Hacking Humans 5.18.23
Ep 243 | 5.18.23

Data privacy in a consumer's world.

Transcript

Mark Kapczynski: You know, in the early days of the Internet, it was like a race to everyone has got to be on the internet, and you got to have a presence, and you have to be able to be found, and now, all of a sudden, we've kind of grown up through that, and now we're at the spot of like, wait a sec, I don't want to be found.

Dave Bittner: Hello everyone, and welcome to the Cyberwire's Hacking Humans Podcast, where each week, we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan, from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe!

Joe Carrigan: Hi, Dave!

Dave Bittner: We've got some good stories to share this week. And later in the show, Mark Kapczynski, who is Senior Vice President of Strategic Partnerships at OneRep. He is talking about consumer and data privacy. Alright, Joe, before we jump in here, we've got a couple of bits of follow up.

Joe Carrigan: Yes!

Dave Bittner: Actually, before we get to our follow-up, I just want to make note that we are now into our sixth season.

Joe Carrigan: How about that! Congratulations, Dave.

Dave Bittner: Yes, we'll say, right back at you there, my friend.

Joe Carrigan: So we've been doing this for like five years now.

Dave Bittner: Yep.

Joe Carrigan: And this is the beginning of the sixth year?

Dave Bittner: That's right. That's right. And we're not sick of each other yet [overlapping speakers and laughter]. I'll speak for myself, right?

Joe Carrigan: Yes, and nor am I sick of you [laughter]. I would say that, yes.

Dave Bittner: Okay [laughing]. There was a pregnant pause, there, Joe.

Joe Carrigan: No, well I was [laughter]-we talked over each other, I've used one of my common jokes that I talk about, and-never mind.

Dave Bittner: Okay, alright. Well, let's dig into our follow-up here.

Joe Carrigan: Yes.

Dave Bittner: Do you want to start things off for us?

Joe Carrigan: Sure! John writes in, with some comments about our last show, he says "Hi guys, loving the show and all that," blah, blah, blah.

Dave Bittner: Mm-hmm.

Joe Carrigan: Funny, I don't really think of your podcast as a show, more like an entertaining way to patch across developments in cyber security. In general, the tap interface, now this is talking about last week, where we talked about the tap interface, with ATMs?

Dave Bittner: Right, credit cards that have tap to pay.

Joe Carrigan: Right, it's an NFC. In general, the tap interface is safer than the slot interface, because you actually put your card away by the time you interact with the computer to make a withdrawal. Which is a good point.

Dave Bittner: Hm! Mm-hmm.

Joe Carrigan: The tap interface should be a very limited interface, that allows you to make one withdrawal up to a certain amount, within a certain period of time. Perhaps you can set this when using the slot interface. If you want to make more transactions, you should be required to put the card in the slot. The tap interface should not have the same functionality as the slot. This way, the tap interface becomes a less risky option, the only risk you take is with the cash you take out, and the slot interface, should perhaps be limited to interior halls of banks, where there is good surveillance, and perhaps even a guard. Which would be nice [laughter]. As for AI, because we were talking about AI last week as well-

Dave Bittner: Yeah.

Joe Carrigan: Truly it's time for some kind of legislation. I am really surprised that AI companies are allowed to make this kind of thing anyway. I mean, allowing AI to generate screaming and "oh my god, help me!" voice is negligent to the extreme. They should be held accountable. Kind regards, John.

Dave Bittner: Hmmm...

Joe Carrigan: So I don't know-I mean, I get what John is saying here, because the malicious intent, or the malicious use case is really impactful here.

Dave Bittner: Yeah.

Joe Carrigan: But I don't know that we should be legislating how AIs can produce voices. Because I can see a use case, like, for example in generating cheap and affordable dialogue, where you need to have certain emotions put into the voice.

Dave Bittner: Right, let's say you're making some kind of radio play or a podcast with, you have a character who is the middle of a horror movie or something.

Joe Carrigan: Right.

Dave Bittner: There's not going to be a legit use case for something like that, sure-

Joe Carrigan: It would be.

Dave Bittner: Yeah, yeah. I, too, did just a little brief bit of digging with the tap interface, and found that from a tech point of view, it's really the same as the chip and PIN. It's using the same technology as chip and PIN, from the security point of view, so-

Joe Carrigan: But it does a challenge response?

Dave Bittner: [Stammering] Joe, it uses the same as the chip and PIN.

Joe Carrigan: Okay [laughing].

Dave Bittner: That's what I found out, so, to the degree that the stuff that I said was saying that is the same degree of security as a chip and PIN transaction.

Joe Carrigan: Okay.

Dave Bittner: Yep. Yep. Alright, so we have another listener, who wrote in, who asked to remain anonymous. And they say, "lately I've been plagued by an ethical dilemma."

Joe Carrigan: Ah, good! We're good at that, right Dave?

Dave Bittner: [Laughs] I have had some education in info sec, especially social engineering, however, I've switched majors some time ago, and now I want to return to the field of pen testing, after my non-security major. So I've been educating myself on social engineering techniques, and practicing them. However, I find myself slowly drifting from pen testing to shadier practices, such as taking the bus for free. I notice myself rationalizing this, as if it's okay, since I'm training to help people later on [laughter]. I don't want this, as this goes against my principles, but I also really want to practice. As you said in one of the episodes of this year, it's fun for the hacker to see what the defender's got. I like to see how good the physical security and alertness is, and how to improve this. I know there are white hat hackers who start as hobbyists, but how can you do that ethically with social engineering, and how can I practice without harming people? Haggle on the market? Become a salesperson? Make my college essays more persuasive? I'd love to know what you think.

Joe Carrigan: I like all of those suggestions about that.

Dave Bittner: Mm-hm.

Joe Carrigan: Yeah, but I understand absolutely what you're talking about here. You-if you get these tools for social engineering, you can absolutely use them for your own benefit.

Dave Bittner: Yeah.

Joe Carrigan: Yeah, and that's probably not ethical. I mean, you're taking a bus for free, that's-probably doesn't have a lot of impact. But how do you practice these skills, to get better at them? I would definitely say haggling in a market is a good-is a good way to do it.

Dave Bittner: Mm-hmm.

Joe Carrigan: Another one-I don't know, being a salesperson? Maybe. I don't know how that works, though, I mean, my wife is a fantastic salesperson. I've often said that she would make a great social engineering pen tester.

Dave Bittner: Mm-hmm.

Joe Carrigan: I would see if you can find a job with a company that does physical pen testing.

Dave Bittner: Yeah.

Joe Carrigan: And see if you can start talking your way into these things, or if you really want to try, see if you can reach out to companies, and say, "Can I just try to physically pen test your company?" I don't know if that's going to go well [chuckles].

Dave Bittner: Yeah, I don't know what would be in it for their-you know, there's-the risk reward probably wouldn't-some stranger calls you up and says hey, can I break into your company?

Joe Carrigan: Yeah, yeah.

Dave Bittner: I'm not working for anybody, I just want to see how good I am at it.

Joe Carrigan: Right [laughter].

Dave Bittner: Right? I don't think it's going to go over very well [laughter continues].

Joe Carrigan: Might not be the best thing, but if you have a network [laughter continues], you know, if you have a network of people and you know people at these, at these organizations-

Dave Bittner: Yeah.

