Hacking Humans 6.6.19
Ep 52 | 6.6.19

The best way to break in is to walk through the front door.


Sherri Davidoff: [00:00:00] If one thing has shocked me over the past almost two decades, it's that passwords and patching are still such a huge problem. And it's not so much technical as it is organizational and management-related.

Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: [00:00:31] Hi, Dave.

Dave Bittner: [00:00:32] We've got some good stories to share this week. And later in the show, we've got my interview with Sherri Davidoff. Now, we've spoken of her previously on this show when we had author Jeremy Smith on. He discussed his book "Breaking and Entering: The Extraordinary True Story of a Female Hacker Called 'Alien.'" Well, Sherri Davidoff is that hacker named Alien.

Joe Carrigan: [00:00:51] Awesome.

Dave Bittner: [00:00:51] And she joins us later in the show. But first, a word from our sponsors KnowBe4.

Dave Bittner: [00:00:58] So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.

Dave Bittner: [00:01:25] And we are back. Joe, why don't you kick things off for us this week?

Joe Carrigan: [00:01:28] Dave, I'm not going to talk about a cyber heist this week or anything that has anything to do with the internet...

Dave Bittner: [00:01:33] OK.

Joe Carrigan: [00:01:33] ...Because I'm going back to 1925.

Dave Bittner: [00:01:36] Pre-internet for sure.

Joe Carrigan: [00:01:37] Pre-internet for sure.

Dave Bittner: [00:01:38] OK.

Joe Carrigan: [00:01:38] There was a man by the name of Victor Lustig.

Dave Bittner: [00:01:41] OK.

Joe Carrigan: [00:01:42] He was an international con artist. And eventually, he was sent to Alcatraz...

Dave Bittner: [00:01:46] Oh, wow.

Joe Carrigan: [00:01:46] ...For 20 years for his crimes. But he was fluent in five languages.

Dave Bittner: [00:01:50] OK.

Joe Carrigan: [00:01:51] And he had tons of aliases. One of his favorite cons was to pose as a producer of Broadway musicals to newly wealthy people and then prey on people's secret desires to be in show business by getting them to invest in nonexistent productions.

Dave Bittner: [00:02:06] It sounds like a movie that...

Joe Carrigan: [00:02:07] It sounds like a Mel Brooks movie.

Dave Bittner: [00:02:08] (Laughter) Right. Yes. OK. What else?

Joe Carrigan: [00:02:11] But in 1925, an article appeared in a Paris newspaper about the decaying condition of the Eiffel Tower.

Dave Bittner: [00:02:18] I don't know my history very well when it comes to French architecture and monuments, but how old would the Eiffel Tower have been in 1925?

Joe Carrigan: [00:02:25] It was about 30 years old.

Dave Bittner: [00:02:26] OK.

Joe Carrigan: [00:02:27] And it was erected for the World's Fair as the entrance gate for the World's Fair. And it was not actually intended to be a permanent structure, but it has been the icon of Paris for as long as we can remember, right?

Dave Bittner: [00:02:37] Sure. As there's anything I've learned from movies - that when there's a scene set in Paris, every window looks out onto the Eiffel Tower.

Joe Carrigan: [00:02:43] That's right.

Dave Bittner: [00:02:44] (Laughter).

Joe Carrigan: [00:02:45] But the article talked about how it was falling apart and mentioned how the French government had considered that it might be cheaper to tear it down than to fix it.

Dave Bittner: [00:02:53] OK.

Joe Carrigan: [00:02:54] So Victor sees an opportunity here. So he goes to Paris. And once he gets into Paris, his first move is to counterfeit some documents and some official government stationery.

Dave Bittner: [00:03:04] OK.

Joe Carrigan: [00:03:04] So he gets hold of a counterfeiter that he knows, and he prints these documents up. And with his name listed as the deputy director general of the ministry d' - I guess it's the post and telegraph...

Dave Bittner: [00:03:17] Yeah, in French. yeah.

Joe Carrigan: [00:03:18] I can't read French, Dave.

Dave Bittner: [00:03:19] (Laughter) Right.

Joe Carrigan: [00:03:19] I'm not very good at French. I can do German...

Dave Bittner: [00:03:21] The French version of the post and telegraph company.

