Hacking Humans 3.7.19
Ep 39 | 3.7.19

Don't assume younger people get it.


Dale Zabriskie: [00:00:00] Phishing becomes where everybody is still going. It's still human, right? We - sometimes, we want to make this thing all technical. But in reality, we're still human on each end of the scope right here.

Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:33] Hi, Dave.

Dave Bittner: [00:00:34] We've got some good stories to share this week. And later in the show, we'll have my interview with Dale Zabriskie from Proofpoint. He's going to be telling us all about their recent "State of the Phish" survey.

Dave Bittner: [00:00:44] But first, a quick word from our sponsors at KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.

Dave Bittner: [00:01:18] And we are back. Joe, we're going to start off with a little follow-up.

Joe Carrigan: [00:01:21] Uh-oh.

Dave Bittner: [00:01:22] We got a note from a listener. Turns out last week, we made a little mistake. And by we, I mean you.

Joe Carrigan: [00:01:27] Yes.

Dave Bittner: [00:01:27] (Laughter).

Joe Carrigan: [00:01:28] I made numerous mistakes on last week's podcast. I was listening to it. I listen to all of our podcasts because I tend to be my harshest critic.

Dave Bittner: [00:01:36] Yeah. We had a listener reach out on Twitter. And he said, Joe himself got confused by TLDs. Those are top-level domains.

Joe Carrigan: [00:01:45] Yep.

Dave Bittner: [00:01:45] In the latest "Hacking Humans" - we don't have a .com.uk here in Blighty. It's .co.uk.

Joe Carrigan: [00:01:51] Oh, .co.uk. And he is 100 percent correct. That was my mistake. And also, they are not two-level TLDs. They are two-letter TLDs (laughter).

Dave Bittner: [00:02:00] All right. Well, let's move on to our stories. We got a kind note from a listener named Todd. And he followed up with us from - I think, it was last week's show. He said, I caught the show for today, and I heard the dodtap.com segment.

Joe Carrigan: [00:02:11] Yep.

Dave Bittner: [00:02:12] He said, I had to get on dodtap.mil for my job as a commanding officer signing for people getting out and then I used myself as I was retiring. I'm going to send a warning back to my last unit and the transition readiness civilians who run that program to spread the word. Thanks for the tip - very nice.

Joe Carrigan: [00:02:29] Very good, Todd.

Dave Bittner: [00:02:30] Yeah. Nice...

Joe Carrigan: [00:02:30] I think that's wise.

Dave Bittner: [00:02:31] Yeah. So - but Todd also sent along a link to a story that I am highlighting this week. And this is a tough one. This involves a U.S. Army veteran who had PTSD. And he was targeted by some folks who are running a scam out of a prison. And this was a sextortion scam. And the way it worked is these folks in prison - somehow, they got their hands on contraband phones that were snuck into the prison. And they would look around on dating sites. And they seemed to be targeting folks in the military.

Joe Carrigan: [00:03:06] Right.

Dave Bittner: [00:03:07] And they would send messages out to these military folks on the dating sites and pretend to be a young lady...

Joe Carrigan: [00:03:16] Right.

Dave Bittner: [00:03:16] ...And start a conversation, start interacting with them. And they would send some nude pictures and ask for nude pictures back.

Joe Carrigan: [00:03:26] Right.

Dave Bittner: [00:03:26] And then after the photos were exchanged, they would then reach out to the victim and say, hey. I'm this person's father. And that person is underage.

Joe Carrigan: [00:03:36] Right. And now you're in trouble.

Dave Bittner: [00:03:37] You are in big, big trouble.

Joe Carrigan: [00:03:39] Have we covered this scam before?

Dave Bittner: [00:03:40] I think we've covered a version of it.

Joe Carrigan: [00:03:42] Yeah.

Dave Bittner: [00:03:43] Yes.

Joe Carrigan: [00:03:43] This seems all very familiar.