Joe Carrigan: Bring it up, as an option.

Dave Bittner: I would also say there are a lot-there's lots of community out there for these sorts of things.

Joe Carrigan: There is.

Dave Bittner: So find your local hacking community, you know, your B-sides, you know, there's-the folks, you know, there's lots of stuff leading up to big events like black hat, and the big ones that you've heard of. There's lots of community there, and most of these groups have local chapters.

Joe Carrigan: All over the world.

Dave Bittner: Yeah.

Joe Carrigan: Yeah.

Dave Bittner: So, I would say, start with that, and then find the pen testers, and start picking their brains.

Joe Carrigan: Yeah. Ask them how they, you know, it-maybe you can even find a job out of it.

Dave Bittner: Yeah.

Joe Carrigan: You know? If you're good at it, and it sounds like you are getting free bus fare, I've never been able to do that [laughter] I always get some angry guy yelling at me about it.

Dave Bittner: [Laughing] Right, right. Yeah, I mean, I've told you how my, you know, my wife is a fantastic-as you mentioned with your wife-my wife is also a fantastic pen tester [laughing].

Joe Carrigan: Right [laughs].

Dave Bittner: I told you the time she talked her way into Disney World.

Joe Carrigan: Which is amazing.

Dave Bittner: Yeah, she's just got a knack for it. I've seen her do it many, many times. There's times when I just say, "Alright dear, do your magic." I step aside, and she does her magic, and she comes over to me, and she'll literally say those magic words, "We're in."

Joe Carrigan: [Laughing] We're in, right, she puts up her hoodie [laughing], the green numbers start scrolling in the background.

Dave Bittner: I suspected that our listener has picked up on the truth, that a huge percentage of all this is just carrying yourself with confidence.

Joe Carrigan: Right.

Dave Bittner: You know, if you walk into a place like you own it, it-a lot of times, people are not going to stop you.

Joe Carrigan: Yeah.

Dave Bittner: I am curious, you know, I think they bring up a really good point of at what point does the act of persuasion cross over into something dishonest?

Joe Carrigan: Yeah, that's a very gray area.

Dave Bittner: You know?

Joe Carrigan: Yeah, if you're scamming people out of money, then yeah, that's where-that's definitely, definitely bad, right? To quote Rain Man [laughter]. But it's, if you're-you're talking someone down in price on something-

Dave Bittner: Yeah.

Joe Carrigan: Yeah? Maybe not.

Dave Bittner: I saw a video, this is years ago now, probably a decade ago now, where there was a guy who went around to retail stores, and every time he bought something, he would say, "Hey, can I get a good guy discount?"

Joe Carrigan: Right.

Dave Bittner: Do you remember that video?

Joe Carrigan: I do remember that video.

Dave Bittner: And sometimes they'd say sure, yeah [laughter], right? They give, you know 10%, 15%, who knows? What it was-some would push back and say, "I'm sorry, what?" You say, "I'm a good guy. You got any sort of good guy discount?" And sometimes they'd say, "No."

Joe Carrigan: [Laughing] Right.

Dave Bittner: But, you know, he wasn't asking them to do anything illegal, he wasn't asking, he was just-just saying, I'm a good guy and do you have any discounts that you could apply to me?

Joe Carrigan: Yeah, they probably just gave him the senior discount.

Dave Bittner: Ah, yeah, there you go.

Joe Carrigan: Have you gotten that yet, Dave [laughter]?

Dave Bittner: No, I have not.

Joe Carrigan: I've gotten that.

Dave Bittner: [Laughing] I have not. I have not. I am-I am AARP eligible, of course, which I think comes frighteningly early in your life [laughing].

Joe Carrigan: I'm agreed. It is way too early.

Dave Bittner: I do not yet have a senior discount. But--

Joe Carrigan: Yeah, I've gotten the senior discount at Arby's [laughter], I've walked in, ordered a sandwich, and looked at my receipt, and there it is, 10% off.

Dave Bittner: Wow!

Joe Carrigan: Didn't ask for it. Just got it.

Dave Bittner: Okay.

Joe Carrigan: Yeah, that's because my hair is so gray, and your hair is still dark, and beautiful and [laughter]-

Dave Bittner: Wavy.

Joe Carrigan: Long, and flowing. Mine is thinning, and gray and [laughter continues].

Dave Bittner: Well, I don't know. My day will come, Joe, my day will come [laughter].

Joe Carrigan: We'll see.

Dave Bittner: Yeah, it's been a long time since anybody's carded me for liquor, let's put it that way.

Joe Carrigan: Right, yeah, that-that has not happened to me either.

Dave Bittner: That train has left the station and it ain't coming back [laughs].

Joe Carrigan: And this was years ago that I got that discount. Years ago [laughing].

Dave Bittner: Ah, alright. Alright, well again, our thanks to our listeners for writing in. We love to hear from you, if you have something you'd like us to share on air, you can email us. It's hackinghumans@thecyberwire.com. Alright, Joe. Let's jump into our stories this week. I'm going to start things off for us. This is a story from the folks over at Bleeping Computer, written by Ax Sharma and it's actually kind of a "twofer" here. It's about folks using QR codes both to fake parking tickets, and also for surveys, to steal your money.

Joe Carrigan: Mm-hm!

Dave Bittner: And I'm going to come at these in reverse order. So, there is a woman, it says it's a Singapore-based woman, I don't-I suppose that means she lives in Singapore? Yeah, or if she's from Singapore, living here. I think in the story, she lives in Singapore. Let's go with that.

Joe Carrigan: Okay.

Dave Bittner: She lost $20,000.

Joe Carrigan: Twenty thousand dollars!

Dave Bittner: After visiting a Bubble Tea shop. Have you ever had the Bubble Tea, Joe?

Joe Carrigan: I have, I love it, Dave.

Dave Bittner: I have never had Bubble Tea, but my sister is a big fan. I can't say I've ever tried it, so--

Joe Carrigan: I love it. It's one of my favorite things. And like, a lot of people in my family don't like things floating around in your tea [laughter], but for some reason, I'm a big fan of it.

Dave Bittner: Okay, it's sort of the tapioca version of tea, right?

Joe Carrigan: Yeah, yeah.

Dave Bittner: [Laughing] Okay.

Joe Carrigan: I've got one with little coconut strips-delicious!

Dave Bittner: Alright now, see, that's a bridge too far for me. I like the flavor of coconut, but I can't stand the texture.

Joe Carrigan: Ah!

Dave Bittner: Like shredded bark [laughter].

Joe Carrigan: This did not-this was like gelatinized, or like-pickled, almost, or maybe not pickled. It was not-it didn't have the texture of coconut.

Dave Bittner: Yeah. Like, you want to ruin a cake for me? Put shredded coconut on it-on that puppy, and I will-I will say good for you, enjoy. I will go get a brownie.

Joe Carrigan: [Laughing] More cake for me!

Dave Bittner: [Laughing] That's right, that's right. So anyway, this woman was at a Bubble Tea shop, and she saw a sticker on the door that was inviting people to scan a QR code, and fill out a survey, for basically free product, a free cup of milk, or tea, or bubble tea, or whatever.

Joe Carrigan: Okay.