Joe Carrigan: [00:03:23] Right. I can do Spanish, but I can't do French.

Dave Bittner: [00:03:25] OK. Don't ask me to do it for sure (laughter)...

Joe Carrigan: [00:03:27] Right.

Dave Bittner: [00:03:29] ...As our listeners know.

Joe Carrigan: [00:03:30] So then he sent letters out to some prominent scrap dealers in Paris and the surrounding area, and the letters were vague but official-sounding. He invited these men to meet with him at a fancy hotel. And once they all come in, he has them all have dinner and drinks. And then he announces the government has decided to tear down the Eiffel Tower, and the resulting 7,000 tons of scrap metal will be for sale to the highest bidder. So this guy is going to sell the Eiffel Tower.

Dave Bittner: [00:03:59] (Laughter) Aim high.

Joe Carrigan: [00:04:00] Right.

Dave Bittner: [00:04:00] Yeah. OK.

Joe Carrigan: [00:04:01] As part of his pitch, he reminds everybody that this was supposed to be a temporary structure. It was built in 1889 and now it's falling apart. He quotes Alexander Dumas, who once called the tower a loathsome construction.

Dave Bittner: [00:04:13] Not everybody liked it.

Joe Carrigan: [00:04:13] No, not everybody - a lot of people thought it was an eyesore. So he gave an emotional performance, and then in a resigned tone, he explains the cost of maintaining the tower's too high. We're going to tear it down, but we need to keep it quiet because we don't want this information getting out to the public because there are people out there who like it. And they think it has become an icon of our city.

Dave Bittner: [00:04:33] Right, so let's just keep this between us.

Joe Carrigan: [00:04:35] Right. Exactly. Remember. Last week, I was talking about...

Dave Bittner: [00:04:37] Right. That's what I was just thinking about.

Joe Carrigan: [00:04:39] ...A red flag.

Dave Bittner: [00:04:39] Right. OK.

Joe Carrigan: [00:04:40] So a few days later, these guys submit their bids. And he's already chosen his mark, the guy he's going to scam - an Andre Poisson...

Dave Bittner: [00:04:46] OK. Hon, hon, hon.

Joe Carrigan: [00:04:47] ...I think. I'm saying that with my French accent.

Dave Bittner: [00:04:49] Hon.

Joe Carrigan: [00:04:50] And he informs Poisson that he's won the bid to the Eiffel Tower, but there's a small problem. Victor tells Poisson that public servants like himself are expected to be well-dressed and entertain lavishly, but they make a meager salary. And Poisson understands that he's being asked for a bribe to secure the deal, and he pays the bribe to Victor here, at which point in time Victor takes the money and runs.

Dave Bittner: [00:05:12] (Laughter) OK.

Joe Carrigan: [00:05:14] That's the con. What is really interesting to me in this is that he doesn't ask for the big pile of money, right? He doesn't say, OK. Well, you won the contract. Give me the money now. He goes for, like, an oblique attack here. He asked for a bribe. So if Poisson has any reservations about - this might be a scam or something, when a government official demonstrates the corruption that he has and it's a plausible story now...

Dave Bittner: [00:05:39] Right.

Joe Carrigan: [00:05:39] ...That - this guy's not looking for the money. I'll probably write that check to the city of Paris, but I have to give this guy a bribe in order to get that business or that deal.

Dave Bittner: [00:05:48] We're all going to be rich.

Joe Carrigan: [00:05:49] Right. Exactly. Now, the story I just talked about I found from Mental Floss, but the Smithsonian has another great article on him as well. And we'll put a link to both these articles in the show notes. And the Smithsonian talks about Victor Lustig's "Ten Commandments of the Con," and there's some interesting things in here - some that are not applicable to modern day with internet scams. But be a patient listener. It's this not talking fast that gets a con man his wins. Never look bored. I don't know how that would apply over the internet, but...

Dave Bittner: [00:06:15] Build rapport, I guess.

Joe Carrigan: [00:06:16] Right. Wait for the other person to reveal any political opinions and then agree with them. Right? That's a pretty good one.

Dave Bittner: [00:06:22] Yeah.

Joe Carrigan: [00:06:23] Let the other person reveal religious views - we've talked about that before - and then espouse the same religious views.

Dave Bittner: [00:06:29] Right.

