Joe warns of scammers taking advantage of natural disasters, Dave explores romance scams, and gets a strange voice mail.
Stephen Frank from the National Hockey League Players Association joins us to share how professional athletes protect themselves from online scams.
Stephen Frank: [00:00:00] As we all build out our social media profiles and online presence and gain followers and, you know, have more information about us published online, we will in some ways approach where these celebrities are today within the next 10 years.
Dave Bittner: [00:00:18] Hello, everyone, and welcome to The CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire. And joining me, as always, is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:39] Hi, Dave. How are you?
Dave Bittner: [00:00:40] I'm doing great. And, as always, we've got some interesting stories to share. Later in the show, we'll have my interview with Stephen Frank. He's the director of technology and security at the National Hockey League Players' Association. But before we get to all that, a quick word from our sponsors, our friends at KnowBe4.
Dave Bittner: [00:00:59] So who's got the advantage in cybersecurity - the attacker or the defender? Intelligent people differ on this, but the conventional wisdom is that the advantage goes to the attacker. But why is this? Stay with us, and we'll have some insights from our sponsor, KnowBe4, that puts it all into perspective.
Dave Bittner: [00:01:21] And we're back. Joe, got some interesting stories to share this week. I want to start off by asking you, have you ever had someone contact you online with the promise of romance?
Joe Carrigan: [00:01:31] I have never had anyone contact me online or offline with the promise of romance.
Dave Bittner: [00:01:38] (Laughter) You're a happily married guy.
Joe Carrigan: [00:01:39] Yes. I am.
Dave Bittner: [00:01:40] It must've happened sometime along the lines, I guess, right? (Laughter) Back in college, or something? But, at any rate, I have certainly received friend requests on Facebook from...
Joe Carrigan: [00:01:50] Yes. I have gotten those friend requests and Instagram requests.
Dave Bittner: [00:01:54] Yes. Young women, usually with alluring photos, who are telling me how lonely they are. You know, and they're just looking for someone to talk to. Someone to...
Joe Carrigan: [00:02:05] (Laughter).
Dave Bittner: [00:02:05] A shoulder to cry on. Right?
Joe Carrigan: [00:02:06] I'm sorry. My youth has made me jaded and suspicious towards this.
Dave Bittner: [00:02:10] Yes. Well, and then inevitably, those accounts are brand-new accounts with no common friends, and so, you know, they go right into the trash bin. But imagine it happened in a different direction. Imagine someone started impersonating you online using your image and your identity as the foundation for a romance scam.
Joe Carrigan: [00:02:27] Hmm.
Dave Bittner: [00:02:28] Now, lucky for both of us, neither of us are strapping, you know, tall, chiseled, good-looking guys.
Joe Carrigan: [00:02:35] (Laughter) Right.
Dave Bittner: [00:02:35] They'd probably use us as the basis for a romance scam.
Joe Carrigan: [00:02:39] Talk about something going right in the bin.
Dave Bittner: [00:02:40] There you go. But there's a gentleman named Bryan Denny. He's a career Army officer. He's a veteran of Desert Storm, Operation Iraqi Freedom and Operation Enduring Freedom. And this story came to us from the Task and Purpose website, which is a site that caters to folks in the military. It's written by David Leffler. And so Bryan Denny started getting messages on LinkedIn and on other social media sites from strangers. And these were women that he'd had no previous relationship with, and they were asking why he failed to show up for a planned meeting.
Joe Carrigan: [00:03:10] Hmm.
Dave Bittner: [00:03:12] Turns out that the scammers had been using photos of him that they'd gathered online, and they created hundreds of fake accounts for him. Some of them used his real name, some didn't. So imagine you've got this handsome man in uniform. And everybody loves a man in uniform.
Joe Carrigan: [00:03:12] Right.
Dave Bittner: [00:03:28] And they'd create these fake accounts on Facebook and other places, and they'd just reach out to women. And they'd say similar to what I described earlier - you know, I'm a guy looking for some companionship. I'm lonely. And in this article, they actually contacted one of the women that was a victim of this. Her name was Sharon Hughes. She's a 65-year-old retired nurse and divorcee. And she got drawn into this. She got divorced back in 2003...