Dave Bittner: And so she did that. And the QR code took her to a site that-wait for it-downloaded a third party app onto her Android phone--

Joe Carrigan: Okay.

Dave Bittner: In order for her to complete the survey. She completes the survey. She goes to bed. While she's asleep, her phone lights up, as if in a movie, the survey app siphons $20,000 out of her bank account.

Joe Carrigan: Wow!

Dave Bittner: Yeah. So, basically by being tricked into side-loading this app, this app, and I should say, providing the app with access to her phone--

Joe Carrigan: Right, so she had to disable the-because I'm assuming it was an android phone-

Dave Bittner: Yes.

Joe Carrigan: She had to enable, like debugging you know, allow apps from third party locations.

Dave Bittner: Right.

Joe Carrigan: Which is disabled by default.

Dave Bittner: Right.

Joe Carrigan: So, the website, I'm assuming the website instructed her to do these things.

Dave Bittner: Yeah, it seems like giving access to the Android accessibility services was kind of the keys to the kingdom here.

Joe Carrigan: Right.

Dave Bittner: Yeah, because that lets an app, you know, control-gives the app control of the phone.

Joe Carrigan: Yes.

Dave Bittner: So, she was out $20,000. So that's story number one, and let's hold off on our comments, until I tell you story number two.

Joe Carrigan: Okay.

Dave Bittner: Story number two is about fake parking tickets.

Joe Carrigan: Mm-hm.

Dave Bittner: So, this is in San Francisco, a city I was in not that long ago--

Joe Carrigan: Right, to the airport-

Dave Bittner: Imagine you got to your car, and you find on your car a parking citation.

Joe Carrigan: Yep!

Dave Bittner: From the City of San Francisco. And on that parking citation is a QR code, that will allow you the convenience of paying your parking ticket online. So you scan that, you go to a website that looks to be the legit San Francisco City Government Website, you pay the parking ticket, get on with your life.

Joe Carrigan: Right.

Dave Bittner: Turns out, it ain't the City of San Francisco [laughing].

Joe Carrigan: And was it even a real parking ticket?

Dave Bittner: Not even a real parking ticket, no. So, I got to say, this is a clever scam.

Joe Carrigan: Yes.

Dave Bittner: You know? Nobody is getting hit over the head, nobody is getting, you know, it's still a scam. People are losing money. But part of what interests me about this scam is that you might not even know you were scammed.

Joe Carrigan: Right! You might just think you paid a parking ticket.

Dave Bittner: Right. Right. Which-which means, for the scammers, it lowers the incentive of people coming after them, of someone hunting them down.

Joe Carrigan: Right!

Dave Bittner: Yeah.

Joe Carrigan: But if I find out about this, I'm still going to try to hunt them down.

Dave Bittner: [Laughing] Well, you are, of course [laughing].

Joe Carrigan: Right.

Dave Bittner: You will find-you will chase them to the ends of the earth!

Joe Carrigan: [Laughing] I have a very particular set of skills.

Dave Bittner: There you go [laughter]. So, but I want to get to the bigger picture here, which is QR codes.

Joe Carrigan: Right.

Dave Bittner: And I feel like we've sort of swung back and forth with QR codes over time. You know? They started out being this very easy, clever thing, to allow people to access websites using your camera, and then security folks are like [speaking in high-pitched voice] don't ever use a QR code, because you don't know where it will send you.

Joe Carrigan: Right.

Dave Bittner: And then, the pandemic happened. And suddenly we had QR codes on tables, instead of menus.

Joe Carrigan: Yep.

Dave Bittner: Right?

Joe Carrigan: Oh yeah, I'm going to tell a story that you're going to go "of course you do" [laughs].

Dave Bittner: Okay, okay [chuckling].

Joe Carrigan: But on my phone, I have a free product, you can go out and download this on Android. I don't know if it's available for Apple, either, but it's from Trend Micro, and it's the QR code analyzer.

Dave Bittner: Oh!

Joe Carrigan: And I scanned this with-and I-I tell everybody on the table with it, don't scan this until I verify that it's safe [laughter].

Dave Bittner: Like that guy in the old Warner Brothers cartoon, "Stand back, folks! It might be radioactive!"

Joe Carrigan: [Laughter] Right [laughter continues]. That's me, with my wife and kids.

Dave Bittner: [Laughing] That's right.

Joe Carrigan: And boy, it goes over great every time.

Dave Bittner: Oh, you must be a hit at parties.

Joe Carrigan: I am [laughter]. So I do that, and scan it, and I'm surprised that Trend Micro has done a really good job of-these are like mom and pop restaurants that I go to, and it says "this one's safe."

Dave Bittner: Oh.

Joe Carrigan: Sometimes it says "unanalyzed." But it doesn't say "malicious," I've never seen one that says it, or I've never gotten one that says "this is malicious."

Dave Bittner: Right.

Joe Carrigan: But they are out there.

Dave Bittner: Yeah.

Joe Carrigan: And I wonder if Trend Micro knows about this. Oh, there's a picture of this QR code, right here-

Dave Bittner: Mm-hmm.

Joe Carrigan: A quick scan of the barcode says "unverified." We have not determined if this website poses a danger, open at your own risk.

Dave Bittner: Uh huh!

Joe Carrigan: So, it doesn't say "safe."

Dave Bittner: Okay.

Joe Carrigan: But it also doesn't say "malicious." And the link is actually just a, like a link shortener service.

Dave Bittner: Right.

Joe Carrigan: For QR link-QR.link, and then some random text afterwards.

Dave Bittner: And you're scanning the QR code that was on this parking citation.

Joe Carrigan: Yes. That's correct.

Dave Bittner: Yeah, okay. So, where do you land with QR codes, then?

Joe Carrigan: I don't like them.

Dave Bittner: Okay.

Joe Carrigan: I mean, I think they're a great way to compress information.

Dave Bittner: Yeah.

Joe Carrigan: You know, it's simply a multiplex barcode.

Dave Bittner: Right.

Joe Carrigan: And there-there's use cases for all kinds of good use cases for multiplex bar codes, like in inventory control and, logistics, and all of that. But in terms of you and me using multiplex bar codes, there's just way too much information that can be crammed into this thing.

Dave Bittner: Mm-hmm.

Joe Carrigan: And you know, you can put an entire query string into this barcode, that tells the attackers where you are. Right? You know, it's all conceivable. This is all attacks that could happen.

Dave Bittner: Yeah.

Joe Carrigan: Even if you're just using this link-shortening service, I can print up a different QR code for every location I want to put things at, and I could find out where people are.

Dave Bittner: Right.

Joe Carrigan: When they visit my site.

Dave Bittner: Yeah.

Joe Carrigan: Which, by the way, legitimate barcode providers are probably doing [laughter], so don't-don't think that just because someone's bad they're doing some of the malicious-and that isn't normally what happens. That is probably also what happens with the legitimate ones. I'm really not a fan of the, you know, take a look at our menu. First off, I'm going to look at the menu on my phone, and I hate reading things on my phone.

Dave Bittner: Uh-huh--

Joe Carrigan: That aren't designed to be right on my phone.

Dave Bittner: Uh-huh--

Joe Carrigan: Maybe I'm just an old man?

Dave Bittner: Ever since you started getting that senior discount?

