Hacking Humans 3.14.19
Ep 40 | 3.14.19

When we rush we make bad decisions.


Dave Bittner: [00:00:00] Hey, everybody. Dave here. I've got a quick request for you all. If you could leave a review for our show on iTunes or wherever you listen, that would be great. We don't have a whole lot of reviews up now, and we'd like to have more positive reviews out there. So if you could take the time, leave us a positive review. We would appreciate it. Thanks.

Gary Noesner: [00:00:17] You know, just protect yourself and slow things down. If something seems too good to be true, in almost all cases, it is.

Dave Bittner: [00:00:24] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the one and only show where we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:44] Hi, Dave.

Dave Bittner: [00:00:45] We've got some good stories to share this week. And later in the show, we're going to have my interview with Gary Noesner. He's author of the book "Stalling for Time: My Life as an FBI Hostage Negotiator."

Dave Bittner: [00:00:56] But first, a word from our sponsors at KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate. But you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.

Dave Bittner: [00:01:36] And we are back. Joe, what do you got for us this week?

Joe Carrigan: [00:01:39] So this week, Webroot, who is a company that makes security software for businesses and individuals.

Dave Bittner: [00:01:44] Yep. Yep. Friend of the show.

Joe Carrigan: [00:01:45] Yep. David Dufour's frequently on from Webroot.

Dave Bittner: [00:01:47] Yeah, over on CyberWire. Yeah.

Joe Carrigan: [00:01:48] Yeah. And they released their 2019 Webroot threat report.

Dave Bittner: [00:01:52] OK.

Joe Carrigan: [00:01:53] It has a lot of interesting information in it, and I would encourage everyone to read it. We'll put a link in the show notes.

Dave Bittner: [00:01:57] OK.

Joe Carrigan: [00:01:58] A lot of companies release these kind of reports annually. For example, Verizon releases an annual data breach investigation report, or a DBIR...

Dave Bittner: [00:02:06] Yep.

Joe Carrigan: [00:02:06] ...That is much looked forward to in the security community.

Dave Bittner: [00:02:09] Yeah, very well-known.

Joe Carrigan: [00:02:10] And, you know, if you start reading these kind of reports that come out from these companies, you kind of get a good feel for what's going on. So I recommend people - when they see these reports come out - just pick them up and peruse them, if nothing else.

Dave Bittner: [00:02:19] Yeah.

Joe Carrigan: [00:02:20] It's good. But back to the Webroot report. One of the key statistics in this report that was pretty interesting, I thought, was that 40 percent of malicious links are hosted - what the report calls benign - but basically good websites.

Dave Bittner: [00:02:39] OK.

Joe Carrigan: [00:02:40] OK. So what has happened here in one of these cases? The first thing that's happened is somebody has gone out and compromised a web server that somebody else is running.

Dave Bittner: [00:02:49] OK.

Joe Carrigan: [00:02:49] And then they've gone in, and they've put some malicious webpage on that server. So this is the attacker's own content, and they're essentially in control of it because they have this kind of access.

Dave Bittner: [00:03:00] OK.

Joe Carrigan: [00:03:00] The entity that controls the web server is probably not aware that there's malicious web pages there.

Dave Bittner: [00:03:06] Right. So if I was the bad guy, I would take a folder full of my stuff, try to find some place deep inside your webpage that I've gained control of...

Joe Carrigan: [00:03:15] Right.

Dave Bittner: [00:03:16] ...And tuck it away there.

Joe Carrigan: [00:03:17] Right.

Dave Bittner: [00:03:17] A place where nobody goes to look.

Joe Carrigan: [00:03:19] Right. And we've seen this, actually - that one of the things they do - these attackers will do - is they will put a really deep directory structure in there, which just means that there's a lot of slashes - you know, like, characters slash characters slash characters - so that if somebody were to go looking for it, it would be really hard for them to find it because it's got so many directories...

Dave Bittner: [00:03:37] Yeah.

Joe Carrigan: [00:03:37] ...In there. I don't know how effective that is in finding it. I think computers are pretty good at traversing their own directory trees, but the malicious content that's on the benign server might not actually be malware. It might just be a redirecting link that takes you out somewhere to a web server that the attacker controls.

