Hackers Don’t Hack Systems. Hackers Hack People!
NINJIO attacks end user Security Awareness in a different way. We don’t lecture your users. We entertain and educate them by telling stories about real life security breaches that have happened to real life companies. We do this using 3-4 minute long animated and gamified episodes written by Hollywood writers, and we focus on a teachable moment around a specific type of attack. A new episode is released every 30 days. It’s like “drip marketing” for Security Awareness.
Training by Storytelling
Think back to your college years. Are you more likely to remember a two-hour movie that you saw, or a two-hour lecture that you sat through?
Storytelling is the most powerful way of imprinting a lesson into the mind.
Storytelling creates memories more powerfully than any other method of learning. At NINJIO the story is everything. The story creates memories, and memories solidify retention. Retention turns into action.
Combine our storytelling with real-life breaches that have happened in real-life companies, and you’ve got a formula for truly changing your Security Culture.
NINJIO is training that actually works.
Full text of radio show
Please forgive any typos; this podcast was transcribed by my typing pool comprised of volunteer stalkers.
Chuck: Welcome to an animated version, Security Guy Radio with my co, I have two, two co-hosts today. Mr. Paul Bristow, Eve Cerda.
Chuck: Back in the studio, good for you.
Paul B: Yeah. Wearing my Tisco [phonetic] [0:00:09] shirt and tie.
Chuck: Now can we get a shot of Paul with his tie? That is so British. No, yeah
Paul B: It’s out of the box see.
Chuck: That hurts my eyes.
Paul B: You got to dress; dress out of the box, so people will notice you.
Chuck: I’m serious; this is a very British thing.
Eve C.: He’s starting a new trend. This is okay. This can happen.
Chuck: No, it’s not, it’s not okay [crosstalk] [0:00:27]…
Paul B: It’s called fashion.
Eve C.: He can do it. He can do, he’s British.
Chuck: I’m going to go over budget and buy one of the Security Guy Radio shirts, because I can’t look at that, it hurts my eyes [crosstalk] [0:00:34]…
Paul B: Well, as long as it’s got cufflinks.
Chuck: I’ll give you cufflinks.
Paul B: Yeah, give me the cufflinks.
Chuck: I’ll get you gold plated cufflinks as long as you don’t wear stripes and horizontals in the same shirt, and then with the background for you being it must look really, really bad.
Paul B: What about stripes? There is just kind of different ways.
Chuck: Okay, all right. Oh, did I tell you, oh wait a minute you didn’t see my Facebook thing about the, I was at my son’s graduation this week.
Paul B: No, I was watching it. I was watching it on the Facebook.
Chuck: Yeah, getting a degree in math, right. So, Mr. Jarvis, he didn’t know this, so he goes up on the stage and we’re filming it and before we went up there the professor had pronounced all these very difficult names, you know “Bing Jong Pung Julule” and “Ninjen” and all of these foreign names he’s pronouncing them perfectly. He gets to Max Harold and he says, “Maximilian Herald” I’ve never heard my name…
Paul B: Well, that was probably the way it was said in the day, Ha-ruled
Chuck: I think that’s what he was saying Maximilian something…
Cherise: I think that’s a very creative way to say your last name.
Chuck: Some ancient name, I, he was, he didn’t catch it, he didn’t care, but it was just kind of funny. I’ve never since Howard, Hubbard, you all kinds of these but Ha-ruled, so welcome Chuck Ha-ruled, Security Guy Radio. I’m going to go with that from now on. It’s easier to say. Cyber girl what’s going on, how you’ve been?
Cherise: Hi, well thank you for having me on tonight again as usual. Well, we all know Barbie and the creator Mattel, the largest toy maker, everybody knows. Well, right now Mattel is battling China, because yes even Barbie gets hacked. Mattel unfortunately was a victim of a huge phishing scam that resulted in a $3 million wire transferred to a small little town in China.
Chuck: Why, what? Our friend Brian used to be the security there, I guess he should be back then.
Cherise: So, Mattel has a huge interest in China because they do a lot of their manufacturing of their Barbie dolls and toys. Well, they recently underwent major executive changes, specifically speaking, a turnover in the CEO seat, so a month in to fill in the new position of CEO. Their Finance Director wanted to ensure and impress the CEO with staying on top of financial obligations and payments with vendors and so this suspicious email came in one day requesting for a remittance of $3 million dollars to a new Chinese vendor.
Chuck: Were they selling, were they selling toner cartridges, because that’s…
Cherise: Toner cartridges? No.
Chuck: That’s the old scam. No I’m serious, remember Paul; we used to get a fax back in the day it said, “Hey…
Paul B: Oh, yeah. Yeah.
Chuck: Your toner cartridge bill was due and we had people at our guard company, three different divisions around the country sent in checks for $2500 and they called me up and said, “Did you get one of these I said, Yeah, it’s a scam. It’s out of North [indiscernible] [0:03:13] what you’re doing?
Paul B: How do you remember that? That must be 25 years ago.
Chuck: Still [indiscernible] [0:03:20] well I’m only half kidding, but explain how, I understand the phishing tact, but explain to my nieces and nephews how somebody could be so, what’s a good word “Stupid” to do that [crosstalk] [0:03:29] I mean if it’s 300 bucks.
Cherise: You know, I wouldn’t even think stupid, I wouldn’t even say stupid because when you’re dealing with certain executives they have certain levels of let’s call it allowances that they have permission to sign for and this Finance Director obviously was in the millions and so they had, she had authorization to go ahead and remit that type of payment. The challenge is that the email came posing from her CEO and so she didn’t think twice about just obliging and making the payment and when she confirmed with the new CEO that she had completed his request as, as requested, the CEO is “What are you talking about? I didn’t order a; three million payment to China.”
Chuck: Now why didn’t this…
Paul B: That was pretty clever isn’t it?
Chuck: It is clever. Well, remember when they, they hacked the News Corp site back in ’99 and they copied the News Corp site and every time you send an email, you’re thinking it was going to Mr. Murdoch [crosstalk] [0:04:18] it actually went to China. Now Cherise, why wasn’t this something catch, caught under Sarbanes-Oxley? Because don’t you have to have two signatures for these kind of things?
Cherise: It depends what level I mean CEOs, Finance Directors usually have the supreme authority to, to do certain allocated amounts of remittance and so in this term, in this case there was no let’s say due diligence perhaps or authorization of confirmation and that can be typical at the executive level because who else are they going to go up one, especially if they have the final authority to remit payments of that amount, but what I’d like to note here is we actually have a happy ending. Typically when these types of phishing scam happen, you don’t get your money back, well because Mattel had such a large, has such a large presence in China, they sent their Anti-Fraud Executive to the actual bank for which, processed the money, which is a small town in China called, I’ll make sure I try not to butcher the name Wenzhou, which is predominantly known as a criminal hub for stolen funds.
Well, since they had boots on the ground so to speak in China and they had strong relationships with the FBI and China, the Chinese government, they were able to confirm the transfer took place at that particular bank and actually get a warrant from the FBI to actually have funds paid back, so this is actually a case where you see a phishing scam go awry and they actually get their money back.
