Marcus Carey: [00:00:04] Most people view cybersecurity as a cost center. If it don't make dollars, it don't make sense. And so sometimes security has to take the backseat to profit.
Dave Bittner: [00:00:13] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:31] Hi, Dave.
Dave Bittner: [00:00:32] We've got some good stories to share this week. And later in the show, my conversation with Marcus Carey - he's an enterprise architect at ReliaQuest and he's also author of the book "Tribe of Hackers." He's wondering if we might be living in a cybersecurity Groundhog Day. Stay tuned for that.
Dave Bittner: [00:00:48] But first, a word from our sponsors KnowBe4. Have you ever been to security training? We have. What's it been like for you? If you're like us, ladies and gentlemen, it's the annual compliance drill - a few hours of PowerPoint in the staff break room. Refreshments in the form of sugary donuts and tepid coffee are sometimes provided, but a little bit of your soul seems to die every time the trainer says, next slide. Well, OK, we exaggerate. But you know what we mean. Stay with us, and in a few minutes, we'll hear from our sponsors at KnowBe4, who have a different way of training.
Dave Bittner: [00:01:29] And we are back. Joe, before we get going, we have some follow-up.
Joe Carrigan: [00:01:34] Yes.
Dave Bittner: [00:01:35] There was a gent on Twitter who took issue with a couple of things that we said in recent shows. How do we respond here?
Joe Carrigan: [00:01:42] Both of his comments come from the Wallet Inspector episode, which I think is, like, three episodes ago from this one. First, he says, Joe's discussion of the biometrics miss the listener's point, I think. Fingerprint U2F is a similar use case to phone unlocking. It unlocks a key used for authentication. No biometric data leaves the device. If you're already using your fingerprint to unlock your device, there is zero additional risk of losing fingerprint data to using it with U2F for other services.
Joe Carrigan: [00:02:12] I agree there is no additional risk to unlocking your universal two-factor app on your phone if you're already using that to unlock your phone - with your fingerprint, rather. I should make clear about that. And I think I said that in the discussion of this - that I'm OK with this use case of unlocking your phone with your fingerprint because that is not actually sending the information across on the internet. It's all local, and it's happening right there.
Joe Carrigan: [00:02:38] But my point is still that biometric data cannot be changed like a public/private key pair can, a password or even a hardware token. If my hardware token were somehow compromised through some unforeseen risk, then I could dispose of it and get a new one and be fine. I think that problem of immutability disqualifies biometrics as a whole as a good second factor. Additionally, if you're unlocking your phone or unlocking your universal two-factor app with your fingerprint, the universal two-factor is still the second-factor authentication, not your fingerprint. You're not actually - all you're doing is using your fingerprint to unlock it. And in fact, on my YubiKey, it doesn't use a fingerprint. I tested this before we went. I used a finger I never use, and my YubiKey just worked fine. It's not looking for a fingerprint; it's just looking for a touch.
Dave Bittner: [00:03:27] How interesting.
Joe Carrigan: [00:03:28] Yeah. So I don't know if that's related to what Jim (ph) is saying here. But I still think that, by and large, biometrics are not a good multifactor answer.
Dave Bittner: [00:03:37] I suppose the nuance that you're pointing out here - I don't know that there's, at its core, a disagreement between you and Jim. It's that, if you're unlocking your phone with your fingerprint, that's fine because your fingerprint's not being captured. It's just being used as the thing that unlocks the phone. It's not being sent anywhere...
Joe Carrigan: [00:03:54] Right.
Dave Bittner: [00:03:54] ...Where it could be released or breached.
Joe Carrigan: [00:03:57] Intercepted, right. It couldn't...
Dave Bittner: [00:03:58] Right, right.
Joe Carrigan: [00:03:58] ...Be used in some kind of, like, pass the hash attack or anything like that.
Dave Bittner: [00:04:02] OK.
Joe Carrigan: [00:04:02] In the original listener's question, he was talking about sending inform - using it to move across networks. And I don't know how you'd do that without - use that as a multifactor without passing some data unless you're, again, using it to unlock a universal two-factor authentication on your phone which, again, I'm OK with that use case. But by and large, I'm not a big fan of biometrics.
Dave Bittner: [00:04:24] OK. What else did Jim have to say for us?
Joe Carrigan: [00:04:26] Jim also said your report on the Bitcoin QR scam misunderstood what it's doing. And that is correct. We talked about possibly uploading your keys to this scam. This scam is way simpler than this. And Jim, we have to issue a correction here. Thank you for pointing this out. What's going on is when you put your public key into the QR code generator, it generates a QR code for their Bitcoin address. So let's say, Dave, I wanted to send you a bitcoin - right? - because I like you a lot and I want to give you, like, 8 grand right now.
Dave Bittner: [00:04:55] OK.
