
A cyber carol.
Unidentified Person: In the cold, mysterious corners of the cyber world, where digital ghosts haunt and malicious spirits lurk, three brave souls gather around the proverbial fireplace, ready to unwrap the secrets of malware. Tonight, meet our merry malware mavens, the wise yet weary Rick, the Malware Ghost of Breaches Past, the sharp and cunning Selena, the Phantom of Threats Yet to Come, and the ever cheerful, ever curious Dave, our Ghost of Malware Present.
Rick Howard: Let's see what ghastly gifts the cyber specters have left under our tree tonight.
Selena Larson: Oh I spy a nasty ransomware attack. These have been lurking around for centuries.
Dave Bittner: And here's a holiday treat for us all, a shiny new malware scheme wrapped in a bow.
Unidentified Person: So, snuggle up tight, brave listeners as Rick, Selena, and Dave guide you through the malware stories that haunt, the ones that chill, and maybe even a few that thrill. Because remember, the Ghosts of Malware never truly sleep. [ Music ] Welcome to "The Cyber Carol", where every download could be your digital undoing. Now, who's ready for a little holiday haunt? Our journey begins with a ghostly trio of malware experts, each one bringing tales from different realms of cyber lore. First, let me introduce to you Rick, the Malware Ghost of Breaches Past.
Rick Howard: Yes, indeed, I've seen it all, from the very, very first viruses to the earlier ransomware that held us hostage. Think of me as the ghost that remembers where it all began. And I'm here to remind you why history has a habit of repeating itself.
Selena Larson: Next, guiding us through the haunted here and now, please welcome Dave, the Ghost of Malware Present.
Dave Bittner: I'm your guy for all the latest and greatest in malware, coming straight out of today's naughty list from phishing schemes to malware with festive new twists, I've got everything happening right now in this chilling little stocking.
Unidentified Person: And last, hailing from the unknown reaches of what may be, we have Selena, the Phantom of Threats Yet to Come.
Selena Larson: The future is a dark, winding code, riddled with exploits, zero-days, and malware we've yet to imagine. I'm the ghost with a glimpse of what's lurking ahead, so tread lightly lest you find yourself in my shadow. [ Music ]
Rick Howard: All right, with a nod towards the Charles Dickens classic that we're trying to emulate here, "A Christmas Carol". I am the ghost of Christmas past, your past, Dave, and these are the shadows of multi-factor authentication. Okay, and this is what they are and what they are, don't blame me. Okay and if you remember back in the old days, Fernando Corbato invented passwords in the early 1960s and ever since then, we've been trying to figure out how to make that better. We haven't fixed it yet but we've been working on it with two-factor authentication. So let me summarize, okay, how they work, and then we can talk about how secure they are. [ Music ] First up is SMS verification. If you're an Internet troll like me, the Ghost of Christmas Past, and I want to log into audible.com, the website sends a text message with a one-time code for me to use. I enter the code into the audible.com website to gain access to my account. So that's kind of the first two-factor authentication scheme. The next is email verification, very similar to SMS, except the message is sent via email and not via a text message. The next is Authenticator soft tokens, like Google Authenticator, ID.me, Blizzard's Battle.net which I use every day, and LastPass. So Authenticators use an Internet Engineering Task Force algorithm to generate one-time codes. I want to log into my Google G Suite account. G Suite asks me for a one-time code. I open the Google Authenticator application on my smartphone and look up the listing for Google. So I have several listings to choose from, like LastPass or others. The algorithm is standard so Google's Authenticator can be used to log into other companies' apps like Microsoft or Amazon. And I noticed that for each listing, there is a countdown, like for every 30 seconds the Google Authenticator app generates a different code to use. So I try to remember the six-digit code and enter it into the Google login screen before the timer winds down.
