Hacking Humans 4.2.20
Ep 92 | 4.2.20

Shedding light on the human element.

Transcript

Tom Miller: [00:00:00] The key ways in which organizations pick up on these issues today tends to be through face-to-face contact and direct interaction from one person to another in an office. And when that doesn't exist anymore, I think organizations just need to be thinking creatively right now. 

Dave Bittner: [00:00:17]  Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: [00:00:36]  Hi, Dave. 

Dave Bittner: [00:00:37]  We've got some good stories to share this week. And later in the show, my conversation with Tom Miller from ClearForce. We're going to be talking about continuous discovery in the workplace and the human side of protecting your business. 

Dave Bittner: [00:00:49]  But first, a word from our sponsors at KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill, a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary doughnuts and tepid coffee are sometimes provided. But a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate, but you know what we mean. Stay with us. And in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training. 

Dave Bittner: [00:01:29]  And we are back. Joe, before we get to our stories, last week, we opened a bit of a Pandora's box, I fear... 

Joe Carrigan: [00:01:35]  Oh, did we? 

Dave Bittner: [00:01:35]  ...When we talked about misuse of various words. 

Joe Carrigan: [00:01:38]  Right. 

Dave Bittner: [00:01:40]  (Laughter) We got a lot of folks writing in. One person in particular, a friend of the show - his name is John (ph). He sent us a nice little list of things here. I'll just go through quickly. We see if we - see how we feel about these things. 

Joe Carrigan: [00:01:52]  Right. 

Dave Bittner: [00:01:53]  He said flaunt does not mean flout. 

Joe Carrigan: [00:01:55]  Right. 

Dave Bittner: [00:01:56]  I'm on board with that. 

Joe Carrigan: [00:01:57]  Yeah. Me, too. 

Dave Bittner: [00:01:58]  He said to beg the question is to commit an informal fallacy in which an argument's conclusion figures as one of the argument's premises. It does not mean to raise the question. 

Joe Carrigan: [00:02:08]  That is 100% correct. John is absolutely correct here. 

Dave Bittner: [00:02:12]  (Laughter). 

Joe Carrigan: [00:02:12]  This is one of the things that makes me crazy. 

Dave Bittner: [00:02:14]  Yeah? 

Joe Carrigan: [00:02:15]  I hate this, Dave. 

Dave Bittner: [00:02:16]  Oh, OK. 

Joe Carrigan: [00:02:16]  I really do. 

Dave Bittner: [00:02:16]  Yeah. 

Joe Carrigan: [00:02:18]  And when people say, well, that begs the question, this. No, that's not what begging the question is. 

Dave Bittner: [00:02:23]  (Laughter) Yeah. I got called on this once by a listener long time ago. And this person had actually created a website called - it was something like tobegthequestion.org or something. 

Joe Carrigan: [00:02:34]  Right. 

Dave Bittner: [00:02:34]  And it had the description of why everyone's using this wrong. 

Dave Bittner: [00:02:38]  Something could not be more unique or most unique. To be unique is to be the only thing of its kind, and that doesn't admit of degrees. Yeah, that's... 

Joe Carrigan: [00:02:47]  Yeah, that's true. 

Dave Bittner: [00:02:48]  That's good, yeah. There's a whole segment on "West Wing" about this where President Bartlet reminds someone that can't be - that unique is a singularity, I suppose. 

Joe Carrigan: [00:02:58]  Yes. 

Dave Bittner: [00:02:58]  So I'm on board with that one. All right, here's the last one. John writes in, and he says, and we should die in the last ditch before admitting that data is a singular noun. It is plural. The singular is datum. If people want a mass noun to do the work of a singular data, they should try information, which seems close enough. My initial response is Lieutenant Commander Data is a singular noun. 

Joe Carrigan: [00:03:23]  (Laughter) Right. That's his name, though. That's a proper name. 

Dave Bittner: [00:03:24]  (Laughter). 

Joe Carrigan: [00:03:27]  I don't generally use datum. I will say a piece of data - right? - or... 

Dave Bittner: [00:03:31]  Yeah, a bit of data. 

Joe Carrigan: [00:03:32]  ...A data point, right? And that way, point or piece or bit are the singular. And data is - it's the object of the preposition. But I will disagree with information being synonymous with data or a datum. Data is just a large collection of data. I mean, there's really no other way to describe it. Information is what happens when you process data, right? 

Dave Bittner: [00:03:55]  OK. 

