Martin Overton: [00:00:00] Of all the incidents I've been involved with, either through ethical hacking or through doing digital forensics, over 90% of them were due to human error.
Dave Bittner: [00:00:09] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast. This is the show where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:29] Howdy, Dave.
Dave Bittner: [00:00:29] We've got some fun stories to share this week. And later in the show, Carole Theriault returns. She's got an interview with Martin Overton. He's from OMG Cyber Security. And he's going to tell us how, if you fall for a phishing attack, that might void your cyber insurance. We've got a word from our sponsors at KnowBe4. But before we do, we've got a special announcement that's related to that. Joe, you and I are doing a special live version of our "Hacking Humans" podcast...
Joe Carrigan: [00:00:53] We are.
Dave Bittner: [00:00:54] ...At the upcoming KB4-CON in Orlando, Fla.
Joe Carrigan: [00:00:58] That's from May 8 through the 10th.
Dave Bittner: [00:01:00] That is right. That is an event - we're going to be live on stage. We're going to be doing our show. And we'll have some special guests. We'll have Stu Sjouwerman. He's KnowBe4's CEO. But also, we're going to have Kevin Mitnick. He is one of the best-known hackers in the world. So we're super excited about that. We'd love to see all of you there. You can find out all about KB4-CON if you go to KnowBe4's website. And speaking of KnowBe4, here's a word from them.
Dave Bittner: [00:01:26] So how do you train people to recognize and resist social engineering? Here are some things people think. Test them, and if they fall for a test scam, fire them - or, other people say, if someone flunks the test, shame them. Instead of employee of the month, it's dufus of the day, or maybe you pass out a gift card to the one who gets the A-plus for skepticism in the face of phishing. So how about it? What do you think - carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.
Dave Bittner: [00:02:03] Joe, we're back. We want to kick off this week's show with some follow-up. We had a listener named Jack (ph) who wrote in. He said, I love your podcast. Thank you, Jack. He said, I wanted to get your suggestion for a best practice on something. He said, I recently received an email in Spanish welcoming me to Netflix. This was odd because I don't have Netflix, and the email address this was sent to has never been associated with Netflix. I went to Netflix and reset the password to the account using my email. Once I had access, I saw it was registered to a Maria Pacheco (ph). Netflix records your login history and what IP is used. And in this case, the logins came from Santiago, Chile. I chatted with Netflix to inform them of the situation, and they said they would reach out to the owner of the account. There was no evidence of foul play, but I kept trying to think about how this was some sort of scam I wasn't thinking of. I changed the password to the email that had been used, although there was no evidence anyone had gotten access. He says, do you have any thoughts as to why my email was used in this situation? Is there anything else you guys can think of that I should've done? What do you think, Joe?
Joe Carrigan: [00:03:04] Well, I think changing the email password is a wise move. Even though there is no evidence of compromise, there's...
Dave Bittner: [00:03:09] Right.
Joe Carrigan: [00:03:10] Just change the password. If you use a password manager, this takes you no effort at all or next to no effort. It's a great step to take. This could be a typo. I'd like to know how Netflix is going to get in touch with the account owner.
Dave Bittner: [00:03:19] If that's him.
Joe Carrigan: [00:03:21] Right (laughter) - or her.
Dave Bittner: [00:03:22] Maybe - but yeah. I mean, the email address is the - that's...
Joe Carrigan: [00:03:25] Right.
Dave Bittner: [00:03:25] ...The center of the bull's-eye for how they reach out to someone with the account.
Joe Carrigan: [00:03:29] Right, unless they have an alternative contact method, like a phone number or something.
Dave Bittner: [00:03:32] Yeah. I'm with you. I suspect this was probably someone just mistyped an email address in because they'd have to put in some sort of credit card information.
Joe Carrigan: [00:03:41] Right - some payment information or they would not have gotten the account. I think that's required, isn't it?
Dave Bittner: [00:03:45] Yeah.
Joe Carrigan: [00:03:45] Oh, maybe they have a free trial. Maybe this was some kind of free trial thing.
Dave Bittner: [00:03:48] Oh, it could be - could've been using a fake credit card...
Joe Carrigan: [00:03:51] Yeah.
Dave Bittner: [00:03:51] ...Harvested up a known email address, you know, from one of the many...
Joe Carrigan: [00:03:56] One of the many breaches.
Dave Bittner: [00:03:56] ...You know, breaches. Yeah.
Joe Carrigan: [00:03:57] I've gotten emails, not from Netflix, but like this that were - we've created your account for you. Here's how you log in, you know, to verify your account. So what I did was I went in. I verified the account. I changed the password on the account. And then I closed the account because someone had signed up with my email.
Dave Bittner: [00:04:13] Right.
Joe Carrigan: [00:04:14] And I think they were just trying to sign up with any email they had. And they probably found it on some list. This is an email that is on Troy Hunt's list, so (laughter)...
Dave Bittner: [00:04:23] Yeah.
Joe Carrigan: [00:04:23] ...It's probably from some breach.
Dave Bittner: [00:04:25] Yeah.