The next method is push authentication. We get this kind of thing from Google, Apple, and others. It's not SMS verification because they don't use codes. When I get summoned by my mother-in-law to fix some tech issue with her iPad, I might need to log into my Gmail account to retrieve some information. Google doesn't recognize the mother-in-law's iPad that I'm trying to use as a registered device, and pushes a notification to me via the Google application on my iPhone. I open the Google application, push a button that says, Yes, I am indeed the Ghost of Christmas past, and that's all it takes. It's way more harder to explain than it is to do. But in the end, I get to access my Gmail account on my mother-in-law's iPad. Apple's version is similar, but it's not tied to an application. It uses the operating system. So there's one more shadow in the two-factor authentication space that you may all have heard of. It's called Passkey, and it uses the asymmetric key model made famous by Whitfield Diffie and Martin Hellman back in the 1970s. Apps or websites store your unique public key. Your private key is only stored on your device, and your device authenticates your identity. The two keys combine to grant you access to your account. Usually, the device has software generating the passkeys uses a biometric authentication tool, such as Face ID or Touch ID, to authenticate your identity. Passkeys also sync across devices, making them really easy to use. And the last one on the list is universal second-factor authentication. It's kind of an open standard that uses the universal serial bus or near-field communication devices. So I want to log into LastPass password manager to access corporate accounts. I enter my user ID and password, and then LastPass asks me to insert my physical authentication USB key into the laptop, in this case my Yubico YubiKey. I touch the button on the outside of the physical key and LastPass grants access.
And the way this works is that USB creates a public-private key pair for each website like LastPass. The user's browser verifies those keys and allows me to gain access. So those are the things at our disposal. I've gone up from very old stuff, everybody, from the original password, user ID password pair back in the 1960s, to kind of where we are today. Let me ask the Ghost of Christmas Present, did I get all that right?
Dave Bittner: Well, it seems to me like you did, and what I wonder is, is the username and password combination, is that the Ghost of Security Past? And then multi-factor authentication is the Ghost of Security Present, and passkeys is the Ghost of Security Future.
Rick Howard: I really think it is. I think passkeys are the future for most of the things we need to do on the internet. If you have to be really secure, like if you're a spy or if you're protecting corporate secrets, you should be using the hard token for your most important secrets, right? But for everything else, I think Passkeys is going to be the thing. Selena, what do you think?
Selena Larson: Absolutely, and unfortunately, though, I think there are many people that are still living in the past, right? I mean, I think that MFA everywhere is --
Rick Howard: Where I live, which I'm okay with.
Dave Bittner: Your words, not mine, Rick. Your words, not mine.
Selena Larson: Rick is haunting the computers of everyone that doesn't use MFA. Yeah, I mean, it's interesting because everything has gotten a lot easier, right? I feel like back in the day, it used to be this when everyone was adding a second factor to their login and password, and typically using SMS authentication, it was like, Oh my goodness, yet another thing that I'm going to have to remember to do, yet another box that I'm going to have to click. But I think we've seen a shift in human behavior where it's a little bit more accepted now, where it's like, Oh, okay, I know that I have to do this, it's still a bit of a pain. But with the, like you're mentioning, Rick, like with the YubiKey, a physical key that you just it's something that you have, it's so easy to incorporate into your wake up in the morning and you log in and you touch something and you're all ready to go. So I think being more secure is also a little bit more streamlined in many ways.
Rick Howard: Well, you say that but, you know, and I love the hard token authentication method but I'm going to lose that device, okay? As the Ghost of Christmas Past, there's no way I'm going to keep track of that thing for the rest of my life, so that's the one downside.
Dave Bittner: That's why they send you two. So you put one on your key chain, and then you put one somewhere in your home where later you can't remember where in your home you put it.
Rick Howard: Exactly, do you live in my house, Dave? That's exactly how that works.
Dave Bittner: Yeah and you know what? I mostly agree that things have gotten easier but I have to say, as much as I love hardware keys and the security and simplicity that they provide, if I'm sitting on my couch and I try to log into something and it demands my hardware key and I have to get off of my couch and walk over into the kitchen where I keep my keys, like the drawer, the junk drawer where I plop my keys when I get home, I am PO'd about that.
Rick Howard: Yeah that's not getting done that day, okay?
