Hacking Humans 9.12.19
Ep 65 | 9.12.19

An ethical hacker can be a teacher.


Zoe Rose: [00:00:00] You're never going to be 100% secure. You're never going to be the best. And so that's OK. 

Dave Bittner: [00:00:06]  Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:24]  Hi, Dave. 

Dave Bittner: [00:00:24]  We've got some good stories to share this week. And later in the show, Carole Theriault returns. She's got an interview with Zoe Rose, who shares her experience as an ethical hacker. 

Dave Bittner: [00:00:34]  But first, a word from our sponsors at KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show. 

Dave Bittner: [00:01:07]  And we are back. Joe, we're going to start this week's show with some follow-up. 

Joe Carrigan: [00:01:11]  OK. 

Dave Bittner: [00:01:11]  We got some follow-up from a listener who prefers to remain anonymous, so we'll respect that. But he wrote us and he said (reading) in regards to the belief that if there is a warrant for your arrest you won't get notification in advance, I would simply like to point out some information as it relates to the federal system in which there are instances when it is in fact possible that you might get some advance notice of an arrest warrant situation. 

Joe Carrigan: [00:01:34]  Really? 

Dave Bittner: [00:01:35]  (Reading) There are scenarios in the federal system where the local U.S. Marshal will mail out what is called a notice before arrest. In locations where there is a lot of federal property and jurisdiction, like the D.C. area... 

Dave Bittner: [00:01:46]  That's where you and I live. 

Joe Carrigan: [00:01:48]  Right. 

Dave Bittner: [00:01:48]  (Reading) There are many, many of these notices of arrest received by the local U.S. Marshals. They are almost always for very minor federal offenses, such as swimming in an unauthorized area, speeding on the GW Parkway, possession of an alcoholic beverage, driving an unregistered vehicle on federal property and so on. At the time the person is given a ticket, a notice to appear, the officer may enter information on the ticket that specifically requires a court appearance. And it may even provide a specific date, time and location of said appearance. A failure to appear by an individual at the designated date, time and location can result in the clerk of the court automatically issuing what is called a notice before arrest. This multiple-form document called notice before arrest is forwarded to the local U.S. Marshals office attached to an actual copy of the original arrest warrant. As a practical matter, nobody is ever going to come out and arrest you for that particular violation. The arrest warrant is not entered into any wanted persons database. However, when I was running a local U.S. Marshals office inundated by these notices before arrests that were required to maintain on file, I developed a form letter on the U.S. Marshal letterhead that I called final notice before arrest. In this letter, I made the statement that the list of open arrest warrants has now made it to your case, and a team of deputy U.S. marshals will be dispatched to apprehend you. The response of people showing up at the U.S. Magistrates Court was stunning, so much that it almost overwhelmed the court system, and I was ordered to stop. 

Joe Carrigan: [00:03:14]  (Laughter) So in other words, he's social engineering in compliance with the law or... 

Dave Bittner: [00:03:18]  Well, yeah, it is. (Reading) So in short, getting a notice before arrest in the mail is something that actually happens in the federal system and receiving a phone call was not entirely impossible to have happen either. 

Dave Bittner: [00:03:30]  So there you go, Joe. 

Joe Carrigan: [00:03:31]  OK. So - OK, so the U.S. Marshals may notify you... 

Dave Bittner: [00:03:34]  Leave it to the feds. 

Joe Carrigan: [00:03:35]  ...Before your arrest if you speed on the GW Parkway repeatedly and don't show up for court. OK. So there is an exception to this rule. 

Dave Bittner: [00:03:41]  Yeah, yeah. 

Joe Carrigan: [00:03:41]  But generally speaking, if they're coming to get you, they're not calling you. 

Dave Bittner: [00:03:45]  Seems like if they're coming to get you for something serious... 

Joe Carrigan: [00:03:47]  Right. 

Dave Bittner: [00:03:48]  ...And it seems like in this case they're still not coming to get you. But I think he's pointing out that this is a thing. It is possible to be notified. It's sort of - I don't know. It's sort of a technicality, I guess, because it's a notice before arrest, but he makes the point nobody's coming to arrest you. 

Joe Carrigan: [00:04:01]  Right. 

Dave Bittner: [00:04:01]  Seems like maybe a side effect of some of the particularities of the federal system and the type of paperwork that they do and so on and so forth. But we can always count on our listeners to point out when we've made mistakes no matter how minor they might be. 

Joe Carrigan: [00:04:14]  Right? 


Dave Bittner: [00:04:17]  Anyway, we appreciate this listener writing in. 

Joe Carrigan: [00:04:20]  Yes. Thank you. It's enlightening, as always. 

