Hacking Humans 3.21.19
Ep 41 | 3.21.19

Kids are a great target.


Dave Bittner: [00:00:00] Hey, everybody. Before we start the show, just a quick thank you to everybody who took the time to leave a review for us on iTunes and wherever else you listen to "Hacking Humans." We asked, and you delivered. Joe and I are overwhelmed at the outpouring of kind words from all of you. We do appreciate it, and it is one of the best ways you can help spread the word about our show. So thanks. Here's this week's show.

Frances Dewing: [00:00:21] If somebody wanted to gain access to the parents' devices' account data, kids are a great target for that.

Dave Bittner: [00:00:28] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:48] Hi, Dave.

Dave Bittner: [00:00:48] We've got some fun stories to share this week. And later in the show, we'll have my interview with Frances Dewing. She's the CEO and co-founder of Rubica. They recently published a report on how crooks are accessing parents' mobile devices via apps that their kids load.

Dave Bittner: [00:01:04] But first, we've got a word from our sponsors at KnowBe4. Step right up and take a chance. Yes, you there. Give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A, my late husband wished to share his oil fortune with you; or B, please read important message from HR; or C, a delivery attempt was made; or D, take me to your leader? Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enabled your employees to make smarter security decisions.

Dave Bittner: [00:01:50] Joe, we have got a little bit of follow-up before we get into our stories this week. We got a note from a gentleman named Joe (ph). He wrote in. He said, Dave, in the last two podcasts, you and Joe were discussing the spoof Transition Assistance Program website. In the first conversation, Joe made the comment to the effect, I would like to check it out, but I'm not going to...

Joe Carrigan: [00:02:10] (Laughter) Right.

Dave Bittner: [00:02:10] ...Which is good advice. This person writes in, and he says, while most of the time I check potential phishing and malware sites with a sandboxed VM - it's a virtual machine...

Joe Carrigan: [00:02:18] Right.

Dave Bittner: [00:02:19] ...When I need a quick look, I use the site screenshot.guru, which allows me to view a .png image file of a website to help quickly determine if it's legit or not. If you visit one of those fake tech support pages, you'll know what it is immediately. And we went and checked out screenshot.guru, and the person who sent this in also checked it out that screenshot.guru checks out with a lot of malware companies...

Joe Carrigan: [00:02:43] Right.

Dave Bittner: [00:02:44] ...So that it's legit. It's not trying to do anything on its own. And so basically, what happens here, Joe, with the screenshotting thing?

Joe Carrigan: [00:02:50] First, I tried it with the website that's being referenced to your DOD - tap.com - which is not the right website. And fortunately, it says that that website's no longer available. So I'm glad to hear that.

Dave Bittner: [00:03:00] Yeah.

Joe Carrigan: [00:03:01] I did try it with Google. And what it does is it goes out, and it takes a screenshot of the website and then shows you the picture of it...

Dave Bittner: [00:03:06] Right.

Joe Carrigan: [00:03:07] ...Which is pretty cool...

Dave Bittner: [00:03:08] Yeah. So...

Joe Carrigan: [00:03:09] ...'Cause now I get an innocuous view of the website and see what it's up to.

Dave Bittner: [00:03:12] And you load in somebody else's machine.

Joe Carrigan: [00:03:14] Exactly.

Dave Bittner: [00:03:15] (Laughter) Now, this is also useful, you know, if you need to take screenshots of websites. I think what this is originally designed for is being able to get a shot of the entire screen without having to scroll and patch together images of a website. So if you have a website that takes up more than one screen...

Joe Carrigan: [00:03:32] Right.

Dave Bittner: [00:03:32] ...It's a great way to grab a screen of that. But a side use of it is, you can go visit a website without actually having to run it on your own machine.

Joe Carrigan: [00:03:39] Yep, that is pretty good.

Dave Bittner: [00:03:40] Yeah - screenshot.guru. So Joe, thanks for sending that in to us - seems like a useful tool. Well, my story this week, Joe - this comes from AARP. And I have to say as an aside, the last time I used an AARP story, I got a lot of heat about it.

Joe Carrigan: [00:03:56] Yeah, and you keep doing it.


Dave Bittner: [00:04:01] Right. Fool me once and all that kind of stuff. So yes, I would just like to say for the record, I am not quite old enough to have an AARP membership. I am moments away from being old enough to...


Dave Bittner: [00:04:13] ...Have an AARP membership, but not quite there yet.

Joe Carrigan: [00:04:16] How old do you have to be?

Dave Bittner: [00:04:17] I believe 50 is when they start sending you stuff.

Joe Carrigan: [00:04:20] Really?

Dave Bittner: [00:04:21] Yeah.

Joe Carrigan: [00:04:21] OK.

Dave Bittner: [00:04:22] Yeah. So at any rate, AARP actually does a great job of alerting folks to scams and frauds. And of course, their focus is on older folks, retired people.