Joe Carrigan: [00:04:55] So I say, Dave, do you have a QR code for your Bitcoin address? And you say, yes, I do. I went to this handy-dandy website, and they turned my Bitcoin address - or I used this app and they turned my Bitcoin address into an easy-to-read QR code. And I send the bitcoin to that Bitcoin address. It doesn't send the bitcoin to you; it just sends it to the attackers because there is very little discernible difference for humans between one QR code and the next.
Dave Bittner: [00:05:19] Right, right.
Joe Carrigan: [00:05:20] You can't look at a QR code and go, oh, this means that, right?
Dave Bittner: [00:05:23] Yeah.
Joe Carrigan: [00:05:23] So that's how this is working. So thank you, Jim, for pointing that out. That was - that's a correction we needed to issue.
Dave Bittner: [00:05:29] Right. We were overthinking it.
Joe Carrigan: [00:05:30] Yeah, we were. It's really, really simple.
Dave Bittner: [00:05:34] Yeah. Yeah. Again, thanks, Jim, for pointing it out. We want to get it right. And when we come up short, we appreciate folks letting us know so we can try to get the good information out there. So thanks to him.
Joe Carrigan: [00:05:45] So far, we have not made a mistake that has not been corrected by a listener to my knowledge.
Dave Bittner: [00:05:49] We can count on our listeners to let us know when we make errors. That's for sure. All right.
Joe Carrigan: [00:05:55] But I actually do appreciate it. Thank you very much, Jim.
Dave Bittner: [00:05:58] Well, let's move on to our stories. Joe, why don't you kick things off for us this week?
Joe Carrigan: [00:06:01] Dave, today I have the tale of two phishing campaigns. The first one comes from Votiro, and they have a great story about a well-crafted phishing campaign that is spoofing UPS, FedEx and DHL email addresses.
Joe Carrigan: [00:06:18] So these are the three major carriers. When you think of a carrier - a package delivering system, these are the guys you think of. What these malicious actors are doing is they're actually sending emails and they're spoofing the email address, which is something you can do in email, particularly if you are in control of the mail server. Now, a lot of times we see phishing campaigns that come in looking like, you know, email@example.com. Right? Google does a really good job of securing the Gmail servers so you cannot spoof an email address.
Joe Carrigan: [00:06:48] I don't know. I may have told this story at one point in time. But a friend of mine who was working at a company that I later went to sent me an email, and he was able to - in his settings on his email client was able to make it look like it came from - I think it was firstname.lastname@example.org or something like that - which is Spanish for big cheese, right?
Dave Bittner: [00:07:09] (Laughter).
Joe Carrigan: [00:07:10] The only thing that happened to him was he got a phone call from the system administrator going, hey, somebody down there is spoofing email addresses out of your area. And he goes, well, I'll have to stop that person from doing that. And that was the end of it. But I mean, this was back in the '90s. You could, in your email client, just go ahead and set a different reply-to address, and it would look like that's who sent it. I don't know how hard that is to do now, but it's really - almost impossible to do it without breaking into the systems with any of these web clients. But if you own a mail server, you can set these settings however you please.
Joe Carrigan: [00:07:44] So these messages all look like invoices, and they say view and pay your invoices. And they have pictures of the email in the article. We'll put a link in the show notes. And when you open the attachment, the attachment is a malicious Excel file that then runs a PowerShell script in hidden mode. And that PowerShell script downloads and installs the Dridex ransomware, which is bad news. Right? So now you've got ransomware. What's really interesting about this is that Votiro says the phishers are using a tool called Evil Clippy to hide the macro.
Dave Bittner: [00:08:17] Is there any other kind of Clippy?
Joe Carrigan: [00:08:21] Good question, Dave.
Joe Carrigan: [00:08:25] Right. And they have a link in the article about - to Evil Clippy. You can go right out to GitHub and get this tool. And what it is - it's a tool that hides and obfuscates the malicious code in a Microsoft Office document. So even if you do static analysis on it or you have some kind of automated process to look at it, you may not catch the maliciousness of this attachment.
Joe Carrigan: [00:08:47] So these guys have gone through a lot of effort here. And you know, they've probably set up their own mail server so that they can spoof email addresses. They've used a really good tool for hiding macros in Office documents. And they're sending out what seems like innocuous stuff, like an invoice from UPS. And if it's coming from a UPS address - you know, we always say check the sending address before you click on the link. If you check the sending address and that was your only form of protection, you might very well run this ransomware.
Joe Carrigan: [00:09:13] Again, another thing you can do to protect your organization is make sure that users don't have access to PowerShell. If a user can't start a PowerShell script, that might protect against this. I don't know about the internal workings about this - of this particular campaign and this particular malware. But I would imagine that setting a policy so that users can't run PowerShell 'cause most users do not need to run PowerShell. And it is an incredibly powerful tool that Microsoft has developed that's really good. But most users don't need it. So just disable it for people.