Joe Carrigan: Right, exactly [laughter].

Dave Bittner: Yeah.

Joe Carrigan: That's why [laughs], that's what it is, Dave, the senior discount makes me hate this stuff [laughter continues], but I don't know. I think you're just opening yourself up. There's-also there's nothing to say that somebody didn't just stick a random QR code up on the-on whatever it is-

Dave Bittner: Yeah.

Joe Carrigan: Or cover up an existing QR code, with a malicious one.

Dave Bittner: That's what I worry about.

Joe Carrigan: Yeah.

Dave Bittner: And so, I particularly am wary of ones that I see anywhere where there's a financial transaction linked to it.

Joe Carrigan: Right.

Dave Bittner: For example, I go to fill my car with gas. And the local gas station has QR codes on the pumps.

Joe Carrigan: I would never use that.

Dave Bittner: To pay! Me neither [laughter]! But they're there.

Joe Carrigan: Right.

Dave Bittner: And to me, that is the perfect use case for someone to come along with their own QR code, stick it over the top of that, make it seem like it's, you know, Exxon, or Shell, or whoever it is, and make you think you're paying for gas, or authorizing the pump or whatever--

Joe Carrigan: Right.

Dave Bittner: And taking advantage of you.

Joe Carrigan: Yep, absolutely. And then, what happens is you don't get your gas. I mean-

Dave Bittner: Right!

Joe Carrigan: So you-then you have to go through the fraud rigamarole.

Dave Bittner: Sure!

Joe Carrigan: It's bad all around.

Dave Bittner: [Laughing] Alright, well that is my story this week. We'll have a link to that in the show notes. Joe, what do you have for us?

Joe Carrigan: Dave, my story comes from Dragos, you know, Robert Lee's company.

Dave Bittner: Yeah.

Joe Carrigan: Robert Lee has been on our show many times.

Dave Bittner: Yeah.

Joe Carrigan: But Dragos has published a-an incident report. And it's-this is a blog post on their website, called Deconstructing Established Security Event, and it's dated for May 10, and it was about an event that took place at Dragos, on May 8.

Dave Bittner: Yeah, now let's-just for folks who may not be deep in this stuff-Dragos is a security company who protects critical infrastructures.

Joe Carrigan: Right. They--

Dave Bittner: Things like power plants.

Joe Carrigan: They protect industrial control systems or ICS-

Dave Bittner: Yep-yep!

Joe Carrigan: And SCADA Systems, which is something-System Command and Data Acquisition?

Dave Bittner: Yeah.

Joe Carrigan: I can't remember what the acronym is.

Dave Bittner: Yeah.

Joe Carrigan: But, you know, these are the cyber physical systems that essentially run the world.

Dave Bittner: Right.

Joe Carrigan: Right. So, Dragos is a company that focuses on securing those assets.

Dave Bittner: Yep.

Joe Carrigan: But what happened on May 8, is according to this blog post, a known cyber criminal group attempted and failed at an extortion scheme against Dragos. The very next sentence in the blog post says "No Dragos systems were breached, including anything related to the Dragos platform," which is their protection tool. They have a timeline on here. And what happened prior to, at some point in time in the past, and they don't really know when this happened, but somebody-this adversary-had compromised the email account of someone that Dragos had hired.

Dave Bittner: Mm-hm.

Joe Carrigan: The personal email account.

Dave Bittner: Right.

Joe Carrigan: So, Dragos sent an onboarding-a set of onboarding instructions to this new employee, and within six hours, somebody logged in masquerading as the new person. And 45 seconds after they logged in, they began a programmatic download of the general use data from the Dragos SharePoint.

Dave Bittner: Hm.

Joe Carrigan: So just general stuff that's available from Dragos.

Dave Bittner: Grabbing whatever they had access to--

Joe Carrigan: Grabbing whatever they can.

Dave Bittner: Yeah.

Joe Carrigan: Nineteen minutes later, they attempted to access the Dragos messaging system, but they were unsuccessful due to needing administration approval, or admin approval.

Dave Bittner: Hm.

Joe Carrigan: At 46 minutes after they got initial access, they accessed 25 Dragos intel reports, which are normally available to customers. So these are reports that Dragos generates, that they make available to their-to people that pay for them. So they got away with some information that may have been proprietary, or may have just been we only give this to our customers.

Dave Bittner: Hm.

Joe Carrigan: To a minute after that, there was an unsuccessful attempt to access the IT system, but it was blocked, because of role-based access control, or RBAC, which means, you don't have this role, therefore you don't, you know, you're not in IT, you are a salesperson, you don't need to access this.

Dave Bittner: Right.

Joe Carrigan: This is-and I'm going to break this down at the end of-- at the end of, everything Dragos did right here, at the end of this.

Dave Bittner: Mm-hm.

Joe Carrigan: There was a successful access to the Dragos Customer Support System, but they got no data, because they didn't have the right role-based access controls. Because the role-based access control stopped them, they didn't have the right role, the attackers. Unsuccessful attempt to access financial systems, RBAC again.

Dave Bittner: Hm.

Joe Carrigan: Successful access to the Contract Management System. So they could get in and see the contract management system, but then they had unsuccessful access to the RFP system, again, due to RBAC. Unsuccessful access to the Employee Recognition System, unsuccessful access to the Sales Lead System, unsuccessful access to the marketing system, and unsuccessful attempts to reset admin passwords. And then, after about 11 hours and 9 minutes of working on this, they sent an extortion email to Dragos.

Dave Bittner: Mm-hm.

Joe Carrigan: So Dragos is confident this organization was trying to install ransomware.

Dave Bittner: Right.

Joe Carrigan: They didn't get that. They did get one piece of information that had-or one of the artifacts they did manage to get from the SharePoint server included IP addresses associated with a customer. They had already notified that customer and reached out to them. They were alerted of the ongoing attack, because they had the security and information event manager, or SEM, they blocked the compromised account, shut it down, and immediately notified their incident response company that they had on retainer.

Dave Bittner: Hm--

Joe Carrigan: So, they had somebody ready to go.

Dave Bittner: Right.

Joe Carrigan: They also worked with their third party monitoring and detection-monitoring, detection and response provider, as well, and they were managing the incident response efforts. So in this blog post, Dragos has included some of the communications from these malicious actors, and they're constantly demanding money for what they have, which isn't much.

Dave Bittner: Yeah.

Joe Carrigan: They are badmouthing the FBI here, telling them the FBI doesn't care about you, so they're trying to isolate you-Dragos-from the FBI here. And then the last thing they're doing is they're reaching out to this person and asking about how their family members are doing.

Dave Bittner: Yeah.

Joe Carrigan: Right? Which is really scary. Now, some of the information was not correct about the family members, but they did a little bit of digging on the person they were reaching out to, to try to scare them a little bit.

Dave Bittner: Right.

Joe Carrigan: With this. Nobody from Dragos engaged with these guys, and in fact, now, by posting this blog posting, the jig is up, everything is out in the open.

Dave Bittner: Yeah.

Joe Carrigan: So it's-it's over. At the bottom of this, they actually released the indicators of compromise, they give you the IP addresses that the things came from. They give you the tactics, techniques and procedures-the TTPs-based on the MITRE ATT&CK mapping. Which is-which is really nice that they put this out here.