Joe Carrigan: [00:04:31] Right.

Dave Bittner: [00:04:31] But interesting bit of research they published here - this is an article called "Research Shows When Phone Scammers Are Most Likely to Succeed." It was written by Doug Shadel. He's from AARP. And they actually reached out to our friends over at Social-Engineer LLC - good old Chris Hadnagy.

Joe Carrigan: [00:04:47] Oh, good.

Dave Bittner: [00:04:48] Have had him on the show a few times. And his team called over 20,000 employees of their client companies, and they were posing as HR folks. And they successfully got through to, oh, just over 5,600 people. And they were able to get 53 percent of the people to hand over personal information like Social Security numbers or computer passwords or things like that.

Joe Carrigan: [00:05:11] Wow.

Dave Bittner: [00:05:11] Yeah. Now, you got to think that Chris's team is going to be...

Joe Carrigan: [00:05:15] Pretty good at it.

Dave Bittner: [00:05:15] ...Particularly good at this.

Joe Carrigan: [00:05:16] Yeah.

Dave Bittner: [00:05:16] But still, over half - that's a high rate. But what this article points out that I think is interesting is that there are certain times of the day and certain times of the week where they are much more successful.

Joe Carrigan: [00:05:27] Now, we talked about this last week with what they called Friday-Monday scams.

Dave Bittner: [00:05:30] Right. This is different from that. This is during the work week itself.

Joe Carrigan: [00:05:33] Right.

Dave Bittner: [00:05:34] So what they found was that Monday morning is the hardest time to get someone to fall for a phone scam.

Joe Carrigan: [00:05:40] Really?

Dave Bittner: [00:05:40] Only 29 percent of people took the bait. By Tuesday, more than twice as many people succumb to the scam. Friday was when it peaked (laughter).

Joe Carrigan: [00:05:49] Right.

Dave Bittner: [00:05:49] I don't think this is too surprising that Friday afternoon - maybe you've had a long week. You're tired. Your defenses are down. Sixty-five percent of people gave away secure information on a Friday afternoon.

Joe Carrigan: [00:06:01] That's amazing.

Dave Bittner: [00:06:01] Yeah. And they also found that calls later in the day were more successful. If you call someone around 5 o'clock - quitting time.

Joe Carrigan: [00:06:09] Right.

Dave Bittner: [00:06:09] Two in three respondents were duped at the end of the day. They just want to get out of here.

Joe Carrigan: [00:06:14] They've spent a lot of time working.

Dave Bittner: [00:06:16] Right.

Joe Carrigan: [00:06:16] And they're probably exhausted. That - the fatigue probably has something to do with it.

Dave Bittner: [00:06:20] I suspect it does. Another interesting detail here - they found that women were better at scamming people than men were. A woman's voice was more successful than a man's voice.

Joe Carrigan: [00:06:31] That is an interesting finding.

Dave Bittner: [00:06:33] Yeah, it is. And I know - for example, I - now, going way back, I remember research with the voice systems on aircraft.

Joe Carrigan: [00:06:41] Right.

Dave Bittner: [00:06:41] Like, jet planes and fighter jets and things like that - you know, when they'd have those emergency announcements so the pilot - pull up. Pull up.

Joe Carrigan: [00:06:48] Right.

Dave Bittner: [00:06:49] Pull up, you know? They use women's voices because they found that the pilots - in the heat of the moment, when they're in the chaos of something going wrong, they're more likely to follow a woman's voice. It's more likely to break through the noise...

Joe Carrigan: [00:07:04] Right.

Dave Bittner: [00:07:05] ...The mental noise than a man's voice is.

Joe Carrigan: [00:07:07] Interesting.

Dave Bittner: [00:07:07] Yeah, it is interesting. And I don't know. I mean, correlation is not causation. But it does seem to align with what they found here, that...

Joe Carrigan: [00:07:14] Yep.

Dave Bittner: [00:07:14] Folks are more likely to fall victim to a woman trying to scam them than a man.

Joe Carrigan: [00:07:20] I think this is an excellent opportunity for a psychology researcher out there to try to find out and quantify this.

Dave Bittner: [00:07:27] Why this might be.

Joe Carrigan: [00:07:28] Right, why this might be.

Dave Bittner: [00:07:29] Yeah. All right. Well, the story's over on the AARP website, which I would again like to point out, I do not frequent at all. So...


Joe Carrigan: [00:07:37] Sure you don't.

Dave Bittner: [00:07:38] Yeah. Right. So what do you got for us this week, Joe?

Joe Carrigan: [00:07:41] Dave, this week, I want to talk about a kind of attack that is called credential stuffing.

Dave Bittner: [00:07:45] OK.

Joe Carrigan: [00:07:45] And we hear about this frequently. In fact, I hear you mention credential-stuffing attacks on the CyberWire probably about once a week.

Dave Bittner: [00:07:51] Yeah.