Joe Carrigan: [00:04:25] Something similar happened to me.
Dave Bittner: [00:04:26] Yeah. I had an email address, and I kept getting invoices that were meant for someone else who had an email address that was very similar to my email address.
Joe Carrigan: [00:04:34] Right.
Dave Bittner: [00:04:35] And I couldn't seem to get through to them to tell them, this is not me. This is who - I think this is who you want...
Joe Carrigan: [00:04:40] Right.
Dave Bittner: [00:04:41] ...This other person. And that person's email address is similar to mine. It was actually someone who was in a similar business to me.
Joe Carrigan: [00:04:46] Really?
Dave Bittner: [00:04:47] Yeah. And anyway, it was just a typo. But they can be tough to track down. My gut feeling on this is - for Jack is that I don't think this was any sort of high-powered attempt to get at anything of his. I...
Joe Carrigan: [00:04:59] Right.
Dave Bittner: [00:04:59] I suspect, at the very worst, they were probably just an opportunistic person trying to maybe get some free Netflix. But they weren't after Jack's credit card or anything like that.
Joe Carrigan: [00:05:08] Right.
Dave Bittner: [00:05:08] So sounds like Jack did everything right here.
Joe Carrigan: [00:05:10] Yeah, I agree.
Dave Bittner: [00:05:11] Yeah, including...
Joe Carrigan: [00:05:12] I think you're fine, Jack.
Dave Bittner: [00:05:13] Including sending it in to us.
Joe Carrigan: [00:05:14] Yes, that's right. Thank you.
Dave Bittner: [00:05:15] (Laughter) Thank you very much for doing that, Jack. All right, let's move on to our stories. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:05:21] Dave, you're on the Nasty List.
Dave Bittner: [00:05:24] Really - along with Janet Jackson?
Joe Carrigan: [00:05:26] That's Ms. Jackson 'cause you're nasty.
Dave Bittner: [00:05:28] (Laughter) That's right.
Joe Carrigan: [00:05:31] The Nasty List - it's - is a phishing attack that's going around Instagram right now.
Dave Bittner: [00:05:35] OK.
Joe Carrigan: [00:05:35] And this is coming from BleepingComputer. We'll have a link in the show notes. Here's how it works. You get a direct message that reads, oh, my God. Your - Y-O-U-R - that's one of the things that makes the hair on the back of my neck stand up.
Dave Bittner: [00:05:48] (Laughter).
Joe Carrigan: [00:05:48] You're actually on here. And it has an Instagram name - @thenastylist*underscore*xx. Your number is 26. It's really messed up. So if you click on the username, you're taken to an Instagram profile where the description is set to, wow, you're on here, or, people are putting all of us on here. And there's a link on the profile that says, if you want to view the list, you can go to this domain - nastylist-instatop50.me, right?
Dave Bittner: [00:06:15] OK.
Joe Carrigan: [00:06:15] So it kind of looks like it says Instagram in there, Insta-something.
Dave Bittner: [00:06:19] Yeah.
Joe Carrigan: [00:06:19] Right?
Dave Bittner: [00:06:19] Right.
Joe Carrigan: [00:06:20] And if you click on the link, it takes you to a page that looks exactly like the Instagram login page.
Dave Bittner: [00:06:27] Oh, OK.
Joe Carrigan: [00:06:27] If you are going along with this and you enter your username and your password into the site, then they've harvested your credentials. And the first thing they do is, they log into your account and they send the same message to everyone in your contacts that they can send the message to. All right? So it's kind of like a viral, spreading, phishing, SMiShing - I don't know. It's definitely on a localized Instagram. And they're definitely trying to harvest Instagram credentials.
Dave Bittner: [00:06:50] OK.
Joe Carrigan: [00:06:50] Somebody is sucking these up for some reason. It doesn't look like people are losing access to their accounts. But they are essentially getting hacked somehow.
Dave Bittner: [00:06:58] And we don't know yet what the end game is on this.
Joe Carrigan: [00:07:00] We don't know what the end game is.
Dave Bittner: [00:07:01] OK.
Joe Carrigan: [00:07:02] My guess is the end game is to suck up these accounts and credentials.
Dave Bittner: [00:07:05] And sell them or...
Joe Carrigan: [00:07:06] And sell them, right.
Dave Bittner: [00:07:07] Yeah. OK.
Joe Carrigan: [00:07:08] So let's unpack the social engineering components here.
Dave Bittner: [00:07:10] Yeah.
Joe Carrigan: [00:07:11] First, the message alarms you with the term nasty list. If the first thing you're thinking is, did someone post a photo that I thought was private, immediately your fear kicks in.
Dave Bittner: [00:07:22] Yeah.
Joe Carrigan: [00:07:22] Right? Let's say that you've shared pictures that you would hope would remain private, but they don't, so you're much more likely to fall for the scam. The fake login page is very convincing. And we've talked about this on a phone before. The real estate's kind of limited, so the only indicator that you're not at Instagram is the URL, and it's written in a much smaller typeface, so it's very convincing that you can fall for this. And if you reuse your password - which is another common human behavior - all the services where you use that password have now potentially been compromised.
