Know and spot the patterns.
Michael Coates: [00:00:00] We have to build technology that doesn't let a human mistake be the total point of failure. And we have to rely on continual training, which is hard, to let them know the patterns, to be able to spot them.
Dave Bittner: [00:00:11] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:30] Hi, Dave.
Dave Bittner: [00:00:30] We've got some interesting stories to share this week. And later in the show, we have my interview with Michael Coates. He is the former chief information security officer at Twitter. And he was also head of security at Mozilla. These days, he heads up a company called Altitude Networks. It's an interesting interview. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:00:53] Step right up and take a chance. Yes, you there, give it a try and win one for your little friend there. Which were the most plausible subject lines in phishing emails? Don't be shy. Were they, A - my late husband wished to share his oil fortune with you, or B - please read; important message from HR, or C - a delivery attempt was made, or D - take me to your leader. Stay with us, and we'll have the answer later. And it will come to you courtesy of our sponsors at KnowBe4, the security awareness experts who enable your employees to make smarter security decisions.
Dave Bittner: [00:01:32] And we are back. Joe, before we get to our stories, we've got some quick follow-up. A listener named Richard wrote in. And he said - this is a follow-up on our previous conversations about YubiKeys and iOS devices. Richard wrote in. He said, hello. I want to write in to let you know that there is a workaround to using YubiKey with iOS before the official Lightning YubiKey is released. If you purchased a standard YubiKey and configure it on a standard PC, you can then purchase the Lightning to USB 3.0 camera adapter and then plug the YubiKey into the USB port on the adapter. I have tested this with our systems at work and have had success without requiring any additional work.
Joe Carrigan: [00:02:10] Well, thank you, Richard.
Dave Bittner: [00:02:11] Yeah, that's good.
Joe Carrigan: [00:02:11] I think this is a great workaround. This is wonderful. I would still like to see the Lightning YubiKey come out so that you don't have to do this workaround.
Dave Bittner: [00:02:18] Yeah.
Joe Carrigan: [00:02:18] I'd like to see that come out a little faster.
Dave Bittner: [00:02:20] Well - and these days, I mean, the rumors are that, perhaps, the next round of iPhones will just go to USB 3.0.
Joe Carrigan: [00:02:27] Oh.
Dave Bittner: [00:02:27] So...
Joe Carrigan: [00:02:28] Apple's going to go with standard.
Dave Bittner: [00:02:30] Problem solved.
Dave Bittner: [00:02:31] Problem solved. We'll see. I don't know.
Joe Carrigan: [00:02:33] Not going to go to their own proprietary solution then (laughter).
Dave Bittner: [00:02:33] I don't know. We'll see. We'll see, yeah. So who knows? Might be a short-term thing. But at any rate, Richard, thanks for writing in. That's...
Joe Carrigan: [00:02:40] Yeah, thanks for the heads up.
Dave Bittner: [00:02:41] ...Good information. Joe, why don't you kick things off with stories this week?
Joe Carrigan: [00:02:44] Dave, you know I like my stories dark.
Dave Bittner: [00:02:47] (Laughter) Yes, you do.
Joe Carrigan: [00:02:47] And this is probably the darkest story we've ever covered...
Dave Bittner: [00:02:49] OK.
Joe Carrigan: [00:02:50] ...On "Hacking Humans." So this comes from Safia Samee Ali at NBC News.
Dave Bittner: [00:02:55] OK.
Joe Carrigan: [00:02:55] We'll put a link in the show notes. But you know what catfishing is, right?
Dave Bittner: [00:02:58] Yeah, go on.
Joe Carrigan: [00:02:59] It's when you completely fabricate a social media profile and then use that to exploit your victims.
Dave Bittner: [00:03:04] OK.
Joe Carrigan: [00:03:04] Usually, the persona is completely fictitious. Sometimes, it's stolen identities, but usually, it's fictitious. And in this case, it's a terrible story that comes out of Alaska and Indiana. There's a guy named Darin Schilmiller, who's 21 from Indiana. And he created a fake online persona as a millionaire from Kansas. He called himself Tyler. And Schilmiller began a relationship with a young woman named Denali Brehmer, 18 years old from Alaska. And he began this relationship as Tyler, and he sent Denali photos of another person that he said were him but actually, in fact, were not him. This is standard catfishing stuff. Quickly, the relationship progresses, right? They start sending each other I love you messages and calling each other babe and all that typical 18-year-old dumb stuff, right?
Dave Bittner: [00:03:52] (Laughter) You're such an old softy, Joe.
Joe Carrigan: [00:03:53] Right, exactly.
Joe Carrigan: [00:03:56] This is exactly what I would have done at 18 too.