Dave Bittner: I mean, you know, and I guess, I keep -- when I have to do that, I try to tamp down the frustration by saying this is for security, this is for security. This is good. This is a good thing. But boy, it just, because it's a roadblock, right? It just stops you from doing what you want to do.
Rick Howard: It's friction.
Selena Larson: Are you waiting for the future of biometrics everywhere, Dave? Where if you're sitting on the couch, you can just look at your phone and it'll say, Yep, this is Dave.
Dave Bittner: I'd say we're most of the way there, because I love, like, Face ID on my iPhone and I loved Touch ID before that. And I think they were very effective and overall very secure, and I think passkeys are going to be the next step with that. I'm curious that it seems to me that passkeys are a little slow out of the gate, like, people are still figuring it out.
Rick Howard: It's so true. I mean, we say, Yeah, it's way easier, okay? But, you know, it's one thing for a bunch of security nerds to talk about how Passkey is easier to use. But I was mentioning my mother-in-law, who's 85, by the way, and slings the iPad like she's a warrior ninja somewhere, right? But explaining how Passkey works to her, we're not there yet. It's too hard for the normal average citizen to use those same things.
Dave Bittner: Yeah, I agree.
Selena Larson: I have to admit every time I use my YubiKey, in my head, I don't know why, I don't know what this says about me, but I feel like it's, you know, taking, like, a drop of blood. Like, you must sacrifice.
Rick Howard: We're woodland animals.
Dave Bittner: We should use that for our Halloween episode, Selena.
Selena Larson: I know, but I don't know why that's in my head every time I touch it, I'm like, What is this taking from me? You know, like what?
Dave Bittner: You're looking a little pale, have you been logging into a bunch of accounts this morning, Selena?
Selena Larson: Yes.
Rick Howard: You should sit down and drink some water.
Dave Bittner: That's right, here's some orange juice and a cookie.
Selena Larson: I mean, I do think reducing friction as much as possible is really the only way that we are going to be secure and get people to embrace these technologies and use them as mandatory. Because Dave, I've definitely been there too, where it's like, I don't want to go downstairs to buy this online.
Rick Howard: Right. You don't really need it.
Selena Larson: Yeah.
Rick Howard: You don't really need it.
Selena Larson: So it's really interesting. But I do think that we have come a long way in trying to make things a little bit easier. I know, for example, like, Google has implemented some ways of reducing friction in their products and helping people basically say, you know, this is mandatory. We're going to explain to you why you need this and why you want this. And we're going to walk you through the steps to get it. And hopefully it just becomes second nature. Because, I mean, look. We can learn to pick up a phone and do TikTok dances and figure out how to splice videos together immediately. You pick the phone up, right?
Rick Howard: You can do that, Selena.
Dave Bittner: Yeah, speak for yourself.
Rick Howard: Yeah. All I'm saying is the ghost of Christmas past, okay? We invented passwords in the 1960s. It is now 60 years have gone by before we've even started to make it slightly easier to log into things. So we have a ways to go.
Dave Bittner: Yeah.
Selena Larson: Well, and Christmas Past, because the Ghost of Christmas Past, you have seen the evolution of all of these tools in large part because the threat actors, who are really the Ghosts of the Future, keep creating new ways to figure out how to bypass these things, right? I mean, obviously username and password, that wasn't enough. Then you move to MFA, now you have SMS theft, right? Like spoofing SMS, trying to get those text codes. And then you have things like MFA phish kits. So there's like attacker in the middle phish kits that are attempting to steal those cookies and use the tokens, replay them to log into compromised inboxes. So I think that there's an evolution too, in large part, driving the broader adoption and the different ways that we have to be creative with these stuff. And ultimately, like, I think a lot of times people are like, Oh, well, no one can impersonate your fingerprint, no one can impersonate your, you know, eyeball, something. But I suspect that there is a creative Ghost of Christmas Future out there that will be able to do such a thing once that's normalized.