Joe Carrigan: [00:03:54] OK.
Dave Bittner: [00:03:55] ...And she was looking for someone.
Joe Carrigan: [00:03:57] So she's been single for quite some time.
Dave Bittner: [00:03:58] She's been single for a while, and she was - she'd put herself out there. She was hoping to find someone. So imagine, in her inbox come these pictures of a handsome gentleman - man of great character, who, you know, helps defend our country, upstanding guy - and just starts with regular, just casual conversation.
Joe Carrigan: [00:04:19] And it doesn't seem too good to be true, does it? It seems highly plausible.
Dave Bittner: [00:04:23] Well, I suppose the random contact, out of the blue...
Joe Carrigan: [00:04:23] Right.
Dave Bittner: [00:04:28] ...From someone you don't know would certainly tip someone off. But you can understand how someone who is maybe lonely and looking for companionship, someone pops up out of the blue and says, hey, I came across your account here on Facebook, and I'm just wondering if maybe we might chat a little bit...
Joe Carrigan: [00:04:43] Yeah.
Dave Bittner: [00:04:44] ...What could possibly go wrong?
Joe Carrigan: [00:04:45] Right.
Dave Bittner: [00:04:46] So over time, she developed an online relationship, what she thought was an online relationship. And she actually ended up sending him over $35,000 in cash and electronics.
Joe Carrigan: [00:04:59] Wow.
Dave Bittner: [00:05:00] Yeah. Reached out to him and wondered why he didn't show up for their first meeting because as far she was concerned, the two of them were engaged.
Joe Carrigan: [00:05:08] Huh.
Dave Bittner: [00:05:10] So - never met, online relationship, tens of thousands of dollars.
Joe Carrigan: [00:05:14] Yep.
Dave Bittner: [00:05:14] The promise of an intimate relationship.
Joe Carrigan: [00:05:17] Yeah.
Dave Bittner: [00:05:18] And the whole thing was a scam.
Joe Carrigan: [00:05:20] That's sad.
Dave Bittner: [00:05:21] It is sad. It's interesting how they can amplify it online.
Joe Carrigan: [00:05:26] Right. And how it can lead to the point where people have sent tens of thousands of dollars to people they've never met just because these scammers provide the victims with something they need, some kind of affirmation.
Dave Bittner: [00:05:40] Right.
Joe Carrigan: [00:05:40] They influence them.
Dave Bittner: [00:05:41] Well, and they make them feel good.
Joe Carrigan: [00:05:42] Right.
Dave Bittner: [00:05:43] And if you're lonely, and here's someone reaching out, and you look at the pictures and you start to create this story in your mind. This woman said that her friends were telling her it was too good to be true. She was out house shopping for the two of them.
Joe Carrigan: [00:05:55] Really?
Dave Bittner: [00:05:55] Yeah.
Joe Carrigan: [00:05:56] Wow.
Dave Bittner: [00:05:56] She couldn't bring herself to believe that this was a scam. And this is - you know, this was an educated woman. She's a nurse. Like we say, you know, everybody has something that they could fall for.
Joe Carrigan: [00:06:07] That's what Chris Hadnagy was saying in our very first episode - was that there's something out there that's going to get - that will work on any of us.
Dave Bittner: [00:06:14] Right. Right.
Joe Carrigan: [00:06:15] So if you're a scammer and you go out there - you can look at it from the sales point of view. I had a very brief and failed sales career early in my career.
Joe Carrigan: [00:06:24] But one of the points in sales was if you ask enough people, one of them will say yes.
Dave Bittner: [00:06:29] Yeah.
Joe Carrigan: [00:06:30] Right.
Dave Bittner: [00:06:30] Yeah, and it's a numbers game.
Joe Carrigan: [00:06:31] Yeah.
Dave Bittner: [00:06:32] I mean, think of hundreds - and, of course, this gentleman Bryan Denny - now he's dealing with the fallout.