Joe Carrigan: [00:03:56]  So you can look at a big thing of statistics and say that's the data. But the information is - let's say you're looking at the weight of a population - right? - the weight of the population compared to their height. So you look at that data, and you can extract the body mass index of that population. The body mass index is the information. All the weights and height are the data. 

Dave Bittner: [00:04:15]  Well, here's my take on this. First of all, I wonder how many people are even familiar with the word datum. And where I always come down on these arguments is their clarity in meaning. Is anyone going to be confused by your use of that word? And I would argue that the modern use of data, which includes using it as a singular noun, there's no loss in clarity. People know what you mean. And language evolves, so popular usages eventually become the correct usage because it switches over to being the normal usage of something. So I understand originalists. 

Joe Carrigan: [00:04:52]  Right. 

Dave Bittner: [00:04:53]  (Laughter) But for me, clarity is the No. 1 judgment here in my mind. 

Joe Carrigan: [00:04:57]  I come down more in the originalist side of this. 

Dave Bittner: [00:04:59]  (Laughter) I know you do. I know you do, Joe. 

Joe Carrigan: [00:05:01]  Particularly with things like literally (laughter). 

Dave Bittner: [00:05:03]  I know, Joe. And that's why we love you. 

Joe Carrigan: [00:05:05]  Thank you. 

Dave Bittner: [00:05:06]  All right. Well, that's enough on that, the thing that has absolutely nothing to do with our show. But (laughter)... 

Joe Carrigan: [00:05:13]  Right. 

Dave Bittner: [00:05:13]  Let's move on to our stories. What do you have for us this week, Joe? 

Joe Carrigan: [00:05:17]  Dave, I have a creepy story. It comes out of Singapore. It's a little bit old. It's old and creepy, kind of like us. 

Dave Bittner: [00:05:22]  (Laughter). 

Joe Carrigan: [00:05:23]  And it's about four years old, but I have not heard this story before, and I thought it would be a good story to discuss on this show. 

Dave Bittner: [00:05:30]  OK. 

Joe Carrigan: [00:05:31]  And the paper was The Straits Times out of Singapore. And they called the woman in the story Melissa, and that's a pseudonym. It's not her real name. She was 20 years old when this happened. 

Joe Carrigan: [00:05:40]  And one afternoon, Melissa received a Facebook Messenger message from her female friend. The message over this Facebook platform asked Melissa for help with a breast cancer project that this friend was working on. And I'm sure I'm not spoiling this for our listeners, but Melissa's friend's account had been hacked - right? - and there's some guy on the other end of this. This malicious actor said they needed photos of the front and side view of Melissa's breasts for an online project. 

Joe Carrigan: [00:06:11]  Now, here's why I think this is relevant more today than it was four years ago. We have a lot of different machine-learning projects out there that are taking information that you might not be able to suss diagnoses from and developing ways to find diagnoses. Like, there's a research project at Hopkins with Katie Henry and Suchi Saria, where they're just looking at the available sensor data, and they've been able to identify when a patient has sepsis before they're symptomatic with a very high confidence interval. OK? There was the story we had a couple weeks ago where we were talking about how we were able to train pigeons to find breast cancer cells because they're not encumbered by the idea of other pieces. They just - they're just looking for the information about the breast cancer and not the normal tissue. And mice, also, was a theoretical solution to vocal fakes, fake vocals. 

Joe Carrigan: [00:07:07]  So there's all these different kind of machine-learning things out there, so I can absolutely envision a machine-learning project that takes pictures of healthy breasts and breasts that are known to be cancerous and attempts to build a model that can diagnose breast cancer from a picture, because that would be incredibly useful, right? 

Dave Bittner: [00:07:26]  Yeah, it's plausible. 

Joe Carrigan: [00:07:27]  It is plausible. I don't know if it's possible, but somebody is probably going to do research like this. So it... 

Dave Bittner: [00:07:33]  Sure. 

Joe Carrigan: [00:07:33]  ...Makes sense now more than ever. But four years ago, it really made sense to Melissa as well. And she went ahead, and she submitted some pictures of her breasts to this attacker. Now, the attacker also incentivized her with the promise of a new cellphone and $600. You know, the study participants are getting a cellphone and $600. So she sent the pictures. But... 

Dave Bittner: [00:07:54]  Now, Melissa thought she was sending this to a friend of hers. 

Joe Carrigan: [00:07:57]  A friend of hers, correct. 

Dave Bittner: [00:07:59]  Right, right. 

