LPRC - CrimeScience Episode 61 – Ransomware, Social Engineering, & Physical/Digital Skimming Featuring Nolen Scaife (University of Colorado, Boulder)

Episode Date: October 13, 2020

Nolen Scaife, Assistant Professor of the Department of Computer Science of the University of Colorado, Boulder, rejoins our podcast to discuss ransomware detectors, when organizations pay the ransom,... social engineering, malware countermeasures, password management, and much more with our host, Dr. Read Hayes. The post CrimeScience Episode 61 – Ransomware, Social Engineering, & Physical/Digital Skimming Featuring Nolen Scaife (University of Colorado, Boulder) appeared first on Loss Prevention Research Council.

Transcript
Discussion (0)
Starting point is 00:00:00 Hi everyone, welcome to Crime Science. In this podcast, we aim to explore the science of crime and the practical application of this science for loss prevention and asset protection practitioners, as well as other professionals. We would like to thank Bosch for making this episode possible. Be a leader in loss prevention by implementing integrated solutions that enhance safety, reduce shrink, and help to improve merchandising, operations, and customer service. operations, and customer service. Bosch integrated security and communication solutions span zones one through four in the LPRC zones of influence while enriching the customer experience and delivering valuable data to help increase retail profitability. Learn more by visiting Bosch online at boschsecurity.com. Welcome everybody to another episode of Crime Science, the podcast. I'm excited to talk again. Really, this is a redux in a way, the second version of Dr. Nolan Scaife of the University of Colorado at Boulder.
Starting point is 00:00:57 Nolan and I go back two, three years while he was doing some graduate work at the University of Florida. In other words, getting his PhD. But he's a cybersecurity expert. And we've really relied on his expertise and some of the other members of that time of FICS, including Patrick Treanor and Kevin to name two. But what we thought we'd do, Nolan, is tap into your expertise on just an ever-present and presumably growing problem out there with cybersecurity. So, Nolan, welcome.
Starting point is 00:01:38 First of all, let me say welcome to you. Thanks. It's great to be back, Reid. All right. So, Nolan and I were just chatting before we started the on-air recording, if you will, about 2020, the year that many of us, if not everybody, will hopefully want to forget. But, you know, talking about now forest fires on top of everything else that we've been experiencing and just the sheer number. And in
Starting point is 00:02:05 the state of Florida, we've had some very serious ones in the past, but knock on wood right now, for some reason, not participating in the current one. It's probably because we're having torrential rains all day, every day. So Nolan, let's talk a little bit, if we could, about what you're working on at University of Colorado in your area, what's some of your focal points that you're allowed to share with us at Crime Science? Sure. So I have some students that are working with me on a project to better test ransomware detectors. And I think last time i was on here read we talked a little bit about uh the ransomware problem and this really started from you know in the academic literature now there are hundreds of papers about um ransomware of course this is this is an attack
Starting point is 00:03:00 where if you haven't heard of it uh an attacker runs some software on a computer, and it goes through and it encrypts the files in a way that the only way to recover from those files is to pay the ransom. So in this way, it's kind of an extortion attack. And, you we've we we did some uh some work on ransomware uh while i was at university of florida i guess it's probably been five years or so ago now and in fact that was one of um that was one of university of florida's first uh startup companies crypto drop for for security and um you know in the meantime I've seen this problem continue to grow. You know, it's grown in some sense from just a crime of opportunity to more of a targeted attack. And so you're seeing, you know, these big companies and even government agencies, the city of Atlanta,
Starting point is 00:04:03 Garmin, and so forth that have been in the news recently and get hit by these and get extorted for millions of dollars. And we were curious why if there's been all this work that's been going in to research and ransomware. Why does this continue to be a problem? It seems like we're getting a pretty good handle on this attack and the kinds of ways to stop it. So the students and I here at CU Boulder have been working on a way
Starting point is 00:04:42 to better evaluate these detectors, if you will, to try and figure out where are the gaps in our coverage to maybe hopefully in the future be able to build a better detector. So that's one thing. So that's one thing. And, you know, we continue to work on different devices into our home, how can we have better guarantees of, better guarantees that devices are doing what they say they're going to do on the package? So that's another project that we're working on. Hopefully that answers your question, Reed. No, that's fantastic. And I thought if we could maybe start with ransomware
Starting point is 00:05:46 and dig a little deeper. And, you know, we all, I can sense in your voice and I can read that in the literature even that while ransomware continues to be a very serious issue for some organizations, including law enforcement agencies, city municipal governments, we know, have been shut down and so on. But yet yourself and others in the cybersecurity realm are saying, wait a minute, I think we've got some good tools. We can get better. We are getting better. But maybe tell us a little bit more about what's going on with ransomware, Nolan. Why is this so difficult? And are there some things that we should be looking at in our behavior as well as the tools that we might use?
