner: [00:13:55] All right. Well, we'll have a link to this one in the show notes. There's a lot of...
Joe Carrigan: [00:13:58] I'd encourage everyone to read it.
Dave Bittner: [00:13:59] A lot of detail.
Joe Carrigan: [00:13:59] It's - there's a lot more that I can't go into on this show.
Dave Bittner: [00:14:01] It's a good one.
Joe Carrigan: [00:14:02] Yep.
Dave Bittner: [00:14:03] All right, Joe, well, it's time to move on to our Catch of the Day.
(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:14:09] Our Catch of the Day comes to us from a listener named Lily (ph). And Lily says, big fan. I never thought that I will send any phish to the podcast. But this one I found interesting because it came from one of our vendors. The phish uses actual architect information. And Lily is from a architectural firm. And it's a company who's provided services to their firm before. Lily says, my boss called me to verify the legitimacy of the email, and I'm glad he did.
Joe Carrigan: [00:14:36] Very good.
Dave Bittner: [00:14:37] All right, so I will read the first part here.
Joe Carrigan: [00:14:39] OK.
Dave Bittner: [00:14:39] It starts off like this. (Reading) How are you doing? Please, may I ask for an urgent favor from you? Let me know if you can help. And then the manager of the architectural firm says, hi, Eric. I'm OK, thank you. How can I help you? Glad you replied back at this moment, and I am so sorry to intrude into your privacy. I need to make some transfer to my friend in Spain who needs to undergo knee surgery. I am out of cash at this moment. I want you to help me transfer the some of $650 dollars - that's some, S-O-M-E - via Western Union I will refund it back to you next week Friday. That is one long run-on sentence.
Joe Carrigan: [00:15:16] (Laughter).
Dave Bittner: [00:15:16] Let me know how much you can spare me. I will refund your money back to you. Regards, Eric. And then it has the name of a design firm. It sounds to me like they got into...
Joe Carrigan: [00:15:28] Someone's account.
Dave Bittner: [00:15:29] This person's account, right. They were able to take over this person's account, email from his account to a client.
Joe Carrigan: [00:15:35] Yep.
Dave Bittner: [00:15:35] So the boss at this architect firm recognized the name. This is someone they do business with regularly...
Joe Carrigan: [00:15:42] Yeah, you can tell by the response.
Dave Bittner: [00:15:43] Yeah, some sort of business relationship - and is trying to scam them out of money.
Joe Carrigan: [00:15:48] Yep.
Dave Bittner: [00:15:48] So the boss did the right thing. (Laughter).
Joe Carrigan: [00:15:50] Yep.
Dave Bittner: [00:15:51] And asked - did exactly what we say. Ask somebody.
Joe Carrigan: [00:15:53] Right.
Dave Bittner: [00:15:53] Just pause. Ask somebody else.
Joe Carrigan: [00:15:56] Does Eric really know somebody in Spain that needs knee surgery? Hmm.
Dave Bittner: [00:15:58] Probably not. Probably not. No, it's a little fishy. But thanks to Lily for sending it into us. That is our Catch of the Day. Coming up next, we've got the second part of Carole Theriault's interview with the hacker who goes by the name Freaky Clown. But first, we've got this message from our sponsors at KnowBe4.
(SOUNDBITE OF CARNIVAL AMBIENCE)
Dave Bittner: [00:16:20] And what about the biggest, tastiest piece of phish bait out there? If you said A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B, please read important message from HR, well, you're getting warmer. But that one was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No, sorry, that's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [00:17:24] And we are back. Joe, we've got part two of Carole Theriault's interview with the hacker who goes by the name Freaky Clown. We're going to dive into some more of his exploits. Here's Carole Theriault's story.
Carole Theriault: [00:17:36] Well, I'm sure most of us remember part one interview with Freaky Clown. This is part two. In the first part, he explained what he did for companies and how he tested the physical defenses. We get a bit more in depth here on the wacky methods he might employ in order to break in legally to a company. Now, if you haven't already heard part one interview with Freaky Clown, please go and find it. It's available on the "Hacking Humans" webpage. If you have already heard it, buckle in. This is a good one.