Joe Carrigan: [00:07:51] It's something that's picking up in frequency. And, basically, what it is - it's the exploitation of a human behavior that I and many other security professionals have been talking about for years, and that's password reuse. And here's how it works. There's a data breach somewhere, and user IDs and hashed passwords are stolen. Hopefully, they're hashed. Right?

Dave Bittner: [00:08:10] Right.

Joe Carrigan: [00:08:11] There's no guarantee that they're hashed. But let's say they're hashed.

Dave Bittner: [00:08:13] And for those who don't understand what hashing means, just quickly - what is - hashing is a way to obscure the password. Yeah.

Joe Carrigan: [00:08:19] Excellent point, Dave. I'm going to make sure everybody understands. If I'm going to store a password, I have an option. I can put the password in plain text in the database. That's very bad.

Dave Bittner: [00:08:25] Right.

Joe Carrigan: [00:08:32] Right? Or I can do something called hashing it, which is, essentially, a one-way encryption algorithm for purposes of passwords.

Dave Bittner: [00:08:32] OK.

Joe Carrigan: [00:08:32] It's more than that. But for the purposes of passwords, you can certainly think of it as a one-way encryption algorithm. I can take the password. I can hash it. I wind up with a hashed digest. And the next time the user enters the password, I get the same hashed digest. And I know that the user has entered the correct password.

Dave Bittner: [00:08:50] So it's a way of protecting that password while you have it in storage.

Joe Carrigan: [00:08:50] Correct. So if it gets stolen, it's difficult to reverse-engineer it.

Dave Bittner: [00:08:54] OK.

Joe Carrigan: [00:08:54] So these password hashes, when they get breached, they have to be cracked. Now, that's another kind of technical term. But you can think of cracking as working the hash backwards. It's, actually, technically, not working the hash backwards because that's part of the algorithm is that you should not be able to look at the hash and derive the password. But there's nothing that stops me from, essentially, brute-forcing and guessing until I get the right result.

Dave Bittner: [00:09:16] OK.

Joe Carrigan: [00:09:16] Then I know what the password is.

Dave Bittner: [00:09:18] OK.

Joe Carrigan: [00:09:18] So that's what password cracking is.

Dave Bittner: [00:09:20] There's a lot of computational power available...

Joe Carrigan: [00:09:24] Correct.

Dave Bittner: [00:09:24] ...Inexpensively these days.

Joe Carrigan: [00:09:26] Correct.

Dave Bittner: [00:09:26] So being able to brute-force these things is not really an exotic thing to have to be able to do anymore.

Joe Carrigan: [00:09:30] It is not. If you buy a GPU, like a modern GPU, you can crack passwords at an alarming rate.

Dave Bittner: [00:09:36] OK.

Joe Carrigan: [00:09:36] It's pretty powerful. So now the attacker has a username and password pair that gets them into some system.

Dave Bittner: [00:09:41] Right.

Joe Carrigan: [00:09:42] But if this is your username and password and you reuse your password on another site, you are vulnerable to a credential-stuffing attack. This is where automation takes over. The attacker will take a bunch of these username and password pairs and run a script that attempts to log into a bunch of different systems out there on the internet that they have access to. If the log-in is successful, then the script tells the attacker that it found a valid pair and the system it found it for, right? So for example, let's say your website - Dave's website gets breached. And you get somebody's username, which is a Gmail address and their password.

Dave Bittner: [00:10:18] Right.

Joe Carrigan: [00:10:18] And then that person has reused that password on Gmail. They run the script. And one of the sites it attacks is Gmail. And it says this user name and password pair is valid for the site Gmail.

Dave Bittner: [00:10:28] Right. We got a hot one.

Joe Carrigan: [00:10:40] We got a hot one. Then the attacker can log in and take over the account, extract personal information or compromise an email address or whatever that system allows them to do. The attacker, essentially, has access to that system...

Dave Bittner: [00:10:40] Right.

Joe Carrigan: [00:10:40] ...As the user.

Dave Bittner: [00:10:41] OK.

Joe Carrigan: [00:10:42] All right. Now, I know this sounds like it's not really a big problem, but it really is. Password reuse is a real problem. Earlier this year, Troy Hunt, who is a researcher - security researcher - found something called collection one, which was an aggregation of a bunch of breaches of email addresses and passwords. And he found that there were, like, 1.1 billion email addresses in here and a very large number of email/password combinations. The fact that there were more email/password combinations than there were email addresses indicates that this collection contains multiple passwords for some email addresses. If you couple that with the research from last year out of Virginia Tech that found that if you reuse passwords but slightly change them, they can guess your password in 10 guesses. So now I have an email address, two or three passwords and an algorithm that will let me guess another 40 passwords for that user. And I can automate that, and I can script it.

Dave Bittner: [00:11:38] It's a really good point, and I think we've all probably fallen victim to this at some point in our lives in our journey in technology where we think we're being clever by slightly varying a base password.

