WEBVTT

00:00:00.240 --> 00:00:05.029
JACK: Here’s a question; what’s the biggest threat facing music venues, sports stadiums,

00:00:05.029 --> 00:00:06.029
and theatres?

00:00:06.029 --> 00:00:12.170
Well, I don’t know, but I’m gonna go out on a limb and guess, but it’s insider threats.

00:00:12.170 --> 00:00:16.660
What I mean is I think there are a ton of people who want to get free entry into all

00:00:16.660 --> 00:00:22.050
these places, and they do get in without paying all the time by using an insider.

00:00:22.050 --> 00:00:25.760
I’ve seen it with my own eyes; I’ve been to the movie theatre and saw someone pay their

00:00:25.760 --> 00:00:30.410
way to go in and then once inside, open up one of the side doors and let their friends

00:00:30.410 --> 00:00:31.680
in who were outside.

00:00:31.680 --> 00:00:35.680
I’ve also seen the same thing at a baseball stadium; someone was standing outside the

00:00:35.680 --> 00:00:39.850
exit and they were just waiting for someone inside to leave, and as soon as that door

00:00:39.850 --> 00:00:43.850
opened on the stadium, boom, they grabbed the door right before it closed and went inside

00:00:43.850 --> 00:00:45.880
and quickly blended into the crowd.

00:00:45.880 --> 00:00:51.010
They just got free entry into a sporting event, all because someone on the inside let them

00:00:51.010 --> 00:00:52.350
in.

00:00:52.350 --> 00:00:57.790
Insider threats are a major problem that companies have to face.

00:00:57.790 --> 00:01:05.420
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:05.420 --> 00:01:10.119
I’m Jack Rhysider.

00:01:10.119 --> 00:01:13.920
This is Darknet Diaries.

00:01:13.920 --> 00:01:21.710
[INTRO MUSIC ENDS]

00:01:21.710 --> 00:01:28.660
JACK: Let’s start with just you telling us your name and what do you do?

00:01:28.660 --> 00:01:29.660
LISA: Okay.

00:01:29.660 --> 00:01:32.780
[MUSIC] Do you want me to – are you good to start now?

00:01:32.780 --> 00:01:34.780
JACK: Yeah. LISA: Okay.

00:01:34.780 --> 00:01:35.780
Hi, I’m Lisa Forte.

00:01:35.780 --> 00:01:41.869
I’m a partner at Red Goat Cyber Security, and professionally I run cyber-crisis exercises,

00:01:41.869 --> 00:01:47.380
deliver training, and insider threat program development companies.

00:01:47.380 --> 00:01:50.930
In my personal life, I climb, cave, and explore abandoned mines.

00:01:50.930 --> 00:01:52.270
JACK: So, do you have a degree?

00:01:52.270 --> 00:01:53.549
What did you get your degree in?

00:01:53.549 --> 00:01:59.600
LISA: So, I did my degree in law and then I did a masters in international law and Maritime

00:01:59.600 --> 00:02:00.600
law.

00:02:00.600 --> 00:02:06.530
So, I was very legally focused and then decided that – well actually, by accident I got

00:02:06.530 --> 00:02:12.800
involved in security and more physical security, and I – that’s how my career sort of took

00:02:12.800 --> 00:02:14.990
off and I abandoned law completely.

00:02:14.990 --> 00:02:15.990
So…

00:02:15.990 --> 00:02:18.860
JACK: Okay, so a degree in Maritime law.

00:02:18.860 --> 00:02:20.560
Where did that take you?

00:02:20.560 --> 00:02:28.030
LISA: So, I actually got a job working for private security companies, as they like to

00:02:28.030 --> 00:02:34.431
be called, putting – you put eventually armed guards onboard ships to protect them

00:02:34.431 --> 00:02:38.360
from pirates and fortified the ships to protect them from pirates.

00:02:38.360 --> 00:02:44.730
JACK: [MUSIC] Whoa, Lisa’s job out of college was to help secure ships from pirate attacks?

00:02:44.730 --> 00:02:46.490
That’s wild.

00:02:46.490 --> 00:02:51.200
Apparently there are a lot of ships that need to move cargo past dangerous waters like the

00:02:51.200 --> 00:02:52.380
coasts of Somalia.

00:02:52.380 --> 00:02:57.460
Now, Somalia has been characterized as a failed state in the past, with insurgents currently

00:02:57.460 --> 00:02:59.120
controlling a portion of the country.

00:02:59.120 --> 00:03:02.440
There are parts of Somalia that have no organized government.

00:03:02.440 --> 00:03:08.010
So, for a while, it was a dangerous area for ships to pass by, since there were Somali

00:03:08.010 --> 00:03:10.990
pirates that would try to come and take over the ship.

00:03:10.990 --> 00:03:16.620
When a pirate attacks you out to sea, nobody is around to rescue you if you get in trouble

00:03:16.620 --> 00:03:17.620
out there.

00:03:17.620 --> 00:03:23.600
So, ships were increasingly trying to find ways to protect themselves, but legal questions

00:03:23.600 --> 00:03:24.660
started to come up.

00:03:24.660 --> 00:03:28.820
Are they allowed to carry weapons and put armed guards on ships?

00:03:28.820 --> 00:03:31.050
Well, sure; it’s out there in the ocean.

00:03:31.050 --> 00:03:32.890
Who’s gonna enforce laws out there?

00:03:32.890 --> 00:03:37.940
But what about when you’re docking into ports in countries where weapons are banned?

00:03:37.940 --> 00:03:42.460
Lisa was helping this shipping company navigate the Maritime laws to learn what they were

00:03:42.460 --> 00:03:45.140
legally allowed to do to protect themselves.

00:03:45.140 --> 00:03:50.260
But this soon got her interested in making their ships more secure, like adding defense

00:03:50.260 --> 00:03:53.150
mechanisms to thwart pirate attacks.

00:03:53.150 --> 00:03:57.530
She started thinking through all the scenarios of what could go wrong out in open waters

00:03:57.530 --> 00:03:59.670
and how to protect against it.

00:03:59.670 --> 00:04:05.790
This interested her more than the law stuff, so she moved into the operations side of things,

00:04:05.790 --> 00:04:09.140
helping boats secure themselves from pirates.

00:04:09.140 --> 00:04:14.210
LISA: And just loved it, and just loved working on security and managing risk.

00:04:14.210 --> 00:04:18.289
That’s basically what kickstarted my love of security.

00:04:18.289 --> 00:04:21.650
JACK: Yeah, tell me more about this pirate stuff.

00:04:21.650 --> 00:04:24.500
What were some of the tasks you were given and what were you doing there?

00:04:24.500 --> 00:04:28.610
LISA: It sort of started really in the nineties in the Somalia area, so the Horn of Africa,

00:04:28.610 --> 00:04:30.780
as they called it.

00:04:30.780 --> 00:04:37.169
It actually started because the Somali people were attacking ships and tackling illegal

00:04:37.169 --> 00:04:42.401
fishing that was happening in Somali waters, and it sort of evolved to a point where they

00:04:42.401 --> 00:04:48.099
became essentially as sophisticated as we now see ransomware groups in the cyber-security

00:04:48.099 --> 00:04:49.099
space.

00:04:49.099 --> 00:04:53.849
So, they had – they were running insiders and big insurance companies in Europe, they

00:04:53.849 --> 00:05:00.530
were doing OSINT, they were running motherships to have lots of attack boats out on the water.

00:05:00.530 --> 00:05:05.509
They were hugely, hugely well-funded; I think at one point it was like $13 billion annually

00:05:05.509 --> 00:05:06.569
that they were making.

00:05:06.569 --> 00:05:08.569
It was an insane industry.

00:05:08.569 --> 00:05:13.009
JACK: [MUSIC] She studied what these pirates were doing, and typically they had ways of

00:05:13.009 --> 00:05:17.770
finding out what ship would be passing by and where it was located off the coast of

00:05:17.770 --> 00:05:19.990
Somalia out in the Indian Ocean.

00:05:19.990 --> 00:05:25.999
Then the pirates would dispatch a few small, fast motorboats, skiffs, to catch up to one

00:05:25.999 --> 00:05:27.909
of these massive cargo ships.

00:05:27.909 --> 00:05:33.279
They’d get alongside of it and throw grappling hooks onboard the ship and climb onboard with

00:05:33.279 --> 00:05:34.389
assault rifles.

00:05:34.389 --> 00:05:36.790
LISA: So, they’d – they would take control of the ship.

00:05:36.790 --> 00:05:40.580
They would get to the bridge, they would take control of the ship, and then they would hold

00:05:40.580 --> 00:05:42.999
the ship and its cargo for ransom.

