Hacking Humans 3.28.19
Ep 42 | 3.28.19

Pick a persona to match the goal.


Jeremy N. Smith: [00:00:00] She said, what do you do? And I talked about my journalism and my books. And then I said, what do you do? And she said, well, tomorrow morning I have to break into a bank.

Dave Bittner: [00:00:09] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week we look behind what, Joe?

Joe Carrigan: [00:00:15] The scams and things that are going on on the internet, Dave.

Dave Bittner: [00:00:18] That's right.

Joe Carrigan: [00:00:19] (Laughter).

Dave Bittner: [00:00:19] Social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Joe.

Joe Carrigan: [00:00:34] Hi, Dave.

Dave Bittner: [00:00:34] We've got some fun stories to share this week. And later in the show, we've got my interview with Jeremy N. Smith. He's the author of the book "Breaking and Entering: The Extraordinary Story of a Hacker Called 'Alien.'"

Joe Carrigan: [00:00:45] Sounds awesome.

Dave Bittner: [00:00:46] Yeah.

Dave Bittner: [00:00:46] But first, a word from our sponsors at KnowBe4. So how do you train people to recognize and resist social engineering? There are some things people think. Test them, and if they fall for a test scam, fire them. Or other people say, if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day. Or maybe you pass out a gift card to the one who gets the A plus for skepticism in the face of phishing. So how about it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.

Dave Bittner: [00:01:26] And we are back. Joe, we got a little bit of follow-up this week before we dig into our stories. You know, last week we were talking about ways to preview websites without actually opening them on your own browser.

Joe Carrigan: [00:01:38] Yes.

Dave Bittner: [00:01:38] And we had someone write in. He goes by @305Vic on Twitter. And he said, hi, Dave. Thought I'd share these I use regularly, couple other sites that will not only screenshot a website but do some basic sandboxing analysis. And they are urlscan.io and urlquery.net. I took a look at both of these, and pretty interesting stuff. Particularly, urlscan.io gives you a bunch of information about a website before you open it. So, you know, they open it remotely, but they do all sorts of scanning to tell you how many different places it's referencing, how many different things like Google Analytics it's opening. It scans for malware, so...

Joe Carrigan: [00:02:20] Does it look at the JavaScript and all that and tell you what it's tracking?

Dave Bittner: [00:02:21] It looks at - yeah, it looks at all kinds of stuff.

Joe Carrigan: [00:02:23] Awesome.

Dave Bittner: [00:02:24] So it's a great tool, yeah. Again, if you're suspicious about something, could be a good place to get started and pre-detonate those websites before you...

Joe Carrigan: [00:02:32] That's right. Absolutely.

Dave Bittner: [00:02:33] ...(Laughter) Before you open them on your own system.

Joe Carrigan: [00:02:34] Let somebody else deal with that problem.

Dave Bittner: [00:02:35] Yeah. So thank you to Vic for sending that in. Joe, let's dig into our stories. What do you have for us this week?

Joe Carrigan: [00:02:41] Right. My story comes from Kieren McCarthy over at The Register. And oftentimes we tell stories of regular folks getting scammed out of tons of money, and it makes us feel bad.

Dave Bittner: [00:02:50] Yeah.

Joe Carrigan: [00:02:50] But not today. Not today.

Dave Bittner: [00:02:51] OK. We...

Joe Carrigan: [00:02:52] I'm still talking about somebody get scammed out of money, but not regular folks.

Dave Bittner: [00:02:54] (Laughter) OK. Go on.

Joe Carrigan: [00:02:56] Evaldas Rimasauskas - and I am probably screwing that name up royally (laughter).

Dave Bittner: [00:03:01] OK.

Joe Carrigan: [00:03:02] But he is a Lithuanian.

Dave Bittner: [00:03:04] Yeah.

Joe Carrigan: [00:03:04] And he has been extradited to the U.S. and pled guilty in federal court for defrauding Facebook and Google.

Dave Bittner: [00:03:10] Facebook and Google.

Joe Carrigan: [00:03:11] Facebook and Google.

Dave Bittner: [00:03:12] This guy swung for the fences.

Joe Carrigan: [00:03:14] He did. He batted for six, as they say.

Dave Bittner: [00:03:16] (Laughter) OK.

Joe Carrigan: [00:03:17] Here's how he did it. He set up a fake company called Quanta Computer in Lithuania.

Dave Bittner: [00:03:22] OK.

Joe Carrigan: [00:03:22] Now, there is another company called Quanta Computer. And this company is based in Taiwan, and they make a lot of stuff, including data center equipment.

Dave Bittner: [00:03:31] OK.

Joe Carrigan: [00:03:31] Facebook and Google have data centers, right?

Dave Bittner: [00:03:34] Yeah.

Joe Carrigan: [00:03:34] Big ones.