Joe Carrigan: [00:07:59]  A friend of hers. 

Dave Bittner: [00:07:59]  So she thought she was helping a friend and also helping with medical research and she was going to get some money. 

Joe Carrigan: [00:08:06]  Correct. But afterwards, she sends the photos to this attacker, who she doesn't know is an attacker at this point in time. The attacker continually messages her back, asking for pictures that included her face. 

Dave Bittner: [00:08:17]  Why? 

Joe Carrigan: [00:08:19]  Well, because he's a pervert, right? 

Dave Bittner: [00:08:23]  (Laughter). 

Joe Carrigan: [00:08:23]  He's a lowlife. He's out there collecting images of... 

Dave Bittner: [00:08:25]  Of course he is. 

Joe Carrigan: [00:08:26]  And this... 

Dave Bittner: [00:08:26]  Right. 

Joe Carrigan: [00:08:27]  This was the tipoff for Melissa, right? This is like - that's her question, too. Why do you need pictures of my face? Because I will tell you this. In a clinical situation - there are photos out there of various body parts - it doesn't matter what the body part is, the face is always obscured - right? - for the patient's privacy... 

Dave Bittner: [00:08:47]  Right. 

Joe Carrigan: [00:08:48]  ...Unless it's something about the face. And that's with, like, some kind of dermatology study or something that's unique to the face. But if it's not... 

Dave Bittner: [00:08:54]  Yeah. 

Joe Carrigan: [00:08:54]  ...About your face, your face is not in that picture. So when the guy asked for a picture of - that includes her face, that's when she gets alerted to this. So then what she does is she texts her friend over SMS and says, hey, have you been sending me messages on Facebook Messenger? And her friend said, no, I haven't. So now she's realized, and she gets this sinking feeling. And she's like, what have I done? I should've thought... 

Dave Bittner: [00:09:15]  Yeah. 

Joe Carrigan: [00:09:15]  ...Twice before doing that. Now, she did not just accept this, right? What she did was she worked with the owner of the hacked account. And they identified another victim who had also sent pictures to this attacker. And they filed a police report. And according to this article in this paper, the police managed to establish the identity of the suspect, who was arrested. 

Dave Bittner: [00:09:36]  Excellent. Wow. 

Joe Carrigan: [00:09:37]  So it's good. But I wanted to talk about this because this premise seems very plausible to me. I don't know how many women would be comfortable doing this, even for medical research. But if you ask enough of them, some of them are going to say yes, right? 

Dave Bittner: [00:09:50]  Yeah. 

Joe Carrigan: [00:09:51]  You know, then if you start asking for pictures that include their face, I mean, maybe that'll tip them off, but maybe it won't. So I would like to make people aware of this - that this is something that can and actually has happened. 

Joe Carrigan: [00:10:00]  Here's some things that - in the article that I found interesting or more disturbing. On the breast cancer claim, she said of herself, how can I have believed that? I know you can't tell if someone has breast cancer from a photo alone. And again, I think it's a plausible ploy. I think it's very believable. And I would not be surprised to actually see this kind of research being done in a legitimate setting. And then another thing she said is that her family and her boyfriend scolded her for trusting someone so easily. And then, you know, this is what happens. You can't shame the victim or blame the victim here, right? 

Dave Bittner: [00:10:34]  Right, right. 

Joe Carrigan: [00:10:34]  She was the victim of somebody going after her and a malicious actor. Don't shame the victim or blame the victim. This is one of the biggest messages of this show is stop the victim blaming. 

Dave Bittner: [00:10:46]  Yeah. 

Joe Carrigan: [00:10:46]  Instead, go after the perpetrator. And finally, she said in here - this is a great quote - I still feel so angry at the scammer. I'll punch his face if I ever find out who he is. 

Dave Bittner: [00:11:01]  (Laughter) Well, we certainly don't condone violence. But in this case, it seems like a reasonable response. 

Joe Carrigan: [00:11:05]  Right. Yeah, I can't blame her for feeling that way. 

Dave Bittner: [00:11:07]  No, no. You know, it's an understandable impulse... 

Joe Carrigan: [00:11:10]  Yeah. 

Dave Bittner: [00:11:11]  ...For sure, yeah. And it seems to me this whole thing hinges on the initial trust that she had for her friend... 

Joe Carrigan: [00:11:17]  Absolutely. 

Dave Bittner: [00:11:18]  ...When she thought she was dealing with a friend. And that's one of the things here. It reminds me, also, I remember - oh, gosh - probably decades ago, someone passed on the wisdom to me. They said, never put anything in an email that you wouldn't put on a postcard. 