Joe Carrigan: [00:06:29] He says, hint at sex talk, but don't follow up unless the other person shows strong interest. Hint at it...

Dave Bittner: [00:06:36] Kind of locker room talk...

Joe Carrigan: [00:06:37] Right.

Dave Bittner: [00:06:38] ...Collegiality.

Joe Carrigan: [00:06:38] Exactly. But this, I think, works in romance scams - right? - where somebody hints at something, and if you follow up with a stronger interest in it, then bam.

Dave Bittner: [00:06:48] Right.

Joe Carrigan: [00:06:48] They're going to start engaging you in that because they know that's a hook for you.

Dave Bittner: [00:06:51] Right. But there's plausible deniability if the other person...

Joe Carrigan: [00:06:54] Right.

Dave Bittner: [00:06:55] ...Doesn't go down that line of conversation.

Joe Carrigan: [00:06:57] You can just skip over it, and then it's not really a real bump in the conversation.

Dave Bittner: [00:07:01] Right. Right, right, right.

Joe Carrigan: [00:07:02] Never discuss illness unless some special concern is shown. Never pry into a person's personal circumstances. Eventually, they'll tell you. This goes back to the first one, be a patient listener. So if you just sit there and listen, people will tell you their personal circumstances.

Dave Bittner: [00:07:16] Rather than putting them off-guard by peppering them with questions, I suppose.

Joe Carrigan: [00:07:19] Right. Exactly. And you'll get the information.

Dave Bittner: [00:07:21] Yeah.

Joe Carrigan: [00:07:21] Then he says, never boast. Just let your importance be quietly obvious. And never be untidy and never get drunk are the last two.

Dave Bittner: [00:07:28] (Laughter) OK.

Joe Carrigan: [00:07:29] So like I said, those don't really apply to modern day, but we see a lot of these things in modern-day scams. So again, we talk about, you know, social engineering not being a new art form. The only risk that we have is now we're all exposed to it. These con men are out there. In the past, they were out there looking for individuals they had to personally interact with on a one-to-one basis or maybe on a one-to-20 basis. But now they can act on a one-to-a-billion basis, right? It's a lot more risky, and that's what makes it worse today.

Dave Bittner: [00:07:57] Yeah. Boy, it's interesting how some of these things are just timeless.

Joe Carrigan: [00:08:01] Yeah.

Dave Bittner: [00:08:01] Human nature...

Joe Carrigan: [00:08:02] Yeah, absolutely.

Dave Bittner: [00:08:03] That doesn't change.

Joe Carrigan: [00:08:04] That's why I wanted to go back in time for this week. I thought this was a pretty good story.

Dave Bittner: [00:08:08] Yeah, I like it. I like it a lot. Well, my story this week comes from one of our listeners, Leo. He writes in to say, my wife and I recently ran into a scam where the scammers seemed to have found a loophole in the bank's transaction dispute process. Here's what happened. He says, my wife was looking to buy some magical shake powder that has been very popular over the last year or so. Of course, it's overpriced, but she found that shakeologydeals.com offered the cheapest price. Admittedly a questionable website name, but the site looked legit to her, and she decided to buy some from them. They offered payment through PayPal using her credit card. She received a receipt, but, after a couple of days, did not receive any shipping confirmation. She contacted them about this and got no response. She tried several times. After five or six days, she further studied the site and found some more indications that this site may be suspect, so she contacted PayPal to dispute the charge. This all sounds right. So far, so good.

Joe Carrigan: [00:09:02] She paid with a credit card, though, right?

Dave Bittner: [00:09:03] Well, she says they gave her a direct email and told her to try that before they entered the dispute. She emailed this email, and again, got no response. PayPal then started the dispute process, and this is where it got interesting. They contacted the vendor using the same email, and they got an immediate response with a UPS tracking number provided as proof the vendor delivered the goods. My wife investigated the tracking number online. It was valid but was for a package that went to our city. But while UPS doesn't share exact delivery addresses for privacy purposes, it did provide info that indicated the package did not go to our home. It was reported to be left at a front desk and signed by some person not at our house. He says, we let PayPal know this, but they still closed the dispute in favor of the vendor because the vendor provided a valid UPS tracking number and the - PayPal's policy was to accept that. So next, they recommended we contact our credit card company.

