Darknet Diaries - 122: Lisa
Episode Date: August 23, 2022

In this episode we hear some insider threat stories from Lisa Forte.

Sponsors

Support for this show comes from Axonius. Securing assets — whether managed, unmanaged, ephemeral, or in the cloud — is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs — finding and fixing vulnerabilities in real time. Create your free account at snyk.co/darknet.

Attribution

Darknet Diaries is created by Jack Rhysider. Editing by Damienne. Assembled by Tristan Ledger. Sound designed by Andrew Meriwether. Episode artwork by odibagas. Mixing by Proximity Sound. Theme music created by Breakmaster Cylinder. Theme song available for listen and download at bandcamp. Or listen to it on Spotify.
Transcript
Here's a question. What's the biggest threat facing music venues, sports stadiums, and theaters?
Well, I don't know. But I'm going to go out on a limb and guess that it's insider threats.
What I mean is I think there are a ton of people who want to get free entry into all these places.
And they do get in without paying all the time by using an insider.
I've seen it with my own eyes. I've been to the movie theater and saw someone pay their way to go in,
and then once inside, open up one of the side doors
and let their friends in who are outside.
And I've also seen the same thing at a baseball stadium.
Someone was standing outside the exit,
and they were just waiting for someone inside to leave,
and as soon as that door opened on the stadium, boom,
they grabbed the door right before it closed and went inside
and quickly blended into the crowd.
They just got free entry into a sporting event,
all because someone on the inside let them in.
Insider threats are a major problem that companies have to face.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is brought to you by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless. And it's not a fair fight. But I realized I don't need to be fighting this
alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds
and removes personal information from hundreds of data brokers websites and continuously works
to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is
no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for Darknet Diaries listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries.
Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help.
But the founder of the company, John Strand, is a teacher, and he's made it a mission to make
Black Hills Information Security world-class in security training. You can learn things like
penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find
links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.
Let's start with just you telling us your name and what do you do? I'm Lisa Forte, and I deliver training and insider threat program development for companies. And in my personal life, I climb, cave and explore abandoned mines.
So do you have a degree? What did you get your degree in?
So I did my degree in law. And then I did a master's in international law and maritime law.
So I was very legally focused and then decided that, well, actually, by accident,
I got involved in security
and sort of more physical security. And that's how my career sort of took off. And I abandoned
law completely. So. Okay, so a degree in maritime law, where did that take you?
So I actually got a job working for private security companies, as they liked to be called, who put sort of
eventually armed guards on board ships to protect them from pirates and sort of fortified the ships
to protect them from pirates. Whoa, Lisa's job out of college was to help secure ships from pirate
attacks? That's wild. Apparently, there are a lot of ships that need
to move cargo past dangerous waters like the coast of Somalia. Now, Somalia has been characterized as
a failed state in the past, with insurgents currently controlling a portion of the country.
There are parts of Somalia that have no organized government. And so, for a while, it was a dangerous
area for ships to pass by, since there were Somali pirates that would try to come and take over the ship.
When a pirate attacks you out to sea,
nobody is around to rescue you if you get in trouble out there.
So ships were increasingly trying to find ways to protect themselves.
But legal questions started to come up.
Are they allowed to carry weapons and put armed guards on ships?
Well, sure, it's out there in the ocean.
Who's going to enforce laws out there?
But what about when you're docking into ports in countries where weapons are banned?
Lisa was helping this shipping company navigate the maritime laws
to learn what they were legally allowed to do to protect themselves.
But this soon got her interested in making their ships more secure,
like adding defense mechanisms to thwart pirate attacks.
She started thinking through all the scenarios
of what could go wrong out in open waters
and how to protect against it.
And this interested her more than the law stuff.
So she moved into the operations side of things,
helping boats secure themselves from
pirates. And just loved it and just loved working on security and managing risk. And that's basically
what kickstarted my love of security. Yeah. Tell me more about this pirate stuff. What were some
of the tasks you were given and what were you doing there? It sort of started really in the 90s in the sort of Somalia area.
So the Horn of Africa, as they called it.
And it actually started because the Somali people were sort of attacking ships and tackling illegal fishing that was happening in Somali waters.
And it sort of evolved to a point where they became essentially as sophisticated as we now see ransomware groups in the cybersecurity
space. So they were sort of running insiders in big insurance companies in Europe. They
were doing OSINT. They were running sort of motherships to have lots of attack boats out
on the water. And they were hugely, hugely well funded. I think at one point, it was like 13
billion annually that they were making. It was, you know, an insane industry.
She studied what these pirates were doing.
And typically they had ways of finding out what ship would be passing by
and where it was located off the coast of Somalia out in the Indian Ocean.
Then the pirates would dispatch a few small, fast motorboats, skiffs,
to catch up to one of these massive cargo ships.
And they'd get alongside of it and throw grappling hooks on board the ship and climb
on board with assault rifles. So they would take control of the ship. They would get to the bridge.
They would take control of the ship and then they would hold the ship and its cargo for ransom.
So that's how they do it. And then typically that ransom would be paid and they'd
release the vessel. But yeah, it was obviously horrible for the crew. There were many situations
where people were killed. The crew were killed from the boardings that happened. And, you know,
it's a very, very difficult situation to be on a ship. You definitely don't want to be having a gun battle inside a metal ship.
That's, you know, not an optimal situation for that.
Okay, so if that's the typical attack scenario they're facing,
Lisa had to figure out ways to straight put an end to these attacks,
which would also save lives of the people on board her ships.
When you're thinking that scenario through,
you need to sort of put barbed wire up around the ship
to make it harder to get on board.
You need to weld internal doors shut in the right order
so that you can slow their advance through the ship
if they do get on board.
And we'd also build a citadel in the middle of the ship,
which would be a bit like a panic room for the crew of that vessel to go into if the pirates boarded the ship.
Because obviously the main priority at that point is to save the lives of the crew.
We'd also put water cannons around the ships.
And there was this really cool device that lots of shipping companies implemented on their ships called an LRAD.
LRAD. Well, that sounds intriguing.
And you know me, when I'm intrigued, I want to know more.
So I looked up what LRAD is, and it's got an interesting origin story.
It was invented because of what happened to USS Cole.
This is a Navy destroyer, a warship.
And in the year 2000, USS Cole was parked in Yemen,
resupplying, while a barge came up alongside it and it detonated a bomb right next to it,
causing a major hole in the hull of this destroyer. Al-Qaeda took credit for this attack,
which was 11 months before 9-11. And so what the Navy needed was for a way
for ships to warn or communicate or to protect themselves from potential enemies without having
to be lethal. I mean, this was a warship that was attacked. They could have easily defended
themselves by just opening fire on any ship that got too close. And that's just not practical,
to shoot at any ship that gets too close.
So what the Navy wanted was a way to stop other ships from approaching
unless they were approved.
And this is why LRAD was invented.
LRAD is an acronym. It stands for Long Range Acoustic Device.
Simply put, it's an MP3 player, but with a wicked set of speakers.
Speakers that can be pointed in a specific direction
and heard up to two miles
away. So if a boat is approaching, you can play it a message in whatever language you have on the
MP3 player to warn them, don't come closer or else. Okay, so LRAD's a directional speaker,
but it's also a weapon. Some call it a sound cannon because this thing is capable of pumping out noises of up to 160 decibels at range.
Your car horn is somewhere around 110 decibels, and I'll tell you, if you stood right in front of your
car while it's honking, it'll start to hurt your ears pretty quick, and you'll want to leave the
area or cover your ears. 160 decibels is more like a train horn, and if the LRAD is pointed right at
you, playing sirens as loud as a train horn,
your ears are going to start to hurt and you're going to want to get out of there.
Even if you cup your hands over your ears, it only reduces it like 25 decibels.
So it's still uncomfortable.
And even if you put really good earplugs in,
well, now you're pretty much deaf.
If you continue to approach, you can't talk on the radio or chat with the person next to you.
And you really can't hear anything of what's going on. So once this technology became commercially
available, cargo ships who were passing by dangerous waters were equipping them to try to
push back any suspicious boats that were approaching. First, by giving them a verbal
warning in different languages, and then turning on a siren if it got closer, which would push
them away if they
couldn't take the noise. And it's supposed to be like so incredibly painful if this sound wave
hits you that's sort of disorienting. And that was used really successfully because obviously
the last thing we want to use is force, right? We don't want to be firing at human beings. But we also recognize that we had
to have that capability. I mean, for a while, pirates were often targeting ships that had no
armed guards, and they knew which ships did and did not have the armed guards on. So over time,
that became mandatory. So we put armed guards on board the ships that would have, well, for the last
company I worked for, they would have M4 carbines. And they had a whole set of rules of how you would
escalate force, you know, with lethal force being the absolute last resort if necessary.
And I would just sort of run these people, and they would call in and check in and sort of tell me what was going on and whatever.
And if there was an approach made by the skiffs, made by the pirates, they would call me on the satellite phone and alert me to it, because the company had to be apprised of how this situation was escalating.
So one day I'm driving back from a barbecue with
another colleague, and the phone goes, and I answer it, and it's one of my team leaders on board the
ship. And he says, we've been approached, we're being approached by three vessels. We've, you know,
sent them warnings, we've tried to raise them over the VHF, we're not getting any
response. They're kind of heading straight for us. We're just letting you know. So I was like, okay,
thank you, that's great. Just, you know, escalate the force as usual, which would typically be fire
the water cannons, set off the LRAD, and if that still didn't work, you'd fire shots well clear of the target,
so into the water around the boat to give them a warning. So they did all this escalation of force.
And then one of the other guys comes on the phone and he says, they've just fired an RPG at the
boat. And I remember I had them on speakerphone and I looked at my colleague. My colleague looked back at me and we just thought, what on earth do we do now?
And the pirates had an RPG on their boat and they'd fired it and hit it at the ship.
It hadn't actually hit the ship.
It hit a cargo container on board the ship. And to say that this shocked me well
out of my comfort zone in about the space of 30 seconds would be a huge underestimate of how I
felt at that moment in time. Well, clearly these approaching boats were escalating the situation, so the cargo ship returned fire on the smaller boats.
My team who were on board the ship, they fire their weapons, they hit the skiff, and the skiff stops dead in the water.
And this could have been a bit of a risk because the ship that they were on was slow, it wasn't very maneuverable.
Assuming they would possibly have more RPGs on board that boat,
they could have done a lot of damage.
But thankfully, it didn't go any further.
But that moment for me was,
it just sort of catapulted me into a whole world of now what?
And it was, yeah, I don't think I've ever had anything quite like that since,
to be honest, and hopefully not again.
That story reminds me of the classic quote from Mike Tyson.
Everyone has a plan until you're punched in the mouth.
I like that quote because I feel like it carries over into cybersecurity.
You can and should make all kinds of plans for when you get attacked,
but there will still be an incident that hits you in a place that hurts bad.
And if whatever plan you have doesn't guide you through that situation,
you're having to figure out things on the fly, which is not good.
Yeah, and I think the other thing was that in a very similar way to ransomware groups,
the pirates' tactics developed quite quickly.
And the other problem was they were very well funded because they were receiving all these ransom payments.
So they had the ability to do things that we couldn't do on our side because obviously it would be hugely illegal or at least incredibly frowned upon by the international community. Yeah, that's another interesting concept, that attackers don't stick to what's legal or play by
the rules, yet defenders do have to remain legal on how they defend, which gives these kind of
battles a type of asymmetry in how the battle is waged and how companies secure themselves online.
So after Lisa helped secure ships from pirate attacks,
she decided to move on to something else.
So I actually took a job working for UK counterterrorism intelligence.
It's essentially run by the UK police,
their counterterrorism intelligence capacity, I suppose,
which was interesting. I learned a lot,
definitely, really appreciated the experience and learned a lot about
online radicalization, particularly, and how that worked and why it was so successful.
So it was a really good learning experience. And it very much got me interested in the sort of cyber OSINT online space.
And then I moved into one of the UK police cybercrime units as a cyber protect officer,
helping basically give advice to companies on how best to protect themselves and sort of spreading that message.
And that was really what kickstarted my cyber-specific
type of career. It was after that when she left that job and started her own cybersecurity company
called Red Goat, which is when I started following her on social media and such. Her company does
cybersecurity crisis exercises. A bit like what I used to do with the ships, essentially, you know,
running through what we would do if an attack happened. But also been doing a lot of work in the insider threat space,
helping companies develop their programs, helping companies develop their responses
to insider threat attacks. And that's been a really interesting journey for me.
Insider threats. This intrigues Lisa a lot. And she's been focusing on this particular
aspect of cybersecurity for a while. Sometimes cyber attacks come from inside the company by somebody who works in maybe accounting or in a
science lab. And this is very dangerous since these people have trusted access. So why is that?
Why would someone attack the very company they work at? And how can companies even defend
themselves against this? Well, to understand this, let's hear a story of how one of these attacks happened.
So I have one story that I can talk about, which I've had to, full disclosure,
I've had to change a couple of details in it to obfuscate who the company was.
It starts out with her going to a company to have a meeting.
And at that meeting, one of the guys there says
he's read Lisa's report on insider threats
and he wants to run something by her to get her take on it.
So I said, okay, yeah, sure, no problem.
He said, it's about insider threats,
but I kind of need to have this conversation in a different room.
So I thought, okay, fine.
We sort of, you know, Chatham House rules,
agree to kind of keep it quiet and sort of redacted.
He goes on to say that the company he's working for is in the middle of dealing with an insider threat themselves and starts explaining what happened to Lisa.
And he said, well, he's a scientist who works at this company.
And basically he'd written a long LinkedIn post.
And when we went back onto his LinkedIn to look, you know, you could see the long LinkedIn post.
And this comment from this profile that was a woman who asked this kind of fairly leading, maybe slightly provocative question.
LinkedIn is turning more and more into a social network now. Not only does your profile show you where you work and where you live and what skills you have,
but you can make posts and write articles and share pictures and comment on other people's posts too.
The post that the scientist made didn't have anything wrong with it per se,
like it wasn't revealing any private data about the company or anything.
But the comment he got from this woman was interesting. Well, to him at
least. So he clicked on her LinkedIn profile. Oh, she's a scientist just like him. And she works in
the same field as him too. And this combination of having similar skills and interests and her
comments on his post was enough to get him to direct message her and begin chatting.
They started by pointing out their common interests and learning more about each other.
And they seemed to be interested in each other.
Chats continued going back and forth for a while.
Eventually, they exchanged email addresses.
And he started emailing her from his work email account.
Now, this is interesting because the company he worked at was able to later pull up these emails and see what they were talking about.
So Lisa was actually shown what these emails looked like.
When we review them, it's sort of saying things like
talking about how much he hates his manager, how frustrated he was.
So this was at the very start of COVID.
And because of the nature of his job, he'd been asked to still come into the lab, whereas other colleagues could work from home. And that caused him a lot of irritation,
shall we say. And his manager was, you know, being rude and, you know, the normal, I suppose,
problems that we have in a workplace, nothing particularly untoward. Then she says to him, do you want to come and visit me? I'm in Kazakhstan.
And having been, or, you know, been looking at flights to that area of the world, they're about,
from the UK, roughly about £500 for a flight. So for someone who's a relatively successful scientist in this kind of organization,
that's not a lot of money for someone that's on that sort of salary. Yet his response is,
I really can't afford that. I can't afford to take a trip. I can barely afford to service my car,
which is quite interesting, but also sort of alludes to the fact that potentially he's having some sort of
financial trouble, personal trouble that's draining his finances in some capacity.
So she sort of then has this amazing idea that there's a job role that she might be able to get
him in Russia. And her company spans all these different countries. And there's a job opening
for a scientist of his description there. And she's pretty certain she can get him the job,
but she needs to see proof of some of the things he's been working on, just to kind of make sure
his experience is sufficient, etc, etc. So he proceeds to send her large quantities of files, documents, projects, things that he's been working on that are obviously hugely packages and remuneration packages and things like this, all of which were exceptionally generous.
Hmm. Imagine being in this position. Yeah. You're offered a significantly higher paying job in another country with all moving expenses paid.
It sounds and looks good to you.
You want the job.
But they say, okay, but show us that you have the skills to do what it takes.
And you might say, well, just look at my LinkedIn profile.
It shows all the things I'm good at.
But then they say, yeah, but we want to see examples of your work.
Is there any research that you've done that you can show us?
And the scientist thought that was a good opportunity.
Of course, he wanted to show off his work, right?
This is a big chance for him to move up in the world.
And so he starts sending them work he's done.
Formulas he's created, compounds, mixtures,
and some of the actual scientific work he was doing at this company.
Of course, they had more questions
and wanted to know more about what he was doing at the company. And so he starts sending them other research and is now approaching
the line of sending these people some of the intellectual property of the company he worked for.
I mean, as Lisa explains it to me, it almost sounded like this scientist was giving up some
of the secret recipe of what goes into the company's product. Sending proprietary information that your company doesn't want to be public
is a form of a data breach.
And since this was a scientist working in the lab of that company
who was leaking the data,
then this is classified as an insider threat,
actively exfiltrating private information.
And this goes on for a while,
and she actually sends him some documents too,
to get his opinion on some scientific documents she's working on. The validity of which is very
difficult to establish, I suppose, because they're in Cyrillic, you know, you don't know whether
you've just made it up or stolen it from somewhere else, you know, who knows how genuine it was. And this is sort of common for the scientific
community to get their work peer reviewed. So nothing was really out of normal for him to see
some other research that another scientist was working on. Yeah. So he sent all this stuff,
she sent some stuff back to him. So I'm presuming from his perspective, he's thinking it's, you know, there's some sort of level of reciprocity going on. And then something happened that really diverted the company's investigation. And I'm not sure, and I still to this day, I'm not completely sure whether I think it was coincidental or whether it was a deliberate act to obfuscate what else had been going on.
But essentially, this woman said that the person in HR in this company was going to send him
some stuff to read. So they sent him the stuff to read. He opens it on his work device,
not a lab device, but another work device.
And surprise, surprise, it contains some malware.
Hmm. This just dialed up the threat significantly.
I mean, up until this point, this could have been a legitimate job offer,
and he was voluntarily sending them data so he could just show them how good he was. But for them to install malware on his computer?
Now I don't trust her at all.
In fact, I don't even believe any of her profile is accurate.
She's probably not a scientist.
She probably doesn't live in Kazakhstan.
And maybe she's not even a woman. This whole thing was an elaborate plan just to get access into the company that this scientist worked for.
Now the company at this point, for whatever reason, the malware didn't execute properly or
something was wrong with it. Something happened that meant that the payload wasn't delivered
successfully, which was lucky. But what happened was, which was more interesting,
suddenly this set off alarm bells in the company, which was the first time they actually realized something had gone wrong.
They hadn't noticed any of this prior to this piece of malware.
And at that point, it diverted all of their attention and all of their resources into that.
The company took a look at the scientist's computer for any suspicious activity,
then started asking the scientist questions.
This eventually led them to the emails that were going back and forth that the scientist was sending,
and there were all kinds of private information in there being sent outside.
But they immediately suspended him as soon as they found out that he'd been passing files and so on and so forth.
Now, interestingly, when I first came in and I started having conversations with them, I said, how long has he been suspended for? And they said something like two, three days,
something like that. And I said, okay, so his account has been disabled. He can't get in. He can't do anything. And they sort of paused and looked at me. And I thought, you haven't disabled
his account, have you? And they hadn't. They hadn't done anything at all.
And thankfully, he hadn't tried to access anything from his home.
So that was a piece of luck.
But again, more often than not, these situations happen.
You haven't disabled that account,
and then they go in, in some sort of act of revenge or sabotage, to do something else.
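Two defensive checks come out of this story: the outbound emails carrying company files to an external address went unnoticed until the malware tripped an alarm, and the suspended employee's account was left enabled for days. The script below is an added example, not code from the episode or from Red Goat, showing what a minimal review of both looks like. It runs over a constructed outbound-mail log, a constructed HR roster and a constructed directory export; the company domain, user names, thresholds and log format are all assumptions made for the example.

```python
"""Insider-threat review checks (added example, not from the episode):
1. bulk attachments from a work mailbox to an external address;
2. HR-suspended users whose directory account is still enabled,
   and whether a login happened after the suspension.
All data, domains and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone

COMPANY_DOMAIN = "example-lab.test"  # assumption: the company's own mail domain

# Constructed outbound-mail log: timestamp sender recipient attachment_count bytes
MAIL_LOG = """\
2020-03-02T09:12:00Z alice@example-lab.test partner@supplier.test 1 20480
2020-03-03T18:40:00Z bob@example-lab.test k.scientist@freemail.test 4 5242880
2020-03-05T21:03:00Z bob@example-lab.test k.scientist@freemail.test 7 18874368
2020-03-06T08:15:00Z bob@example-lab.test team@example-lab.test 2 102400
2020-03-09T22:30:00Z bob@example-lab.test k.scientist@freemail.test 3 9437184
2020-03-10T10:00:00Z carol@example-lab.test carol.home@freemail.test 1 4096
"""

# Constructed HR roster: employment status and suspension time
HR_ROSTER = {
    "alice": {"status": "active", "suspended_at": None},
    "bob": {"status": "suspended", "suspended_at": "2020-03-11T00:00:00Z"},
    "carol": {"status": "active", "suspended_at": None},
}

# Constructed directory export: account enabled flag and last successful login
DIRECTORY = {
    "alice": {"enabled": True, "last_login": "2020-03-12T08:00:00Z"},
    "bob": {"enabled": True, "last_login": "2020-03-13T23:10:00Z"},
    "carol": {"enabled": True, "last_login": "2020-03-12T09:00:00Z"},
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_mail_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, attachments, size = line.split()
        events.append({"ts": parse_ts(ts), "sender": sender, "rcpt": rcpt,
                       "attachments": int(attachments), "bytes": int(size)})
    return events


def external_attachment_senders(events, min_attachments=5, min_bytes=10 * 1024 * 1024):
    """Aggregate outbound mail per (sender, external recipient) pair and return the
    pairs whose cumulative attachment count or volume crosses either threshold.
    Mail to the company's own domain is ignored."""
    totals = defaultdict(lambda: {"attachments": 0, "bytes": 0})
    for e in events:
        if e["rcpt"].rsplit("@", 1)[1] == COMPANY_DOMAIN:
            continue
        key = (e["sender"], e["rcpt"])
        totals[key]["attachments"] += e["attachments"]
        totals[key]["bytes"] += e["bytes"]
    return sorted(key for key, t in totals.items()
                  if t["attachments"] >= min_attachments or t["bytes"] >= min_bytes)


def suspended_but_enabled(roster, directory):
    """Return suspended users whose account is still enabled, noting whether the
    directory shows a login after the HR suspension time."""
    findings = []
    for user, hr in roster.items():
        if hr["status"] != "suspended":
            continue
        acct = directory.get(user)
        if acct is None or not acct["enabled"]:
            continue
        logged_in_after = (acct["last_login"] is not None and
                           parse_ts(acct["last_login"]) > parse_ts(hr["suspended_at"]))
        findings.append({"user": user, "login_after_suspension": logged_in_after})
    return findings


def main():
    events = parse_mail_log(MAIL_LOG)
    for sender, rcpt in external_attachment_senders(events):
        print(f"review: {sender} sent bulk attachments to external address {rcpt}")
    for f in suspended_but_enabled(HR_ROSTER, DIRECTORY):
        note = " and has logged in since suspension" if f["login_after_suspension"] else ""
        print(f"disable now: {f['user']} is suspended but the account is still enabled{note}")


if __name__ == "__main__":
    main()
```

On the constructed data the first check flags only bob's mailbox, since his three messages to the freemail address add up to 14 attachments and about 32 MiB, while the single small messages from alice and carol stay under both thresholds; the second check flags bob as suspended with an enabled account and a login two days after the suspension. In practice the roster and directory export would come from the HR system and the identity provider, and the thresholds would be tuned per role, but the join between "HR says suspended" and "directory says enabled" is the check the company in the story was missing.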
So they fired the scientist and tried to make sense of who would target a company like this.
Lisa never got to the bottom of that, but she has some theories.
I would say that the two most likely situations would either be sort of corporate slash industrial espionage.
So a competing company in a foreign state wanting to steal R&D to get ahead, that's likely.
They'll invest lots of time, effort and money into doing that.
Or conversely, it could also be a nation state actor if they saw enough benefit in it.
I know MI5 in the UK with another organization have launched a Think Before You Link campaign because they claim that this has become such a huge problem in the United Kingdom that they've
launched a whole app and a whole campaign to try and raise awareness of this, pretty much this
exact attack vector in some respects, being contacted on LinkedIn by profiles asking for
information. So I think in certain industries, this could be attractive to nation states as well.
But yeah, I think those are probably the two most likely, because we haven't seen any evidence
of it leaked anywhere. It hasn't looked like it's been up for sale anywhere, to our knowledge.
So if I had to stab in the dark, that's where I'd go.
Nation state actors, really? Are we at that point that government spies are using LinkedIn to make
connections with people and sending them malware? Well, yeah. Looking at the news recently, I saw a
story that did exactly this. Back in March of 2022, someone broke into a crypto company, Axie Infinity, and stole $540
million worth of cryptocurrency. This was attributed to be the work of the government
of North Korea. And the latest article I read about this story is that the way they got in
was through LinkedIn. They targeted people who worked at Axie Infinity, enticed them with great
job offers. And when the employee opened the document,
malware was put on their work computer, which gave North Korean hackers access into that network.
And that's how they were able to steal $540 million worth of crypto. So yes, nation state level threat actors are in fact using LinkedIn as a way to social engineer someone to get access
into that company. And it's no wonder,
right? If you want to target a specific company, it's so easy to go onto LinkedIn, look up the
company there, and see a whole list of people who work there. Then you can interact with those
people right there on LinkedIn to try to manipulate them or coerce them into doing something like
sending you intellectual property or getting them to install your malware.
So I wonder, at this point, is LinkedIn itself a vulnerability?
I don't know, because you see, this is the trouble I have.
You know, on the one hand, it's important for my business
and my career to be present online.
But conversely, I appreciate that that makes me much, much more vulnerable.
So it's a really
difficult one. I've been contacted on LinkedIn by very strange individuals who have offered me all
sorts of really strange opportunities in exchange for information on people and people I've worked
with. And you don't have to name your clients, but tell me what they've been doing with this, this and this. Almost all of which have been very odd profiles, you know, typical stock image type profile
pitches. I wouldn't say hugely clever, but that may be because I'm tuned into this type of
attack vector that I can spot that in a way other people might not be able to.
So I'm well aware that this is
clearly going on. I've got a friend, Philip Ingram, who used to work in the British military,
and he gets contacted all the time by people who he at least believes are from China,
who are trying to get information or invite him to very suspicious type events to sort of lure him, I suppose, into maybe handing over
some information. So I think it definitely makes you more vulnerable. But that's the society we
live in. So I think we probably need a little bit more healthy paranoia. And it would also be great
if on LinkedIn, you could turn off direct messages. That would be an amazing functionality to have on LinkedIn
because you can do that on Twitter, you can do it on Instagram,
but you can't do it on LinkedIn.
It's true.
If someone has LinkedIn Premium, they can direct message any user they want.
But I think fixing that alone isn't enough that's going to stop this kind of attack.
Anyone can still comment on your posts and see your profile
and perhaps work out what your email address is
based on your name and where you work.
So I'm not sure if that's the best fix for this.
Personally, I don't like putting any personal information online,
especially listing my whole resume on LinkedIn.
I'm on LinkedIn myself,
but I've redacted all the names of the companies I've worked for
and all the locations.
I used to say I'm a podcaster,
but I get contacted by a lot of PR companies and shady marketers
who want to pitch me a guest or game the podcast charts for me.
So now I don't even say I podcast,
but I can see clearly that the more information you put up on LinkedIn,
the more someone can use that to their advantage, not yours.
We're going to take a quick break here, but stay with us,
because when we come back, Lisa's going to tell us another insider threat story.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited spycloud.com
to check my darknet exposure
and was surprised by just how much
stolen identity data criminals have
at their disposal.
From credentials to cookies to PII.
Knowing what's putting you
and your organization at risk
and what to remediate
is critical for protecting you
and your users from account takeover, session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime, with a mission to end criminals' ability to profit
from stolen data.
With SpyCloud, a leader in identity threat protection, you're never in the dark about
your company's exposure from third-party breaches, successful phishes, or infostealer
infections. Get your free Darknet exposure report at spycloud.com
slash darknetdiaries. The website is spycloud.com slash darknetdiaries.
So I think one of the most powerful stories for me that I've come across in my work was actually
a situation where, um, there was a young girl who worked for this company. The company worked in
the extractive industry, so sort of oil and gas, that sort of situation. And people think that the oil and gas industry is not very innovative,
but it's actually really innovative. And it has a lot of very valuable commercial licenses and
information that is incredibly saleable. And this girl had sort of come out of university. She'd traveled around South America. She'd done sort different platform to the usual ones.
And she was contacted by this girl who claimed to be in Peru. And this, this girl actually claimed
to work for the same company. And she said, you know, oh, I see that you work for the same company
as me. I'm really interested in sort of learning and practicing English. I'm
really interested in British culture, traveling to the UK and things like this. It would be great
to sort of, you know, connect, be friends on Facebook, whatever. What a soft and gentle
approach to start this out with, huh? The woman who worked at this oil and gas company had done some volunteer work in Peru
and is now being contacted by a Peruvian woman who's claiming to also work for the same company
but wants to know more about the British culture and language.
I mean, I wouldn't immediately flag this as suspicious if I was receiving this as a private message.
I'd find it interesting, actually, that we had some commonalities.
And as they got chatting, it turned out they both had a lot of similar interests.
They both cared about environmental issues and had traveled to many places in South America and did volunteer work and had similar degrees and worked for the same company.
Pretty cool to meet someone who has all these similar interests as you, right?
Now, in hindsight, looking at it,
it was fairly obvious where these similarities had come from because this girl's Facebook profile was wide open.
All of her sort of antics and voluntary work in South America
was photographed, catalogued, and on Facebook.
Pretty easy to work out what her political, ideological interests, etc. were.
And this profile mirrored almost all of them exactly.
So their relationship was building up over time,
and more trust was being formed, and even a friendship,
all through the Facebook chat app, which is text only, no audio or video.
And one day, this fake profile Peruvian woman
contacted the woman who worked at this company and said,
I've been hugely distressed
because the company that we work for
has been leaving the site that they use in Peru unsafe.
And it's causing people to have all sorts of illnesses.
These people are poor.
They can't afford legal help.
They can't afford medical care.
And it's part of the company's plan, you know, to do this.
They don't care about my people in my country.
And it's horrific.
Well, this hit this woman hard.
She was horrified to hear that the company she worked for
was causing people to get sick and to be in unsafe work conditions
and was
contaminating the environment. In fact, she was so upset by hearing this news that she suggested
they both quit working for this company. She wanted to quit her job over this. This was just
too awful for her to be a part of. And the Peruvian lady said, no, no, no, we're not going to quit. What we should do is try and expose what they're doing to a journalist.
So she thought, this is a good idea.
Okay, well, how are we going to find a journalist?
And the Peruvian girl said, well, actually, I know one.
And he lives here in Peru.
He's an American guy.
And he worked on the WikiLeaks story.
He's worked on exposing governmental corruption and corporate corruption and all these sorts of things.
So obviously this sounds like a really convenient idea, right?
So magically this journalist shows up in the Facebook Messenger chat. And in he walks, and he's got all these ideas of what you would need, evidence-wise,
to support a story that exposed corruption, which is reasonable to assume, I would have thought.
So he's sort of saying to both of the girls equally, these are the sorts of documents I need you to go get
from your company, go and find them, you know, photocopy them, photograph them on your phone,
send them to me at this email address, whatever mode of transmission you wish to employ.
And he's saying it to both of them, but obviously only one of them actually works at the company. So it's all sort of,
um, I suppose you could call it social proof, in the sense that the actual victim in this
situation thinks both of them are doing it. So they go into the company, and this went on for a long
time. Um, I think in total it went on about nine months of requesting different
documents to be found, and getting colleagues to print things off for you so that it's not
logged as you printing it off, and all these sorts of fairly obvious obfuscation methods, I suppose.
But, you know, it was under a great guise because he's an investigative journalist who you'd expect to know these sorts of tricks.
Right. It all made sense.
So this girl's going in and getting all these documents.
And when she was interviewed by the company, she actually said to them that there were a few documents on that list that she was quite surprised to see. She wasn't quite sure how they
exposed sort of environmental damage and sort of corruption at an environmental human rights kind
of level. But, you know, she sort of deferred to his expert journalistic skills, I suppose,
and obtained them. Anyway, by the end of this sort of saga,
when he at least claimed he had everything he needed for the story,
what was really interesting was how they both extradited themselves from the situation.
So the journalist said, I'm going to disable my Facebook account for a while
so I can focus on writing the story.
He disappears.
Then the Peruvian girl decides that this has been hugely stressful on her and she's going to go and
spend time with her family. And she's going to log out of Facebook and, you know, be offline for a
while. So she disappears. And that's the last she hears of either of them. And it wasn't until later on that this gets discovered,
which unfortunately I can't tell you how it gets discovered because the method that
sort of happened would reveal who it was. But safe to say it was another company within the space
that obtained information in a certain way.
And this was discovered by the company and then they sort of started to unpick everything
and worked out what had happened.
So she was sort of convinced, actually,
that somehow her two friends, who were genuine in her mind,
had been silenced or somehow disappeared by her
employer for quite some while. So she was actually very distressed to find out that this was actually
not, this would all be a lie, because it had gone on so long. And I think that's part of the
hugely damaging side of some of these attacks
is that you've built this rapport, you've built this relationship, you've built this narrative
that gets yanked from underneath you. And I think it's a bit like romance fraud,
I suppose, in that respect that, you know, people get
convinced of the narrative and it's just not true.
As it turned out, the company wasn't even mistreating people
or causing people to be sick with unsafe work conditions.
That whole story was a lie,
simply to get this lady to send them company documents.
One thing they did really cleverly actually was
they kept reiterating for her not to tell anybody,
not to tell her parents, not to tell her actual friends,
not to tell her colleagues, because they're writing this article, this super secretive whistleblower-esque
article. It has to be kept secret. And I think that line was what enabled it to go on for as
long as it did. Because I think if she told somebody else
or started talking about it as a concern,
someone would have said, this sounds a bit odd to me.
And then it might have unraveled.
So any hunches here on who's behind this one?
So I suspect from the information that we had
that this was actually acquired by potentially an organized crime group and then sold or attempted to be sold to another competitor.
Just because the person who approached the competitor who eventually flagged it wanted money for the information.
So I suspect that this was actually acquired purely for financial gain in this
particular instance. But again, you know, potentially it could have been another group.
I don't think it would have been an activist group just purely because I think you would
have published it. And as there was no actual wrongdoing, there wasn't anything really to
sort of hang your hat on and sort of say this company's
doing this hugely immoral thing. So, yeah. We all have some kind of weakness. We all have
something we care about or have a passion for, but there's something that's just close to our heart.
And with the right kind of message sent to us directly at the right time, it can hit us
like a heat-seeking missile. In this case, because this lady cared about the environment and people's
health, this was used against her to get her to leak lots of sensitive documents from inside the
company. It's almost not fair that the bad guys out there play so dirty and manipulate those who
genuinely want to do good in the world. And it must have felt awful for this lady to learn that the whole thing was made up
and it was a lie and she didn't have a Peruvian friend at all. They were just actors there to
manipulate her into sending them documents. And they even made up the lies about how the company
was doing misdeeds. How does the company protect itself from this kind of problem?
I think, so insider threats is my sort of area. And I think for me, if you're building an insider threat program in your company or you're developing one, you need to invest in training,
for sure. Your staff need to be aware of these sorts of things that can happen
and why they're not things that we should be doing.
But I think more importantly, and often I see companies make one really critical mistake here,
and they start thinking about insider threat programs and they immediately go down sort of
draconian monitoring of all staff. I had a company who said to me, am I able to turn on the webcams for my employees while they're
working from home? Now, there may be countries in the world where that's permitted, but that's not
Europe. Europe is not going to allow you to turn webcams on and off on your employees' devices.
And I think the problem you have if you go down that route is you're doing it because you want
to know, you want visibility on what your employees are doing.
But what you'll actually do is you'll increase the risk that you'll get disgruntlement, that you'll get people who want to sabotage the business.
Unhappy employees are way more likely to become insider threats than really happy and contented employees. So my argument very much is invest in employee
assistance programs, helping your employees identify when they're struggling and helping
them recover from that, essentially patching the vulnerability that exists so that they can't be
blackmailed and they can't be exploited in the way that so many of these cases have been. That's what my sentiment was too,
is the happier the employee, the more loyal they'll be
and less likely to do something like this.
I became sort of semi-obsessed recently with secret cities
that had existed in Russia when it was the Soviet Union.
And there was one city in particular called City 40,
which was created by the Soviet Union to sort of create their nuclear program.
And they basically took hundreds of thousands of people out of their homes,
moved them across the country into this city that they had built,
prohibited them from seeing their relatives, their family,
prohibited them from contacting anybody on the outside. And yet these people were so happy and
content and loyal because they'd actually been given this amazing quality of life in comparison
to the rest of the Soviet Union at the time. And it's a really extreme example, but they felt
privileged. They felt satisfied and privileged. And because
of that, they were more than happy to keep this agreement of silence to protect the Soviet nuclear
program. And I think it's a really good example of how, actually, if we've got that feeling of
my employer really supports me and I'm happy and I'm content. People who are happy and content don't go and
sabotage their employer, by and large, right? That's coming from someone who's in a really
dark place typically. So I think we have to be very aware of how humans feel and are we making
it a really nice place to work where they are supported and challenged and promoted and whatever
because that's how you're going to get loyalty, and that's how you're going to get
a less vulnerable workforce.
Trying to think if we should take some more lessons from this, if
there's things we should pay attention to.
Yeah, I think, I think the only other thing that I'd sort
of add generally, I think, there, and this kind of comes from my experience in working in the piracy industry or, you know, stopping piracy, I suppose I should say,
is that a lot of security is very much focused on the perimeter, is very much focused on, to use the pirate analogy, stopping the pirates from getting on board the ship, right? But if you don't have a plan for what happens after that, you have no way of
stopping the attacker's advance. You have no way of remediating damage or assessing damage or
working out what's even been compromised. And I think that it has to be a two-limb thing. And it's
the same for insider threats. It's all well and good building all this stuff to prevent it, but you have to also be able to detect
it, remediate it, investigate it, um, quickly and efficiently, which a lot of companies haven't
invested at all in: what happens, so to speak, when the pirates board the ship. So I think that's a
really powerful lesson that people need to start taking on board as well. Oh, I love that you brought it full circle at the end there.
That was really well done.
Yeah, we've come full circle.
Okay, well, then I think we'll leave it there.
Cool.
A big thank you to Lisa Forte for coming on the show and sharing these stories with us.
You can follow her on Twitter.
Her name there is Lisa Forte UK.
And if you want to hear more from her, she's created her own podcast called Rebooting,
but she's also given many talks at conferences.
So you can just look her up on YouTube, and there's tons of stuff that she's sharing there.
You can also learn more about her company by visiting red-goat.com.
The show is made by me, the outsider, Jack Rhysider. Sound
design by Ponyboy, Andrew Meriwether. Editing helped this episode by Soda Pop Damienne. Mixing
is done by Proximity Sound. And our theme music is by the 2-bit Breakmaster Cylinder. Fun fact,
if you search for a lighter on Amazon, it'll give you 6,000 matches. This is Darknet Diaries.