Joe Carrigan: [00:06:38] Right. Now he has to deal with this as well because he's essentially been the face of this scam...
Dave Bittner: [00:06:43] Right.
Joe Carrigan: [00:06:43] ...The persona behind it. They've taken his identity in a way. They may not have stolen, you know, his social security number or any other real information that can harm him. But his good name is now out there being besmirched by these scammers.
Dave Bittner: [00:06:57] Yeah. Well, it's a cautionary tale and a reminder. Reach out to your loved ones. Particularly - these scammers tend to focus on older people who are single, and it's easy to find them online.
Joe Carrigan: [00:07:10] Right.
Dave Bittner: [00:07:11] So it's good to check in. (Laughter) Just check in on your loved ones and make sure that they're OK and that these sorts of things - just warn them about them.
Joe Carrigan: [00:07:18] Right.
Dave Bittner: [00:07:19] You know, like we said, you know, education sort of inoculates people against these things.
Joe Carrigan: [00:07:23] Yep. You know, just being exposed to how these scam artists operate can help you not fall victim to it.
Dave Bittner: [00:07:29] Yeah. Another example of how the online social media can make stuff look too good to be true, or things that are too good to be true - they can be convincing.
Joe Carrigan: [00:07:38] Right.
Dave Bittner: [00:07:38] All right. What do you have for us, Joe?
Joe Carrigan: [00:07:40] All right. So recently - last month actually - we had the second flood in Ellicott City.
Dave Bittner: [00:07:44] Right. Here in Ellicott City, Md., a historic town.
Joe Carrigan: [00:07:47] There was lots of damage. National Guard Staff Sergeant Eddison Hermond was killed trying to help somebody. These events have a big impact on us.
Dave Bittner: [00:07:55] Right.
Joe Carrigan: [00:07:55] You know, we went to Ellicott City as kids and hung out there.
Dave Bittner: [00:07:57] Yeah, this is my hometown.
Joe Carrigan: [00:07:59] Right. I've taken my kids to the railroad museum there. We are emotionally invested in the area, and it's a beautiful town.
Dave Bittner: [00:08:07] Yeah.
Joe Carrigan: [00:08:07] Now it's been damaged in the floods. So this emotional investment is really why it's important to us to understand that people are out there who will exploit that emotional investment.
Dave Bittner: [00:08:16] Right.
Joe Carrigan: [00:08:17] And WBAL's Megan Pringle had a story on their website where she interviewed Angie Barnett who is the president and CEO of the Better Business Bureau of Greater Maryland. And Angie Barnett was saying that in 2016, shortly after the floods, there were websites that were set up as charities, but they were, in fact, scams. They were just ways for you to send money to somebody, and none of that money went to help anybody in Ellicott City. It just went to enrich somebody else.
Dave Bittner: [00:08:43] Yeah, it's interesting because in the hours and days after this natural disaster, you saw lots of GoFundMe sites...
Joe Carrigan: [00:08:50] Right.
Dave Bittner: [00:08:50] ...Pop up, you know, for the workers at the restaurants who aren't going to be able to work for months while they're cleaning up the mess, for the owners of the buildings to...
Joe Carrigan: [00:08:58] Yeah.
Dave Bittner: [00:08:58] ...Fund rebuilding, for the tenants of the apartments upstairs.
Joe Carrigan: [00:09:03] Yep. Well, GoFundMe has created a page for verified campaigns and for businesses that were damaged by the flood. So you should definitely check out that portion of the GoFundMe website first before you send money to GoFundMe 'cause anybody can set up a GoFundMe page.
Dave Bittner: [00:09:18] Right.
Joe Carrigan: [00:09:18] It doesn't require any verification at all, but they are offering this verification now. So you can use it.
Dave Bittner: [00:09:25] The state of Maryland is helping out as well.