Dave Bittner: [00:03:44] It is. Unfortunately, the tragedy here is that this gentleman named Jared Johns committed suicide.

Joe Carrigan: [00:03:53] That is awful.

Dave Bittner: [00:03:54] Yeah. And it was right after this sextortion scam was pulled on him. And, of course, the police and his family have the messages that were sent back and forth. And it doesn't even look like Jared was involved with any of the exchange of photos or anything like that. He was on a dating site. He's a father of two young children and was not married but was, you know, looking to connect with someone, to date someone.

Joe Carrigan: [00:04:19] Right.

Dave Bittner: [00:04:19] And these folks reached out and started this scam. And he exchanged messages with them. And his messages said, I don't know what you're talking about. I'm confused. Please help me understand. He asked for proof. And the scammers on the other side said, no. You know what you did. And you're going to be going to jail. You're in a lot of trouble. And according to the records that the police collected, it was not long after he got some of these messages that Jared took his own life.

Joe Carrigan: [00:04:50] Do they have any idea who was sending him the messages?

Dave Bittner: [00:04:53] They're working on that. Police are investigating. Like I said, there are indications that it is some folks who are running this scam out of prison...

Joe Carrigan: [00:05:01] Right.

Dave Bittner: [00:05:02] ...Which is remarkable in itself.

Joe Carrigan: [00:05:04] It is.

Dave Bittner: [00:05:05] And actually, Jared's mother reached out to the folks who are running this scam via text and, you know, expressed her horror and said, how can you live with yourself? These are the consequences...

Joe Carrigan: [00:05:18] Right.

Dave Bittner: [00:05:19] ...Of what you've done. And they responded once and said they didn't feel that they were responsible. And then they blocked the number.

Joe Carrigan: [00:05:25] Right.

Dave Bittner: [00:05:26] There's a lot to unpack here.

Joe Carrigan: [00:05:27] There is. This is an absolutely horrible case - absolutely terrible. There was a case a while ago where somebody swatted somebody else, and that person got killed.

Dave Bittner: [00:05:36] Yeah.

Joe Carrigan: [00:05:36] They swatted the wrong person.

Dave Bittner: [00:05:38] Yeah, yeah. We covered it on the CyberWire quite a bit.

Joe Carrigan: [00:05:41] Yeah.

Dave Bittner: [00:05:41] It was tragic.

Joe Carrigan: [00:05:42] The person who made the fraudulent call that resulted in the police showing up at the house has now been indicted for murder, I believe.

Dave Bittner: [00:05:47] Yeah, I think that's right.

Joe Carrigan: [00:05:48] And I'm wondering if that is a possibility in this case.

Dave Bittner: [00:05:51] Yeah, I don't know. I mean, you have the circumstances where I think it's fair to say Jared had some fragile parts of his personality.

Joe Carrigan: [00:05:59] Yeah.

Dave Bittner: [00:05:59] He was dealing with PTSD.

Joe Carrigan: [00:06:01] Yeah.

Dave Bittner: [00:06:01] According to the stories I've read, he was doing quite well with it. He was getting help and...

Joe Carrigan: [00:06:05] He was doing everything he should be doing.

Dave Bittner: [00:06:07] He was working through it. He had had some injuries. He served in Afghanistan, but he was sort of getting his life on the right track.

Joe Carrigan: [00:06:15] Yeah.

Dave Bittner: [00:06:15] And...

Joe Carrigan: [00:06:16] These guys come in and mess it all up.

Dave Bittner: [00:06:17] It was too much for him to bear, and I suspect this probably wasn't the only thing that he was dealing with. But it seems like this might've been the thing that put him over the edge.

Joe Carrigan: [00:06:27] Yeah.

Dave Bittner: [00:06:27] So in terms of direct responsibility for his death, that might be difficult to prove. But, boy, I...

Joe Carrigan: [00:06:35] I'd like someone to pay for this.

Dave Bittner: [00:06:37] Yeah. I hope they track these folks down and justice is served.