Joe Carrigan: [00:10:01] PayPal recommended this?

Dave Bittner: [00:10:02] Yup. We did and we went through the same process by them, and they also closed the dispute in favor of the vendor even though we told them about the fake UPS number that PayPal got. And now, they did allow us to reopen the case after a long discussion, and we provided them signed hard-copy proof that the UPS tracking number was not provided. The vendor didn't ship us anything, so eventually, we received a credit back for the charge.

Joe Carrigan: [00:10:25] Right.

Dave Bittner: [00:10:25] He says, it seems this practice of accepting a UPS tracking number as proof of delivery with little investigation into the tracking number is common practice in the banking industry, and the scammers seem to know about this loophole and must somehow be collecting UPS tracking numbers to use as proof. They probably can get quite a few transactions completed and win the disputes before getting shut down - definitely seems like the banks need to change their confirmation of delivery process.

Joe Carrigan: [00:10:50] I would agree.

Dave Bittner: [00:10:51] And that's from Leo. He says he's a CyberWire and "Hacking Humans" fan. Well, Leo, thanks for sending this in. This is an interesting one.

Joe Carrigan: [00:10:58] This is interesting.

Dave Bittner: [00:10:59] Yeah. I did a little digging, and I found some discussion about this very thing over on one of eBay's community forums.

Joe Carrigan: [00:11:06] OK.

Dave Bittner: [00:11:07] And this is a real thing that is happening. And evidently, what some of these folks are doing is they will put something up for sale - something that's worth, let's say, a few hundred dollars.

Joe Carrigan: [00:11:18] Right.

Dave Bittner: [00:11:19] You will pay them for that thing. They will send a piece of junk mail to someone in your ZIP code, and they will have that piece of junk mail be trackable - right? - via UPS or whatever. And that way, they get a valid tracking number...

Joe Carrigan: [00:11:33] Right.

Dave Bittner: [00:11:33] ...That has proof of delivery. Somebody signed for that package. And on the other side of the coin, the banks and places like eBay - well, there are privacy reasons why UPS just doesn't release all of the information about addresses and so on and so forth.

Joe Carrigan: [00:11:49] Right.

Dave Bittner: [00:11:49] So it seems like these scammers have found a loophole and a way to go at this. Now, one of the folks on this forum said that a way around this, if this happens to you - rather than saying that you never got the item that was shipped to you, go back to eBay - in this case, they're talking about eBay. They say, go back to them and say, what was delivered was not what was promised because that is true...

Joe Carrigan: [00:12:18] Right.

Dave Bittner: [00:12:19] ...from a certain point of view.

Joe Carrigan: [00:12:20] Right.

Dave Bittner: [00:12:21] (Laughter) Even though the delivery was made...

Joe Carrigan: [00:12:23] Right.

Dave Bittner: [00:12:23] Right? If what you got was not what was promised, then eBay will continue with the investigation.

Joe Carrigan: [00:12:30] Right.

Dave Bittner: [00:12:31] Right? - because they don't care about the delivery notification.

Joe Carrigan: [00:12:34] Correct.

Dave Bittner: [00:12:34] They care that you got what you paid for.

Joe Carrigan: [00:12:36] Right.

Dave Bittner: [00:12:37] I don't know what the ultimate solution to this is, and I don't know necessarily how you would look out for this when you are buying something.

Joe Carrigan: [00:12:45] Yeah. This is a tough one.

Dave Bittner: [00:12:47] It really is.

Joe Carrigan: [00:12:48] I'd have to talk to somebody I know that used to work at UPS to find out if there is anything that can be done here.

Dave Bittner: [00:12:54] Yeah.

Joe Carrigan: [00:12:55] Because, you know, UPS can't just provide addresses willy-nilly.

Dave Bittner: [00:12:58] Right.

Joe Carrigan: [00:12:59] Right?

Dave Bittner: [00:12:59] Sure.

Joe Carrigan: [00:13:00] That's going to be a huge violation of privacy, but something has to be done.

Dave Bittner: [00:13:04] Yeah. I don't have a sense for the frequency of this sort of thing happening...

Joe Carrigan: [00:13:08] Right.

