Former FBI Agent Shares Cybercrime Trends with Eric O’Neill

“The pandemic introduced vulnerabilities that we are still trying to overcome. Spies and cyber criminals have had a field day.” - Eric O’Neill

Working from home has made it easier for cybercriminals to exploit companies. Listen on for how to be sure that the email you received isn’t from someone impersonating someone else. Today’s guest is Eric O’Neill. Eric is a security expert and author who presents keynotes internationally about espionage, national security, cybersecurity, fraud, corporate diligence and defense, and of course, hacking. Eric has worked as an FBI counterterrorism and counterintelligence operative, national security attorney, and corporate security consultant. He founded The Georgetown Group, a premier investigative and security firm. Eric is also the national security strategist for Carbon Black, VMware’s endpoint security business, and serves as general counsel for Global Communities, an international humanitarian organization.
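The episode’s recurring advice is to distrust an email that pressures you to move money and to verify it out of band. As an added worked example (not code from the podcast or from Eric O’Neill), the Python script below runs the header checks a mail filter or analyst would apply to spot the impersonation patterns discussed later in the transcript: an executive’s real address hidden inside the display name, a lookalike sender domain, a Reply-To that points somewhere else, failed SPF/DKIM, and pressure language in the body. The organization domain example.com and both raw messages are constructed for the example. One caveat a practitioner will want: only trust an Authentication-Results header that your own receiving mail server stamped, because a sender can forge one.

```python
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the recipient organization's own mail domain

# Authentication results stamped by the receiving MTA, e.g. "spf=fail ... dkim=none".
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# Phrases typical of the "wire this before end of day" pressure described in the episode.
PRESSURE_PHRASES = ("wire", "invoice", "urgent", "end of day", "gift card", "i'll wait")

# Constructed sample: the display name embeds the CEO's real address, the actual
# sender domain is a one-character lookalike, replies are routed elsewhere, and
# the receiving server could not authenticate the message.
SPOOFED = b"""From: "Jane Doe <jane.doe@example.com>" <jane.doe@examp1e.com>
To: bob@example.com
Reply-To: ceo-office@mail-relay.invalid
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Content-Type: text/plain; charset=utf-8

Bob, I need you to wire the vendor payment before end of day. I'll wait.
"""

# Constructed sample of an ordinary internal message that should raise nothing.
LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset=utf-8

Free for lunch Thursday? Thinking the place on 5th.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small non-zero values mark lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: bytes, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    findings: list[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An address hidden in the display name that differs from the real sender.
    embedded = re.search(r"@([A-Za-z0-9.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(
            f"display name claims {embedded.group(1).lower()} but sender is {from_domain}")

    # 2. A domain one or two characters away from ours (examp1e.com, exampel.com).
    if from_domain != org_domain and 0 < edit_distance(from_domain, org_domain) <= 2:
        findings.append(f"sender domain {from_domain} is a lookalike of {org_domain}")

    # 3. Replies silently routed to a third domain.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 4. Authentication results. Only meaningful if your own MTA wrote this header.
    results = {k.lower(): v.lower()
               for k, v in AUTH_RESULT.findall(msg.get("Authentication-Results", ""))}
    if from_domain == org_domain and results.get("dkim") != "pass":
        findings.append("claims to be internal mail but DKIM did not pass")
    if results.get("spf") in ("fail", "softfail") or results.get("dmarc") == "fail":
        findings.append(f"sender authentication failed: {results}")

    # 5. Pressure language in the body.
    body = (msg.get_payload(decode=True) or b"").decode(
        msg.get_content_charset() or "utf-8", errors="replace").lower()
    hits = [p for p in PRESSURE_PHRASES if p in body]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(sample) or ["no indicators"])
```

Run it directly to see both verdicts, or call analyze() on raw messages pulled from a mailbox. None of these signals is proof on its own; the script lists indicators so that a person can apply the out-of-band phone call the episode recommends before acting on the request.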

“The most common attack right now is using email as a way to compromise the trust of someone to get them to do something they wouldn’t normally do.” - Eric O’Neill

Show Notes:

“Ransomware attacks are attacking critical infrastructure at a previously unseen rate.” - Eric O’Neill

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Eric, thank you so much for coming on the Easy Prey Podcast today.

Chris, it is my pleasure to be here. I appreciate you having me on.

Thank you. Can you give myself and the audience a little bit of background about who you are and how you got involved in the cybersecurity field?

Absolutely. I think the most interesting part about my background is probably my time in the FBI. I was an undercover operative for the FBI. I did counterintelligence and counterterrorism. Counterintel is catching spies, and counterterrorism—that’s pretty self-explanatory. I worked fully undercover for over five years, which means I never came out of cover. I didn't even have a name in the FBI; I had a codename.

My claim to fame was my final big case in the FBI, which was to go directly undercover in FBI headquarters—something that had never been done before—to catch the individual who turned out to be the most damaging spy in US history, Robert Philip Hanssen. Hanssen was a 25-year veteran of the FBI. He was a supervisory special agent, who was also Russia's top mole in the US intelligence community.

For 22 of his 25 years, he sold some of the most egregious secrets that have ever been sold to a foreign intelligence service, including nuclear secrets and so many other things. I can spend an entire 45 minutes just on what he did.

I was sent to go undercover and find information that would lead to (1) us knowing that this was the spy we'd been after, this legendary spy that everyone in the FBI had spent a career trying to catch, named Gray Suit. (2) Once we did identify that, I was able to find the information that would lead us to catch him red-handed so we could put the pressure on him to say everything he did. He was given the code name Gray Day, and that was my final case in the FBI.

Since then, I’ve worked as a national security attorney for DLA Piper, one of the biggest law firms. I also serve as a general counsel for Global Communities, one of the big humanitarian charities. That's how I still practice law after getting my law degree. I didn't want to let that go.

I run a company called the Georgetown Group, which does investigative services. I'm the national security strategist for VMware. I'm also a dad and a husband, so I got lots going on.

Lots of titles.

My background in cybersecurity really began as somebody who was interested in security and computer systems when computer systems were still new, and you were buying parts and building them yourself. To get software to work, you were talking to friends in person before they're even on bulletin boards to figure out how to change little bits of the code.

I can remember the first video games I bought when I was a teenager; none of it would run out of the box, because the game companies couldn't test what it was going to run on, because everyone's building their own systems. You would go to the game store, talk to the guy there, and learn how to code just so you could fix your game and get it to work.

Coding and computers were always interesting to me, and that led me to, “How can you break these things? What kind of interesting things can you do to code?” That's what we might have called a hacker back then. Not doing anything wrong or illegal, but just interested in not only how software works for security, but how you could maybe make it stronger by learning how to break it.

In the FBI, I was going undercover against Robert Hanssen in the information assurance section. This was built to defend computer systems in the FBI. They put the biggest spy in US history and our top hacker in the FBI, our top cyber espionage, cyber spy, in charge of it. (1) That was to keep him from retiring and (2) to give him his dream job. But he was an expert at computer systems and certainly was a cyber attacker.

He'd been leveraging computer systems and penetrating them for all his time with the FBI in order to steal the information he stole. I think that it's a little tongue in cheek, but it's kind of true. The FBI looked around to find the only guy who knew how to catch a spy and turn on a computer in the FBI, and that happened to be me. They threw me in the room with them, kind of shook it up and down, hoping that I came out OK and caught the guy.

Since then, cybersecurity has been a passion for me. For all these years working as an attorney, working as a national security strategist, as an investigator, I've been deep into cybersecurity and thinking a lot and talking a lot as a public speaker about why we are suffering so many cyber attacks and what we can do to maybe make the world safe from them.

Let's talk about that. I know before we started recording, you and I were talking about this massive sea change in the last couple of years because of the pandemic of people starting to work from home, going to school from home, and telemedicine. While that was definitely not out of the mind that this was something that was going to happen, the pandemic definitely accelerated that to happen in an extremely short period of time. Let's talk a little bit about that transition and then where you see things going forward.

Of course. Zoom and Teams have been around for a long time. It's not like they're brand new technologies. But March 11, 2020, when the World Health Organization declared that this illness, this new thing called COVID that had reached the US, was a pandemic—everything changed.

We had individuals who were all working in an office. This is what we do. We got up in the morning, we got our coffee, we put on our clothes, and depending on whether you could dress casual or professional, what profession you were in, but you went to work.

A day later, after the WHO announced that this was a pandemic, people were home. It was probably one of the most chaotic moments in US history since 9/11. If you think about 9/11, after that event happened, everything changed about how we travel, and it has never gone back. Now look at this pandemic and what it's done to us for two years.

You might remember that we all went home. Some of us took our laptops, some of us didn't have them. I know stories about people who are working from their phones, or iPads, or their grandma's computer that they pulled out of an attic.

There were many people who were driving their cars to park outside of a coffee shop or a store where they could connect to wireless. That was good. Kids were sitting in cars and tele-learning outside of Starbucks, because their parents could get an internet connection there. It was pure chaos and we weren't ready for it.

We began in an on-prem situation, a nice situation for most companies, where IT organized your computer, set it up, and had all of the security. You're within your safe environment or somewhat safe. They're never really safe.

The aircraft is safe.

Safer. Then suddenly, we're in a distributed workforce that no one was ready for. We were going there, but we had maybe 10-15 years until we got there. Suddenly, in a day, we were there. In that distributed workforce, you had companies who were resistant to adopting the cloud, who were now in the cloud, whether they wanted to or not, because the only way that their employees could communicate, and sometimes globally, was by leveraging the power of the cloud.

This introduced vulnerabilities that we are still trying to overcome. Spies and cyber criminals have had a field day. If you just look at some of the statistics—I think BBC News looked it up—but globally, since the outbreak of COVID-19, 81% of the global workforce, at one point in time, was working from home. It's telecommuting. That is incredible.

If you think about the sandbox that we created by changing things without preparing for attackers, that explains some of why we've seen cyber attacks go up so much, four times as many from 2019 to 2020, for example, in the last couple of years.

When you talk about the massive increase in attacks, what types of attacks have increased significantly?

I'm a big fan of the FBI. Obviously, I come from the FBI. Even when they're scrutinized, I do like to say they do a good job. But if you look at the FBI's IC3, the Internet Crime Complaint Center, they've got some great statistics about cybercrime in general.

People report pretty much every kind of cybercrime, and it also is under-reported, so you can add up all these numbers. But over the last five years—that’s 2017-2021, and we don't have stats for 2022—we’re only halfway through the year, there were 2.75 billion total complaints that were lodged with the FBI for $18.7 billion in losses. That's a lot.

Just last year, in 2021, it was 850,000 complaints, which is the highest on record for $6.9 billion in losses. A good portion of that happened in one year, and it goes up year after year. From 2019-2020, it went up 69%. The number one attacks continue to be business email compromise.

Traditional espionage in a new technological world is exploiting the fact that people are home and learning to work in a new way. It's about getting them to trust the email that comes across their desk, making them believe, whether it's a text through Teams, or Zoom, or an email, or a text on your phone, that this is the CEO, for example, telling you to wire money here or there. It's using email as a way to compromise the trust of someone and get them to do something they otherwise wouldn't do.

Here's something that's pretty interesting. Number three, it's romance fraud. Romance fraud is one of the top cyber crimes in the last two years. In 2020, it was number one. Romance fraud is fooling someone into a relationship that they believe is something that it's not, because people are lonely.

When we were stuck in our homes, when people were locked down, two things happened. The highest incidence of divorce in the United States in history and the highest incidence of romance fraud. Either you were single and you were miserable or you were married and some of the problems that spread themselves out when you were both going to work, and were suddenly aggravated when you were together all the time.

That's scary. The numbers have shifted so much in such a short period of time. Not only has the work from home accelerated and the technological change accelerated, all the negative things associated with that transition are happening probably even faster.

Yes, they're happening very quickly. We weren't ready. Like I said, I think we had 10-15 years to get somewhere close to this. Businesses were already heading there. We're talking about businesses where people can work from a computer; they were already starting to give a lot more flexibility.

A big plus about what has happened through the pandemic in this tele-everything world we're going into, is that now recruitment can happen globally. You don't have to think this person has to be able to move to where my corporate headquarters is to come into work. You can now increase your talent pool exponentially, not only to just the US but anywhere in the world.

On the downside, of course, the more you disaggregate the community in your company, the more that people don't know the people they work with. The easier it is for a spy or a criminal—and I can explain how those two intermesh—the easier it is for them to fool the person into thinking that the attacker is someone they can trust.

Do you see a time coming where there's almost going to be a specialty within the HR department of being able to find out, “Is this a real person applying for this position, or a criminal trying to get a job in order to launch scams within the company?”

It's interesting you bring that up because I talk a lot about future attacks. You know the good old CEO hack, where it's kind of like the Nigerian letter scam. Somebody pretends to be the CEO or the CFO and sends an email.

Purportedly, if you're not looking very hard, it looks like it comes from your boss and it says, “Wire this money here, or pay this invoice, or pay this bill for this procurement that we desperately need. If it doesn't happen by the end of the day, we're going to lose it, so get it done now.” They'll even follow up. “Have you got it done? Get it done.” That can cost an enormous amount of money.

With the rise of artificial intelligence, AI and deepfakes, it's now possible for someone to have your deepfake CEO show up at a Zoom conference or call you on a Teams meeting and say, “I need you to get this done right now. I'll wait until it's done.” Could you imagine that?

It's not just an email that you could reach out to. You would call and a lot of companies have put all sorts of safeguards into place. Before you send a wire, three of us have to be contacted and sign off on it. Just the CEO and the CFO can't do this anymore.

In training, we say, “If you don't trust it, pick up the phone and call the person.” Use your actual phone, not over your computer. Call the person and ask them. If they sent the email and it's very easy, “No, I didn't. What is that?” OK, now IT gets involved. Cybersecurity gets involved.

Imagine if you get a call on Zoom from your boss who shows up just like we can see each other here. We've been trained for the last two years to do this—to do things not in person, but over a computer environment. You're going to trust that.

Deepfakes concern me a lot, because they're already being used to cause problems to get people to trust things or believe things that they shouldn't believe. Imagine: wait until they start using AI to pull images of people into their models and have them say whatever they want to say in real time.

We almost need to start implementing multi-factor authentication in our conversations.

Multi-factor authentication is something that we just need to implement across the board everywhere. I can spend a lot of time talking about how completely and utterly useless the password is. I have multi-factor turned on for everything.

I think that we're also going to see a future where there is no password, because passwords are already worthless. The second you change your password, it seems that some app that you've subscribed to using the same password has lost all your information in a big data breach, and it's all for sale on the dark web.

Of course, they take our privacy and security as their number-one priority.

Everybody says that, but I think they copy and paste the same disclaimer or notice from the internet and use it for everything. Of course, you say that because you have to. I tell people all the time, they ask, “What's the number one thing I can do as a person to protect myself from a cyber attack?” I say, “Turn on MFA or 2FA—multi-factor authentication—everywhere. If you're logging into something and you're not going into your authenticator app or getting that text to your phone so that you enter that code, you have no security on that account. Zero.”

Yep. To me, it's worthwhile pointing out that where you and I are coming from a cybersecurity perspective or an engineering perspective, we'll say, “Gosh, SMS is not very good. It's too hackable. It’s too interceptable.” But we need to move to a position of, “It's better than no second-factor authentication.” I'd rather you have an authenticator app or a hardware token generator with you. For most people, that might be above and beyond their comfort level, but at least SMS is better than no second-factor authentication.

SMS isn't perfect, but it is far superior to just your password. When you look at passwords, the interesting thing is to look into breaches and see all the passwords that were just pulled out of the breach. The number one is still Password1!, because it meets all the criteria: you have to have X number of characters. You have to have a capital letter. You have to have a number, and you have to have one of the special characters.

Everybody uses “password.” They capitalize the P, they throw a one at the end, and then what's everybody's favorite special character in the world? The exclamation point, because we're all loud people. They throw that at the end or just a series of numbers. Even when people come up with a real brilliant password—and those of us in security do—it’s constantly impossible.


In security, we like these password authenticators and those kinds of things. But you come up with this great password—I like to say when I'm on stage, the first line of your favorite book as a child, but it's backwards. You memorize that sucker, and you put your exclamation point right in the center, so no one's ever going to be able to guess or crack that.

They won't, but they don't have to, because you used it to get your free ice cream after your 10th purchase on some app that was lost in a breach by some cyber criminal just looking for known vulnerabilities. That company just didn't patch. Now it's on the dark web. What people do is the attackers will go buy about a thousand usernames and passwords off the dark web. It costs them maybe $3.

They go through that data; they mine that data for interesting individuals. What they do is they find that password. Maybe it's your personal account, but they find the password and your personal account, then they figure out where you work because we're all on LinkedIn, and we put our lives all over there. Then they just know they have to put the first letter of your first name, your last name, and then @ wherever you work, and then that password, and 75% of the time they're in.

That's basically how Colonial Pipeline, one of our biggest infrastructure attacks in the past few years, was attacked. The attackers didn't have to do anything. They just bought a username and password for an unused VPN account that the company had stopped using but didn't delete. It still existed.

It had been lost in a prior breach. They bought it off the dark web. Suddenly, they were in the company. That's how they were able to shut down Colonial Pipeline, which was the biggest mover of petrol gasoline from the West Coast to the East Coast. They didn't get deep into the ops system, but they got far enough that Colonial Pipeline had to shut down everything, because they didn't have the ability to see where they had landed and where they had gone.

Because we know someone got in, we have to work under the assumption that they got into everything.

Right, exactly. One of the critical issues there is when it's a ransomware attack, because that's what it was—attackers who were Russian crime syndicates. We call them big-game hunters. A big company that has a central role in critical infrastructure to get them to pay a lot of money. They ended up paying a $4.4 million ransom. I think the attackers originally wanted a $5 million ransom.

The critical thing there is that Colonial Pipeline didn't have, in cybersecurity, what we call context. When you're looking at building cybersecurity for your company, for yourself, you have to have context. You have to know where your data is, you have to know all of the different ways you can connect to that data, and you have to also understand if there is an event, how that data was accessed and where the person has moved through your system.

The best cybersecurity builds all the safeguards so that as soon as an attack happens, you have context into where they landed and where they're now trying to move laterally. We're getting very technical, but in a ransomware attack, it's no good to just get one person in IT's computer locked. “All right, we'll isolate that computer, take it out of the environment, and fix the problem.” You want to take all of them down.

That's a scary thing, when it's taking down critical infrastructure. You and I were talking a little bit about earlier. Critical infrastructure is a lot more than just power grids, transferring fuel halfway across countries. There's a lot more to that. Let's talk a little bit about what they're targeting in terms of critical infrastructure.

Of course, yeah. We tend to think of critical infrastructure as power. If you ask anyone in the world, “Hey, what's the critical part of critical infrastructure?” It's power, because if my kids can't be on their iPads, then I have to be a parent. We can't have power go away.

We try to keep our kids off devices as much as possible. We want to read books around here because that's a whole other topic. But critical infrastructure is so much more. It's not just power. Of course, we're worried about lights, and we want air conditioning in the winter, but it's also gas. That's how you heat your home in the winter.

It's also telecommunications. If your cell system goes down, and we can't text and we can't call each other, that will cause significant chaos, but it's also our financial markets. It's our food industry.

I think the year before last year, in 2020, the food industry was attacked at an extraordinary rate. You remember there's the JBS meatpacking plant. Suddenly, there wasn't meat in supermarkets in the US. Of course, everybody who's into barbecue freaked out. What are we going to do if we can't grill a steak tonight?

Attackers are getting very clever at seeing that critical infrastructure isn't just lights and power. Critical infrastructure are all those things we need to live as a society, that if we don't have them, we're thrown into chaos. That's what attackers want to do.

There are two kinds of critical infrastructure attacks. There are destructive attacks, which are, by the way, up 87% in the last few years, but there are also ransom attacks. They're the extortion attacks that criminals use in order to make a lot of money. The destructive attacks are where we're going to go in a future war. That's how we're going to fight it.

We're not going to be in the Ukraine situation here in the US. I would stake my reputation on that. I think that any future war here in the United States or the majority of the world is going to be cyber attacks—attacking critical infrastructure. We know that we're vulnerable here in the US for a couple of reasons.

For the last 10 years, there have been probe attacks against our critical infrastructure. This has been happening quite a bit. Probe attacks are getting into servers that are critical to critical infrastructure within the US and just trying to maintain a presence within them. In the future, if the enemy had to, they could start shutting things down.

Also, in January, the FBI, CISA, and the NSA all got together. They don't often get together, but they did. When they do, you have to pay attention, because they issued a joint warning that Russian cyber spies were targeting US critical infrastructure, and had not only managed to get into our critical infrastructure, but maintain presence.

That's a big deal. That means that they didn't find a way in and then they got caught quickly. It means they found a way in, and they lurked in systems for a long time. That's what you want to do if you're the enemy.

On the other side, we have ransomware attacks. Ransomware attacks are targeting critical infrastructure at a previously unseen rate. They're up year after year, because when you hit critical infrastructure, you cause chaos, and that means people will pay. Take Colonial Pipeline, for example.

I live on the East Coast. When we can't get our gasoline here, people go a little crazy if you can't drive your car. Gas stations around here were shutting down the route of fuel. What happens is people get into fights to get to the pump. People line up.

I thought this was silly. If I was out of gas, I didn't care because we were on a lockdown anyway when Colonial Pipeline happened. I wasn't driving anywhere. I could just wait it out, but other people felt differently about that.

Some people may have seen the news report of silly people on the East Coast, by the way, not too far from where I live, just outside Washington, DC, filling up things like trash bags full of gasoline. That's crazy. Anyone who's an engineer laughs when I say that, because engineers ask how you get that fuel from the trash bag home, and then into some container you can use to actually put it in your car or your generator.

Trash bags are pretty unwieldy for liquids, and it's also dangerous, but this is the kind of chaos. Those reports were coming out. There was a huge amount of pressure on Colonial Pipeline from the US government to get back up because it was embarrassing the White House. There was also this cross-border sniping from the US to Russia and back about, “Hey, your criminals sitting in your country are attacking our critical infrastructure.”

DarkSide, the Russian crime syndicate that was responsible for that, was disappeared, probably by a Russian who said, “Hey, Putin says we do the critical infrastructure attacks, not you guys. You guys go after the little companies, and make your money, and cause America problems, but critical infrastructure’s for intelligence officers.” That would be my guess.

I would tend to agree with that.

Suddenly, they had to pay the ransom and had no other choice.

To me, I think one of the scary things about the critical infrastructures, or what you talked about, is that getting into the systems and then maintaining access, and intentionally not doing something destructive, waiting for an opportunistic moment in order to do it. It causes a gasoline shortage. It causes panic buying, which exacerbates the situation. We're unfortunately not good about responding appropriately to these sorts of events.

That's absolutely true. I actually worried quite a bit about our critical infrastructure and whether we would be seeing attacks from Russia once we started engaging in assisting Ukraine in the war that is happening there. It turns out that the Russians have been suffering so many cyber attacks on their own and having enough problems in Ukraine that I think they've been in quite a defensive posture.

I do look into the future and see another concern. Once things stabilize, Russia can be pretty vindictive. We also have the issue with China, who's benign in Taiwan. I wonder if there could be some precursor attacks against the United States to cause significant disruption here. We would call it an invasion, they would call it just a sort of peacekeeping force or something.

Special operation.

Right. Special operation. That's quite possible because it's not just Russia. Russia, China, Iran, and North Korea have all been messing around in our critical infrastructure and seeking ways to maintain presence. None of them really wish us the best in the future.

Yeah. To me, it makes sense that there's a threat to our critical infrastructure. Corporations have a set of actions that they need to take. What about you and I? Is there anything that we can do to prepare for critical infrastructure events?

Just to tell you how worried I am about it. In 2020, even though there was a downturn and money was a little tighter, I went ahead and my wife and I had this plan to put solar cells on our roof. One is to be a little bit more environmentally friendly. That was more of my German wife. The main reason for her—look, I love the environment too, but for me, it was really about being independent.

I don't need to be on the grid for a good part of the day, and then I have the big power wall so that I maintain power until the sun comes up again. That doesn't mean that I'll always have power, but it'll mean that I would have more power than anyone else around me who just got kicked off the grid. I didn't want to go the gas generator route, because I wanted to be completely on my own if I needed to.

I'm not saying everyone should do that, but I also don't understand why, particularly where I live, where there are so many incentives and rebates, where they almost pay for you to have solar power, people don't do more of this. Especially as I look at my energy bill, I think it's 25% of what it was before I installed the thing throughout the year.

The other ways to get ready for it are really just to understand what could happen and be in a position where you're prepared for it, have water in your home, know what to do in any kind of emergency, but crisis preparedness is good for anyone no matter where you are. That might be a little bit of my special ops background. Those of us who worked in special ops for years tend to worry more about things like that and prepare for it, just because of some of the things we've seen. We know that it could happen.

I'm the same way. I live in Southern California. The California energy system has always been a little bit suspect of being able to support electricity just in general with the spikes. Because of some events with the electrical providers, they have now taken a position of when it gets particularly windy—in Southern California, we have what are called the Santa Ana winds. It gets hot. It gets dry, and then there are fires.

It's alleged—and I'll leave it as alleged—that a lot of these fires are started not intentionally by the electrical platforms, but you get trees hitting power lines starting brush fires, which get out of control. So what they've taken to doing is, when it gets hot and windy and you want to run your air conditioner, we're going to start turning off power, because we don't want to be held liable and we don't want to cause a fire.

I did the same thing. I got to have solar, have battery backups to last indefinitely. I'm one of those people who like extra preparedness. For my home internet connection, I have a backup internet connection at home.

While I primarily use a fiber service, I've got a backup through a physically different platform. My wife and I, we both don't have the same cell provider. In case one of the major providers goes down, we've got a phone on a different provider, just in case.

Right. Yeah, that's all excellent. I think that you could take that another step too. During the pandemic, everybody has their pandemic story. Mine was that the school systems failed so badly that my wife packed up my two youngest. This was a joint decision, and took them to Germany. They went to German school, which was fully open at the time.

My kids got dual citizenship for six months. We were separated for six months. My oldest daughter was with me, but because I was still working, and her school finally opened and we needed to be able to communicate, we got her a cell phone way younger than we ever would have. It was so we could be in contact with each other, and we made sure there were a lot of restrictions.

One thing I can tell parents is your children are the greatest hackers you will ever know, because finding ways around all of the protections you try to build into their IT is their life goal. When we were kids, we were just trying to figure out how to sneak out of the house without stepping on creaky floorboards. Now they're trying to get the codes to everything, particularly getting into—I can tell you a story, and you see if you can guess.

I have a 14-year-old daughter, a 12-year-old son, and a nine-year-old daughter. This was last year, so reduce their ages by a year. We found the nine-year-old, who was eight at the time, watching a movie on Netflix that she should not have been watching, on her iPad. It's an old iPad with just Netflix on it.

We have controls on it, so she can only watch the age-appropriate stuff. But she's watching something she shouldn't see, so I grabbed the thing from her. I first asked my wife, “Did you give her permission?” She's like, “No.” I saw that not only had the screen time controls been changed, but her Netflix privileges had been elevated in the app, in my account.

Wow. I figured she had someone else's account, but it was in your own account.

I'm a former FBI-trained investigator. I pull all the kids together and we do an interrogation. First of all, no one knows. Then after some tears, we learned what happened. One of the kids had shoulder-surfed my wife to get the code to her phone—the passcode to the phone. They had gone in and added a fingerprint, and then used the fingerprint, the biometrics, to go into the passwords on the phone to find the passwords to Netflix.

That's clever.

This is what your kids are doing, by the way. That's what they're already doing. Then they went in, got logged into my account, and elevated everything. This was before Netflix had—I don't even know if they have two-factor authentication at this point. They were able to just go in and elevate all of their accounts to NC-17 or whatever, which is bad. Guess which kid did it.

The youngest?

Yeah, the eight-year-old. She gave my son R-rated movies for Christmas, like she bumped it up. Also, in her evolution of figuring out how to do this, she started by adding her fingerprint so she could make screen time requests for more time, run to my wife's phone before she saw it, hit the fingerprint, accept the request, and then close the phone. She'd been doing that for a long time. Yes, now nobody's allowed to be on our phones, and I tell my wife: you can't. You have to make sure that they're not watching when you're entering your code.

Yeah, get the privacy screens.

Exactly.

One of the things that Tesla did with their cars is you could have a PIN to enter the car and start the car. If I remember right, they changed the location on the screen where the PIN code is entered, so you can't see the fingerprints. I think they may have also changed the numbers on the buttons. I know there are some apps that do that. Rather than having all the numbers in a traditional position, every time the PIN code pad is presented, it puts the numbers in a different order. That way, people can't remember patterns. They actually have to know the PIN code.

Exactly. Actually, I worry about my friend and his Tesla. I've always wondered about it, but I haven't pulled the trigger yet. It was sort of like getting the solar and then getting the electric car. Then I've been looking at all the new ones that are coming out down the road, and I'm like, “Let the market get kind of saturated, and then there's competition, and then pick the best one.”

I do get concerned about devices in general, but especially your cars that are that connected. Anytime you create a connection to any sort of an app that is now connected to the internet, which means that it's just open to the world, you are creating a situation where an attacker has a way in. It may be very difficult and circuitous for them to get there, but there is always a way in. I just worry about a car that is driving and has some sort of self-driving capabilities that could potentially be penetrated by an attacker.

Yeah, as everything gets more connected, you always have to worry about how they're going to be abused. I know there are concerns about pacemakers and medical devices that are internet-enabled, that are not just Bluetooth or Wi-Fi, but are on the internet, ostensibly to be managed by your physician, so that they can be monitored by your physician.

Some of it is actually connected and can be monitored remotely by your physician. It can also be monitored by the people in your home. For example, Parkinson's patients can have a procedure called deep-brain stimulation, which is where wires, electrodes, are actually fed into the brain and to certain areas that need to be woken up to help with the unfreezing. The control device connects to a battery pack and a control unit that's embedded in the chest.

It's all subcutaneous. You don't see it, but there's a handheld device that you hold. You can raise the level or tune it to give you the stimulation that you need to affect Parkinson's and to help the motility. That could be compromised. Imagine, you're now able to change the amount of voltage in someone's brain. Those sorts of things do kind of worry me a little.

The question is if you're going to have that installed, that's going to significantly improve your quality of life, but there are now drawbacks, because attackers are not the nicest people in the world. They will do terrible things. Imagine if your brain is held in a ransomware attack, and they tell you, “We need a million dollars or we'll kill you, and you have five minutes to pay,” or something crazy like that. These are the situations that we're creating for ourselves.

The dichotomy here is that, as we dive forward into innovation, which is beautiful and wonderful, we have to constantly be thinking about security. That may stall and it may slow things down, but it is critical to build security into every new innovation, because the first individuals who are going to find ways to break that security are the bad guys, not the good guys.


I think in some sense, that's a mental shift as well, because for so long, technology was not designed with security in mind. You weren't worried about your kid's teddy bear being connected to the internet. “Oh, that's cute. I will talk to my kid. Who else can talk to your kid through your teddy bear?”

I think some of it is that we just don't think how someone with evil intent would try to abuse devices. I think you almost need that person on staff who can think from that perspective of, “How can I do bad things with this technology?” As opposed to the person who just thinks, “How can I secure the device?”


Exactly true. In the world of espionage, the best spy hunter is the best spy. You can't hunt a spy unless you know how to be one. That was my training in the FBI. They taught us how to be incredible spies so we could see every tell, every bit of tradecraft that our adversary would use, and beat them at it.

As for connected devices, an example is production floors using robotics. Nobody thought about how dangerous it could be to connect these robots to the internet just to make it easy to update them, particularly when you have humans and robots on the same production floor, until someone was able, in one case, to break in and move the arm to knock a person to the ground.

I almost think it's more sinister if you have an industrial build shop. Let me modify the arm to create a weakness in the product that nobody knows about until it's out in the wild and cars are breaking in half, or however this product is used. For nefarious purposes, someone has introduced a physical flaw in the device.

Yes. These are the things that can happen. There's so much doom and gloom. What's likely to happen, though, in this world of future technology, in this tele-everything world? The same things that are happening now will keep happening, because criminals and cybercrime are what most people have to worry about.

Cyber espionage is continually impacting the United States in ways that trickle down to every single person in the entire world, and it will continue. The cyber war in espionage will continue. Where there's defense, there are attacks, and it is never going to end. There's been espionage since the beginning of time.

I think what a regular person needs to worry about most is cyber crime. I think criminals are lazy. They wouldn't be criminals if they wanted to go get a job and work a real job, or be entrepreneurial and do some of the things that they're doing in the above-board world. They want to leverage attacks that will take the least amount of energy and net the most profit for their time, of which they want to spend as little as possible.

Those are the basic things that we can control. Ninety-eight, 99% of all successful attacks leverage known vulnerabilities, things that we know how to stop and could stop. Things like spear phishing. That email you get that you know you shouldn't click on the link, but you just trust it. It's done so well.

The hundreds that we get a day—most of them go into your spam filter—are terrible. They're blurry, the English is poor. Obviously, they used the translator and it was terrible. You can see it right away. Some of them are really good. The training is don't click on links ever. Just don't do it.

Known vulnerabilities are one of the number one ways that businesses and corporations are attacked. Because there's a known vulnerability, it's announced by the company who's identified the vulnerability. Microsoft does this routinely—everyone does. But the company doesn't patch, because there's so much to patch constantly.

There has to be a plan to identify which are the most critical patches and who's first in line. There is the Log4j vulnerability now, which you spoke with one of your other guests about, which is ubiquitous throughout software. It's open source software that's used in virtually everything. It gives you those error codes when there's a problem.

That error 401—“This website does not exist”—that’s Log4j working for you. But if you can penetrate that, then you can get into virtually any system. It was one of the most damaging known vulnerabilities that was out there for a very, very long time.

The second that it was revealed to be there, security was actually working on it. It was discovered, but kept quiet. It was discovered by the big foreign eBay, Alibaba, and then kept quiet until Minecraft. Every single kid that we know plays that game. They realized that it was severely impacting all of their users, and potentially leaving them incredibly vulnerable to cyber attacks, and had to say, “Everybody patch, quick.”

The second that happened, cyber criminals launched attacks mercilessly everywhere on every single source using it that they could think of—big companies, small companies, small-medium businesses, individuals. Everyone was getting attacked. That's how they operate. The second that vulnerability is known, criminals pounce on it and launch attacks until it's patched. It can take some companies up to three months to install a large patch.

Those known vulnerabilities are one of the reasons, and I keep coming back to it, that ransomware has been so huge in the last number of years, so huge that the World Economic Forum announced last year that the dark web is now the third largest economy on earth. Basically it goes the United States, China, and then the dark web.

That's disturbing.

It is. The dark web has no brick-and-mortar stores. It owns no land. It exists fully in cyberspace.

I guess, technically, there's a little bit of physical presence, but not in the way that most people think of it.

Yes, bits and pieces of servers all over the world.

Yeah. There are servers somewhere, and it's distributed, redundant, and…

And it moves. Law enforcement is on there just as much as the criminals, and it still can't be stopped.

We'll end this episode on that absolutely disturbing note. Obviously, people can read your book, Gray Day, which can be found everywhere that you can find books, and we'll link to that. Are there any other resources that you're providing or you want people to go to?

Sure. If anyone has a question for me, I usually am pretty good about responding to DMs on Twitter. I'm @eoneill. You can also check on my website, www.ericoneill.net, if you want to learn more about me, what I'm doing, or where I'm going to be speaking next.

Awesome. Eric, thank you so much for coming on the Easy Prey Podcast today.

Chris, thank you for having me. It's been a pleasure.