Dave Bittner: [00:03:58] Right, OK. Sure. Yeah.
Joe Carrigan: [00:04:01] I'm not saying these people are idiots because of this. I'm just saying this is just the way 18-year-olds are (laughter).
Dave Bittner: [00:04:06] Yeah, OK.
Joe Carrigan: [00:04:07] And it's OK. But eventually - this is where it becomes not OK. Schilmiller tries to get Denali to commit murder and sexual assault and send him the photos and videos of the crimes. And he promises her $9 million - right? - 'cause he's allegedly a millionaire. He's posing as a millionaire. He has tons of money. So allegedly, Denali shot her best friend Cynthia Hoffman, who was 19 years old, in a park in Alaska for this. And it was not until after she committed this terrible crime, the murder of her friend, that she found out that she'd been catfished by Schilmiller. This is just awful.
Dave Bittner: [00:04:43] Yeah. It's mind-boggling. I don't understand.
Joe Carrigan: [00:04:45] It is mind-boggling.
Dave Bittner: [00:04:46] I don't understand.
Joe Carrigan: [00:04:47] I don't understand either.
Dave Bittner: [00:04:48] Was it the promise of money? - I guess money and love, right?
Joe Carrigan: [00:04:51] I guess, yeah. I mean, it's - normally, we see romance scams where it's just, give me your money...
Dave Bittner: [00:04:57] Yeah.
Joe Carrigan: [00:04:57] ...Not go out and kill somebody. That's just terrible.
Dave Bittner: [00:05:01] Right.
Joe Carrigan: [00:05:01] The article talks about Ahmed Banafa, who's a professor and cybersecurity expert from San Jose University. And he's talking about the way young people interact with the internet. Internet predators are everywhere, but young people aren't always tuned into the red flags because so many of the relationships are online that they don't think to question the validity or the veracity or whatever of the people they're talking to.
Dave Bittner: [00:05:24] Because being online is so reflexive to them.
Joe Carrigan: [00:05:27] Correct.
Dave Bittner: [00:05:27] It feels completely natural.
Joe Carrigan: [00:05:28] They're digital natives. And there's a blurred line between real life and virtual life.
Dave Bittner: [00:05:32] Yeah.
Joe Carrigan: [00:05:32] You make the jump between the two worlds without realizing how risky it is to do that. Of course, old guys like us...
Dave Bittner: [00:05:40] (Laughter).
Joe Carrigan: [00:05:40] Right?
Dave Bittner: [00:05:40] Yeah.
Joe Carrigan: [00:05:40] Realize that online, there's no way to verify who's on the other end.
Dave Bittner: [00:05:43] Right. We're much more skeptical...
Joe Carrigan: [00:05:45] Right.
Dave Bittner: [00:05:46] ...Because naturally, we're...
Joe Carrigan: [00:05:47] Yeah. And these younger people will become more skeptical when they become victimized by these things.
Dave Bittner: [00:05:52] Right, as the weight of the world crushes their spirit.
Joe Carrigan: [00:05:54] (Laughter) Yes, exactly. With all these different capabilities that we have with Photoshop and creating filters and even with - what's the site?
Dave Bittner: [00:06:01] There's the deep fakes.
Joe Carrigan: [00:06:02] Yeah.
Dave Bittner: [00:06:03] Yeah, that's - yeah.
Joe Carrigan: [00:06:03] Deep fakes - thispersondoesnotexist.com.
Dave Bittner: [00:06:05] Oh, right. Right.
Joe Carrigan: [00:06:06] Right? I can create a completely fictitious persona, and people will be none the wiser. Nathan Wenzler is quoted in the article as well. He's from Moss Adams. It's hard for young people to see the red flags, he says, and that they are so used to communicating over the technology, when someone reaches out to them online, they don't think much of it because everybody does this. Additionally, huge data breaches that have come out have made it more possible for me to pose as someone you might know - right? - because I have all this information on you, I can go out and say, I know Dave. I know where Dave lives. I know who Dave's parents are, who his wife is. I can convince Dave that I know him, that we've talked before because I can ask him about his wife.
Dave Bittner: [00:06:48] You can make the catfish really convincing...
Joe Carrigan: [00:06:49] Right.
Dave Bittner: [00:06:50] ...Just by tossing in little, random details that are true.
Joe Carrigan: [00:06:53] Right, exactly - and that you'll identify and latch on to. So, of course, whenever I talk about something as terrible as this, what do you do? The article has a couple of things that we've talked about before. Be wary of someone who's online that wants to switch to a different media. That means, like, if you're on the Tinder dating site, be wary of somebody who wants to quickly move that off Tinder and onto text messaging because that's out of the dating app's control, right? - or if they want to move it from Facebook to text messaging or, really, if - the one that is in the article they talk about is Snapchat because Snapchats will disappear after a period of time. You won't be able to see them anymore, so the forensic evidence may be gone. I'm going to bet it probably still exists on Snapchat's servers just because I don't have any faith in social media companies (laughter).