Dave Bittner: [00:13:09] ...But something to be careful about. I guess take those extra steps to make sure that you're dealing with someone who is legit. You know, look at their history.

Joe Carrigan: [00:13:18] At least there is a workaround.

Dave Bittner: [00:13:19] There is. There is. But, boy, you can see how frustrating it could be.

Joe Carrigan: [00:13:23] Yeah. I wonder what happens if you say, we never got the package, and then you changed to, what was delivered was not what was promised.

Dave Bittner: [00:13:29] Yeah.

Joe Carrigan: [00:13:29] I wonder if that complicates your case any.

Dave Bittner: [00:13:32] It could. But interesting advice from the folks over on the eBay forum. I'll include a link to that forum discussion if folks want to check that out as well. There's some interesting information in there. All right. Well, again, thanks to Leo for sending that in. That's an interesting one. It's time to move on to our Catch of the Day.


Dave Bittner: [00:13:52] Our Catch of the Day comes from a listener named Mark. He writes, hey, guys. Love your podcast. I was at KB4-CON but didn't get to see you in person. I wanted to submit a phishing attempt I received - or, actually, my 11-year-old son received - on our Xbox through the messaging portion.

Joe Carrigan: [00:14:07] Oh.

Dave Bittner: [00:14:08] He says, my son uses my Xbox account sometimes to do online gaming, but it's set up with my credentials, including my birthdate. I believe a fraudster thought that he or she was talking with a 45-year-old man, and this exchange occurred. Hi.

Joe Carrigan: [00:14:24] Hi. Who are you?

Dave Bittner: [00:14:25] I hope I didn't bug you. I was just really bored and I figured I'd take a shot and say hi. Nineteen, female here. What are you up to?

Joe Carrigan: [00:14:34] Oh. Oh, that's OK. Playing "Black Ops 3."

Dave Bittner: [00:14:39] Oh, word. I was going out with some jerk for, like, 10 months and we just broke up. I'm absolutely loving being single. My ex was way too obsessed and jealous. I like to have a good time and being with him just got really old, you know?

Joe Carrigan: [00:14:54] Yeah.

Dave Bittner: [00:14:55] All right. Well, enough about him. The question is, are you trying to have some fun?

Joe Carrigan: [00:15:00] Mark then has found out this conversation is going on, and he takes over. Stay away from this account. You're talking to my 11-year-old son. I'm reporting you right now.

Dave Bittner: [00:15:09] (Laughter) Mark goes on to say, as you can imagine, this led to another talk with my son about being safe online. We've talked in the past. And while I was disappointed that he didn't come to me about this when it happened, it was a good review on what is at stake and what could have happened if he'd taken the bait. It also shows that even online gaming is not exempt from phishing attacks. Yeah. That's a good one.

Joe Carrigan: [00:15:31] I don't know that Mark's son sounds terribly interested in this. He's being very curt with this person.

Dave Bittner: [00:15:35] Yeah. (Laughter) Mark just wants to get - Mark's son just wants to get on with the game.

Joe Carrigan: [00:15:39] Yeah, he's playing "Black Ops," man.

Dave Bittner: [00:15:41] Exactly. Who has time for some middle-aged woman trying to come at him? Yeah.

Joe Carrigan: [00:15:46] She's only 19, Dave.

Dave Bittner: [00:15:47] Oh, I'm sorry. It's my - I stand corrected. She's only 19. That's right. Yes. You're absolutely right. All right. Well, thanks to Mark for sending that in. That is our Catch of the Day. Coming up next, we've got my interview with Sherri Davidoff. We've spoken of her previously on the show back when we had Jeremy Smith on. He was discussing his book "Breaking and Entering: The Extraordinary True Story of a Female Hacker Called 'Alien.'" Well, Sherri Davidoff is that hacker named Alien, and these days, she is CEO of both LMG Security and BrightWise, Inc. So we'll talk to her when we get back. But first, a word from our sponsors, KnowBe4.

Dave Bittner: [00:16:25] And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that, where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course. But they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest.

Dave Bittner: [00:17:12] And we're back. Joe, I recently had the pleasure of speaking with Sherri Davidoff. As I said earlier, we spoke about her with Jeremy Smith with his book "Breaking and Entering: The Extraordinary True Story of a Female Hacker Called 'Alien.'" And Sherri Davidoff is the subject of that book. She has quite an interesting background and history, so here's my conversation with Sherri Davidoff.