Dave Bittner: [00:03:55] Right.

Joe Carrigan: [00:03:55] So why is this dangerous to users? Let's say I'm an attacker, and I compromise a site that you normally go to. And I put my malicious link or my redirect to a malicious site on that website, and then I send out a message that says, come check out our new coupon code.

Dave Bittner: [00:04:12] OK.

Joe Carrigan: [00:04:13] You get 20 percent off your next order. And you mouse over the link, and it says it's the right link. Even if you copy the link down - right? - or enter it manually and go to this page, you're still going to get to the webpage that either loads malicious content or redirects you to a site that attempts to load malicious content.

Dave Bittner: [00:04:30] Right. Right. So the actual link is from a legit website.

Joe Carrigan: [00:04:34] Exactly.

Dave Bittner: [00:04:35] And so there's no - I mean, it looks legitimate because it is legitimate.

Joe Carrigan: [00:04:38] It looks legitimate. Well, it's...

Dave Bittner: [00:04:39] It's a legitimate website.

Joe Carrigan: [00:04:40] It's a legitimate website with illegitimate content.

Dave Bittner: [00:04:43] Right. Right.

Joe Carrigan: [00:04:44] Yep. So of course, the question is, how do you protect yourself against this?

Dave Bittner: [00:04:47] Yeah.

Joe Carrigan: [00:04:48] And beyond saying that you should have antivirus software and maybe web surfing protection software and make sure that they're up to date, I don't know what other protections you would have for that. So these things tend to lag behind - right? - at least by a couple of hours. So the malicious content will be flagged eventually and put into a web filtering program that you may have or a web protection program.

Dave Bittner: [00:05:08] Oh, I see. Yeah.

Joe Carrigan: [00:05:09] But if I'm an attacker, you know what I'm going to do - is I'm going to say, here's your coupon code only for anybody that clicks on it the next two hours, right...

Dave Bittner: [00:05:17] Oh, yeah.

Joe Carrigan: [00:05:18] ...To incentivize you to kind of put the artificial time constraint on the message.

Dave Bittner: [00:05:22] So these folks assume that this is going to be tracked down quickly, and it's just a numbers game...

Joe Carrigan: [00:05:27] Yeah.

Dave Bittner: [00:05:27] ...That they're posting bunches of these.

Joe Carrigan: [00:05:29] Absolutely.

Dave Bittner: [00:05:30] So it's, like, sort of a game of cat and mouse, I guess.

Joe Carrigan: [00:05:32] Yeah. They've compromised a web server, and they're going to make hay while the sun shines.

Dave Bittner: [00:05:37] There are some services out there that will allow you to, basically, run your web browser in someone else's virtual machine.

Joe Carrigan: [00:05:44] Yes.

Dave Bittner: [00:05:44] So you can run - I think it's a - there are some of them that are cloud-based and...

Joe Carrigan: [00:05:48] Yep.

Dave Bittner: [00:05:48] So nothing's ever actually running on your machine. And it's sort of - so I guess it's kind of sandboxed and quarantined in a way.

Joe Carrigan: [00:05:55] It is.

Dave Bittner: [00:05:55] So if something does blow up, it blows up, you know, remotely (laughter).

Joe Carrigan: [00:05:59] Right. And it blows up in something that's disposable.

Dave Bittner: [00:06:01] Right.

Joe Carrigan: [00:06:02] Right. So you can just say, oh, that machine's corrupted. Delete it, and give me a new one.

Dave Bittner: [00:06:06] Right. So those services are out there. If you're really concerned about this sort of thing...

Joe Carrigan: [00:06:10] Right.

Dave Bittner: [00:06:11] You can hunt down one of those. But it's a clever one...

Joe Carrigan: [00:06:15] Yeah.

Dave Bittner: [00:06:15] ...And hard to fight against.

Joe Carrigan: [00:06:16] It's hard to fight against, right.

Dave Bittner: [00:06:17] Well, I guess the other thing we could do is the advice we give where if someone is sending you a link from a legitimate company that you do business with, don't click the link. Just go to that company manually.