Joe Carrigan: [00:11:33]  Right. 

Dave Bittner: [00:11:33]  I think that applies to a lot of this sort of thing as well. Unless you are, you know, really confident in the security of the communications channel that you're using, better safe than sorry, right? 

Joe Carrigan: [00:11:45]  I would agree, yep, 100%. 

Dave Bittner: [00:11:46]  Yeah. All right. Well, boy, that is an interesting story and certainly one to be on the alert for, share with your friends and family to warn them about. 

Dave Bittner: [00:11:58]  My story's a little more up to date. This is just in the past few days. This is a story from ZDNet. And it's titled, "Rare BadUSB Attack Detected in the Wild Against U.S. Hospitality Provider." So let me set the stage for you here, Joe. Imagine you are at work. And let's say you work at a hotel. Let's say you're the manager of a local hotel, maybe from one of the large chains or something like that. And you get a letter in the mail, and you open it up. And it's from Best Buy, which here in the U.S. is a large retailer of electronics... 

Joe Carrigan: [00:12:33]  Right. 

Dave Bittner: [00:12:34]  ...A popular store, big-box store, as they call it. You open it up, and there's a letter from Best Buy. It has the Best Buy logo on it. And also inside is a $50 gift card. 

Joe Carrigan: [00:12:45]  Really? 

Dave Bittner: [00:12:46]  So this letter thanks you for being a regular customer of Best Buy, offers you this gift card. But it also says that they've included a USB thumb drive, which is - sure enough, is there in the package. And that thumb drive includes a list of the items that you can use this $50 gift card on. 

Joe Carrigan: [00:13:07]  Ah, that's very clever. 

Dave Bittner: [00:13:09]  (Laughter) So I'm sure everyone is a step ahead of me here. The thumb drive is actually infected. If you plug that thumb drive into your system, you're going to be infected with some sort of malware, and they will own your computer. What's interesting about this is that we haven't seen this sort of thing in a while. This is an expensive attack - sending out an actual letter... 

Joe Carrigan: [00:13:33]  Yep. 

Dave Bittner: [00:13:34]  ...Gathering up a gift card and including a USB drive. 

Joe Carrigan: [00:13:37]  Yeah. The gift card is free, though, 'cause you can just go into Best Buy and take a bunch of gift cards off the shelf and walk out with them. Because if they're not activated, it doesn't cost you a dime. And... 

Dave Bittner: [00:13:46]  Right, right. 

Joe Carrigan: [00:13:47]  ...Nobody will stop you from doing that. It's not really a big problem. Because in order to activate the gift card, you have to go to the cash register and give them the number. So I would suspect that this gift card is either previously used or was never activated. 

Dave Bittner: [00:14:03]  Yeah, that makes sense. But, of course, the actual USB drive itself - I mean, there'd be no reason for that to be a part of this. If this were legit, they would just say, log on to our website and choose whatever you'd like to buy. 

Joe Carrigan: [00:14:14]  Right. A Best Buy gift card is not limited to the number of items you can purchase, right? It's... 

Dave Bittner: [00:14:19]  Correct. 

Joe Carrigan: [00:14:19]  You can purchase anything at a Best Buy with a Best Buy gift card. 

Dave Bittner: [00:14:23]  Yeah. Now, in this case, this was sent to a hospitality organization. I'm going to guess a hotel, something like that. And the staff did not fall for it. 

Joe Carrigan: [00:14:32]  Good. 

Dave Bittner: [00:14:33]  They knew something was up, and they sent it in, and they reported it to their local law enforcement people. And they reached out to Kaspersky Labs, who is the folks who reported this. So in this case, a happy ending. But who knows how many of these were sent out? And it's certainly one to be alert about. 

Joe Carrigan: [00:14:52]  OK, so I'm reading down the article. And this USB device is actually not a thumb drive. It's actually something called a Rubber Ducky, which is essentially a keyboard device. It registers itself as an input device. So it's not like you even need a vulnerability on your machine that some software has to exploit. This thing becomes a keyboard as soon as you plug it in. And it starts entering commands. It opens up a PowerShell, which is a very powerful administrative tool that most people don't need to have access to. But then... 

Dave Bittner: [00:15:25]  Right. 