Joe Carrigan: [00:09:45] One other interesting aspect about this campaign is that in the DHL phishing emails, they purport to come from a person who actually has a LinkedIn account where he is listed as a supervisor at DHL. And they don't know if this is actually linked to an account set up by the attackers or not or if the attackers just went out and searched LinkedIn for a supervisor name and took this guy's name. There's no way to know that. But it's interesting that they at least did the research to find somebody who worked at DHL or went so far as to go ahead and set up a LinkedIn account for him. So that's the first story.
Joe Carrigan: [00:10:18] My second story comes from Zeljka Zorz over at Help Net Security. And she has a story about a very widespread phishing campaign targeting financial organizations. And the email purports to come from FINRA, which is a nongovernmental agency here in the U.S. for regulating financial institutions. And it says that it's coming from two guys named Bill Wollman and Josh Drobnyk. And if you go to FINRA's website, there are two guys named Bill Wollman and Josh Drobnyk who are actually VPs at FINRA. And the email came from broker-finra.org. So these guys went out and they bought up a domain that was broke.finra.org.
Joe Carrigan: [00:10:58] And the email could contain one of three things. It could contain a malicious attachment or a malicious link or a PDF that would direct a user to a website to steal their Microsoft credentials - their Microsoft Office and their SharePoint passwords. Or it could just be a way to elicit a response. You know, they send this thing in and go, hey, I need some - I'm going to send you a document. And they essentially establish a rapport. This is actually kind of another - I would say more sophisticated socially than technically. I'm going to go out, and I'm going to find two guys that you probably know or you've probably heard of. Or if you haven't heard of them, you can verify who they are. And I'm going to send you a link from a similar-looking URL or a similar looking email address, rather, I should say, domain name - and hopefully establish some rapport in eliciting the response from you. And then I'm going to send you a malicious payload. I chose these two stories because I think they kind of show two sides of, I'm going to say, 20-sided die of phishing.
Dave Bittner: [00:11:55] (Laughter).
Joe Carrigan: [00:11:57] I would say coin, but there is no way that there's only two ways to do this.
Dave Bittner: [00:12:01] Right. You got yourself a D20.
Joe Carrigan: [00:12:03] Right, yeah. Exactly. And I think these are two very different ways of going about it. But it's fascinating that these are very effective phishing techniques, one where they impersonate people or say - you know, just pretend to be people that they aren't that actually exist - and the other, where they actually go through all this effort of just saying, hey, here's your invoice, but there's a lot of effort behind - before they sent that email out.
Dave Bittner: [00:12:26] Well, and I think it sort of reflects that trend that we've been seeing, certainly over the last year and I guess a little bit longer, where the scammers are putting the work in. They're putting the effort in. This isn't like the old days of spamming, where it's just sort of a spray-and-pray kind of thing. These folks, they see that they get a return on their investment.
Joe Carrigan: [00:12:46] Yeah, they're making a business decision here. It's definitely becoming the case that people are a little bit more leery of, like, the Nigerian prince scams. That kind of stuff almost is noise now. But when somebody targets you with specific information relative to what you do for a living and invokes the name of some regulatory authority, that's very powerful. And you're right. They are targeting this, and they're doing their research. They're coming up with a good plan, and then they're executing that plan. And it's somewhat effective.
Dave Bittner: [00:13:17] Yeah, absolutely.
Joe Carrigan: [00:13:18] And even if it's only somewhat effective, it's very profitable.
Dave Bittner: [00:13:22] Sure. Yeah. Well, and, you know, that's another thing we see is how much these folks - they iterate. And they A/B test, and they see what works, and they see what doesn't. So these campaigns have evolved and become highly efficient.
Joe Carrigan: [00:13:34] Yep.
Dave Bittner: [00:13:35] All right. Well, we're running a little bit long this week because of our feedback, so I'm going to hold my story for next week. And it's time to move on to our Catch of the Day.
0:13:45:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:13:49] Our Catch of the Day comes from Reddit user VioletVerae (ph). And this is a back-and-forth between a scammer and this user. Joe, I will play the part of the scammer. It starts off like this. (Reading) Hello, baby. Will you be my sugar baby?
Joe Carrigan: [00:14:07] (Reading) LMAO. This is a scam, right?
Dave Bittner: [00:14:10] (Reading) No, baby.
Joe Carrigan: [00:14:11] (Reading) OK. Send me some money so I know you're for real, and then we can talk. I'm not dumb.
Dave Bittner: [00:14:15] (Reading) Money is the problem, baby.
Joe Carrigan: [00:14:18] (Reading) How so? Can't have a sugar baby without money.
Dave Bittner: [00:14:20] (Reading) Good. Where are you from, baby?