Joe Carrigan: [00:06:29] Right.

Dave Bittner: [00:06:29] Right.

Joe Carrigan: [00:06:29] But even if you enter this malicious URL manually, you'll still get the malicious content.

Dave Bittner: [00:06:35] Right, right, right. But I'm saying don't enter the whole URL. Like, if it was, say...

Joe Carrigan: [00:06:37] Right, just go to the company's website...

Dave Bittner: [00:06:39] Yeah.

Joe Carrigan: [00:06:39] And look for their code. Yeah.

Dave Bittner: [00:06:39] Like, if someone is from, you know, Johns Hopkins University...

Joe Carrigan: [00:06:42] Right.

Dave Bittner: [00:06:43] Just go to jhu.edu...

Joe Carrigan: [00:06:45] Yeah.

Dave Bittner: [00:06:45] ...Rather than the entire link.

Joe Carrigan: [00:06:46] Correct.

Dave Bittner: [00:06:47] And try to find it from there...

Joe Carrigan: [00:06:48] Yeah.

Dave Bittner: [00:06:48] ...Because if it's...

Joe Carrigan: [00:06:49] Use the interface.

Dave Bittner: [00:06:50] Yeah. If it's legit, it's going to be something that they're going to want you to find.

Joe Carrigan: [00:06:53] Right. And chances...

Dave Bittner: [00:06:54] So...

Joe Carrigan: [00:06:54] ...Are, there won't be links to it from the legitimate content.

Dave Bittner: [00:06:56] Right. All right. Well, I guess it's really interesting that is such a high percentage. That is...

Joe Carrigan: [00:07:01] That's what shocked me was that 40 percent of the malicious links are out there on benign sites. And that's because a lot of these sites are maintained by organizations or people that don't have the resources to have a full-blown security organization...

Dave Bittner: [00:07:15] Yeah.

Joe Carrigan: [00:07:16] ...To maintain the site.

Dave Bittner: [00:07:17] And I think, also, if you're in a situation where multiple people are responsible for maintaining different parts of a site...

Joe Carrigan: [00:07:23] Right.

Dave Bittner: [00:07:23] It might be harder to detect when somebody from the outside gets access.

Joe Carrigan: [00:07:29] Yeah.

Dave Bittner: [00:07:29] Yeah.

Joe Carrigan: [00:07:30] Or what if somebody on the inside is doing it too?

Dave Bittner: [00:07:32] Yeah. Yeah, that's a possibility as well.

Joe Carrigan: [00:07:34] That's always a possibility.

Dave Bittner: [00:07:34] Yeah, yeah.

Joe Carrigan: [00:07:35] (Laughter).

Dave Bittner: [00:07:35] All right. Well, that's an interesting one.

Joe Carrigan: [00:07:36] I'm sorry. I'm sorry I don't have good news on this one, that there's an easy way to protect yourself. But sometimes, that's the way life is.

Dave Bittner: [00:07:42] Yeah (laughter). Well, Joe, my story this week - you know, as a producer of several podcasts, I get regular offers from various folks to help promote our podcasts. Mostly I get them on LinkedIn. There's sort of a cottage industry out there, where people come and they reach out to me. And they say they can move our show up on the iTunes charts, which is a good thing because the higher you are on those charts, that just improves your visibility...

Joe Carrigan: [00:08:08] Correct.

Dave Bittner: [00:08:08] ...And helps bring in new listeners.

Joe Carrigan: [00:08:10] It's called podcast discovery.

Dave Bittner: [00:08:11] Yes.

Joe Carrigan: [00:08:12] Right.

Dave Bittner: [00:08:12] And Jack Rhysider over at "Darknet Diaries" did a whole episode on this.

Joe Carrigan: [00:08:16] Yeah, that was a good episode.

Dave Bittner: [00:08:17] It's called Chart Breakers. So I highly recommend it. Jack does a great job over there at "Darknet Diaries." So do check that out if this is something you're interested in. And I've never responded to any of these sorts of things. I prefer, you know, to do our chart rising the old-fashioned way, to actually earn it.