Dave Bittner: [00:07:51] Right.
Joe Carrigan: [00:07:51] Of course, the question is, how do you protect yourself? First thing you should do is be using a password manager. And it would be really great if you could use a password manager that verifies that it's submitting the password to the proper site. Password managers have this feature. The one I recommend - Password Safe, which is free, actually - doesn't have this feature. But it would be nice if it did - but it - if your password manager does. Two, enable two-factor authentication. That may not have helped you in this case because this is a social engineering attack. They could've very well just asked for your two-factor authentication token and gotten in and spread the message the same way...
Dave Bittner: [00:08:22] Yeah.
Joe Carrigan: [00:08:22] ...To continue to harvest these credentials. But it will protect you against future attacks and prevent somebody from taking that information and then, in a future point in time, taking over your account. Don't click on links that are sent to you. That's something we commonly say.
Dave Bittner: [00:08:34] Yeah, yeah.
Joe Carrigan: [00:08:34] Go after the source yourself.
Dave Bittner: [00:08:36] Right.
Joe Carrigan: [00:08:36] Don't click on anything. So if you do fall victim to this or any similar attack, go ahead and change your password if you still have control of the account. And change the passwords to any other accounts where you use that password. And use a password manager so you can set them to all different passwords.
Dave Bittner: [00:08:48] You know, I fell victim to one of these probably about 10 years ago.
Joe Carrigan: [00:08:52] Really?
Dave Bittner: [00:08:52] I believe it was Twitter. And Twitter was still fairly new, I think. And I got a message from a friend of mine that said, hey, did you see this video of you that's been posted online? You really need to see this.
Joe Carrigan: [00:09:05] Right.
Dave Bittner: [00:09:05] And it was the same sort of thing. And I fell for it 'cause it was - I wanted to see the video of me that was posted online - didn't say if it was good or bad, but, of course, my imagination started running. Well, this could be awesome. It could be an awesome video of me or it be terrible. So I - yeah, totally hook, line and sinker.
Joe Carrigan: [00:09:24] Yeah. A call to action totally short-circuits a lot of your thinking.
Dave Bittner: [00:09:28] Yep. I think I was able to get in front of it and change my password before anything bad happened. But you know - so lesson learned the hard way.
Joe Carrigan: [00:09:34] Right (laughter).
Dave Bittner: [00:09:35] We're all susceptible. Time to move on to my story. And mine comes from Brian Krebs over at Krebs on Security. And this is about a service that is powering Airbnb scams. And it's called Land Lordz. And then this being the internet, Lordz is spelled with a Z at the end. This is a scamming as a service. So, you know, there's all sorts of things you can get on the Internet as a service.
Joe Carrigan: [00:09:59] Hacking is now available as a service.
Dave Bittner: [00:10:01] Correct. So according to this story by Brian Krebs, the folks who are running this Land Lordz subscription site - which costs over 500 bucks a month...
Joe Carrigan: [00:10:12] Wow.
Dave Bittner: [00:10:12] I guess they can charge that because you get a return on that investment. What this does is it enables you to set up hundreds of fake Airbnb accounts.
Joe Carrigan: [00:10:22] Right.
Dave Bittner: [00:10:22] And the accounts get set up on real Airbnb. It helps you set up fake reviews. It helps you manage the interactions with people who might be interested in these fake properties. Ultimately, it takes you to a fake Airbnb page - similar to what we were just talking about - where it takes you to a page that has a URL that looks very, very similar to Airbnb. In fact, in this case, it's airbnb-longterm-airbnb.co.uk. At first glance, this would not raise red flags to me that this could not be some sort of legit Airbnb subdomain.
Joe Carrigan: [00:10:58] Right, 'cause it's designed to look like a subdomain. This is actually another domain.
Dave Bittner: [00:11:02] Exactly. So what happens is the folks who fall for this, they see these fake properties that they want to book. They get in touch with the folks who have made the fake listings. They get routed to the clone site - that is, the phony site. And then they start down the path of making deposits on these places, making payments. And of course, in the end, they're cheated out of their money.
Joe Carrigan: [00:11:27] Right. They show up at the property, and there's nobody - there's a family living there. Right?
Dave Bittner: [00:11:33] (Laughter) Right. Right. Exactly.
Joe Carrigan: [00:11:33] That's probably the endgame for the victims of this.
Dave Bittner: [00:11:35] Yeah. Yeah. Now, I have to say, first of all, I have a lot of respect for Brian Krebs.
Joe Carrigan: [00:11:42] Right.
Dave Bittner: [00:11:43] I think he does great work, and he's a really good writer and just does really good stuff. And he's like a pit bull when it comes to tracking down these stories. But there's something in this article that I have to take a little bit of issue with.
Joe Carrigan: [00:11:56] What's that?
Dave Bittner: [00:11:56] He says, people who lose money in these scams fail big time on two things. First, they fail to notice they are not on airbnb.com. More importantly, they end up wiring money to secure the promise of a fake apartment or home in another country, and the thieves cut off all communications at that point.