Dave Bittner: [00:04:22]  Yeah, it's a good one. All right. I'm going to kick things off in terms of stories this week. Mine is a quick one. It comes from Popular Science, and this is about scammers who've been shifting their spamming from email to your calendar. 

Joe Carrigan: [00:04:37]  I've heard of this I think. 

Dave Bittner: [00:04:39]  Yes. 

Joe Carrigan: [00:04:39]  Did we talk about this earlier? 

Dave Bittner: [00:04:41]  We may have, but it seems as though it's on the increase. And one of the things they point out in this article is that the spammers tend to shift around. As one thing gets shut down, they shift to other things. 

Joe Carrigan: [00:04:52]  Sure. 

Dave Bittner: [00:04:52]  They move around. So what this is doing is this is taking advantage of a feature of Gmail... 

Joe Carrigan: [00:04:57]  A feature. 

Dave Bittner: [00:04:59]  ...Which allows Gmail to automatically look through your emails, and if it sees something that looks like a date, an appointment or someone requesting an appointment, it will automatically populate your calendar with the information from that email. 

Joe Carrigan: [00:05:14]  Right. And I think you can actually send a calendar invite. 

Dave Bittner: [00:05:17]  You can. 

Joe Carrigan: [00:05:18]  And Gmail will put it on your calendar, on your Google calendar. 

Dave Bittner: [00:05:20]  Right. Right. And so the spammers are taking advantage of this by basically putting calendar invites within an email that says things like this app made $1,200 in just two hours, that sort of thing. So what happens is you go to look at your calendar, and lo and behold, there are all of these spammy messages all over your calendar. 

Joe Carrigan: [00:05:42]  Right. 

Dave Bittner: [00:05:42]  So it's sort of finding a way to get your attention, where most spam these days, as we've talked about, just goes right into the spam folder... 

Joe Carrigan: [00:05:49]  Right. 

Dave Bittner: [00:05:49]  ...Because they've gotten so good at it. 

Joe Carrigan: [00:05:51]  They've worked around the spam filters, and now they're - now you're going to have to put a spam filter on your calendar. 

Dave Bittner: [00:05:56]  Right. Well, this functionality is useful because, for example... 

Joe Carrigan: [00:05:59]  Right. 

Dave Bittner: [00:05:59]  ...If I sent you a lunch invitation - say, hey, Joe. How'd you like to get together for lunch next week? - and it could automatically pop up on your calendar... 

Joe Carrigan: [00:06:07]  Right. 

Dave Bittner: [00:06:07]  ...And remind you that we're getting together for lunch. So that's not a bad thing, but if you're getting these spammy things, it's pretty easy to go into your Gmail settings and disable this functionality or only show calendar events that you have agreed to attend. 

Joe Carrigan: [00:06:23]  Yeah - that you've clicked, yes, I'm going. 

Dave Bittner: [00:06:25]  Right. Not a big deal, but I'd put this one the nuisance category. 

Joe Carrigan: [00:06:29]  Yeah. Well, nuisances add up, you know? 

Dave Bittner: [00:06:32]  Right. 

Joe Carrigan: [00:06:32]  Like you said, all these little microaggressions just increase our stress on a daily basis, and this is using a feature to get around these filters to just get a stupid message that we don't want to receive in front of our face. 

Dave Bittner: [00:06:44]  Right. And I don't know about you, but I also think of my calendar as being somewhat more personal than my email inbox, so I think... 

Joe Carrigan: [00:06:52]  Yeah. 

Dave Bittner: [00:06:53]  ...Having something pop up in there randomly is a little... 

Joe Carrigan: [00:06:56]  Yeah. 

Dave Bittner: [00:06:56]  ...More disconcerting than... 

Joe Carrigan: [00:06:57]  Because it makes you wonder, can they see what's on my calendar? Who am I sharing my calendar with? 

Dave Bittner: [00:07:01]  Right. 

Joe Carrigan: [00:07:01]  And all that stuff... 

Dave Bittner: [00:07:01]  Right. Exactly. 

Joe Carrigan: [00:07:02]  It gets irritating. 

Dave Bittner: [00:07:03]  Exactly. So we'll have a link to that story in the show notes. Joe, what do you have for us this week? 

Joe Carrigan: [00:07:07]  I have a very interesting story this week, Dave. There's an insurance company called Euler Hermes Group, and they apparently sell cybersecurity insurance. And one of their policyholders - and they haven't said who - filed a claim for 220,000 euros. That's about $243,000 in American money. And here's what happened. The CEO of a U.K.-based energy company got a phone call from his boss, who is the CEO of the parent company in Germany, and the caller asked him to send funds to a Hungarian supplier. And of course, the caller says, this is urgent, and I need you to pay this bill within the hour. 