Chuck: Well let me translate that for our listeners on basic terms. What happened was the Red Army came in and pointed a gun and the bank manager said — no, I’m not kidding. That’s exactly what happened, right and said, put the money back, because that’s what happens. We, when I was at Disney building, we were building Disney, China. You know, I forgot the, what Mainland it was on, but in Red China, now Taiwan, right and they called me up and say, “Oh, these guys came in with guns and little red hats and they took all our computers and left what we do?” I said, “You do nothing. You don’t do a thing. You don’t argue with them. You know, the army came in and took all the computers, we never got them back, never got a phone call, nothing ever happened right. So, I’m sure that’s what happened, but that is kind of a happy ending that, that they went their way, because they don’t want to ruin the toy manufacturing contract, you know?
Cherise: Absolutely not in that really relationship.
Chuck: I’m sure somebody was executed for that [crosstalk] [0:06:38]…
Paul B: The more you think about it now, Mattel must have a, an authorization process for that one woman to be able to authorize [crosstalk] [0:06:46]
Chuck: But, that’s wrong. That’s too much. It’s wrong.
Paul B: …that $3 million check it’s ridiculous. Isn’t it?
Chuck: Yeah, that doesn’t make any sense.
Eve C.: No, no, no, no. See what happens when you, when you’re dealing with a company this big is that she probably has to sign like 20 things in like one minute, every other minute, you know so she doesn’t have time to necessarily look at everything although that is her job. She probably thought that somebody else looked at it before.
Chuck: That’s very interesting.
Cherise: But what happens in phishing scams is that most people are unsuspecting of any kind of malicious intent when they’re receiving emails especially if they’re crafted very well in such a way that they look authentic. That’s the case for which, we’re going to talk about next and that is the rise in phishing attacks in terms of taxpayers and their information as we know the tax season has just closed, but there has been reportedly over 40 organizations in Q1 that have reported data theft in terms of W-2 information, due to phishing scams.
Chuck: Wow. Well, I got a phone call from the IRS and I’m being sued by them.
Paul B: Oh, I read that one.
Chuck: I said [crosstalk] [0:07:49] tick a number right.
Paul B: I’ve read that three times, actually.
Chuck: Yeah that’s a big one going around too.
Zack S.: You know who the biggest, biggest one that just happened, W-2. I’m sorry, yeah; W-2 business email compromise was Sprouts…
Cherise: Oh, wow.
Zack S.: …from this market, 10,000 records.
Cherise: Yeah and so and that’s a good point, you know, you have in the thousands records of these individuals information being stolen and I’m talking social security numbers and, information that you would typically find on a W-2 and one is thinking to themselves forty organizations that are, or have now disclosed being comp, being phished, just within Q1 alone of this year. You have to ask yourself, “How is this happening?” What is it that let’s say the employees may or may not be doing correctly to do a due diligence, to ask, you know and confirm the identity of individuals asking for information via email.
Paul B.: Now at least, is this employee information getting out or customers?
Cherise: Yes, employee information [crosstalk] [0:08:50]…
Paul B.: It’s employee okay.
Chuck: Now is this on the rise, is this, worse than last year, it keeps going
Cherise: It is. It does keep going up and actually there has been a rise in phishing scams, specifically even Spear phishing, which is where we’ve discussed in the past on this show the top — who the target is…
Chuck: Now was this Spear phishing for Mattel?
Cherise: The Spear, so actually Mattel, it turns out that they were compromised through a phishing campaign, corporate emails were, were used to gather information on the target, as well as social media, that allowed these cyber criminals to craft a particular phishing email or campaign that really targets an individual specifically, so that it looks authentic.
Chuck: Now the fact that they spilled Mattel, metal, didn’t tip anybody off, oh I see those, I see these things. You get these emails right. They spell Bank of America wrong I mean, really you guys, I mean.
Paul B: But these guys must have done a lot of research.
Chuck: But, most of those things will have misspelling, typos, you know, I
Paul B: But actually it’s evolving [crosstalk] [0:09:52]
Cherise: But, you know, you would think it’s common sense, but in all reality most organizations suffer from some type of Cyber Security Awareness.
Chuck: Well, it’s funny you should mention that, as always we just happen to have a guest in our studio. Isn’t it amazing? It’s miraculous almost. Jarvis, are you impressed again. That we happen to a guest just happens to be sitting here to talk about that. Welcome Zack Schuler of ninjio.com. Now Zack your wife called me, or contacted me on LinkedIn, and she said would you look at our product now and I looked at that and I said, this is fascinating, so what NINJIO does is make training films, well, training animation videos, short animation videos to teach people and raise awareness for cyber security, so welcome to the show, Zack. Glad to have you.
Zack S.: Thank you for having me, thanks. It’s great to be here.
Chuck: Does Zack get an applause today? [Applause] No, there we go okay.
Cherise: Little delayed.
Chuck: Now, I really, sincerely I thought this is a very cool idea, right and we talked about this before the show, so Security Guy Radio is a little long in the tooth, okay. Both age and we talk a long time we go for an hour, but I might shorten that, and the reason I may shorten it is because people short attention spans are shorter and shorter every day. So, when I saw that these are about four minutes or so. I thought that’s going to make an impact, so give me some background, your background where you came from, you have an IT background, how you got into this idea. I think it’s really cool.
Zack S.: Sure, well again thanks for having me. So, yeah, my background is in IT, I started off as a network engineer, at a pretty young age I started a business called Cal Net Technology Group, IT systems provider, Managed Service Provider based out of Los Angeles. Currently have just over a 100 employees, started that business at the age of 21, got busy, hired a guy, got busy I hired another guy grew it to about 85 to 86 employees when I sold the business in 2013.
Chuck: How long you had the business, like 20 years.
Zack S.: I had the business for 18 years.
Chuck: That’s unusual start to start that type of business back in the day.
Zack S.: Oh, its Windows 95 had just come out. So it was 1995 when I started the business and so a lot of people, the business actually started out of Circuit City, so I was selling computers, people would say, can you come to my home, set up my computer for me, show me how to use it, so I started doing that. I got myself to college then I graduated from Cal State, Northridge and then from there I went to a trade school to learn how to do computer networking and you know, started doing that, so it really started with the Windows 95 era, kind of the first home, or the first PC in the home and that’s when businesses are really computerizing themselves as well.
Paul B: I bet, as people to listen, they wouldn’t even know what Circuit City
Chuck: I think there is one sitting right here.
Cherise: I know what Circuit City is. [Crosstalk 0:12:35]
Zack S.: I gave a speech to an eighth grade class today, and I said raise your hand if you’ve heard of Circuit City and there wasn’t a hand that went up and I said it’s kind of like the Best Buy.
Chuck: Yeah, that’s true. Yeah. Now where is the spark that kind of came up with this putting what you did in the past with this idea for NINJIO…?
Zack S.: Yeah, well so, here is what’s crazy is that, in my old business we were tech guys, right. We were putting in these crazy firewalls and just all this really good security stuff and the company still does that, but I would walk through our security operations, our network operations center and we would have clients who would get hacked. I would say well how did this happen, we spend all this money securing them and the comment was well, Suzy clicked on something stupid, but it wasn’t something stupid it was SS click, Suzy clicked on stupid stuff. Right and so I was like, you know, it’s nuts like people have to understand what they’re doing and I didn’t, at that point in time, say well let me start a training business right, I was running a tech business, so sold the business, I think I was going to retire, play golf for two weeks in a row, got worse every round, we talked a little bit about this, and then about a year or so ago, a light bulb went off and I said, you know, it would be so cool if people actually knew what they were doing and they, and hackers weren’t hacking people anymore, and that’s the saying on our website is “hackers don’t hack systems, hackers hack people” [crosstalk] [0:14:08].