Joe Carrigan: [00:11:50] Yes.

Dave Bittner: [00:11:51] You know, my password is mickeymouse1. And then for a different thing, I use mickeymouse2 or mickeymouse1974 or something like that.

Joe Carrigan: [00:12:00] That's right.

Dave Bittner: [00:12:00] And the point is, that just doesn't work anymore. You cannot do...

Joe Carrigan: [00:12:02] It does not work anymore. That is not a valid...

Dave Bittner: [00:12:05] The automation is smart enough to go through those combinations. That bit of cleverness that may have worked in the past...

Joe Carrigan: [00:12:12] Right.

Dave Bittner: [00:12:12] ...Is no longer valid. You can't use it. It won't work.

Joe Carrigan: [00:12:15] This kind of stuff is readily available to attackers who want to get out. They can go out, and they can buy the tools. They can do it.

Dave Bittner: [00:12:20] Yeah, it's cheap.

Joe Carrigan: [00:12:21] It's cheap. It's readily available. And actually, if they want to spend some time writing some Python code, they can do it in that, too. It's...

Dave Bittner: [00:12:27] Yeah.

Joe Carrigan: [00:12:27] It's easy. It's cheap and easy.

Dave Bittner: [00:12:29] Yeah.

Joe Carrigan: [00:12:30] So what can people do? That's the question, right?

Dave Bittner: [00:12:32] Yeah.

Joe Carrigan: [00:12:32] Every time I have this - last week, I didn't have much good news, but today I do have good news for you.

Dave Bittner: [00:12:37] (Laughter) OK.

Joe Carrigan: [00:12:38] And I'll say it again, Dave. Use a password manager.

Dave Bittner: [00:12:41] Yeah.

Joe Carrigan: [00:12:41] Use a password manager. Use a password manager. This will allow you to have a different password for each site that you visit, and those passwords can be long and complex. And so even if the hash does get breached, there is a much lower chance that it will get cracked, which protects you in two different ways. Use some form of multifactor authentication. This will stop a credential stuffing attack in its tracks if you have some kind of two-factor - even just a simple SMS - because a credential stuffing attack is a scripted attack.

Joe Carrigan: [00:13:10] When the script sees that it's looking for a second factor, it's just going to stop and go, I can't crack this one, because that requires a little bit more effort on the part of the attacker. They're going to have to go and social engineer their way into getting your SMS code or even the code off your RSA token or something else. That protects you immensely from these kind of attacks. And if you still don't believe this is a problem, you should go to Troy Hunt's website, haveibeenpwned.com, and see if your email is listed in any breaches. And I'll bet every listener a dollar that their email address is in this database.

Dave Bittner: [00:13:41] Oh, boy.

Joe Carrigan: [00:13:41] Right. In order for this bet to be valid, all listeners must agree.

Dave Bittner: [00:13:45] I see.


Dave Bittner: [00:13:48] Wow, you're really going out there. Boy, you're a risk-taker, Joe.

Joe Carrigan: [00:13:50] Yeah, that's right. But I'm really not. But I'm playing the number, Dave.

Dave Bittner: [00:13:54] Yeah, OK. All right. Well - yeah, go on.

Joe Carrigan: [00:13:57] One more thing - if you feel up to it, you can check Troy's password site. He has a similar thing for email addresses. If you just look across the top, it says passwords. And you can enter your password. And he has a document on how he says he's securing it. Now, I don't doubt that he's doing this. I think Troy has a real vested interest in...

Dave Bittner: [00:14:13] Yeah. Yeah.

Joe Carrigan: [00:14:13] ...Doing this properly.

Dave Bittner: [00:14:14] He's a legit good actor.

Joe Carrigan: [00:14:16] Yeah. He's - exactly. But you can see if your password is in any of his database. Now, years ago, I used to reuse passwords. You know, this was 20 years ago. And I still remember those passwords because they were kind of easy to remember. They're all in the database (laughter).

Dave Bittner: [00:14:28] Yeah. Yeah. Yeah. I had a different researcher call me up one time and read out to me a bunch of...

Joe Carrigan: [00:14:38] Yeah.

Dave Bittner: [00:14:38] ...Passwords from my past...

Joe Carrigan: [00:14:39] Yeah.

Dave Bittner: [00:14:40] ...Which is chilling and a good reminder that the way to go these days is let the password manager spin up a random string of letters and numbers. And you don't have to worry about remembering them.

Joe Carrigan: [00:14:52] Right.

Dave Bittner: [00:14:53] The password manager does it for you, and you're just going to be so much better off. It just - get over that hump of the transition of using a password manager. It is easier than you think it is. And once you start using it, believe me; you will wonder how you ever lived without it.

Joe Carrigan: [00:15:10] That's correct.

Dave Bittner: [00:15:10] That's my pitch for a password manager.