Dave Bittner: [00:07:39] Right, right.
Joe Carrigan: [00:07:40] But on the phones, they're gone. Watch for people who ask to meet you way too quickly or seem to get attached very early on. That's another red flag. It also helps to do some cross-referencing. Whenever someone sends me a friend request, if I don't know them on Facebook, I start asking around, who is this person?
Dave Bittner: [00:07:54] It seems to me - like, in this case, if someone were actually a millionaire...
Joe Carrigan: [00:07:59] Right.
Dave Bittner: [00:07:59] Millionaires tend to leave paths behind, you know?
Joe Carrigan: [00:08:02] Right. They have big footprints.
Dave Bittner: [00:08:03] Donations and - you know, whatever. I mean, they...
Joe Carrigan: [00:08:05] Yeah.
Dave Bittner: [00:08:05] Yeah - probably not hard to look someone up if they're...
Joe Carrigan: [00:08:08] Should be easy to find that person.
Dave Bittner: [00:08:08] ...A successful person.
Joe Carrigan: [00:08:09] They own property usually.
Dave Bittner: [00:08:10] Right, right.
Joe Carrigan: [00:08:11] Find them in a database somewhere.
Dave Bittner: [00:08:12] Yup.
Joe Carrigan: [00:08:12] From a parental standpoint, keep the communication open, be engaged and understand the technology that your kids are using. And I'll add this. Instill in your children an inherent distrust of all things online, if not just an inherent distrust of all things in humanity.
Dave Bittner: [00:08:26] (Laughter) Some healthy skepticism.
Joe Carrigan: [00:08:27] Right. Yeah, a big, healthy dose of skepticism.
Dave Bittner: [00:08:31] Like, sharing a story like this opens your kids up to the fact that this is a possibility...
Joe Carrigan: [00:08:36] Right, absolutely.
Dave Bittner: [00:08:36] ...Because I think for many of us, you hear a story like this and you wonder, how could this even be possible? How could someone convince another person to do such a horrible thing...
Joe Carrigan: [00:08:48] Right.
Dave Bittner: [00:08:48] ...With their best friend? I mean, there's so many unbelievable and bad elements to this. And yet, it's true. Well...
Joe Carrigan: [00:08:55] It's terrible.
Dave Bittner: [00:08:55] Yeah.
Joe Carrigan: [00:08:56] And it's sad. All these people's lives were ruined. And the family of Miss Hoffman will never be the same again. It's unspeakable horrors.
Dave Bittner: [00:09:03] Yeah. I guess you have to wonder what motivates the instigator of this. Just...
Joe Carrigan: [00:09:08] Yeah, yeah. What makes Schilmiller do this?
Dave Bittner: [00:09:10] Yeah.
Joe Carrigan: [00:09:11] Does he think that it won't happen? Does he think he's just trolling somebody? I don't get this at all. This would be something I don't know that I'd be able to live with if it was something I'd done...
Dave Bittner: [00:09:19] Yeah.
Joe Carrigan: [00:09:19] ...You know?
Dave Bittner: [00:09:19] Yeah.
Joe Carrigan: [00:09:20] Awful.
Dave Bittner: [00:09:21] All right. Well, certainly a cautionary tale; tough one to think about.
Joe Carrigan: [00:09:26] Next week, I'm going to do something brighter, Dave.
Dave Bittner: [00:09:29] I am going to switch gears and...
Joe Carrigan: [00:09:31] OK.
Dave Bittner: [00:09:32] ...Do something a lot lighter.
Joe Carrigan: [00:09:33] OK, good.
Dave Bittner: [00:09:35] (Laughter) This is about a Chinese shoe company that tricked people into swiping an Instagram ad by placing a fake strand of hair on the image of their shoes.
Joe Carrigan: [00:09:50] (Laughter) This is brilliant.
Dave Bittner: [00:09:51] Yeah, so (laughter) - so imagine you're strolling along on Instagram. I don't know about you. I am not an Instagram user.
Joe Carrigan: [00:09:59] I very rarely use it.
Dave Bittner: [00:10:01] Yeah. So you're scrolling along, and this image - an ad comes up for some shoes, says 80% off on these shoes. And - but there on the image, there's a big, old chunk of hair.
Joe Carrigan: [00:10:13] Right.
Dave Bittner: [00:10:13] What are you going to do, right? You're going to swipe that, try to get rid of that piece of hair. And these folks did it on purpose to get people to swipe the image and move on to, I guess, the next stage of the ad...