Starting point is 00:06:34 So the ransomware problem is a particularly challenging one for security researchers. challenging one for security researchers because this is a behavior encrypting your own files that a user might do themselves. So, you know, unlike a lot of other malware that's trying to perhaps exfiltrate data or other kinds of attacks, this is a somewhat benign looking activity in a lot of cases. So if you think about having data on your own laptop, for example, you might choose to encrypt that data to either email it out safely, or maybe to just protect it on your disk. And really, there's not much of a fundamental difference between what ransomware is doing and you doing that to your own data,
Starting point is 00:07:31 which makes it difficult to decide. If I say I'm going to write a program to detect this type of attack, for example, it makes it difficult because I can't necessarily determine the intent of the action that's happening on the machine. And, you know, there's a lot of belief, I think, that circles around. And you can see this if you look, you know, when there are these types of attacks in the media, for example, with not to pick on Garmin, but the Garmin attack that happened just a few weeks ago, that, well, you should have had better backups, for example. You should have had a better recovery plan. And the challenge with those types of criticisms is that even if you have a backup, I mean, if you think about, you know, a large-scale organization like what I think probably your listeners here are in, that having a backup, having that copy of that data, and actually being able to restore it
Starting point is 00:08:58 and do a full disaster recovery when you're attacked on a scale like, say, Garmin was, recovery when you're attacked on a scale like, say, Garmin was, is really challenging and time consuming and expensive to do. And so what we're seeing is that the ransomware market, in some sense, is able to bear the costs of these ransoms. So if you're a large company and you get hit with one of these large scale attacks, and the ransom demand is $10 million, we're starting to see companies really seriously consider and even paying those ransoms. that cost is less than the cost of either they don't have the ability to recover or the cost of recovery is substantially more expensive than the ransom. Interesting. So I thought we could talk a little bit about social engineering and asset protection loss prevention. It's been a topic and an issue and it's been tackled to a certain extent over the years, but it seems more important than ever. And that seems you're alluding a little bit to social engineering. We know we've long had people calling the stores and saying or doing certain things and setting up scenarios.
Starting point is 00:10:22 doing certain things and setting up scenarios. But there's been a few, and I thought we could run through these a little bit, where some of the ways it might lead to ransomware that might lead to other cyber issues. And maybe you as the doc, if you will, could talk to us about it. But an example are when customers email customer service or to the retailer's corporate office or an outsource place location or even to the store sometimes, and they include a downloadable file that's their receipt or proof of purchase.
Starting point is 00:10:57 They've scanned it with their phone or a printer or something like that. or a printer or something like that. Any thoughts around that type of social engineering, a way to, is there anything we can do to scan or lock down or validate? I'm not sure, just a question though. So a lot of systems, especially large enterprise systems that accept unsolicited user input, or not unsolicited, that accept unfiltered user content. So, for example, like you said, a customer service portal where somebody can upload a file, and that file might be a receipt or a screenshot or a copy of an email or something like that.