00:05:42.999 --> 00:05:47.780
So, that’s how they do it, and then typically that ransom would be paid and they would release

00:05:47.780 --> 00:05:48.830
the vessel.

00:05:48.830 --> 00:05:52.720
But yeah, it was obviously horrible for the crew.

00:05:52.720 --> 00:05:59.629
There were many situations where people were killed, crew were killed from the boardings

00:05:59.629 --> 00:06:00.629
that happened.

00:06:00.629 --> 00:06:05.340
It’s a very, very difficult situation to be on a ship.

00:06:05.340 --> 00:06:10.159
You definitely don’t want to be having a gun battle inside a metal ship.

00:06:10.159 --> 00:06:13.849
That’s – you know, there’s not an optimal situation for that.

00:06:13.849 --> 00:06:19.219
JACK: Okay, so if that’s the typical attack scenario they’re facing, Lisa had to figure

00:06:19.219 --> 00:06:23.969
out ways to straight put an end to these attacks, which would also save lives of the people

00:06:23.969 --> 00:06:25.669
onboard her ships.

00:06:25.669 --> 00:06:31.120
LISA: When you’re thinking that scenario through, you need to put barbed wire up around

00:06:31.120 --> 00:06:33.059
the ship to make it harder to get onboard.

00:06:33.059 --> 00:06:39.659
You need to weld internal doors shut in the right order so that you can slow their advance

00:06:39.659 --> 00:06:41.879
through the ship if they do get onboard.

00:06:41.879 --> 00:06:47.900
We’d also build a citadel in the middle of the ship which would be a bit like a panic

00:06:47.900 --> 00:06:54.889
room for the crew of that vessel to go into if the pirates boarded the ship, because obviously

00:06:54.889 --> 00:06:59.389
the main priority at that point is to save the lives of the crew.

00:06:59.389 --> 00:07:05.069
We’d also put water cannons around the ships, and there was this really cool device that

00:07:05.069 --> 00:07:09.050
lots of shipping companies implemented on their ships called an LRAD.

00:07:09.050 --> 00:07:10.229
JACK: LRAD.

00:07:10.229 --> 00:07:14.279
Well, that sounds intriguing, and you know me; when I’m intrigued, I want to know more.

00:07:14.279 --> 00:07:19.229
So, I looked up what LRAD is, and it’s got an interesting origin story.

00:07:19.229 --> 00:07:22.650
It was invented because of what happened to USS Cole.

00:07:22.650 --> 00:07:28.430
[MUSIC] This is a Navy destroyer, a warship, and in the year 2000, USS Cole was parked

00:07:28.430 --> 00:07:30.029
in Yemen, resupplying.

00:07:30.029 --> 00:07:37.530
Well, a barge came up alongside it and [EXPLOSION] it detonated a bomb right next to it, causing

00:07:37.530 --> 00:07:40.800
a major hole in the hull of this destroyer.

00:07:40.800 --> 00:07:45.539
Al-Qaeda took credit for this attack, which was eleven months before 9/11.

00:07:45.539 --> 00:07:52.129
So, what the Navy needed was for a way for ships to warn or communicate or to protect

00:07:52.129 --> 00:07:55.789
themselves from potential enemies without having to be lethal.

00:07:55.789 --> 00:07:58.789
I mean, this was a warship that was attacked.

00:07:58.789 --> 00:08:03.400
They could have easily defended themselves by just opening fire on any ship that got

00:08:03.400 --> 00:08:08.289
too close, and that’s just not practical to shoot at any ship that gets too close.

00:08:08.289 --> 00:08:12.380
So what the Navy wanted was a way to stop other ships from approaching unless they were

00:08:12.380 --> 00:08:13.439
approved.

00:08:13.439 --> 00:08:15.490
This is why LRAD was invented.

00:08:15.490 --> 00:08:19.559
LRAD is an acronym; it stands for Long-Range Acoustic Device.

00:08:19.559 --> 00:08:24.039
Simply put, it’s an MP3 player, but with a wicked set of speakers, speakers that can

00:08:24.039 --> 00:08:28.189
be pointed in a specific direction and heard up to two miles away.

00:08:28.189 --> 00:08:32.120
[MUSIC] So, if a boat is approaching, you can play it a message in whatever language

00:08:32.120 --> 00:08:36.339
you have on the MP3 player to warn them ‘don’t come closer or else.’

00:08:36.339 --> 00:08:41.669
Okay, so LRAD’s a directional speaker, but it’s also a weapon.

00:08:41.669 --> 00:08:47.459
Some call it a sound cannon because this thing is capable of pumping out noises of up to

00:08:47.459 --> 00:08:50.620
160 decibels at range.

00:08:50.620 --> 00:08:55.190
Your car horn is somewhere around 110 decibels, and I’ll tell you, if you stood right in

00:08:55.190 --> 00:08:59.470
front of your car while it’s honking, it’ll start to hurt your ears pretty quick, and

00:08:59.470 --> 00:09:02.089
you’ll want to leave the area or cover your ears.

00:09:02.089 --> 00:09:07.290
160 decibels is more like a train horn, and if the LRAD is pointed right at you playing

00:09:07.290 --> 00:09:11.450
sirens as loud as a train horn, your ears are going to start to hurt and you’re gonna

00:09:11.450 --> 00:09:12.899
wanna get out of there.

00:09:12.899 --> 00:09:16.380
Even if you cup your hands over your ears, it only reduces it like, twenty-five decibels,

00:09:16.380 --> 00:09:18.570
so it’s still uncomfortable.

00:09:18.570 --> 00:09:22.330
Even if you put really good earplugs in, well, now you’re pretty much deaf if you continue

00:09:22.330 --> 00:09:23.330
to approach.

00:09:23.330 --> 00:09:27.510
You can’t talk on the radio or chat with the person next to you, and you really can’t

00:09:27.510 --> 00:09:29.260
hear anything of what’s going on.

00:09:29.260 --> 00:09:33.740
So, once this technology became commercially available, cargo ships who were passing by

00:09:33.740 --> 00:09:38.579
dangerous waters were equipping them to try to push back any suspicious boats that were

00:09:38.579 --> 00:09:43.889
approaching, first by giving them a verbal warning in different languages, and then turning

00:09:43.889 --> 00:09:49.089
on a siren if it got closer, which would push them away if they couldn’t take the noise.

00:09:49.089 --> 00:09:55.389
LISA: It’s supposed to be so incredibly painful if this sound wave hits you that it’s

00:09:55.389 --> 00:10:01.180
disorienting, and that was used really successfully because obviously the last thing we want to

00:10:01.180 --> 00:10:03.480
use is force, right?

00:10:03.480 --> 00:10:08.339
We don’t want to be firing at human beings.

00:10:08.339 --> 00:10:12.019
But we also recognize that we had to have that capability.

00:10:12.019 --> 00:10:16.810
For a while, pirates were often targeting ships that had no armed guards, and they knew

00:10:16.810 --> 00:10:20.070
what ships did and did not have the armed guards on.

00:10:20.070 --> 00:10:23.250
So, over time, that became mandatory.

00:10:23.250 --> 00:10:29.220
So, we put armed guards onboard the ships that would have – well, for the last company

00:10:29.220 --> 00:10:35.560
I worked for, they would have M4 carbines, and they had a whole set of rules of how you

00:10:35.560 --> 00:10:43.860
would escalate force with lethal force being the absolute last resort if necessary.

00:10:43.860 --> 00:10:48.540
One day it was – I would run these people and they would call it and check in and sort

00:10:48.540 --> 00:10:54.850
of tell me what was going on and whatever, and if there was an approach made by the skiffs,

00:10:54.850 --> 00:11:01.170
made by the pirates, they would call me on the satellite phone and alert me to it because

00:11:01.170 --> 00:11:04.790
the company had to be apprised of how the situation was escalating.

00:11:04.790 --> 00:11:11.990
[MUSIC] So, one day I’m driving back from a BBQ with another colleague and the phone

00:11:11.990 --> 00:11:12.990
goes.

00:11:12.990 --> 00:11:16.319
I answer it and it’s one of my team leaders onboard the ship.

00:11:16.319 --> 00:11:21.040
He says we’ve been approached; we’re being approached by three vessels.

00:11:21.040 --> 00:11:28.250
We’ve sent them warnings, we’ve tried to raise them over the VHF, we’re not getting

00:11:28.250 --> 00:11:29.620
any response.

00:11:29.620 --> 00:11:31.639
They’re kind of heading straight for us.

00:11:31.639 --> 00:11:33.190
We’re just letting you know.

00:11:33.190 --> 00:11:35.970
So I was like okay, thank you; that’s great.

00:11:35.970 --> 00:11:42.460
Just escalate the force as usual, which would typically be fire the water cannons, set off

00:11:42.460 --> 00:11:44.320
the LRAD.