Joe Carrigan: [00:06:41] Yeah.

Dave Bittner: [00:06:41] ...Because, you know, you think about the consequences of some of these scams. And you think, oh, well, somebody lost some money.

Joe Carrigan: [00:06:46] Right.

Dave Bittner: [00:06:47] Maybe they have insurance or anything like that. But this is a case where, no, a life was lost.

Joe Carrigan: [00:06:52] Yeah, and there's no recovering from that.

Dave Bittner: [00:06:54] No. Right. So a tragic story - a sad story. Again, thanks to our listener for sending this in - our listener Todd. A sad story to share but worth sharing. It's an important lesson, I think, that some of these scams have serious consequences. Well, Joe, that's a hard story to follow.

Joe Carrigan: [00:07:14] Yeah (laughter).

Dave Bittner: [00:07:14] I know, but we're going to do our best here. So what do you have for us this week?

Joe Carrigan: [00:07:17] So my story comes from Toni Ryder-McMullin over at todaysconveyancer.co.uk.

Dave Bittner: [00:07:24] That's what - dot what?

Joe Carrigan: [00:07:25] Dot-co, .co.

Dave Bittner: [00:07:25] Dot-co.uk.

Joe Carrigan: [00:07:25] Dot-uk.

Dave Bittner: [00:07:26] I see. Right.

Joe Carrigan: [00:07:28] This is a website that, I guess, is talking about people who are in charge of conveying money to other people.

Dave Bittner: [00:07:34] Oh, I see.

Joe Carrigan: [00:07:35] The title of the article is "Are Law Firms Wising Up to Conveyancing Scams?" But we've talked about these kind of scams before. This is where someone gets into a firm's email system and then monitors the email for the right time to strike.

Dave Bittner: [00:07:46] Right.

Joe Carrigan: [00:07:46] And they send an email with new account information to some victim, and the victim then wires money to the wrong account. And the money's gone because the hackers have told them to do this, right?

Dave Bittner: [00:07:56] Yeah.

Joe Carrigan: [00:07:56] Or they're fraudsters. I don't know that they're hackers. But...

Dave Bittner: [00:07:58] Right.

Joe Carrigan: [00:07:58] Law firms have taken to telling their customers at the beginning of a transaction, here's our account information; it will not change, and you should disregard any emails to the contrary - right? - as a way of protecting against this...

Dave Bittner: [00:08:10] Right.

Joe Carrigan: [00:08:11] ...Because imagine you're buying a house.

Dave Bittner: [00:08:12] Yeah.

Joe Carrigan: [00:08:13] And the law firm says, OK, go ahead and wire the money to our account; but at the same time, we've changed our account; wire it to this account instead. And you get an email from the law firm that says this, but you're actually sending it to a scammer's account.

Dave Bittner: [00:08:23] Right, yeah.

Joe Carrigan: [00:08:24] And the money's gone, right? Now you can't buy your house. All your savings and your time is lost. It's terrible.

Dave Bittner: [00:08:29] Yeah.

Joe Carrigan: [00:08:31] So law firms say here's our information at the beginning of the transaction. And they also say it won't change. But there's another side of this operation, right? The client has bank information as well. And if the scammers compromise their email and monitor that email traffic, they can tell the law firm send the payment here, right? So now this is money leaving the law firm going to a client, and the client's been compromised.

Dave Bittner: [00:08:55] OK.

Joe Carrigan: [00:08:55] So it's kind of like you can do this both - one of two ways, right?

Dave Bittner: [00:08:59] Right.

Joe Carrigan: [00:09:00] We can compromise the law firm and have the client send us the money. We can compromise the client and have the law firm send us the money.

Dave Bittner: [00:09:05] Right.

Joe Carrigan: [00:09:06] The Solicitors Regulation Authority, the SRA in the U.K., says that losses from this are around 10 million pounds a year. That's $13.3 million right now...

Dave Bittner: [00:09:16] Wow.