Chuck: You know that’s what I said, that’s true. It’s a good point.
Zack S.: And that’s what…
Cherise: People are the weakest link.
Zack S.: People are the weakest link. For sure and that’s what’s going on today, and it’s getting worse and worse and worse, and so what I did was I thought back to all my times, taking like sexual harassment training, or whatever other corporate training we had to deploy throughout our organization, and how many times I would start the video and then I would hit the minimize button on the video, and I’d go and do my work, and I’d listen for an audio cue to when they ask me a question and I hit next, and I was like there’s got to be a better way, so took out a blank canvas, and I said if I wanted to learn about security as your average everyday employee, which is really important that I know how would I want to learn about it. Well, I wanted it to be short, three to four minutes long, we are a Facebook and YouTube generation. We cannot consume content, you know much more — think about going through Facebook now, if the video it’s a five minutes long, “I’m not watching that.” It’s just how it is, so has to be short, has to be frequent.
Security is one of those things that most corporations train their employees on it once a year, but the threats change once an hour, so if you think about how backwards that is, and so I’m like, okay it’s got to be current, it’s got to be relevant, it’s got to be on the attacks that are happening today and so we said, let’s do three to four minute long animated episodes and base them on real actual security breaches that have actually happened to real companies.
Chuck: That’s good. People put the connection in the brain, that’s great.
Zack S.: Correct and then they say, “Oh, not only is this interesting,” because I heard about this on the news, but “Oh, this can happen to me, this isn’t science fiction” and so I had a, or have a good friend from college, he was an RTVF major, actually, maybe he wasn’t, I don’t remember what he was. He was a one of this…
Cherise: He is one of this R majors…
Zack S.: He is one of those guys, anyways. He was a Forensic Sheriff for the Sheriff’s Department, and he ended up writing for Hawaii Five-0 and CSI, the guy’s name is Bill Haynes and so I went to Bill and I said, approached Bill with this idea, this is probably July, August somewhere around there and Bill is like, “I don’t know it sounds like a good idea” you can probably sell it, if anybody you can, and so he is the guy that writes the content, he writes the episodes. The episodes are written by you know, real Hollywood writers. Then I went and…
Chuck: He was a sheriff too.
Zack S.: He was a sheriff, yeah.
Chuck: [Indiscernible] [0:16:34] a cop, that’s great.
Zack S.: Exactly and then went out and found an animator and basically took our first episode and went out to a bunch of different animators, and said basically compete I paid all of them. A guy named Ben Reynolds just crushed it with the animation, Ben works for me today, he is amazing and then you know we got, we’re actually as we speak we’re recording episode seven in some voice studio in Studio City, so we have professional voice actors, we have professional music scoring, we bring it all together for this three to four minute long animated episode that focuses on one very specific attack vector like Spear phishing, and it focuses on one very specific actual security breach that’s happened.
Chuck: Now, just happen to bring one of those tapes with us, we’re going to take a look right here. Right, Jarvis, if you’re listening to this there’s narration behind this, but you got to watch us on YouTube or go to ninjio.com and look at the video there. Go ahead Jarvis; just roll that, that video.
Speaker: And you think his answer was hack the studio, who made the movie. I’m still having trouble buying it.
Speaker: Pretty obvious to me a copy of our movies leaks it gets a hold of it and decides to shut us down the only way he knows how for those Spear phishing cyber-attack.
Speaker: How much time is left?
Speaker: Whoever it was, they are smart. Make sure they gave us just enough time to not be able to do anything.
Speaker: Did you speak to Janine?
Speaker: As the Chief Security Officer it’s my job to inform you of a breach.
Speaker: I just can’t believe. I fell for it. I mean that. I’m really careful.
Speaker: That’s part of what makes Spear phishing so effective. Do you remember getting an email from IT requesting you to click on a link for some new HR
Speaker: Here is the email I got from what I thought was our company’s IT department. Notice the email address, well the front portion says Sunny Pictures IT. If you look at the actual email address it’s coming Sunny Dash Pictures.com not our standard SunnyPictures.com also look at how bad the grammar is. Like most IT departments ours is very careful about proofing emails for grammar. It’s also unusual that it was sent at 3:45 a.m. What tricked me was the fact that this email was talking about HR software. I’m in the HR department so it made sense that it would come to me, but what I learned from our Chief Security Officer is that this is the very essence of a Spear phishing attack.
Speaker: Well hackers did their homework on you. Perhaps on LinkedIn or some other social media site. They learned you work in our HR department so an email mentioning HR is what they sent to you.
Speaker: By opening the attached Excel spreadsheet, an Adobe Flash vulnerability was executed and opened a back door for the hackers to gain access to our company’s entire network. I, I don’t know what to say other than I’m sorry, and am I going to lose my job over this? Did you tell are we all might lose our jobs over this?
Speaker: Here we go, cross your fingers, this was just a hoax. Oh, geez.
Speaker: Oh what’s going on, what are these files?
Speaker: They’re everything.
Speaker: What? And who is going to have access to them?
Speaker: I need to call the parent company. Tell them what’s going on.
Speaker: What are the clues that should have tipped Janine off that this wasn’t a legitimate email?
Chuck: Oh, that’s really good.
Paul B: That’s brilliant.
Chuck: I think, I think we should go to our women on the street for an opinion on that phrasing whenever that wasn’t the right way to say, that was, but I, you do watch cartoons on Saturday morning in your Star Wars pajamas and your [crosstalk] [0:20:36]
Eve C.: Absolutely.
Chuck: So, as a cartoon enthusiast, aficionado how did this appeal to you?
Eve C.: I actually really liked that I was very into it, so that’s very good.
Chuck: Is it?
Eve C.: Yeah. I was like, “Oh my gosh I’m concerned. Don’t get, don’t get fired.
Chuck: Well and you’re the generation with the short attention span, so that’s…
Eve C.: Yeah, so this is good…
Chuck: So, this helped you for four minutes? Did you…
Eve C.: Four minutes.
Chuck: Did you want to see more?
Eve C.: Yes. I do want to see more.
Chuck: What might you want to see after that? I mean, like more answers or more in-depth descriptions or what?
Eve C.: Well, I just like the videos in general. I mean I know I know you are supposed to do the questions after, but the videos are very entertaining.
Chuck: There was some, there were some dead air you can’t see on the video, but if you, if you’re on YouTube watching there was some check offs that were going click, click and answering some questions. I, Zack, I just think it’s great.
Cherise: I, I really enjoyed watching it too because what I really appreciate about the approach is that you take really technical concepts and you simplify them down for a very easy digestible way of understanding a technical complex issue.
Chuck: Now Cherise did you notice that the, the guy with the deep cop voice and the girl weren’t; they’re similar to Security Guy and a Cyber Girl. I could see, I could see Security guy, Cyber girl cartoon, Jarvis am I right.
Chuck: Okay all right, very good.
Cherise: Would love for that to happen.