Rick Howard: Those pesky, you know, bad guys that even for the push authentication, which I really like, they do this really lowball attack sequence where they just feed you more and more options to hit the button so much that it annoys you so much that you just push the button to make it go away, thus authorizing the bad guy to get into your system. So it's so low tech that it works. It's low skills.
Selena Larson: It's a DDoS thing by being profoundly annoying.
Rick Howard: Yeah. [ Music ] So I think we've covered the Ghost of Christmas Past with a multi-factor authentication. Any last thoughts from anybody?
Dave Bittner: Well, it seems like, as you pointed out, it's been 60 years. So the gap between the invention of passwords and multi-factor authentication was probably 40 years?
Rick Howard: 40, yeah.
Dave Bittner: Right, so then we've had multi-factor for 20. Is it going to take 10 to get passkeys fully engaged?
Rick Howard: That is some high-order math, Dave, that I can't do.
Dave Bittner: Thank you very much. Thank you very much. Thank you very much. Is it accelerating?
Rick Howard: I don't think it's accelerating. No. I think it will take that at least a decade to get that to be normal for everybody to use. And who knows what might show up on the horizon as we are working through that.
Dave Bittner: So do you think that we have to mandate shutting off the old stuff before the new stuff can take hold?
Rick Howard: So many people just cry and scream about stuff like that, right? And so I think it's an interesting idea, but I don't think anybody would do it.
Selena Larson: Well, I'm also in the camp of SMS is still better than nothing. So if you, I mean, I know a lot of people want to make it, Oh, well, you can't use SMS as MFA. Well, for many people that is the easiest and most applicable way for them to have multi-factor authentication. And for most people, that's --
Rick Howard: I agree.
Selena Larson: -- good enough.
Rick Howard: It's better than a user ID and password, so why not, okay? Why not. And it's easy.
Selena Larson: Yeah, there's no catch-all easy solution. Although it would be nice if in the future there really was one, and everything had MFA by default, regardless of what you choose, you have to choose something.
Dave Bittner: But what if the big players, if we got let's say, Google, Apple, Facebook, who else? Who's the other big one?
Rick Howard: Microsoft.
Dave Bittner: Microsoft. We got those big players to all say, Okay, everybody, January 1st, 2027, we're going to transfer everything, we are going to migrate you to Passkeys and you have a year beforehand where we're going to try to show you how to do it and we're going to make it as easy as possible, but this is happening, this we have all decided. What if CISA said, you know, we want everyone to do this, what if, dare I say, it was regulated.
Rick Howard: Are you sure this is not the Halloween episode where we're supposed to be afraid of everything? Well there has been strides in that. Microsoft during the pandemic years made big pushes for their user base on their Windows clients to use -- to get away from a user ID and password to log in and so, but they didn't get rid of the old way, they just put the new way up front. So maybe that's the way it is. You know, make it easier that way.
Selena Larson: I also have to say, speaking of password innovation, Apple via iOS and the Apple ecosystem has their own password manager now. So with the most recent updates, you can use Apple's built-in password manager. They make it super easy to save and store and access passwords, having -- setting up MFA, things like that. So I do think that the organizations, the big technology companies, consumer in terms of Apple and enterprise in terms of Google and Microsoft, have really pushed in that direction. But to your point, Dave, I think, frankly I don't think there's really going to be any significant movement on a lot of the things that we would like to see across the security landscape, unless there is some sort of consequence for not doing so beyond just paying cyber criminals when your enterprise is hacked. So it should be interesting to see, but yeah, it's, for any Apple users, if you don't have the password manager or, you know, explaining to your family and friends that you should use one, there's at least a way to make that really easy now.
Rick Howard: Well as the Ghost of Christmas Past, let me put an end to this discussion. It feels like multi-factor authentication, the community still has one foot deeply in the past, so that's appropriate for me. So I think we should call that quits for this particular topic. [ Music ]
Selena Larson: Stay tuned, there's more to come after the break. [ Music ]
Dave Bittner: Alright, well, I want to talk about social engineering, and I have created for you all a social engineering carol. Are you ready?
Rick Howard: I'm ready.
Selena Larson: Ready.