Dave Bittner: [00:03:35] Yeah.

Joe Carrigan: [00:03:35] So they buy tons of data center equipment. Next, this guy goes out, and he sets up bank accounts in Lithuania and in Cyprus. Now, because he has actually set up a business called Quanta Computer in Lithuania, it looks like a legitimate business is coming in to set up these bank accounts. So he doesn't have a problem doing that.

Dave Bittner: [00:03:54] He has all the supporting paperwork and documentation...

Joe Carrigan: [00:03:58] Right.

Dave Bittner: [00:03:58] ...To set up a real bank account...

Joe Carrigan: [00:04:00] Right. And...

Dave Bittner: [00:04:00] ...Under this name.

Joe Carrigan: [00:04:01] And you could probably do this in the U.S. If there isn't already a Quanta Computer in the U.S. or in your state...

Dave Bittner: [00:04:05] Yeah.

Joe Carrigan: [00:04:05] ...You can probably set up a company like this and set up an account. It's not that hard. It requires a lot of paperwork.

Dave Bittner: [00:04:09] Right.

Joe Carrigan: [00:04:10] But you can do it. And here's where the scam begins. He starts sending Facebook and Google invoices for equipment.

Dave Bittner: [00:04:16] OK.

Joe Carrigan: [00:04:16] And he provides documentation like forged contracts, forged invoices, equipment lists and all this stuff. And the documentation is apparently very, very good, well-forged.

Dave Bittner: [00:04:26] So he's doing his homework, I guess...

Joe Carrigan: [00:04:28] Right.

Dave Bittner: [00:04:28] ...Figuring out what sort of equipment are Facebook and Google buying from the real Quanta in Taiwan.

Joe Carrigan: [00:04:35] Right. And then he's billing them for equipment and demanding that they send payment to his banks in Lithuania.

Dave Bittner: [00:04:40] They're filling out the checks or transferring the money to...

Joe Carrigan: [00:04:43] They're doing money transfers.

Dave Bittner: [00:04:44] ...An organization called Quanta...

Joe Carrigan: [00:04:46] Yep.

Dave Bittner: [00:04:46] ...Computer (laughter).

Joe Carrigan: [00:04:47] And it's - in the Register article, it goes on to say that the banks were even fooled by this, that Facebook and Google's banks looked at the documentation and said, this looks legit. And they sent the money.

Dave Bittner: [00:04:56] Oh. So he made it through several layers of scrutiny.

Joe Carrigan: [00:05:00] Right.

Dave Bittner: [00:05:00] OK.

Joe Carrigan: [00:05:01] And he got close to $100 million out of Facebook and $23 million out of Google.

Dave Bittner: [00:05:09] Wow.

Joe Carrigan: [00:05:10] That's a lot of money. And he did this over the course of two years.

Dave Bittner: [00:05:13] Wow.

Joe Carrigan: [00:05:14] It makes me wonder why I'm doing what I do, Dave.

Dave Bittner: [00:05:16] (Laughter) For - I mean...

Joe Carrigan: [00:05:17] I mean, maybe the 30 years in prison (laughter).

Dave Bittner: [00:05:20] Well, there's that. Yes.

Joe Carrigan: [05:21] Right.

Dave Bittner: [00:05:21] Thirty years - that's...

Joe Carrigan: [00:05:22] Because he is looking at 30 years.

Dave Bittner: [00:05:23] ...Plenty of time to think about what he's done. The other thing that gets me about folks like this is - OK. He got 100 million bucks from Facebook, $22 million from Google. When do you quit while you're ahead?

Joe Carrigan: [00:05:34] Right.

Dave Bittner: [00:05:35] You know?

Joe Carrigan: [00:05:35] Yeah.

Dave Bittner: [00:05:45] Crooks always - I guess it's part of the thrill of what they're doing. And - but when you have enough money to fulfill all of your needs for the rest of your life...

Joe Carrigan: [00:05:45] Right.

Dave Bittner: [00:05:45] Go buy an island somewhere and...

Joe Carrigan: [00:05:47] Yeah, disappear. I don't know that he would have ever let up on this, though.

Dave Bittner: [00:05:50] Yeah.

Joe Carrigan: [00:05:50] You know, he did it immediately as soon as the money was transferred into his accounts. He did start moving it around other accounts out of the country and moving it around the world. Typically, money laundering - so he's also up on money laundering charges.

Dave Bittner: [00:06:01] But two years - that's...

Joe Carrigan: [00:06:02] Two years, yeah - $122 million out of both of these companies. We talk about the scams and things that happen to regular people. And one of the things we frequently say is this can happen to anybody. And here you have two of the world's largest tech companies, Facebook and Google, getting scammed out of a big pile of money. This can literally happen to anybody.

Dave Bittner: [00:06:21] Yeah. Yeah, those are the largest tech companies in the world.