Carole Theriault: [00:18:13] OK. So now you've got your letter. You've never needed to do that, but it's in your back pocket - your get-out-of-jail-free card. And then what? You're heading to - do you go directly to your source or to your goal, or do you sometimes have to figure out a roundabout route?
Freaky Clown: [00:18:27] So generally with these assessments, we always sit down with the client and say, OK, right, what is it you want to get out of this, right? This type of assessment is no good if you want to test your whole security. You just want to, like, test one particular thing.
Carole Theriault: [00:18:39] Right.
Freaky Clown: [00:18:39] So is there a particular file that I need to get from a cabinet somewhere? Is it a gold bar I need to get out? Is it access to a certain area or room?
Carole Theriault: [00:18:49] Let's say it was the server room. Say that was our goal.
Freaky Clown: [00:18:51] OK. Right. So you have to work out where that server room is. There's loads of clues on the outsides of the buildings. You can look at where telephone cables come into the building. That's probably going to be very close to it. Look for air conditioning units. They're going to be...
Carole Theriault: [00:19:04] Of course.
Freaky Clown: [00:19:04] ...Everywhere, especially for a high-power server room. So you can kind of work out roughly where in the building even from the outside where it is. So that's part of the reconnaissance. And then once you get the map of the building, you can kind of start to work out where it is, what floor it is, et cetera. They generally don't put server rooms on high floors because they're full of heavy equipment.
Carole Theriault: [00:19:23] Yeah.
Freaky Clown: [00:19:23] So it's going to be low down, maybe in a basement. So finding your way to where the server room is is your key goal. So there's always like - your primary goal is get to a thing, such as the server room. Then you'll have secondary goals. Can you get to these particular rooms as well? Can you get access into these areas? You're trying to do the primary one as quickly as possible. You then go for the secondary ones.
Freaky Clown: [00:19:42] And then what I try and do is get caught. All right. And there's a really good reason for this. People always, like, look at me. It's like, what; you're trying to get caught? No, I'm trying to check where the boundary is between people understanding what security is - me doing enough that they find that...
Carole Theriault: [00:19:58] OK.
Freaky Clown: [00:19:58] ...Odd. I'll give you an example of one building, right? So I broke into this building - super easy to get in. So I went in the next day dressed slightly differently, got in through a different way. So this harks back to dressing the part. So they had a very particular dress code. So I adhered to that the first day. Second day, slightly sloppier. Third day, really sloppy. Fourth day, I went in...
Carole Theriault: [00:20:20] Naked.
Freaky Clown: [00:20:23] Not naked. Oh, my God. That would be terrible. Oh, wow.
Freaky Clown: [00:20:28] So I turned up, like, you know, in ripped jeans and, like, a baggy T-shirt and just looked...
Carole Theriault: [00:20:32] Right.
Freaky Clown: [00:20:32] ...Like a real slob - you know, my normal self. And they still hadn't tweaked that I was not supposed to be there. So when you start doing things like standing on tables or moving things around or - I once got one government department to build teepees. I got them all together. I was like, let's build tepees as a team-building exercise.
Freaky Clown: [00:20:54] They had no idea who I was, but we still ended up building tepees together, which was great fun. You'd go in with like - rather than, like, sneaky little cameras trying to capture everything, go in with the biggest camera you can and start taking photos.
Carole Theriault: [00:21:06] 'Cause then you almost look official, I guess.
Freaky Clown: [00:21:08] Yeah, exactly. I had one particular one where, which I often talk about in one of my talks, is - I went in. And I hadn't brought my camera. So I actually broke out of the building. So I went by reception. And I was like, hey, I've just forgotten my pass upstairs; I'm going to come back in a minute; can you let me back in? And the woman was like, oh, yeah; it's cool - because she assumed that I had - I was officially in there because I was coming out.
Freaky Clown: [00:21:31] So I went to the car, got my massive camera, came back in. She let me through without pass because she remembered me. And I went up onto this floor. And I stood on a chair, and I started taking photos of everyone on this floor.
Freaky Clown: [00:21:44] And then suddenly, this woman appears out of nowhere. She's like, excuse me, excuse me. I was like, yeah, can I help? - thinking, oh, my God, I've actually been busted; this is great. And she's like, are we going to be in a magazine or something?
Freaky Clown: [00:21:57] And I was like, yeah, kind of.
Carole Theriault: [00:21:57] Yes. I'm a photographer for Vogue.