Joe Carrigan: [00:07:42]  Rudiger Kirsch is a fraud expert from Euler Hermes, and he says the attackers in this instance appear to have used AI software to successfully mimic the German executive's voice by phone, which is interesting. The U.K. CEO recognized his boss' slight German accent and the melody of his voice on the phone, which is impressive if this is, in fact, an AI impersonating him, and several officials said the voice spoofing attack in Europe is the first cybercrime they've heard of in which criminals clearly drew on artificial intelligence. 

Joe Carrigan: [00:08:15]  Euler Hermes hasn't dealt with any other claims seeking to recover losses from some AI attack, according to Mr. Kirsch, but the attackers called three times, OK? The first time they called was for the initial transfer. The second time - after the transfer had happened, they called the U.K. CEO again and said, we're going to be sending you another wire transfer to cover the funds you just transferred out. Then they called a third time. Guess why? To ask for another transfer. 

Dave Bittner: [00:08:43]  To get more money... 

Joe Carrigan: [00:08:44]  Right. They got a live one, and they're going to go after it, right? 

Dave Bittner: [00:08:46]  Yeah. 

Joe Carrigan: [00:08:46]  But this time, the CEO notices that the phone number is an Austrian phone number, not a German phone number, and the wire transfer that was promised has not yet arrived. Those things generally happen pretty fast, so he gets suspicious, and he doesn't make the second payment. 

Dave Bittner: [00:09:01]  All right. Good for him. 

Joe Carrigan: [00:09:02]  Yep. Now, Kirsch from Euler Hermes was saying that he thinks the attackers used commercial voice-generating software to carry out the attack, and he even went so far as to record his own voice using one such product and said it reproduced a very real version of his voice. 

Dave Bittner: [00:09:17]  OK. 

Joe Carrigan: [00:09:18]  Now, Bobby Filar is the director of data science at a cybersecurity company called Endgame, and he says there are few software companies out there who offer these kind of services that can quickly impersonate voices. 

Dave Bittner: [00:09:29]  Yeah. 

Joe Carrigan: [00:09:29]  And you don't have to be a Ph.D. in mathematics to use this, right? It just works. 

Dave Bittner: [00:09:33]  Right. 

Joe Carrigan: [00:09:34]  It's very simple. There is another tactic that hackers demonstrated at Black Hat last year, where they took hours and hours of voice recordings and patched them together into a believable conversation with just the sample. So they're not actually impersonating it. They're just using the voice samples. 

Dave Bittner: [00:09:48]  And this is an old prank, right? 

Joe Carrigan: [00:09:50]  Right. 

Dave Bittner: [00:09:50]  I mean, I remember hearing - I think they'd take recordings of Arnold Schwarzenegger from some of his movies. 

Joe Carrigan: [00:09:56]  Yeah. 

Dave Bittner: [00:09:56]  And they'd call up someone and just have a soundboard, and they'd use those samples and... 

Joe Carrigan: [00:10:01]  Radio shows used to do this all the time. 

Dave Bittner: [00:10:02]  Yeah - do funny conversations that way. 

Joe Carrigan: [00:10:04]  Yep. Filar says you can't go around being silent all the time. You're going to run into situations where you expose the information that you never thought could be used against you. I was telling you before we recorded this show that I was talking with my dad about this, and he goes, do you ever worry that your voice is going to be impersonated because you do these podcasts? And I said, yeah, I do worry about it. It's one of the things that concerns me. I don't know how much I worry about it, but it is something that has bugged me in the back of my mind. 

Joe Carrigan: [00:10:31]  So a couple of solutions here - I don't just like to present problems and go, what are we going to do? Here's what you can do. Corporate policy is probably the best solution for this, right? When you get a call for an urgent wire transfer that needs to happen, you need to have some kind of - like we talked about before - physical two-factor. Maybe - OK, that's fine. I'll make that transfer, but I'm going to call you back to continue this discussion, right? And that has to come from the top down, I think. If the German CEO in this company were to have said, if I ever call you or somebody higher up ever calls you to ask for a wire transfer, you call them back to validate that, then it would've been his policy. And of course, he shouldn't be opposed to that policy. 

Dave Bittner: [00:11:08]  Right. 

Joe Carrigan: [00:11:08]  And somebody who is opposed to that policy is probably a fraudster. Lots of voice-over IP vendors have phone certificates that will authenticate a caller, but I don't know how that works if somebody's calling from their own cellphone or mobile device. 