Starting point is 00:11:46 A lot of these systems have the capability to perform basic virus scanning or the ability to limit certain types of files from being uploaded. But this really isn't a panacea for the ransomware attack, especially for a targeted attack. A lot of these systems are designed to detect malicious content that's been seen before. So, for example, if I were to upload a piece of ransomware that's infected thousands of other people, then maybe your system would catch that and stop it. The real challenge comes when I want to target your environment. And so I'm going to make sure that I send something in that I know nobody, your vendors,
Starting point is 00:12:37 your employees, nobody has seen this before. And so these kinds of heuristic-based checks for malware are likely to not pick it up. And so what you want to make sure that you have is that if you need a customer, for example, to upload a PDF, then your system should only allow PDF uploads, for example. And then when that gets to your employee who's going to view that, one way to do this might be to change that into a different format, like change it into a picture instead of a PDF programmatically
Starting point is 00:13:20 so that what they're viewing is not this executable content that might lead to something like a ransomware attack. But in general, this is the kind of thing where your developers for these types of applications should be in close contact with your security teams in close contact with your security teams to make sure that there isn't this path between, for example, the general public and an employee system where there's not a series of checks and access controls and so forth to prevent unknown malicious content from getting in. Okay. Interesting. Another that has been reported is employees finding a USB drive,
Starting point is 00:14:15 you know, on the floor in the restroom under a display fixture or in a fitting or dressing room. Any thoughts there? And then, of course, say, oh, we need to find out what's on this or who does this belong to so we can return it. Any thoughts on that type of attack? This is actually, interestingly, Reid, this is solvable in some sense at both the technical and the behavioral level. So, obviously, you want to tell your employees, don't plug in USB drives that you find,
Starting point is 00:14:51 but also you can take action on the technical side to make sure that, for example, there are products that will say only a particular brand or serial number or type of USB drive can be connected to our systems, or you can just block them altogether. So there are those access controls on the technical side. Interestingly, to read, there's a great academic paper out of the University of Illinois. I think it's called, yes, users really do plug in USB drives, they find,
Starting point is 00:15:30 where they did this campus-based study where they would drop USB drives across the campus and then track how and when they got plugged in. And it turns out that, you know, people really do do this. And so it's a behavioral thing to teach employees and customers and everybody that, you know, just because you find it doesn't mean it's safe to use. Interesting. And, you know, it's sort of topical right now, but we're all aware, or most of us, that people across the United States and perhaps other countries began receiving these mysterious seeds and packets that were mailed to us, presumably from China, according to the return address and the postage and other indicators. the postage and other indicators. And local, county, state, federal, government, media started warning and putting up, but still hundreds of individuals evidently went and planted those seeds,
Starting point is 00:16:33 not knowing if it was invasive, not knowing anything. And so it's interesting, like you say, human behavior. Yeah, I think there's a, there's a, there's a certain amount of, of curiosity that goes into it. Um, whether that's a letter or a package, um, or a USB drive, but you find something and, and you think that it is, you think it might have something interesting or fun, um, in it. And so you, you kind of naturally are just curious about what this thing might contain without thinking that perhaps this is an adversarial environment that you're in. Interesting. What about this idea? I know that Chipotle and others have experienced breaches and maybe ransomware attacks, credential stuffing or using stolen names and passwords. But part of the idea is that if you get somebody's name and a password,
Starting point is 00:17:34 that we all know we should have unique passwords for each site and keep them up to date and they should be actually good passwords. Any thoughts around this idea of credential stuffing and preventing that? This is a, it's a pretty pervasive problem. And on the part of, on the part of the company that is, that's running the service, that's having credentials stuffed into it, there's very little that you can, very little that you can conceivably do about that. In some sense, Reid, it's a lot like the ransomware attack, where this is something, you know, a user trying a handful of passwords on a legitimate account is something that you might, you know, conceivably do as a user.