Chuck: Zack, we may contact you after that to do a little Security Guy promo video. That was very well done, very well done.
Zack S.: Well, thanks.
Chuck: All right, so let’s talk about what other types of cyber education, you’re going to be approaching in the future. You’ve done about eight videos so far.
Zack S.: So, we just voice recorded tonight, episode seven. The first video was on the Chrysler Jeep Attack that was actually done by an ethical hacker and then, and there we teach about rogue USB security.
Chuck: Oh that was for the car?
Zack S.: Correct.
Chuck: The white hats are proving that they could, hack a car, yeah.
Zack S.: That’s right. That’s right.
Chuck: Oh, interesting, okay.
Zack S.: Yeah and so we, we, we use an attack vector being a being a rogue USB device, because what people, hackers will do, they’ll leave a USB device sitting on the front steps of a, of a big company sure enough the CEO, grab and, “I wonder what this.” Plugs it in and bam they’re owned, so we did that, we did the episode two and three were on the Ashley Madison Breach. That was a,
Cherise: Oh, awesome.
Zack S.: That was an interesting one.
Chuck: Oh that’s a good one [crosstalk] [0:22:41]
Cherise: Now we put in a request, how about the Ukrainian Power Outage. I’d love to see that one.
Chuck: Oh, that happened in December that was a good one.
Paul B: Yeah, tell us about the Ashley Madison [crosstalk] [0:22:51]
Chuck: Well, Paul’s concerned his emails.
Zack S.: Well, yeah, there is a [crosstalk] [0:22:55] or do we want to talk about that or [crosstalk] [0:22:57]. Do we want to talk about that one, with you on the Air? Are you sure? Okay. Okay.
Paul B.: Because I’ve got friends.
Zack S.: Okay, okay. Yeah, so the Ashley Madison Breach, the, the company that owns the site, they are based out of Canada and every email address that was ever associated with that site became public information. It was a really hard episode for us to do, especially for Bill the writer because every other company that we do an episode on like Sony, you feel bad for them. They’re breached and you feel bad for them, Ashley Madison, not so much.
Chuck: Well, yeah.
Zack S.: You didn’t exactly feel bad for them. So we had to create this really cool story with this Fortune 500 CEO has his identity stolen, through social media, so he was engineered through a social media, had his identity stolen, that was taken. They created a profile on Ashley Madison then they anonymously tipped off his wife. His wife found the profile on Ashley Madison, she walks out with baby in hand, while they’re doing like this live interview on him then it’s, it’s a great, it’s a great story. It’s a two-parter.
Chuck: And you’ve just given every CEO in the country an, an excuse now and now what [crosstalk] [0:24:02]
Zack S.: Well, so that’s right and so that…
Chuck: I’m sure that’s been used.
Zack S.: That’s exactly right and the whole point of the hack in the story was that the hacker wanted to bring down Fortune 500 CEOs. He was a Hacktivist, right he wasn’t doing it for money, just trying to bring people down.
Paul B.: Now is there a way to Chuck and stop his email getting out from that
Zack S.: No.
Paul B.: No.
Zack S.: No it’s too late.
Chuck: Okay, okay. How about, how about your flash drives full of porn do you want to start that? Really, come on.
Paul B: But they are all work related.
Chuck: Oh that’s right, the investigations, investigations, I forgot. That’s
Zack S.: So, another episode that we’re finishing animation on tomorrow is the Hollywood Presbyterian Hospital Ransomware Attack that was made public, I don’t know, six weeks or so ago and so that’s what’s really neat about our company, is that we can take something that has just happened. Write a story about it, animate it and push it out to our, to our customers.
Chuck: Give me, give me a, an idea of a timeline how, you know if, I hope, if it would happen if Security Guy Radio got hacked today, wouldn’t that be great? People are actually watching our show, how fast could you get a video out?
Zack S.: Well, I mention the Sprouts Farmers Market. That’s episode seven that was recorded tonight. Voice recording was done tonight; scriptwriting was done a week ago. So it’s a week to voice recording, animation will be done in two weeks, maybe three weeks, a week after that music scoring will be completely done, so you’re talking about a five week lag time between story to you know the entire episode to get into shop…
Chuck: Yeah, pretty fair, makes it timely. Yeah.
Zack S.: It makes it timely, yeah, yeah, for sure and by the time it hits the media, that everybody knows about it, you know it’s a, it’s right on play…
Chuck: Now tell us, for people who haven’t heard about the Hollywood Presbyterian, tell us a little background what’s those hacks were you go through your videos, you know.
Zack S.: Yeah, so, so you want the story?
Paul B.: Yeah, just…
Zack S.: Yeah. Okay, so Hollywood Presbyterian Hospital was a small hospital in Hollywood.
Chuck: It’s right down the street from…
Zack S.: Yeah, right here, and they had a Ransomware attack and you know the details of how the actual attack happened a lot of times people don’t talk about that, because they don’t want to show what they, like the vector was, but essentially, they contracted Ransomware across almost the entire organization and the, the original reporting of the story was at the, the threat act, the bad act, it’s threat actors, hackers whatever you want to call them wanted $3.7 million to unlock their machines, so they could use them again.
Paul B.: How did that get on their machines?
Zack S.: So, likely what happened was somebody just, just clicked on an email, and it said, you know, update this piece of software and they did it, and they got access to the machine and once they have access to that machine, they get in and then, they just, you know, go across the network and [crosstalk] [0:26:46]…
Paul B.: So, again it’s a physical action that started it…
Chuck: A person.
Zack S.: 99 times out of a 100 it is a person that starts it. Yes, so IBM reports that 95% of security breaches are due to human error.
Paul B.: [Indiscernible] [0:26:59] it’s all physical…
Chuck: You were seeing that back in the day, yeah.
Zack S.: What’s crazy now is when we talk about what’s called business email compromise scams, which are the wire fraud, the W-2 stuff that we’ve already talked about. Those, that, you don’t even have to be a hacker, so in, in Episode seven we’re talking about W-2 business email compromise we’re coining the term and it sounds really ugly, but it’s an ugly thing “scacker” and a scacker is half scam artists, half hacker.
Chuck: Is that your term?
Zack S.: That’s my term.
Chuck: I love it. It’s copyrighted, don’t steal it, he owns it [crosstalk]
Zack S.: Because you don’t need to be a hacker anymore, like all you have to do is spoof the email address of the CFO to the payroll processor and say, “Hey, I need these payroll records right away.” The payroll company gives them to you in one PDF file, they get released and that one PDF file gets into the hands of the wrong people, you get 10,000 tax returns filed and all of a sudden you are a worker and you’re like, “Oh my gosh, my tax return was filed on my behalf by some guy from wherever [crosstalk] [0:28:01] not the U.S.”
Chuck: I guess I was the scacker at one time, by myself.
Eve C.: Were you?
Chuck: I was. I, unfortunately, by the way, my mother didn’t raise any dumb kids but I’m no genius. Okay, so let’s just say I had an incident with a business who may have, let’s say, borrowed one of my scripts that I wrote, and so what I did is, I spoofed my, through Outlook, and you can go in Outlook and you can change the name as it appears, you can change a bunch of things, and I just put my name as the person who had stolen my script and I sent that email to somebody that was involved in the script stealing and they started talking to each other and I started a whole conversation with them. This person thought that they were talking to that other person and I didn’t steal anything with information, but at the end, I said, “Thanks for meeting, you just stole my script. Thanks a lot,” right.