Joe Carrigan: [00:10:24] Right.
Dave Bittner: [00:10:24] ...To visit their website.
Joe Carrigan: [00:10:25] (Laughter).
Dave Bittner: [00:10:25] Yeah. There's a subreddit called Mildly Infuriating. And this popped up on there. According to Instagram, they have taken down the ad, and they've banned the company from ever advertising on the platform again. So this plan backfired on them, I suppose.
Joe Carrigan: [00:10:43] Good luck with that.
Dave Bittner: [00:10:44] Yeah, yeah. It's funny. I mean, the reactions to this - like you said, people are saying, this is actually kind of brilliant (laughter).
Joe Carrigan: [00:10:52] Right. I have an appreciation for it.
Dave Bittner: [00:10:53] Right. One Reddit user left us with some words to live by. He said, always blow, never swipe.
Joe Carrigan: [00:11:02] (Laughter) Sage advice, that.
Dave Bittner: [00:11:03] There you go. Well, you know, don't leave fingerprints either, so there you go.
Joe Carrigan: [00:11:06] It's funny that you mention Reddit. There used to be - on r/Creepy, there used to be, like, a stain image that wouldn't move.
Dave Bittner: [00:11:15] Oh.
Joe Carrigan: [00:11:16] It's not there anymore, but it had caused me to touch my monitor and try to wipe a stain off of it...
Dave Bittner: [00:11:23] Oh (laughter).
Joe Carrigan: [00:11:23] ...Only to realize that there is no stain on the monitor.
Dave Bittner: [00:11:26] So you'd be scrolling, but the stain would stay.
Joe Carrigan: [00:11:28] The stain would stay, exactly.
Dave Bittner: [00:11:29] Oh, that's good.
Joe Carrigan: [00:11:30] It was a very nicely designed piece of dynamic HTML.
Dave Bittner: [00:11:35] (Laughter) Right, right.
Joe Carrigan: [00:11:36] I think I realized it when I moved it to another one of my monitors and saw that the stain was the same...
Dave Bittner: [00:11:41] Yeah.
Joe Carrigan: [00:11:41] ...Exactly the same.
Dave Bittner: [00:11:42] Right.
Joe Carrigan: [00:11:42] It was really well-done.
Dave Bittner: [00:11:43] Out, out, damn spot.
Joe Carrigan: [00:11:45] Right (laughter).
Dave Bittner: [00:11:45] Yeah.
Joe Carrigan: [00:11:46] But this - using that technology for an ad swipe; that's brilliant.
Dave Bittner: [00:11:50] Yeah.
Joe Carrigan: [00:11:50] I like that a lot.
Dave Bittner: [00:11:51] Yeah (laughter). All right. Well, those are our stories. Joe, it's time to move on to our Catch of the Day.
[00:11:56] (SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:12:00] Joe, our Catch of the Day comes to us from the folks over at 419 Eater. It's a website we've talked about before.
Joe Carrigan: [00:12:07] Yes.
Dave Bittner: [00:12:07] They specialize in stringing along these scammers. We don't have time to do the whole thing here, but I've just got some highlights from this one. This is a good one. There's a little bit of everything here - some scamming and, of course, an opportunity to do ridiculous accents. So...
Joe Carrigan: [00:12:22] Excellent.
Dave Bittner: [00:12:22] (Laughter) So I will have you kick it off. You play the part of the scammer here. Go ahead.
Joe Carrigan: [00:12:25] OK. Dear sir/madam, my name is Atuku Ali (ph), a seasoned geologist of Nigerian descent with about 20 years working experience with many reputable geophysical firms. I am 43 years old and a native of Yoruba. In the course of my job as a geologist, I stumbled into a place called Igu (ph) in Edo State of Nigeria. It is undoubtedly a land naturally endowed with lots of precious solid minerals in abundant supply. The locals of this place do not happen to know the vast potentials of these minerals. A vast majority of them are illiterate people, which has goaded me into establishing a solid mining industry. These minerals include calcite, dolomite, feldspar, barite, bentonite, kaolin, et cetera. Quite frankly, these minerals happen to be in very high demand here in Nigeria and other countries. Companies never cease to place demand on them locally. The irony is that people do not know just how lucrative the business can be. So many products can be manufactured from these minerals - products like petroleum, addictives...
Dave Bittner: [00:13:32] (Laughter).
Joe Carrigan: [00:13:32] ...Marble, tiles, ceiling, boards, paint, rubber, carpets, toothpaste, glass, cement and for drilling. Having said all this, it is clear that the venture would be very profitable and rewarding. I have invested so much here on my own to make the necessary leap I need, but I would need a partner with whom we can jointly continue because I am almost running out of funds. And more fund is needed to carry on. I would appreciate a partner who is God-fearing and dedicated to join me in establishing this industry. I look forward to hearing from you soon so we can speedily commence work. May God bless you. And he signs it Atiku Ali, which is a different spelling from the first one he said.