Starting point is 00:18:20 The real challenge here, in my opinion, is the behavioral aspect of using a different password at each site that you go to. And the challenge, of course, there is that we talk about, okay, you should have these. Security people, we say you should have these really long passwords that have letters and numbers and and symbols and capital letters and um and they should um and you should use a totally different one for each uh for each site that you go to the challenge with this is that in order to do that you need some you'll have to have some sort of password manager or some sort of system to manage those. Now, for the general public, there are a handful of really great ones. I wouldn't say that they're always the simplest to use. Sometimes they fail in interesting and mysterious ways and you kind of have to take over.
Starting point is 00:19:31 But, you know, what I've found is that in my industry experience over, you know, many years of working in industry is that one of the things that's overlooked is the ability for the enterprise to give that to the employees, to offer a system and training to use that system to have unique passwords at different sites or to securely share a password for a shared account for an internal application or something like that. Long term, I think we may move further and further away from passwords. And you already see this on mobile devices with, for example, face recognition, fingerprint scanners, those kinds of things. Where that hasn't really quite made the leap yet is in desktop platforms.
Starting point is 00:20:17 But I think we're inching ever closer to that every day. Very good. I know we hear about near-field communication, you know, NFC and, you know, cell phones and card readers, price scanners, you know, and that someone can scan a QR code and maybe gain access to an exclusive app. But there's evidently some risk here, But there's evidently some risk here, corruption and modification, eavesdropping. Any thoughts, Nolan, on NFC, what it is, what we could maybe do about it as a retailer? I think one thing that's overlooked is this idea that we're kind of implicitly training people to point their cameras at things. You know, take a picture of this, scan this QR code, tap your phone here.
Starting point is 00:21:29 And today, the majority of those cases are benign. You know, if you go into a store and you scan a code or you tap your phone or you take a picture of something, it's not, it's going to be, you know, a benign experience for the user. But once people are comfortable doing that, it'll be, in my opinion, relatively straightforward to start, you know, putting up QR codes that link to malicious content or NFC scanners that do a different thing than what it would appear that it does. For example, a fake payment terminal or something like that. And once we're kind of used to just working through that workflow on benign applications, I think what we'll start to see is malicious use of that increase. And so, you know, I would encourage folks that are out there considering how do we bolster our engagement with customers? Can we have them take a picture, scan a QR code, or tap their phone to really think about whether or not they've put the tools in place for the customer to be able to identify
Starting point is 00:22:32 if this is a legitimate or fraudulent situation? Good insights. I appreciate that. You know, another thing that we know back in 2013, Target a horrific breach um i understand the the terminology the attack type was ram um you know ram scraping and so forth what anything about that we should know about uh that type of pos or car transaction uh interface um in the in this type of ram scraping attack no yes so so this type of you know this type of RAM scraping attack? Yeah, so this type of payment malware works by, the workflow is sort of approximated by this. You swipe your credit card or put a payment in, a gift card, something like that.
Starting point is 00:23:24 The terminal will read that, and then it's stored briefly in the point-of-sale unit's memory while it's being processed. So you can imagine that processing being, okay, I need to package it up and send it to the payment processor or something like that. And what this malware will do is it will just constantly sit there and check the memory of the machine to see if it contains a valid credit card number or gift card number, something like that, and then when it does, it pulls it out and it stores it. Now, you know, there's a probability that any sequence of 16 digits will appear to be a valid credit card number. So the attackers don't really worry
Starting point is 00:24:06 about whether it's valid at that time. They can test them later. And so the fix for this is, and you see this now in payment terminal technology, the terminal will encrypt the card number so that the point of sale machine, for example, does not ever see or is able to store that number. So you see techniques improving on the point-of-sale side for doing that. doing that. I think one thing we don't talk about particularly often, and I understand that the rationale for this is development ease, cost of equipment, and so forth. But one thing I think is worth thinking about is, in a lot of cases, point-of-sale equipment in a store or retail environment is a general purpose computer that is able to do lots of things. It's just that the code that's currently running on it is point of sale code. And with that comes all the same challenges that are there with securing a desktop or a laptop
Starting point is 00:25:21 computer. It's a general purpose operating system that can do lots of different functions. And so I think in some sense, this is an artifact of low cost computing equipment that's able to be used for, or low cost general purpose computing equipment that's able to be used for a lot of different tasks, and we have just loaded software on it to do one particular thing.