Sherri Davidoff: [00:17:33] My degree in college was in computer science and electrical engineering. And for my advanced undergraduate project, I thought it would be cool to look at all the network traffic at MIT and start analyzing it. And I didn't know at the time that that was something that really hadn't been done in that way before. Like, nowadays, we have flow record data. We have all kinds of different ways and tools to analyze network traffic. But at the time, it was a new thing. And so I had the opportunity to collect all of MIT's flow traffic and to analyze it. I was part of MIT's network security team, and it was always something I did until I was going to get a real job (laughter) because security wasn't originally, you know, an industry in and of itself. I'm amazed to sort of wake up and blink my eyes today and find out that it's a hot topic.

Dave Bittner: [00:18:17] What sort of knowledge did you get from that exercise? By being able to look at that flow data, what was the state of things back then?

Sherri Davidoff: [00:18:24] Well, first, I realized that speed of analysis is extremely important. I actually rewrote it three different times in three different languages. But it was very surprising. When we did the analysis, we found that a huge percentage of MIT's traffic at the time was coming from an unregistered computer. And that was a big challenge for universities and also health care organizations and any organization that has a distributed environment where, sometimes, just tracking down computers can be a challenge. And then if you have a computer that's acting up - in this case, maybe someone that's hosting wares, for example - pirated software - you have to figure out where that system is. And people aren't always good about labelling or keeping good documentation when they set up systems to begin with.

Dave Bittner: [00:19:08] I want to switch gears a little bit and talk about some of the work you've done with penetration testing. We do a lot of discussion here about social engineering and those sorts of things. Can you share some stories with us? What are some of your exploits when it comes to that?

Sherri Davidoff: [00:19:21] Sure. Well, some of my earliest experiences were in pen testing for banks. And at the time, I started off - I think I was maybe 24 or 25, so I was fairly young. And I would test bank branches, check-processing facilities, office buildings. And, you know, it's funny. The bank branches, in some ways, are the least well-defended, but they can be the hardest ones to break into because they're so small. Like, you know, they can see you coming, whereas major office buildings - they have tons of doors that people are going into and out of. And usually, there's all kinds of reasons - even at the biggest facilities, like check-processing facilities, there's all kinds of reasons for vendors to go in and out. So sometimes, those bank branches are the biggest challenge.

Dave Bittner: [00:20:00] And did you have any common techniques that you'd use to get in?

Sherri Davidoff: [00:20:03] Yeah. Well, some of the stories in the book "Breaking and Entering" include - I would pose as an auditor. I found, especially with those bank branches, the best way in is through the front door. Also, when you're a professional pen tester, they don't want you to break things, so we don't have all the same freedoms as a real burglar. Like, I can't tell you how many times I'd be like, oh, I'd pop the hinges off that thing, right? Just shatter that little glass thing and stick my hand through it. But at the time - and this was a long time ago - clients don't want you to do that. So going through the front door was a big learning experience for my clients because I would often get in. And so I would go in - first, you kind of want to stake out the facility and figure out what times people are in or out. At banks, there's usually a time that they're very busy. And then there's a time when, you know, the branch manager will typically take a break, so I would often try to target them during that timeframe. And I would end up getting left alone in the vaults in some cases, getting left alone in their file storage room. Sometimes, I could just pick up a big set of keys or see passwords or codes that are written down. I would interview them as though I was the auditor, so I'd ask them all about their security, and they would just tell me.

Dave Bittner: [00:21:08] Yeah. That's fascinating. Well, let's switch gears and talk about some of the computer pen testing that you've done. I mean, how does that contrast with the physical pen testing? Are there some lessons that learn - that transfer between the two?

Sherri Davidoff: [00:21:20] Sure, absolutely. A lot of times, you get in the door because someone is taking an action. So I think we really saw that shift around 2005 when spam started to increase, and that happened because companies, organizations got much better about installing firewalls. And so criminals had to think about, how do they get around the firewall? So you'd get somebody to take an action, get them to click on a link same as you get them to let you in the door. It's all about tricking them. With pen testing, though, we still - even to this day, we see a lot of default passwords, password reuse, weak patching. Back then, I actually wrote my own social engineering kit, and I would launch it. And so when I see things like - what is it, Gophish? - and some of these other toolkits today, I get all like, these young whippersnappers.


