From support to scam.

Released Thursday, 2nd May 2024

Episode Transcript

0:02

You're listening to the CyberWire Network, powered by N2K.

0:15

Hello everyone and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations all over the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe. Hi, Dave. We got some good stories to share this week and once again we are joined by our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria. Hi, I'm back. I'm here. We are excited to have you back and we will be right back after this message from our show's sponsor.

1:02

But first, a word from our sponsors at KnowBe4. We're not talking conspiracy theory when we say it's all connected. When it comes to InfoSec tools, effective integrations can make or break your security stack. Though not as common, the same should be true for security awareness training. Not only does KnowBe4 deliver the world's largest library of security awareness training, but they also provide a way to integrate the various elements of your existing security stack to help you strengthen your organization's security culture. Stay with us and in a few minutes we'll hear from our sponsors at KnowBe4 about how you can integrate security awareness with your tech stack like never before.

1:50

All right, Joe and Maria, before we jump into our stories this week, we have a bit of follow up here. Joe, you want to take us through what we got? Yes, Dave. Raul wrote in, he said, hi, David and Joe and Maria, absolutely love, love, live and breathe the show. I love it when listeners love, live and breathe the show. Okay. It's my favorite.

2:11

I witnessed the infamous Facebook post of the fake car crash. Dave, you were talking about this a couple months ago. It's still making the round. Still making the round. I've seen it recently. Yeah. With the person's account saying, I can't believe he's gone. I'm going to miss him so much. I did not click on the link, but I did report this post as a scam, or a spam rather. Yeah. Facebook instantly closed the report and did nothing with it. Yeah.

2:38

So, and he, that, Raul sent along screen caps of the, of the report that he sent and it said right underneath the bit, closed. Yeah. I mean, there are several versions of this. And I think one of the things is that you, there is no perfect category to list this under when you report it to Facebook. And I think that's intentional. Yeah. Because they certainly wouldn't list clickbait as a category, would they? No, I mean, it could say misinformation, but it really doesn't. Yeah.

3:11

So I stopped reporting this because something clicked in my head where I thought, oh, wait a minute. If I keep reporting this, is Facebook going to consider this to be engagement and give me more of them? Right. So every time it comes up for me now, I just click and say, please show me less of this. Please show me less of this. Right. Interesting. You're gaming the algorithm. That's smart. Well, I'm trying. The problem is the algorithm is so fricking aggressive. You know, it's like, oh, wait a minute. You stopped and looked at sunglasses for five seconds. So for the next week, it's going to be all sunglasses all the time. Oh, great. Thanks. That's really useful.

3:52

Dave, I love hearing about how, how happy you are that you came back to Facebook. You can hear it. It's just dripping from his voice. Oh yeah. It's been time well spent. Absolutely. All right.

4:03

What else we got, Joe? We got, we got one from, that's a follow-up on the episode 286. It says, David, Joe, hello, last summer I was in London for a conference. I got harassed. This is talking about the, the con woman at the Piccadilly Circus or Piccadilly station in, okay, in London. Uh-huh. I don't know if that's a, an underground station or if it's like just a train station. I have no idea. Okay.

4:30

I got harassed slash scammed at Piccadilly station as well. Being alone and nonchalant, I guess I was quite approachable. A lady walked up to me and started giving me a story about herself being an immigrant and not having enough money to make it to the next station. She too asked me if I could buy her tickets, showing me an app, although it did not have any money in it. She promised that she could have money. Hmm. I, I tried to decline but she was pushy about it and followed me. Eventually I gave in, walked over to, walked over and bought a, bought her physical tickets at a machine for about 20 pounds. Hmm. I recall her not being quite happy but not entirely disappointed. I figured if she was having a tough time getting money, then I could help her, and maybe if she was, also, also if she was scamming me, the guilt of someone being genuinely kind without expecting money back would make her change her ways. That's adorable. I like, right. That is not what's happening if you're being scammed, know these people. Maybe it's a bit poor me to think that way. I don't think so, Alec. Anyways, forgot about this story until the other, and the other listeners shared their Piccadilly story. Thanks for the podcast and many happy years ahead.