Joe Carrigan: [00:12:14] Right.
Dave Bittner: [00:12:15] And then he goes on to describe someone. He says, like they did to this poor sucker, who paid $1,200 in exchange for a piece of paper which promised they'd hand over keys to the apartment at a specific date. Now, I guess I just sort of have to take issue with the way Brian is framing this...
Joe Carrigan: [00:12:30] Right.
Dave Bittner: [00:12:31] ...That these people are failing. You and I talk about this all the time.
Joe Carrigan: [00:12:34] Right.
Dave Bittner: [00:12:34] We need to have empathy for - anybody could fall for these things.
Joe Carrigan: [00:12:36] Exactly. Yeah.
Dave Bittner: [00:12:37] And I suspect this comes across stronger than how Brian meant for it to come across...
Joe Carrigan: [00:12:41] Right.
Dave Bittner: [00:12:42] ...Knowing Brian and...
Joe Carrigan: [00:12:43] I agree with you. And I kind of agree with Brian that they are missing the pointers that we're always talking about - going to the URL, the incorrect URL. You know, this is a very well-crafted site, and it works so well that the attackers are charging $500 a month for the service and getting it. So it's expensive because it's good. It's a good attack.
Dave Bittner: [00:13:02] Yup. It's a high-quality product.
Joe Carrigan: [00:13:03] Yes. It is.
Dave Bittner: [00:13:04] The point I guess I'd like to make is that let's not forget the empathy for folks who fall victim to these things. They're not falling victim because they're stupid. They're falling victim because they're human.
Joe Carrigan: [00:13:14] Right.
Dave Bittner: [00:13:14] And we just need to...
Joe Carrigan: [00:13:16] I agree with that.
Dave Bittner: [00:13:16] ...Need to keep that in mind. If someone you work with or someone, one of your family members, they're already suffering enough. They already feel stupid.
Joe Carrigan: [00:13:22] Right.
Dave Bittner: [00:13:22] Don't pile on.
Joe Carrigan: [00:13:24] Yeah.
Dave Bittner: [00:13:24] Right?
Joe Carrigan: [00:13:24] Yeah, Brian.
Dave Bittner: [00:13:28] All right, Joe. Well, that is my story this week. It is time to move on to our Catch of the Day.
[00:13:33] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:13:37] Our Catch of the Day comes from a listener named Drew, and he spent some time in the U.S. Air Force. He received an unsolicited message on one of the social media platforms. And the photo was a woman who was dressed in military fatigues. She had the camo outfit on. Her name is Rebecca Nunnery. Interesting, Nunnery.
Joe Carrigan: [00:13:56] Yeah. Get thee to a nunnery.
Dave Bittner: [00:13:57] Get thee to a nunnery. And the message goes like this. (Reading) How are you doing? I found your profile attractive. Are you single? Would like to get to know better about you. Here is a bit about me. I am Rebecca Nunnery. I am new to this. I just register on here about a few days ago. I was born in Orlando, Fla. I work as a U.S. Army and with the armored cavalry regiment as a first lieutenant colonel. The Special Forces teams, we are among the most specialized combat forces in the Army, working under the 3rd Calvary how are with the United Nation am from United States but presently deployed in Nigeria for peacekeeping mission. We experience rigorous mental and physical training in order to carry out our missions in a quick and extremely effective manner, and we are guaranteed the opportunity to try out for special forces. I hope am not scare you away. Tell me about you. Just former information about you. And then Drew responds and says...
Joe Carrigan: [00:14:55] (Reading) Would you like me to tell you everything wrong with what you just said? (Laughter) No.
Dave Bittner: [00:15:01] I followed up with Drew. First of all, Drew, thanks for sending this in.
Joe Carrigan: [00:15:04] That's a pretty good Catch of the Day.
Dave Bittner: [00:15:05] It is pretty good. I followed up with Drew. And I said, Drew, I'm no expert on military operations (laughter). Could you send in a list of the things that are wrong with this? Then he did. Drew said, first of all, one doesn't work as a U.S. Army.
Joe Carrigan: [00:15:19] Right.
Dave Bittner: [00:15:19] The third...
Joe Carrigan: [00:15:20] Not anymore. Not since they dropped the Army of One.
Dave Bittner: [00:15:22] (Laughter). Yeah.
Joe Carrigan: [00:15:22] (Laughter).
Dave Bittner: [00:15:22] The 3rd Armored Cavalry is not a Special Forces team.
Joe Carrigan: [00:15:26] It is not.
Dave Bittner: [00:15:26] I'd just like to say, as an aside, that they used both cavalry and calvary in this.
Joe Carrigan: [00:15:31] And that...
Dave Bittner: [00:15:31] ...Pet peeve of mine.
Joe Carrigan: [00:15:31] Yeah. It makes you very angry.