Joe Carrigan: [00:06:24] That's right.

Dave Bittner: [00:06:24] And they got hit big by just a regular guy...

Joe Carrigan: [00:06:28] Yup.

Dave Bittner: [00:06:28] ...(Laughter) who was clever.

Joe Carrigan: [00:06:29] It looks like he had a little bit of help. But I don't think he needed much help in this.

Dave Bittner: [00:06:33] Doesn't seem like it.

Joe Carrigan: [00:06:34] Yeah. If he made this his full-time job, this could have been something that he could have done by himself with maybe some aides for laundering money.

Dave Bittner: [00:06:41] Well, the long arm of the law caught up with him, so...

Joe Carrigan: [00:06:43] Yeah, he got - he was picked up in Lithuania and extradited to the U.S. and pled guilty last week.

Dave Bittner: [00:06:48] Wow. That's a good story - good, good lesson that it can happen to anybody.

Joe Carrigan: [00:06:52] Yup.

Dave Bittner: [00:06:52] Right? Well, my story this week comes from the folks over at Rapid7. And this is a story about what happens to your devices when you're done with them. We all have old computers, old devices, even old, like, thumb drives.

Joe Carrigan: [00:07:08] Old USB drives.

Dave Bittner: [00:07:09] Old USB drives.

Joe Carrigan: [00:07:09] Yeah. There was a discussion about that on last week's episode of "Smashing Security."

Dave Bittner: [00:07:13] Yes. Yes, indeed. Yes, indeed. And particularly, you know, old hard drives you have - as hard drives get bigger and bigger...

Joe Carrigan: [00:07:20] Right. Your old ones...

Dave Bittner: [00:07:20] What do you do with your old ones?

Joe Carrigan: [00:07:21] Well, you want to know what I do with mine, Dave?

Dave Bittner: [00:07:24] Well, we'll get to that in a minute.

Joe Carrigan: [00:07:25] OK (laughter).

Dave Bittner: [00:07:26] I can't wait to hear what you do with your hard drives, Joe.

Joe Carrigan: [00:07:28] OK.

Dave Bittner: [00:07:28] But (laughter) this blog over on Rapid7 - this is written by Josh Frantz. And what Josh did - he wanted to see what sorts of data he could get off of devices that people had disposed of, so he searched all over his town. He happens to live in Wisconsin. And he visited 31 businesses to get his hands on used equipment.

Joe Carrigan: [00:07:52] Right.

Dave Bittner: [00:07:53] So he bought about 40 desktop or laptop computers. He bought almost 30 flash drives or memory cards, 11 hard drives and about half a dozen cellphones. What he discovered was that out of the 85 devices he purchased - take a guess, Joe. How many of the devices out of 85 were properly scrubbed of their data?

Joe Carrigan: [00:08:16] Two.

Dave Bittner: [00:08:18] You are on the money.

Joe Carrigan: [00:08:19] Am I really?

Dave Bittner: [00:08:19] Yes, congratulations.

Joe Carrigan: [00:08:20] Awesome.

Dave Bittner: [00:08:21] And here's...


Dave Bittner: [00:08:22] Here's my lovely assistant to tell you what you've won. Yes, two devices - the Dell laptop and a Hitachi hard drive were erased properly. Also, it's worth noting that only three of the devices were encrypted, which - these days, when you format a hard drive, it's very easy to say, hey, while you're at it, encrypt this drive.

Joe Carrigan: [00:08:41] Correct.

Dave Bittner: [00:08:42] And that'll protect you from folks being able to get their hands on the data after the fact.

Joe Carrigan: [00:08:47] Yes.

Dave Bittner: [00:08:47] It's certainly a extra step of security. So what this guy did - he went and he had several scripts that he ran on these devices. And he had it go through the devices and look for things like images, like documents...

Joe Carrigan: [00:08:59] Right.

Dave Bittner: [00:08:59] ...Like emails. And he found over 600 email addresses, over 50 dates of birth, 41 Social Security numbers...

Joe Carrigan: [00:09:07] Oh, my God.

Dave Bittner: [00:09:08] ...Nineteen credit cards, six driver's licenses and two passports.

Joe Carrigan: [00:09:12] Wow.

Dave Bittner: [00:09:13] Yeah (laughter). And most of the credit cards and passport things were image scans of those documents.

Joe Carrigan: [00:09:20] OK.

Dave Bittner: [00:09:21] That makes sense to me...

Joe Carrigan: [00:09:22] Yes.

Dave Bittner: [00:09:22] ...Because someone asks for your...

Joe Carrigan: [00:09:25] Yeah.

Dave Bittner: [00:09:26] Your work needs a copy of your...

Joe Carrigan: [00:09:27] Of your passport for your job.

Dave Bittner: [00:09:28] ...Passport or your driver - yeah.