Eve C.: Did you sue him?
Chuck: I did not. I did not, but…
Zack S.: Did you beat him up?
Chuck: They, but they knew that I knew and by the way they did not make the film, they had started production with a major star and they didn’t, but not difficult to do and you know these are people at a studio. They’re not, you know they’re smart people and all they did is just look at the name, it said it’s from Chuck Harold and they said, “Oh yeah, I know Chuck Harold—email”, so this isn’t like you say, super sophisticated Russian spies doing the stuff anymore.
Zack S.: That’s right.
Chuck: It’s kind of basic stuff.
Zack S.: That’s right.
Chuck: Then if you’re smart, you know, you can click on view details and you can look at, you know where that came from loc, I think, but this is why I’m so passionate about these things. This has just been going on a long time, answering why it’s on the rise are people catching on to it, I mean, what’s, it’s just so easy to do now?
Zack S.: I think it’s just yeah, it’s just so easy to do and you know people don’t, you know, why rob a bank when you can just grab a computer and yeah, here’s the other thing that happens. I was at an FBI conference a couple of weeks ago and a buddy of mine is a special agent and he says that when something like a business email compromise crosses multiple jurisdictions across the US all of a sudden nobody is responsible and nobody will go after it and there’s so many of these things that are happening now, like businesses every day are going out of business because they’ve been wire frauded, because of the business email compromise wire fraud stuff, and there’s so much of it. It’s like you know he is like it’s just like, you know [crosstalk] [0:30:10] and it’s overwhelming.
Chuck: It’s like the terrorists. It takes about, what’s it Paul, 14 or 24? I can’t remember. FBI just [crosstalk] [0:30:16]
Paul B: Oh, yeah, yeah.
Chuck: And we have hundreds of terrorists and we have 2000 FBI, that’s right, so it’s just not possible [crosstalk] [0:30:23]
Zack S.: Well, yeah and we have millions of Scackers. So, how are you going to follow those guys?
Chuck: Right. Now, Miss Cherise, you talked about Ransomware last week. What case was that?
Cherise: Yeah. It was actually, we did, we discussed the Kentucky Hospital, which is a very similar case to the Hollywood Presbyterian Medical Center and that’s basically where they just totally took down their system for several days, bringing down the hospital system for several days, and it crippled any business, a hospital much less, and jeopardized the patients that are there.
Chuck: Now here is, maybe I don’t know the background of this, but Hollywood Presbyterian, it’s not a large hospital and I’m not sure if it’s part of one of the big mega hospital owners, but it’s always been kind of a clean-looking hospital. Not super sophisticated, right, like somebody going to Saint John’s or UCLA or something. Do we know if they were successful in getting some money out of
Zack S.: They were, so. It was originally reported it was $3.7 million is what they were asking for, but that was not correct reporting. There was like some Bitcoin to U.S. dollar currency screw up there. Long story short, they got just under $17,000 out of them to pay the ransom.
Chuck: Yes, see Cherise, you were saying last week, well no, really not, see it’s like, it’s like the kidnappings in Mexico, right. They kidnap you, they call your brother-in-law who is at the hotel and say, give me $500 and we are done, because I can give you $500. Let’s do volume; let’s do 100 kidnappings today, all right. So, Cherise, it’s really these things are getting to be a lower entry point for the ransom money, because, “Hey, why wouldn’t I pay $1500 so I get everybody back to work” [crosstalk] [0:31:58].
Paul B: Plus that I don’t report it, it’s only [crosstalk] [0:32:02].
Cherise: Exactly, and there’s so many variants of different types of Ransomware that keep coming out onto the market, and the unsuspecting user that doesn’t confirm or clicks on those links, it just takes seconds to be compromised, but so I want to get back to utilizing this approach of training to craft a certain message that’s easy for an employee that’s non-technical to understand and maybe think twice. Zack, talk to us about how companies can utilize your training awareness courses for their own purpose.
Zack S.: Yeah, so essentially the business model is, we sell this content to major companies. We sell it on a per user, per month basis. We hope that companies view it kind of as a rounding error; it’s really not that expensive, right.
Chuck: It’s very good.
Zack S.: So, the key in the business model is to get lots and lots of companies to buy it and that’s the key, because the more companies we have, you know, the more awareness that’s out there, and so essentially, we’ve got kind of two different ways that it can get delivered. It can either be delivered through our cloud, through our own learning management system, which is how the, you know, smaller companies, generally less than 2500 employees, would buy it, and then deliver it that way, and then they can measure like who took, you know, who watched the episode, who didn’t, when did they watch it, how long did it take them to complete the answers to the questions correctly.
Chuck: Okay. That’s very important.
Zack S.: Those are important stuff, so from a compliance standpoint they can track who did what, then for our larger customers…
Chuck: That’s on your cloud doing that?
Zack S.: Correct. For our larger customers we’ll just hand them what’s called a SCORM file, which is basically like a file that gets plugged into an internal learning management system, and then they plug it in and they can do all the measurement on their own.
Chuck: Now how do you protect the copyrights maybe not the best way to say, but in essence it’s intellectual property.
Zack S.: It is.
Chuck: Once it goes on the web it’s kind of like, you know, how do you trust the client not to say, let me email it to my buddy and show it to them for free and stuff. I like the way that you give the file to the big corporations, they’re going to protect it internally.
Zack S.: Yeah, and I think it might be an issue, I mean you can watch what we just watched. It’s public on Vimeo right now and so we don’t release every episode that we do publicly, but ones where we just want to get people’s attention, you know, then we do it – because they take that and use it as training I suppose they could. It’s going to be the same problem that you have when you buy a piece of software, and that same piece of software makes its way on to 10 different computers. You know, it’s like you just hope that people are going to do the right thing and yeah and most of the time…
Cherise: Can you do custom training development not necessarily, you know, a storyline that’s happened, that’s played out in the public eye, but let’s say a corporation has specific need or a specific scenario.
Chuck: Oh that’s a good idea, yeah, customized. If somebody hacks the station, we are going to sit down and do internal training and help you write a script for them.
Zack S.: That’s right. We’re not doing that yet, that will be on the roadmap of the business at some point. It does cost, you know, probably 15 grand an episode for us to produce one. So, it’s not, you know, insubstantial and I think as the business grows we’ll actually go into different routes, we’ll probably do custom content for really large organizations. The other thing is getting into verticals, so maybe doing a whole thing that just deals with medical. You know, dealing with just PCI, PCI compliance.
Chuck: That’s a good idea.
Zack S.: Payment Card Industry. You know, so go down into those sorts of verticals, but right now we’re just trying to do one thing, and do it really, really well, and the content we make applies to so many different companies. I mean Ransomware, yes, it’s big in the hospitals right now, but every company is getting hit with Ransomware.
Chuck: Now, Cherise, how do hospitals get hit with this, with all their, you know, HIPAA regulations and being careful about this, and I don’t think, it seems like they’re the worst target right now.