Dave Bittner: [00:14:21] Well, maybe he just mistyped it.
Joe Carrigan: [00:14:23] Uh-huh - his own name.
Dave Bittner: [00:14:23] (Laughter) Yeah, yeah.
Joe Carrigan: [00:14:25] (Laughter).
Dave Bittner: [00:14:25] So here comes the fun response from the folks at 419 Eater. Dear Mr. Akitu, your message about the minerals in Nigeria has come to me. Please forgive my English - not good. I am from Sicily, Italy. I speak Italian. I live in England only little time. I use dictionary to help write this to you. My name is Pizza Pepperoni. I am from business family. We famous for food and restaurants. Many good Italian food named after my grandfather, uncle, etc. I want to move into other business. I find commodities for clients. I have client looking for very rare material. It name dilithium. It very valuable. Have you dilithium? My client from big federation. They want much dilithium. If you have big supply of dilithium, I use family money to begin a mine. Then we supply dilithium to federation for many moneys. If you interested, please reply. Grazie, Pizza Pepperoni.
Joe Carrigan: [00:15:28] Good day, Pizza Pepperoni. I got your mail. I promise to be loyal and faithful to you if we can work together as one with one mine. The mineral dilithium is very expensive to get, but it can be fetch out from the site but will include much money, which I will need your assistance. But for others like the white gold is available now in stock. Kindly tell me whatever way you know we can go about this. But as I am concerned, we can get it. I wait to hear from you immediately. Thanks, Ali.
Dave Bittner: [00:15:59] And it goes on from there. We'll have the link in the show notes - an elaborate stringing-along, including mob bosses...
Joe Carrigan: [00:16:05] Does he ever look for trilithium?
Dave Bittner: [00:16:07] (Laughter).
Joe Carrigan: [00:16:07] Because that would be a red flag for me because that puts out stars.
Dave Bittner: [00:16:10] Well, they bring up their Ferengis.
Joe Carrigan: [00:16:12] Right (laughter).
Dave Bittner: [00:16:14] And yeah - there's a mob boss. And yeah, it's a good one.
Joe Carrigan: [00:16:18] It's awesome.
Dave Bittner: [00:16:18] I do recommend - go check out the original article from 419 Eater. As always, some entertaining stuff, so appreciate it. Hat tip to them for the work they do.
Joe Carrigan: [00:16:28] It's brilliant.
Dave Bittner: [00:16:29] Yeah. So that is our Catch of the Day. Coming up next, we have my interview with Michael Coates. He is the former chief information security officer at Twitter, and these days he heads up a company called Altitude Networks. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:16:47] And what about the biggest, tastiest piece of phish bait out there? If you said, A, my late husband wished to share his oil fortune with you, you've just swallowed a Nigerian prince scam. But most people don't. If you chose door B - please read important message from HR - well, you're getting warmer, but that one was only No. 10 on the list. But pat yourself on the back if you picked C, a delivery attempt was made. That one, according to the experts at KnowBe4, was the No. 1 come-on for spam email in the first quarter of 2018. What's that? You picked D, take me to your leader? No, sorry. That's what space aliens say. But it's unlikely you'll need that one unless you're doing "The Day the Earth Stood Still" at a local dinner theater. If you want to stay on top of phishing's twists and turns, the new-school security awareness training from our sponsors at KnowBe4 can help. That's knowbe4.com/phishtest.
Dave Bittner: [00:17:51] Joe, I recently had the pleasure of speaking with Michael Coates. As I mentioned before, he formerly was the chief information security officer at Twitter and was also the head of security at Mozilla. He has quite a lot of experience dealing with scams and pen testing and things like that. So here's my conversation with Michael Coates.
Michael Coates: [00:18:09] You know, one of the things that really attracted me to both Mozilla and Twitter was its positive place in the world, its ability to empower people - you know, fighting for the user. And, you know, at Mozilla, when I was there, we had, you know, about 400 million users of Firefox. And, you know, we focused on both browser security - the controls to make it so if you went to a malicious website, you know, your browser wouldn't be compromised - also the security of our systems, of our workstations, of our websites. One of the things that's really interesting about working at Mozilla is, because it's a community-driven organization with lots of volunteers and an open-sourced project, you have people contributing code that may or may not be employees, that may work on their personal laptop, that are located anywhere in the world. And how do you start to think about, how do we make that code secure? How do we think about security in that mode that is so different than every other "normal company setup," as I put in air quotes? Yeah, there we have just, again, a fascinating and talented team that focused both on Firefox, the web browser; something called Firefox OS at the time, an operating system for mobile; infrastructure and workstation security.