Joe Carrigan: [00:09:17] ...Every year getting lost this way.

Dave Bittner: [00:09:19] Yeah.

Joe Carrigan: [00:09:19] And here's the interesting part of this article that I hadn't ever been aware of or considered before. But do you know when these scams are most likely to occur?

Dave Bittner: [00:09:27] No. When?

Joe Carrigan: [00:09:28] On Friday afternoon or Monday morning. And you think about this. On Friday afternoon, your head's not in the job, right? You're thinking about the weekend. You're getting ready to go.

Dave Bittner: [00:09:37] Right.

Joe Carrigan: [00:09:38] You know, you've got plans.

Dave Bittner: [00:09:39] Everybody just wants to get out of here.

Joe Carrigan: [00:09:40] Right. Everybody wants to get out of here.

Dave Bittner: [00:09:41] OK.

Joe Carrigan: [00:09:41] Plus, if you are targeted for a fraudulent wire transfer and it happens on a Friday afternoon, you may not know about it till Monday morning when you...

Dave Bittner: [00:09:49] Right.

Joe Carrigan: [00:09:49] ...Find out about it. There's a time window for the scammers to get in and move the money around so you can't get it back. And the other one is Monday morning when you show up at work. You may not be at your best. You may have been up late watching the Dragons-Ulster game. The game was Sunday night. It starts kind of late, and maybe you were at the game. Maybe you were watching the game. Suffice to say, maybe you're not at your best on Monday morning. So the fraudsters contact you, and they know that you're not at your best, so they attack at these times. I thought that was an interesting angle to this.

Dave Bittner: [00:10:15] Yeah, that is. I have heard of some of the scams where - for example, I've heard with vehicle registration scams or parking ticket scams where someone will reach out and say, basically, unless you pay this parking ticket within 24 hours, bad things are going to happen.

Joe Carrigan: [00:10:32] Right.

Dave Bittner: [00:10:32] And they send it to you on a Friday, but of course everyone at the agencies that handle parking tickets are closed for the weekend.

Joe Carrigan: [00:10:38] Right.

Dave Bittner: [00:10:38] But lucky you, you can pay online.

Joe Carrigan: [00:10:40] Yeah.

Dave Bittner: [00:10:41] Right.


Dave Bittner: [00:10:41] So I have heard of it there, but this is a little different twist on that.

Joe Carrigan: [00:10:46] Yeah. This is going after a huge pile of money. I mean, some of the stories in this article were talking about 60,000 pounds and 100,000 pounds. There are big payouts for these criminals. Clients can protect themselves by just using two-factor authentication on their email and maybe even by saying to their solicitor's office or conveyance office or their law firm or whatever that, hey. Here is my banking information. And it also will not change for the duration of this. And you should disregard any emails to the contrary as well.

Dave Bittner: [00:11:14] All right. Well, it's an interesting story. Joe, it's time to move on to our Catch of the Day.

Joe Carrigan: [00:11:18] My favorite part of the show.


Dave Bittner: [00:11:21] Joe, our Catch of the Day this week comes from a listener named T.J. He reached out to us on Twitter with this one. Now, this message claims to come from London. So you know what that means.

Joe Carrigan: [00:11:34] Dot-co.uk.


Dave Bittner: [00:11:37] Yes, but it also means ridiculous accents.

Joe Carrigan: [00:11:41] Ah, OK.

Dave Bittner: [00:11:41] It goes like this. Dearest, my name is Shirley Taylor. I'm presently in London hospital undergoing chemotherapy and radiation therapy treatment for lung cancer. The doctor said the cancer is at its final stage, and I have few days to live. My late husband left 15,500,000 British pounds sterling in my account before his death. I'm contacting you because I want to use the fund for charitable foundation for the needy in your location. My last wish is to help the needy, motherless, less privileged and widows. I will instruct my bank through my lawyer in writing to transfer the fund to you once I receive your reply. God bless you - Mrs. Taylor. What do you think, Joe?