Freaky Clown: [00:21:57] So yeah. That was fun. There's some great photos from that.
Carole Theriault: [00:22:06] So then you're kind of testing the boundaries at this stage.
Freaky Clown: [00:22:10] Yeah, and you can get away with all sorts of really ludicrous things. I once built a bar in another government department, actually. We got together some sort of bottles of drink that shouldn't have been in the building and sort of put them together. And it was all dressed up. It was really nice. So you can genuinely just confuse people enough to think that they should be helping you.
Carole Theriault: [00:22:32] But what's interesting about all this - it does have subterfuge in it. You are setting up a bar, for instance, just to give everyone that mental calmness of, oh, he's here for a reason. He's obviously - we're having a drinks reception. He's setting up the bar - no problem. And then if they see you around somewhere, they're going, oh, yeah, that was the guy setting up the bar.
Freaky Clown: [00:22:49] The instance where we built tepees together, so that was a finance department of a government site - so really quite secure building. And I'd got in - managed to get into this area. And we'd started building tepees. I got a really great photo of it. We're building tepees with their coats.
Freaky Clown: [00:23:07] And, you know, I get what I need from that department, and I move on. And then later on, I'm showing the client round. Like, so I got in here and got in here. And I say, oh, I got into the finance area. And he's like, really? That's hard to get into. And I was like, well, no, I just walked in. And so we get in there, and they all see me. And they're like, hey, FC. And we're, like, high-fiving, and we're talking about the tepees.
Freaky Clown: [00:23:26] And then their manager appears, and they're like - they have a go at my client because he's not meant to be in that area. And yet they - they're totally fine with me being there. And he's like, how does this even happen?
Carole Theriault: [00:23:41] Because you somehow bonded with them.
Freaky Clown: [00:23:43] Yeah.
Carole Theriault: [00:23:43] You've become part of the inner circle.
Freaky Clown: [00:23:44] Exactly. And so he wasn't supposed to be there, and they knew that. But they just accepted me. It was - it was odd. People are strange.
Carole Theriault: [00:23:52] But what we're seeing here is your job is basically to dupe people. And do you have any - I don't know - advice to help companies - just little things they could do to sniff out potential bad actors...
Freaky Clown: [00:24:07] Yeah.
Carole Theriault: [00:24:07] ...That were really trying to steal something from them.
Freaky Clown: [00:24:11] Yeah. It's really important to have a really good security culture. You know, it's one of the things that my partner Dr. Jessica Barker focuses on. So she's the socio-technical lead. She's the one that does all the human side of this. And having a great security culture in a company is your best asset. It really is.
Freaky Clown: [00:24:30] People always say like, humans are the weakest link. No, they're the weakest link until you train them. And then they are your strongest link because if someone is well-trained in understanding the threats that bad actors can have on the company, they're the ones that are always going to stop it.
Carole Theriault: [00:24:46] Right.
Freaky Clown: [00:24:46] If see some of them the massive cyberattacks that we've seen recently - like, you know, sort of a billion pounds tried to be stolen from the SWIFT network - that was stopped by one analyst.
Carole Theriault: [00:24:57] Wow.
Freaky Clown: [00:24:58] And we're seeing things like that all the time. Even some of our clients who have had massive spear-phishing attacks, like you know, CEO fraud, that was stopped because one person was like, that's odd. That doesn't sound like the way that Jeff (ph) would write an email. They understand it. If they know what can be done and how it would be done, then they're in a much better position to stop it before any technology can even get in.
Freaky Clown: [00:25:20] And this harks back to what I was saying right at the beginning - is if you've got a weak area in the physical or the human or the cyber area, then you don't have a great security culture. Whereas, the people can be a really, really strong link and can sort of overpower all the rest of it because if I get into a building, and if any person I ever interacted with had just said, excuse me, what are you doing here? - can I help you? - I'd have been screwed.
Carole Theriault: [00:25:45] Oh, no. You would have pulled out your letter...
Carole Theriault: [00:25:47] ...Tap danced your way around.
Freaky Clown: [00:25:48] Yeah, but if I was a bad actor - not a bad actor in that way. You know, I'm still going to get an Oscar one day.