Cherise: You know, again, typically Ransomware makes its way onto, whether it’s a hospital computer, your home personal computer, a corporate computer, usually through the means of some kind of phishing attack; a link gets sent, they click on it and it installs the malicious software on the back end of the host machine. You know, we’ve already seen too many claims of Ransomware being inserted through portable media like the description of the USB and picking it up off the street, and so now that does happen, but typically the Ransomware that we’ve seen is usually coming through the means of phishing scams.
Chuck: You both have, you know, I will throw that to you, Zack. You both have technical backgrounds and you can answer this. Why aren’t the IT guys blocking these things, checking them, I don’t know, is there some way, technically, as a firewall thing, or is it just?
Zack S.: Yeah. I mean you can’t. There’s a whole bunch of reasons why, but there is, you know, not every piece of software has even the ability to check, and it’s just really hard for you to put a technical solution in place sometimes that fixes this. You’ve got to educate the last mile on it.
Paul B: Well, I guess it’s a mixture, because now, you know, most companies, you know, they are pulling up the scam emails.
Zack S.: Oh yeah, they try it.
Zack S.: They try, but I’m sorry, there are literally 100 million phishing emails that go out every day.
Eve C.: Wow.
Zack S.: It’s 100 million, so you made the analogy to a terrorist, right. A terrorist only has to be right once, and so if you’re getting, if you know obviously one company is not getting 100 million, but if you are getting 10,000 of these and you are filtering 99.9% of them. Great, but you know what. That means five get through. Whatever the number is, right.
Eve C.: Yeah. [crosstalk] [0:37:54] another comment where the Ransomware gets onto host computers too, not necessarily by phishing, but by let’s say an employee going to a site, even maybe a trusted site, and they may click on a link within that site and that’s how the Ransomware or the malware gets installed, so it’s going both ways. It’s employees receiving phishing scams and then the employees going out to sites that may have the malware on those sites as well.
Zack S.: And those could be very well be legitimate sites that have been hacked
Chuck: Oh that’s a good point.
Zack S.: So, a hacker will hack a legitimate website like “The Wall Street Journal,” and there will be some piece of malware that’s on the front page of that site. Wall Street Journal will probably be pretty hard to hack, but you know, any editorial, right, and you go there and all of a sudden it comes up with some sort of a prompt that says “hey click this to view the latest blah, blah, blah” and you click it and then bam, you know, you’re owned, so first of all be wary of any sites you go to in the beginning, but if they ever ask you to do something, if a website is literally asking you to click a button or approve something, or whatever, don’t do it.
Chuck: That’s the basic rule I follow.
Zack S.: Even if it is a very legitimate website, because that legitimate website could have been hacked.
Paul B: What about sort of iPads, because more and more companies are using iPads instead of issuing laptops. I mean is there a way, you know, you’re going on a site and you’re getting all these little pop ups, which you get on them, certainly you get them on an iPad more than anything.
Zack S.: Yeah, you can get…
Paul B: I mean can that be introduced through an iPad?
Zack S.: Sure. Yeah, I mean, could it manifest itself from an iPad over to a PC, that might be a hard thing to do, but yeah, iPhones get hacked, iPads get hacked.
Eve C.: I mean if it’s on the network. Then it’s on the network.
Paul B: Yeah, yeah that’s what I’m thinking…
Chuck: Well, no, but to Paul’s point. I think what he was trying to say is, you know what, you locked my iPad, good, I’m throwing that away and buying another one, 500 bucks instead of paying you $1,500. Right?
Paul B: Yeah, yeah. Yeah, exactly.
Chuck: Why would those get into your main PC frame with your two terabytes or something.
Zack S.: Well, if the iPad’s got all your pictures on it and you haven’t saved them to iCloud and you want those pictures back and…
Eve C.: Yeah, and there’s that.
Chuck: Now what about social media? Is this, vulnerable to these sorts of things? I haven’t seen any, well I take that back, I have seen quite a few things. That’s also been a, questionable but… Is phishing hitting social media like Twitter?
Zack S.: It is.
Chuck: There’s, some weird clicks on there [crosstalk] [0:40:13]
Zack S.: I have a great Twitter story.
Chuck: I don’t care how large an appendage is on some woman’s Twitter, I’m not going to click on the site, I’m very apprehensive.
Zack S.: So, you want to hear a good tweet, so there is a concept I’ll call “Twitter Phishing,” and so let’s say you go to Chili’s to have dinner and you’re a Twitter user and you have a pretty bad meal, so you leave Chili’s and you take to Twitter and you say, “Just had a horrible meal at #Chili’s.” Well, a hacker will look at that, they’ll create a Twitter handle called “At Chili’s” with an extra “L” in it, so you don’t recognize it. They’ll send you a direct message, “Really sorry about your bad meal. Please take a picture of your receipt, upload it to this website and then, oh, by the way, put your credit card number in and we’re going to refund your meal for you.”
Paul B: Oh, that’s a good one.
Chuck: That is so freaking clever. This is so clever.
Paul B: [Indiscernible] [0:41:02] doing that.
Chuck: Yeah, and that is amazing.
Eve C.: To ask you for your security code in, as well.
Zack S.: Of course, and you’re going to put it in you want your credit back [crosstalk] [0:41:10]
Chuck: Well I could especially see people in a certain demographic, certain ages, right, that, you know, I’m an angry white guy with white hair, right. I’ll be all burned up about it. God darn you, I’m going to go do that, right.
Zack S.: Yeah, and now Chili’s is going to give me my money back.
Zack S.: That’s great [crosstalk] [0:41:21].
Chuck: Is that a fairly new thing?
Zack S.: It’s, I heard about it recently, yes.
Chuck: And so yeah, because you can create a Twitter account in five minutes and then it’s gone, they just delete it. Nobody knows the difference.
Paul B: Well I think there’s a problem with the Twitter generation is the twits…
Zack S.: The tweets?
Eve C.: The twit generation.
Paul B: There’s a lot of naiveté out there. I mean it’s just a lot of naïve people [crosstalk] [0:41:41]
Cherise: Unfortunately the information that’s put on social media is used in a sense of profiling your victim, you’re profiling your target, so that…
Chuck: Yeah, that’s exactly right.
Cherise: You could craft whatever kind of hack, whatever kind of phishing scam directed towards that target, just based on the profiling information you get on social media.
Zack S.: Some of the really smart guys now, really smart security guys, on social media, like even on LinkedIn, they’re taking everything about them off. Facebook, it’s, you know, first name only, there’s no pictures, it’s getting like, and this hasn’t happened in mass quantities by any stretch, but I’ve come across some security guys that you just can’t find anything about them. Go to your company’s website, you know, there are people who are taking executives off the front page of the website. It’s like, what’s the benefit versus the risk if everybody knows that’s the CEO of this small company.
Chuck: I’ve thought about that a lot, I mean I have, like, almost 15,000 people on LinkedIn, right. It’s a lot of people, and done with 10,000 on Facebook, and I get all kinds of questionable things and I can’t keep track of it anymore, right. So, if you’re General Archibald Smith and you spelled Archibald wrong and you don’t capitalize general, I’m suspicious, but some of them are very good and they are very hard to distinguish, if that’s real, and I do worry. I mean I have to be public. I’ve got to put things out there for people to follow, right, and…
Eve C.: A lot of us do, I mean we’re all on LinkedIn nowadays, they’re always asking for your LinkedIn no matter where you’re applying.