Dave Bittner: Alright, sit back and enjoy. It goes like this. [ Music ] Click was careless to begin with. No one doubted it. Careless with his passwords, with his emails, with the relentless training reminders from IT, he swept aside with a shrug. Ebenezer Click was indifferent to cyber security, right up until the night the spirits came calling to show him the vulnerabilities of the past, present, and the chilling risks of a future unsecured. One foggy December evening, as he's working late, Ebenezer is visited by a series of phantoms. Ghosts of social engineering, to be exact. Each spirit arrives to teach him a lesson on the costly dangers of his negligence, and the profound consequences of overlooking cyber security. The first ghost, a wizened figure draped in a familiar nostalgic glow, appears and takes Ebenezer on a journey through past social engineering attacks. Look, Ebenezer, at the lessons from the past. The ghost beckons, showing him infamous breaches like the 2014 Sony hack. In this case, just a few unguarded emails from employees allowed hackers to infiltrate and exploit weaknesses within the entire company. Backdoors were found, sensitive information was leaked, and reputations were tarnished. The spirit then takes Ebenezer to a simpler time, his very own early days at the company, when he received training on password protection and phishing. Yet he recalls that he dismissed it, even using the same password across platforms. This lack of caution, the ghost points out, has put him at risk ever since, illustrating how old habits linger, silently eroding his defenses. Next comes the ghost of social engineering present, a sharp-eyed phantom who peers over Ebenezer's shoulder at his computer. Ebenezer, let us look at the present, the ghost says, showing him the stark reality of today's cyber landscape. In a blink, Ebenezer watches himself in real time clicking on a suspicious link in a fake LinkedIn invitation.
The screen shows his profile, personal details, and even confidential work contacts copied and shared. Without a second thought, you let an attacker into your life and into your company, the ghost says, waving its hand to reveal an avalanche of phishing messages sent out using Ebenezer's contact list. With each click by a colleague, the attacker gains a foothold in the company network, positioning malware to extract information and map out the organization. The ghost also takes him to the world of his online presence, posts about work and conference locations, information about his family, and even a selfie he took at his desk, with passwords visible on sticky notes. All of these details fuel the attacker's arsenal. Social media, Ebenezer, is like handing your keys to a stranger, warns the ghost. Finally, a hooded figure, the ghost of social engineering future, shows him what lies ahead if he continues down this path of neglect. Ebenezer is shown a devastating scenario where his failure to heed warnings leads to a full-blown data breach. Critical company secrets are leaked and customers' trust crumbles. He sees the news headlines, the frantic calls, and the massive financial loss. His own name appears in the headlines marked by scandal and negligence. >> Ebenezer Click causes largest data breach in Christmas Carol history. Desperate to save his company's reputation, he struggles to recover, but the damage to the company's name and its customer base is irreversible. Is this truly my fate? He pleads with the ghost, who says nothing, but points toward his inbox, where he has countless unread security updates and ignored training sessions. [ Music ] When Ebenezer wakes, he's struck by the realization that he's been granted a second chance. With newfound resolve, Ebenezer rushes to his office window, throws it open and calls out to a passing intern below, What day is it? He shouts, excitement in his voice.
>> Unidentified Person: Why, it's Cyber Security Awareness Day, sir. The intern replied, puzzled. Then there's still time, Ebenezer exclaims, grinning. Time to secure every last device, every password, every soul here. He rushes back inside. And from that day on, he's a changed man, one who's vigilant, wise and as ready to protect his company as he is to help others understand the importance of cybersecurity. Ebenezer Click, once careless, now leads with awareness and purpose, embodying the spirit of a new kind of holiday cheer. A world of workspaces more secure, employees more aware, and systems more resilient. Today and every day that follows. [ Music ]
Rick Howard: Wow! Nicely done, sir. Okay, that is nicely done.
Selena Larson: Incredible carol, Dave.
Dave Bittner: Thank you, thank you very much.