Dave Bittner: [00:15:34] It does. It does. Yeah. Drew goes on to say, there is no such thing as a first lieutenant colonel. One is either a first lieutenant or a lieutenant colonel. (Laughter). He says, we had military advisers in Nigeria, and they were not under any U.N. mission, but they were pulled out in 2014 and the 3rd Cav was in Afghanistan in 2014 to 2015. This message was sent to me in 2018. Well, that's a good one, huh?
Joe Carrigan: [00:15:56] Yeah. I love this one. I wonder if Rebecca Nunnery might actually be a real person who is in the military.
Dave Bittner: [00:16:02] Could be.
Joe Carrigan: [00:16:02] Because...
Dave Bittner: [00:16:03] We see that a lot.
Joe Carrigan: [00:16:03] ...There's a picture of a person here in fatigues. It has a plausible name. The English, of course, is terrible. It communicates, but it does not communicate well.
Dave Bittner: [00:16:12] Yeah. Well, you know, people just can't resist another person in uniform...
Joe Carrigan: [00:16:16] That's right.
Dave Bittner: [00:16:17] ...Evidently. I guess that's the whole thing they're going for here.
Joe Carrigan: [00:16:19] Yeah.
Dave Bittner: [00:16:20] So Drew, thanks for sending that in. That's our Catch of the Day. Coming up next, Carole Theriault returns. She's got an interview with Martin Overton from OMG Cyber Security. He's going to tell us about how falling for a phishing attack might just void your cyber insurance.
Dave Bittner: [00:16:36] Let's return to our sponsor, KnowBe4's, question, carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:17:24] Joe, it's great to have Carole Theriault back on the show. She recently spoke with Martin Overton. He's from OMG Cyber Security. And he's going to tell her how falling for that phishing attack might cause you to have a run-in with your insurance provider. Here's Carole Theriault.
Carole Theriault: [00:17:40] Guys, today I'm talking about the most exciting cyber topic there is - cyber insurance. OK, I'm kidding. I'm kidding. It's not the most exciting topic. But this interview with Martin Overton, who is an expert in cyber and worked in the insurance industry for years - so it was quite enlightening when we started to play Are You Insured After Certain Scenarios? The results were interesting. Check it out.
Carole Theriault: [00:18:09] So, Martin, maybe you can introduce yourself to our audience and let them know what you do.
Martin Overton: [00:18:14] Just to make it clear, I'm not an insurance specialist. I'm a techie. I've been working with IT security for over 30 years. And I have over 30 years of real-world experience in dealing with malicious code, over 15 years as an ethical hacker. So I've hacked infrastructure and humans. So I've done social engineering attacks as well. So I know about those. I also did 10 years of digital forensics, so incident response; so dealing with breaches that companies have had, so actually helping them - everything from script kiddies - so simple web defacements - right through to nation-state actors.
Martin Overton: [00:18:45] So I've dealt with all of those. But the last two years before I started my own company, I was actually working for one of the largest cyber insurance companies in the world very much hand in glove with the underwriters. So I used to help the underwriters on meetings with clients, the brokers and also the claims team. So the - sometimes, the claims team would come to me and say, Martin, what does this mean? This particular insured is actually asking for coverage or payment for this particular remediation. Is this acceptable? Or is this what we call betterment? - which means, basically, they're trying to get something for nothing.
Carole Theriault: [00:19:17] Yeah. So you are in a really unique position of understanding both the whole ecosystem of cyber and now you've got insight into the insurance, so you're perfect for this topic today.
Martin Overton: [00:19:30] Well, I would hope so, yes.
Carole Theriault: [00:19:32] We've got 20 years, more or less, of this being an industry. So what kinds of people or companies invest in cyber insurance?
Martin Overton: [00:19:40] Pretty much everybody nowadays. I mean, you cannot go through a day nowadays without seeing some form of breach on the news. It's become the norm almost. It's almost a case of, what? You mean you haven't been breached today. It's almost getting to that situation. And with all the mass data breaches, lots of these are where credentials are stolen - so user IDs and passwords. And then the bad guys are then replaying those to what we call credential stuffing to actually break into other accounts owned by that user because they're using the same password. So it's a big human issue, really. That's probably the biggest problem nowadays.
Carole Theriault: [00:20:13] But I'm guessing that with most insurance forms, there's some loopholes or complexities in it that maybe that we're not actually seeing. I mean, I would just assume if I had cyber insurance, you know, and I have AV protection - done deal, right? I'm going to get paid if I get hit.
Martin Overton: [00:20:28] It would depend on what you get hit by, exactly how it occurred. Now, cyber insurance normally works on the premise - well, certainly for the vast majority of us - that you've been hacked. OK. All right, so let's play Covered by Cyber Insurance - true or false. OK?
Carole Theriault: [00:20:43] (Laughter) OK. So are we pretending that I'm a cyber insurance person? (Laughter).
Martin Overton: [00:20:48] So someone opened an attachment and unwittingly lets in an authorization onto the network. Companies with cyber insurance - would they be covered?
Carole Theriault: [00:20:55] Right. So there's a user. They're, you know, just a normal employee. And they happen to have a phishing email, for example, with a link or a, you know, a malicious attachment. And they click on that, and then the whole network goes down. And the company now wants to claim for the company. So I'm going to say of course they get coverage; of course.