5:43

I don't mean to give Alec a hard time because I've said many times on here that, you know, I, I too am a soft touch for scammers. I tend to give people the benefit of the doubt and my attitude is I would rather go through life losing some money every now and then than brutally assuming that everybody is out to scam. Yeah, ah, yeah. I mean, if, if you buy a ticket for twenty pounds or twenty bucks, then you're, you're, you're, you're, out twenty bucks. Right now it's not a big loss. You know, your loss is going in, ah, maybe you're helping somebody and you can think that. I feel like I should mention here, for people who don't know about Piccadilly, that's like the Times Square of London. So there are a lot of scammers walk around that area. So it's a suffer any on your like that is in London. On this isn't doesn't know this like that is a hotbed of a lot of not the great activities. Are so that they're on the lookout for.

6:40

A run. Outside you walk in there with the straw hat and pieces, pieces grass to get your mouth. Success or a hundred years and I'm overall the process. Rice with a map and Europe printed map and your hand running around five I have learned man around here. Ah.

6:59

In, I've never been to a Piccadilly circle, but I think my most vivid, with, a, well the image that pops up and in my mind is the final scene in An American Werewolf in London. Was. Off as I don't know the final scene but I go to a different movie or go down to Wayne's World. Ah, at the where they had his references, they had a couple of obvious bob body doubles standing it onto the Billie circuits. Are the circle going? Well? Way worse. Piccadilly Circus office? It's, it's hilarious. Yeah. Hopefully someday I'll get there, but does, so far I've never had the pleasure.

7:34

Or, it, we got one more bit of follow up, you know what, are we got. Paula said that we mentioned people being on their phones after a flight gets cancelled and Paula made the astute observation that some of these people probably have concierge services with their employers that they're required to go through. So that's why they go on their phones and call the concierge service and while they wait in line, they get it done immediately. Right. Or, nice, that's, live in that, is a, are, you know, I used to, I worked for a company that had this kind of thing, but I never had to use it. Actually, no, I never had to use it. I missed a plane once, but it was prior to that. Yeah, but I never had a problem with it.

8:14

I have been around folks who have this sort of thing or organizations where this is, I guess, a perk of being at the executive level. I've never been at that level. No. No. That's funny because the places I've worked as, lower folks had to use the booking service and it was the executives that could book direct. Oh, isn't that interesting? Maybe things have changed a little bit, but us lower rung folks were the ones that had to go through the travel agency. All right, well, it could be that my perception is completely upside down. When we booked through the agency, all of our expense reporting got done automatically, which was nice. That is nice. I didn't have to fill out an expense report for every trip I went on, but they were numerous at one point. Yeah.

8:59

All right, well, our thanks to Raul, Alec, and Paula for sending in these kind notes. We do appreciate it. And of course we would love to hear from you. You can email us. It's hackinghumans at n2k.com.

9:14

All right, let's jump into our stories here. And Maria, as our special guest, you wanna kick things off for us? Oh my goodness, my pleasure. Okay, so rhetorical, real question for you, but not rhetorical, an actual question for you both. Do you use, or have you heard people sort of shorthanding, a service that one can call when one is having trouble with one's computer or electronic devices at home? Geek Squad. Yeah. Yeah, Geek Squad. Is it Geek Squad or? Right. Right, or Joe and Dave's lifetime technical support. That's just for our parents. I was gonna say like, in my family it's called Maria. Yeah, but Maria is the Greek Squad, Geek Squad in my family, but that's. But I would say Greek Squad. That's great. You're welcome. Uh, thank you. Thank you. Please tip your waiters.

10:02

Try the veal. Um, I would say in my mind, Geek Squad is, is the Vaseline, the Q-tip, the, the, um, you know, the generic name for this sort of thing, the big corporate provider of this sort of thing. It is the phrase that I hear a lot, uh, that people just use as that short, exactly that shorthand for I need technical help with some kind of house call. Um, so I guess it's, it's good job Best Buy on getting that branding out there like that. Um, so, uh, this, that was a term in mind for one gentleman, Charles Gibbs of Ontario, Canada. Uh, he thought he was getting Geek Squad help when he had a printer, it's always a printer, isn't it, that was being very troublesome at home. They are, printers who are the worst. They are the worst. They are actually the worst ever.