Paul B: The problem is once you’re on there and you’ve been on there for a couple of years, I don’t care what your profile is now. It’s all out there. I mean, we used to have this with, you know, talent. Once they got a name out there, your information out there, it was no good trying to close that door, the barn door of the old [indiscernible] [0:43:26]
Chuck: Now why hasn’t anybody thought of two-way authentication for phishing scams, right? In other words, I don’t know how this should work; I’m just throwing this out, because my brain is not too big.
Cherise: You bring up a great concept, and in terms of the two-way, the premise behind it is that you double check and you’re authenticating whatever is on the other end twice, by two types of methods of identification. That is the due diligence part that is missing in most cases. For example, when someone gets a phishing scam or a request to disclose personal information or to do that wire transfer. Why isn’t someone asking, we need to confirm this identity, and figuring out the right process to do so?
Chuck: Is it technically possible too? The way I would think of it and this is oversimplified would be I get some email that has a link that I can click, but you know what, my Cooper Paul says, you’re not clicking nothing, until IT looks at it.
Chuck: You know what, you’re not going to get too many emails at work that you have to click something on. I’m thinking not too many, right, and maybe there is some way they could start with that kind of process that could be done right.
Zack S.: That’s a policy there, and a policy has to be followed by a human. So, there again, you fall back on the human to act, to follow the policy.
Chuck: Well, I think you can write some code that says I’m pulling your email off the server because it has a link in it and I’m going to hold it in quarantine until we verify. Cherise, is that possible?
Paul B: So, I think most of us feel it is, before that comes in.
Zack S.: They do, they try and do that with technology and most of the time it works. 99.9% of the time…
Chuck: Like you said, there is a billion of them so [crosstalk] [0:44:55].
Zack S.: It only takes one. It only takes one.
Eve C.: So, Zack, I have a question for you. When I buy this, let’s say I buy this product for my company, what exactly like what should I expect out of everybody else who is working with me, what will they have learned by the end of watching all of your videos?
Zack S.: Well, you know every video just focuses on what we call “one attack vector.” So, it’s one specific kind of attack. It’s…
Chuck: Now, you say you vector, do you really mean stupidity? I can say that, I’m going to say stupidity instead of vector.
Zack S.: A vector is a way in, so it focuses on one…
Chuck: Stupidity is the way in, that’s what I’m saying.
Zack S.: Okay, sure, so “one attack stupidity”
Eve C.: “One attack stupidity.”
Zack S.: Yeah, and you know, we’ll end up covering spear phishing more than once. Spear phishing is a huge thing, but it will always have a different story line behind it, and so, you know, once a client has been a client for a while, you know, there’s a really interesting phenomenon that happens with our content. Our first episode was about USB security. We had a client who reported, after two weeks of that episode being released, that the number of suspicious emails getting sent to IT about spear phishing went up by three times. So, think about that. We trained on USB security and all of a sudden, because we launched security training, they sent three times more suspicious emails to IT that were phishing emails, so I think…
Chuck: No, actual phishing emails, they caught?
Zack S.: Actual phishing emails that the employees would forward and say this looks suspicious, and so the reason…
Eve C.: That’s good.
Zack S.: It is good.
Eve C.: That’s really good, yeah.
Zack S.: It is, and so what we’re doing is, even though we are training on one thing, we’re just raising the general awareness, right, and so people are just a little bit more suspicious, and so that’s what we’re going to report, and that’s why we’re releasing it once a month, you know, and so we release it once a month, and two weeks after that we release this little three-pane, what we call an “anchoring cartoon,” that just reinforces the video that they saw two weeks earlier, so it’s a real quick little reinforcement that they can, you know, digest in an email in ten seconds, and we just feel like that constant touching with something that’s security-related just gets the antenna up, and so I would say a client that’s on our program even for three months, they’re going to notice a pretty, they should notice a pretty significant difference.
Eve C.: Do you have any beta testers at the moment?
Zack S.: What do you mean by that?
Eve C.: Like do you have anybody testing it out like before you fully release?
Zack S.: Like a before and after?
Eve C.: Yeah, like do you have any stats on, I mean…
Chuck: Are you looking for a job or something?
Eve C.: No, I, [crosstalk] [0:47:27]. I’m just, I love stats, so this is interesting to me, but you know you did mention you had somebody already there and you had like three times the amount of emails sent in, right. So, you already have somebody that’s testing it out.
Zack S.: Well, yeah, we have [crosstalk] [0:47:41]. There’s just, yeah, it was a client, they’re just kind of gaining analytics, right. So, we do have a potential customer right now, who I’m not allowed to say who they are, but they have taken 200 people. They’re giving 100 people our training; they’re giving the other 100 people not our training, so it’s a control group.
Eve C.: That’s awesome.
Zack S.: Then they’re going to launch an attack at them to see which group of the 100, you know, of the 200, if the group of 100 does better.
Chuck: It’s one group, are they both blind so the one group doesn’t know who has the training.
Zack S.: That’s right.
Chuck: Oh, interesting. That’s a great idea.
Zack S.: Yeah, and so they’re going to, I’m giving them the content free of charge for them to do this study, and their company is very well-established and they can do studies.
Chuck: Have you thought of putting analytics into your training somehow?
Zack S.: Well, we have. I mean, we have some analytics, so I can tell you right now we have an 81% engagement rate, which means that when we release the episode to 100 employees, 81% of them consume it, which is pretty good. You know, most of our clients make the training mandatory, so they have to consume it, right. What else?
Chuck: So, if it’s just kind of voluntary training, 81% is still good.
Zack S.: Oh if it was voluntary?
Chuck: No, if you say it’s mandatory, why is it at 81%.
Zack S.: Well, because…
Chuck: There’s always people that don’t bother [crosstalk] [0:49:00]
Zack S.: You’re supposed to take this training and you don’t, yeah, and so you know, we’ve got clients that are literally at a 100% participation rate after four episodes, because they made the training mandatory [crosstalk] [0:49:12]
Paul B: Now you have a little test at the end, right.
Zack S.: We do.
Paul B: Just so you know how many people take that test and pass at the first time.
Zack S.: We don’t have those stats yet on who passes the first time, because we basically made it mandatory, that you have to pass it in order to complete the episode and get your certificate.
Chuck: Is that 100% pass rate that you [crosstalk] [0:49:32]
Zack S.: You have to eventually get 100%, so you can keep guessing until you get it right, and then that completes the episode, so that you can…
Paul B: Now are you just in the U.S. or are you looking at…?
Zack S.: No, we have clients outside of the U.S.
Paul B: Oh, okay. What sort of countries?
Zack S.: Australia, Japan, almost the Netherlands is coming up soon. That’s probably U.K.
Paul B: So, is there, I mean is there a response there, you know, you are getting
Zack S.: Honestly, we don’t have enough clients outside of the U.S. to tell, you
Paul B: Because it’s the same problem the world…
Zack S.: It is, it is the entire world, yeah.
Chuck: You got to do one in Brazil and put Security Guy Radio on there.
Zack S.: There you go.
Chuck: I have a huge following in Brazil for some reason.
Paul B: You just want to go to Brazil.
Eve C.: In Brazil.
Chuck: No, we have, United States is one. U.K. is two; Brazil is number three for followers. I have no idea why.
Eve C.: Wow.