Martin Overton: [00:21:11] Yeah, because they've been effectively hacked and their systems have been impacted. Most cyber insurance coverage would cover that quite happily. That would cover the investigation, so the forensics, if needed. It would potentially cover the legal costs. And also, if required, PR costs. So if there's a brand-damage issue here, that, potentially, would also be covered. But again, it depends on the policy and the exact wording.
Carole Theriault: [00:21:34] So in the situation where I have been duped as an employee by a phishing email, most people would cover - most cyber insurance people would cover that.
Martin Overton: [00:21:41] Most policies should cover that because it's an act of hacking. Even though the user has actually clicked on a link and introduced malcode or hacking tools or opened a backdoor or whatever onto their system, there's an act of hacking there. So the systems have been compromised.
Carole Theriault: [00:21:55] OK, got you. So I'm 1-0 right now, right? I got that point.
Martin Overton: [00:21:59] OK, so...
Carole Theriault: [00:22:00] OK.
Martin Overton: [00:22:00] Let's say you're an international defense contractor. You've had malware deployed by an unknown capability on your infrastructure. And the bad guys have stolen intellectual property, so designs, et cetera.
Carole Theriault: [00:22:12] Eek.
Martin Overton: [00:22:12] Yeah.
Carole Theriault: [00:22:13] OK.
Martin Overton: [00:22:14] Now, would you be covered? And if so, what would you be covered for?
Carole Theriault: [00:22:16] OK. So this is like a third-party - malware has stolen my big company secrets.
Martin Overton: [00:22:22] Yup.
Carole Theriault: [00:22:23] How much are those secrets worth? So I guess I would work out how much money I'd lose because the proprietariness (ph) of it is gone.
Martin Overton: [00:22:29] Exactly.
Carole Theriault: [00:22:30] Yeah. So OK. So I'd expect - yeah, I'd expect a payout. I would be able to prove that I was affected by malware. So yeah. I'd put a claim in and expect payout.
Martin Overton: [00:22:38] Well, I'll give you half a point for that. So - because you would be covered for the investigation cost and, potentially, any downtime. But the fact is intellectual capital is generally not covered by cyber insurance.
Carole Theriault: [00:22:50] Oh.
Martin Overton: [00:22:51] There are some cyber insurance policies that have that as an addition, all right. There are some specific policies that will include intellectual property theft. Because it's an intangible, how do you know how much that's worth?
Carole Theriault: [00:23:03] Yeah, that's interesting. So presumably, if they stole, for example, next year's budget and strategic plans, and inside that, we were - the company was expecting to make 10 million turnover, let's say, how would they actually prove that?
Martin Overton: [00:23:18] Exactly. So I'll give you an example of a real case I worked on. I won't say who the company is. A large European company got hacked by some bad guys who actually went in and stole all their customer lists and their table of payments, et cetera - what they normally charge - and then sold that to one of their competitors. At first, they knew about - is when they were getting undercut all the time. Now, how do you actually cover that under insurance? It's very, very difficult.
Carole Theriault: [00:23:43] So basically, insurers just don't.
Martin Overton: [00:23:45] But generally, because it's intellectual capital, it's very, very hard to insure because how would you put a monetary value on it?
Carole Theriault: [00:23:51] So what happens if there's, like, a social engineering trick where maybe I'm called up at my desk, and someone says, hey, this is IT. Your machine's compromised. I need your password immediately. And I hand it over, thinking this is all legit. And then that leads to a huge compromise within the system. What happens then from an insurance point of view?
Martin Overton: [00:24:11] So you're turning the tables on me now. So I'm now answering insurance...
Carole Theriault: [00:24:13] Yeah (laughter).
Martin Overton: [00:24:16] It's not a - OK, that's fine. So I've got an example of this. So I'll give you a real-world example. A large payroll HR company that I was doing a social engineering attack on - so this is a fully authorized, ethical hack, OK? But let's assume this - I was a bad guy, and I was really hacking it. So I created a phishing email, also phoned them up, pretending to be from their HR department and their tech support department. They didn't fall for that dot, so I sent a phishing email to their staff.
Martin Overton: [00:24:39] Now, their staff are all perfectly trained against this type of attack, OK? So I set up a fake website that looked like their bank site, sent an email that looked like it came from their bank, saying, there's been a problem with your account; please click here to validate your credentials. And I also attached a pretend malicious attachment as a fake certificate, OK? So I sent this out. Within 10 minutes, somebody had actually clicked on this. It was very much a targeted attack against key people within their organization, OK? So they clicked on the link, and within those 10 minutes, they'd actually given me the credentials to a bank account that had millions of pounds in it.
Carole Theriault: [00:25:12] Wow.
Martin Overton: [00:25:13] So I mean, normally, like, hear people say to me, Martin, how do we know you're ethical? While I'm talking to you, I could be lying on a beach somewhere now with lots of money in a big (unintelligible) offshore. So...