Sherri Davidoff: [00:22:06] They don't have to code their own systems to track to people who click, but yeah. I mean, so often, you can just break in the front door because of a weak password. If one thing has shocked me over the past almost two decades, it's that passwords and patching are still such a huge problem, and it's not so much technical as it is organizational and management-related.

Dave Bittner: [00:22:26] In what way?

Sherri Davidoff: [00:22:27] Well, you have to make sure that you're budgeting appropriate resources - both human resources and also time and money - to upgrade your software. You know, who's going to do it? This is a big problem, in particular, for equipment that people may have. Right now, we're seeing it rear its ugly head with Internet of Things. There's all these devices, and organizations want to be able to manage those. They want the patches to be up-to-date. But early on in the contracting process, there was no negotiation about who was responsible. You see this a lot at hospitals, also banks sometimes - anywhere where you're going to have a vendor system inside your organization. And with IoT, we now have security cameras and DVRs and all kinds of other little devices littering our networks and no great way to track those or keep them updated or make sure that the passwords are going to be changed on a regular basis.

Dave Bittner: [00:23:13] Now, when you're out training people when it comes to defending themselves against social engineering, do you have any general tips that you provide? What's some of the advice you can give to our audience?

Sherri Davidoff: [00:23:23] Think before you click. That's my No. 1 advice. Think before you click, so look at those links carefully. If you can, just type a website you trust into the browser instead of clicking on a link. Really make sure that you verify the sender and think about whether it makes sense. And then the other two things I always tell people, which are not directly on phishing but security in general - there's think before you click. Make sure that you back up your data and test your backups. That's going to protect you in the event of ransomware or things like that. And then number three is use two-factor authentication. These days, you have to assume that your password has been stolen or it will be stolen. Just assume that's the case and find some second out-of-band way to authenticate yourself.

Dave Bittner: [00:24:06] So you have a new book coming out soon. It's called "Data Breaches." Tell us about that.

Sherri Davidoff: [00:24:11] "Data Breaches" has been a labor of love for me. I've studied how data breaches have evolved over the years. And, you know, the term data breaches did not come out until 2005. I still remember when it first came out after the ChoicePoint breach, so it emerged as this phenomenon. And when I started writing it four years ago, I thought I had it all mapped out, and then Yahoo was breached and Equifax was breached and ransomware became an epidemic and business email compromise became an epidemic. And so it's this very quickly changing industry, but what I found while I was writing it was that there were some fundamental and simple truths. For example, I filed a Freedom of Information Act request with the FBI, and I got the FBI files on what I believe is the first broadcast security alert from 1980. And I won't reveal too much, but what I found was that, in that case - it could have happened today. It could have happened yesterday. It involved a time sharing company - so like the modern cloud provider - and the lessons that they learned - everything from how to manage public relations to how to manage the technical piece of the investigation - are totally relevant 40 years later. So what are these simple truths? How can we prevent data breaches. And how can we react? - because things happen. And the question is, how are you going to react?

Dave Bittner: [00:25:27] It's interesting how that ties into many of the discussions we have about social engineering, which is - take a second before you react to not let your emotions get away from you. Take a walk. Take a breather. Run it by someone else. Disconnect yourself from your emotions.

Sherri Davidoff: [00:25:43] Absolutely, yeah. You have to keep a cool head. Although, one of the biggest mistakes I see organizations make after a data breach is not acting quickly enough. So they get involved in all these meetings. They pull in attorneys. They don't say anything. And the less you communicate, the angrier your stakeholders get. So one of the lessons is to act but act with a cool head.

Dave Bittner: [00:26:06] How interesting, Joe, to get to talk to Alien herself.

Joe Carrigan: [00:26:09] That's a fantastic interview, Dave.

Dave Bittner: [00:26:10] Thank you.

Joe Carrigan: [00:26:11] Couple things - one, she didn't think that she was going to be a security person and that security really wasn't a career field as recently as 15 years ago.

Dave Bittner: [00:26:19] Right.