Starting point is 00:25:50 And I think that there's some value in exploring if you're a merchant and you're working with, or a technologist that's working in retail, that it's worth thinking about how can we reduce the surface area for attack on, for example, point-of-sale machines by thinking about can we build a machine that is primarily a point-of-sale machine and doesn't have the capability or the capacity to do extra things like scrape the memory and so forth. Now, this isn't a panacea for all types of problems, but I do think that as computing has been widely deployed in these organizations, widely deployed in these organizations, that it's worth thinking about how do we build machines that are more purpose-built, which reduces that attack surface area.
Starting point is 00:26:55 Great insights. Let me ask you this, Nolan, a little bit about online, I guess we should call it web skimming. That is a problem for us consumers, but also, as you know, most of our retailers have e-commerce sites. And we work with some that that's all they have. But anything about web skimmers, and I'm not sure if I'm even pronouncing this right, is it MagCart or MageCart, MagCart? Yeah, MageCart. It's a MageCart is a particular skimmer that was targeted. Not not certain if it's still solely targeted to that, but was for the Magento shopping cart system. And the idea here is that an attacker somehow gets the ability to control what's on the website. Now, that might mean that they compromised your web servers to be able to add this code,
Starting point is 00:27:57 or maybe they compromised one of your partners. For example, if you load third-party code on your website. And in any case, they get the customer's browser essentially to load your shopping cart page and load an additional piece of code, which is the malware. And so when the customer types in their credit card number and clicks submit, this extra code also runs. And so in addition to actually successfully checking out on your website, the attacker also gets to siphon off that credit card data. So that's kind of the web skimming problem. web the web skimming problem and uh this is um this is something that um we've been looking at something that is interesting to us um and how to detect this so in some sense when we think about um when we think about what this means or how to detect this, you might say, well, I don't want third-party code to load on my site.
Starting point is 00:29:08 But in the vast majority of cases, that's not possible. For one reason or another, there is third-party code that loads that makes the widgets look just right or performs a certain kind of check on the customer's machine. And so typically, you find that websites want that functionality. So the question for us as researchers, and I don't have the answer to this yet, this is, you know, why we call it research, right, is how do we detect when the credit card data is being used in an unauthorized way. And what that looks like and how we detect that, I think are still open questions. But we're certainly interested in how to resolve this over time. Fantastic. So I guess let's kind of on these attacks, let's start, let's stop with this next one. And this is one of the ways I got to know you and Patrick and your team there,
Starting point is 00:30:10 and that is around card readers, skimmers. What's kind of the 101? A little bit about how these skimmers work. Where do they put skimmers? I guess, where do they put them? How do they work? And what's going on to affect them? And maybe is EMV actually preventative or not?
Starting point is 00:30:32 So, yeah. So, the skimmer problem is one of terminal tampering. So, the idea here is that someone is going to come into your store, into your bank, or anywhere where there's a payment terminal or an ATM, and they're going to make some sort of the card slot. These are kind of independent embedded devices. They fit right over the card acceptor, or they will put something inside the card acceptor. In other words, this is kind of a card-shaped device that they can insert and press into the card slot. But the general gist of it is the same. So what happens is a customer puts their card in,
Starting point is 00:31:30 whether it's EMV or a mag stripe, there is some mechanism on the skimmer that is going to either read the card or communicate with the card. And this can give the attacker enough information to be able to make a fraudulent payment or fraudulent withdrawal from an ATM, for example. And yeah, so a couple of years ago, we worked with the NYPD. And since then we've worked with, my gosh, countless law enforcement agencies, retailers, banks, et cetera, to work on this problem.