Joe Carrigan: [00:15:26]  ...That PowerShell script goes out and downloads the malware. And there's very little that can be done to protect that computer once the user plugs that in if that user has access to PowerShell. So one of - the only administrative thing I'd say here is disable access to PowerShell for people that don't need it. Other than that, it's going to work. And if you put this in on your home computer where you're the administrator, it's going to work. 

Dave Bittner: [00:15:49]  Yeah, yeah. So don't plug in things into your computer if you don't know... 

Joe Carrigan: [00:15:53]  Right. 

Dave Bittner: [00:15:53]  ...Where they came from (laughter). 

Joe Carrigan: [00:15:54]  Absolutely, especially... 

Dave Bittner: [00:15:55]  In general... 

Joe Carrigan: [00:15:56]  And this one purports to be for Best Buy, which is preying on your trust of Best Buy. 

Dave Bittner: [00:16:00]  Right, right. And, of course, your greed, because, you know, you're going to get something free from Best Buy. 

Joe Carrigan: [00:16:05]  Right. 

Dave Bittner: [00:16:06]  So lots of elements in play here. 

Joe Carrigan: [00:16:09]  Absolutely. 

Dave Bittner: [00:16:09]  All right, well, that is my story this week. It is time to move on to our Catch of the Day. 

[00:16:14]  (SOUNDBITE OF REELING IN FISHING LINE)

Dave Bittner: [00:16:18]  Our Catch of the Day this week comes from BBC reporter Jonah Fisher. He's @JonahFisherBBC on Twitter. And he was recently targeted by a Facebook Messenger scam. He decided to play along with the scam and string them along a little bit. Joe, I'll tell you what. Why don't you play the part of Jonah? And I will play the part of the scammer. And it goes like this. How are you doing? 

Joe Carrigan: [00:16:44]  Hi, Peter (ph). Or is it Rachel (ph)? 

Dave Bittner: [00:16:46]  It's good to hear from you. I have great news to share with you. Guess what. 

Joe Carrigan: [00:16:50]  New baby? 

Dave Bittner: [00:16:51]  I was wondering if you've have also been contacted by the CFDA. 

Joe Carrigan: [00:16:56]  I don't even know who they are. 

Dave Bittner: [00:16:57]  I thought you heard about the program. They helped and support people from 25 to 90 years with bonus winning offer from the Financial Domestic Assistance Agency to help people maintain the standard of living. And I thought you have heard of it already. 

Joe Carrigan: [00:17:11]  And? 

Dave Bittner: [00:17:12]  Am so excited because I am one of the lucky winner to win a sum 150,000 cash. I even thought you had been contacted already because I saw your name among the winner list when the CFDA agent brought cash to me. And I wonder if you have got yours. 

Joe Carrigan: [00:17:27]  No. 

Dave Bittner: [00:17:29]  Really? I should give you the agent text line or page link so that you will go claim and get yours. 

Joe Carrigan: [00:17:34]  I'll call you. 

Dave Bittner: [00:17:35]  OK, here is the agent link. 

Joe Carrigan: [00:17:37]  I'll just call you - easier. 

Dave Bittner: [00:17:39]  Click on the link and like the page and comment on the agent photo that you haven't got your winning money yet. 

Joe Carrigan: [00:17:44]  Calling - pick up. 

Dave Bittner: [00:17:45]  I have a speaker problem with my phone. 

Joe Carrigan: [00:17:47]  I'll call the landline. 

Dave Bittner: [00:17:49]  Oh, OK. 

Joe Carrigan: [00:17:50]  In fact, I'll pop around. You're only next door. 

Dave Bittner: [00:17:53]  I would have loved to call you, but my lawyer just collect my cellphone because many of my friends call me to give them money, and it's really pissing my lawyer off. That is why he collected it. 

Joe Carrigan: [00:18:02]  Answer the door. 

Dave Bittner: [00:18:04]  Am not at home right now. 

Joe Carrigan: [00:18:05]  I can see you are in the kitchen. I'd recognize that hat anywhere. 

Dave Bittner: [00:18:10]  Have you messaged the agents yet? 

Joe Carrigan: [00:18:12]  No, I want to talk about the holiday first. Look; you are a lame scam artist. Get a life. 

Dave Bittner: [00:18:17]  And it ends there. 

Joe Carrigan: [00:18:18]  Right. 

Dave Bittner: [00:18:18]  (Laughter). 

Joe Carrigan: [00:18:19]  So this is great. Jonah has taken this guy - first off, it's interesting when he says, I'll call you. And then the guy says, I'm having a problem with my speaker on my phone. We hear this. This is a common theme in these scams as well, right? I've undergone some surgery on my throat, and I can't talk right now. 