Dave Bittner: [00:08:33] So the folks over at Rebel Base Media - it's a company who helps people promote their podcasts. They're actually podcasters themselves. They had a recent blog post about podcast review extortion. And one of their customers wrote in - a podcaster who goes by the name of James wrote in and said he'd been approached on Instagram by someone named Misha who claimed to be a fan of the show and was offering to help the show grow.

Dave Bittner: [00:09:00] She claimed some expertise in helping podcasts move up the charts. And the podcaster was intrigued by the offer, replied - just said he was interested but didn't - just wanted more information. And the next thing that he heard back from Misha was a response that claimed to have done a bunch of promotional work for the podcast and demanded an 800-dollar payment.

Joe Carrigan: [00:09:21] Huh.

Dave Bittner: [00:09:22] Now, there'd been no agreement. There'd been - nothing had been signed. There was no - none of that. No work was done. But so when this podcaster refused to pay the $800...

Joe Carrigan: [00:09:31] Right.

Dave Bittner: [00:09:32] Misha came back and threatened to use his network to flood the podcaster's podcast with one-star reviews on all of the directories, including Apple podcasts...

Joe Carrigan: [00:09:43] Yep.

Dave Bittner: [00:09:44] ...And also threatened to get the podcast banned, which, I guess, you could do if you wrote in a bunch of claims that the show was violating rules and so on and so forth. You could...

Joe Carrigan: [00:09:54] Right.

Dave Bittner: [00:09:55] It's possible you could have bad things happen. Now, since then, the original Instagram account has been deleted. But the folks over at Rebel Base Media wanted to help get the word out that, you know, this is the kind of scam that grows.

Joe Carrigan: [00:10:08] Right, yeah.

Dave Bittner: [00:10:09] So if you're out there, you're a podcaster, be aware of this. This is - this sort of extortion kind of thing could happen. And one of the things that strikes me is, you know, particularly with Apple, there is not a clear way to get customer support from Apple when you're a podcaster.

Joe Carrigan: [00:10:27] Yeah, it's...

Dave Bittner: [00:10:28] Apple is not a very engaging, interactive company.

Joe Carrigan: [00:10:32] No.

Dave Bittner: [00:10:32] So if someone were to do this kind of gaming, I think it's hard to get a real person on the phone or via email or whatever to respond. So that makes this threat a little more plausible, I think.

Joe Carrigan: [00:10:47] Yeah. It makes it a little more scary for podcasters...

Dave Bittner: [00:10:49] Right.

Joe Carrigan: [00:10:49] ...Out there. It's funny that this person reached out on Instagram. I had somebody do that for my podcast.

Dave Bittner: [00:10:56] Yeah.

Joe Carrigan: [00:10:56] And the funny thing was that it starts off with somebody saying, hey, sir. I'm a podcast promoter. And I know - because I've listened to Jack's show about how this works. And I'm like, no, thank you. And he's like, OK. And then a couple weeks later, the same guy reaches out to me again. So I just took a screenshot of the conversation and sent it to him. And he said, what's that? I said, that's a screenshot of the conversation the last time you asked me.

Dave Bittner: [00:11:19] (Laughter) Interesting.

Joe Carrigan: [00:11:20] And he goes, oh, OK. Then he reaches out to me a third time, Dave - a third time.

Dave Bittner: [00:11:25] Wow.

Joe Carrigan: [00:11:26] And he says, I can promote your podcast. So I sent him another screenshot. And he said, what's this? I said that's a screenshot of the screenshot of the first conversation we had. So we've now had this conversation three times.

Dave Bittner: [00:11:36] (Laughter) Yeah.

Joe Carrigan: [00:11:37] And then I blocked him. I just got tired of dealing with it, so.

Dave Bittner: [00:11:41] Well, I think part of what's going on here is that I think there's a relatively easy way people can kind of harvest up the contact information from podcasts. I think that's readily available.

Joe Carrigan: [00:11:52] Yeah. Well, this was the Instagram account for that podcast.

Dave Bittner: [00:11:55] Yeah.

Joe Carrigan: [00:11:55] So...