Joe Carrigan: [00:14:23] (Reading) Don't change the subject.
Dave Bittner: [00:14:24] (Reading) I think we should know each other, right?
Joe Carrigan: [00:14:27] (Reading) Yeah, but I'm not going to give a random Instagram account all of my info unless I know they aren't effing (ph) with me.
Dave Bittner: [00:14:33] (Reading) OK, baby. Where are you from, baby?
Joe Carrigan: [00:14:35] (Reading) I'm going to block you unless you send some money over. Can't trust you till I see that.
Dave Bittner: [00:14:40] (Reading) OK, baby. I want you to trust me. I'm a man of my word.
Joe Carrigan: [00:14:44] (Reading) Good to hear it.
Dave Bittner: [00:14:45] (Reading) How old are you, baby?
Joe Carrigan: [00:14:46] (Reading) Nunya (ph), but I'm legal.
Dave Bittner: [00:14:48] (Reading) All I want right now is a good conversation, like me having someone to talk to and make me smile while I also take good care of your needs and get your bills settled. And I will be giving you a good weekly allowance.
Joe Carrigan: [00:14:59] (Reading) How much weekly? I have expensive tastes, love.
Dave Bittner: [00:15:02] (Reading) Two thousand dollars.
Joe Carrigan: [00:15:03] (Reading) You're effing with me, dude. That's so much money. How do you make a living then? Tell me about your job.
Dave Bittner: [00:15:08] (Reading) I'm a building contractor for the government, baby. What about you, baby?
Joe Carrigan: [00:15:14] (Reading) I work in fast food management.
Dave Bittner: [00:15:16] (Reading) That's cool.
Joe Carrigan: [00:15:17] (Reading) Yeah, it's all right.
Dave Bittner: [00:15:19] (Reading) How old are you?
Joe Carrigan: [00:15:20] (Reading) Send me $100 and I'll tell you.
Dave Bittner: [00:15:22] (Reading) That money is effing small. WTF? I have a lot of money to spoil you, baby.
Joe Carrigan: [00:15:28] (Reading) I would accept more than that.
Dave Bittner: [00:15:29] (Reading) I will make you happy. OK, money is not my problem.
Joe Carrigan: [00:15:33] (Reading) All right. Let's see it then.
Dave Bittner: [00:15:34] (Reading) That's what most ladies do to me after getting the payment. They don't reply to me anymore. They go for another daddy, hon.
Joe Carrigan: [00:15:41] (Reading) I don't really have any other options, LMAO. Trust me. I'll stick around if you prove you're real. That's the whole point.
Dave Bittner: [00:15:49] (Reading) OK, baby. Do you use PayPal?
Joe Carrigan: [00:15:52] (Reading) Yes.
Dave Bittner: [00:15:53] (Reading) Let me have your PayPal link right now.
Joe Carrigan: [00:15:56] And then she has sent something along, and it is - she, of course, very smartly greyed it out here. So we can't see it.
Dave Bittner: [00:16:02] (Reading) I have no way to make transactions directly to PayPal because I'm on a business trip right now, and all my cards are on hold. So make the transaction through my Google account, and your payment is on pending. That's why the card is needed to complete the transaction.
Joe Carrigan: [00:16:17] (Reading) You're on a business trip during a global pandemic?
Dave Bittner: [00:16:21] (Reading) All you need right now is an e-code on a Google Play card to activate. Then complete the transaction right now immediately.
Joe Carrigan: [00:16:28] (Reading) Oh, boy. You're definitely scamming me.
Dave Bittner: [00:16:30] (Reading) No. I'm not going to hurt you or steal anything from you, baby.
Joe Carrigan: [00:16:33] (Reading) So what exactly do I have to do? Because that's a strange way to pay someone.
Dave Bittner: [00:16:37] (Reading) All you need to do right now is to get an e-code on Google Play cards so I can use it to activate then complete the transaction immediately. You got it? You will receive the money in your PayPal account right now.
Joe Carrigan: [00:16:49] (Reading) That's not how PayPal works.
Dave Bittner: [00:16:50] (Reading) I have no way to make transactions directly to PayPal because I'm on a business trip right now, and all my cards are on hold. So I'll make the transactions through my Google account, and your payment is on pending. That's why the card is needed to complete the transaction.
Joe Carrigan: [00:17:03] (Reading) OK. But I have to pay money for the card, though. That sounds like a scam. Also, I have none.
Dave Bittner: [00:17:09] (Reading) You can get one at the nearby store.
Joe Carrigan: [00:17:11] (Reading) Yeah, but I'm broke, and I don't want a gift card. You can pay me using Zelle, CashApp, Venmo or PayPal. She's giving him every option in the book, Dave.
Dave Bittner: [00:17:19] (Laughter).