Joe Carrigan: [00:09:27] The state of - correct. Well, the state of Maryland actually - Attorney General Brian Frosh and the Secretary of State John Wobensmith were advising people to be aware of these scams. And the state of Maryland actually maintains a public registry of charities that are allowed to solicit for donations in Maryland. So you can check out that site as well, and make sure that where you're sending your money is a place that is recognized by the state of Maryland and is a valid charity.
Dave Bittner: [00:09:52] In your desire to be helpful, to help people in their moment of need, you got to sort of check yourself and take that extra moment to do the research to make sure that who you're sending - before you click online. And it's so easy to do...
Joe Carrigan: [00:10:04] Right.
Dave Bittner: [00:10:04] ...That it's actually a legit organization.
Joe Carrigan: [00:10:07] Absolutely. So, you know, outside of Maryland, I guess you'd have to check with your local state government - local or state government rather.
Dave Bittner: [00:10:14] Right. Better Business Bureau.
Joe Carrigan: [00:10:15] Better Business Bureau. Absolutely, and there are organizations like CharityWatch out there that you can check and make sure that what you're giving to - or you can just make sure that you're giving to a well-established charity that you know is vetted and - something like the United Way or the American Red Cross.
Dave Bittner: [00:10:28] Sure. All right. It's a good one. Time for our catch of the day. So, Joe, I was sitting here in my office minding my own business the other day when my cellphone lit up with an incoming call. And since it was not a number in my address book, I did what I suspect most of us do these days. I sent it...
Dave Bittner and
Joe Carrigan: [00:10:46] Right to voicemail.
Dave Bittner: [00:10:47] Right.
Joe Carrigan: [00:10:47] Right. Exactly.
Dave Bittner: [00:10:50] So imagine my surprise when I check the message, and here's the message they left.
(SOUNDBITE OF ARCHIVED RECORDING)
Computer-Generated Voice: [00:10:55] …Notification regarding your tax filings from the headquarters, which will get expired in next 24 working hours. And once it gets expired - after that, you will be taken under custody by the local cops as there are four serious allegations pressed on your name at this moment. We would request you to get back to us so that we can discuss about this case before taking any legal action against you. The number to reach us is 360-680-1232. I repeat - 360-680-1232. Thank you.
Dave Bittner: [00:11:35] Well, needless to say, I got on the phone and called them right back (laughter).
Joe Carrigan: [00:11:39] And you sent the money before they arrested you, right?
Dave Bittner: [00:11:40] Well, of course. I didn't...
Dave Bittner: [00:11:41] Yes, I don't want to do any jail time. Who knows? I - yeah, I gave them everything they asked for. So what do we got here, Joe?
Joe Carrigan: [00:11:50] So they're using an automated-voice generator system to impersonate some law enforcement organization.
Dave Bittner: [00:11:57] Right.
Joe Carrigan: [00:11:57] My favorite thing is that they actually call them the cops (laughter).
Dave Bittner: [00:11:59] Yeah. Instead of law - yeah. The cops.
Joe Carrigan: [00:11:59] Instead of law enforcement, police or sheriff's office...
Dave Bittner: [00:12:03] Right. Our lingo.
Joe Carrigan: [00:12:03] ...It's the cops coming to get you.
Dave Bittner: [00:12:05] Yeah.
Joe Carrigan: [00:12:05] Cheese it, the cops.
Dave Bittner: [00:12:06] Right, with a synthesized voice...
Joe Carrigan: [00:12:08] Right.
Dave Bittner: [00:12:08] ...Which is a tip-off - which I guess speaks to, behind the scenes, this must be highly automated.
Joe Carrigan: [00:12:13] Right. Yeah. Actually, you know what? That's probably a great point - is that they can hit more people with these machines than they can by sitting on the phone and telling them. They're just trying to cast a wider net.
Dave Bittner: [00:12:23] Right. So the call to action...
Joe Carrigan: [00:12:25] The call to action - yeah, you better hurry up or it - you got 24 hours - 24 working-hours. I don't know if that means three days or one...
Dave Bittner: [00:12:32] (Laughter).
Joe Carrigan: [00:12:32] ...Cycle of the sun. I have no clue.