Starting point is 00:32:10 And in fact, this was, I talked a little bit about CryptoDrop, UF's first security startup. Now we have Skim Reaper, which is our second, UF's second security startup, which designs devices to check for skimmers. One of the challenges in this arena is that unless you catch somebody in the act of installing one of these, which is very difficult to do on its own, the difficult part is that a customer is almost never going to spot it.
Starting point is 00:32:46 And even trained eyes like specialized law enforcement officers and so forth can have a hard time actually detecting these, especially if they're on the inside of the machine. You know, if I stick it into the front of the card acceptor slot. side of the machine, you know, if I stick it into the front of the card acceptor slot. So what we've been trying to do over the last couple of years is bring to market and test and deploy devices that help detect these types of attacks electronically. So rather than, you know, measuring or eyeballing this problem, this is a device that can tell you definitively that there was something in the machine that did or did not attempt to, you know, read or communicate with the card that's in there. and so what the the ultimate outcome for this you know for for merchants uh it's loss of trust uh that you know consumer comes into your store and they get and you know they they believe that
Starting point is 00:33:56 they got skimmed at your store and they're less likely to come back uh and so what we've been this is the problem we've been trying to solve is how do we put these tools right in the hands of people that can give you a more definitive answer of what the problem is. That's great. And I know that you guys continue your research and the Skim Reaper's been pretty amazing. I understand there's some good activity around that, larger and larger purchases of the technology. It's just the logic that you all applied and then the engineering you put into that and then the refinements you've made. And it's got to be one of the most user-friendly technologies I've ever seen. technologies I've ever seen. It's, it was a, thanks Reed. And it was a really, it was a really fun and interesting process to go through actually looking at skimmers and seeing how they work.
Starting point is 00:34:53 And then really getting down to the, the basic physics of how these cards work. You know, I'm a, I'm a computer scientist, but you know, you know, when the work takes me into the field of magnetics and electrical engineering, I get really excited about that because it doesn't happen very often in our field. And so, you know, when we got in there and we saw how these work, and we were able to build a detector that detects them in a way that, you know, we don't believe it's possible to evade without breaking the laws of physics. That's a pretty exciting aspect of that technology. And so we took that and we wrapped it up in a package that it's easy to use.
Starting point is 00:35:38 You basically turn it on and you press a button and then you swipe it like a credit card. And then it reports back instantly. Yes, this is okay or no, it has a problem. And that can lead you to do further testing, go back. And if you're doing this kind of check regularly, then you have the ability to go back to your cameras and look to see, okay, well, it must have been installed between, you know, time X and time Y. And that can really give you a great picture of who's attacking you. I appreciate that. So let's do this. Let's go, Nolan, kind of finish up here. You've given us a tremendous amount of information on some of the more common and devious attacks that a retail
Starting point is 00:36:21 company might experience and helping the AP, LP, or law enforcement practitioner understand at the level that we need to at this point about these problems and some possible fixes. I'm really curious to understand, I'm, as you know, a criminologist, a social behavioral scientist, so I understand as much as I guess anybody can what our field looks like, both in academia, as well as companies that we work with, the government and the funding there and so on. what disciplines do cybersecurity experts come from? What fields? And what's it look like from the academia side, how you get science to practice? Of course, we have journals, we have conferences, and then we've got ways that we put that information out.
Starting point is 00:37:20 Well, it's largely the same way here, Reid. So we have conferences and we have security journals that we send our academic publications to. venues, for example, in distributed systems and operating systems and so forth, that are now excited and willing to take security works. It's been my experience that, and it's my belief that, you know, outside of kind of the basic tenets of security, access control, and confidentiality, and integrity, and these things that we want, these properties we want. The security as a whole is not really something that you build. You know, I can't go and make you a box of security. And so it's a property that we seek in other systems. And so our community is really one of collaboration, where we go in and we look at operating systems or payment systems or looking at malicious software.