Dave Bittner: [00:11:21]  Right. 

Joe Carrigan: [00:11:21]  Phil Zimmermann has also developed something called Zfone that's out there. That's kind of a distributed system that doesn't rely on public key infrastructure. 

Dave Bittner: [00:11:28]  OK. 

Joe Carrigan: [00:11:28]  In the future, there's going to be some things that are going to make this a lot less probable. No. 1 is that cybersecurity companies have developed products that can detect these voices when they're faked. And because most of our phones are essentially voice-over IP phones in businesses, it's technically possible to have that software analyze the voice data as it's going across and then alert the user when it detects a voice it thinks is faked. In the U.S., the telecom industry is working at the behest of the Federal Communications Commission to develop a standard for authenticated caller ID. That's called STIRRED/SHAKEN. 

Dave Bittner: [00:12:00]  Yeah. 

Joe Carrigan: [00:12:00]  You got to come up with a clever acronym. 

Dave Bittner: [00:12:01]  (Laughter). 

Joe Carrigan: [00:12:02]  It's in development and testing right now. I think AT&T and Comcast have tested it to see if it works. What do you think, Dave? This is interesting. 

Dave Bittner: [00:12:09]  I am skeptical. 

Joe Carrigan: [00:12:09]  Are you? 

Dave Bittner: [00:12:10]  I have to - yes. I am very skeptical of this story. As you know, Joe, and as our listeners know, I am a master of dialects. 

Joe Carrigan: [00:12:17]  Yes, you are (laughter). 

Dave Bittner: [00:12:19]  (Laughter) And so, to me, this whole notion of them using AI to generate the German accent of the boss - I just don't buy it. There's no evidence of that other than them saying, this is probably what happened. 

Joe Carrigan: [00:12:33]  Right. 

Dave Bittner: [00:12:34]  Instead of them just getting somebody who was a decent mimic... 

Joe Carrigan: [00:12:37]  Yep. 

Dave Bittner: [00:12:38]  ...And calling up the person and saying, you know (imitating German accent) I need you to transfer the money by the morning. 

Joe Carrigan: [00:12:43]  (Imitating German accent) Hogan. 

Dave Bittner: [00:12:44]  Right. Right. This reminds me of, for example, a bank or someone is hacked. 

Joe Carrigan: [00:12:51]  Right. 

Dave Bittner: [00:12:51]  And they lose information. The first thing they tend to say is, well, it must have been a nation state. 

Joe Carrigan: [00:12:57]  Right. 

Dave Bittner: [00:12:57]  It had to have been a nation state, so because of that, there's nothing we could do. 

Joe Carrigan: [00:13:01]  Right. 

Dave Bittner: [00:13:01]  As opposed to, it was probably Randy in his parents' basement who had too much time on his hands. 

Joe Carrigan: [00:13:06]  Some script kitty penetrated our network and we don't want you to know that. 

Dave Bittner: [00:13:09]  Right. Exactly. This rings of that sort of thing where, well, it was - what could this person have done? It was AI. It was overwhelmingly convincing and there's no possible way he could have defended against it. The easiest thing to do would be just get somebody who's a fairly decent mimic, put them on a intentionally noisy phone line and just talk them through it - social engineer them. I don't think the AI stuff would be necessary. 

Joe Carrigan: [00:13:34]  Yeah. I - you might be right. The only bit of skepticism I have from this is that the attackers have no way of knowing what the person is going to ask. So in order to respond to them quickly, they have to have a whole mess of pre-canned things like the soundboard that you were talking about earlier. 

Dave Bittner: [00:13:51]  Right. 

Joe Carrigan: [00:13:52]  Or they have to type the speech in, and I think that would create a noticeable lag... 

Dave Bittner: [00:13:57]  Yes. 

Joe Carrigan: [00:13:58]  ...In time. 

Dave Bittner: [00:13:58]  Yes. 

Joe Carrigan: [00:13:59]  Even if you had a very quick typist. 

Dave Bittner: [00:14:01]  Yes. None of the stories I've seen on this provide any evidence that it was an AI-based system other than someone saying it was an AI-based system. 

Joe Carrigan: [00:14:11]  Yeah, the person... 

Dave Bittner: [00:14:12]  There's no recordings. 

Joe Carrigan: [00:14:13]  ...The person saying it's an AI-based system is the person from the insurance company, and the insurance company paid the claim. 

Dave Bittner: [00:14:19]  Yes. 

Joe Carrigan: [00:14:19]  They reimbursed their policyholder. 