Dave Bittner: [00:19:12] And how did you come at that task or that challenge of having bits of code coming from so many different places?
Michael Coates: [00:19:19] In some regards, we try and set up developers for success by educating them on the best practices and ways to do things securely. And that helps, but we have to realize that education can only go so far. On the other side of things, we also heavily relied on something called fuzzing. And depending on, you know, audience's familiarity with that, the idea there is to take different parts of your application after the code's all been compiled and running and send it all sorts of different characters and types of data, both hundreds of the letter A or, you know, tens of thousands of this type of character or that, and through that exercise and test different paths through the code to find when there might be a problem. And so we had some really cool fuzzing technology that members of the team had both built and integrated from other open-sourced projects. And so that was kind of a pretty clever and effective way to keep testing the browser security.
Dave Bittner: [00:20:13] And now you're the co-founder and CEO at Altitude Networks. And what are you taking on there?
Michael Coates: [00:20:19] You know, one of the things I've learned along the way is that technology and the security of it is hard at a, you know, technical or academic level, but also it's very hard at a human level. Most of these security controls that companies and teams have built over the years don't give fair consideration to the human and what they want to accomplish and their natural path of action. And one of the areas that, as a result, has become very tricky is when companies start to use cloud applications that are designed for employees to share data. And while the technical security controls of that software are great, people inevitably make mistakes, or maybe they're malicious or taking some questionable actions.
Michael Coates: [00:21:03] And so you see situations where people put company data into Google Drive, and then they share it with the whole world or share it with a personal account or maybe the wrong person inside the company. And in a one-off example, that's not too hard to deal with. But when all of your company data is in there by design, in one of those platforms, and people share stuff hundreds of times a day, that gets really tricky. And so how do you mirror together the security component that you need with the reality of how humans behave? And that's the problem we're going after and one I felt specifically at Twitter and I know my peers feel - how do you protect data in this new paradigm of a cloud-sharing world? And so far it's been a lot of fun.
Dave Bittner: [00:21:41] It's interesting to me because my take is that, really, in the past year or two, it seems as though there's been a shift in emphasis from perhaps this belief that the technology is all we need to keep us secure, and it seems to me like there's a greater understanding that there really is a human element here, and it requires our attention.
Michael Coates: [00:22:03] Yeah. I've been talking about this quite a bit over the last years. Well, I did a keynote at the OWASP conference last year talking about usability of security. Because as we've grown up in the security profession, we first started on that academic completeness because the work we were doing was very hidden from humans. It was on protocols. It was on encryption algorithms. But now the work we do in security is very front and center to the user. Like, how do you decide how to authenticate, and what is this notion of a username and password or two-factor or a code you get on your phone? And we're running straight into the normal user desires of a person - like, I just want to do this. I just want to go to a website and buy this. I just want to check sports, or I just want to see my bank info. And just like they want to just get in their car and go somewhere, they don't want to flip switches to turn on safety mechanisms or be asked questions. They expect that with a good, quality product, that it just works. And so that's the challenge we have to work through, of how do we make security just work for humans when it is so front and center and integrated into everything they do?
Dave Bittner: [00:23:09] Yeah. What advice do you have for folks out there in terms of, you know, based on the broad experiences you've had, how can people best protect themselves from things like phishing and social engineering?
Michael Coates: [00:23:19] I guess I'll say, luckily, there's really only a handful of things you can do, and that will set you apart dramatically from most other people. One, understand what a password manager is and use one. No. 2 - for your main email and for your bank logins, understand and set up two-factor authentication. And then there's only a couple other things you really need to focus on. Next, when your machine says you have updates, apply them. You're just a sitting duck if you're browsing the web and you have not applied the updates both to your operating system and your browser. Those two things, if you don't do them, you'll just be walking down the street, so to speak, and be compromised because there is malware everywhere, to some degree, and you need to be patched. But if you do those things - a password manager, two-factor authentication and update your browser and operating system - you're going to be in a really good space compared to everyone else. And lastly, if somebody calls you on the phone and says you've been hacked, imagine that they're a bad guy because 100% they are a bad guy. Microsoft does not call you, Apple does not call you to tell you you've been hacked. It is social engineering. I've done those exact same things. So don't fall for those.
Dave Bittner: [00:24:23] Yeah, and don't click the links, right?
Michael Coates: [00:24:26] Oh, man. Well, the links - that's a tricky one.
Dave Bittner: [00:24:28] (Laughter).
Michael Coates: [00:24:30] If you've patched your machine, I mean - yeah, if you get funky links in your email, yeah, you should be wary of those, that's for sure.