Joe Carrigan: [00:15:12] And here's my pitch for how you do it. Just start using a password manager. And every time you log in to a site for the first time since you started using it, you change your password.

Dave Bittner: [00:15:20] Yeah.

Joe Carrigan: [00:15:21] You don't need to do the daunting task of going through every single account that you have and changing the passwords right away. I mean, some people might argue that you should, but I would argue that you should just use what works for you. And if that works for you - just taking the passwords in one at a time and doing this process as part of your normal life - that's easier for you to implement a more secure process - do that.

Dave Bittner: [00:15:40] Yeah, and you know what? The password manager that I use - if I try to reuse a password or if I use a password that it recognizes is being used somewhere else...

Joe Carrigan: [00:15:49] Right.

Dave Bittner: [00:15:49] ...It pops up and warns me.

Joe Carrigan: [00:15:51] Yes.

Dave Bittner: [00:15:51] And it says, hey, we noticed you're using this password somewhere else. Now would be a good time to change it. How about we do that together?

Joe Carrigan: [00:15:59] (Laughter) Right.

Dave Bittner: [00:15:59] Right?

Joe Carrigan: [00:15:59] That's a good password manager.

Dave Bittner: [00:15:59] Yeah. No, it's great. So yeah, get out there and do it, folks. It's an easy way, not expensive. It's just a better way to protect yourself. We're past the days of spinning up your own clever password. It's just...

Joe Carrigan: [00:16:09] Right.

Dave Bittner: [00:16:10] It's just not a good idea anymore.

Joe Carrigan: [00:16:11] It can't be done.

Dave Bittner: [00:16:12] No. All right, Joe. Well, it's time to move on to our Catch of the Day.


Dave Bittner: [00:16:20] Our Catch of the Day comes to us from a listener named Bennett (ph). He sent us two audio files of phone voicemails he received recently. These are fun ones, so let's just dig into it. The first file sounds like this.


Unidentified Person #1: [00:16:33] This call is from the Department of Social Security Administration. The reason you have received this phone call from our department is to inform you that we just suspend your Social Security number because we found some suspicious activity. So if you want to know about this case, just press one. Thank you.

Joe Carrigan: [00:16:52] Oh, you better press one, Dave.


Dave Bittner: [00:16:55] Just slam your finger down on that one button.

Joe Carrigan: [00:16:58] Department of Social Security Administration.

Dave Bittner: [00:17:00] Yes. And we've suspended your Social Security number.

Joe Carrigan: [00:17:03] No, no. We suspend.

Dave Bittner: [00:17:04] We - yeah, that's true.

Joe Carrigan: [00:17:06] (Laughter).

Dave Bittner: [00:17:07] Please call. Thank you. Yeah. OK. That's hilarious.

Joe Carrigan: [00:17:11] Right (laughter).

Dave Bittner: [00:17:13] I don't - I mean, can your - I don't even know what that means. Can your - your social security number can't be suspended.

Joe Carrigan: [00:17:19] Maybe it can be.

Dave Bittner: [00:17:20] Maybe your account - I don't - I...

Joe Carrigan: [00:17:22] How do you then apply for credit? You can't suspend a Social Security number.

Dave Bittner: [00:17:26] It's madness.

Joe Carrigan: [00:17:26] That's one of the problems with the Social Security numbers. It's immutable.

Dave Bittner: [00:17:30] Madness.

Joe Carrigan: [00:17:30] Right.

Dave Bittner: [00:17:31] Yeah. As if that's bad enough, here's another one that Bennett sent in to us - goes like this.


Unidentified Person #2: [00:17:37] This intimation would be considered an intentional attempt to avoid initial appearance before the magistrate judge or exempt jury for a federal criminal offense which is against your name. Your case ID is CP98898. For more information on your case, you can contact the tax and crime unit on our number. That is 202-858-9627. I repeat, 202-858-9627. We would be glad to share your case in...

Dave Bittner: [00:18:09] Yeah, so there's a sliver. It's not all there, but I think we've heard everything we need to hear.

Joe Carrigan: [00:18:12] Right.

Dave Bittner: [00:18:14] And nailed to our earlier point, it's a woman's voice.

Joe Carrigan: [00:18:17] Right.

Dave Bittner: [00:18:17] I don't know. I felt more motivated to respond. Did you, Joe? This (laughter)...

Joe Carrigan: [00:18:20] Yes, absolutely. Absolutely.

Dave Bittner: [00:18:23] A criminal case against us.

Joe Carrigan: [00:18:24] That's terrifying.

Dave Bittner: [00:18:27] Obviously synthesized - not a real person.

Joe Carrigan: [00:18:30] Yeah. I think that's probably because it's coming from a foreign country, and a lot of these actors have realized that their accent is maybe a giveaway. So they're doing this to prevent that from being the case.

Dave Bittner: [00:18:41] Yeah.