Dave Bittner: Mm-hmm.

Joe Carrigan: They have a Lessons Learned section, which is: "In response to this event, we have added an additional verification step to further harden our onboarding process, to ensure this technique cannot be repeated."

Dave Bittner: Hm.

Joe Carrigan: So here is one of the big problems in cyber security, particularly with social engineering attacks. You can sit there and think and think and think and think about everything that is out there. And somebody is going to hit you in a place where you haven't thought of [laughter]. It doesn't matter who you are.

Dave Bittner: Yeah.

Joe Carrigan: You can be Dragos, who is a top quality security company.

Dave Bittner: Sure.

Joe Carrigan: And there is going to be some weakness in your processes. This isn't really even a weakness in-in Dragos' systems. This is a weakness in a process that they didn't anticipate, but I don't know how you anticipate this.

Dave Bittner: Mm-hmm.

Joe Carrigan: This is one of those things you really can't anticipate. Immediately following the event, within two days, they post a blog post about it, letting everybody know what happened, which is fantastic. We had a-was it Coinbase, we had another similar discussion about this a couple weeks ago?

Dave Bittner: I don't recall.

Joe Carrigan: Somebody broke into-it was one of the big crypto-crypto exchanges.

Dave Bittner: Oh yeah, mm-hmm.

Joe Carrigan: Or had a similar event, where somebody tried to get in.

Dave Bittner: Yeah.

Joe Carrigan: And they posted a blog post about it. So kudos to Dragos, and to Robert Lee, for putting this out there.

Dave Bittner: Yeah.

Joe Carrigan: I want to talk about what Dragos did that really helped minimize the impact here.

Dave Bittner: Okay.

Joe Carrigan: They did a lot of groundwork. They were prepared for this thing to happen before it happened. That's number one. They had role-based access control in place. They had a SIEM in place, a Security Information and Event Management System. This is a system that reports events when they reach a certain threshold. So Dragos was aware of the event as it was happening.

Dave Bittner: Sounds to me like they probably had pretty verbose logging enabled, too.

Joe Carrigan: They did, they had really verbose logging enabled, as well. That's one of the points they make in here.

Dave Bittner: Uh huh.

Joe Carrigan: I didn't put that in here, in my list of things, but it is a point that Dragos makes.

Dave Bittner: Uh huh.

Joe Carrigan: And it's a good point to make. They had an incident response team on retainer. Because they're acting as if they're going to have an incident at some point in time, and they are going to have it, here they are, having the incident.

Dave Bittner: Yeah, yeah.

Joe Carrigan: I will bet that everybody at Dragos said, "I'm so glad that we have that Incident Response Person on retainer [laughter]."

Dave Bittner: Right, right.

Joe Carrigan: Let's call them right now.

Dave Bittner: Yeah.

Joe Carrigan: And get this to happen. You know, that kind of thing is so good to have and not need, than in comparison to needing it and not having it.

Dave Bittner: Right.

Joe Carrigan: So they also had a third party doing monitoring detection and response, and they had a contract in place for that company, and they actually managed the incident response. So again, this is going to happen to companies all over the place. It's going to happen to people. It's-what has happened here is minimal compared to what could have happened.

Dave Bittner: Yeah.

Joe Carrigan: It is-it is a really good example of how the security in-depth has helped Dragos out. How Dragos has responded appropriately. They didn't engage with these guys. They put everything out there, and it's over now. They-they've-they're just-I doubt that they'll ever hear from these guys again.

Dave Bittner: Yeah. Alright, a couple things to add. I, too, read this report with great interest. And you know, knowing Rob Lee as I do, and as you do as well, like you said, he's been a guest many times. He's someone I would consider to be a friend. Perhaps somewhere between acquaintance and friend--

Joe Carrigan: Right.

Dave Bittner: You know, we're friendly, if we passed each other in the hallway, we'd stop and say hello and--

Joe Carrigan: Yep!

Dave Bittner: Ask-ask each other how our kids are, that sort of thing. But we're not going on vacation together [laughter], right?

Joe Carrigan: Right [laughter] I don't go on vacation with any of my friends, Dave.

Dave Bittner: Right, right, but there's been additional-So, so my point there is that it does not surprise me that this is the approach that Rob as the leader of Dragos has taken, to be up front, transparent, and putting all this out there, for the benefit of the community.

Joe Carrigan: Right.

Dave Bittner: That tracks with what I know about him, and how he runs his organization, so I would say tip of the hat to him for that.

Joe Carrigan: Yeah, indeed.

Dave Bittner: I saw additional reporting this morning and I-I regret, I don't remember where it was, but someone actually interviewed Rob, and these bad guys called his 5-year-old son on the phone.

Joe Carrigan: Oh, yikes!

Dave Bittner: Yeah, so evidently his son had a phone that he uses, just to talk to his grandparents, and the bad guys found that number and called him-called the son, and the son handed the phone to his mom, and his mom hung up.

Joe Carrigan: Right.

Dave Bittner: So nothing bad happened, but you see the kind of intimidation, the kind of homework that these people will do to make you uncomfortable.

Joe Carrigan: Right.

Dave Bittner: To make you think-imagine you're a parent, and well, I mean, imagine-imagine the pressure you might get from your spouse if your 5-year-old gets a phone call from bad guys from who knows where--

Joe Carrigan: Right.

Dave Bittner: In the world, you know, I could easily imagine a spouse saying "I don't care what you have to do, make this stop!"

Joe Carrigan: Right.

Dave Bittner: Right. And that, and when you're in that emotional moment, that can change your response.

Joe Carrigan: Yeah, it can [laughter].

Dave Bittner: Right?

Joe Carrigan: It sounds like Robert maintained a cool head.

Dave Bittner: Yeah, it sounds that way. So it's just a little additional color to the degree to which first of all these bad guys are scumbags [laughter]--

Joe Carrigan: Right, yeah.

Dave Bittner: [Laughing] Right. But, as you say, your point is a good one. It seems like Dragos had plenty of things in place to minimize the blast radius of a thing like this. And you know, they learned what they need to do to harden up their defenses.

Joe Carrigan: Yeah, the thing is, though, Dave, I don't-I looked on their website. They say if any job can be a work from home job, it will be a work from home job.

Dave Bittner: Uh huh.

Joe Carrigan: So, they've instituted a new-a new step in verification for new account creations.

Dave Bittner: Mm-hmm.

Joe Carrigan: For onboarding. But my question is, how-my main question is, did these bad guys just get lucky?

Dave Bittner: Hm.

Joe Carrigan: Did they-or did they, or did they know something?

Dave Bittner: Yeah, well, we'll probably never know.

Joe Carrigan: It's an ongoing investigation with Dragos.

Dave Bittner: Yeah.

Joe Carrigan: But that's really the only question I have that I don't know if it's ever going to be answered, and it's nobody's obligation to answer it for me.

Dave Bittner: Right.

Joe Carrigan: But, it's-I-I'd like to know the answer to that question, you know?

Dave Bittner: Yeah, I think a lot of it too depends on whether someone is coming at you for like ransom, so if it's a ransomware event, and what they want is money, that's different than if they're coming at you from an espionage point of view.

Joe Carrigan: Right.