Joe Carrigan: [00:17:21] (Reading) But I'm not falling for a gift card scam.
Dave Bittner: [00:17:23] (Reading) At my age, why on earth would I be scamming young ladies on social media?
Joe Carrigan: [00:17:28] (Reading) My mom is literally a cybersecurity analyst, dude. I'm not falling for it.
Dave Bittner: [00:17:32] (Reading) I know how distress and hurt you must be feeling right now, but I want to use this medium to tell you that the payment will be made into your PayPal account once you go get the cards.
Joe Carrigan: [00:17:41] (Reading) And how much money exactly will I be spending on it? Because I'm broke - no money, 14 cents in my bank account.
Dave Bittner: [00:17:49] (Reading) Just 50 buck.
Joe Carrigan: [00:17:51] (Reading) Nah, I don't have that.
Dave Bittner: [00:17:52] (Reading) Trust is the easiest thing in the world to loose (ph) and the hardest thing in the world to get back. To dream anything that you want to dream, that's the beauty of the human mind. To do anything that you want to do, that is the strength of the human will. To trust yourself to test your limits, that is the courage. To trust is the easiest thing in the world to lose and the hardest thing to get back. That is the courage to succeed.
Joe Carrigan: [00:18:14] Where did he get that? Did he just copy and paste that from some motivational speech? I have no idea.
Dave Bittner: [00:18:18] I suppose he must've.
Joe Carrigan: [00:18:20] I love her response, though. (Reading) Are you on drugs? I'm going to bet that guy on your profile isn't even you.
Dave Bittner: [00:18:25] (Reading) So have you got a Google Play card right there with you? Because that's what will be used to complete the transaction to your PayPal account. WTF?
Joe Carrigan: [00:18:34] (Reading) No, LMAO.
Dave Bittner: [00:18:35] (Reading) The choice is yours, baby.
Joe Carrigan: [00:18:37] (Reading) Take your damn cards off hold and use PayPal or I'm blocking you.
Dave Bittner: [00:18:41] (Reading) OK, no thanks for the words.
Joe Carrigan: [00:18:44] (Reading) I knew it. Get a life. Why are you video calling me?
Dave Bittner: [00:18:48] (Reading) I want to see you.
Joe Carrigan: [00:18:50] (Reading) LOL. After that whole botnet malfunction, you're going to pull that?
Dave Bittner: [00:18:54] (Reading) Bye.
Joe Carrigan: [00:18:55] (Reading) Dude, I'm not falling for your scam.
Dave Bittner: [00:18:57] (Reading) OK, baby. Bye.
Joe Carrigan: [00:18:59] (Reading) KK.
Dave Bittner: [00:19:00] (Reading) But I promise I won't let you down.
Joe Carrigan: [00:19:02] (Reading) If you video chat me and you look like the guy in your pics, I may reconsider, but not with this Google Play.
Dave Bittner: [00:19:08] (Reading) OK. Let's video call.
Joe Carrigan: [00:19:11] (Reading) KK. Well, that didn't work in your favor at all.
Dave Bittner: [00:19:14] (Reading) What do you mean?
Joe Carrigan: [00:19:15] (Reading) I didn't see you.
Dave Bittner: [00:19:16] (Reading) OMG.
Joe Carrigan: [00:19:17] (Reading) OMG what? Did I stutter?
Dave Bittner: [00:19:19] (Reading) Bye. I found another baby. You are very rude.
Joe Carrigan: [00:19:23] (Reading) I'm glad.
Dave Bittner: [00:19:25] And scene.
Joe Carrigan: [00:19:28] Right (laughter). This is marvelous. I love this. She - I actually chatted with her on Reddit, and one of the things she says in the post is that she wasted an hour of this guy's time. So that's an hour of time that he wasn't - that he didn't spend scamming some vulnerable person. So good work, Violet. That was really good. I love that scam baiting.
Dave Bittner: [00:19:48] All right. Well, that is our Catch of the Day. Coming up next, my conversation with Marcus Carey. He is an enterprise architect at ReliaQuest. He's also the author of the book "Tribe of Hackers," and he wonders if we're living in a cybersecurity "Groundhog Day." Stay tuned for that.
Dave Bittner: [00:20:04] But first, a word from our sponsors KnowBe4. And now back to that question we asked earlier about training. Our sponsors at KnowBe4 want to spring you from that break room with new-school security awareness training. They've got the world's largest security awareness training library, and its content is always fresh. KnowBe4 delivers interactive, engaging training on demand. It's done through the browser and supplemented with frequent simulated social engineering attacks by email, phone and text. Pick your categories to suit your business. Operate internationally. KnowBe4 delivers convincing real-world proven templates in 24 languages. And wherever you are, be sure to stay on top of the latest news and information to protect your organization with KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable, too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:21:08] And we're back. Joe, I recently had the pleasure of speaking with Marcus Carey. He is a well-known individual in the cybersecurity world. He is an enterprise architect at ReliaQuest. But I suppose most people in cybersecurity know him. He's the author of the book "Tribe of Hackers," which has actually been turned into a series of books. And our conversation sort of centered on this notion - whether or not we could be living in a cybersecurity "Groundhog Day." Here's my conversation with Marcus Carey.