Dave Bittner: [00:18:36]  Right, right. 

Joe Carrigan: [00:18:37]  I can't get my phone. And then he goes to, my lawyer's collected my phone because people are trying to get money from me, right? 

Dave Bittner: [00:18:42]  So my phone's not only broken, I don't have it. 

Joe Carrigan: [00:18:45]  Right. Well, how are you messaging me right now, right? 

Dave Bittner: [00:18:48]  Right, right. 

Joe Carrigan: [00:18:48]  How are you doing this? 

Dave Bittner: [00:18:49]  Yeah, yeah. 

Joe Carrigan: [00:18:49]  Maybe you're on your computer because this is Facebook Messenger. But it's an obvious scam. And I'm glad Jonah shared this on Twitter. Thank you, Jonah. 

Dave Bittner: [00:18:56]  Yep, yep, yep. Nice to string them along. All right. Well, that is our Catch of the Day. 

Dave Bittner: [00:19:01]  Coming up next, my conversation with Tom Miller from ClearForce. We're going to be talking about this notion of continuous discovery in the workplace and also the human side of protecting your business. But first, a word from our sponsors, KnowBe4. 

Dave Bittner: [00:19:16]  And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally? KnowBe4 delivers convincing, real-world, proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news. 

Dave Bittner: [00:20:16]  And we are back. Joe, I recently had the pleasure of speaking with Tom Miller. He is from a company called ClearForce. And they do something called continuous discovery in the workplace. We're going to talk about that a little bit, and also the human side of protecting your business. Here's my conversation with Tom Miller. 

Tom Miller: [00:20:33]  Virtually every office today has levels of remote working going on, if not in its entirety, for large portions of the employee base. And I think that that's changed a lot for organizations. I think you have some organizations that it's in their DNA. So they're perhaps a gig economy company where they're used to contractors or even employees that are working remotely, out with consumers and not part of the brick-and-mortar establishment, or they're just a business that naturally has telecommuting as a core component of how they operate. 

Tom Miller: [00:21:07]  But then today, you have many organizations that just aren't used to that. And so they fundamentally have to change the way their workforce shows up every day. And you've got a lot of organizations that are figuring out how to create an environment that's not only productive but is also producing the level of culture and emotional safety and stability and support that I think a lot of people are really looking for right now. 

Dave Bittner: [00:21:39]  Well, how do organizations go about striking that balance? It seems to me like there are a lot of different elements at play here. 

Tom Miller: [00:21:47]  You start with the human side. You start with the employee. And I think that becomes the critical part. Are the individuals on your team in a position that they are emotionally, and both from a personal and a work perspective, in a situation where they can be productive and feel good about what's going on around them? I mean, nobody's feeling great about what's going on around us right now, but in a position where they can be focused and positive, and really in a position where they can ride through this virus environment and hopefully come out at the end of this in the right spot, again, both from a personal and professional perspective. And so I think beginning with the person, beginning with understanding that they're in a situation that's good for them. 

Tom Miller: [00:22:43]  And then I think from there, you build upon that to expand to good for them, good for the team, good for the organization. And it's complex because, you know, you're talking about health and wellness. You're talking about productivity. And then you're also layering in here risk management from an organizational perspective. 

Dave Bittner: [00:23:02]  In terms of, again, balancing that, when you're calling on your employees to work from home and using their own resources, their home internet connections and so forth, I suppose maybe you have to tread lightly when it comes to the amount of monitoring that you're going to do compared to what you would do in the workplace. 

Tom Miller: [00:23:21]  Yeah, maybe. I mean, I think that the first objective will always be understanding the stress levels of the individual. You know, there'll be plenty of technology and digital monitoring that can be enabled to ensure that there's information security throughout the process and the transactions and the communication with remote employees. And that's essential, I mean, to protect the intellectual property of organizations, to protect customer confidential information, financial data, et cetera. 

Tom Miller: [00:23:55]  But then, when you think, again, about the human side of this, there tends to be, you know, different elements. I mean, one is simply distraction. So are employees or would employees be making mistakes they would not normally make because they're fundamentally distracted and they're fundamentally stressed? And from a leadership perspective, do you have a way of identifying that and being able to identify individuals within the team that are more subject to that? 