Starting point is 00:38:31 And we take to those areas these practices that we have and this way of what I would call adversarial thinking in these other disciplines. And that's what helps us make other disciplines more secure or at least explore the problems of security in those areas. Now, from the aspect of where security folks come from and their backgrounds, it's all over. We find people that are interested in machine learning or data analytics that are interested in security. People come to us from the law school, from the business school, from the School of Arts and Sciences here at CU, that want to know more about security because these issues are not strictly, in my opinion, computer science issues. A lot of these issues are becoming more
Starting point is 00:39:36 prevalent today, especially with regards to law and policy. And so one of my goals has been to try and figure out how we can give security, how we can deliver quality content that gives people a security acumen that aren't necessarily from a security background. And the example I use, Reed, is that if you're working in finance at a company, you are not necessarily interested, perhaps, in becoming a security expert. In other words, you don't necessarily want to leave that job. You like finance. You want that career path. But that's a very security-sensitive role. But that's a very security-sensitive role.
Starting point is 00:40:36 And so what we're trying to figure out how to do here is deliver the right content to folks that are interested in having some security background. And so what I'm finding is that it's coming from all backgrounds. It's not any one. And it's certainly not only computer science. That's excellent. So, and I understand, you know, industrial systems engineers, electrical engineers, as well as, as you mentioned, computer science are involved in them. But I love the idea that social behavioral sciences and others can all do that. And I've enjoyed working with you all and trying to look at it from the human back and forth while you all are the technical people, but you certainly,
Starting point is 00:41:13 you all also have to understand the human behavior around this and everything about around these attacks and the countermeasures, the counter countermeasures and so forth. That's right. I mean, I'm a firm believer that many technical solutions are not useful if they're not usable. And so, you know, we talked a little bit earlier about password managers and, you know, password managers are a great tool they're very they're very good at keeping track of these really complex strings and and and making them accessible to you but if they're if they're complicated to use if
Starting point is 00:41:59 they don't always work and and worse if you if it adds friction to the experience, whether that's using a computer or shopping at a store or whatever, people are going to naturally attempt to avoid it. And so we're always trying to, you know, our community is always trying to look at ways to make things frictionless, you know, to add these properties of security without fundamentally damaging the user experience. This has been excellent. And I know I appreciate your time, your expertise, and really your delivery, Nolan. You take very complicated, very complex issues, and you make them understandable for us that are lay
Starting point is 00:42:46 people in this area. And much appreciated. It's a serious issue. And as you know, the asset protection LP people that we deal with, they've got a pretty broad portfolio. And sometimes they're in charge of cybersecurity or components of it, or their team provides investigative support for the IT, the IS professionals that deal with it. So thank you very much for that and your time. And I look forward to talking to you again. And I ask, stay safe out there in Colorado, but it's certainly a beautiful area there in Boulder. And I got to go out there and tour before COVID hit and can't wait to get back out there. Thank you so much, Reid. It was great to be on here. All right. Enjoy the rest of the week and to the rest of you,
Starting point is 00:43:35 thank you for listening to Crime Science, the podcast. And again, please stay safe out there. Any questions, comments, or suggestions for us at the LPRC or our UF research team, operations at LP Research is a great way to communicate, and lpresearch.org is the website. So stay safe. Thank you. Thanks for listening to the Crime Science Podcast presented by the Loss Prevention Research Council and sponsored by Bosch Security. If you enjoyed today's episode, you can find more crime science episodes
Starting point is 00:44:06 and valuable information at lpresearch.org. The content provided in the Crime Science Podcast is for informational purposes only and is not a substitute for legal, financial, or other advice. Views expressed by guests of the Crime Science Podcast are those of the authors and do not reflect the opinions or positions of the Laws Prevention Research Council.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.