Marcus Carey: [00:21:38] I think we found ourselves in cybersecurity pretty much the same place we were probably 15, 20 years ago. There's a lot of things that we know how to fix, but it seems like the businesses are moving so fast that we can't implement many of the things that we like to implement. So it's like every day you come, you're a firefighter. You have to come in and solve the fires. So I think we're pretty much in the same position that we have been for a while. We know what we need to do, but we don't have the resources or time to do all the right things.
Dave Bittner: [00:22:12] And what do you think is keeping us from doing the right things? Is it as simple to say that it's, you know, time and money?
Marcus Carey: [00:22:18] Yeah. I think definitely time and money is a big thing. I think time is most needed thing because you have developers and businesses moving at such a fast pace that it's kind of hard to get ahead of that curve. And at the end of the day, most people view cybersecurity as a cost center. If it don't make dollars, it don't make sense. And so sometimes security has to take a backseat to profit.
Dave Bittner: [00:22:41] And so what sort of adjustments do you think organizations need to make to get a better handle on this?
Marcus Carey: [00:22:46] I think by incorporating security into the pipeline, per se - making security a part of the everyday routine and building in security - you're seeing a lot of automation and things that make that possible. So I think that we're headed in the right direction. And with this automated bill processes, you're going to see people be able to lock down networks a lot better.
Dave Bittner: [00:23:07] I'm curious about this notion of breach fatigue. As you mentioned, you know, there can be this coming in to fight fires every day, and I suppose that leads to a feeling of kind of helplessness. Like, this is the mode we're in, and this is how we have to keep doing things.
Marcus Carey: [00:23:23] Yeah, I think that breeds fatigue. And fatigue in general in cybersecurity is a real thing. But I kind of look at it like - that we just need to get better at doing our job and installing processes that are going to make us better at doing it. I think that sometimes in life in general, if you fail or you're not doing good at something, you tend to take it personal. But I believe that what you have to do is you have to separate the results sometimes from what you're doing because you end up taking things personally. And so sometimes the best we got is all that we can do, and so I'll just remember that long-run.
Marcus Carey: [00:24:05] But the best thing you can do, in my opinion, is to put good processes in place. And if you follow those processes, I think you'll be a lot better off because if you fail, at least you followed that process. What happens is when we're all over the place not focusing and trying something different every time, then we fail, and we're not making any progress whatsoever. So I'm a proponent of putting in the right processes. And then over time, you're going to get better, and don't take it personal when you fail.
Dave Bittner: [00:24:34] What sort of approach do you take when it comes to being a leader with the folks that you work with, the people that you mentor? How do you approach that? How do you provide that strong leadership?
Marcus Carey: [00:24:45] When it comes to leadership, I'm former military, so I'm kind of biased. I kind of think that when you're a leader, you have to have credibility. And one of the things that people always say is I wouldn't want, you know, you to do anything that I wouldn't do myself. And so I think that that's definitely a thing. So if people can see you leading by example and you're going out there and you're leading by example - and another thing you want to do as a leader is you want to protect your people as well. So always do right by your people. Don't throw them under the bus when things go bad. And again, just lead them and kind of show them the right way. And then what you'll see is that they'll reciprocate, and they're going to help you out, and you're going to learn from them.
Marcus Carey: [00:25:29] And so I think that leadership and leading people is cyclical, meaning that - I have a philosophy now that I wouldn't want to hire anyone that I couldn't envision myself working for because essentially, as a leader, you're actually working for everybody that you're leading. Right? And so that's kind of like - my philosophy is like I want to help people, and I want to turn them into great leaders so they can help, one day, to lead me.
Dave Bittner: [00:25:55] You know, I know that one thing that you're passionate about is kind of demystifying security and making it accessible to everyone. What are some of your efforts there? And why do you think that's an important thing to pursue?
Marcus Carey: [00:26:09] Well, I think in life in general, we tend to - if I'm good at something, sometimes we tend to hoard that information. And that's not good for us overall. So when I look at cybersecurity, I look at it like a Hippocratic oath situation, where I'm supposed to make stuff better, and I want to help people be more secure. And the best way we can do that is to make more doctors, you know? And so I think that in some countries, education's free because they want to promote more scientists and more engineers and more doctors and stuff.