Joe Carrigan: [00:09:30] Right.

Dave Bittner: [00:09:30] ...For your driver's license. What are you going to do? You're going to scan it, take a picture of it and email it over to them.

Joe Carrigan: [00:09:35] Yup.

Dave Bittner: 0:09:35] Yeah. Now, all this equipment cost him about 600 bucks. And he ran the numbers. And he found that if he were to sell this information online - we reached the point where PII...

Joe Carrigan: [00:09:47] Right.

Dave Bittner: [00:09:47] ...Personally identifiable information really isn't worth that much.

Joe Carrigan: [00:09:50] Right.

Dave Bittner: [00:09:50] So he would not get his $600 back if he was selling this information because all of these are worth less than a buck apiece...

Joe Carrigan: [00:09:57] Sure.

Dave Bittner: [00:09:57] ...Online. But the point is that folks are not doing a good job of scrubbing these devices before they dispose of them.

Joe Carrigan: [00:10:05] That's right.

Dave Bittner: [00:10:06] And there are ways to dispose of this technology. There's a list here. But before we get to that, Joe, you were - you promised us a story. How do you dispose of these things?

Joe Carrigan: [00:10:16] So here's what I do. First off, I actually haven't disposed of any cellphones. I still have them. And I'm waiting - every cellphone I've ever owned, I still, actually, have in a box.

Dave Bittner: [00:10:24] (Laughter).

Joe Carrigan: [00:10:25] I don't know how I'm going to get rid of them. But for hard drives, what I do is I open them up. And I take out the platters. And the platter - it's a nonmagnetic material. Usually, it's aluminum. But in the case with smaller hard drives, it might be glass.

Dave Bittner: [00:10:37] OK.

Joe Carrigan: [00:10:37] So you've got to be careful.

Dave Bittner: [00:10:38] Yeah.

Joe Carrigan: [00:10:38] And then I just - I bang them up with a hammer or I will keep them and just let them sit as little hard drive disks after I've touched all over them and made it almost impossible to get it - get them. What they used to do in the military...

Dave Bittner: [00:10:52] Paperweight.

Joe Carrigan: [00:10:52] Right. What they used to do in the military is they would take the hard drive platters out and then sand the magnetic medium off of the nonmagnetic...

Dave Bittner: [00:11:00] Oh, yeah.

Joe Carrigan: [00:11:00] ...Material. And that's a good option too.

Dave Bittner: [00:11:02] Yeah. I used to have a client who would incinerate all of the old hard drives.

Joe Carrigan: [00:11:06] That - you can do that. But that's...

Dave Bittner: [00:11:07] Yeah.

Joe Carrigan: [00:11:10] That's kind of energy-intensive, I think.

Dave Bittner: [00:11:10] (Laughter) Yeah.

Joe Carrigan: [00:11:11] I do keep them around because they are aluminum. And I do want to try to melt down some aluminum at some point in time. And I can think of no better thing to melt down than old hard drive platters.

Dave Bittner: [00:11:18] (Laughter) OK. Well, there's a list here that they have in this article. And they say you could use a hammer. You could...

Joe Carrigan: [00:11:25] And that's what I've done.

Dave Bittner: [00:11:25] Yeah. You can incinerate them. You could use industrial shredding.

Joe Carrigan: [00:11:29] That's another good option.

Dave Bittner: [00:11:30] Use a drill or a drill press. I've seen people just put a nail through a hard drive.

Joe Carrigan: [00:11:36] Yeah. That doesn't destroy all the data, though.

Dave Bittner: [00:11:37] Yeah.

Joe Carrigan: [00:11:38] It makes it costly to recover it. Now it's the point where...

Dave Bittner: [00:11:40] Right, (laughter) just slow it down.

Joe Carrigan: [00:11:42] Yeah. Nobody's going to pay that much money.

Dave Bittner: [00:11:44] Yeah.

Joe Carrigan: [00:11:44] And really, the only kind of people that can recover data from that are nation-states.

Dave Bittner: [00:11:48] Yeah. Acid, electrolysis, microwaves and my favorite, thermite.

Joe Carrigan: [00:11:52] Right.

Dave Bittner: [00:11:53] (Laughter).

Joe Carrigan: [00:11:54] Thermite.

Dave Bittner: [00:11:55] Thermite (laughter). They actually include a video here of someone destroying a hard drive with thermite.

Joe Carrigan: [00:11:58] Microwaves are really good for old CDs. If you have an old CD, just put it in the microwave for 30 seconds. It makes a really cool crackling noise, and all your data is destroyed off of that.

Dave Bittner: [00:12:08] Maybe you use that old microwave down in your basement that you don't actually use to cook food in anymore.

Joe Carrigan: [00:12:12] Doesn't matter.