Dave Bittner: [00:14:21]  Right. And this could be coverage for them as well. It's less embarrassing for them to say, we covered this if it was an overwhelming force, rather than, you know, they got, you know, Zigfried (ph) who has a good German accent... 

Joe Carrigan: [00:14:35]  Right. 

Dave Bittner: [00:14:36]  ...To just talk them through it. 

Joe Carrigan: [00:14:37]  Maybe it was you, Dave. 

Dave Bittner: [00:14:38]  It could have been. It could've - I'm moonlighting on the side as a - yeah, so... 

Joe Carrigan: [00:14:42]  Maybe you know too much here. 

Dave Bittner: [00:14:43]  I want to know more. I'm not willing to just say that, oh, of course it was AI. There's no evidence here. My skeptical nature has been triggered. And it's interesting. I think it's possible. I don't think we're there yet. It'd just be harder to do it with AI than to just have somebody who's a good mimic. All right. Well, it's an interesting story. It certainly has been making the rounds. In my mind, this is more, beware of what may come versus this is definitely what happened in this case. Like I said, I'm skeptical. Could have been this, but I'm not so sure. 

Joe Carrigan: [00:15:16]  You make good points, Dave. 

Dave Bittner: [00:15:17]  Well, thank you. Time to move on to our Catch of the Day. 


Dave Bittner: [00:15:24]  Joe, our catch of the day this week comes from a listener named Marion (ph). And she sent us a series of messages she got via email, and it goes like this. 

Dave Bittner: [00:15:36]  (Reading) I know you are a pedophile. Yeah, I know you are a pedophile. Actually, I know way more about you than you think. I am a computer scientist with affiliation with the Anonymous group. A few months ago, you downloaded an application. That application had a special code implanted purposely. Since the moment you installed it, your device started to act like a remote desktop I was able to access anytime. The program allowed me to access your desktop, your cameras, your files, passwords and contact lists. I also know where you live and where you work. I was observing you for quite some time, and what I have collected here is overwhelming. I know about your sexual preferences and your interest in young bodies. I have secured four video files showing your preferences. Glued together, it's a pretty overwhelming evidence that you are a pedophile. I'm not here to judge the morality of your sexual preferences. I'm here to make money. Because I know you are a wealthy person and that you do care about your reputation, I'm willing to give you a chance to atone and I will leave you alone. You must fund a special address of Bitcoin. Otherwise, I'm going to send these video files to your family members, friends and your work buddies. 

Dave Bittner: [00:16:44]  Joe, this is a variation on one that we've covered here before... 

Joe Carrigan: [00:16:48]  Right. 

Dave Bittner: [00:16:48]  ...Which is basically the exact same thing, except instead of accusing the person of being a pedophile, they just say they caught you watching porn. 

Joe Carrigan: [00:16:57]  Right. It's a combination of the two sextortions we've talked about before. 

Dave Bittner: [00:17:01]  Right. Now, to me this is really stupid because (laughter) the subset of people who are actually pedophiles... 

Joe Carrigan: [00:17:08]  Right. 

Dave Bittner: [00:17:09]  ...I'm guessing - I'm hoping and - (laughter) that it's quite low, right? So the vast majority of people who may receive this... 

Joe Carrigan: [00:17:17]  Are going to be like, what? 

Dave Bittner: [00:17:18]  I'm not a pedophile. 

Joe Carrigan: [00:17:19]  Right. 

Dave Bittner: [00:17:19]  No, this is ridiculous. No, I'm not a pedophile. This must be a scam. Moving on. 

Joe Carrigan: [00:17:24]  Right. 

Dave Bittner: [00:17:24]  So... 

Joe Carrigan: [00:17:25]  Ah, but when you do hit that one guy that is a pedophile. 

Dave Bittner: [00:17:27]  Yeah, jackpot. 

Joe Carrigan: [00:17:28]  Right. 


Dave Bittner: [00:17:31]  Right, right. So (laughter) it's a numbers game, I suppose. 

Joe Carrigan: [00:17:38]  Yes. 

Dave Bittner: [00:17:38]  But I don't know. What... 

Joe Carrigan: [00:17:40]  He's asking for five grand. And, you know, I think if he hits the right person, he'll get five grand. 

Dave Bittner: [00:17:46]  I guess so. It just seems like if you got a person to respond to this, that's someone you could also go back to time and time again. I would hazard to say that someone who actually is a pedophile, in addition to being a horrible person, probably has a pretty guilty conscience and might respond to this sort of thing. But it just seems like a low return, but I don't know. 

Joe Carrigan: [00:18:07]  Yeah, spam is cheap, Dave. 