Joe Carrigan: [00:18:41] Again, if somebody - some law enforcement agency has a warrant out for you, like a failure to appear warrant like this thing says, they're not going to call you.

Dave Bittner: [00:18:51] No, they're not going to warn you. They're not going to give you a heads-up.

Joe Carrigan: [00:18:54] They're going to show up.

Dave Bittner: [00:18:55] Yeah.

Joe Carrigan: [00:18:55] And they're going to bring friends.

Dave Bittner: [00:18:57] Right. They're going to knock on your door and...

Joe Carrigan: [00:18:59] Knock through your door, maybe (laughter).

Dave Bittner: [00:19:01] Yeah. They're not going to tell you that they're coming, so...

Joe Carrigan: [00:19:04] Right.

Dave Bittner: [00:19:05] You receive something like this, best thing to do is just hang up and ignore it.

Joe Carrigan: [00:19:09] Just - yeah, ignore it.

Dave Bittner: [00:19:10] Yeah. Yeah. Some - if it gets to this point, you'll know it by other means (laughter).

Joe Carrigan: [00:19:14] Right.

Dave Bittner: [00:19:15] All right. Well, thanks to Bennett for sending this in. These are unfortunately becoming much more common. And I know I get them probably once a week, if not more.

Joe Carrigan: [00:19:26] I don't get them very often, actually.

Dave Bittner: [00:19:27] Is that right?

Joe Carrigan: [00:19:28] Yeah. Actually, I don't answer the call. I have my Google Pixel 3, which has this call screening feature, and I use that a lot.

Dave Bittner: [00:19:36] OK.

Joe Carrigan: [00:19:36] And actually, since I started using that, I've noticed that I don't get as many spam calls.

Dave Bittner: [00:19:41] All right. Well, that's good to know. All right. Well, that is our Catch of the Day, Joe. Coming up next, we'll have my interview with Frances Dewing. She is the CEO and co-founder of Rubica. They recently published a report on how bad guys are accessing parents' mobile devices via the apps that their kids load.

Dave Bittner: [00:19:58] But before we get to that, we've got a word from our sponsors KnowBe4. And what about the biggest, tastiest piece of phish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B - please read important message from a jar - well, you're getting warmer, but that one was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No. Sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.

Dave Bittner: [00:21:09] And we are back. Joe, I recently had the pleasure of speaking with Frances Dewing. She is the CEO and co-founder of a company called Rubica, and they recently published an interesting report on how the bad guys are using parents' mobile devices to get information via the apps that they load up for their kids. Here's my conversation with Frances Dewing.

Frances Dewing: [00:21:31] As a parent myself, I have to admit I don't know how parents parented without iPads and iPhones. And parents, or just people in general - I think the statistic is we spend 80 percent of our online activities on mobile devices now. And we know that it's very common for parents to - you know, let's say you're in a restaurant - you maybe hand your device over to your kids to entertain themselves for a while or on a long car trip, giving them the iPad in the back seat. And there's really nothing wrong with that.

Frances Dewing: [00:22:02] It's just that I think, you know, a lot of us use devices and the internet without completely understanding how all of that is working and all the interrelated pieces and what vulnerabilities can lie there. So the purpose of our study and part of what we do at Rubica just consistently is to try and highlight these things for consumers so that parents can make good decisions about what they're allowing their kids to do online 'cause I think it's well-intentioned, but you don't know what you don't know, right? So we're trying to highlight things that sometimes are hiding in plain sight that people don't know to look for.

Dave Bittner: [00:22:35] Let's walk through it together, then. What are some of the risks when I hand over that iPad or that mobile phone to my kid to help fill the time? What are some of the potential risks there?

Frances Dewing: [00:22:45] So what we specifically looked at were free games marketed to kids under 12. So these are games rated E for everyone, not Teen-rated games. And the reason why we looked at games for young kids, No. 1, was - is because we know that kids and parents share devices. Seventy percent or more of kids under 12 have shared a device with another family member. They don't usually get their own device until they're around 10, 11 or 12. And the reason we wanted to look at that is that if there is a vulnerability in an activity that your child is taking, if that's on your device that you also use for work or for email or for banking, that becomes a much bigger cybersecurity issue for you as a parent or as - for your family.

Frances Dewing: [00:23:34] So we looked at games for young kids. And we looked at free games specifically because of the advertising that's in free games and this nebulous, we'll say, relationship between app developers and third-party advertisers and the kinds of information and things that are exchanged in that ecosystem. With free games, almost every free game has either an in-app purchase or upgrade option or advertisements or both. And the - to just kind of summarize the issue with advertisements is that many of them, in these games for kids, advertise other applications. So it'll be an advertisement for another game that you're then prompted to download after you watch the ad. And it's those secondary games that are advertised that we found the most security issues with.

Dave Bittner: [00:24:27] Let's walk through this. I set up this free game for my son or daughter to play, and something pops up while they're playing the game. And then that prompts them to do what?