Dave Bittner: [00:12:13] No. No. What? What do you mean, it doesn't matter?

Joe Carrigan: [00:12:17] I mean, it...

Dave Bittner: [00:12:19] (Laughter) No, the residue in your microwave...

Joe Carrigan: [00:12:21] You're not going to leave a residue in there. I mean, you put it in until you see - until you see all the lights, and you take it out. And there's no melting, or anything, that happens.

Dave Bittner: [00:12:28] OK.

Joe Carrigan: [00:12:28] It just fries all the aluminum on the inside of the disc.

Dave Bittner: [00:12:29] I was imagining smoke and mist and fire.

Joe Carrigan: [00:12:31] It does leave a little bit of a smell for a little while.

Dave Bittner: [00:12:33] (Laughter).

Joe Carrigan: [00:12:34] You might want to clean it out.

Dave Bittner: [00:12:35] I'm using my old microwave. You take care of your family, and I'll take care of mine.

Joe Carrigan: [00:12:40] OK.

Dave Bittner: [00:12:41] (Laughter).

Joe Carrigan: [00:12:41] I do have another suggestion for USB drives, though. These little thumb drives?

Dave Bittner: [00:12:44] Yeah.

Joe Carrigan: [00:12:44] Go out and download VeraCrypt, which is a free drive encryption software.

Dave Bittner: [00:12:50] Yeah.

Joe Carrigan: [00:12:50] What it lets you do is, it lets you create an encrypted volume on that drive that you can then mount. If you need to put a file on to give to somebody, you can just put it in the regular - you know, the VeraCrypt volume will take up a certain amount of the space, and you leave maybe a couple gigs free for files that you need to transfer a PowerPoint presentation...

Dave Bittner: [00:13:08] Right.

Joe Carrigan: [00:13:09] ...Let's say.

Dave Bittner: [00:13:09] Yeah. Well, and there are utilities out there that'll zero-out hard drives...

Joe Carrigan: [00:13:13] Yeah.

Dave Bittner: [00:13:14] ...And write multiple times, and so on and so forth. If you have a drive you're not ready to dispose of but you want to make sure that the information on it is no longer available, if someone came and stole that hard drive from you...

Joe Carrigan: [00:13:25] You can use BleachBit.

Dave Bittner: [00:13:27] Yep.

Joe Carrigan: [00:13:27] That tends to be time-consuming, though.

Dave Bittner: [00:13:29] Yeah.

Joe Carrigan: [00:13:29] It does take a little bit of time. Whereas if you just do an encrypted volume from the beginning and put everything you care about in the encrypted volume, and what if you lose the drive when you're walking around, an encrypted volume will protect you from that, as well.

Dave Bittner: [00:13:42] All right. Well, that is my story. Joe, it's time to move on to our Catch of the Day.


Dave Bittner: [00:13:50] Joe, our Catch of the Day this week is a hot one. Several people sent us this Catch of the Day. And what's interesting is there were several variations of it, where some names have been changed; some numbers have been changed. But at their core, they were all basically the same thing. And I've seen this one being mentioned a lot online. So this is a hot one, so I'm not going to credit anyone in particular. But thanks to everyone who sent it in to us. This one goes like this.

Dave Bittner: [00:14:16] (Reading) Case No. 41657289 - Distribution and Storage of Pornographic Electronic Materials involving Underage Children. My name is Garrett Byers, and I'm a technical collection officer working for Central Intelligence Agency. It has come to my attention that your personal details, including your email address, are listed in case No. 41657289. The following details are listed in the document's attachment: your personal details, home address, work address, list of relatives and their contact information. Case No. 41657289 is part of a large international operation set to arrest more than 2,000 individuals suspected of pedophilia in 27 countries. The data, which could be used to acquire your personal information - your ISP web browsing history, DNS queries history and connection logs, deep web onion browsing and/or connection sharing, online chat room logs, social media activity log. The first arrests are scheduled for April 8, 2019.

Joe Carrigan: [00:15:17] (Laughter) Sure they are.

Dave Bittner: [00:15:17] (Reading) Why am I contacting you? I read the documentation, and I know you are a wealthy person who may be concerned about reputation. I am one of several people who have access to these documents. And I have enough security clearance to amend and remove your details from this case. Here is my proposition. Transfer exactly US$10,000 - that's 2.5 bitcoin - through bitcoin network to this special bitcoin address. Upon confirming your transfer, I will take care of all the files linked to you, and you can rest assured no one will bother you. Please do not contact me. I will contact you and confirm only when I see the valid transfer. Regards, Garrett Byers, technical collection officer, Directorate of Science and Technology, Central Intelligence Agency.

Joe Carrigan: [00:16:03] (Laughter).

Dave Bittner: [00:16:04] Joe, what do you think? The CIA, Joe - it's the CIA.