Joe Carrigan: [00:12:31] (Laughter) I think that was a great accent.

Dave Bittner: [00:12:32] (Laughter).

Joe Carrigan: [00:12:34] That's one of your finest performances ever.

Dave Bittner: [00:12:35] Oh, thank you very much. Yes, I'd like to thank the academy.

Joe Carrigan: [00:12:38] Right (laughter).

Dave Bittner: [00:12:38] Go on.

Joe Carrigan: [00:12:39] Mrs. Taylor - I believe Mrs. Taylor is not actually...

Dave Bittner: [00:12:42] (Laughter).

Joe Carrigan: [00:12:42] ...Who she claims to be. She is probably not suffering from lung cancer. And she probably does not have 15 million pounds in her bank account.

Dave Bittner: [00:12:49] No. It's an interesting twist, though, that she's not trying to give the money to you. She's trying to give the money to needy people...

Joe Carrigan: [00:12:57] Right.

Dave Bittner: [00:12:57] ...And I guess sort of banking on your greed that...

Joe Carrigan: [00:13:01] Right, yeah.

Dave Bittner: [00:13:02] (Laughter) Once you get your dirty mitts on this money...

Joe Carrigan: [00:13:05] (Laughter).

Dave Bittner: [00:13:05] Oh, yeah, you might send some to less privileged and the widows. But...

Joe Carrigan: [00:13:09] Right.

Dave Bittner: [00:13:09] Fifteen million pounds sterling sitting in your account - maybe you'll take a little commission.

Joe Carrigan: [00:13:14] There is no hook in this, right? I mean, it looks like there's no hook. But what's in it for me? Why would I even respond to this? I don't understand.

Dave Bittner: [00:13:21] Well, I think to have a big pile of money sent to your bank account from across the world with someone who is soon going to be dead and not be able to claw it back...

Joe Carrigan: [00:13:31] Right.

Dave Bittner: [00:13:31] So I think it's just...

Joe Carrigan: [00:13:33] It's just relying on me being crooked.

Dave Bittner: [00:13:35] Exactly.

Dave Bittner and Joe Carrigan: [00:13:35] Right.

Dave Bittner: [00:13:36] On your greed - it's greed. It's just greed.

Joe Carrigan: [00:13:38] Yeah.

Dave Bittner: [00:13:38] Relying on your greed to take advantage of a poor, dying woman.


Joe Carrigan: [00:13:44] So I guess these guys are kind of like, there's got to be people like us out there we could scam.

Dave Bittner: [00:13:49] Yeah, right. We can't be the only ones. Yeah.

Joe Carrigan: [00:13:51] Right (laughter).

Dave Bittner: [00:13:51] Talk about no honor among thieves.

Joe Carrigan: [00:13:53] Right (laughter).

Dave Bittner: [00:13:54] Boy. All right. Well, that is our Catch of the Day. Coming up next, we've got my interview with Dale Zabriskie from Proofpoint. He's going to be talking about their "State of the Phish" survey.

Dave Bittner: [00:14:04] But first, we've got a word from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:14:57] And we are back. Joe, recently, I had the pleasure of speaking with Dale Zabriskie. He is from Proofpoint. And they recently published a report called the "State of the Phish." And we're going to talk to Dale about that. Here's my interview with Dale Zabriskie.

Dale Zabriskie: [00:15:11] Email being still the main vector of attack in the world - and there's so much of it out there - that the phishing becomes where everybody is still going. It's still human, right? We - sometimes, we want to make this thing all technical. But in reality, we're still human on each end of the scope right here.

Dave Bittner: [00:15:30] What are you seeing in terms of trends? When you look at this year's report versus previous years, what's the same and what's changed?

Dale Zabriskie: [00:15:37] What continues to change and increase is that the social engineering attacks are increasing annually. We had a 7 percent increase of individuals experiencing phishing attacks from last year to this year. And then we saw increases on things like voice phishing or vishing, as we call it, and text phishing. These are things that are starting to really become commonplace in the world today. Almost half of our respondents said they experienced the voice phishing and the text phishing in 2018.