Dave Bittner: And I could see Dragos potentially being an espionage target.

Joe Carrigan: Right.

Dave Bittner: They do work all over the world, with many governments.

Joe Carrigan: Yep.

Dave Bittner: You know, critical infrastructure is what keeps humanity running.

Joe Carrigan: Yeah, this could have been a much worse breach.

Dave Bittner: So I've heard of stories, of you know, people receiving brand-new shrink-wrapped laptops, you know, direct from, alleged-you know, by all accounts, directly from the supplier, you know?

Joe Carrigan: Right.

Dave Bittner: From Apple or Dell, you know, whoever you get your laptop from, directly from them, and yet, somewhere along the way it had been intercepted, malware had been installed, it had been, you know, re-wrapped, and you never know, but that's an espionage kind of thing. That's spy craft.

Joe Carrigan: Yep. There was a time I was working for a part of the government--

Dave Bittner: Yeah.

Joe Carrigan: And when we would get new computers, the very first thing we would do is blow the operating system away and reinstall it.

Dave Bittner: Mm-hm, yeah, yeah.

Joe Carrigan: It's what we did.

Dave Bittner: Yeah. But what about the firmware? [Laughter]

Joe Carrigan: No, we didn't do that.

Dave Bittner: [Laughing] Yeah, see? This is the world we live in, Joe.

Joe Carrigan: Right. That was almost 30 years ago. It was a long time ago.

Dave Bittner: Yeah, yeah, alright. Okay, well interesting stuff, and we will have a link to that from Dragos on the show notes, so please do check that out.

Joe Carrigan: Yes, and I want to say, I want to make it clear, this is good work on Dragos' part.

Dave Bittner: I agree, agree. [Background music] Alright Joe, it is time to move on to our Catch of the Day [soundbite of reeling in fishing line].

Joe Carrigan: Our Catch of the Day comes from Richard, who writes, "I got the best BS email ever." Dave, this one is really good.

Dave Bittner: Mm-hmm.

Joe Carrigan: Dave, why don't you start from who it's from, Dave.

Dave Bittner: It's from Marine Corps [laughter]. And the subject is Howdy. And it goes like this. It says "Hi! I am USMC on special redeployment. I am looking an intelligent person for relationship, or a person who can accept to take custody of an amount being proceed of a raid we carried out here. If you are interested, mail me back with your picture. All communication must be through an end-to-end encrypted means. It is important that you must have WhatsApp for easy communication, and I assure you that your privacy will be protected too. I got your email contact through an opt-in consumer directory. I expect your response. A sergeant, USA, Marine Corps" [laughter].

Joe Carrigan: This is the lowest effort email, phishing email I've seen in a long time, Dave.

Dave Bittner: Yeah, yeah.

Joe Carrigan: It's-[laughing]--

Dave Bittner: Yeah, pretty bad.

Joe Carrigan: I am a USMC. There is only one USMC [laughter].

Dave Bittner: Sergeant, sergeant USA, like--

Joe Carrigan: A sergeant, USA.

Dave Bittner: I don't know if this happened to you, but when I was in elementary school, once a year, the police would come and do a presentation and it was always like Officer Friendly or [laughing], they get some officer who had some kind of, you know, they made him a special name badge, that said "Officer Care," or they just gave him a phony name. This strikes me as being something like that.

Joe Carrigan: We never had the cops come. We had a guy from the phone company come in.

Dave Bittner: Okay [laughing].

Joe Carrigan: And I was very interested in that [laughter].

Dave Bittner: Okay, well that's different.

Joe Carrigan: Yes.

Dave Bittner: Yeah, yeah, I don't know, it was the cops, it was straighten up, fly right. Maybe I went to a rougher school than you did, Joe, I don't know [laughter].

Joe Carrigan: I don't know if that's the case [laughter continues]. When we were kids, there weren't a lot of rough schools around here.

Dave Bittner: Yeah, that's true, that's true. Alright, well our thanks to our listener for sending that in. Richard, we do appreciate it. Again, we'd love to hear from you. Our email address is hackinghumans@thecyberwire.com.

Dave Bittner: Joe, I recently had the pleasure of speaking with Mark Kapczynski. He is Senior Vice President of Strategic Partnerships at an organization called OneRep, and we're talking about consumer and data privacy. Here's my conversation with Mark Kapczynski.

Mark Kapczynski: I think it's kind of interesting that we've gone through a spell where like, you know, I think I'm old enough to say like, you know, in the early days of the internet, it was like a race to everyone's got to be on the internet, and you've got to have a presence, and you have to be able to be found, and now, all of a sudden, we've kind of grown up through that, and now we are at the spot of like, wait a sec, I don't want to be found, and don't find my family, and my kids or anything.

Dave Bittner: Do you hear people comparing being on Facebook to, like, being addicted to smoking?

Mark Kapczynski: [Laughing] Right, right. So, so I think a lot has changed over the years, and you know, and certainly of perception, and you know, as people are learning more about like, wow, there's actually bad stuff that can happen on the internet and social media included, if your information is so accessible, and I think now what's even happening is our society is just so polarized, like if you're not with me, you're definitely against me, and you know, if you don't take care of me, you did something wrong to me, just people are so pent up with these kind of feelings, and now, because information is so easy to access and find through a Google search, people can, you know, almost feel like empowered to take action, and that's where it starts to get scary, because now I can find, within a minute, I can find all of your information, I can find your family, your relatives, where you live, you know, if you have multiple houses, I can find everything about you. And what's even scarier about that is, some of that information probably isn't even accurate, and I could be taking action against you, and using data that's not even accurate. And so it's just this like weird scenario that we're in, where all of our information is out there, people have this proclivity to take action against, you know, the bad guy, so to speak, and you know, or the person what's against them, or wronged them in some way. And they're taking action off data that may not even be accurate, and it just completely compounds this problem.

Dave Bittner: What are people to do, then? I mean, how do you approach this from a practical point of view, but at the same time, you know, not go overboard, not become some kind of an [laughter], you know, online prepper, if you will, you know?

Mark Kapczynski: [Laughing] Yeah, you know, it's hard, I'll say, first of all, so you know anyone who thinks it's easy, it's not easy. It was funny, I had a boss, when I used to work at Experian, you know, the big, bad credit bureau, and he used to, you know, tell me how he created fake names, and fake personas, you know, based off of, you know, his different online accounts, and I was like, wow, you know, you're crazy, you're overthinking it. And now I'm like, wow, maybe he was actually onto something, he was just way ahead of his time [laughter], you know, and now it's so easy to get people's information, right? So the hard part is the information that we've all put out there to, you know, enter a sweepstakes, or download a movie trailer, or read the news, we're giving out our personal information over, and over, and over, and all of that gets accumulated or aggregated behind the scenes, and then it gets, you know, sold to people that want to buy it, and buy it in bulk, and then publish it to the internet. And so the problem is like, the cat is out of the bag on that one, right? It's hard to go back and just erase yourself entirely. Right? There's things like OneRep offers that helps, you know, remove you from people search sites, and that helps eliminate some of your presence on Google, as well, but you know, you have to be thinking, it's a multi-step process, right?
You've got to do the scrubbing that we do as a starting point to try to, you know, create a baseline for yourself, and then, and then from there, on a go-forward basis, you have to kind of think a little bit more strategically about like maybe I should create some fake personas, and fake data, and use that when a website that I'm interested in either subscribing to or signing up for needs my information, and you know, that's all on the consumer's side, and what we even tell companies, businesses, is you know, when you have frontline workers, whether they're in healthcare, or police, or security, or just customer service people, again, it's so easy to get their information that you have to, as a company, be thinking how do I protect my employees so that their personal information doesn't get exposed, and so you know, we do things like we advise people to have, you know, fake or burner phone numbers and burner email addresses, and you know, when you've got a burner email address, don't actually put your name on it, you know, create a fake name for it, and it's almost like we have to have this, almost like dual identity. You know, here is my real self, and I share that more sparingly, and then here's my, you know faux persona that I use when I'm on the internet, and in order to be safe and in order to have to share information with companies that, you know, want to offer me something.