Frances Dewing: [00:24:35] During the game - exactly - while they're playing the game, the ads can be as frequent as every two to three minutes, we found in certain games. And these - oftentimes, these are popping up, and they are required to click before they can continue gameplay. So if you imagine a young child playing - you know, if they just want to keep playing the game, they're going to click on anything and everything.

Dave Bittner: [00:24:56] Right.

Frances Dewing: [00:24:56] And sometimes the advertisements also are deceptive in terms of using enticements like, click here for free coins or for a free life, or, collect your free prize. And young children don't know how to differentiate between those ads and the game that it oftentimes looks like part of the game still. So - but yes, you're correct. What will happen is they'll click, and it will be an advertisement or some sort of a demo or prompt for another game. And then it culminates with saying, try this game. Download this game. And oftentimes, it'll even redirect you to the app store with a big button in your face to click and download this other game.

Dave Bittner: [00:25:35] And so is that where the real danger lies, then, that we're sort of - I don't know - our kids are side-loading an app without us knowing, and it's that secondary app that has the security issues?

Frances Dewing: [00:25:46] Yeah. What we found was some of the primary popular apps that we started with testing initially had some, I would say, overreaching permissions that are invasive to privacy. So for example, we found games that had access to see all - the list of all the other running applications on your device and position prompts over them. There are some legitimate uses for these permissions, but the problem is that there's also nefarious uses for permissions like that. So for example, that particular permission - if I can see the list of all the other apps you have on your device, I can see that you have a certain banking app, that you bank with a certain provider. And I could even position a prompt over that as a fake login screen.

Frances Dewing: [00:26:32] So I'm not saying that these primary games are doing that, but they could. But most of those privacy security concerns we found were not in the primary apps. They were in the secondary applications. And a lot of what's going on here is that the advertising networks that are deciding which ads to show in the games - there's a lot of subcontracting that happens in that chain. It can be easy to exploit that ecosystem and serve up an advertisement for an app that is malicious.

Dave Bittner: [00:27:08] And I guess that makes it harder to track these sorts of things down because my kid and your kid could be playing the same game but, different ads could be put in front of us. And some of them could be benign, and some of them not so much.

Frances Dewing: [00:27:22] Right. And, you know, the problem is that they can kind of hide in plain sight under this facade of legitimacy. The applications that we were prompted to download were all available in the official Android and Apple stores. So these are not, you know, rogue apps sitting out on a random website. These are apps that made it through the review process with Apple and Google and are sitting in their stores.

Frances Dewing: [00:27:48] And the problem is that, like I said, there are some legitimate uses for these permissions. They're not, per se, evil on their face. But when you stop and think - for example, we were prompted to download a puzzle game that, frankly, was a really - looked like a really bad version of Tetris, like it was made in the '90s by a 5-year-old. And the game was very simplistic, had no other kind of functionality or in-app advertising. So you kind of wonder what its revenue stream is. When you look at the permissions of that puzzle game, it had access to your contacts. It had access to your precise GPS location. It could send emails without notifying you, without your knowledge. And you have to ask, why would a puzzle game need that?

Dave Bittner: [00:28:38] Right.

Frances Dewing: [00:28:39] And it's - it was built by a obscure, no-name developer with a random Gmail address - kind of very sketchy kind of paper trail, basically. So you're right that the problem is that, you know, these games - if you looking at them as a parent, I think it's easy to say - you know, if your kid comes to you and says, mom, can I download this puzzle game? You look at it, and you think, OK, well, it's not inappropriate, you know? It's just a puzzle game - seems fine. Go ahead - because parents don't know to look at the permissions. They would never expect that these apps are gaining those types of permissions on their devices.

Dave Bittner: [00:29:14] So what are your recommendations? How do we better control these things to protect ourselves and our kids?

Frances Dewing: [00:29:20] Yeah. I think, you know, there's a kind of bigger ecosystem problem that I think a number of different entities need to be held over the fire to be a little more accountable with this. But in the meantime, what we can do as parents is, No. 1, use parental controls. If you have parental controls enabled, that will prevent your child from being able to download that secondary application without your permission and your password. But I caveat that with, make sure that that's a password your kid doesn't know. And I - you know, you can't underestimate their adeptness at figuring out your passwords.

Dave Bittner: [00:29:53] Yes. Yes.

Frances Dewing: [00:29:55] (Laughter) And then secondly, you know, don't assume an app is safe just because it appears to be an innocuous kids' game. Check the permissions and really just think - you know, use common sense. Think about, does this game need that access? And if it doesn't, either don't allow it or choose another game.

Dave Bittner: [00:30:15] With what's at stake with the amount of information that we have on our devices, maybe the best investment is to get your kid their own device so it's not on the same device where you have the keys to the kingdom.