Joe Carrigan: [00:26:19] Most companies didn't have this. It was just kind of like an ancillary thing that IT people had to deal with. There weren't specialists in this field. I like her statement - the best way to break into a place is walk in the front door - because it's totally normal, right? And then when she poses as somebody from security, this is a great way to get in and get information from somebody.

Dave Bittner: [00:26:39] Right. Right.

Joe Carrigan: [00:26:40] So if you're sitting in your office and somebody goes, I'm from your security department and I want to know X, Y and Z, it's time for you to verify. First off, if you have a decent security department, they're going to appreciate that you're verifying that they're actually from security.

Dave Bittner: [00:26:54] Right. You should never get in trouble for verifying that...

Joe Carrigan: [00:26:57] Right.

Dave Bittner: [00:26:57] ...The person there is from security.

Joe Carrigan: [00:26:58] Right. And if you do get in trouble for verifying the person is from security, you need to raise that up to management and go, this is not healthy. This is how breaches happen.

Dave Bittner: [00:27:05] Yeah. Yeah.

Joe Carrigan: [00:27:06] This is not a healthy attitude. So they probably will not have that attitude. You say, let me see a business card, and then you look at the business card and you look in your corporate phone list and see if this person is actually an employee. And then call the number. Maybe they're sitting at their desk, right? So if the person who's standing in front of you answers their phone, you can say, hey, somebody telling me they're you is standing right here front of me.

Dave Bittner: [00:27:25] (Laughter) I would take it even farther and say, you know, call the person that you do know in security.

Joe Carrigan: [00:27:30] Right, that as well. You could also call anybody in security that - maybe this person says, I'm new. I haven't been here. Well, let me call somebody over and verify that you're supposed to be here.

Dave Bittner: [00:27:36] Don't call the number that the person who's standing in front of you handed you.

Joe Carrigan: [00:27:40] Right. Right. Absolutely not. You can act like you're going to call that number...

Dave Bittner: [00:27:44] Oh, yeah.

Joe Carrigan: [00:27:44] ...You know, and you can say, oh, let me look this up. And then just look up that person in your - if you have a corporate directory, like your global address list and exchange, look them up there. See if the data matches. Have some fun with it, really, is what I'm saying.

Dave Bittner: [00:27:55] OK.

Joe Carrigan: [00:27:56] Security professionals should not mind that...

Dave Bittner: [00:27:57] Right.

Joe Carrigan: [00:27:58] ...At all. When she was talking about her new book, she says, act quickly, but act with a cool head. And this is a big don't. You must never allow the appearance of a cover-up. Lanier Watkins, who's one of our professors in critical infrastructures, told me something once that has stuck with me. If you cover up a security breach, that just makes people hate you twice.

Dave Bittner: [00:28:17] (Laughter) I like it. Well, there's that old saying, you know - the cover-up's worse than the crime, and...

Joe Carrigan: [00:28:22] Right.

Dave Bittner: [00:28:22] I think emotionally, that might be true. You're certainly - you're right. It certainly is adding insult to injury.

Joe Carrigan: [00:28:28] Yeah, absolutely. I don't know that cover-ups are worse than crimes. You know, like, for example, the Equifax breach - maybe the cover-up's worse than the crime because maybe we had some insider trading based on...

Dave Bittner: [00:28:37] Depends on the crime.

Joe Carrigan: [00:28:38] Yeah, depends on the crime. It's just not a good practice to try to cover things up or even appear like you're trying to cover things up because if you're not trying to cover things up, you're just slow to get the information out, then the perspective from the outside is exactly the same, and that's bad.

Dave Bittner: [00:28:52] Yeah.

Joe Carrigan: [00:28:52] And that will make them hate you twice.

Dave Bittner: [00:28:54] All right. Well, again, our thanks to Sherri Davidoff for joining us. Once again, her book is titled "Data Breaches: Crisis and Opportunity." I believe you can preorder it now on places like Amazon or your local bookstore, so do check that out.

Dave Bittner: [00:29:07] We want to thank everyone for listening, and of course, we want to thank our sponsors KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Think of KnowBe4 for your security training.

Dave Bittner: [00:29:24] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.

Dave Bittner: [00:29:32] The Hacking Humans podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik, technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: [00:29:50] And I'm Joe Carrigan.

Dave Bittner: [00:29:51] Thanks for listening.