Tom Miller: [00:24:27]  You know, and then the second piece is anytime an individual becomes disengaged from their colleagues, from the organization, quite frankly from a community - anytime somebody becomes disengaged and others don't notice, bad things can happen. And so if somebody is under stress, if somebody is disengaged for a long period of time and the organization doesn't have a means to understand that, to discover it and to be able to effectively address it, I think that's where a lot of organizational risk will come out. 

Tom Miller: [00:25:03]  So it's not to say that monitoring of an individual needs to be fundamentally different. I think you have to acknowledge the fact that the key interacting points or the key ways in which organizations pick up on these issues today tends to be through face-to-face contact and direct interaction from one person to another in an office. And when that doesn't exist anymore, I think organizations just need to be thinking creatively right now about how do they pick up on those red flags or sensors, maybe in the same way that they would if they were able to walk the floor - how do you do it today? And again, I think that's where you have to look to technology to try and find capability to put you in the same position from being informed and understanding and discovering some of the risks that I'm talking about. 

Dave Bittner: [00:25:53]  So as a team leader, for example, should I be, you know, making virtual rounds with my employees and my colleagues or checking in with them electronically, having audio or video chats just to take the temperature of everyone virtually, so to speak? 

Tom Miller: [00:26:10]  Hundred percent. I think every leader's got to increase the level of communication, which may naturally or informally occur almost without - you know, in an unconscious way where you're just naturally going to have some conversations. Now you may have to schedule those checkpoints. Now you may have to set up a daily, a weekly, just more formalized engagement at an individual level and at a team level to be able to pick that up. 

Dave Bittner: [00:26:36]  All right. Joe, what do you think? Interesting stuff. 

Joe Carrigan: [00:26:39]  Interesting stuff. I've got some points from this interview. One, the emotional and psychological health of employees is very key to maintain at this point. And I've been working from home now for about a week and a half, maybe two weeks now. Oh, I don't know. Jeez, how long have I been working from home? I don't even know. 

Dave Bittner: [00:26:54]  (Laughter) It's hard to remember, right? 

Joe Carrigan: [00:26:54]  It's all... 

Dave Bittner: [00:26:55]  It's all blurring together. 

Joe Carrigan: [00:26:55]  It is all blurring together. 

Dave Bittner: [00:26:56]  (Laughter). 

Joe Carrigan: [00:26:57]  And I said that in a meeting the other day... 

Dave Bittner: [00:26:59]  Yeah. 

Joe Carrigan: [00:26:59]  ...That it's all starting to blur together. And I'm losing track of the time. And I think that's going to have some kind of impact on me. 

Joe Carrigan: [00:27:05]  When he talks about the employees using their own resources, I really don't have a problem using my own internet connection to do work from home in this kind of situation, but I don't think I would be OK with a similar level of monitoring or more monitoring from my home internet connection. I think that that would be something that would kind of upset me. Now, at work, I'm on a different network than the Hopkins network because I work for the Information Security Institute. So we actually have our own segmented piece of the network that doesn't even touch the Hopkins network. So when you're... 

Dave Bittner: [00:27:39]  OK. 

Joe Carrigan: [00:27:39]  ...On our network, to get to the Hopkins network, you have to go out to the internet and come in through a firewall. 

Dave Bittner: [00:27:43]  Interesting. 

Joe Carrigan: [00:27:44]  So I don't have a lot of those restrictions as well. There are websites I can't go to on the Hopkins network that I can go to on the MSSI network. For example, if I'm on the Hopkins network, I cannot go to the Hak5 website, which is a manufacturer of hacking devices like the Wi-Fi Pineapple - penetration testing tools, really. But our security team has said that site is a hacking site. It's on a list of hacking sites, so people on the Hopkins network are not allowed to access it. But on my... 

Dave Bittner: [00:28:13]  Right. 

Joe Carrigan: [00:28:13]  ...Site, I can access that. So... 

Dave Bittner: [00:28:15]  Yeah, that makes sense. 

Joe Carrigan: [00:28:16]  Yeah, because I actually have a legitimate business need to access that, right? 

Dave Bittner: [00:28:20]  Right, sure. 

Joe Carrigan: [00:28:21]  I purchase Wi-Fi Pineapples for our students. But if I was subject to similar restrictions here at home, I think I would find that bothersome. I also would have concerns about monitoring my traffic on my personal network. I wouldn't want that to happen. If they were going to have that kind of level of monitoring, I would like to be consistently connected with a VPN from my home location. 

Dave Bittner: [00:28:42]  Yeah, yeah. Well, it's important to be able to separate home from work, even when... 