Marcus Carey: [00:26:43] So I kind of look at it the same way as far as cybersecurity. But the cool thing about cybersecurity, you don't have to get a four-year or six-year or eight-year degree. I think many people, if we make it accessible, we're going to get a lot more people that can come in and do really good work in cybersecurity and learn on the job. And that's why I believe we have to give as many people opportunities as we can so they can come in and make a dent in the universe, so to say.
Dave Bittner: [00:27:15] Yeah. You know, I want to touch on your book, which is titled "Tribe of Hackers." And it certainly has made a splash within the cybersecurity community itself. Can you tell us, what prompted you to create the book?
Marcus Carey: [00:27:28] So a while ago, I was actually encouraged by a book called "Tribe of Mentors" by Tim Ferriss. And it was actually a really good book. Tim Ferriss, he has a popular podcast where he talks to a lot of celebrities, and many of these reporters are their friends. Well, in cybersecurity over the years, I have a lot of good friends. And I thought that it would be a great opportunity for people that don't know some of the people that I know - a chance to understand where they came from and some of the challenges that they faced. Some of these people are giants in our industry. I just wanted to allow people to get a chance to see what was on their mind and what they came from.
Dave Bittner: [00:28:03] Yeah. And one of the things that impresses me about the book is the breadth of folks that you talk to. There's a whole different range of experiences, lots of things to learn from.
Marcus Carey: [00:28:14] Absolutely. And I think that what happens in life in general - as we have more experience with things, our views change. And sometimes we can be new to a particular thing, and we have a different opinion. And that opinion is valid as well. Sometimes as you get older, you might get jaded. So (laughter) sometimes you get older, you get wiser. There's all kind of different things that shape our opinions.
Marcus Carey: [00:28:39] And even that book was - the questions went out about two years ago in that book. And even now, I've even changed my opinion on some of the things that I actually answered in the book. So I think that having that diversity worked out really well because we had people from all different backgrounds, genders, cultures. And they all gave their opinion. And it was great because it's an evergreen book. People can pick that book up 10 years from now and learn from it.
Dave Bittner: [00:29:04] What were some of the key takeaways for you? Were there any things in there that surprised you or changed your view on things?
Marcus Carey: [00:29:11] Well, I think that what really surprised me was the aftershock of the book. I would say in cybersecurity, we're really secretive. Back in the day, I used to work at NSA, and we're definitely super secretive from there. But I think that a lot of that culture carries over to the cybersecurity community. It's refreshing to see people open up more and get out there more. I think that the book was definitely a catalyst in the community itself to share more and to come together more as a community.
Dave Bittner: [00:29:41] Yeah, I absolutely agree with you. I think you tapped into a hunger that was there that people really wanted to have more opportunities to build that community. And in a way, "Tribe of Hackers," your book, provided that for them.
Marcus Carey: [00:29:55] Yeah. I'm really humbled but it. It's one of those situations where it was the right place and something we needed in the community.
Dave Bittner: [00:30:03] What is your advice for professionals out there who are looking to do a better job of securing their organization? Do you have any basic tips for them?
Marcus Carey: [00:30:13] The big thing is that you're not alone in what you're going through. And don't be embarrassed if you're struggling to secure your organization. Reach out to people. And there's plenty of people that can share similar stories that you're going through. I just want to let you know you're not alone. And those pressures and all that stress that you have, it would be better if you just uncompressed, talk to other people how they're solving the problems and, most importantly, what systems are they putting in place to help better secure their organization.
Dave Bittner: [00:30:45] All right, Joe, what do you think?
Joe Carrigan: [00:30:47] That's an interesting take on things - you know, whether we're in a cybersecurity "Groundhog Day" or whether we have to be in a firefighter mentality. I don't think those two things are the same. You know, the "Groundhog Day," that kind of implies that we're making the same mistakes over and over and over again. And I think that actually we have made some progress. I think the firefighter analogy is a much better analogy.
Dave Bittner: [00:31:07] That one resonates with you.
Joe Carrigan: [00:31:08] Yeah. That one resonates with me better because, you know, firefighters go to do their job every day, and they know there are going to be fires. That's going to happen. There is no shortage of kitchen fires. In fact, that's the No. 1 cause of fires - or at least according to my brother, who works with the Montgomery County Fire Department. And, you know, he and I talk about this kind of stuff frequently. There's not going to be a stop to fires. A new requirement in houses now is to have sprinkler systems in a house. That's a good system to have in a house. My house doesn't have a sprinkler system in it because it's 52 years old. But when I go to my daughter's house, it's newer. They have sprinkler systems in it. So that's kind of analogous to the security situation.
Joe Carrigan: [00:31:47] You know, 20 years ago, when I got high-speed internet service at the house, the very first thing I had to do was I had to put my own firewall on the inside of that because there was no built-in firewall in my router or my - because it wasn't even a router. It was just a cable modem. There were reports of people just hooking their computer directly to their cable modem and then being able to browse their neighbor's PCs because they were all essentially the same network. That doesn't happen anymore because now all of our cable modems are essentially routers. And that's the same kind of mentality. And that's happening a lot faster in cybersecurity than it is happening in the fire prevention realm.