Carole Theriault: [00:25:22] (Laughter) Well, unless digital forensics wouldn't have caught you.
Martin Overton: [00:25:25] They wouldn't have done. No, no, no - not very easily 'cause I would've covered my tracks.
Carole Theriault: [00:25:27] (Laughter).
Martin Overton: [00:25:27] But in that situation - because it's social engineering, OK - it would still be covered by a policy.
Carole Theriault: [00:25:35] So guys, let me interrupt the interview here for a second. So at this point, I'm thinking maybe there isn't a cyber event that I can think of that actually isn't covered by cyber insurance. Maybe they're all covered. So I asked Martin if he could give me an example of when an insurer wouldn't pay out.
Martin Overton: [00:25:54] Yeah. You're talking about what we call business email compromise or fake CEO. These are situations where somebody has found out about a transaction that's going on between the real customer and the real seller - no, provider. And they find out about it. So they then try to take over the actual transaction and tell this - the person who's supposed to be paying for it, by the way, we changed our bank account details...
Carole Theriault: [00:26:18] Right.
Martin Overton: [00:26:19] ...OK, or with - an example - I think of Pathe. There was an example where the email claimed to come from the CEO of Pathe to the CFO - yeah. And they were told to actually transfer and not to tell anybody. Now, that's a business - that's a fake CEO or business email compromise. Those are particularly - those are crime. There's no hacking involved here. Nobody broke into an infrastructure. They've just found out about it. You just have a fake domain name which looks very similar - so it's a real customer's domain name - and sent emails and taken over the actual control of that transaction.
Carole Theriault: [00:26:50] Right. So if there's no element of hacking, just duping an individual - right? - so there's no malicious link. There's no phish involved. There's just very sophisticated social engineering. That means cyber insurance is going to say, look. Sorry, you're maybe a bit of an idiot, you know? You don't get your money.
Martin Overton: [00:27:09] But basically, cyber insurance, from my understanding, would not cover that. A crime policy potentially would. So this is where the difference between them - 'cause crime policies cover fraud, irrespective of whether it's an internal person or an external person that's done it.
Carole Theriault: [00:27:22] OK. So this means, then, that companies would really want to invest in cyber training for their employees to make sure they are aware of these kinds of tricks because - not only to protect the integrity of the systems, but also because their insurance will be void.
Martin Overton: [00:27:42] Indeed. So it's not just about training and users. Training them is not enough. You need to do phishing testing against your own staff, definitely.
Carole Theriault: [00:27:49] So let's say you owed me a thousand pounds, and I'm like, great. I'll send you an invoice to - for the thousand pounds. I send that invoice over. Someone hacks my email...
Martin Overton: [00:28:00] Yes.
Carole Theriault: [00:28:00] ...And sends you an email saying, hey, hey, I know the invoice is in there. Do you mind just sending it to this account? Really sorry, made a mistake on the bank account number. You fire the money to that new account, which is not mine. I'm now back in charge, saying, where's my money?
Martin Overton: [00:28:16] Where's my money? Yes.
Carole Theriault: [00:28:16] And I go to my cyber insurance. They're going to say, you were duped.
Martin Overton: [00:28:20] Yeah. You wouldn't be covered by that, but you might be covered under a crime policy.
Carole Theriault: [00:28:23] OK. So ultimately, what we're seeing here is, yes, this is yet another reason why you want to train your employees because they could potentially void cyber insurance claims.
Martin Overton: [00:28:32] Indeed.
Carole Theriault: [00:28:33] And another - obviously, we also think it's very important because they can act as your kind of - an additional layer of security because, you know - yes, you have all these different layers - firewalls and anti-malware and all these kind of things going on - but why not have them also be vigilant at the perimeter and wherever they are remotely?
Martin Overton: [00:28:51] Of all the incidents I've been involved with, either through ethical hacking or through doing digital forensics, over 90% of them were due to human error. Now, that doesn't mean malicious, doesn't mean necessarily someone clicking on links. It may be misconfiguration of devices, et cetera, leaving ports open - all the usual stuff that, you know, people do because they're trying to roll something out quickly or they're in - they're under pressure of some form.
Carole Theriault: [00:29:13] Right. So it's more of a Bacon situation.
Martin Overton: [00:29:16] Indeed, yeah. Baconing (ph) at the beginning, not at the end. And just going back to the financial aspect - obviously, if you're - you've got people who are in the payment section, make sure there are good processes and procedures in there. So not just a single person can make a payment; they have to go through two or three levels to actually approve that payment. That will hopefully reduce the risk from fake CEO and business email.
Carole Theriault: [00:29:39] Yes, and forced collusion tends to mitigate against these people thinking they'd get away with stuff, doesn't it?
Martin Overton: [00:29:44] Although it didn't say Pathe in that case because they obviously had the two guys talking to each other who said, this seems a bit strange, but we'll approve anyway.
Carole Theriault: [00:29:53] Absolutely. Martin, thank you very, very much. This was fascinating.
Martin Overton: [00:29:57] Thank you.