Freaky Clown: [00:25:55] If I was a criminal breaking in, and someone had just asked who I was and what I was doing there, and they didn't have the experience that I have to talk their way out of it, then they're going to get rumbled really quickly.
Carole Theriault: [00:26:06] I was physically robbed once. And, you know, and I'm fairly safe in my house, right? So I lock my windows. You know, I close the blinds. I don't leave valuables around - all that kind of stuff. But what I'd done is I'd left the key in the back door - locked, but I left it there. And the reason I left it there was because I always thought, well, I need an escape route if there's fire, right? I need a quick escape route.
Carole Theriault: [00:26:26] But somehow also that meant making it much more alluring to a criminal because they just have to put a brick in, turn the door and walk through. You can't prep well against something you don't know. Like, I never thought about that, right? It never occurred to me. And that's why having third parties try out your system seems to make sense for me because suddenly you're forced to look at it from a different perspective.
Freaky Clown: [00:26:48] Yeah. And here's the thing. Like, other companies are trying to do what they're great at, right? If you're a software company, you're building software. If you're a manufacturing company, you're manufacturing stuff. If you're - whatever your role is as a company, you're doing that. You can't be expected to understand all of the security threats.
Freaky Clown: [00:27:07] So that's where a security company comes in and goes, OK, look. We understand how criminals are working because we see this day to day. We understand how the criminal organizations are working. We understand how nation-state attackers are working. So what is your threat level? Try to build up on that. So you get a better security posture because it's just like being at home. Like, you can put in all of the security issues - like, sort of things you want. You can go - when you leave your house, you lock the door, and you think, great, I'm secure.
Carole Theriault: [00:27:37] Yeah, you put the alarm on.
Freaky Clown: [00:27:38] Yeah. But a criminal will just come along and put a brick through your window because you have to have windows. So what do you do? Do you brick up all your windows? That's crazy. So you just have to be better than everyone else on the street.
Carole Theriault: [00:27:50] Exactly. Be the least attractive to rob.
Freaky Clown: [00:27:53] Exactly. That's what we need to do with companies - is if you've got all of the stuff open on your internet access, then that's going to be attractive. If it's all locked down, then it's kind of like, well, OK, I'll just move on to the next one because there's hundreds of millions of other sites. If your office is built of glass, and you can see through them, then that's going to be attractive because they can see what's going on. So always be the least attractive. That's what I've always told myself anyway.
Carole Theriault: [00:28:21] Do you think we're going to see a return to castles and moats, you know, with crocodiles (laughter)?
Freaky Clown: [00:28:26] Well, you could do, but then - you know, I did a job at a prison once. And they wanted to assess some security there. And it was great. You know, it was all really good. It's good for, like, people trying to get in and out through a fence. But they hadn't thought about drones.
Carole Theriault: [00:28:43] OK.
Freaky Clown: [00:28:43] They hadn't thought about this thing. And so it was like OK; well, this is great. So they looked at all this drone technology. And I was like, OK, this - it's really good that you've done this, but criminals aren't going to use drones; the method that we see - this is an actual thing that I've seen in use at a prison to get contraband in and out - is you get a fishing rod. And you put stuff on the end of the fishing line, and you cast it.
Carole Theriault: [00:29:07] Right.
Freaky Clown: [00:29:07] And then you cut the line. That's it.
Carole Theriault: [00:29:09] Wow.
Freaky Clown: [00:29:10] And there's no loud drone going on. No one's using drones to get stuff in and out of prisons 'cause it's too noisy. It's too obvious. A fishing line is really super silent. You can be carrying a fishing rod anywhere. It's not illegal to carry one of those. You don't need a license for one.
Carole Theriault: [00:29:28] Yeah.
Freaky Clown: [00:29:28] It's really simple to get stuff in and out. So...
Carole Theriault: [00:29:30] So what you're telling people - so what companies out there and industries and organizations need to think about is - think about all the ways that someone could physically get into your building and what they could compromise within that because there's loads of miniscams. In all those stories you've shared with us, we see all these places where humans are duped because they are distracted or they're busy or they're making assumptions and leaps of assumptions rather than just stopping and going, this is a bit odd; what is going on?