00:11:44.320 --> 00:11:48.130
If still that didn’t work, you’d fire shots well clear of the target, so into the

00:11:48.130 --> 00:11:51.100
water around the boat to give them a warning.

00:11:51.100 --> 00:11:55.860
So, they did all this escalation of force, and then one of the other guys comes on the

00:11:55.860 --> 00:12:01.240
phone and he says they’ve just fired an RPG at the boat.

00:12:01.240 --> 00:12:05.262
I remember I had them on speakerphone and I looked at my colleague.

00:12:05.262 --> 00:12:13.779
My colleague looked back at me and we just thought, what on Earth do we do now?

00:12:13.779 --> 00:12:21.490
The pirates had an RPG on their boat and they’d fired it and hit it at the ship.

00:12:21.490 --> 00:12:27.180
It hadn’t actually hit the ship; it hit a cargo container onboard the ship.

00:12:27.180 --> 00:12:32.910
To say that this shocked me well out of my comfort zone in about the space of thirty

00:12:32.910 --> 00:12:41.389
seconds was – be a huge underestimate of how I felt at that moment in time.

00:12:41.389 --> 00:12:47.380
JACK: Well, clearly these approaching boats were escalating the situation, so the cargo

00:12:47.380 --> 00:12:50.440
ship returned fire on the smaller boats.

00:12:50.440 --> 00:12:57.160
LISA: My team who were onboard the ship, they fire their weapons; they hit the skiff and

00:12:57.160 --> 00:13:00.759
the skiff stops dead in the water.

00:13:00.759 --> 00:13:05.250
This could have been a bit of a risk because the ship that they were on was slow.

00:13:05.250 --> 00:13:06.670
It wasn’t very maneuverable.

00:13:06.670 --> 00:13:11.300
Assuming they would possibly have more RPGs onboard that boat, they could have done a

00:13:11.300 --> 00:13:16.300
lot of damage, but thankfully it didn’t go any further.

00:13:16.300 --> 00:13:24.740
But that moment for me was – it just sort of catapulted me into a whole world of now

00:13:24.740 --> 00:13:25.740
what?

00:13:25.740 --> 00:13:28.720
It was – yeah, I don’t think I’ve ever had anything quite like that since, to be

00:13:28.720 --> 00:13:30.759
honest, and hopefully not again.

00:13:30.759 --> 00:13:34.339
JACK: That story reminds me of the classic quote from Mike Tyson.

00:13:34.339 --> 00:13:37.779
MIKE: Everyone has a plan until you punch them in the mouth.

00:13:37.779 --> 00:13:42.930
JACK: I like that quote because I feel like it carries over into cyber-security; you can

00:13:42.930 --> 00:13:47.199
and should make all kinds of plans for when you get attacked, but there will still be

00:13:47.199 --> 00:13:51.110
an incident that hits you in a place that hurts, bad.

00:13:51.110 --> 00:13:56.339
[MUSIC] If whatever plan you have doesn’t guide you through that situation, you’re

00:13:56.339 --> 00:13:59.060
having to figure out things on the fly, which is not good.

00:13:59.060 --> 00:14:05.649
LISA: Yeah, and I think the other thing was that in a very similar way to ransomware groups,

00:14:05.649 --> 00:14:09.910
the pirates’ tactics developed quite quickly.

00:14:09.910 --> 00:14:13.870
The other problem was they were very well-funded because they were receiving all these ransom

00:14:13.870 --> 00:14:14.870
payments.

00:14:14.870 --> 00:14:20.579
So, they had the ability to do things that we couldn’t do on our side because obviously

00:14:20.579 --> 00:14:26.350
it would be hugely illegal or at least incredibly frowned upon by the international community.

00:14:26.350 --> 00:14:31.610
JACK: Yeah, that’s another interesting concept, that attackers don’t stick to what’s legal

00:14:31.610 --> 00:14:38.129
or play by the rules, yet defenders do have to remain legal on how they defend, which

00:14:38.129 --> 00:14:43.980
gives these kind of battles a type of asymmetry in how the battle is waged and how companies

00:14:43.980 --> 00:14:45.660
secure themselves online.

00:14:45.660 --> 00:14:51.029
So, after Lisa helped secure ships from pirate attacks, she decided to move on to something

00:14:51.029 --> 00:14:52.029
else.

00:14:52.029 --> 00:14:56.660
LISA: So, I actually took a – I took a job working for UK counter-terrorism intelligence

00:14:56.660 --> 00:15:04.269
for – it’s essentially run by the UK police, their counter-terrorism intelligence capacity,

00:15:04.269 --> 00:15:07.579
I suppose, which was interesting.

00:15:07.579 --> 00:15:10.879
I learned a lot, definitely.

00:15:10.879 --> 00:15:17.029
Really appreciated the experience and learnt a lot about online radicalization, particularly,

00:15:17.029 --> 00:15:22.579
and how that worked and why it was so successful.

00:15:22.579 --> 00:15:28.680
So, it was a really good learning experience and it very much got me interested in the

00:15:28.680 --> 00:15:32.110
cyber OSINT online space.

00:15:32.110 --> 00:15:39.709
Then I moved into one of the UK police cyber-crime units as a cyber-protect officer helping basically

00:15:39.709 --> 00:15:45.519
give advice to companies on how best to protect themselves and spreading that message.

00:15:45.519 --> 00:15:48.930
That was really what kickstarted my cyber-specific type of career.

00:15:48.930 --> 00:15:54.139
JACK: It was after that when she left that job and started her own cyber-security company

00:15:54.139 --> 00:15:58.680
called Red Goat, which is when I started following her on social media and such.

00:15:58.680 --> 00:16:01.300
Her company does cyber-security crisis exercises.

00:16:01.300 --> 00:16:04.910
LISA: A bit like what I used to do with the ships, essentially; running through what we

00:16:04.910 --> 00:16:10.699
would do if an attack happened, but also we’ve been doing a lot of work in the insider threat

00:16:10.699 --> 00:16:15.410
space, helping companies develop their programs, helping companies develop their responses

00:16:15.410 --> 00:16:19.649
to insider threat attacks, and that’s been a really interesting journey for me.

00:16:19.649 --> 00:16:23.889
JACK: Insider threats; this intrigues Lisa a lot, and she’s been focusing on this particular

00:16:23.889 --> 00:16:26.360
aspect of cyber-security for a while.

00:16:26.360 --> 00:16:31.670
Sometimes cyber attacks come from inside the company by somebody who works in maybe accounting

00:16:31.670 --> 00:16:37.600
or in a science lab, and this is very dangerous since these people have trusted access.

00:16:37.600 --> 00:16:39.029
So, why is that?

00:16:39.029 --> 00:16:43.629
Why would someone attack the very company they work at, and how can companies even defend

00:16:43.629 --> 00:16:45.009
themselves against this?

00:16:45.009 --> 00:16:49.290
Well, to understand this, let’s hear a story of how one of these attacks happened.

00:16:49.290 --> 00:16:57.519
LISA: [MUSIC] So, I have one story that I can talk about, which I’ve had to – full

00:16:57.519 --> 00:17:02.819
disclosure, I’ve had to change a couple of details in it to obfuscate who the company

00:17:02.819 --> 00:17:03.819
was.

00:17:03.819 --> 00:17:08.471
JACK: It starts out with her going to a company to have a meeting, and at that meeting, one

00:17:08.471 --> 00:17:12.630
of the guys there says he’s read Lisa’s report on insider threats and he wants to

00:17:12.630 --> 00:17:15.380
run something by her to get her take on it.

00:17:15.380 --> 00:17:17.669
LISA: So I said okay, yeah, sure, no problem.

00:17:17.669 --> 00:17:21.000
He says it’s about insider threats, but I kind of need to have this conversation in

00:17:21.000 --> 00:17:22.150
a different room.

00:17:22.150 --> 00:17:24.169
So I thought okay, fine.

00:17:24.169 --> 00:17:30.860
We sort of chat on house rules, agree to keep it quiet and sort of redacted.

00:17:30.860 --> 00:17:36.530
JACK: He goes on to say that the company he’s working for is in the middle of dealing with

00:17:36.530 --> 00:17:40.650
an insider threat themselves, and starts explaining what happened to Lisa.

00:17:40.650 --> 00:17:46.760
LISA: He said well, he’s a scientist who works at this company and basically he’d

00:17:46.760 --> 00:17:48.450
written a long LinkedIn post.

00:17:48.450 --> 00:17:53.040
When we went back onto his LinkedIn to look, you could see the long LinkedIn post and this

00:17:53.040 --> 00:18:00.700
comment from this profile that was a woman who asked this kind of fairly leading, maybe

00:18:00.700 --> 00:18:02.370
slightly provocative question.