Dave Bittner: [00:12:34] They probably don't care very much as long as you call back.
Joe Carrigan: [00:12:36] Right.
Dave Bittner: [00:12:37] They've invoked the IRS...
Joe Carrigan: [00:12:39] The IRS.
Dave Bittner: [00:12:39] ...And the police.
Joe Carrigan: [00:12:40] And the police. And you've got four charges against you. You better hurry up. You know, it's obviously a scam.
Dave Bittner: [00:12:46] Yeah.
Joe Carrigan: [00:12:47] But the thing is that - we know that someone out there is still responding to these calls because they're still making them...
Dave Bittner: [00:12:54] Right.
Joe Carrigan: [00:12:54] ...'Cause if these calls were not productive, they would not make them, right?
Dave Bittner: [00:12:59] Yeah.
Joe Carrigan: [00:12:59] There are still these economic forces that are in play. So they're sending these calls out, and somewhere it's working.
Dave Bittner: [00:13:05] (Laughter) Right. Right. Well, listen, like we say, it's a numbers game. If I send out - you know, if 1 in 10,000...
Joe Carrigan: [00:13:10] Right.
Dave Bittner: [00:13:11] ...Because the cost to make the call is practically zero...
Joe Carrigan: [00:13:14] Right.
Dave Bittner: [00:13:15] ...So why not?
Joe Carrigan: [00:13:17] Yeah. And if I get 1 out of 10,000 people, I've made a couple thousand dollars.
Dave Bittner: [00:13:20] Right. Right.
Joe Carrigan: [00:13:21] And I can make a thousand calls - 10,000 calls in a day maybe.
Dave Bittner: [00:13:25] Yeah. So...
Joe Carrigan: [00:13:26] I mean, it's the voiceover IP that's really - you know, the capability of somebody to have a telephone number anywhere in the U.S. - and I did look up area code 360. And that's in Washington state. So that is an American area code.
Dave Bittner: [00:13:38] Yeah.
Joe Carrigan: [00:13:38] It looks like an American telephone number.
Dave Bittner: [00:13:40] You know, I was - originally, I was thinking we would bleep out the number but no.
Joe Carrigan: [00:13:44] No. Go ahead. Give them a call, everybody.
Dave Bittner: [00:13:45] If anybody wants to give them a call - you know, we've considered calling them and putting them on the air. But being in Maryland, we're in a two-party consent state. So we can't just record phone calls.
Joe Carrigan: [00:13:45] Right.
Dave Bittner: [00:13:58] But if you want to have fun with these folks, please (laughter)...
Joe Carrigan: [00:14:02] I don't know if we can even encourage that to happen.
Dave Bittner: [00:14:04] Yeah, probably not. Never mind.
Joe Carrigan: [00:14:05] (Laughter).
Dave Bittner: [00:14:06] Never mind.
Joe Carrigan: [00:14:06] So don't call them.
Dave Bittner: [00:14:07] Right. Please...
Joe Carrigan: [00:14:08] Don't call them.
Dave Bittner: [00:14:09] ...Whatever you do, don't call them. Do not call them. All right. That's our catch of the day. So coming up next, we've got my interview with Stephen Frank. He's the director of technology and security at the National Hockey League Players' Association - very interesting conversation. But first some words from our sponsors, KnowBe4.
Dave Bittner: [00:14:30] Now let's return to our sponsors' question about the attacker's advantage. Why did the experts think this is so? It's not like a military operation where the defender is thought to have most of the advantages. In cyberspace, the attacker can just keep trying and probing at low risk and low cost. And the attacker only has to be successful once. And as KnowBe4 points out, email filters designed to keep malicious spam out have a 10.5 percent failure rate. That sounds pretty good. Who wouldn't want to bat nearly 900? But this isn't baseball. If your technical defenses fail in 1 out of 10 tries, you're out of luck and out of business. The last line of defense is your human firewall. Test that firewall with KnowBe4's free phishing test, which you can order up at knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:15:32] All right, Joe. We are back. And earlier this week, I had the opportunity to speak with Stephen Frank. He is the director of technology and security at the National Hockey League Players' Association. That's the organization that takes care of the players. I guess that's the union side of the hall, right?