Rick Howard: As we were preparing for this show, I went over and looked at the original "Christmas Carol". And it's a novella by Dickens. It's very short, and Dave, you managed to hit the nuances of that by making it a very compelling, in short, Christmas carol. So, nicely done, sir.
Dave Bittner: Well, thank you. I did my best. I did my best. By the way, while we're on the topic here, do each of us have our favorite telling of "The Christmas Carol"? Is there one that stands out to you?
Rick Howard: Oh, it was fun going through them this morning as we were preparing for the show. I will defer. Okay, what do you -- what do you like, Selena?
Selena Larson: My favorite is "The Muppet Christmas Carol".
Rick Howard: Oh, yeah. Yeah, my favorite. My favorite.
Dave Bittner: I think it's my favorite as well. The fact that, oh, what's the actor's name in that one. Rick, help me out here.
Rick Howard: Michael Caine.
Dave Bittner: Michael Caine, yeah, thank you. The fact that Michael Caine plays it completely straight as if he is cast with Shakespearean actors.
Rick Howard: Yeah. Yeah.
Dave Bittner: Yeah. Totally makes it. I'll say a close second for me is the one with Mr. Magoo. I don't know if you've ever seen that one.
Rick Howard: Of course I have.
Dave Bittner: Rick maybe? Yeah. Probably not for Selena.
Rick Howard: Selena probably doesn't even know who Magoo is, right? That's how old that cartoon is.
Selena Larson: I can't say I do.
Dave Bittner: Well, there's no shame. But "The Mr. Magoo Christmas Carol" used to be in heavy rotation when I was a child, and it was -- parts of it were frightening. The Ghost of Christmas Future, you know, the hooded figure with the bony hand pointing at the gravestone, is quite chilling. Yeah.
Rick Howard: I will say that my second choice is the Disney version, and I thought that they did amazingly well at casting all the Disney characters in those various roles. Like, the Ghost of Christmas Past is Jiminy Cricket, right? And, which is perfect, it's just perfect, right? So, so that'll be my second choice. But Muppets, we've talked about this before. Most of those shows, the Muppet shows where they do classics, my favorite is "Treasure Island", okay? With Tim Curry, he plays it straight too, okay? And that's the way that makes those shows great.
Selena Larson: I just recently re-watched "Muppet Treasure Island", actually, after we talked about it last time. It's so good, it still holds up. It's fantastic.
Dave Bittner: I really want the Muppets to do a "Rocky Horror Picture Show".
Rick Howard: Oh man, that would be good.
Dave Bittner: Wouldn't that be amazing? I mean, it'll never happen, but that's one I would love to see.
Selena Larson: Time-warping Muppets, can you imagine? Yes, yes. Animal in the back, I can see it now.
Dave Bittner: All right, so that's social engineering. Selena, what do you have for us? [ Music ]
Selena Larson: So I like thinking about both of these topics, past, present, future. They kind of all play a little bit into what I was thinking about recently. In the past, we saw a lot of targeting of consumers, right? Home users, everyone had their photos that could be ransomwared. We were all using various chat apps. People were, you know, had their home computers versus their work computers, and the threat actors were targeting individuals. Everything going all the way back to the AIDS Trojan, to pop-ups and adware, you know, favorite websites, exploit kits. And then we saw the rise of targeted big game hunting within the enterprise. And so threat actors realized, you know, I could get a lot more money going after businesses than the individuals. Well, I feel like recently and perhaps looking forward, we're seeing the return to threat actors targeting people at home, on their phones, in their places where they are not conducting work. Oftentimes those overlap, certainly, and can be threats within the enterprise. But things like pig-butchering, for example, romance-based crypto scams, where someone will, you know, lure them in a long con, which is kind of the evolution of romance scamming anyways, but the payoffs can be really big and cost people their entire life savings. So it's not, you know, paying $250 to get a ransomware key, but rather potentially $250,000 into a fake crypto investment. So, you know, we've always had confidence scammers. I mean, there are certainly plenty in the days of Charles Dickens going around in their boxes selling snake oil, trying to get people to buy into things that didn't exist. And now what we see are the same confidence-based scammers trying to get people to make decisions to do bad things. And in many ways, it is coming back to the individual. 