Frances Dewing: [00:30:28] Yes. I think if that is an option for your family, I absolutely would recommend that. That kind of cross infection, you know - this is not something theoretical. We know that cybercriminals target kids as an entry point into their parents. And actually, the former head of a very elite division of the NSA - his name's Rob Joyce - couple years back, he gave an interview with WIRED magazine where he indicated that one of the favorite attack vectors of nation-states is when employees let their kids download games on their devices and then take those same devices back into work. So the same holds true in our personal lives. You know, if somebody wanted to gain access to the parents' devices' account data, kids are a great target for that. If you can separate that out and give your kids their own iPad or, you know, tablet, that is an excellent choice.

Dave Bittner: [00:31:21] Joe, some interesting stuff, huh?

Joe Carrigan: [00:31:22] Yeah. I'll tell you how we parented without iPhones or iPads.

Dave Bittner: [00:31:25] Oh, boy.

Joe Carrigan: [00:31:26] (Laughter)

Dave Bittner: [00:31:29] Yes, Joe (laughter)?

Joe Carrigan: [00:31:30] We just didn't have iPhones or iPads, and they do. I mean...

Dave Bittner: [00:31:34] Yeah, we all had singalongs in the car while we were driving on our family vacations.

Joe Carrigan: [00:31:37] We did that. Yeah.

Dave Bittner: [00:31:37] Yeah.

Joe Carrigan: [00:31:37] That was fun.

Dave Bittner: [00:31:37] (Laughter) Right. Right.

Joe Carrigan: [00:31:37] Yeah, we had the kids' music, and they loved it. We done talk, you know - or our kids would read books.

Dave Bittner: [00:31:46] Like animals, yeah (laughter).

Joe Carrigan: [00:31:47] Yeah. That was always good. I want to reference back. In 2013, there was a "Smurf" app. Like, some "Smurf" movie was coming out, and there was an app that came out with it that was charging parents huge amounts of money based on what their kids did. One parent was charged 4,000 pounds over five months with in-app purchases...

Dave Bittner: [00:32:07] OK.

Joe Carrigan: [00:32:07] ...For kids. When you're looking at permissions, no 8-year-old is going to read, let alone understand, what they're looking at in the permissions dialog that the operating system will display. A lot of adults don't do it...

Dave Bittner: [00:32:16] No.

Joe Carrigan: [00:32:17] ...Properly.

Dave Bittner: [00:32:17] Of course not. No.

Joe Carrigan: [00:32:18] So an 8-year-old's not...

Dave Bittner: [00:32:19] No. It's absurd.

Joe Carrigan: [00:32:20] Finding that advertising is deceptive - I'm shocked, Dave - shocked. And finally, the story of the app that reaches into your contacts and gets all the information out is not an uncommon thing.

Dave Bittner: [00:32:31] Yeah.

Joe Carrigan: [00:32:32] I don't know if I ever told this story, but back in 2010, I was on a job hunt, and I got a call from somebody who was looking to do just this in an Apple app. And they were looking to try to extract this and then report it up. And I was like, I'm not really interested in that job. It's...

Dave Bittner: [00:32:47] (Laughter) Right. Right.

Joe Carrigan: [00:32:48] It's one of two jobs that I've essentially told people I've - that come to my mind that I'm just not interested in working for you.

Dave Bittner: [00:32:56] I remember, similarly - this was an online thing, but I got a letter in the mail once from a company whose business model was basically getting us to send them our entire contacts list, which they would pay us for - you know, rat out...

Joe Carrigan: [00:33:09] Rat out your friends.

Dave Bittner: [00:33:10] Rat out all of our friends and contacts. Yeah. And for - you know, they'd give us some sort of flat fee so they could put it into their database that they would turn around and sell. We actually pinned that one to the bulletin board, I think, as things we will not do.

Joe Carrigan: [00:33:23] Right.

Dave Bittner: [00:33:24] So...

Joe Carrigan: [00:33:24] Yeah, somebody did it.

Dave Bittner: [00:33:25] Oh, sure. Sure. Yeah.

Joe Carrigan: [00:33:26] Somebody did it.

Dave Bittner: [00:33:26] Yeah.

Joe Carrigan: [00:33:27] Somebody took the 20 bucks.

Dave Bittner: [00:33:28] Yeah. Well, again, thanks to Frances Dewing for joining us - lots of good information and lots of stuff to think about before you toss that mobile device to your kid to get him to pipe down and, you know, mind their business while you're someplace where you want them to be quiet. Maybe take a moment to think about, how are those apps getting loaded, and what else is on that device?

Joe Carrigan: [00:33:50] Yep.

Dave Bittner: [00:33:50] So thanks to her for joining us, and of course, thanks to all of you for listening.

Dave Bittner: [00:33:55] And we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure you take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:34:11] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.

Dave Bittner: [00:34:17] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:34:37] And I'm Joe Carrigan.

Dave Bittner: [00:34:38] Thanks for listening.