Dave Bittner: [00:11:56] Yeah. But I think through Apple's directory, you know, like, part of your RSS feed is your contact information...

Joe Carrigan: [00:12:02] Yes.

Dave Bittner: [00:12:02] ...Contact email.

Joe Carrigan: [00:12:03] It is.

Dave Bittner: [00:12:03] So I suspect people can go and harvest these things, you know, in large buckets and then just basically spam everybody with these things.

Joe Carrigan: [00:12:11] That's right.

Dave Bittner: [00:12:12] But this is the first time I've heard of someone turning it around and...

Joe Carrigan: [00:12:15] Yeah. This is kind of...

Dave Bittner: [00:12:16] ...Trying to extort someone.

Joe Carrigan: [00:12:17] And I don't doubt that there actually is a network out there capable of doing this. So maybe your best bet when you hear this, the offer for podcast promotion, is just block the user immediately.

Dave Bittner: [00:12:28] Yeah. And I think most of these podcast promotion things - well, certainly a lot of them are shady.

Joe Carrigan: [00:12:34] Yeah.

Dave Bittner: [00:12:34] So I would say that there are people who will legitimately help you market your podcast using traditional ways. And just be careful.

Joe Carrigan: [00:12:42] Yeah.

Dave Bittner: [00:12:43] As with everything, there's plenty of people out there who want to take your money and try to do things in shady ways. The shortcut is rarely the path to success.

Joe Carrigan: [00:12:50] I would agree. Yeah.

Dave Bittner: [00:12:52] All right. So that is my story this week. Joe, it is time to move on to our Catch of the Day.


Dave Bittner: [00:13:00] Our Catch of the Day this week comes from a listener. His name is Ganesh (ph), and he says, I'm a regular listener to your podcast, and I love it. Keep up the great work. I found this in the quarantine of my email, and I thought this was funny. He says, I've defanged the URL. It turns out the URL takes you to an adult website. Joe, this one comes from Russia. You know what that means? Ridiculous accents.

Joe Carrigan: [00:13:22] I do know what that means, Dave. It's time for a Russian accent.

Dave Bittner: [00:13:26] Joe, have at it.

Joe Carrigan: [00:13:27] The subject is, (reading, imitating Russian accent) how do you do? I am Karina (ph) from Petrovsk (ph), Russia.

Joe Carrigan: [00:13:32] Do I sound like a Karina, Dave?

Dave Bittner: [00:13:34] You sound like maybe a member of the 1976 Russian swim team for the Olympics. Go on.

Joe Carrigan: [00:13:40] (Reading, imitating Russian accent) As IT specialist by profession and belonging to an upper-middle-class family, both my parents are engineers, and they brought me up in a liberal way, giving me enough freedom for my thoughts and actions. Many have criticized them for that, but in my case, it did me only good, and I grew up to be a freethinking liberal, yet well-mannered and established-in-life individual. Only thing lacking in my life is the need for a loving life partner. My life is so busy in the computer labs of my software firm that I don't get time to mingle up with others in the nightclubs and other social events like my friends. So I was left behind in personal life.

Joe Carrigan: [00:14:22] (Reading, imitating Russian accent) Then, I came through this premium dating and friendship website whose primary aim is to make suitable people meet each other and to make family of their own. Though I yet haven't met my love here, I am fully satisfied with this website, as it has given me some exposure as to what I am to expect in the future. I have made many new friends, both girls and men, and now have a clear idea of what sort of man I want in my life. So if you are in search of a life partner, join the website and make sure to meet me. I assure you we will have a wonderful and interesting conversation and decide on our future. My profile - karina.rubeauty.cn.

Joe Carrigan: [00:15:08] My apologies to all of our Russian listeners.

Dave Bittner: [00:15:10] Yeah, both of them.

Joe Carrigan: [00:15:11] (Laughter).

Dave Bittner: [00:15:13] All right. Well, there's lots to unpack here.

Joe Carrigan: [00:15:15] Yeah.

Dave Bittner: [00:15:16] First of all, .cn...

Joe Carrigan: [00:15:17] Is China.

Dave Bittner: [00:15:18] China.

Joe Carrigan: [00:15:19] Right?