Joe Carrigan: [00:15:48] Yeah.
Dave Bittner: [00:15:48] Yeah, yeah.
Joe Carrigan: [00:15:49] Players' association, typically the union.
Dave Bittner: [00:15:51] Right. So they look out for the interests of the players. And it's an interesting thing because, you know, professional athletes - they've got a big target on their back when it comes to people trying to scam them.
Joe Carrigan: [00:16:00] Right. Well, they're well-known, and everybody knows they have a lot of money. In fact, a lot of times, everyone will know exactly how much money they earn.
Dave Bittner: [00:16:07] Yeah. It's interesting. So here’s my conversation with Stephen Frank.
Stephen Frank: [00:16:11] I oversee development, infrastructure and support. So all three of those departments report up through me.
Dave Bittner: [00:16:17] Set the table for us. What do we need to know about professional athletes that's different from folks like you and me in terms of people who are trying to come at them and perhaps to trick them?
Stephen Frank: [00:16:29] Well, I've always said this - that professional athletes or people of celebrity status represent where we'll all be in 10 years’ time. And the reason I say that is because these individuals are in the public eye. They're high-net-worth individuals. Information is fairly easy to come by in terms of, you know, knowing their likes, dislikes, their hobbies, their charitable donations, et cetera, et cetera.
Stephen Frank: [00:16:53] So these are individuals where a lot of information can be gleaned online about them and used, in many ways, against them. When I comment about these are individuals that will represent where we are all in 10 years, as we all build out our social media profiles and online presence and gain followers and, you know, have more information about us published online, we will, in some ways, approach where these celebrities are today within the next 10 years.
Dave Bittner: [00:17:19] So describe to me what is it like for someone coming up through the league. Someone comes out. It's - I'm sure it's been a lifelong dream to be a professional athlete. Now they are, but I suspect this side of it - that people are going to be coming after them - is perhaps unexpected.
Stephen Frank: [00:17:34] Somewhat unexpected. I mean, for the most part, these athletes and/or - in many cases - celebrities - they're coached and receive guidance along the way through their junior career up through until they, you know, take birth into the NHL - the big leagues. But the shortcoming here is, you know, many of these players and/or celebrities really don't have what I would call a corporate affiliation. They haven't been trained in the ways of cybersecurity. They're not used to the policies that many corporations employ. So when it comes to, you know, operating on their home computer or using consumer-grade accounts or the like, they're not well-versed in the ways that, you know, normal corporate employees or stock employees are throughout their tenure or career.
Dave Bittner: [00:18:16] So take us through what you all do to help try to protect them.
Stephen Frank: [00:18:19] Well, I mean, the NHLPA has taken the stance of protecting its membership - both in terms of licensing the likeness of the individual - we uphold the collective bargaining agreement. But also when we look at the world of cybersecurity, we make available to our members various discounted software endpoint protection. But most importantly, and in the interest of the players as well, is their marketability online and maintaining good online hygiene. So this can include all their social media channels - Twitter, their Facebook, their LinkedIn.
Stephen Frank: [00:18:53] So we utilize a product that protects those social media channels - ZeroFOX, based out of Baltimore. And we use it, you know, in a way that allows the membership to receive notifications in the event there's an account breach, an impersonating account or perhaps, you know, retweeted links that contain malware - this sort of thing. And, you know, the players understand, for the most part, the value of their brand online. So it's in their expressed interest to protect that - maintain marketability with respect to activation, marketing and sponsorship deals.
Dave Bittner: [00:19:29] Can you give us some examples of the kinds of things that they have to deal with? When people want to target a professional athlete, how do they do it?
Stephen Frank: [00:19:37] Well, there's quite a few ways. I mean, one way is through, I guess, misinformation or in a way that suggests that a particular player, athlete or celebrity endorses a product when in fact they don't. You know, this is akin to an impersonation of sorts - complete league violation of the terms of service. And through the various products that we employ, it detects and notifies the player. And the player is able to execute a takedown through the platform remediating the issue.