Dave Bittner: [00:18:08]  Yeah, you're right. You're right. It is. Well, that's our catch of the day. Thanks to Marion for sending it in. Joe, coming up next, Carole Theriault returns. And she is going to be speaking with Zoe Rose, who's going to share information about what she does as an ethical hacker.

Dave Bittner: [00:18:24]  But first, a word from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest. 

Dave Bittner: [00:19:17]  Joe, Carole Theriault is back, and she is speaking with Zoe Rose, who is an ethical hacker. And she's going to share her story about what goes into that particular line of work. Here's Carole. 

Carole Theriault: [00:19:29]  Ethical hackers - the first thing that comes to my mind is a person or group that tricks intended targets into falling for a phishing attack. And these can be sneaky, designed to completely dupe the target into clicking on a dangerous link. Now, of course, the aim of the typical ethical hacker is good. But let's be honest, this kind of test, especially when sprung on a bunch of unsuspecting employees, risks eroding trust and openness within the company. You might not be as comfortable with your boss if you know that the ethical hacker told him or her that you were duped and clicked on the link. So it was wonderfully refreshing to hear Zoe Rose's take on this profession. Zoe is an ethical hacker based in the U.K. And not only does she explain her perspective on how to onboard computer users into being safer online, she does this in a positive, open and inclusive fashion. Check it out. And forgive the rasp in my voice. I was at the tail end of a cold when we chatted. 

Carole Theriault: [00:20:29]  So, Zoe, thank you so much for coming on "Hacking Humans." I thought you'd be really well-placed to help us understand exactly what an ethical hacker is. 

Zoe Rose: [00:20:38]  Good morning, Carole, and thank you for inviting me. I tend to explain it as a mindset because a lot of people have this assumption that an ethical hacker is somebody that is mythical, almost magic, that they can kind of look at a device and just break it in their mind before anything's happened. The reality is, you know, a lot of hacks or breaches and that, they're actually quite unsophisticated. They're generally looking at something not for what it's meant to do but what they can make it do for them. And so it's like a way of looking at something to be used for their own personal benefit versus traditionally what it's meant to do. When it comes to an ethical hacker, it's somebody that does that with the motivation of education, further securing and spreading knowledge. 

Carole Theriault: [00:21:29]  Right, so teaching people that use all this stuff, all these devices, to be better online so that they're less easily targeted. Would that be fair? 

Zoe Rose: [00:21:38]  Yeah, exactly. Yeah, that's exactly it. It's really just an ethical hacker you could think of as a teacher, just maybe less of a traditional teacher, more of a - unique, maybe (laughter). 

Carole Theriault: [00:21:52]  So how is it then that you, as an ethical hacker, teach? So I'm guessing you get booked for events and talk to groups, that sort of thing? 

Zoe Rose: [00:22:00]  Yes, there's a variety of things - participating in a phishing simulation or, you know, USB job or physical pen tests or, you know, and you break into something, break something in the environment, and then you present the findings back to the - it could be the board, it could be the general users or overall consumers, and then you talk about the positives. So you're not just saying, oh, you failed. You're saying this happened and this is how you protect yourself in the future. And these are the people that actually successfully were able to recognize this instant or recognize that it was something that shouldn't have happened. And the reason that whole positive point of view - that is so vital - is because, if you want people to do nothing, you talk about the negatives and you scare them. But if you want them to actually take action, that's when you talk about the positive and reinforce that they can do it and empower them. 

Carole Theriault: [00:22:59]  So if I were a customer calling you up and I said, look, I'm worried about my employees not being educated enough on phishing attacks, either in spotting them or how to manage them, can you help us? 

Zoe Rose: [00:23:11]  Yeah, I could do that. The example I tend to use is - when I'm training is I talk about how you could phish me, for example. And so you look on my social media, you look on my LinkedIn, and the thing that you see consistently across all of that is ferrets. So if you want to phish me, you could send me something about ferrets or ferret pictures. And even though I know it's a phishing email, I might still click on it. 

Carole Theriault: [00:23:35]  Because the temptation is too great because your love is - for ferrets is so huge. 


Zoe Rose: [00:23:42]  And then another thing I might do - like, sometimes it is a simple phishing campaign and then presenting the findings back. Quite often, it's actually - they've already done the phishing campaign because that's actually quite popular at the moment. 

Carole Theriault: [00:23:56]  Right. 

Zoe Rose: [00:23:57]  And they're - for some reason, they're not finding any traction. They're seeing it make any difference. And so, when I come in, I might run a phishing campaign, but I might also just go through the existing campaigns they've done and look at how they're measuring their metrics, how they're sharing the knowledge into the organization - specifically, how they're messaging it, you know, how they're talking about it, how they're trying to approach training. And it doesn't sound as sexy as the whole hacking bit, but it can be, if not as effective, but more effective. And it's simply down to the way - the language that we use and the way we're presenting it. 