Joe Carrigan: [00:32:21] So I think the firefighter analogy fits us better than "Groundhog Day" because, yeah - but when it comes to social engineering attacks, that's where I think we're dealing with a "Groundhog Day" kind of situation. One of the things that my brother says about kitchen fires is the thing they hear frequently is I put some bacon on the stove, and I forgot about it, right? That's the equivalent of I thought the link was legitimate, and I clicked on it, right?
Dave Bittner: [00:32:46] (Laughter).
Joe Carrigan: [00:32:46] It's the same kind of thing.
Dave Bittner: [00:32:47] Well, it's a situation of neglect, right?
Joe Carrigan: [00:32:50] Yeah, it's a carelessness. I wouldn't say neglect. I'd say carelessness.
Dave Bittner: [00:32:52] Yeah, inattentiveness perhaps.
Joe Carrigan: [00:32:54] Right. Exactly. Marcus makes a good point about security taking a back seat to profit. Too many people view security as a cost. That it's a cost center in a business. It doesn't necessarily show any benefits. And you know what? I'm not entirely sure that that's not a correct way of looking at it, you know, in terms of - I mean, obviously, I want you to have good cybersecurity practices, but there are no consequences for having bad cybersecurity practices, right? Like, for example, the Target breach or any of these other major breaches we've seen, there are no consequences for these things, for companies. They don't see any benefit to it. Maybe this is something for regulation, or hopefully, this is something that consumers will decide for themselves. But I don't see that happening.
Joe Carrigan: [00:33:32] I think there's going to have to be some kind of regulation that penalizes companies stiffly for failing to keep their customers' data safe. Automation is going to take us a long way, but it's not going to be a panacea. The biggest problem is still going to be the people, which is why we have this podcast, right? Marcus is right about failing. It's important to realize that failure is going to happen in this field.
Dave Bittner: [00:33:53] And it's an opportunity to learn.
Joe Carrigan: [00:33:55] Exactly. It is an opportunity to learn. And what is important is how you handle that failure and how you respond to it. And I think Marcus' biggest point and the point of most of his books here is that cybersecurity professionals should not be protective of their information. I don't think anybody should be protective of their information or unwilling to share their knowledge with people in their field. I think that's counterproductive. And I think that being unwilling to share your knowledge in the field is a non-starter for me. Marcus made the point that when he interviews somebody, he wants to see how well he would like working for that person.
Joe Carrigan: [00:34:25] One of the things that I go through when I'm interviewing people is I like to see how open they are with sharing information and their methods and their thinking about things. And I have a personal story about this. One time when I was still working in development, I got put on a new team where we were doing development with a framework that I was absolutely not familiar with. And the person who was leading the development was absolutely unhelpful in any of my questions and understanding the paradigm. When I would ask a question, the person would do things like send me a link to Let Me Google That For You, right?
Dave Bittner: [00:34:58] (Laughter) Oh, nice.
Joe Carrigan: [00:34:59] Yeah, right - which is not a way to conduct yourself in a development team when somebody who is new to the project has questions, right? That is going to happen, and that is - new people are always going to have questions, and it's imperative whatever your business is that you are, and every member of your team, is willing to help that person come up to speed as quickly as possible. And if I thought that the interview subject was going to be that kind of a person where they're not going to share their information or they're going to say, just go Google it and I'm not going to help you, then no I'm not going to hire that person. That's a person I don't hire because this has to happen organically and in a team environment. And everybody has to be a good team player. And this is I think is - the single most important thing in a team player is how willing they are to share their information and their skills.
Dave Bittner: [00:35:48] Yeah. And you have to nurture that environment where people feel safe to ask those questions.
Joe Carrigan: [00:35:55] Right.
Dave Bittner: [00:35:55] Because otherwise those questions go unanswered and then bad things can happen...
Joe Carrigan: [00:36:00] Absolutely.
Dave Bittner: [00:36:00] ...Simply because people are afraid they're going to look dumb or they're going to get ridiculed or made, you know - felt - made to feel foolish for just asking a question. And that's not helpful.
Joe Carrigan: [00:36:12] No, it is not.
Dave Bittner: [00:36:13] Well, our thanks to Marcus Carey for joining us. Again, those series of books, it's called the "Tribe of Hackers" - well worth your time, so do check those out. And we appreciate him taking the time for us. And, of course, we thank all of you for taking the time to listen to our show.
Dave Bittner: [00:36:28] And we want to thank our sponsors, KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:36:43] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:36:51] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:37:05] And I'm Joe Carrigan.
Dave Bittner: [00:37:06] Thanks for listening.