00:18:02.370 --> 00:18:06.340
JACK: LinkedIn is turning more and more into a social network now.

00:18:06.340 --> 00:18:10.070
Not only does your profile show you where you work and where you live and what skills

00:18:10.070 --> 00:18:14.960
you have, but you can make posts and write articles and share pictures and comment on

00:18:14.960 --> 00:18:16.659
other people’s posts, too.

00:18:16.659 --> 00:18:20.240
The post that the scientist made didn’t have anything wrong with it per se; like,

00:18:20.240 --> 00:18:24.080
it wasn’t revealing any private data about the company or anything, but the comment he

00:18:24.080 --> 00:18:27.049
got from this woman was interesting.

00:18:27.049 --> 00:18:31.700
Well, to him at least, so he clicked on her LinkedIn profile.

00:18:31.700 --> 00:18:37.460
Huh, she’s a scientist just like him, and she works in the same field as him, too.

00:18:37.460 --> 00:18:43.010
This combination of having similar skills and interests and her comment on his post

00:18:43.010 --> 00:18:49.240
was enough to get him to direct message her and begin chatting.

00:18:49.240 --> 00:18:55.270
They started by pointing out their common interests and learning more about each other,

00:18:55.270 --> 00:18:57.150
and they seemed to be interested in each other.

00:18:57.150 --> 00:18:59.630
Chats continued going back and forth for a while.

00:18:59.630 --> 00:19:04.120
Eventually they exchanged e-mail addresses and he started e-mailing her from his work

00:19:04.120 --> 00:19:05.130
e-mail account.

00:19:05.130 --> 00:19:09.100
[MUSIC] Now, this is interesting because the company he worked at was able to later pull

00:19:09.100 --> 00:19:11.929
up these e-mails and see what they were talking about.

00:19:11.929 --> 00:19:14.600
So, Lisa was actually shown what these e-mails looked like.

00:19:14.600 --> 00:19:18.090
LISA: When we review them, it’s sort of saying things like talking about how much

00:19:18.090 --> 00:19:21.350
he hates his manager, how frustrated he was.

00:19:21.350 --> 00:19:23.890
So, this was at the very start of COVID.

00:19:23.890 --> 00:19:28.970
Because of the nature of his job, he’d been asked to still come into the lab, whereas

00:19:28.970 --> 00:19:33.380
other colleagues could work from home and that caused him a lot of irritation, shall

00:19:33.380 --> 00:19:37.659
we say, and his manager was being rude.

00:19:37.659 --> 00:19:41.790
The normal, I suppose, problems that we have in a workplace.

00:19:41.790 --> 00:19:45.030
Nothing particularly untoward.

00:19:45.030 --> 00:19:50.360
Then she says to him, do you want to come and visit me?

00:19:50.360 --> 00:19:53.520
I’m in Kazakhstan.

00:19:53.520 --> 00:19:59.230
Having been – or been looking at flights to that area of the world, they’re about

00:19:59.230 --> 00:20:02.640
– from the UK, roughly about £500 for a flight.

00:20:02.640 --> 00:20:10.390
So, for someone who’s a relatively successful scientist in this kind of organization, that’s

00:20:10.390 --> 00:20:13.899
not a lot of money for someone that’s on that sort of salary.

00:20:13.899 --> 00:20:17.090
Yet, his response is I really can’t afford that.

00:20:17.090 --> 00:20:18.380
I can’t afford to take a trip.

00:20:18.380 --> 00:20:24.600
I can barely afford to service my car, which is quite interesting but also sort of alludes

00:20:24.600 --> 00:20:30.010
to the fact that potentially he’s having some sort of financial trouble, personal trouble

00:20:30.010 --> 00:20:33.040
that’s draining his finances in some capacity.

00:20:33.040 --> 00:20:42.279
So, she then has this amazing idea that there’s a job role that she might be able to get him

00:20:42.279 --> 00:20:43.920
in Russia.

00:20:43.920 --> 00:20:49.659
Her company spans all these different countries and there’s a job opening for a scientist

00:20:49.659 --> 00:20:54.580
of his description there, and she’s pretty certain she can get him the job, but she needs

00:20:54.580 --> 00:20:59.130
to see proof of some of the things he’s been working on just to kind of make sure

00:20:59.130 --> 00:21:02.680
his experience is sufficient, et cetera, et cetera.

00:21:02.680 --> 00:21:11.230
So, he proceeds to send her large quantities of files, documents, projects, things that

00:21:11.230 --> 00:21:15.730
he’s been working on that are obviously hugely sensitive that the company themselves

00:21:15.730 --> 00:21:20.470
are sinking a large amount of money into R&D.

00:21:20.470 --> 00:21:30.100
They go into loads of detail oddly over work e-mail on relocation costs and relocation

00:21:30.100 --> 00:21:36.020
packages and remuneration packages and things like this, all of which were exceptionally

00:21:36.020 --> 00:21:37.050
generous.

00:21:37.050 --> 00:21:41.750
JACK: Hm, imagine being in this position, yeah?

00:21:41.750 --> 00:21:47.460
You’re offered a significantly higher-paying job in another country with all moving expenses

00:21:47.460 --> 00:21:48.500
paid.

00:21:48.500 --> 00:21:51.490
It sounds and looks good to you.

00:21:51.490 --> 00:21:56.320
You want the job, but they say okay, but show us that you have the skills to do what it

00:21:56.320 --> 00:21:57.320
takes.

00:21:57.320 --> 00:22:00.179
You might say well, just look at my LinkedIn profile; it shows all the things I’m good

00:22:00.179 --> 00:22:01.179
at.

00:22:01.179 --> 00:22:03.779
But then they say yeah, but we want to see examples of your work.

00:22:03.779 --> 00:22:07.140
Is there any research that you’ve done that you can show us?

00:22:07.140 --> 00:22:09.830
This scientist thought that was a good opportunity.

00:22:09.830 --> 00:22:12.179
Of course he wanted to show off his work, right?

00:22:12.179 --> 00:22:14.620
This was a big chance for him to move up in the world.

00:22:14.620 --> 00:22:19.640
So, he starts sending them work he’s done, formulas he’s created, compounds, mixtures,

00:22:19.640 --> 00:22:23.700
and some of the actual scientific work he was doing at this company.

00:22:23.700 --> 00:22:28.159
Of course they had more questions and wanted to know more about what he was doing at the

00:22:28.159 --> 00:22:29.159
company.

00:22:29.159 --> 00:22:33.140
So, he starts sending them other research and is now approaching the line of sending

00:22:33.140 --> 00:22:37.660
these people some of the intellectual property of the company he worked for.

00:22:37.660 --> 00:22:42.549
I mean, as Lisa explains it to me, it almost sounded like this scientist was giving up

00:22:42.549 --> 00:22:46.510
some of the secret recipe of what goes into the company’s product.

00:22:46.510 --> 00:22:51.559
Sending proprietary information that your company doesn’t want to be public is a form

00:22:51.559 --> 00:22:52.750
of a data breach.

00:22:52.750 --> 00:22:57.830
Since this was a scientist working in the lab of that company who was leaking the data,

00:22:57.830 --> 00:23:03.320
then this is classified as an insider threat actively exfiltrating private information.

00:23:03.320 --> 00:23:09.070
LISA: This goes on for a while, and she actually sends him some documents too to get his opinion

00:23:09.070 --> 00:23:16.770
on some scientific documents she’s working on, the validity of which is very difficult

00:23:16.770 --> 00:23:24.390
to establish, I suppose, because they’re in Cyrillic, they’re – you don’t know

00:23:24.390 --> 00:23:27.430
whether you’ve just made it up or stolen it from somewhere else.

00:23:27.430 --> 00:23:29.669
Who knows how genuine it was?

00:23:29.669 --> 00:23:33.899
JACK: This is sort of common for the scientific community to get their work peer-reviewed,

00:23:33.899 --> 00:23:38.360
so nothing was really out of normal for him to see some other research that another scientist

00:23:38.360 --> 00:23:39.360
was working on.

00:23:39.360 --> 00:23:44.800
LISA: Yeah, so he sent all this stuff, she sent some stuff back to him, so I’m presuming

00:23:44.800 --> 00:23:48.830
from his perspective he’s thinking it’s – there’s some sort of level of reciprocity

00:23:48.830 --> 00:23:51.610
going on.

00:23:51.610 --> 00:23:57.550
Then something happened that really diverted the company’s investigation, and I’m not

00:23:57.550 --> 00:24:03.519
sure and I still to this day am not completely sure whether I think it was coincidental or

00:24:03.519 --> 00:24:10.269
whether it was a deliberate act to obfuscate what else had been going on.