And I think this plays a little bit with the MFA, it plays a little bit with the social engineering, but it's very much going and focusing on identity rather than potentially product or service. And so I think we might see that more often. [ Music ]
Rick Howard: Well, as the Ghost of Christmas Past, I remember those early days when bad guys were attacking the individuals, right? And what it exposed back in those days was the elaborate business process that cyber criminals had. I mean, just to imagine what you were talking about that, Selena, where some bad guy calls grandma and says, If you want your pictures of your kids and your cats back, pay us a Bitcoin. All right, but the back end of that was there were English speakers in business processes that could walk grandma through a Bitcoin transaction. Because I don't know if I still, I don't know if I could do that today, right now, without having to spend some time, right? So in a second language, explain to grandma how to get a Bitcoin so they could pay for the ransom, right? So it exposed how organized the back-end business process was of cyber criminals.
Selena Larson: And we still see that, and if anything, it's gotten better. It's gotten bigger, it's gotten more profitable, and it's building criminal ecosystems that function pretty much as businesses. And I think, you know, we're seeing the sort of pig butcher scammers, they're having these same businesses, they're, you know, working in groups and trying to prey on people and their emotions and their individuality to try and get them to do things. And I think, you know, that whether it's trying to get into an enterprise or trying to get personal bank information, right, you have to be creative and targeted and kind of using social engineering, using that identity that you might get from MFA bypass and to target, you know specific individuals. And it's, I don't, I think it's very interesting because people, we've gone from not trusting the internet at all to trusting it and believing it and believing everything you read, to back, oh wait, we have to not trust it again.
Dave Bittner: You know, I remember about five years ago or so, and I'm probably off by a year either way, but you know, at the end of the year, lots of people want to talk about predictions for the coming year, right? And when I'm talking, interviewing people about what do they think is coming next. And I remember there was pretty much consensus, and this was back in the early days of ransomware where it was about locking up grandma's computer for 50 bucks. Right? And there was consensus that in the coming year, we were going to see ransomware fade away and the real action was going to be crypto mining. Because crypto mining was kind of a victimless crime, because you could crypto mine on somebody's machine while they were asleep, and they probably wouldn't notice. So you could just have these botnets of crypto miners, and that would be the way to make money. And of course, the opposite happened, right? The ransomware folks, they went in for big money. They shifted from the home user to the whales and going after corporations and millions of dollars. So to me, it's an interesting thing to look at the past and try to predict the future, how here was something that a lot of people thought it was going to go one way and it went exactly the opposite way of what everybody thought.
Selena Larson: Well, and also what's interesting is, okay, if you're thinking from a threat actor perspective, I'm doing all this crime, I'm targeting these home users, I'm getting a little bit of a payout, but I will get more if I target the enterprises. Then you have law enforcement being like, oh, hold on a second, that's a lot of money that you're stealing. And that's disrupting critical infrastructure, that is disrupting finance, that is making huge waves. Wait, wait a second, we have to go after them now. So, threat actors.
Rick Howard: I didn't understand that until you just said this. I was saying, what made them go back to the individual? Because the money is at the big corporate gigs, right? But you're saying because they focus law enforcement on them, they need to go where they're not being paid attention to. Is that what you're saying the cause is?
Selena Larson: I think that might be playing a role. Because we had this year major disruptions to, law enforcement disruptions to malware ecosystems from ransomware strains to the loaders and the botnets that were enabling these sort of big game hunting. And it's interesting because since then, at least from a cybercrime perspective, the landscape has been fairly quiet. We're all wondering, like, what happens next? And then you see the evolution of things like a lot more targeted type of threats, lower volume, very specific. You have threat actors that are now calling people or sending phone numbers to get them to interact with them, to download something, to specifically text them on their phone, offering them a job, offering them a romance scam. So it's not necessarily --
Rick Howard: So not as much money, but a safer way to operate, is what you're saying.