Carole Theriault: [00:29:57] You see? I surprised you, didn't I? It was a pretty interesting interview. Cyber insurance is murky. And the best advice is, read your policy super carefully to make sure you're covered for the things that you think you're covered for. A good piece of advice is, beforehand, write out risk scenarios to present to your potential insurer, and ask them what would be covered under those instances. And, you know, this is the time to brainstorm, think broadly. This was Carole Theriault for the CyberWire.
Joe Carrigan: [00:30:30] Dave, I love - covered by cyber insurance, true or false?
Dave Bittner: [00:30:33] Yeah (laughter).
Joe Carrigan: [00:30:34] That sounds like a great game.
Dave Bittner: [00:30:35] (Laughter) Yeah, yeah, yeah, yeah. Can play that with your insurance agent.
Joe Carrigan: [00:30:39] Correct.
Dave Bittner: [00:30:40] Yeah, there's a lot to unpack there.
Joe Carrigan: [00:30:42] There is. I understand why intellectual property is not typically covered. There's really no way to know the value of it. If someone steals, like, a technology that you have that you're going to capitalize on, how do you know what you were going to make when you never even brought it to market before it was stolen?
Dave Bittner: [00:30:55] Right, right.
Joe Carrigan: [00:30:56] That's very difficult to do. I'm glad to hear that there are other policies that might protect it. Martin is 100% correct about setting up policies and procedures to make sure that you don't fall victim to business email compromise, and when money is moved out of your company, that there is more than one person involved in the process of moving the company. We hear this all the time where it's a conversation between two people and somebody impersonating the CEO is saying, hey, keep this under your hat, but transfer this money here.
Dave Bittner: [00:31:23] Right.
Joe Carrigan: [00:31:23] That should be an instantaneous red flag, right? That should be something that lets you know that there's something going on here. I don't know. That would always make me uncomfortable and make it so that I would have to have a meeting with somebody before I would start doing this again. I would have to meet somebody face-to-face. Business email compromise is hacking, in my opinion, I mean, 'cause you're getting access to somebody's email, probably by phishing their username and password. You're in their account. You're impersonating them. But if it's not covered by your insurance policy because it's written thus...
Dave Bittner: [00:31:52] (Laughter).
Joe Carrigan: [00:31:53] ...Then, you know, you may want to get some insurance that covers that.
Dave Bittner: [00:31:56] Well - and it's interesting that, you know, as they mentioned, it could be covered by a fraud clause in a crime rider or whatever of your insurance policy.
Joe Carrigan: [00:32:05] Right. Exactly.
Dave Bittner: [00:32:06] I mean, one of the things that struck me here is that, first of all, you need to be dealing with an insurance agent that you trust.
Joe Carrigan: [00:32:13] Right.
Dave Bittner: [00:32:13] But even beyond that, even - no matter how well-intentioned that person is, get it in writing.
Joe Carrigan: [00:32:19] Yes, absolutely.
Dave Bittner: [00:32:19] Yeah, just go through these questions and get everything in writing because even if that agent or that representative has all the best intentions, it may not be their call. It's not going to be their call when it actually...
Joe Carrigan: [00:32:29] Right. They're the sales force. They're not really the operational force. And the operational force - their job is to make sure they pay out as little as possible.
Dave Bittner: [00:32:37] Right. Right. Right.
Joe Carrigan: [00:32:38] That's their business model. So I would recommend having an attorney present whenever you're doing this, to make sure that - an attorney who specializes in insurance and works for you - if you have a company that you're trying to protect.
Dave Bittner: [00:32:52] Yeah.
Joe Carrigan: [00:32:52] Business email compromise is definitely a risk. It pays out too often and too big for it not to be.
Dave Bittner: [00:32:58] Yeah.
Joe Carrigan: [00:32:58] Definitely. If you can get insurance for it, you should probably get insurance for it.
Dave Bittner: [00:33:01] I suppose this is one of those, you can pay me now or you can pay me later, kind of things. You know, I could - I can imagine people thinking, well, it's - gosh, it's expensive to get a lawyer and all that sort of thing. Well, yeah, it is. But you - this is why you're buying insurance. You're buying insurance to protect yourself against the bigger thing, the big, smoking hole in the ground, the...
Joe Carrigan: [00:33:19] That was your company (laughter).
Dave Bittner: [00:33:20] Yeah, exactly. Right. Or, like, my - I have a friend who sells insurance. He says the Wile E. Coyote event. That...
Joe Carrigan: [00:33:26] (Laughter).
Dave Bittner: [00:33:27] That is what you are insuring against, so...
Carole Theriault: [00:33:29] (Laughter).
Dave Bittner: [00:33:30] All right. Well, as always, great to have Carole Theriault back. And thanks to Martin Overton for taking the time for us. And that is our podcast.
Dave Bittner: [00:33:38] We want to thank our sponsor, KnowBe4. Their new school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.
Dave Bittner: [00:33:56] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:34:04] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:34:22] And I'm Joe Carrigan.
Dave Bittner: [00:34:23] Thanks for listening.