Dale Zabriskie: [00:16:10] And additionally, we saw a major increase - a 33 percent increase in USB social engineering attacks, which was really interesting because that's - takes a physical thing, right? That takes somebody picking something up and actually physically using it as opposed to email, whereas it's not a huge threat. Only 4 percent told us that they had experienced it. That is up about 33 percent from last year.

Dave Bittner: [00:16:36] Describe to us - what are we talking about with that?

Dale Zabriskie: [00:16:39] You pick up something. You see something. How many times have you seen a cellphone sitting or a smartphone sitting somewhere in a public setting? People pick it up. They want to take a look at it. And obviously, we'd like to judge hopefully of people and say they're trying to figure out who it belongs to, try to send it to - you know, get it back to the owner. The same thing happens with USB sticks - the thumb drives. They're sitting around. Bad guys put a lot of different threats on them.

Dale Zabriskie: [00:17:05] One organization published a list of 29 different types of USB attacks that are out there last year - that things from Rubber Ducky and a smartphone-based HID attacks - all these different things that are - been put on USB thumb drives and left in strategic locations, often in the front of some corporate setting where an individual coming to work sees that on the ground, say, oh, that's interesting - picks it up. And what's the first inclination? Plug it in.

Dave Bittner: [00:17:40] Right.

Dale Zabriskie: [00:17:41] Right. Hey...

Dave Bittner: [00:17:42] Yeah. Curiosity kills the cat, right?

Dale Zabriskie: [00:17:43] It - and the credentials, as well, right?

Dave Bittner: [00:17:46] (Laughter).

Dale Zabriskie: [00:17:47] You know, it's so true. And yet, the attitude - oh, I got a free thumb drive, as opposed to, you know, what's the best practice? Take that thing, walk it into your infosec people and say, I found this outside. You know, you deal with it.

Dave Bittner: [00:18:01] What are you seeing in terms of any shifts in the sophistication of these attacks? Are the social engineering schemes growing more sophisticated? Are they getting more targeted, or is it a shotgun approach?

Dale Zabriskie: [00:18:13] Well, it's across the board. But the - what we do - what we have seen over the last few years is a great deal of sophistication on a couple of fronts. And one of those is that there's been an almost 20 percent increase of spear phishing targeted at infosec professionals, OK? So a spear phishing attack - very, very focused, very sophisticated, very personal - that's sent to someone at an organization that hopefully, on the attacker's part, has some sort of access.

Dale Zabriskie: [00:18:48] You know, for years we've seen - since social networks have been out, like LinkedIn and Facebook and different things - people utilizing what they've learned about a target on, say, LinkedIn to - let's say someone on LinkedIn posted that they were at a conference recently, and they really enjoyed it. What we see are attacks of people saying, hey, Bob. I saw you. It was nice meeting you at the so-and-so conference. Here's an article I think that you'd like to see. And of course, you go to these conferences, and you meet people. You're not going to go home and remember Bob versus Ted versus Sue versus Joe. And - so yeah, I was at that conference. Oh, yeah. Let me take a look at that. That's interesting. And that's where the attack gets propagated - so much more focused and sophisticated attacks. And often, what we see in campaigns, as far as phishing attack campaigns, is that there are fewer of them, but they're more within each campaign. They're very, very targeted within the campaign that is being created. There's a lot of them out there - tens of millions beyond, you know, number of phishing attacks that are happening every year. But the sophistication and the focus of them is what we're seeing increase dramatically - getting very, very smart.

Dale Zabriskie: [00:20:00] One of the other big findings in this report is that there's been an assumption that younger workers are better at combating the threats that are out there because the millennials, or however you want to define them, are more technically savvy. They think, we've been around. They've - a lot of people have never known anything but a computer or a phone or a screen in their hand or...

Dave Bittner: [00:20:26] Right.