Carole Theriault: [00:24:35]  I don't think I've ever thought about that before. So what I'm hearing here is companies can effectively run their own phishing campaigns because they can do it out of a box or use a third-party service or use you, doesn't matter. But then, when they get those results, they don't necessarily know how to address the findings. It's almost like it needs an expert brain that can go through it and go, oh, I can see some patterns here in behavior, and I know the best ways to onboard those people into a new way of thinking - a safer way of thinking. 

Zoe Rose: [00:25:02]  Definitely. I've found that the biggest thing is because I understand how to, I guess, manipulate or influence a consumer into clicking my links or downloading a document, et cetera, et cetera, I can understand how to correct that behavior. So, you know, I focus in on these key human behaviors and I look at how to change them. 

Zoe Rose: [00:25:25]  Unfortunately, a lot of times, phishing is looked at - well, let's trick the users, let's manipulate them and point out how they're failing, versus saying, well, actually, let's announce that we're going to have a phishing campaign so that people are already aware and they know they should actively be looking. Or let's actually make it a simple phishing email and, you know, kind of build their confidence in their ability to address it. 

Carole Theriault: [00:25:54]  We're all a little bit nervous about being hacked - right? - or being attacked. So what are, like, some easy tips to make us a little bit less vulnerable than the rest of those? 

Zoe Rose: [00:26:04]  Yeah, of course. I mean, when it comes to personal security, the top things I say is - you know, the first one being aware or thinking about what they say or putting out there, thinking about the accounts that you have that maybe you're not using, or you are using but you're not really sure if it's as secure as possible. So you're thinking about, OK, well, what data am I putting out there? What accounts can I limit? You know, are they beneficial? And if they are, OK, how can secure it further? But if they're not, can I get rid of them? 

Zoe Rose: [00:26:37]  And most importantly, whilst everybody thinks that cybersecurity - you know, effective controls are actually going to make the difference - reality is, keeping your apps and your devices up to date is actually the most effective thing that you can do. Because those patches - those updates that are being released are fixing issues or vulnerabilities that the vendor or someone else has disclosed to the vendor and solving that before it becomes an issue. 

Zoe Rose: [00:27:07]  You know, when it comes to multifactor authentication, a lot of people - for some reason, there's this, like, either it has to be the best solution or not do it at all. And I mean things like using a authentication token or using a app generator. And people are like, oh, if you don't use that, don't bother with multifactor. Whereas people that use SMS, for example - I mean, that's a good step, even if it's not the perfect solution. Maybe a malicious hacker has your email and password, but, you know, they don't have your multifactor token and that code that you put in. And, therefore, you know, they can get part of the way, but they can't get all the way, and it takes additional work to be able to break in, whereas somebody that doesn't have that is going to be an easier target and, potentially, they might just not bother with you. 

Carole Theriault: [00:27:57]  Yeah, so just being better than everybody else, even a bit better, really lowers your - you know, your risk profile or your risk exposure, doesn't it? 

Zoe Rose: [00:28:05]  Definitely, I mean, you're never going to be a 100% secure. You're never going to be the best. And so that's OK. I mean, reality is just do what works for you because if it's not the best solution in the world but it works for you and you can maintain that, it's going to be way more effective than trying to put on, you know, the best controls, the most expensive solution that you can't maintain. 

Carole Theriault: [00:28:28]  What did I tell you? Isn't this a much smarter approach to getting people to take in cybersecurity advice? Work with them to show them what they need to do to be safer - genius. Learn more about Zoe at rosesec.com. This was Carole Theriault for "Hacking Humans." 

Dave Bittner: [00:28:46]  All right, interesting interview. 

Joe Carrigan: [00:28:48]  Yeah, I like listening to Zoe Rose when she's on. 

Dave Bittner: [00:28:51]  Yeah, I have to say that, again, as a master of dialects that I find myself a bit smitten by Zoe's accent. I could listen to her read the phone book and just be perfectly content. 

Joe Carrigan: [00:29:01]  Right. First thing she says off the bat - hacking is a mindset, and that's true, regardless of your technical skills. I've known people with very low technical skills who have been able to manipulate systems very well. It's just about how you make something work to your advantage. 

Dave Bittner: [00:29:14]  Yeah, that's a good point. 