00:24:10.269 --> 00:24:17.549
But essentially, this woman said that the person in HR in this company was going to

00:24:17.549 --> 00:24:19.610
send him some stuff to read.

00:24:19.610 --> 00:24:25.320
So, they sent him the stuff to read, he opens it on his work device – not a lab device

00:24:25.320 --> 00:24:31.799
but another work device – and surprise, surprise, it contains some malware.

00:24:31.799 --> 00:24:36.850
JACK: [MUSIC] Hm, this just dialed up the threat significantly.

00:24:36.850 --> 00:24:42.440
I mean, up until this point, this could have been a legitimate job offer and he was voluntarily

00:24:42.440 --> 00:24:46.140
sending them data so he could just show them how good he was.

00:24:46.140 --> 00:24:50.340
But for them to install malware on his computer?

00:24:50.340 --> 00:24:52.529
Now I don’t trust her at all.

00:24:52.529 --> 00:24:56.190
In fact, I don’t even believe any of her profile is accurate.

00:24:56.190 --> 00:25:00.019
She’s probably not a scientist, she probably doesn’t live in Kazakhstan, and maybe she’s

00:25:00.019 --> 00:25:01.340
not even a woman.

00:25:01.340 --> 00:25:06.830
This whole thing was an elaborate plan just to get access into the company that this scientist

00:25:06.830 --> 00:25:07.830
worked for.

00:25:07.830 --> 00:25:11.630
LISA: Now, the company at this point – for whatever reason, the malware didn’t execute

00:25:11.630 --> 00:25:14.660
properly or something was wrong with it.

00:25:14.660 --> 00:25:20.280
Something happened that meant that the payload wasn’t delivered successfully, which was

00:25:20.280 --> 00:25:21.820
lucky.

00:25:21.820 --> 00:25:28.279
But what happened was, which was more interesting, suddenly this set off alarm bells in the company,

00:25:28.279 --> 00:25:31.470
which was the first time they actually realized something had gone wrong.

00:25:31.470 --> 00:25:36.679
They hadn’t noticed any of this prior to this piece of malware.

00:25:36.679 --> 00:25:41.720
At that point, it diverted all of their attention and all of their resources into that.

00:25:41.720 --> 00:25:47.320
JACK: The company took a look at the scientist’s computer for any suspicious activity, then

00:25:47.320 --> 00:25:49.549
started asking the scientist questions.

00:25:49.549 --> 00:25:53.250
This eventually led them to the e-mails that were going back and forth that the scientist

00:25:53.250 --> 00:25:58.080
was sending, and there were all kinds of private information in there being sent outside.

00:25:58.080 --> 00:26:01.769
LISA: But they immediately suspended him as soon as they found out that he’d been passing

00:26:01.769 --> 00:26:03.990
files and so on and so forth.

00:26:03.990 --> 00:26:07.860
Now, interestingly, when I first came in and I started having conversations with them,

00:26:07.860 --> 00:26:09.860
I said how long has he been suspended for?

00:26:09.860 --> 00:26:13.549
They said something like two, three days, something like that.

00:26:13.549 --> 00:26:18.380
I said okay, so his account has been disabled; he can’t get in, he can’t do anything.

00:26:18.380 --> 00:26:23.020
They sort of paused and looked at me and I thought, you haven’t disabled his account,

00:26:23.020 --> 00:26:25.020
have you? They hadn’t.

00:26:25.020 --> 00:26:28.149
They hadn’t done anything at all.

00:26:28.149 --> 00:26:34.270
Thankfully he hadn’t tried to access anything from his home, so that was a piece of luck,

00:26:34.270 --> 00:26:40.789
but again, more often than not, these situations happen, you haven’t disabled that account,

00:26:40.789 --> 00:26:45.679
and then they go in in some sort of act of revenge or sabotage to do something callous.

00:26:45.679 --> 00:26:49.649
JACK: So, they fired this scientist and tried to make sense of who would target a company

00:26:49.649 --> 00:26:50.680
like this.

00:26:50.680 --> 00:26:53.700
Lisa never got to the bottom of that, but she had some theories.

00:26:53.700 --> 00:26:59.710
LISA: [MUSIC] I would say that the two most likely situations would either be corporate/industrial

00:26:59.710 --> 00:27:07.779
espionage, so a competing company in a foreign state wanting to steal R&D to get ahead.

00:27:07.779 --> 00:27:08.929
That’s likely.

00:27:08.929 --> 00:27:12.919
They’ll invest lots of time, effort, and money into doing that.

00:27:12.919 --> 00:27:22.040
Or conversely it could also be a nation state actor if they saw enough benefit in it.

00:27:22.040 --> 00:27:27.470
I know MI5 in the UK have – with another organization have launched a Think Before

00:27:27.470 --> 00:27:32.760
You Link campaign because they claim that this has become such a huge problem in the

00:27:32.760 --> 00:27:39.330
United Kingdom that they’ve launched a whole app and a whole campaign to try and raise

00:27:39.330 --> 00:27:43.960
awareness of this – pretty much this exact attack vector, in some respects; being contacted

00:27:43.960 --> 00:27:47.190
on LinkedIn by profiles asking for information.

00:27:47.190 --> 00:27:52.640
So, I think in certain industries, this could be attractive to nation states as well.

00:27:52.640 --> 00:27:57.539
But yeah, I think those are probably the two most likely, because we haven’t seen any

00:27:57.539 --> 00:27:59.390
evidence of it leaked anywhere.

00:27:59.390 --> 00:28:04.620
It hasn’t looked like it’s been up for sale anywhere to our knowledge.

00:28:04.620 --> 00:28:08.320
So, that – if I had to stab in the dark, that’s where I’d go.

00:28:08.320 --> 00:28:10.460
JACK: Hm, nation state actors?

00:28:10.460 --> 00:28:11.460
Really?

00:28:11.460 --> 00:28:15.840
Are we at that point that government spies are using LinkedIn to make connections with

00:28:15.840 --> 00:28:18.139
people and sending them malware?

00:28:18.139 --> 00:28:19.639
Well, yeah.

00:28:19.639 --> 00:28:22.540
Looking at the news recently, I saw a story that did exactly this.

00:28:22.540 --> 00:28:27.580
[MUSIC] Back in March of 2022, someone broke into a crypto company, Axie Infinity, and

00:28:27.580 --> 00:28:31.000
stole $540 million worth of cryptocurrency.

00:28:31.000 --> 00:28:34.769
This was attributed to be the work of the government of North Korea.

00:28:34.769 --> 00:28:40.039
The latest article I read about this story is that the way they got in was through LinkedIn.

00:28:40.039 --> 00:28:45.101
They targeted people who worked at Axie Infinity, enticed them with great job offers, and when

00:28:45.101 --> 00:28:49.660
the employee opened the document, malware was put on their work computer, which gave

00:28:49.660 --> 00:28:52.559
North Korean hackers access into that network.

00:28:52.559 --> 00:28:57.570
That’s how they were able to steal $540 million worth of crypto.

00:28:57.570 --> 00:29:03.840
So yes, nation state-level threat actors are in fact using LinkedIn as a way to social-engineer

00:29:03.840 --> 00:29:06.260
someone to get access into that company.

00:29:06.260 --> 00:29:08.080
It’s no wonder, right?

00:29:08.080 --> 00:29:13.480
If you want to target a specific company, it’s so easy to go onto LinkedIn, look up

00:29:13.480 --> 00:29:17.029
the company there, and see a whole list of people who work there.

00:29:17.029 --> 00:29:21.149
Then you can interact with those people right there on LinkedIn to try to manipulate them

00:29:21.149 --> 00:29:26.070
or coerce them into doing something like sending you intellectual property or getting them

00:29:26.070 --> 00:29:28.120
to install your malware.

00:29:28.120 --> 00:29:32.600
So I wonder at this point; is LinkedIn itself a vulnerability?

00:29:32.600 --> 00:29:35.760
LISA: I don’t know, because you see, this is the trouble I have.

00:29:35.760 --> 00:29:41.850
On the one hand, it’s important for my business and my career to be present online.

00:29:41.850 --> 00:29:46.200
But conversely, I appreciate that that makes me much, much more vulnerable.

00:29:46.200 --> 00:29:48.139
So, it’s a really difficult one.

00:29:48.139 --> 00:29:54.409
I’ve been contacted on LinkedIn by very strange individuals who have offered me all

00:29:54.409 --> 00:30:00.490
sorts of really strange opportunities in exchange for information on people and people I’ve

00:30:00.490 --> 00:30:01.659
worked with.

00:30:01.659 --> 00:30:04.930
You don’t have to name your clients, but tell me what they’ve been doing with this,

00:30:04.930 --> 00:30:13.539
this, and this, almost all of which have been very odd profiles; typical stock image-type

00:30:13.539 --> 00:30:14.970
profile pictures.