Dale Zabriskie: [00:20:26] They've never known anything but - the digital natives. But what the data shows is they are - the younger you go, the worse they are at understanding, what is phishing? What is ransomware? What do I do about it? And that the baby boomers, if you will, or the older workers, are significantly better at understanding and protecting themselves - and I find that really interesting because I think assumptions are made within organizations that are - if I may use the word - are digital immigrants that have to come across the digital Ellis Island to...

Dave Bittner: [00:21:02] Right.

Dale Zabriskie: [00:21:02] ...Get stamped and processed - right? - struggle because they don't understand. And they've got a computer, and I can do a few things. But really, they're more aware of what's happening in the space, and they're less trusting of things that come in. And I think the millennials, if you will - they're continuously partially connected, right? They're always partially connected one way or the other. And that is just part of their lives. And so they just - oh, here's something else. Oh, that's interesting. Oh, I wonder what that says. Don't assume that the younger people get it. And target the training to understand who really needs what type of approach - but that as you have individuals, you know, across all age groups and understanding and experience, one thing is not going to do it all for everyone.

Dave Bittner: [00:21:54] Yeah. That's a really interesting insight. It's a - a friend of mine says, you know, never underestimate both the wisdom and guile of an older person, you know?


Dale Zabriskie: [00:22:02] Yeah, that's right. Exactly. It's very, very true.

Dave Bittner: [00:22:05] Yeah.

Dale Zabriskie: [00:22:05] And the other thing that I would say is that this is really emotional. All that we do online and with our technology carries emotion with it. We are tied to our technology in a very emotional way. The things that we do - the passwords we create are based on emotion. Look at the hack that happened a few years ago at this cheating website Ashley Madison. So remember when that came down? And...

Dave Bittner: [00:22:35] Yeah.

Dale Zabriskie: [00:22:35] ...All this stuff was exposed. If you look at some of the passwords that were there, they were like, like I'm really going to cheat. That was the password. I should not be doing this.

Dave Bittner: [00:22:49] (Laughter) Oh, wow.

Dale Zabriskie: [00:22:51] And my personal favorite, you will never find out...

Dave Bittner: [00:22:55] Wow.

Dale Zabriskie: [00:22:56] ...Which of course we did find out.

Dave Bittner: [00:22:57] Right.

Dale Zabriskie: [00:22:58] Right. And we have an emotional connection to our lives and our technology. And on the other side of the fence, if you will, the IT - the infosec people are extremely emotional about (laughter) what they're doing and how they're doing it and things that happen. And so if we start to understand and appreciate the emotion involved - that we're all approaching this from a human perspective, then we can help from a - IT infosec person can help to understand better how the user is approaching what they're doing. And the user can start to appreciate what IT has to go through. And if we can break down those barriers and not make it a sense of, well, here's the policy; and this is what you're supposed to do - and the other person saying, well, to heck with that; I want to do this - and we start to meld the minds a little bit, I think we're all going to be better off. And we'll have less issues and less breaches and a better experience across the board within the corporate space.

Dave Bittner: [00:22:58] Joe, what do you think?

Joe Carrigan: [00:23:58] I think Dale has a great voice.

Dave Bittner: [00:24:00] He does, doesn't he? Yes, he does.


Dave Bittner: [00:24:01] There's something soothing about his voice.

Joe Carrigan: [00:24:03] That's right. He could - I could listen to him all day.

Dave Bittner: [00:24:06] Right.

Joe Carrigan: [00:24:06] I love the name of the study, "State of the Phish." I think that is hilarious...

Dave Bittner: [00:24:09] Yeah.

Joe Carrigan: [00:24:10] ...And well-done. I like his first point and his last point - they kind of meld together here - that we are all human at both ends of the attack, right? They're humans on either side. That's kind of our point of this show.

Dave Bittner: [00:24:21] Yeah.

Joe Carrigan: [00:24:22] And it should be part of everybody's security process...