Joe Carrigan: [00:16:08] It is, Dave. We're in big trouble now.

Dave Bittner: [00:16:10] (Laughter) It's the CIA, yeah.

Joe Carrigan: [00:16:12] (Laughter).

Dave Bittner: [00:16:13] And suddenly, the CIA is interested in domestic pedophilia cases...

Joe Carrigan: [00:16:18] Right, which they are not interested in.

Dave Bittner: [00:16:21] (Laughter) Right, right. It does say that it's an international operation. So I suppose you could stretch and say this would be something the CIA be interested in. But this is not their...

Joe Carrigan: [00:16:28] Yeah, I don't know. The CIA doesn't do law enforcement. Do they?

Dave Bittner: [00:16:31] No. No. No.

Joe Carrigan: [00:16:32] They do collection of intelligence.

Dave Bittner: [00:16:34] Correct, correct. Yes. This is just a - this is just an excuse to slap a big scary logo that has an eagle on it...

Joe Carrigan: [00:16:41] Right.

Dave Bittner: [00:16:42] ...On the bottom of the email.

Joe Carrigan: [00:16:43] I noticed that the logo is just copied and pasted but kind of, like, squished a little bit.

Dave Bittner: [00:16:49] They're not known for attention to detail...

Joe Carrigan: [00:16:51] Yeah.

Dave Bittner: [00:16:51] ...These scammers. So there's some obvious stuff in here, some broken English. But this sort of scare that we've seen before, the specter of being accused of pedophilia...

Joe Carrigan: [00:17:01] Right. That...

Dave Bittner: [00:17:02] That's frightening.

Joe Carrigan: [00:17:03] That can ruin your life.

Dave Bittner: [00:17:04] Yep.

Joe Carrigan: [00:17:04] Right?

Dave Bittner: [00:17:05] Yep.

Joe Carrigan: [00:17:05] Just being accused.

Dave Bittner: [00:17:06] That is frightening. And they say they're targeting wealthy people and they want $10,000. It'd be interesting to look at these bitcoin accounts and see if anybody's falling for it. I would like to check that out. So you know, we've seen this story before. This is a new variation of it, this message from the CIA. That is new.

Joe Carrigan: [00:17:25] Yeah, this is like the sextortion emails we got...

Dave Bittner: [00:17:29] Yeah.

Joe Carrigan: [00:17:29] ...A couple months ago where somebody says, hey, I have some video of you looking at porn sites.

Dave Bittner: [00:17:33] Right.

Joe Carrigan: [00:17:33] They've essentially amped up the accusation here.

Dave Bittner: [00:17:36] Yep. Yep, they've taken it up a notch.

Joe Carrigan: [00:17:37] Right.

Dave Bittner: [00:17:38] Yep. So beware; don't fall for this one.

Joe Carrigan: [00:17:40] No.

Dave Bittner: [00:17:40] It's a fake one, but it is making the rounds.

Joe Carrigan: [00:17:42] Yep.

Dave Bittner: [00:17:42] So tell your friends and family. The CIA is not going to come after you for this.

Joe Carrigan: [00:17:47] Right.

Dave Bittner: [00:17:47] And that is our Catch of the Day. All right. Coming up next, we've got my interview with Jeremy N. Smith. He's the author of the book "Breaking and Entering: The Extraordinary Story of a Hacker Called 'Alien.'"

Dave Bittner: [00:17:59] But first, a quick word from our sponsors at KnowBe4. Let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture, and sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.

Dave Bittner: [00:18:52] And we are back. Joe, I recently had the pleasure of speaking with Jeremy N. Smith. He's the author of a book called "Breaking and Entering: The Extraordinary Story of a Hacker Called 'Alien'" - a pretty compelling read. Here's my interview with Jeremy Smith.

Jeremy N. Smith: [00:19:06] I didn't set out to write a book about hackers and hacking and social engineering. I set out to pick up my daughter from preschool.


Jeremy N. Smith: [00:19:13] And I went to pick her up, and she was playing with another little girl. And Mom and I started talking. She said, what do you do? And I talked about my journalism and my books. And then I said, what do you do? And she said, well, tomorrow morning I have to break into a bank. And I realized I was not the interesting person in this conversation.

Dave Bittner: [00:19:32] (Laughter).

Jeremy N. Smith: [00:19:33] And I started asking follow-up questions, and I learned that she was a professional, you know, penetration tester, digital forensic specialist, CEO. And she'd had this kind of amazing career in hacking from sort of teenager at MIT to cybersecurity CEO, and she'd kind of grown up as this new information security industry guru. So kind of following in her footsteps let me see kind of how we got to our information insecurity age.

Dave Bittner: [00:20:03] And she goes by the name Alien. What's the origin of that, and why does she choose to not use her real name?