Zack S.: That’s crazy. I have good friends from Brazil.
Chuck: Very interesting.
Paul B: I don’t know, just the Olympics.
Chuck: No, it was all there from the beginning, it’s from Brazil. I’m not sure what that is, very strange.
Paul B: Yeah, we got some weird places, don’t we. South Africa was a place.
Chuck: 93 countries, a lot of Middle Eastern countries unfortunately. Just kidding, we love you guys. Now when we talk, let me ask you a question about how the video runs, so Cal Chamber, California Chamber of Commerce, has a website. They have a very good sexual harassment training module. The law says it has to be two hours, right. So, what I used to do before they fixed this was, like you said, I play the video, I’m doing something in the background, I go click, click, click, I get all, or I would skip forward to the answers and do a Q&A and I get them right. This is not too difficult, you know, but now what happens is you play the video, and you have to watch every freaking minute, and it goes for ten minutes and it stops and then you get to answer questions, you cannot fast forward. Are your videos like that? Only four minutes, not two hours.
Zack S.: It’s exactly like that. We do not have, all we have is a pause button, there’s no rewind, there’s no fast forward. It’s just the pause button you can
Chuck: See, four minutes is a no brainer.
Zack S.: It’s a no brainer, no one is pausing it anyway, unless you get a phone call [crosstalk] [0:51:29]…
Eve C.: You can tell the volume as well.
Zack S.: No, because it’s actually.
Eve C.: YouTube used to do that where, it didn’t matter if you lowered it, that’s what I would do before the apps, but now you can’t, if you lower the volume at all it will pause your ad.
Zack S.: Oh my Gosh, I didn’t know that.
Eve C.: I know, look at me trying to be [crosstalk] [0:51:47]
Paul B: There’s all these people working to try and get around technology instead of just sitting there watching it. You must spend more time trying to get around [crosstalk] [0:51:54]…
Chuck: Yeah, but they’re not getting around the bad technology by clicking on buttons and stuff, by the way [crosstalk] [0:51:59]. That’s right, right, any studies on why people fall for this stuff? I mean, in 1996 when the Internet was new I could see them falling for it, right, but I mean really what’s…?
Zack S.: It looks legitimate. It just looks, I mean if you get something from your boss that says we are about to lose our relationship with this vendor if you don’t wire transfer $15,000 to this bank right now and you get that from your CFO, do you question them?
Chuck: So, are those more of the phishing attack, is now more, now explain that word to me, Cherise, it’s… we social, we social hack people, we get the background.
Cherise: Social engineer you profile them [crosstalk] [0:52:35]
Chuck: We call them maybe, yeah.
Cherise: You craft the specific attack using all the information that you can gather, for example, Mattel, it was widely publicized that there was a CEO replacement, so within that first month the attack took place. Why would that attack get executed the way it did? Because of the turnover, there’s change in operations. People are, you know, it catches you off guard basically.
Chuck: So, people, my question is, is there more spear phishing or phishing from individual to individual, or is it the Bank of America saying you’re overdrawn, send me some money. It used to be companies, right, at first it was kind of companies trying to…
Zack S.: Yeah, and there still is that, and I would say that there are still more phishing attacks, because those are a lot easier to do and you can do those, you know, it’s casting a much wider net.
Chuck: Put out a million and grandma [crosstalk] [0:53:33] clicks on it and
Zack S.: Right, you know what a spear phishing attack is really like, it’s honing in on [crosstalk] [0:53:37]…
Chuck: Spear Phishing means an individual probably.
Zack S.: Yeah. Okay, well.
Chuck: All right.
Paul B: You know what the true issue is. There is an internal problem with people, you get something, and this covers everything, and it doesn’t feel right, but they haven’t got the ability to say, you know, you have sent this email, but there’s something wrong with it, because I guarantee the person that clicked on that, you know, the one for Mattel to pay the bill, thought that it wasn’t right.
Zack S.: It’s hard stuff.
Eve C.: Well, you know the other thing with emails…
Paul B: But you’ve got that fear, that, the old, you know, the feeling of something is not right; if it doesn’t feel right then don’t do it.
Eve C.: Well, it’s not just that, a lot of people don’t realize that it’s not illegal to email anybody’s email. It’s just like I can send you a letter to your home or I can send you a letter to your email and there’s nothing illegal with that, so it’s like you just get so many things that you just don’t know what’s going on anymore, I think, and sometimes you get like those sales emails. Ever had any of those?
Paul B: You still, you don’t pay the Nigerian one do you?
Chuck: Some people still do.
Paul B: Well that’s true.
Chuck: I mean my basic rule is I just delete it, and guess what, if it’s real and it’s important someone is going to call you and say, wait a minute Zack, and I respond. I mean that’s what’s going to happen if you delete it, nothing. If it is legitimate you are going to follow up on that, right.
Eve C.: That’s true. That’s very true.
Chuck: My haircuts, have you noticed my hair is actually whiter since I started the show [crosstalk] [0:55:06]? It was salt and pepper; it is just white. Every time I've done the show I get more and more worried about all this stuff. What about mobiles, real quickly, Cherise? Bring your own device, or Zack, issues with that? We've done new shows about bringing your own device, but that's now where people bring their own cell phone, or smartphone, because it's cheap if the company lets you pay for your own and they give an allowance for it.
Zack S.: Yeah, I mean, BYOD is an issue because it's much harder for you to control somebody's personal cell phone than it is a company-issued cell phone. Now, that being said, any smart company is going to put a piece of software on there, it's called MDM, Mobile Device Management software, and so they'll have a requirement that says for you to even bring your personal device you have to install our MDM software on there so that we can monitor or manage it for you.
Chuck: But what we're hearing, Cherise, is that, what was the number, fifth, the show we did a few weeks ago, over 50% of these hacks are Bring Your Own Device enabled, right? Maybe not spear phishing, but I mean generally hacking, a lot of it happens on the mobile stuff now.
Cherise: Yes, and unfortunately with what's coined as BYOD is that you have different variants of mobile devices running on different operating systems, whether that's Apple, whether it's Android, et cetera, and then those applications that are running on those different OSes are actually the attack vectors that open up the holes to the network that aren't being secured by some software, and so then you're opening up emails, work information, and exposing that on your mobile devices, and you don't even know what applications are posing the biggest risk on those individual BYODs.
Chuck: Well, I think if you open your work email on your phone, it is not the same as sitting at your desk, because you might not notice the result, because you are not in the office; it's probably a different response, like you just go past it…
Eve C.: It’s a different format too…
Paul B: It should be a problem.
Chuck: No, it shouldn't be. What have we got, 30 seconds, Mr. Jarvis? Zack Schuler, ninjio.com, fascinating subject. I love this product. I think it's great.
Zack S.: Thank you.
Chuck: We'll put this out on social media for you. Hopefully you won't get spear phished or anything like that.
Zack S.: I’m sure I will.
Chuck: Cherise, we've got to have a [crosstalk] [0:57:13]…
Zack S.: Nice meeting you Cherise.
Cherise: Absolutely thank you guys.
Chuck: Cyber girl for you, Paul Bristow,
Paul B: Cheers.
Chuck: He is sort of my canary in a coal mine. Thanks for coming in; we'll see you next week on Security Guy Radio.
Paul B: Cheers.