Dave Bittner: You know, I think we've all gone through that routine of trying to get back in touch with someone that we've lost touch with, you know? Maybe an old buddy from high school or something like that, and you know, you start with a Google search, and as you mentioned, a lot of these sites pop up, who, you know, will promise you for the low, low price of whatever, they'll give you everything from, you know, where they live, where they've worked, if they've ever been arrested, and you know, their blood type. I'm curious, like, what is within our rights to have that information removed? Where do we stand with that?

Mark Kapczynski: Yeah, well, you know, it's, you know, it's amazing that this day and age, in America, you know, we as individuals, as citizens, we don't own our data. When we give our data to any website or any business, the business technically owns it. And so what ends up happening is, on these sites, you know, they're just basically buying the data from larger aggregators, so they're not actually even doing the heavy lifting of collecting it. They're just buying it, the way you'd buy a product, and then they're just marketing it really well through search engine optimization or SEO. And so, we don't have any rules in America that, one, state that I, as a citizen, own my data, and two, that companies don't, you know, can't and don't sell or have the right to sell my data, and I guess, maybe thirdly, you know, how is Google allowed to index my personal home address on their website, like, how is that even allowed? So we don't have the regulations in place that, you know, give me ownership of my data, and forbid businesses from selling it, and then thirdly, you know, preventing companies like Google from publishing it. And that's, you know, three big pieces of legislation that need to be put in place, because nearly every other country in the world has solved for this problem, right? You can't go to Europe and do this, you know? This is a uniquely U.S. problem that needs to be solved.

Dave Bittner: Yeah, I remember, you know, years ago, and I'm kind of an old timer here, I remember when Google started up, and I remember people just being all bent out of shape that you could, you know, put in someone's name or address, and it would give you a map to their house, and this was, you know, oh my goodness! You know? And today that seems kind of quaint [laughs], you know, it's-it's such a minor part of our information being bought and sold, and aggregated and combined, and you know, all of the dots being connected and all that kind of stuff. The process of dealing with any of this, I mean, is this-is it a one by one kind of thing? And when you make these requests, do the companies respect them?

Mark Kapczynski: Yeah, so what I always like to say is, you know, they-I guess they legally have to have an option, especially in states, like I'm in California, under CCPA, you know, where they have to let you opt out of having your data in their system. So, I guess on one level, they technically have to, but I like to say, that doesn't, you know, like nowhere does it describe like how fast they have to do it, you know, or, or if it has to be permanent. And-or even how easy they have to make it. So like, one of the sites that actually got a massive fine last year, one of these, they're called people search websites. They're pretty sketchy, as you can identify it as well.

Dave Bittner: Yeah.

Mark Kapczynski: One of them last year used to have this horrendous process where in order to get your data removed, you actually had to create an account on their website, and you had to jump through literally like 10 steps, and then they'd be like, oh, congratulations, we'll remove you now, just upload a picture of your driver's license [laughter]. And it's like no consumer is doing that, right? It's like, I'm trying to get off of this. But the funny thing is, if you actually submitted like a picture of your dog, you'd still get removed. They just put that up there to scare people.

Dave Bittner: Wow.

Mark Kapczynski: And so that's where, again, it's-it's they don't have to make it easy, you know, they don't have to process it fast, they don't have to make it permanent, either, because a lot of these sites, the problem is, they get a-they buy a-they're just buying data. They're not harvesting it themselves, so they're buying data from different data suppliers, and so they buy the data from their suppliers, and they get a new data feed a few months down the road, and it has your information in it again, they just publish it again, right? There's no data efficacy, there's no like, oh, Mark's already opted out, let's make sure to keep him opted out, it's sort of like, you know, just let him have to find it again, and re-remove it, you know? And that's, you know, that's where again kind of all this legislation needs to go. It's just like how is this even possible in this day and age? That this is allowed, and you know, the fact of the matter is like, most of the data that they're buying and publishing isn't even accurate, and that's where it can even get crazier, because maybe it says I'm of a particular religion or political, you know, alignment or something, right? Or a particular race or background, and that could get, you know, that could have a real harmful impact on me, if it's inaccurate, because you know, society looks at that, and is like, oh, he's so and so, and I'm going to go after him, and it's like, the data is not even accurate, and so there's no oversight, right now, to all this. And again, it's just remarkable that these sites can publish this information and Google indexes it all, and makes it available, you know, with a simple search.

Dave Bittner: I'm curious for your insights on what actually works, in terms of trying to minimize your footprint online. Are there, are there practical things that actually work, and are there things out there that are kind of myths, you know, people think you should do this, but that doesn't really work?

Mark Kapczynski: [Laughs] I mean, I think again, it's, you know, it's funny, I advise companies, especially folks in like the dating industry and consumers in that space, and it's like, I always like to tell people it's like, get yourself scrubbed first, right? So like, don't just jump into these things, and start having at it. It's like get yourself scrubbed off the internet first, which is, you can use a tool like OneRep, or do it yourself manually, but try to use a service like that, to get yourself removed first as much as possible. Then if you're going to go ahead and sign up for say an online dating service, or you're going to subscribe to various newsletters or movie sites, or you know, sign up for a trivia contest, or a sweepstakes, create a fake identity, you know, fake name, fake address, fake email, fake phone number, and just use that, and use that as much as possible, and I think that's almost like the most basic way you can at least get ahead of this thing, is get yourself scrubbed, then use a faux identity, and you know, kind of document it, so you have it consistent, right? And then, you know, you'll actually kind of be amused by it, because you'll see that fake profile come out places, and you'll be like that's actually me, but it's all fake [laughter], you know, and it's kind of ridiculous. I will also say, just one more thing, part of this is not just, you know, on the shoulders of the consumer, but businesses. You know, one of the biggest scams right now going around is we call it the CEO gift card scam, and what's happening are these fraudsters are so quick that they're finding your information on like LinkedIn, and on what are called business listing sites, like ZoomInfo, and Lead411, and RocketReach.
So they're finding, you know, hey Mark just took a new job someplace, and they get my contact information from these business listing services, and then they, you know, email you or text you, typically early in the morning, so like right when you wake up, you see a text from the CEO of the company that you just joined, and he's at the airport, and needs a gift card of money, because he's stuck, you know? And can you quickly go buy some and send him the codes, so that he can get the money? And like, you know, you wake up at like 5:00 in the morning, 6:00 in the morning, and you see this thing and it's like oh my gosh, you know, our CEO, like, and you don't know better.