00:30:14.970 --> 00:30:21.580
I wouldn’t say hugely clever, but that may be because I’m tuned into this type of attack

00:30:21.580 --> 00:30:25.210
vector that I can spot that in a way other people might not be able to.

00:30:25.210 --> 00:30:28.610
So, I’m well aware that this is clearly going on.

00:30:28.610 --> 00:30:34.380
I’ve got a friend, Philip Ingram, who used to work in the British military, and he gets

00:30:34.380 --> 00:30:41.029
contacted all the time by people who he, at least, believes are from China who are trying

00:30:41.029 --> 00:30:48.350
to get information or invite him to very suspicious-type events to sort of lure him, I suppose, into

00:30:48.350 --> 00:30:50.409
maybe handing over some information.

00:30:50.409 --> 00:30:57.140
So, I think it’s – it definitely makes you more vulnerable, but that’s the society

00:30:57.140 --> 00:31:01.029
we live in, so I think we probably need a little bit more healthy paranoia.

00:31:01.029 --> 00:31:05.890
It would also be great if on LinkedIn you could turn off direct messages.

00:31:05.890 --> 00:31:11.820
That would be an amazing functionality to have on LinkedIn, because you can do that

00:31:11.820 --> 00:31:14.880
on Twitter, you can do it on Instagram, but you can’t do it on LinkedIn.

00:31:14.880 --> 00:31:19.130
JACK: It’s true; if someone has LinkedIn Premium, they can direct message any user

00:31:19.130 --> 00:31:20.130
they want.

00:31:20.130 --> 00:31:24.210
But I think fixing that alone isn’t enough that it’s gonna stop this kind of attack.

00:31:24.210 --> 00:31:28.059
Anyone can still comment on your posts and see your profile, and perhaps work out what

00:31:28.059 --> 00:31:30.630
your e-mail address is based on your name and where you work.

00:31:30.630 --> 00:31:33.419
So, I’m not sure if that’s the best fix for this.

00:31:33.419 --> 00:31:38.460
Personally, I don’t like putting any personal information online, especially listing my

00:31:38.460 --> 00:31:40.320
whole resume on LinkedIn.

00:31:40.320 --> 00:31:44.740
I’m on LinkedIn myself, but I’ve redacted all the names of the companies I’ve worked

00:31:44.740 --> 00:31:46.769
for and all the locations.

00:31:46.769 --> 00:31:51.560
I used to say I’m a podcaster, but I get contacted by a lot of PR companies and shady

00:31:51.560 --> 00:31:55.260
marketers who want to pitch me a guest or game the podcast charts for me.

00:31:55.260 --> 00:32:00.309
So, now I don’t even say I podcast, but I can see clearly that the more information

00:32:00.309 --> 00:32:07.240
you put up on LinkedIn, the more someone can use that to their advantage, not yours.

00:32:07.240 --> 00:32:12.450
[MUSIC] We’re gonna take a quick break here, but stay with us ‘cause when we come back,

00:32:12.450 --> 00:32:18.450
Lisa’s gonna tell us another insider threat story.

00:32:18.450 --> 00:32:31.130
LISA: So, I think one of the most powerful stories for me that I’ve come across in

00:32:31.130 --> 00:32:40.980
my work was actually a situation where there was a young girl who worked for this company.

00:32:40.980 --> 00:32:45.680
The company worked in the extractive industry, so sort of oil and gas, that sort of situation.

00:32:45.680 --> 00:32:49.269
People think that the oil and gas industry is not very innovative, but it’s actually

00:32:49.269 --> 00:32:53.679
really innovative and it has a lot of very valuable commercial licenses and information

00:32:53.679 --> 00:32:59.549
that is incredibly saleable.

00:32:59.549 --> 00:33:06.500
This girl had sort of come out of university, she’d traveled around South America, she’d

00:33:06.500 --> 00:33:10.650
done humanitarian, environmental projects, things like that, and she’d accepted this

00:33:10.650 --> 00:33:17.820
job within this company and was on their environment impact team.

00:33:17.820 --> 00:33:25.540
She was contacted on Facebook, actually, so a different platform to the usual ones.

00:33:25.540 --> 00:33:32.269
She was contacted by this girl who claimed to be in Peru.

00:33:32.269 --> 00:33:38.460
This girl actually claimed to work for the same company and she said oh, I see that you

00:33:38.460 --> 00:33:40.940
work for the same company as me.

00:33:40.940 --> 00:33:47.240
I’m really interested in learning and practicing English, I’m really interested in British

00:33:47.240 --> 00:33:51.480
culture, traveling to the UK and things like this.

00:33:51.480 --> 00:33:57.210
It would be great to connect, be friends on Facebook, whatever.

00:33:57.210 --> 00:34:02.190
JACK: Huh, what a soft and gentle approach to start this out with, huh?

00:34:02.190 --> 00:34:07.820
The woman who worked at this oil and gas company had done some volunteer work in Peru and is

00:34:07.820 --> 00:34:12.929
now being contacted by a Peruvian woman who’s claiming to also work for the same company,

00:34:12.929 --> 00:34:16.099
but wants to know more about the British culture and language.

00:34:16.099 --> 00:34:20.730
I mean, I wouldn’t immediately flag this as suspicious if I was receiving this as a

00:34:20.730 --> 00:34:21.770
private message.

00:34:21.770 --> 00:34:25.899
I’d find it interesting, actually, that we had some commonalities.

00:34:25.899 --> 00:34:29.919
As they got chatting, it turned out they both had a lot of similar interests; they both

00:34:29.919 --> 00:34:35.040
cared about environmental issues and had traveled to many places in South America and did volunteer

00:34:35.040 --> 00:34:38.540
work and had similar degrees and worked for the same company.

00:34:38.540 --> 00:34:41.669
Pretty cool to meet someone who has all these similar interests as you, right?

00:34:41.669 --> 00:34:45.929
LISA: Now in hindsight, looking at it, it was fairly obvious where these similarities

00:34:45.929 --> 00:34:49.419
had come from because this girl’s Facebook profile was wide open.

00:34:49.419 --> 00:34:56.130
All of her antics and voluntary work in South America was photographed, catalogued, and

00:34:56.130 --> 00:34:57.130
on Facebook.

00:34:57.130 --> 00:35:05.880
Pretty easy to work out what her political ideological interests, et cetera, were.

00:35:05.880 --> 00:35:08.432
This profile mirrored almost all of them exactly.

00:35:08.432 --> 00:35:15.180
JACK: So, their relationship was building up over time and more trust was being formed,

00:35:15.180 --> 00:35:20.960
and even a friendship, all through the Facebook chat app which is text only; no audio or video.

00:35:20.960 --> 00:35:26.060
One day, this fake profile Peruvian woman contacted the woman who worked at this company

00:35:26.060 --> 00:35:27.060
and said…

00:35:27.060 --> 00:35:31.420
LISA: [MUSIC] And she said I’ve been hugely distressed because the company that we work

00:35:31.420 --> 00:35:39.770
for has been leaving the site that they used in Peru unsafe, and it’s causing people

00:35:39.770 --> 00:35:42.060
to have all sorts of illnesses.

00:35:42.060 --> 00:35:45.480
These people are – they’re poor, they can’t afford legal help, they can’t afford

00:35:45.480 --> 00:35:50.910
medical care, and it’s part of the company’s plan to do this.

00:35:50.910 --> 00:35:54.120
They don’t care about my people in my country and it’s horrific.

00:35:54.120 --> 00:35:57.130
JACK: Well, this hit this woman hard.

00:35:57.130 --> 00:36:02.349
She was horrified to hear that the company she worked for was causing people to get sick

00:36:02.349 --> 00:36:06.150
and to be in unsafe work conditions and was contaminating the environment.

00:36:06.150 --> 00:36:12.040
In fact, she was so upset by hearing this news that she suggested they both quit working

00:36:12.040 --> 00:36:13.569
for this company.

00:36:13.569 --> 00:36:16.310
She wanted to quit her job over this.

00:36:16.310 --> 00:36:18.790
This was just too awful for her to be a part of.

00:36:18.790 --> 00:36:22.220
LISA: The Peruvian lady said no, no, we’re not going to quit.

00:36:22.220 --> 00:36:27.720
What we should do is try and expose what they’re doing to a journalist.

00:36:27.720 --> 00:36:31.540
[MUSIC] So, she thought this is a good idea; okay.

00:36:31.540 --> 00:36:33.359
Well, how are we gonna find a journalist?

00:36:33.359 --> 00:36:39.250
The Peruvian girl said well actually, I know one and he lives here in Peru.

00:36:39.250 --> 00:36:42.890
He’s an American guy and he worked on the Wikileaks story.

00:36:42.890 --> 00:36:47.770
He’s worked on exposing governmental corruption and corporate corruption and all these sorts

00:36:47.770 --> 00:36:49.650
of things.

00:36:49.650 --> 00:36:54.110
So obviously this sounds like a really convenient, great idea, right?

00:36:54.110 --> 00:36:59.849
So, magically this journalist shows up in the Facebook Messenger chat.

00:36:59.849 --> 00:37:01.410
JACK: [LAUGHING] Okay.

00:37:01.410 --> 00:37:09.130
LISA: And in he walks, and he’s got all these ideas of what you would need, evidence-wise,

00:37:09.130 --> 00:37:17.170
to support a story that exposed corruption, which is reasonable to assume, I would have

00:37:17.170 --> 00:37:18.170
thought.

00:37:18.170 --> 00:37:23.930
So, he’s saying to both of the girls equally, these are the sorts of documents I need you

00:37:23.930 --> 00:37:26.349
to go get from your company.

00:37:26.349 --> 00:37:31.349
Go and find them; photocopy them, photograph them on their – on your phone, send them

00:37:31.349 --> 00:37:37.050
to me at this e-mail address, whatever mode of transmission you wish to employ.

00:37:37.050 --> 00:37:44.390
He’s saying it to both of them, but obviously only one of them actually works at the company.

00:37:44.390 --> 00:37:51.280
So, it’s all sort of – I suppose you could call it social proof in the sense that the

00:37:51.280 --> 00:37:55.100
actual victim in this situation thinks both of them are doing it.

00:37:55.100 --> 00:38:01.000
So, they go into the company and this went on for a long time.

00:38:01.000 --> 00:38:07.170
I think in total it went on about nine months of requesting different documents to be found

00:38:07.170 --> 00:38:12.730
and getting colleagues to print things off for you so that it’s not logged as you printing

00:38:12.730 --> 00:38:19.300
it off, and all these sorts of fairly obvious obfuscation methods, I suppose.

00:38:19.300 --> 00:38:25.200
But it was under a great guise ‘cause he’s an investigative journalist who you’d expect

00:38:25.200 --> 00:38:28.000
to know these sorts of tricks, right?

00:38:28.000 --> 00:38:29.609
It all made sense.

00:38:29.609 --> 00:38:35.780
So, this girl’s going in and getting all these documents, and when she was interviewed

00:38:35.780 --> 00:38:40.900
by the company, she actually said to them that there were a few documents on that list

00:38:40.900 --> 00:38:44.320
that she was quite surprised to see.

00:38:44.320 --> 00:38:53.170
She wasn’t quite sure how they exposed environmental damage and corruption at an environmental

00:38:53.170 --> 00:38:55.579
human rights kind of level.

00:38:55.579 --> 00:39:03.300
But she deferred to his expert journalistic skills, I suppose, and obtained them.

00:39:03.300 --> 00:39:08.500
[MUSIC] Anyway, by the end of this sort of saga, when he at least claimed he had everything

00:39:08.500 --> 00:39:15.680
he needed for the story, what was really interesting was how they both extradited themselves from

00:39:15.680 --> 00:39:16.680
the situation.

00:39:16.680 --> 00:39:21.820
So, the journalist said I’m gonna disable my Facebook account for a while so I can focus

00:39:21.820 --> 00:39:23.560
on writing the story.

00:39:23.560 --> 00:39:25.260
He disappears.

00:39:25.260 --> 00:39:29.000
Then the Peruvian girl decides that this has been hugely stressful on her and she’s going

00:39:29.000 --> 00:39:33.960
to go and spend time with her family, and she’s going to log out of Facebook and,

00:39:33.960 --> 00:39:37.890
you know, be offline for a little while.

00:39:37.890 --> 00:39:38.890
So, she disappears.

00:39:38.890 --> 00:39:44.180
That’s the last she hears of either of them.

00:39:44.180 --> 00:39:47.760
It wasn’t until later on that this gets discovered, which unfortunately I can’t

00:39:47.760 --> 00:39:56.290
tell you how it gets discovered, because the method that happened would reveal who it was.

00:39:56.290 --> 00:40:03.430
But safe to say, it was another company within the space that obtained information in a certain

00:40:03.430 --> 00:40:05.650
way.

00:40:05.650 --> 00:40:08.740
This was discovered by the company and then they sort of started to unpick everything

00:40:08.740 --> 00:40:11.460
and worked out what had happened.

00:40:11.460 --> 00:40:22.880
So, she was convinced, actually, that somehow her two friends who were genuine, in her mind,

00:40:22.880 --> 00:40:30.839
had been silenced or somehow disappeared by her employer for quite some while.

00:40:30.839 --> 00:40:38.359
So, she was actually very distressed to find out that this was actually not – this had

00:40:38.359 --> 00:40:40.030
all been a lie, because it had gone on so long.

00:40:40.030 --> 00:40:45.720
I think that’s part of the hugely damaging side of some of these attacks, is that you’ve

00:40:45.720 --> 00:40:51.750
built this rapport, you’ve built this relationship, you’ve built this narrative that gets yanked

00:40:51.750 --> 00:40:52.890
from underneath you.

00:40:52.890 --> 00:40:59.579
I think it’s a bit like romance scams I suppose, in that respect, that people get

00:40:59.579 --> 00:41:03.710
convinced of the narrative and it’s just not true.

00:41:03.710 --> 00:41:07.630
JACK: As it turned out, the company wasn’t even mistreating people or causing people

00:41:07.630 --> 00:41:09.900
to be sick with unsafe work conditions.

00:41:09.900 --> 00:41:14.490
That whole story was a lie simply to get this lady to send them company documents.

00:41:14.490 --> 00:41:19.610
LISA: One thing they did really cleverly, actually, was they kept reiterating for her

00:41:19.610 --> 00:41:24.079
not to tell anybody; not to tell her parents, not to tell her actual friends, not to tell

00:41:24.079 --> 00:41:32.500
her colleagues, because they’re writing this article, this super-secretive, whistleblower-esque

00:41:32.500 --> 00:41:34.090
article.

00:41:34.090 --> 00:41:36.450
It has to be kept secret.

00:41:36.450 --> 00:41:43.170
I think that line was what enabled it to go on for as long as it did, because I think

00:41:43.170 --> 00:41:49.480
if she told somebody else or started talking about it as a concern, someone would have

00:41:49.480 --> 00:41:51.660
said this sounds a bit odd to me.

00:41:51.660 --> 00:41:53.410
Then it might have unraveled.

00:41:53.410 --> 00:41:58.270
JACK: So, any hunches here on who’s behind this one?

00:41:58.270 --> 00:42:04.670
LISA: So, I suspect from the information that we had that this was actually acquired by

00:42:04.670 --> 00:42:12.270
potentially an organized crime group and then sold or attempted to be sold to another competitor,

00:42:12.270 --> 00:42:18.480
just because the person who approached the competitor who eventually flagged it wanted

00:42:18.480 --> 00:42:19.720
money for the information.

00:42:19.720 --> 00:42:25.130
So, I suspect that this was actually acquired purely for financial gain in this particular

00:42:25.130 --> 00:42:26.130
instance.

00:42:26.130 --> 00:42:30.830
But again, potentially it could have been another group.

00:42:30.830 --> 00:42:35.500
I don’t think it would have been an activist group just purely because I think you would

00:42:35.500 --> 00:42:38.070
have published it.

00:42:38.070 --> 00:42:44.360
As there was no actual wrongdoing, there wasn’t anything really to hang your hat on and say

00:42:44.360 --> 00:42:47.280
this company’s doing this hugely immoral thing.

00:42:47.280 --> 00:42:50.369
[MUSIC] So, yeah.

00:42:50.369 --> 00:42:54.070
JACK: We all have some kind of weakness.

00:42:54.070 --> 00:42:58.580
We all have something we care about or have a passion for, but there’s something that’s

00:42:58.580 --> 00:43:02.930
just close to our heart, and with the right kind of message sent to us directly at the

00:43:02.930 --> 00:43:07.109
right time, it can hit us like a heat-seeking missile.

00:43:07.109 --> 00:43:11.170
In this case, because this lady cared about the environment and people’s health, this

00:43:11.170 --> 00:43:17.000
was used against her to get her to leak lots of sensitive documents from inside the company.

00:43:17.000 --> 00:43:21.520
It’s almost not fair that the bad guys out there play so dirty and manipulate those who

00:43:21.520 --> 00:43:23.520
genuinely want to do good in the world.

00:43:23.520 --> 00:43:28.240
It must have felt awful for this lady to learn that the whole thing was made up and it was

00:43:28.240 --> 00:43:31.410
a lie and she didn’t have a Peruvian friend at all.

00:43:31.410 --> 00:43:36.329
They were just actors there to manipulate her into sending them documents.

00:43:36.329 --> 00:43:41.090
They even made up the lies about how the company was doing misdeeds.

00:43:41.090 --> 00:43:44.210
How does a company protect itself from this kind of problem?

00:43:44.210 --> 00:43:49.839
LISA: I think – so, insider threats is my sort of area and I think for me, if you’re

00:43:49.839 --> 00:43:54.550
building an insider threat program in your company or you’re developing one, you need

00:43:54.550 --> 00:43:57.220
to invest in training, for sure.

00:43:57.220 --> 00:44:03.680
Your staff need to be aware of these sorts of things that can happen and why they’re

00:44:03.680 --> 00:44:05.700
not things that we should be doing.

00:44:05.700 --> 00:44:10.559
But I think more importantly – and often I see companies make one really critical mistake

00:44:10.559 --> 00:44:16.109
here, and they start thinking about insider threat programs and they immediately go down

00:44:16.109 --> 00:44:19.250
Draconian monitoring of all staff.

00:44:19.250 --> 00:44:24.480
I had a company who said to me, am I able to turn on the webcams for my com – for

00:44:24.480 --> 00:44:27.090
my employees while they’re working from home?

00:44:27.090 --> 00:44:32.599
Now, there may be countries in the world where that’s permitted, but that’s not Europe.

00:44:32.599 --> 00:44:39.120
Europe is not going to allow you to turn webcams on and off on your employees’ devices.

00:44:39.120 --> 00:44:43.099
I think the problem you have if you go down that route is you’re doing it because you

00:44:43.099 --> 00:44:46.530
want to know and you want visibility on what your employees are doing.

00:44:46.530 --> 00:44:51.660
But what you’ll actually do is you’ll increase the risk that you’ll get disgruntlement,

00:44:51.660 --> 00:44:55.540
that you’ll get people who want to sabotage the business.

00:44:55.540 --> 00:45:01.650
Unhappy employees are way more likely to become insider threats than really happy and contented

00:45:01.650 --> 00:45:02.650
employees.

00:45:02.650 --> 00:45:08.540
So, my argument very much is invest in employee assistance programs, helping your employees,

00:45:08.540 --> 00:45:12.660
identify when they’re struggling, and helping them recover from that.

00:45:12.660 --> 00:45:17.079
Essentially patching the vulnerability that exists so that they can’t be blackmailed

00:45:17.079 --> 00:45:21.950
and they can’t be exploited in the way that so many of these cases have been.

00:45:21.950 --> 00:45:23.400
JACK: Mm-hm.

00:45:23.400 --> 00:45:30.099
That’s what my sentiment was too, is the happier the employee, the more loyal they’ll

00:45:30.099 --> 00:45:33.750
be and less likely to do something like this.

00:45:33.750 --> 00:45:41.819
LISA: I became semi-obsessed with – recently with secret cities that had existed in Russia

00:45:41.819 --> 00:45:43.940
when it was in – when it was the Soviet Union.

00:45:43.940 --> 00:45:51.109
There was one city in particular called City 40 which was created by the Soviet Union to

00:45:51.109 --> 00:45:53.060
create their nuclear program.

00:45:53.060 --> 00:45:58.390
They basically took hundreds of thousands of people out of their homes, moved them across

00:45:58.390 --> 00:46:03.520
the country into this city that they had built, prohibited them from seeing their relatives,

00:46:03.520 --> 00:46:07.580
their family, prohibited them from contacting anybody on the outside.

00:46:07.580 --> 00:46:13.710
Yet, these people were so happy and content and loyal because they’d actually been given

00:46:13.710 --> 00:46:17.710
this amazing quality of life in comparison to the rest of the Soviet Union at the time.

00:46:17.710 --> 00:46:22.849
[MUSIC] It’s a really extreme example, but they felt privileged.

00:46:22.849 --> 00:46:27.800
They felt satisfied and privileged and because of that, they were more than happy to keep

00:46:27.800 --> 00:46:32.619
this agreement of silence to protect the Soviet nuclear program.

00:46:32.619 --> 00:46:39.000
I think it’s a really good example of how, actually, if we’ve got that feeling of ‘my

00:46:39.000 --> 00:46:43.980
employer really supports me and I’m happy and I’m content’, people who are happy

00:46:43.980 --> 00:46:49.819
and content don’t go and sabotage their employer, by and large, right?

00:46:49.819 --> 00:46:53.310
That’s coming from someone who’s in a really dark place, typically.

00:46:53.310 --> 00:46:59.410
So, I think we have to be very aware of how humans feel, and are we making it a really

00:46:59.410 --> 00:47:06.010
nice place to work where they are supported and challenged and promoted and whatever,

00:47:06.010 --> 00:47:10.160
because that’s how you’re going to get loyalty and that’s how you’re gonna get

00:47:10.160 --> 00:47:11.650
a less vulnerable workforce.

00:47:11.650 --> 00:47:16.020
JACK: I’m trying to think if we should take some more lessons from this or if there’s

00:47:16.020 --> 00:47:17.990
things we should pay attention to.

00:47:17.990 --> 00:47:23.109
LISA: Yeah, I think the only other thing that I’d add generally; I think the – and this

00:47:23.109 --> 00:47:28.660
kinda comes from my experience in working in the piracy industry and – or stopping

00:47:28.660 --> 00:47:34.480
piracy, I suppose I should say, is that a lot of security is very much focused on the

00:47:34.480 --> 00:47:35.480
perimeter.

00:47:35.480 --> 00:47:38.690
It’s very much focused on – to use the pirate analogy – stopping the pirates from

00:47:38.690 --> 00:47:40.190
getting onboard the ship, right?

00:47:40.190 --> 00:47:46.750
But if you don’t have a plan for what happens after that, you have no way of stopping the

00:47:46.750 --> 00:47:47.750
attackers’ advance.

00:47:47.750 --> 00:47:53.130
You have no way of remediating damage or assessing damage or in – or working out what’s even

00:47:53.130 --> 00:47:54.290
been compromised.

00:47:54.290 --> 00:47:58.690
I think that it has to be a two-limb thing, and it’s the same for insider threats.

00:47:58.690 --> 00:48:02.420
It’s all well and good building all this stuff to prevent it, but you have to also

00:48:02.420 --> 00:48:10.839
be able to detect it, remediate it, investigate it quickly and efficiently, which a lot of

00:48:10.839 --> 00:48:16.280
companies haven’t invested at all in what happens, so to speak, when the pirates board

00:48:16.280 --> 00:48:17.640
the ship.

00:48:17.640 --> 00:48:22.320
So, I think that’s a really powerful lesson that people need to start taking onboard as

00:48:22.320 --> 00:48:23.320
well.

00:48:23.320 --> 00:48:26.210
JACK: Oh, I love that you brought it full circle at the end there.

00:48:26.210 --> 00:48:27.819
That was really well done.

00:48:27.819 --> 00:48:31.260
LISA: [LAUGHING] Yeah, we’ve come full circle.

00:48:31.260 --> 00:48:36.220
JACK: Okay, well then I think we’ll leave it there.

00:48:36.220 --> 00:48:37.850
LISA: Cool.

00:48:37.850 --> 00:48:43.410
(OUTRO): [OUTRO MUSIC] A big thank-you to Lisa Forte for coming on the show and sharing

00:48:43.410 --> 00:48:44.470
these stories with us.

00:48:44.470 --> 00:48:48.730
You can follow her on Twitter; her name there is @LisaForteUK.

00:48:48.730 --> 00:48:51.930
If you want to hear more from her, she’s created her own podcast called Rebooting,

00:48:51.930 --> 00:48:56.130
but she’s also given many talks at conferences, so you can just look her up on YouTube and

00:48:56.130 --> 00:48:58.109
there’s tons of stuff that she’s sharing there.

00:48:58.109 --> 00:49:01.609
You can also learn more about her company by visiting red-goat.com.

00:49:01.609 --> 00:49:05.390
This show is made by me, the outsider, Jack Rhysider.

00:49:05.390 --> 00:49:10.640
Sound design by Ponyboy, Andrew Meriwether, editing help this episode by soda pop Damienne.

00:49:10.640 --> 00:49:15.190
Mixing is done by Proximity Sound, and our theme music is by the two-bit Breakmaster

00:49:15.190 --> 00:49:16.190
Cylinder.

00:49:16.190 --> 00:49:21.030
Fun fact; if you search for a lighter on Amazon, they’ll give you 6,000 matches.

00:49:21.030 --> 00:49:22.239
This is Darknet Diaries.