Jeremy N. Smith: [00:20:09] That's her hacker handle. But originally, it was just her kind of user handle at MIT. You know, the sort of first scene in the book is she's a 17-year-old; she's, you know, logging in, and MIT, unlike most schools - at least, at that time - the user chooses their username, and the default was her kind of first initial and last name, and she found that totally boring and banal. And she tried ET, since those are her middle initials, and they said that was too short. So she kind of thought again for about six milliseconds and just typed in Alien, and then it said, OK. You know, at a place like MIT, especially, you know, people go by their usernames as much as by their names, even in real life, at that time. And so that was kind of her handle in the same way, you know, J. Smith might have been mine, or - you know, I don't know if you remember your first username, but, you know, Alien was hers.

Dave Bittner: [00:21:06] Yeah. Well, and there's a long history of hacking at MIT, I mean, going back even before the computer era.

Jeremy N. Smith: [00:21:12] Yeah. I mean, hacking at MIT - and this fascinated me. I wasn't totally aware of this. I was aware of a piece of it, but not all of it. Hacking at MIT predates computers, it's over 100 years old, and it refers to physical exploration and physical exploits, and by that, I mean climbing on ledges, going up elevator shafts, picking locks, going on the rooftops and domes of MIT, climbing through the steam tunnels. And there's an outward manifestation of that, which is sort of a hack, which is this elaborate, ingenious prank people can see. But there's also going hacking, which is this private, insular community activity which is just exploring for exploring's sake.

Dave Bittner: [00:21:51] Can you share some of the stories, some of her exploits there?

Jeremy N. Smith: [00:21:54] It's human hacking. It's kind of manipulating people to do what you want. That can mean charming them, that can mean scaring them, and that can be things in between. So for example, an early job - she has to break into a major Fortune 500 bank, and that includes both their corporate headquarters and individual branches. And I like that case because it exemplifies a lot of different forms of social engineering.

Jeremy N. Smith: [00:22:22] So for example, when she's trying to get into their headquarters, she plays the innocent naif. And she's sort of, I'm a new IT worker. I have to fix something. My badge isn't ready yet. And she kind of fakes calling her boss. She has fake business cards. And she's very nervous and deferential, and she sort of relies on them taking pity on her, to the guard to let her in. And she goes up, she steals a laptop, gets out, and it's a big deal.

Jeremy N. Smith: [00:22:49] When she has to break into the branch, and she's trying to get into the vault of the branch, this sort of nervous IT guise is not going to work. Everyone knows who works there. She has to have a - find a power stance. And there she prints a fake badge at Kinko's. She prepares a sort of questionnaire. She dresses in a nice suit. And she goes in, and her guise is that she is a auditor, and this is a surprise audit. And they're so on the defensive from the get-go that they sort of stammer, they answer all of her questions about security lapses, they give her a copy of the security log. They leave her alone with the customer files. And they get her into the vault, and she's in and out in, you know, 20 minutes. And she does that in branch after branch after branch.

Dave Bittner: [00:23:32] It seems like to be successful at this, you have to have a certain ability to be an actor, as well, to assume different personas.

Jeremy N. Smith: [00:23:41] Oh, absolutely. I mean, what's amazing is - and just sort of a, you know, a sort of moxie, you know, to say the least...

Dave Bittner: [00:23:50] Right.

Jeremy N. Smith: [00:23:50] ...A willingness to fail because, you know, the stakes are kind of high.

Dave Bittner: [00:23:54] I'm curious. The time you spent with Alien - her personality - it seems to me like, first of all, it takes a special kind of person to be able to do this, but also, I would imagine there must be an adrenaline rush with this. She must have a lot of fun.

Jeremy N. Smith: [00:24:08] Yeah. I mean, I said, how do you make decisions? And she just sort of laughed. And she was like, you know, I justify things I do afterward, and you can call that decision-making. But it's very instinct-driven. You know, that's her personality. And she said, you know, what you have to understand, if you ever have me, you know, in scene as a character sort of thinking things through, don't overdo it. It's usually, is this new, is this exciting, was the kind of criteria for trying things for the first 10-ish (ph) years of her career.

Jeremy N. Smith: [00:24:38] And, you know, what's fun is, you know, our image of hackers is usually frozen in time. It's often faceless, but even if there is a face, it's sort of someone pulling a particular exploit once. And what was great about this story is I could see her and follow her as she grew up. And, you know, there was a scene where she's hacking from a hospital after she gives birth. You know, she's just on a job that she has to complete as a small business owner herself. But you see that shift as she goes from a teenager to a solo hacker to entrepreneur and business owner and then mom and, you know, head of a family. You see her kind of going, as she put it, from living to hack to hacking to live. In other words, before the decision-making, it was always, what's the most fun? What's the most exciting? And now it's, what's the kind of work that can sustain the life that I want to lead in the family, you know, and kind of community I want to build?