Joe Carrigan: [00:28:47]  Right. 

Dave Bittner: [00:28:47]  ...You're at home. 

Joe Carrigan: [00:28:49]  That's correct. The other piece of that equation is I would have to have a piece of employer-provided hardware that I could work on. If you're going to monitor me, you're going to provide me with the hardware to work on and a VPN connection that keeps your traffic separate from my traffic. That would be a requirement I had. 

Joe Carrigan: [00:29:05]  One of the things I'm finding is that while I'm here, I'm working longer hours than I did when I was there. I don't know that that's making me more productive or less productive. I kind of have a feeling I'm getting about the same amount done, but I am definitely putting in longer hours. 

Dave Bittner: [00:29:21]  Interesting. 

Joe Carrigan: [00:29:22]  Distraction is a big problem, and so is disengagement. And he doesn't really say this in the interview, but I'll tell you disengagement can lead to problems for you in terms of intellectual property theft and things of that nature. When you get an employee who's disengaged and has started looking elsewhere and if they're in your organization long enough, they might be more willing to do some damage that they wouldn't otherwise be willing to do. I'm not saying people are malicious. I'm just saying this could happen. 

Dave Bittner: [00:29:50]  Yeah, maybe that temptation would be there that they otherwise wouldn't have. 

Joe Carrigan: [00:29:53]  Right. I mean, 'cause you get to - you tend to feel like, hey, nobody cares. I don't see anybody on a regular basis, which kind of brings me to my next point. I had a manager who actually has since passed away. His name was Don Monroe (ph). And he had a great way of managing. He called it MBWA, which was management by walking around... 

Dave Bittner: [00:30:12]  (Laughter). 

Joe Carrigan: [00:30:13]  ...Where he would come down the cubicle rows, and he would talk to our section supervisor and to us and just talk. 

Joe Carrigan: [00:30:19]  I'll give you an example of one of the things that drew him in. One day, I was reading "The Code Book" by Simon Singh, which is a great book. If anybody is looking for a good book to introduce you to cryptography, that is a great place to start. Simon Singh writes wonderful books. And "The Code Book" was the first book of his I read. And I got to the chapter on the Enigma machine. And I was diagramming the Enigma machine and showing my section supervisor how it worked. And Don walked by, and he looked down the aisle, and he says, that looks like an Enigma machine. And he came down and just started talking to us about it, right? You know, it was just a conversation. Yeah, we weren't doing work, but we were talking about something technological and germane to our field. And it interested him. And he was present there. And you... 

Dave Bittner: [00:30:59]  Right. 

Joe Carrigan: [00:30:59]  ...Do not get that - that is much more difficult to get when you have a remote workforce. 

Dave Bittner: [00:31:04]  Right, right. 

Joe Carrigan: [00:31:05]  And... 

Dave Bittner: [00:31:05]  Yeah, those watercooler conversations. 

Joe Carrigan: [00:31:07]  Exactly. And one of the things that Tom said in this interview was that maybe set up a daily meeting where you get to see people. And I'll tell you, we have a daily meeting with our organization that - or actually with Computer Science. The Information Security Institute and Computer Science attend the same stand-up meeting every day at 9:30, and that has helped. Initially, I was like, why am I going to this? I don't think I need to be here. But that meeting has helped me a lot. I found that that is great, just to see everybody, because it's a Zoom meeting. So we have pictures of each other, video of each other. And it's very helpful - helps keep... 

Dave Bittner: [00:31:41]  Yeah. 

Joe Carrigan: [00:31:42]  ...Me in touch with everybody, I think. 

Dave Bittner: [00:31:43]  It's a good tip, for sure. I think you have to - you just have to be deliberate about these things right now because... 

Joe Carrigan: [00:31:48]  Right. 

Dave Bittner: [00:31:49]  ...They're not going to happen accidentally. So if you want it to happen, you got to plan for it. 

Joe Carrigan: [00:31:54]  No, that's a good point. They are not going to happen accidentally. It's going to have... 

Dave Bittner: [00:31:57]  Yeah. 

Joe Carrigan: [00:31:57]  ...To be something that you're going to have to do. In an office setting, they will happen accidentally. 

Dave Bittner: [00:32:02]  Yeah, exactly. All right. Well, that is our show. We want to thank all of you for listening. 

Dave Bittner: [00:32:06]  And, of course, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: [00:32:31]  The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: [00:32:45]  And I'm Joe Carrigan. 

Dave Bittner: [00:32:45]  Thanks for listening.