Dave Bittner: [00:24:25] Yeah.

Joe Carrigan: [00:24:25] ...Is understanding that. Social engineering attacks are increasing year over year. And this all comes down to the fact that we're just emotional beings, right? That's important, I think. It shouldn't be lost on anybody.

Dave Bittner: [00:24:36] It's so easy to focus on the technical.

Joe Carrigan: [00:24:38] Right.

Dave Bittner: [00:24:39] We've been so focused on the technical for good reason...

Joe Carrigan: [00:24:42] Right.

Dave Bittner: [00:24:42] ...That the bad guys have pivoted.

Joe Carrigan: [00:24:43] Because we've actually gotten pretty good at focusing on the technical.

Dave Bittner: [00:24:46] Yeah.

Joe Carrigan: [00:24:46] You know, people don't make use of zero-day exploits all the time...

Dave Bittner: [00:24:50] Right.

Joe Carrigan: [00:24:50] ...Unless they're, like, nation-states or something. They use very old hacks. But why would I try to penetrate an organization when I could just call 10 people and wind up with a password?

Dave Bittner: [00:24:58] Right. Cheap, and it works.

Joe Carrigan: [00:24:59] Exactly. I liked that he was talking about USB social engineering. He said that's on the rise. There was a paper from the University of Illinois Urbana-Champaign, University of Michigan and Google, I think, about a year or two years ago. And we'll put a link in the show notes here. But this social engineering attack - they found that they were 45 to 98 percent successful in getting people to pick up the USB sticks...

Dave Bittner: [00:25:24] Right.

Joe Carrigan: [00:25:24] ...Or getting people to plug in the USB sticks they picked up. And if you look at the paper, it's fascinating on what actually does work and what doesn't work. If - they found out that if you have keys with an address on it and a USB stick attached, that generally, people will return it. But if you put the word confidential on it, then people open it.


Joe Carrigan: [00:25:45] Fascinating.

Dave Bittner: [00:25:45] Yeah.

Joe Carrigan: [00:25:48] Good, good study.

Dave Bittner: [00:25:50] Yeah.

Joe Carrigan: [00:25:51] Another observation they made that's kind of interesting is that not a lot of money is being spent on email security.

Dave Bittner: [00:25:56] Yeah, relative to other things.

Joe Carrigan: [00:25:57] Relative to the other things - and the other thing I wanted to touch on - he was talking about data shows that the younger you are, the worse you are at spotting phishing. And he says that younger people have - tend to be digitally connected all the time.

Dave Bittner: [00:26:07] Yeah.

Joe Carrigan: [00:26:08] I would also like to offer - that may - might be true, but I'd like to offer another reason for that. It's just that younger people haven't been abused by life as much as older folks.


Dave Bittner: [00:26:17] Yes. The weight of the world has not yet crushed their spirit.

Joe Carrigan: [00:26:20] Exactly.

Dave Bittner: [00:26:20] Yeah.

Joe Carrigan: [00:26:21] So (laughter)...

Dave Bittner: [00:26:23] (Laughter) Right. Right. They're still looking at the world through rose-colored glasses, giving everyone the benefit of the doubt, rather than the cynical, shriveled-up old men that you and I have become, right?

Joe Carrigan: [00:26:32] (Laughter) Right.

Dave Bittner: [00:26:33] Yes.

Joe Carrigan: [00:26:34] That's what I'm saying.

Dave Bittner: [00:26:35] Yeah. Good. All right. Good. This has been a really upbeat show this week, Joe (laughter).

Joe Carrigan: [00:26:38] Yeah. Yeah. We'll try to be happier next week.

Dave Bittner: [00:26:42] All right. All right. Well, everyone, thanks for listening.

Dave Bittner: [00:26:45] And of course, thanks to our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new school security awareness training. Be sure you take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:27:02] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:27:10] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:27:27] And I'm Joe Carrigan.

Dave Bittner: [00:27:28] Thanks for listening.