Stephen Frank: [00:20:08] Secondly, with respect to any player or celebrity online, they acquire quite a few followers. And this becomes a community. And they want to ensure that the various links, retweets don't include malware and that, you know, their channel remains clean with respect to the followers or the community that they've built for themselves. So that's a second way that the ZeroFOX platform helps the players - is it ensures that, you know, these malware links are efficiently removed and, you know, staves off any issues with respect to impact to the community for the player.
Stephen Frank: [00:20:41] The third way we get involved as an association is in the event that there is online impersonation - someone pretending to be that athlete. Of course, that detracts from their overall brand, as there's someone actually trying to control their brand which is not them. And in some cases, you know, players may see as many as 150 to 200 impersonating accounts. So again, you know, in the express interest of the athlete and their marketability and online hygiene, the platform was able to remediate that by removing all those impersonating accounts and, you know, provide them with that one true voice that represents, you know, their brand, their image, their likeness.
Dave Bittner: [00:21:22] Now, I suspect that, you know, you have a spectrum of players in the league. And different players probably want to have different levels of involvement in their own social media - writing their own tweets or their Facebook posts or things like that. Then other people may be, you know, having helpers to help with that. Can you sort of take us through - what is the spectrum there? And how does that play into the work that you do?
Stephen Frank: [00:21:45] Yeah, I mean, it's interesting. The players, like anyone else in the business world, are extremely busy with respect to travel and their engagement with their respective club in the league. They do resort to assistance. And in some cases, you know, some players are very hands-on with respect to their own social media. In other cases, you know, they refer back to an individual that helps them build out that online profile and presence. And I would say it's basically a 50-50 split.
Stephen Frank: [00:22:12] On the same side with respect to security, some players are very actively involved in their own manageability of their security. And they take action on their own alerts to maintain that online brand hygiene. In some cases, also on the security side, players resort to handlers and/or individuals with good security focus. In some cases, the NHLPA becomes involved in effectively - what is involved there is more of a white-glove treatment, where the player in question requests we take a particular action. And the NHLPA or handler takes that action on their behalf.
Dave Bittner: [00:22:50] Now, you've been involved with the league for quite some time - over 16 years now with the players' association. And so really, you've witnessed the coming online of social media. You've seen this change in the availability - the ability for athletes to have direct interaction with their fans - in both directions, from their fans back to them as well. So what are the things that you've noticed as these technologies have come online? How has that affected the work that you all have to do?
Stephen Frank: [00:23:18] Well, I think, you know, one important factor here is since, you know, online engagement has become so important - not only to the athlete but, you know, potential marketing and sponsorship deals - is, you know, the player's focus on that online hygiene becomes that much more important relative to - let's say - a decade, decade and a half ago. So their interest in maintaining that online hygiene is extremely important if they want the top sponsors or marketing activation deals to take place. So that's one important factor.
Stephen Frank: [00:23:50] The other important factor, if I go back a decade and a half - when as an association and/or individuals, we used, you know, dial-up to get online, our presence online was fairly intermittent. In today's world with the proliferation of mobile devices and Wi-Fi, our online access is fairly ubiquitous. And realistically, players are online in some capacity or another all the time, allowing them to, you know, engage their community online all the time. But that also puts the responsibility back on them, handlers or the NHLPA to be involved as well all the time so that in the event, you know, something happens in a nefarious way, that we can take action and remediate and make sure that that brand is far removed from any detriment that would impact the player and his brand viability.
Dave Bittner: [00:24:40] So what are some of the lessons that you've learned that you think could be applied to regular folks like you and me, folks who are not high-status professional athletes? What sorts of things would you recommend for us based on the experiences that you have from working with athletes?
Stephen Frank: [00:24:56] When I work with athletes, I inform them of a couple of things. Keep in mind here that the NHLPA, you know, operates in a capacity that isn't typical in a corporate environment. It's more of an - at an arm's length with the player. You know, we can't mandate policy. They're not a corporate staff member. So they operate fairly autonomously. So if I'm able to, you know, discuss a relationship with them, I would say, you know, any discussion I would have with them regarding security is a discussion I can also have with yourself or anyone else in the world, for that matter.