Dave Bittner: [00:24:37] Now, you have some experience yourself in doing some social engineering. What stories can you share with us when it comes to that?
Michael Coates: [00:24:44] Yeah, I was fortunate early in my career to be in the role where I was the bad guy. I would hack into companies, technically or through social engineering, as a test to show them this is what can happen; let's, you know, shore up our defenses. And the social engineering part in particular was really fascinating because it boils down to, really, human behavior. In many cases, I would call someone on the phone, out of the blue, and manufacture a problem that they were in, create a sense of stress, create a sense of urgency, and then I would swoop in in that same conversation, save the day - as long as they just sort of gave me their password or something so I could help them out. And so suddenly I was a good guy. And this was really fascinating.
Michael Coates: [00:25:26] So for example, imagine I call you or someone else - you can imagine someone else - about 11:30 a.m. and say, hey, you know, I'm working with IT. I name your IT person's name because it's not hard to figure out. You know, security is really important. You probably heard a lot about that recently. We want to make sure everybody's up to date and patched with everything. I'm going to walk you through a few steps to make sure you're in tiptop shape. It's going to take about two hours. You know, are you in front of your computer? Because we're going to go ahead and get started. Now...
Dave Bittner: [00:25:53] (Laughter).
Michael Coates: [00:25:54] I pick 11:30 a.m. for a specific reason, but I tell them two hours for another reason - because at 11:30 a.m., most people are thinking, where am I going to go to lunch? And they're really excited about that because it's a nice break. And when they hear that two-hour thing, that's going to destroy their lunch. So they're conflicted. They're like, oh, yeah, we do talk about security a lot. I can't really blow this off. You know, whoever's name I dropped, they're going to know. And so now they're a little frustrated, and they're like, oh, can I reschedule? What about this? And then I - that's where I start to get a little pushy. I'm like, no, we really need to do this now. It's very important. I wouldn't want to put you on the list of machines that I couldn't - blah, blah, blah; you know, pushing on them a little bit. And so then - this is where I swoop in - I say, well, you know, I'm not supposed to do this - so here I'm doing a favor for them - but, you know, our executives, we put them on an automatic script that runs overnight. So it logs in through the computers, it runs - it does all the things I'm going to tell you to do, and it does it on their behalf. The only thing I need to do to put you on that same script is to put your information in there so it can log in as you. So if you can give me your username and password, I can put you into the system. It'll run tonight. We'll be all good, and we'll be done.
Dave Bittner: [00:26:58] Thank you so much.
Michael Coates: [00:27:00] Yeah. And they are thanking me for me doing something I'm not supposed to - to put them on the exec list. And lo and behold, of course, they give me their password.
Dave Bittner: [00:27:07] And what was your success rate with this?
Michael Coates: [00:27:10] I would say, you know, across a few different ploys, it was above 50%. You know, every other call, you would get someone to give you their information, which, I mean, that's astounding to me.
Dave Bittner: [00:27:21] Yeah.
Michael Coates: [00:27:21] Half the time I can get a random person to give me their password. Some of the other tricks are building fake websites that look like your company's website. And I would tell them, hey, we just want to know if your password's strong. Don't give it to me - that would be insecure. Just enter it into this website and tell me what score it gets. And that website, of course, it's at an IP address. So I rattle off some numbers, and most people have seen that and think it's just some internal server, so it makes sense, but it's my website on the web. And they gave me the score. They're like, 82 - is that good? I'm like, yeah, that's great. And, you know, the way the scoring works, it was, like, 75 plus the length of the password, so...
Dave Bittner: [00:27:57] Right.
Michael Coates: [00:27:58] But, yeah, lo and behold, they've entered their password into my website. I have their password. And I remember people saying, hey, I have some other passwords - should I check those, too?
Dave Bittner: [00:28:06] (Laughter).
Michael Coates: [00:28:06] I'm like, yeah, yeah, go ahead and tell - what are those for again? Yeah.
Dave Bittner: [00:28:11] (Laughter) Wow. Wow.
Michael Coates: [00:28:12] And so the thing is, like, we can't get on this rant and say, oh, man, these stupid users. Users are the weakest link. Instead, we have to, again, look back to things we've talked about before, which is, like, natural user behavior, a normal pattern of trust and wanting to do the right thing. And so we have to build technology that doesn't let a human mistake be the total point of failure, and that's where two-factor is a good solution. And we have to rely on continual training, which is hard, to let them know the patterns, to be able to spot them. So when someone says, hey, I'm the CEO and I need all the tax records, you're like, oh, that is a ploy that's happening right now. I will not do that.
Dave Bittner: [00:28:46] Yeah.