Freaky Clown: [00:29:59] Yeah. I mean, and I'm not even saying to companies think about that yourselves. I'm saying get an expert in that knows this, that understands it. You don't try and do, like, heart surgery on yourself. You get an expert heart surgeon to come and do that. You know, so get an expert in the field that understands all of these attacks.
Freaky Clown: [00:30:19] And then have a conversation with them and say, look, here's what we think is the great target for criminals; and what do you think? And often, a lot of companies don't actually know what their valuable data is. They'll often think it's one thing. But when we come in and we talk to them, they'll be like, oh, that's why criminals would want us because we've got this really important stuff over here that we just kind of use day to day. And we see that quite a lot.
Carole Theriault: [00:30:42] This has really been so insightful. I think seeing it from the other perspective makes you realize how vulnerable we can be. Thank you for sharing your insight, FC.
Freaky Clown: [00:30:52] No problem. Thank you for having me.
Carole Theriault: [00:30:54] What did I tell you? Pretty interesting, right? I really enjoyed speaking with FC and learning about all these techniques. It was truly mind-opening for me. And I hope it was for you, too. This was Carole Theriault for "Hacking Humans."
Dave Bittner: [00:31:09] All right, Joe. A lot of fun there.
Joe Carrigan: [00:31:11] Yeah, that's great. First off, I want to say that always be the least attractive is finally a motto that I can get behind, right?
Dave Bittner: [00:31:20] You know, Joe, they say that extraordinarily good-looking people are conceited. Well, I'm not.
Dave Bittner: [00:31:30] What did we take away from this this week?
Joe Carrigan: [00:31:33] A couple of things. Number one, there are some things you'll just never be able to hide. And I think that's a great point. Like, it's going to be pretty obvious where your server room is based on the input of the phone cables and the network cables and the internet connection but more so really about the HVAC, the heat exchangers, for the cooling system inside there. It's going to be pretty obvious where they are.
Joe Carrigan: [00:31:52] And he's right. They're going to be generally on the bottom floor 'cause it's easier to install them there - generally cooler down there. I love what he talks about when he says he's trying to get caught. And I found it interesting that even as he continues to go on, he finds it more and more difficult to get caught to the point where he's degraded his outfit to something that's absolutely unacceptable in the corporate culture.
Dave Bittner: [00:32:14] (Laughter) Right.
Joe Carrigan: [00:32:15] But he's still getting inside. I don't know how valid of a test that is - right? - because you've already built a rapport with these people that you're testing.
Dave Bittner: [00:32:23] Well, but also the point that someone who's doing what he's doing - he knows how to carry himself to seem like he owns the place...
Joe Carrigan: [00:32:30] Right.
Dave Bittner: [00:32:30] ...You know?
Joe Carrigan: [00:32:31] Yeah, absolutely. No, he...
Dave Bittner: [00:32:31] And that goes a long way.
Joe Carrigan: [00:32:33] He bonds with people. I love the part of the story where he's gotten the people to build teepees, which is ridiculous, right?
Dave Bittner: [00:32:39] (Laughter).
Joe Carrigan: [00:32:39] An absolutely ridiculous thing he's gotten people to do.
Dave Bittner: [00:32:40] Right, right, right.
Joe Carrigan: [00:32:42] That's hilarious.
Dave Bittner: [00:32:43] Yeah.
Joe Carrigan: [00:32:43] But then he gets these people to challenge somebody who's not supposed to be there who they know, but they don't challenge him on the fact that he's in this area. That's fascinating to me.
Dave Bittner: [00:32:54] Yeah. It is.
Joe Carrigan: [00:32:54] That, again, goes back to - he's building the rapport. And he's built this rapport so well that this is the kind of thing he could do. This is something I could absolutely never do. My wife could do it. I couldn't do it.
Dave Bittner: [00:33:05] Yeah. Some people just have a knack for it.
Joe Carrigan: [00:33:08] Yeah.
Dave Bittner: [00:33:08] Yeah. All right. Well, again, thanks to Carole Theriault for bringing this interview to us. And thanks to FC for taking the time for us - a really interesting pair of interviews.
Dave Bittner: [00:33:18] And thanks to all of you for listening, and of course thanks to our sponsors at KnowBe4. They're the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:33:44] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik; technical editor is Chris Russell. The executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:34:01] And I'm Joe Carrigan.
Dave Bittner: [00:34:01] Thanks for listening.