Dave Bittner: [00:15:20] (Laughter) Not Russia.

Joe Carrigan: [00:15:21] Not Russia. So there's a red flag.

Dave Bittner: [00:15:24] Yeah, yeah. Also interesting, I thought where she says she's made many new friends, both girls and men...

Joe Carrigan: [00:15:31] Right.

Dave Bittner: [00:15:32] I think there's a couple of things going on here. She's sort of indicating that there's a bunch of women here, also.

Joe Carrigan: [00:15:37] Yeah.

Dave Bittner: [00:15:38] Bunch of nice gals here.

Joe Carrigan: [00:15:39] Right.

Dave Bittner: [00:15:40] Because I think on dating sites, I think there's a thought with men that it's just going to be a bunch of guys...

Joe Carrigan: [00:15:44] Right.

Dave Bittner: [00:15:45] ...You know, sort of trying to pounce on the one girl in the room - you know, that sort of thing.

Joe Carrigan: [00:15:49] That's what happened with Ashley Madison.

Dave Bittner: [00:15:50] Yeah.

Joe Carrigan: [00:15:50] That was the ruse that the hackers presented...

Dave Bittner: [00:15:53] Right. Right.

Joe Carrigan: [00:15:54] ...Was that all the women on Ashley Madison were fake women.

Dave Bittner: [00:15:56] Yeah.

Joe Carrigan: [00:15:57] That it was just all a bunch of men on the site.

Dave Bittner: [00:16:00] Yeah. Well, and I suppose that Karina is probably not authentic, as well.

Joe Carrigan: [00:16:05] I think that's a foregone conclusion, Dave.

Dave Bittner: [00:16:07] (Laughter) Yes, I think so. I think so. All right. Well, it's a good Catch of the Day. Thanks to our listener Ganesh for sending it in.

Dave Bittner: [00:16:14] Coming up next, we're going to have my interview with Gary Noesner. He's author of the book "Stalling for Time: My Life as an FBI Hostage Negotiator."

Dave Bittner: [00:16:23] But first, a word from our sponsors at KnowBe4. And now, back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it. And we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:17:29] Joe, I recently had the pleasure of speaking with Gary Noesner. He's a former FBI agent. He's really had an interesting career. And he's the author of the book "Stalling for Time: My Life as an FBI Hostage Negotiator." Here's my conversation with Gary Noesner.

Gary Noesner: [00:17:44] Well, negotiators respond to a, you know, pretty wide range of incidents dealing with criminals, you know, mentally ill individuals, depressed individuals, suicidal terrorists, you name it. But one common denominator that we typically find is a high emotional state. And the first and most important task of the negotiator before we can get into understanding the other person's desires, predicament, behavior, we have to lower the emotional content.

Gary Noesner: [00:18:14] So most of the strategies that we employ as negotiators involve, first, de-escalating the interaction we're having with the individual. Hopefully, that allows us to better able - to move towards a more in-depth conversation about what it may take to resolve the situation.

Dave Bittner: [00:18:33] And what are some of the techniques you would use to do that?

Gary Noesner: [00:18:36] A calm voice is a bit contagious. It's hard to argue with somebody that's not arguing back - a demonstration of respect and even for someone to maybe engage in activity that's not particularly respectful. But every human being wants to be respected. So you project a genuine desire to not make their day worse because they're having a bad day but your willingness to help and to understand. It becomes increasingly difficult for an individual, a perpetrator, as you were, to stay angry and agitated when they're being responded to in a very thoughtful, engaging and helpful manner.

Gary Noesner: [00:19:18] There's a thing that is hard to identify that good negotiators project. And it's, essentially, likability. I mean, what is likability? It might be fairly hard to define. But I think most of us know it when we see it. And it's someone that we want to work with and we develop a certain level of trust with and we feel someone that's there to sincerely and generally try to help us in a situation.

Gary Noesner: [00:19:44] So those are sort of the general, very broad approaches that a negotiator would take in order to create a relationship that then inevitably leads us to be able to influence this person away from violence towards cooperation.