Dave Bittner: Right.

Mark Kapczynski: And a lot of people fall for it, and all of these things you know, they're sort of used by these fraudsters together, so like a good example, another example is like, people you know, businesses may have had data breaches, and a data breach on its own is bad, but it's-there's usually not enough information in the breach that a fraudster can do some real damage with. They need to combine it with, you know, your real personal information, and so it's funny, but like some of the best customers of these people search sites are fraudsters. So you know, they go into the dark web, they get a list of names, and some account information, and then they go look up the person's name, and information on the people search sites, and then can reverse engineer your profile, and your, you know, all your information, so that then they can try to open a credit card account, or a bank account, or other accounts where they can, you know, truly cause financial damage. And so it's not like, oh, it's a data breach, and you know, someone gave me, you know, you know, credit monitoring, so I'm good. It's-it's the fraudsters are using this data in combination to try to cause harm, build synthetic identities on people, and you know, they're pretty smart that way.

Dave Bittner: Joe, what do you think?

Joe Carrigan: I'm going to start with this. We did this to ourselves, Dave.

Dave Bittner: Yeah?

Joe Carrigan: We, as a society, ran out to get on the internet, and now we wish we hadn't done that.

Dave Bittner: [Laughing] It's too late.

Joe Carrigan: At least to some extent.

Dave Bittner: Yeah.

Joe Carrigan: I wish I hadn't put all that information on Facebook. Dave, a while ago, I went out and just deleted a bunch of stuff from Facebook.

Dave Bittner: Okay.

Joe Carrigan: You know, old posts, and everything like that. Took weeks to do it.

Dave Bittner: Yeah.

Joe Carrigan: I didn't sit down and just do it, I couldn't tolerate doing that, but it took a long time, just to get my Facebook to a minimalist level.

Dave Bittner: Okay.

Joe Carrigan: So we've gone out there and put all this information out there, and now we're trying to get it back [laughter], well you can't really get it back.

Dave Bittner: Right.

Joe Carrigan: I don't have the illusion that Facebook has actually deleted my information.

Dave Bittner: No, set visibility to zero.

Joe Carrigan: Right, exactly [laughter], but I am convinced that there are fewer people out there that can see the information, so that's probably good.

Dave Bittner: Right [laughing].

Joe Carrigan: I think I've moved to the more secure direction.

Dave Bittner: Take the win [laughing].

Joe Carrigan: Right, I'll take what I can get. The point that Mark makes, we are very polarized. And it is-I'm convinced, convinced that it's because of social media, and one of the things that he says is that polarization, he points this out, it can be used as justification by some people to do you harm.

Dave Bittner: Right.

Joe Carrigan: Just because you think differently than they do. And they believe that somehow you've done harm, or you're going to do harm to people, pair that with the ability, or the availability of our data, and you have a real problem, I think.

Dave Bittner: Mm-hm.

Joe Carrigan: And that's kind of Mark's point.

Dave Bittner: Yeah.

Joe Carrigan: We have seen people buy and then threaten to release the web browsing history of elected officials.

Dave Bittner: Yeah.

Joe Carrigan: We've seen that, and I don't know, I just don't think that's something that should be available to do. Not just for elected officials, but for anybody, right?

Dave Bittner: Remember years ago, Congress made it illegal to get people's library borrowing histories, for that very reason.

Joe Carrigan: Right. Yeah, good.

Dave Bittner: Yeah.

Joe Carrigan: I think fake personas are a great idea. I have a couple of these that I use, and they are not Joe Carrigan [laughter]. So, there are, you know, there are things out there where I have these fake personas, where I sign up for things. I just have a, you know, essentially a spam account, right?

Dave Bittner: Yeah.

Joe Carrigan: Where, I just go in, and sign up for, you know, it's a secondary Yahoo account. It's not linked to anything, and if I want to-if they say you need an email address, oh guess what email address you're getting [laughs], you're not getting my real one.

Dave Bittner: Now, let me ask you this.

Joe Carrigan: Yes?

Dave Bittner: What do you think the odds are that the data people have figured that out? About you?

Joe Carrigan: You know, that's a good question. It's probably pretty good.

Dave Bittner: I would imagine so, at this point.

Joe Carrigan: Because the amount, the overlap in interest, they may be able to-to essentially that's an attempt to de-anonymize-anonymizing myself, and they may be able to de-anonymize that data.

Dave Bittner: I would think just from location data, too.

Joe Carrigan: Yeah.

Dave Bittner: This person always logs in from the same place that Joe Carrigan does.

Joe Carrigan: Right, it comes from the same IP address. Well, I do use a VPN, Dave.

Dave Bittner: Still, physical location, same GPS, same, you know? Interesting. Works the same hours, you know, all that kind of stuff.

Joe Carrigan: Yeah, it may not be doing me much good. But I still do it [laughter]. In the U.S., we give our data to a site, and that becomes the site's property. We don't maintain ownership of our own data, which I think is wrong. We should be maintaining our ownership of our own data. It would be nice to have something like GDPR here in the U.S., the problem is getting the government to agree on what that should look like.

Dave Bittner: Yeah.

Joe Carrigan: There's a lot of conflict of interest, however, I think in cyber security, there's a lot of consensus and agreement on things, which is one of the places we're not really divided as a country-

Dave Bittner: Yeah.

Joe Carrigan: And as a government. I would like to see that spill over into privacy [laughs].

Dave Bittner: Right.

Joe Carrigan: And people realize that privacy is part of cyber security.

Dave Bittner: Right.

Joe Carrigan: This is definitely a uniquely U.S. problem, a lot of the world has already solved this issue.

Dave Bittner: Mm-hmm.

Joe Carrigan: The case where Mark talks about the company that had a user jump through all kinds of hoops, and at the end, upload their driver's license to remove all the data? That's awful, and I'm glad that company got slapped with a big fine.

Dave Bittner: Right.

Joe Carrigan: So I like Mark's advice that if you want to start-you know, if you want to take a couple of steps, scrub, scrub yourself from the internet, do what you can, of course, Mark has the-Mark's company can do that. But you can also do it yourself, just go out, remove your data from the social media sites. I think you use a Twitter app that goes through and deletes old Tweets?

Dave Bittner: Yeah, I don't know if those work anymore, because the Twitter API has been, you know, beaten within a shred of its life, you know, these days, but there was a time when you could do that. There were apps that would go through and scrub things, and have all sorts of options to do that.

Joe Carrigan: Yeah.

Dave Bittner: So it's worth taking a look at.

Joe Carrigan: And then sign up for things with fake identities, you know, even if it's companies like Facebook think that it's you, they may never have confirmation of it, so it would be harder to sell that information as bona fide information.

Dave Bittner: Yeah.

Joe Carrigan: You know, just use that as like a data firewall [music begins] if you want to think of it that way.

Dave Bittner: Mm-hm, mm-hm. Alright, well again, our thanks to Mark Kapczynski for joining us. We do appreciate him taking the time.

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs, and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com, and isi.jhu.edu. The Hacking Humans Podcast is proudly produced in Maryland at the Startup Studios of DataTribe, where they're co-building the next generation of cyber security teams and technologies. Our senior producer is Jennifer Eiben. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.