Jeremy N. Smith: [00:25:31] So there's a maturation, too. And I think that's happening our - in the industry, as well, that's been - you know, people still have this image of hackers as sort of amateurs or foreign agents, but it's quite professional. She traces her adversaries sometimes in forensics cases or the adversaries of her clients, I should say. And, you know, they often have 9-to-5 kind of patterns for attacking. And that might be 9 to 5 Moscow time. That might be 9 to 5 in Lahore. But these are people that are professionals, and this is a job for them, just as it's a job for her. And that was something that was new to me, too.

Dave Bittner: [00:26:05] Yeah. Well, it's a compelling read. The book is "Breaking and Entering: The Extraordinary Story of a Hacker Called Alien." Jeremy N. Smith is the author. Jeremy, thanks so much for joining us.

Jeremy N. Smith: [00:26:15] Oh, I'm so grateful. Thanks for having me.

Dave Bittner: [00:26:18] Joe, what do you think?

Joe Carrigan: [00:26:19] I remember my first username...

Dave Bittner: [00:26:21] Yeah. OK.

Joe Carrigan: [00:26:21] ...From 1990.

Dave Bittner: [00:26:22] OK.

Joe Carrigan: [00:26:23] C2mxcarr (ph). Where I went to school, we didn't go by our usernames. We weren't nearly as cool as the guys at MIT.

Dave Bittner: [00:26:31] Interesting conversation.

Joe Carrigan: [00:26:32] I find it interesting that Alien picks the persona to match the goal, right? So when she goes into a place where she's trying to acquire a laptop, she says, oh, I'm the flustered new person. When she goes into a place where she's trying to get into the vault, she adopts a power stance, you know, mentally and physically, and gets her way into the vault.

Dave Bittner: [00:26:51] Yeah, that ability to be a chameleon.

Joe Carrigan: [00:26:52] Yeah. Yeah. That's remarkable.

Dave Bittner: [00:26:54] That's important. Yeah.

Joe Carrigan: [00:26:55] It's an important feature of this job, and it's remarkable among people who can do it. It's just something I just don't have the interpersonal skills to do.

Dave Bittner: [00:27:02] Yeah, I would be able to do it because of my amazing mastery of different dialects, Joe (laughter).

Joe Carrigan: [00:27:06] I believe you would be able to do it, Dave, actually. I...

Dave Bittner: [00:27:09] My amazing mastery of dialects from all over the world, as listeners of...

Joe Carrigan: [00:27:13] Right.

Dave Bittner: [00:27:13] ...This show know. It's just something I have a knack for (laughter).

Joe Carrigan: [00:27:14] The only problem would be someone might recognize your voice. They go, wait a minute. You're Dave.

Dave Bittner: [00:27:18] Wait a minute. Yeah.

Joe Carrigan: [00:27:21] Shred bins have always seemed like a target to me. I've worked in places where they were handled internally. And these things were painted red with yellow tops so they were conspicuous, and they made a lot of noise when you moved them. They were all designed like - I mean, they were metal. But I was at the doctor's office last week, and I noticed that they had a contractor shred bin sitting there from somebody who comes in and shreds the documentation...

Dave Bittner: [00:27:44] Right.

Joe Carrigan: [00:27:45] ...That they just put into the box. And they forget about it. Somebody could walk in there with a set of keys and - or...

Dave Bittner: [00:27:50] Yeah.

Joe Carrigan: [00:27:50] ...Maybe even a pick - just pick it.

Dave Bittner: [00:27:51] Wearing some overalls.

Joe Carrigan: [00:27:52] Yep.

Dave Bittner: [00:27:52] Take that box out.

Joe Carrigan: [00:27:53] Take the box out. Put it, you know...

Dave Bittner: [00:27:54] Got a truck out in the parking lot.

Joe Carrigan: [00:27:56] I got a truck out in the parking lot. Throw it in the back of the car and drive away.

Dave Bittner: [00:27:58] Yeah, that's interesting.

Joe Carrigan: [00:27:59] If there's one place in your office that you have to put shredded things, why not just put a shredder there?

Dave Bittner: [00:28:03] Yeah. They're cheap.

Joe Carrigan: [00:28:04] And once again, we hear the mantra over and over again that everybody should pay attention here, and that is, don't be rushed. Slow down.

Dave Bittner: [00:28:12] Yep. So important, time and time again. All right. Well, thanks to Jeremy N. Smith for joining us. Again, the title of the book is "Breaking and Entering: The Extraordinary Story of a Hacker Called Alien." And that is our podcast.

Dave Bittner: [00:28:26] We want to thank our sponsor KnowBe4, whose new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.

Dave Bittner: [00:28:45] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:28:53] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:12] And I'm Joe Carrigan.

Dave Bittner: [00:29:13] Thanks for listening.