Stephen Frank: [00:25:30] And a couple of things - you know, in terms of your online presence, I would say - and I tell players this - is make sure you tell your community followers enough but not too much. For instance, you know, too intimate a discussion can be used against you in a nefarious way. Let's say if individuals who are nefarious and don that black hat are able to glean from your online profile very intimate information, this would make for, you know, a very well-equipped spear phishing attack in a way that, you know, players might not be able to glean the intention of the email only because the person sending the email would have used the information online against them.
Stephen Frank: [00:26:13] So, you know, one word of advice I give to players is tell your online community enough information to build that level of engagement that is meaningful to them, but don't give away too much information in terms of the information that can be used against you. So that's an important factor there. Secondly, when players are involved - and celebrities, for that matter - these are highly traveled individuals both domestically and internationally. And a person has to be extremely mindful in terms of what they do when they travel internationally. So when they travel both domestically and internationally, you know, a word of advice is when you're jumping on hotel Wi-Fi, you know, ensure that access point is a trusted access point, No. 1. And No. 2, you know, I always suggest that a player - or a celebrity, for that matter - utilize a VPN to encrypt that traffic, secure their traffic from prying eyes. That's always an important matter as well.
Dave Bittner: [00:27:06] It's natural for us to put professional athletes on a bit of a pedestal, to think that with the status that - the skills that they have, that certainly they're people that we look up to. But when it comes to this sort of targeted attacks, I mean, they're just as human as the rest of us. They have the same weaknesses to be spear phished, the same interests, the same human frailties that all of us have.
Stephen Frank: [00:27:28] Exactly. I mean, your point is well taken. They are on a pedestal. But in terms of their vulnerability, they're just like everybody else, every bit as touchable as the common person. So - and to a larger extent, I would suggest that their vulnerability is more so than the average individual only given that they're in the limelight. You know, they represent a high-value proposition target. They're not necessarily a part or affiliated with any corporation that may mandate a security policy or put software on various endpoints. So in a lot of ways, you know, they represent individuals, I would say, that may be more vulnerable than the common person. And, you know, while they are holding that status of a person of notoriety, because they are highly targeted, they learn more than the common person would only because they are that target. And they see those nefarious actions more so than the common person.
Dave Bittner: [00:28:26] All right, so interesting perspective, Joe.
Joe Carrigan: [00:28:28] Interesting indeed, yes. I like that he has the onboarding process where they have a two-day intensive security orientation for new players. I would, however, offer a suggestion. My concern is that over time, these attacks and the threats are going to evolve and change and adapt to the environment because we live in a dynamic world.
Dave Bittner: [00:28:48] Right.
Joe Carrigan: [00:28:48] So I would recommend that every year - that the players' association offer up an annual security briefing. It should definitely be something that they offer.
Dave Bittner: [00:28:57] Yeah. Yeah. And they may very well do that.
Joe Carrigan: [00:28:59] They might.
Dave Bittner: [00:29:00] It's not an area we covered...
Joe Carrigan: [00:29:00] He didn't specifically mention it.
Dave Bittner: [00:29:02] Yeah. It's interesting to hear about the things that face professional athletes - I guess something you and I don't have to worry about, right?
Joe Carrigan: [00:29:08] Well, not yet.
Dave Bittner: [00:29:09] I mean, the years - are we...
Joe Carrigan: [00:29:09] We are podcast-famous, Dave.
Dave Bittner: [00:29:12] (Laughter) Well, everyone, thanks as always for listening.
Dave Bittner: [00:29:14] Thanks also to our sponsors at KnowBe4, the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can order up at knowbe4.com/phishtest. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more about them at isi.jhu.edu.
Dave Bittner: [00:29:36] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:29:53] And I'm Joe Carrigan.
Dave Bittner: [00:29:54] Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.