Dave Bittner: [00:19:59] Now, our focus here, of course, is social engineering. What sort of advice do you have for folks to protect themselves from being influenced, from being manipulated to do things they don't want to do?

Gary Noesner: [00:20:10] Well, I think you have to be careful when people try to lead you in a certain direction by forcing you to agree. You know, there's this aspect of influence where we lock someone in. We do it as negotiators. We would say, for example, to a bank robber, you know, earlier, you said that you didn't want to hurt anybody. And I really believed you when you said that. That sounds like it's important to you. What I'm really trying to do when I respond in that fashion is lock that person into living up to their own statement that they made earlier.

Gary Noesner: [00:20:42] A lot of manipulators will look for you to say something and then try to exploit that to get you to agree with them. And you have to be cautious about that. And the best way to do that is, you know, to repeat what they're saying, to ask clarifying questions and to slow the process down. We typically think we have to make decisions right away when, often, the best course is to slow down, you know, hence the name of my book, "Stalling for Time." I mean, we make better thoughts and analyze situations more accurately when we slow it down, particularly in a highly emotional context.

Dave Bittner: [00:21:16] Yeah. I think we see that with scammers a lot, where they try to accelerate that timeline. They try to make you feel as though you need to do something right away.

Gary Noesner: [00:21:25] Well, yeah. You see it - in fact, it's funny. It's come up recently in my own life. Several friends have shared with me the fact that they've gotten these phone calls from people who pretend that they're with some legal entity, a court. And if somebody doesn't pay a fine right away, then they're going to get arrested and so forth and so on.

Gary Noesner: [00:21:44] And, you know, you're trying to convince - the perpetrator's trying to convince the person to act very quickly to come up with some money and send it right away, you know, when someone really needs to slow down and ask a lot of important questions, you know, about, who did you say you are again? How can I contact you? What's your number? And please let me write this down again. Which agency did you say you were with? And then, of course, you would know I would have to verify all this stuff before we would move forward. And then they're typically going to hang up because they're looking for the person that mostly overreacts.

Gary Noesner: [00:22:13] You know, in Latin America right now, they have what they call virtual kidnappings and - where people will call someone up. And they know the children are at school. And they'll say, I've kidnapped your child. And I want - and it's usually a reasonable amount of money, a small amount of money that someone can obtain pretty quickly. They're not asking for millions.

Gary Noesner: [00:22:32] So they say, I want $2,000, or I'm going to hurt your kid. And then they will actually grab another child who will yell on the phone, mom, mom, help me, you know? It's not even the person's real child, but your emotions trigger that parental response. And there are many occasions where people fall prey to that and go out to their ATM and get some cash and deliver it to somebody when, in fact, their kid's sitting in their classroom, no worse for wear.

Gary Noesner: [00:22:58] So again, it's that point we've been discussing here, David, about, you know, people trying to rush you into doing things. And when we rush, we typically make bad decisions. Don't be rushed into (inaudible) or making a decision. Ask open-ended questions. Listen. Defer decision-making. And nothing's ever in a rush. It's exactly the concept. Think about the car salesman. When you go into the showroom, they never want you to leave. They want you to walk out of there with a new car. And if you say, well, I'm - I've got to check some other places. I'm looking - you're more and more likely to get a better deal, or they will call you to get you back. So again, avoid that inclination to rush into an agreement on something that may not be in your best interest.

Gary Noesner: [00:23:45] You know, and when in doubt, you know, just say, well, you know, can we talk about this later, or let me re-contact you. What's a good number? I need to talk to some people. And typically, if it's a - if you're dealing with a swindler, you won't hear from them again. But, you know, just protect yourself and slow things down. If something seems too good to be true, in almost all cases, it is.

Dave Bittner: [00:24:05] You know, it's funny. Before we connected here, I was looking over your bio and reviewing your book. And the idea struck me. I thought, you know what? Gary must be pretty good at negotiating to buy a new car.