Michael Coates: [00:28:46] But it's a really tricky balance.
Dave Bittner: [00:28:48] Joe, what do you think?
Joe Carrigan: [00:28:49] Good interview, Dave.
Dave Bittner: [00:28:50] Thanks.
Joe Carrigan: [00:28:51] I like the idea of working for the security of regular people. Then that's - that Michael has worked in Mozilla and Twitter - that's pretty much all for regular people. Academic completeness - he used that term in security. I like that term. This is one of the things that kind of causes me to bonk heads with other people, particularly with cryptographers. They will view a system as either secure or insecure. If there's any way I can get around it, it's insecure. And I like to view security from - and that's true in cryptographic protocols. If there's a way to get around a cryptographic protocol, it's insecure.
Dave Bittner: [00:29:24] Right.
Joe Carrigan: [00:29:25] But I like to view security from the user's perspective, and having a list of their behaviors as being more secure or less secure, right?
Dave Bittner: [00:29:33] So viewing it as a spectrum...
Joe Carrigan: [00:29:35] Viewing it as a spectrum.
Dave Bittner: [00:29:36] ...Rather than binary.
Joe Carrigan: [00:29:36] Right. You are more secure if you do this. You are less secure if you reuse passwords; you're more secure if you don't - you know, that kind of thing. It's just a way of moving you in the more secure direction.
Dave Bittner: [00:29:46] Right.
Joe Carrigan: [00:29:46] Get your behaviors to move to that end of the spectrum. I'm going to make a statement here that some people might not agree with - but users are always going to bear some level of responsibility for their own security. I think that's just a fact that that is going to be the case. And Michael talks about the car analogy - people just want to get in the car and go. Well, you still have to put on your seat belt, right? There's still something you have to do in order to be more safe than just driving off. If you don't put on your seat belt, you're at a much higher risk. That moves you in the less secure direction.
Dave Bittner: [00:30:16] Right, right.
Joe Carrigan: [00:30:16] The less safe direction. So Michael has four tips that he talks about in the interview. These are not anything that we haven't heard before. When he talks about his social engineering experience, I love the story about manufacturing a problem and then saving the day. This is what happened to Christine Lu, whom we talked about two episodes ago. Somebody called her and manufactured a problem, and it cost her a lot of money. His story for asking for a username and password is great. I love this.
Dave Bittner: [00:30:40] (Laughter).
Joe Carrigan: [00:30:40] You know, I tell the story about my friend who did password auditing 20 years ago, and he said he would just call and get a 50% success rate.
Dave Bittner: [00:30:48] Right.
Joe Carrigan: [00:30:49] And that now you call and you get a 10% success rate. Well, he - Michael has gone back up to a 50% success rate by creating a problem and then solving it for somebody and just asking for it. I also love the idea of collecting username and password from a website. And then people go in and say, oh, can I test my other passwords?
Dave Bittner: [00:31:06] Right.
Joe Carrigan: [00:31:06] That's awesome. That's great.
Dave Bittner: [00:31:07] Right (laughter), your password strength meter, yeah.
Joe Carrigan: [00:31:12] Yeah. The funny thing is, there are websites out there. Like, Troy Hunt has Have I Been Pwned?, where you can enter your password, and it doesn't send your password across the network; it sends a hash of your password across, and that gets compared to the database. And I think that Troy's running a good service here, and I don't suspect it of any malicious activity. But here's a great example of using that kind of a paradigm for doing exactly what you would fear it would do (laughter).
Dave Bittner: [00:31:34] Right, right.
Joe Carrigan: [00:31:34] Collecting your password.
Dave Bittner: [00:31:35] Right. Taking advantage of people's trust.
Joe Carrigan: [00:31:38] Again, users aren't stupid, but they do need to be educated - that's my point, and that's what I mean when I say that they're always going to bear some level of responsibility for their own security.
Dave Bittner: [00:31:46] Yeah. But - and at the same time, you can set them up for success.
Joe Carrigan: [00:31:50] Yes, absolutely.
Dave Bittner: [00:31:51] Yeah.
Joe Carrigan: [00:31:51] And you should do it - you as a business owner or as - you and I as security advocates and evangelists should be doing this, and we are doing this a little bit.
Dave Bittner: [00:31:59] (Laughter) There you go.
Joe Carrigan: [00:31:59] But people should listen to the podcast.
Dave Bittner: [00:32:01] Yeah, yeah, yeah. All right, well, our thanks to Michael Coates for joining us, and thanks to you for listening.
Dave Bittner: [00:32:07] And of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:32:22] We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:32:31] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben, our editor is John Petrik, technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:32:49] And I'm Joe Carrigan.
Dave Bittner: [00:32:50] Thanks for listening.