Selena Larson: I mean, I think that could potentially be playing a role. Maybe not hitting quite as big to try and not make such a big impact. So yeah, there might be a change in calculus a little bit with all the heat paid to some of the most successful cybercrime.
Dave Bittner: You know, I've wondered sometimes when I'm alone.
Rick Howard: Dangerous pastime, I know.
Dave Bittner: Well, my thoughts get the better of me. And I wonder if there are white hat or gray hat hackers out there who quietly think about in their retirement years, will they adopt what I refer to as a nuisance ransomware, right? Just a low-level sort of thing where, you know what, this retirement account isn't paying off what I thought it would, and so I'm going to send out nuisance ransomware.
Rick Howard: Yeah, retirement job. It's a hobby.
Dave Bittner: You're just reaching out to people and saying, okay, look, I locked up your system, ten bucks. Ten bucks and I'll unlock it, right? And so if you do that to enough people because the other part of that, speaking about the safety part, I mean, the folks I talked to like on our own "Hacking Humans", if you go to your local law enforcement and say somebody cheated me out of $50 through a social engineering thing, they're just going to be like, And?
Rick Howard: Yeah. Yeah. I mean, it's like $10,000 or something like that. I forget what the last time I looked.
Dave Bittner: So, you know, I just wonder, is there a return, as you say, Selena, is there a return to nuisance level, low threshold, but still profitable ransomware? And what's the equilibrium?
Rick Howard: Especially for a retiree.
Dave Bittner: Right. What's the equilibrium? Like, where do we hit where society says we can live with this?
Rick Howard: Can I just pause before you answer that, Selena? Because I think that's the first time I've heard it mentioned anywhere, that we are considering hackers to be considering retirement for themselves. Right? It's the first, right? We've never talked about that before.
Dave Bittner: Well, it's true. I mean, well, I mean, so you think about it, the first generation are at retirement age now and that's never happened before. That's never happened.
Rick Howard: Breaking news.
Selena Larson: If they're not collecting a government paycheck in their retirement age, then that's a fine -- that's a mental thing. Yeah, I, you know, I'm not sure. This again is just Selena having a hot take, but I am seeing that the rise of pig butchering with the evolution and expansion of a lot of social engineering techniques and these scams and fraud that are a little bit, you know, less profitable, but still kind of following some of the techniques that we're seeing. I think that's definitely a possibility and I do think that right now, all different threat actors across the cyber criminal spectrum, especially those who are a lot more sophisticated, are seeing the impacts of law enforcement disruption and wondering, What do I do now? And how can I either fly under the radar or should I just be out the game entirely? Should I call it quits, stay on my yacht in the Black Sea, you know, drinking vodka and enjoying the sunshine. [ Music ] We'll be right back. [ Music ]
Dave Bittner: Well, gang, I have to be moving along here. I am actually getting a little hungry and I have fixed myself a festive and delicious dip for the Christmas holiday, a cranberry jalapeno cream cheese dip. That's right, cranberry and jalapeno. It's red and green for the holidays. It's a perfect mix of sweet, tart, spicy, and creamy, and it works with all the holiday flavors. So I'm going to run off and enjoy that.
Rick Howard: And you're sharing that with the crowd, right, Dave? Or am I wrong about that?
Dave Bittner: No, I'm not sharing that with anybody. It's mine.
Selena Larson: I am going to a white elephant party and I'll be wrapping up all of my presents as something cyber-related. So maybe I will pack up some YubiKeys and put them in various stockings.
Dave Bittner: I'll bet you're popular at parties. Here comes Selena with her two-factor authentication. Just smile and nod. How about you, Rick? What are your holiday plans?
Rick Howard: My holiday plans are to sit in front of my big fireplace, thinking about the past, and not doing a damn thing. That's what I'm going to do.
Dave Bittner: I think we can all get behind that.
Selena Larson: The perfect plan, absolutely. [ Music ] And that's "Only Malware in the Building", brought to you by N2K and CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Tre Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
Dave Bittner: I'm Dave Bittner.
Rick Howard: And I'm Rick Howard.
Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ]