Episode Eight: Paul’s High Touch Hacker Transcript

Adam Levin:

So guys, did you hear the thing about CNA insurance? We know about the pipeline that got hacked.

Adam Levin:

There was a moment of silence and then a, well, CNA got hit. Nobody really knew about exactly how much they paid, but it came out. They paid $40 million. That’s a whole lot of money.

Beau Friedlander:

It’s not a bad payday. It’s pretty good. So how do we think that one happened?

Travis Taylor:

I’m not sure. I think they’re still investigating it, and CNA is keeping pretty mum at present. But that’s just a fancy way of me shrugging.

Adam Levin:

Shrugging oftentimes is the way to go in situations like this. Because sometimes it could take months to figure out how someone got in, where they got in, and what they got.

Beau Friedlander:

And meanwhile, they’re having a great time somewhere with their 40 million bucks.

Adam Levin:

Without question, somewhere. And of course, I also was reading not too long ago, that the DarkSide disappeared for a while. Now we don’t know whether, there’s been debate or the, whether they were shut down by law enforcement, or they were simply exiting with their cash, ready to reconfigure themselves into a new hacking organization, within the next few months. Nobody really knows. But that’s the mystery of when you’re dealing with all things dark web, and ransomware related. I’m Adam Levin and welcome to What the Hack. I’m the former director of the New Jersey Division of Consumer Affairs, founder of CyberScout, and author of the book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

Beau Friedlander:

I’m Beau Friedlander. I am a what you call a cyber jockey. No, I like to write about cyber security. I like to think about it. And if Adam and I are on the phone for more than two seconds, we’re pretty much only talking about it.

Travis Taylor:

I’m Travis Taylor, resident tech guy and occasional voice of God. It could have just been a test run, if you think about it. That if they just said, since DarkSide was a pretty new ransomware group. I think they’d been around for less than a year. And if their first real major outing, as it were, did that much damage. Brought the entire Eastern Seaboard’s fuel supply to a screeching halt. And then they made $5 million off of it. They could have just said, “Let’s practice and think about going on to bigger and better things here.” And that’s the thing that really, I found to be concerning.

Beau Friedlander:

I thought it was lame. Because they had a… what did they call it, Adam? Like a-

Adam Levin:

Code of ethics.

Beau Friedlander:

… code of ethics.

Adam Levin:

Call it that.

Beau Friedlander:

Yeah. And it was like, do no harm, right? They’re basically medical doctors. Except that I don’t know about you, but I consider $5 a gallon harm to a lot of people.

Adam Levin:

It’s enormous harm. And it’s one of those things where even if you have one or two hacking groups that have a “code of ethics.” And there were some that came out and said that, under no circumstances during COVID, were they going to attack a medical facility, a funeral facility, an educational facility. So many others said, “Well, that’s nice for them. But we’re not going by that one.”

Beau Friedlander:

Well also, because it was ransomware as a service. They may have just leased this out to somebody who was like, “Nah, I don’t really agree with your code of ethics. We’re going to shut down the oil supply in the East Coast.”

Adam Levin:

Well, they did make one statement. The DarkSide group saying, “It really wasn’t us. But it sounds like it might’ve been one of our subcontractors.”

Beau Friedlander:

Right.

Adam Levin:

They sound like a defense contractor. This is crazy.

Travis Taylor:

Ireland’s Healthcare system got hacked with a ransomware attack. And a ransomware group said, “We’re sorry.” And then gave them the decryptor to get their files back. But said, “Also, by the way we’re still going to sell all of your data.”

Adam Levin:

So we won 20 million bucks-

Travis Taylor:

Right.

Adam Levin:

… in Bitcoin. Whenever you’re ready, feel free.

Travis Taylor:

They’re running the decryptor right now. So they’re restoring access to their files, and everything that can take a while. But again, I think the thing that was just funny about it is, that faux niceness they received from ransomware gangs, like, “Oh, we do have a code of ethics. See, we don’t want anyone to not get healthcare. But we’re going to sell all their files anyway.”

Beau Friedlander:

Well, I think that that’s a perfectly horrible story to start with.

Travis Taylor:

Have you been hacked? We’d love to hear your story. Give us a call at (623) 252-1828 or email stories@whattheheckpod.com.

Paul Toma:

Hey Beau.

Beau Friedlander:

Hey Paul. Good to see you, man.

Paul Toma:

You too. Long time.

Beau Friedlander:

I want to introduce you to my host here that I work with, Adam Levin. Who doesn’t believe that I actually went to college. So maybe you can disabuse him of that.

Paul Toma:

I actually, yeah. I am a witness.

Adam Levin:

Which college was it?

Paul Toma:

Bennington College, in Vermont. Yes.

Adam Levin:

Ah, Bennington, love it!

Paul Toma:

Yes.

Travis Taylor:

For what it’s worth, I still think they were telling stories about Beau when I got there, so.

Paul Toma:

Yeah.

Adam Levin:

Oh my God! Beau was legendary.

Paul Toma:

Yeah.

Adam Levin:

That’s true. So Paul Toma now, I don’t know if you remember. But way back then, there was a TV series about a cop-

Paul Toma:

Oh, I remember it well.

Adam Levin:

… who had an incredible arrest record. His name was Paul Toma.

Paul Toma:

Yes.

Adam Levin:

And Tony Musante was the star-

Paul Toma:

Yep.

Adam Levin:

… and this ultimately spun into Baretta, as well.

Paul Toma:

Yes, exactly, yeah.

Adam Levin:

So yeah, so I feel we’re surrounded by law enforcement royalty, in spirit.

Paul Toma:

That’s pretty amazing that you would remember that, to tell you the truth. I mean, it wasn’t a very long-running show. And he actually spun off and he went on the circuit, because he became addicted to several… I think it was cocaine, probably at that point. And he ended up lecturing around the country with kids, talking about issues with drugs, and so on and so forth. Believe it or not, I actually have the book that he wrote.

Adam Levin:

Really?

Paul Toma:

Called TOMA, yes. If I could ever put my hands on it. I can’t imagine… I’m not sure if I could, but I do have it here somewhere.

Adam Levin:

Well you definitely-

Paul Toma:

Yeah.

Adam Levin:

… should refresh your memory on it.

Paul Toma:

Yes.

Adam Levin:

Because it was a terrific show.

Paul Toma:

Yeah.

Adam Levin:

And you live in North Carolina?

Paul Toma:

Yep. Durham, North Carolina.

Adam Levin:

And what do you do in North Carolina?

Paul Toma:

Well, right now I’m selling solar. And so basically, helping people figure out how to improve their energy situation, and improve the environment.

Adam Levin:

So that’s why Beau said that you were the sun, the moon, and the stars. Now I get it.

Beau Friedlander:

I didn’t even know he did that. I’m going to have to talk to you after the show.

Paul Toma:

Sure.

Beau Friedlander:

Are you still making art?

Paul Toma:

I’m not, unfortunately. I had to give it up years ago, because I ended up with a family. And had to actually make a living, [crosstalk 00:07:07] and I just couldn’t do it, yeah. I was on Martha’s Vineyard, and my art was a little too weird for the people out there. I did one show, and everybody was shocked. And that was the end of that.

Adam Levin:

But it was a heck of a show.

Paul Toma:

Yes, I enjoyed it. I had a blast.

Beau Friedlander:

Now Paul, I put up a note on Facebook, and I said, “Who’s got a story?” And you immediately popped up and said, “I do.” So what happened?

Paul Toma:

Yep, so at one point I had a business. I had a big store back in downtown Durham. And I was selling all environmentally friendly building products. And, I did all kinds of really cool eco, the sustainable, and non-toxic things for everybody that use in their home. And while I was doing that business, I got hacked a couple of times. And I wanted to share, mostly because people who are in business, especially people like me who… I was a hippy kid just wanting to do something cool. And ended up with a crazy business going on. Ended up being a lot bigger than I thought it would be.

Paul Toma:

And we just weren’t prepared for what we were up against. And funny enough, the hacking was one of the bigger issues. But the first one was just, our website was hacked. And it was really simple, but as a small business owner, we were totally screwed. Because we didn’t realize that we had to protect our website. This was 15 years ago. We didn’t realize that we had to keep up with all this stuff with our website, all this security, and so on and so forth. And one day someone told me that our website had been hacked, and I called it up. And it was just a picture of devils and naked women. And it just said, “You’ve been fucking hacked!” Across the screen, so.

Adam Levin:

Wow! Oops!

Paul Toma:

Yeah. And unfortunately, as a small business owner starting out. We didn’t have it all backed up, and so on and so forth. And so we had to have someone rebuild an entire website for us. Which cost us several thousand dollars, at a point where we could not afford to do that. And the vulnerabilities of things like that are, it’s so simple. But a lot of people just aren’t aware of it. The main hacking situation that we ran across that was really interesting to me. Almost cost me a fortune, and would’ve put us out of business.

Paul Toma:

But it was really interesting when everything was said and done. Because we had been working with a local bank, and had a large line of credit with them. And I became friends with the guy who was running the bank. I was a small local business. And we were emailing back and forth all the time, sharing a lot of personal information. And someone was able to hack into my email. And what they did was they actually read through all of my emails, saw the correspondence with my banker.

Adam Levin:

Wow!

Paul Toma:

Took my identity, because he was in my email account. They emailed this gentleman, and asked him to deposit $40,000 in an account in Georgia.

Adam Levin:

Wow!

Paul Toma:

And what he did on top of that, was he then went into my preferences in my Gmail, and blocked any correspondence with anybody from the bank.

Adam Levin:

Goodbye.

Paul Toma:

Okay. So they couldn’t contact me, and ask me about it. Now, luckily it was a very small local bank and the… I mean, this guy was the Vice President of the entire bank. And he called me on my cell phone and said, “Paul, what the hell is this? Why do you need to transfer $40,000 to someone down in Georgia?” And I was shocked. I was like, “I don’t know why I would do that, Mark.” I mean, what do you say to that? And it took us a long time to figure out what had actually happened. Because again, there was no way to trace anything. Because I didn’t even have the email that was sent to him in my email. Because the guy had blocked everything, all communication.

Paul Toma:

And it was literally as easy, most people don’t even realize this. That in Gmail you can go into your preferences, and you can block emails from anybody. And what he had done was blocked all communication with a KeySource Bank. Which was the name of the bank. So that meant that no one with the email address that was from KeySource Bank, could actually communicate with me via email. My email would just block it completely. I was also in the middle of buying a new house, and mortgaging a new house. And the gentleman who was dealing with my mortgage was also through that bank. And I missed a bunch of correspondence, that almost screwed me on that end too.

Adam Levin:

Wow!

Paul Toma:

Yeah, it was pretty incredible. And again, I just want people to know about how simple it can be. I had a pretty strong password on my email. But unless you change it all the time, you’re susceptible. People can hack it pretty easily.

Adam Levin:

Did you have two factor authentication on your email?

Paul Toma:

I didn’t at that point. That was Gmail, and I did not realize I could do that. Now, I have something called ProtonMail. Which is completely encrypted. And I have a couple of different passwords to actually get into them, meet up my email. So I’m a lot more protected now.

Beau Friedlander:

Paul, did you get ProtonMail after this situation or?

Paul Toma:

No, what I did was I just changed my password every once in a while. Because it was my work. I don’t even know if I could have just switched it over easily from, because it was attached to my website, and Facebook, and everything. It had so many arms to it, and the whole business, everybody, all my employees and everything. Had their email through Common Ground Green Building Center.

Beau Friedlander:

I have a question. But I have a feeling Travis is going to ask the same question. Travis, I think you probably do have some questions. Go for it.

Travis Taylor:

Sure. The first one is you said you had a strong password, but were you using it anywhere else, or is it just on that account?

Paul Toma:

Actually, at that point it was probably on several things. And I changed everything at that point. Like I said, it was 15 years ago. I wasn’t particularly tech savvy. Even though I created a strong password, I did use it everywhere. Yeah.

Travis Taylor:

Yeah. That’s always the rub there, that you can have the strongest password in the world. But if it happens to be compromised one place, it’s compromised everywhere.

Paul Toma:

Yeah.

Adam Levin:

In that situation, sharing is not caring.

Paul Toma:

Exactly! Yes.

Travis Taylor:

And it’s what they do, that our sense of cybersecurity now, unfortunately it’s come through a whole bunch of breaches. But I think people are a lot more cyber aware now, than they were 15 years ago.

Paul Toma:

Oh, yeah.

Travis Taylor:

There was the Target breach, which I think ushered in the era of the mega breach. But since then, it’s just been one after another.

Paul Toma:

Yeah.

Travis Taylor:

That anytime you read the newspaper, or you can just see something, or online news. Even if something just seeing what the latest breach is, what the latest ransomware strain is. And fortunately, I think people are getting a little bit more savvy to it. But yeah, the big one there is just password reuse, is most likely what brought you down there, unfortunately.

Paul Toma:

Yeah. That one for me, it was definitely. But it’s amazing watching the news, and seeing how easy someone with a huge pipeline, that supplies 45% of our country with fuel. Just gets an email that they click on the wrong link and it’s over. You know what I mean? That’s pretty amazing how easy it can happen.

Adam Levin:

No that’s the point is that-

Paul Toma:

Yeah.

Adam Levin:

It just takes one click, you can be completely secure at 9:00 AM in the morning. But yet one second later, if somebody clicks on the wrong link.

Paul Toma:

Yeah.

Adam Levin:

And all of a sudden, your most precious asset. Which is your information about your clients, your customers, your employees-

Paul Toma:

Everything.

Adam Levin:

… tactically be out in the wind. All right, so trivia question. What was the first iconic breach that any of you ever heard of?

Paul Toma:

Iconic breach?

Adam Levin:

Mm-hmm (affirmative).

Paul Toma:

I think [crosstalk 00:15:24]-

Beau Friedlander:

Data in for a data breach?

Adam Levin:

Data breach.

Paul Toma:

There were a lot of them that have happened, but I just keep thinking about Equifax. If something like that can be breached.

Adam Levin:

Absolutely! Actually, the first real iconic breach was ChoicePoint, in 2005. And it was the first time that California’s Breach Notification law ever really came into play. Because ChoicePoint was in Georgia. But the state that ultimately required them to release the information was California. And then 38 attorneys general banded together, and then demanded that they make the disclosure. But for California’s law, no one would have known. All the way back in 2005.

Beau Friedlander:

But a decade and a half later now, I mean, [Beas 00:16:17] was just in the process of going through the mortgage application, deal with a bank. And they are more careful now. I was expected by all parties to call up and say, “Hi, this is me. Is this your bank account? Is this your routing number? Is this where this is supposed to go?” And everyone’s in the process of doing that. And that just wasn’t the case anymore. And it’s scary to me, Paul. Because you were saved because you were banking with somebody you knew.

Paul Toma:

Yes. That’s how I feel about it. I think that most people don’t communicate, I was dealing with a very small local bank. But intimately, I became friends with this gentleman. Most people just do everything right online, and over the phone. And it’s way too easy for someone to call you and ask for your information. I mean, that’s one of the biggest scams in the world. They find out that you’re creating a mortgage through this company. They can easily call you saying they’re from that bank. And nowadays it seems like, I get a lot of spam calls, and they can seemingly just choose whatever number they want to call you from. You get everything-

Beau Friedlander:

Yeah.

Paul Toma:

… ever you guys, you know what I mean?

Beau Friedlander:

They can spoof a phone number [crosstalk 00:17:32].

Adam Levin:

Spoofing.

Paul Toma:

Yeah. And so how can you protect yourself at that point?

Adam Levin:

Basically, never trust, always question, always verify.

Paul Toma:

Yeah, and-

Adam Levin:

Don’t believe the number on your phone.

Paul Toma:

Yeah.

Adam Levin:

Don’t believe if they say they’re from an institution. Just find out who they claim they’re from. And if you have any relationship with that institution, look on the back of your credit or debit card, or independently confirm the phone number.

Paul Toma:

Mm-hmm (affirmative).

Adam Levin:

Contact the institution directly. And then say, “Did somebody from you guys call me?”

Beau Friedlander:

They really are after you, you can never be too paranoid.

Paul Toma:

No.

Beau Friedlander:

Because it’s true. Everyone is out there trying to figure out a way in, into your stuff and make some money off of it.

Paul Toma:

Yeah.

Adam Levin:

And the golden rule, never authenticate yourself to anyone that contacts you.

Paul Toma:

Mm-hmm (affirmative).

Adam Levin:

Don’t click on links. Don’t open-

Paul Toma:

Yeah.

Adam Levin:

… attachments. What you do is you contact them directly. And if they ask you questions then do authenticate yourself. That really is for your protection, as opposed-

Paul Toma:

Yeah.

Adam Levin:

… to your exploitation.

Beau Friedlander:

Adam, I want to just hop in here, and talk a little bit about small businesses here. Because that first story you told about your website. I have two questions about it. The first is a quick one. So I’m going to ask them right in a row, and you can answer both. But the first one is how long after the site was hacked, did this bigger hack happen? Were they in proximity to each other time-wise?

Paul Toma:

No.

Beau Friedlander:

And then the second one was, could this have put you out of business?

Paul Toma:

So the first answer is no, they did not happen very quickly after each other. And so I don’t think it was the same person. But both of them, the first one was minor. It was only a few thousand dollars. But at that point we were operating on a shoestring. And that was actually a lot of money, in terms of our operating costs. The 40,000 I don’t know what would have happened [crosstalk 00:19:29] at that point. You know what I mean? We most likely would have gone out of business. Because I don’t know how we could’ve recouped that.

Beau Friedlander:

So Adam, how do small businesses protect themselves against cyber threats? I mean, we know how Google does it, or IBM. But what if you’re a small business?

Adam Levin:

Well, a few ways. The first is that you have strict password protocols. The second, that you make sure that anyone that enters your systems has a different password, than a password that they were using in their private lives. You also make sure that you continually educate your people as to the dangers. You make sure that they don’t deal with any device that you’ve been downloading apps, that you may not actually know where they originate from. It also means that you should be freezing your credit anyway. Because businesses are so tied to many people’s individual credit.

Adam Levin:

It means you should vet anyone that’s coming to work for you, or with you. To make sure that you have an idea about who they are. And if you can’t afford to have an information security officer on deck for your company in-house, then you really should look to a third party, trusted technology source. Where you can go to and say, “Can you test my systems? Can you monitor what’s going on?” Because it’s all about minimizing your risk of exposure. About monitoring so you know if you have a problem as quickly as possible. And then what’s your plan to manage the damage.

Adam Levin:

And that third M, there’s a thing called Cyber Liability Insurance, now. So any small company, any medium-sized company, certainly the large companies, now. You need to have Cyber Liability Insurance, because what it does is in some cases, provided you’ve done what you promised them you would do at the time you got the insurance. You’ve shifted a lot of the risk and the liability from your business to the insurance company.

Paul Toma:

In our situation, it was all about passwords, and things like that. Because honestly, a lot of small businesses, especially what we were dealing with. Literally, we didn’t have any money at all to hire third parties to… and we didn’t know about insurances and things like that. But that’s the tough part about small business, is that when people are operating on a shoestring. It’s brutal. Because you do have to make sacrifices on what you’re paying for, and hope for the best.

Adam Levin:

And a lot of hackers bank on that.

Paul Toma:

Yeah. I wouldn’t be surprised at all.

Adam Levin:

Go after AT&T when you can graft a group of little businesses.

Paul Toma:

Yeah.

Adam Levin:

I mean, the truth is you in one sense, they’d rather go after AT&T, because they can get access to millions. But the thing that people should remember also, and oftentimes people go, “I’m just a little business.” Or, “I’m a regular person, who would possibly care about me?” And so when you look in the mirror, you see you. But to a hacker, they see a large feathered cooing creature, that can be a source of gold for them. There’s a pot of gold at the end of the rainbow. And it may not even be because of the business itself. But it may be because the business does business with another business, they’re really interested. Like for instance, that HVAC contractor that was doing business with Target. That was the way in to Target.

Beau Friedlander:

It’s true. I mean, Paul your company could be like, if you got your one big contract with your city, or somewhere like that. That’s the way in for a hacker to get into the much bigger system.

Paul Toma:

Yeah.

Beau Friedlander:

And a lot of these guys, they’re not just guys. These criminals, their payday is seven grand. That was a number that kept coming up recently, 10 grand, five grand. So if they get it from you, or they get it from IBM, it doesn’t really matter. Because they know those numbers, the cops are just going to be like, “I don’t know what to tell you, sir.”

Paul Toma:

Well, so that’s the thing. For us, we’re just a joke, right?

Beau Friedlander:

Right.

Paul Toma:

But if you go after IBM, they actually have money and resources. And they might be able to actually track you down. I mean, even the banks that I was dealing with, they would just shrug their shoulders. And they were like, “We don’t know what we can do about this.” That guy just walked away, whoever tried to rip me off. And it was never [crosstalk 00:23:57].

Beau Friedlander:

Now, I know it’s the funniest thing. It’s cybersecurity by hope it doesn’t happen again.

Paul Toma:

Yeah.

Adam Levin:

Or they like to say, passion prey. But-

Paul Toma:

Yeah.

Travis Taylor:

Well that’s one of the things that stands up here, that makes it seem almost quaint by today’s standards. That someone actually took the time to break into your account, and go through your emails. Whereas, you keep on hearing about now as someone does that by the hundreds of thousands or millions, in order to compromise hundreds of thousands or millions of other accounts, and things like that.

Paul Toma:

Yep.

Travis Taylor:

So in a strange way, it seems a little bit like a flattery. That you’ve got a lot of individual attention that most-

Paul Toma:

Yeah.

Travis Taylor:

… people don’t get from their record.

Paul Toma:

Yeah, I [crosstalk 00:24:31]-

Beau Friedlander:

True story.

Paul Toma:

Yeah. I used to definitely feel flattered. Yes.

Adam Levin:

Wasn’t there a recent statement by the IRS for instance, that they weren’t interested in looking at Bitcoin transactions under 10,000?

Speaker 7:

The White House had proposed broad new tax information reporting requirements. And the Treasury Department said today that would include not just cryptocurrencies, but also crypto asset exchange accounts and payment services. And for businesses that receive crypto assets of $10,000 or more.

Adam Levin:

Well, you can have a lot of under $10,000 Bitcoin transactions, if you’re-

Beau Friedlander:

Yeah.

Adam Levin:

… hitting small businesses.

Paul Toma:

Yeah.

Beau Friedlander:

Sure can.

Paul Toma:

Absolutely!

Beau Friedlander:

Paul, thank you so much for coming today.

Paul Toma:

Yeah, not a problem, man. Thanks for having me. It was actually really fun [crosstalk 00:25:14].

Beau Friedlander:

It was fun. It was nice to visit North Carolina for a second.

Paul Toma:

There you go. Yeah, it’s 85 degrees and beautiful down here, right now, so.

Adam Levin:

Now, we really appreciate it. And thank you for allowing me to travel back to memory lane about TOMA, and Baretta, and all the shows that I used to love.

Beau Friedlander:

Talk to you soon, man. Thank you, man.

Paul Toma:

Excellent! Thanks guys. Take care.

Beau Friedlander:

Bye. What the Hack is a Loud Tree Media production, in partnership with Larj Media. That’s L-A-R-J Media. You can find What The Hack, wherever you get your podcasts. And be sure to follow us on social media. You can find more information at adamlevin.com.

Speaker 8:

Loud Tree.