Joe Carrigan: [00:29:15]  Another thing she talks about is your penetration test report has to have two areas in order for it to be beneficial - what you did right and what works and where you can improve. That may sound like an obvious statement, but, you know, companies spend a lot of money on cybersecurity products. If a penetration tester comes in and says here's all the things that stopped me, and if you didn't have these things in place, then I would have gotten in a lot easier, that lets the board know or the CEO know or the decision-makers know, hey, these things are effective. 

Dave Bittner: [00:29:44]  Right, money well spent. 

Joe Carrigan: [00:29:45]  Money well spent. And where you can improve is also very important. I wouldn't couch it in, you know, what you did wrong, you know, I wouldn't say it that way. I'd say here's where you can get better - right? - because security is a continuum. At least in my opinion I view it as this. I know a lot of people are going to say no, it's either secure or it's not secure. But I view it as a continuum. You can do something as more secure, or you can do something as less secure. So here's how you can move in the more secure direction. Zoe knows where her vulnerabilities are, that she has a weakness for ferrets, which is important to know about yourself. 

Dave Bittner: [00:30:16]  (Laughter) Right. 

Joe Carrigan: [00:30:18]  Right, for me it's chickens. 

Dave Bittner: [00:30:20]  OK. 

Joe Carrigan: [00:30:22]  I don't know. I just love chickens. 

Dave Bittner: [00:30:23]  You love chickens. 

Joe Carrigan: [00:30:23]  I do, and they're awesome. 

Dave Bittner: [00:30:25]  I remember hearing a story about a CEO who was convinced to click because he was a car collector. And the bad guys knew this. And they sent him some information that said, hey, we've started up a new car show right near you and here's all the information on that car show, click through. And this CEO was like, well, that's for me. 

Joe Carrigan: [00:30:46]  Right, exactly. 

Dave Bittner: [00:30:47]  (Laughter) You know? Right, right, so it could be anything. And it doesn't take much to figure out what you're into, besides the stuff you do at work. 

Joe Carrigan: [00:30:54]  That's right. 

Dave Bittner: [00:30:54]  Although chickens is news to me. 

Joe Carrigan: [00:30:56]  Oh, you didn't know about my affinity for chickens. Well, that's good. I'm glad. But now everybody who listens to this show is going to start sending me chicken links. 

Dave Bittner: [00:31:02]  Right. 

Joe Carrigan: [00:31:02]  Joe, check out these chickens. 

Dave Bittner: [00:31:03]  You and Gonzo from "The Muppet Show." 

Joe Carrigan: [00:31:06]  Right (laughter). You are not the first person to make that observation (laughter). 

Dave Bittner: [00:31:09]  All right. 

Joe Carrigan: [00:31:10]  Doing a phishing test is just the first step, and you need to modify the behavior. And part of the behavior modification is, as an individual, you need to know and be aware of what your online footprint looks like. And then Zoe talks about reducing that footprint or your attack surface, right? Like, maybe I have to unjoin that chicken group on Facebook. 

Dave Bittner: [00:31:28]  Right (laughter). 

Joe Carrigan: [00:31:29]  Also, she says, again, keep your software up to date. That's very important. It eliminates a lot of vulnerabilities that are out there. Keep yourself protected, multifactor authentication. And I really, really, really appreciate what Zoe said about multifactor and SMS. If SMS is all you have, use it. 

Dave Bittner: [00:31:46]  Right, way better than nothing. 

Joe Carrigan: [00:31:47]  It's way better than nothing, exactly. It's no, it's not perfect. 

Dave Bittner: [00:31:49]  What's that old saying about don't let the perfect be the enemy of the good or something along those lines? 

Joe Carrigan: [00:31:55]  Yeah, don't let the perfect be the enemy of the good is exactly right. There is no perfect multifactor authentication, right? Even the YubiKey, it's vulnerable to something, depending on how much work an attacker is willing to put in and how criminally physical they're willing to get. 

Dave Bittner: [00:32:08]  Right, they hit you over the head with a wrench and take your YubiKey (laughter). 

Joe Carrigan: [00:32:12]  Right, until you give up your YubiKey and then they're into your accounts. Yes, that's less likely. And yes, a YubiKey is more secure than SMS. But it's still not a perfect system, and you should not delude yourself into thinking that. 

Dave Bittner: [00:32:23]  All right. Well, again, thanks to Carole Theriault and thanks to Zoe Rose for joining us. Always a pleasure to have both of them on the show. We want to thank all of you for listening. 

Dave Bittner: [00:32:32]  And of course, we want to thank our sponsors KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. 

Dave Bittner: [00:32:47]  Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:33:13]  And I'm Joe Carrigan. 

Dave Bittner: [00:33:14]  Thanks for listening.