Gary Noesner: [00:24:17] (Laughter) Well, those guys are pretty good, you know? And I'm not too bad. But, you know, business negotiations is a little bit different. But I think in - as in any negotiations, if you are able to walk away, it gives you a tremendous advantage, you know? You go into the car dealership at the end of the month when the salesmen are trying to get their quota, you know, and they're trying to get you to buy. And you have time. They don't. And use that to your advantage and just say, well, you know, I hear what you're saying, but I was offered pretty good situation down the road at the other dealership. And, you know, I want to go look at that some more. And you'll find that the deal continues to get better and better for you. You just have to be patient.

Gary Noesner: [00:25:00] And then sometimes you're going to hit a brick wall where they're just not going to go any lower, and then you have to make a decision. And, you know, it doesn't mean people are going to allow you to take them to the cleaners. They've got to make a living, too. But, you know, if you slow down, you're much more likely to get a better situation out of any kind of negotiations - you know, buying an appliance or a car, whatever it might be. So that would be my advice.

Dave Bittner: [00:25:30] What do you think, Joe? It's a really interesting guy, huh?

Joe Carrigan: [00:25:32] That was a really good interview, Dave. I know I say that about a lot of these interviews. And they're all good interviews. I think that you and I do quality interviews on this show.

Dave Bittner: [00:25:40] Yeah.

Joe Carrigan: [00:25:40] But I really like this one. This is a different take. Gary's job is to influence people to act in their best interest or in the best interests of other people, in the case of hostage takers, right?

Dave Bittner: [00:25:50] Right.

Joe Carrigan: [00:25:50] Which is kind of different from what we usually talk about - people whose job it is to get you to act against your own interests.

Dave Bittner: [00:25:56] Right.

Joe Carrigan: [00:25:57] I think that's just an interesting take on it. But again, we hear the same advice. Slow down. Slow down. I like the idea of coming up with a bunch of questions - open-ended questions - you can ask a scammer. You know, the guy's calling you. He's an IRS scammer. You go, OK. Let me write down the name of your agency again. IRS - and what does that stand for? That would be a great question to ask them. See if they even know what IRS stands for.

Dave Bittner: [00:26:19] Right. Yeah. Take up their time.

Joe Carrigan: [00:26:20] It's Internal Revenue Service. Normally, they just know they're running an IRS scam, right?

Dave Bittner: [00:26:24] Right.

Joe Carrigan: [00:26:24] They don't - they might not know what that means.

Dave Bittner: [00:26:26] Yeah. Yeah.

Joe Carrigan: [00:26:27] But someone who works at the IRS - they'll know.

Dave Bittner: [00:26:28] (Laughter) Right.

Joe Carrigan: [00:26:30] Finally, I'm going to use his advice next time I go to buy a car.

Dave Bittner: [00:26:34] (Laughter).

Joe Carrigan: [00:26:34] I'm going to go in at the end of the month. I just play it real cool. Maybe I'll buy a car. I don't know.

Dave Bittner: [00:26:39] Right. Right (laughter).

Joe Carrigan: [00:26:40] I got another guy up the street that's offering me something.

Dave Bittner: [00:26:43] Yeah. I just imagine him on the other end of a phone, you know, with the car dealer - seller, you know, using all of his hostage negotiating skills (laughter).

Joe Carrigan: [00:26:52] Right. And the guy doesn't know that he's a (laughter) hostage negotiator.

Dave Bittner: [00:26:53] Right. Exactly. He just has - he has no idea. You know, what is it going to take for me to get you to buy this car today, you know?


Dave Bittner: [00:27:00] Well, earlier, you told me that you wanted to give me a good deal. Is that right? You know, just...

Joe Carrigan: [00:27:05] Right. Hold - trap them into their own words.

Dave Bittner: [00:27:07] Yeah. Exactly. He just has - he has no idea. They have no idea who they're dealing with, so...

Joe Carrigan: [00:27:10] Yeah.

Dave Bittner: [00:27:11] Well, thanks so much to Gary Noesner for joining us. Again, the title of the book is "Stalling for Time: My Life as an FBI Hostage Negotiator." You can find that at all the usual places you buy books. We do appreciate him sharing his time with us. And that is our podcast.

Dave Bittner: [00:27:25] We want to thank our sponsors KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:27:52] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:28:08] And I'm Joe Carrigan.

Dave Bittner: [00:28:09] Thanks for listening.