10:48

Uh, so my, my sympathies, Mr. Gibbs. So he did what a lot of people in this situation would do. He didn't have a Maria to call on for IT support. So he just Googled Best Buy and Geek Squad. Uh, you know, why not? And the first result he got in his search results, again, this was a Google search, was a very legitimate looking website, official logo, the location lookup services working and pointed him correctly to his nearby Best Buy that he knew was his. Um, and it confirmed that store was real and it even gave him a phone number to call. So there was nothing alerting him that this was a scammy website or something that he shouldn't trust. It looked completely legitimate. So on that cursory glance, he called the number that he saw on that website.

11:27

And I'm sure many of our listeners and you two know exactly what happened next. Uh, what unfolded was very familiar. Mr. Gibbs, thank you for calling Geek Squad. Oh, it looks like there's a $349 refund balance on your account. That's just sitting there. Don't you want this money? We'll happily get it to you. If you just let us know your banking info, we can just have that sent direct deposit. So it's no trouble for you whatsoever. You know, you've got enough to deal with. Here you go. Oh, and oh, oops. Oh no, we sent you $10,000 instead. That happens all the time. So yeah, right.

12:04

That's what, I hang up. That, that is, that is wise. I'm not surprised that you knew that. Go out and spend ten thousand dollars. It's going to do something useful with that money. Yeah, listeners. No, this is a common script. We've covered it, y'all have covered, everybody knows, but yeah. So the scammers sent Mr. Gibbs on little errands between the bank and a Bitcoin ATM to supposedly return that excess money to the Best Buy. And after all was said and done, that supposed $349 refund that was due to Mr. Gibbs ended up costing him twenty five thousand Canadian dollars, which is like 18,000 US dollars, which, a lot.

12:39

So because of his experience, Mr. Gibbs actually went to CTV and told his story to let others know about his experience. So good job and, how excellent, thank you, Mr. Yes, and hopefully the other people will learn from it, especially other seniors like himself. And he said this quote: when they said I needed to pay even more money for currency conversion, I figured that that was enough and I didn't give them any more. While it was happening, it was almost like I was in a trance and I kept thinking it was me that called Best Buy Geek Squad, and they are reputable companies. Which is, which is a very interesting quote. I think that's a very relevant quote here.

13:14

So in your expert opinions, to me, this sounds like SEO poisoning, a classic technique. So bad guys gaming the search engines to make sure their scammy websites rank higher than the legitimate ones. Not in your, was it an ad that he clicked on? We don't, see, that's the thing I was trying to figure out. Was it a sponsored, was it an ad or was it just at the top of the search results? I don't know because that wasn't in the article. I would be very interested in that. Well. Yeah, I mean, I would think these days, of anything you Google search, an ad is gonna be at the top of the search results. And since Google is doing such an awful job these days of differentiating between ads and actual content, in the least. Yeah. Yeah, I, that's, you know, I've, I will cynically put some of this on there.

13:56

I think you're right on. I actually tried to replicate this and I got a legitimate looking website that was like an off-brand Geek Squad in my area that it didn't, it didn't look like the Best Buy website, but it looks close enough. No, I just thought that was just amazing. It wasn't the same service, I'm sure, that Mr. Gibbs found, but it was something else in my area trying to do the same exact thing. I have no idea if it's legit or not or if it's just counterfeit, but either way, it's amazing. Somebody's selling fake Geek Squad franchises. Yeah, it was called like Friends or something. I was like, what is really, really keeps, Friends. Yeah, I don't want to be friends honestly. I wasn't lonely. Geek, there you go, in your area. No.

14:35

So yeah, it was, it sounded like a pretty classic SEO poisoning attack, and the reminder for everyone, of course, is always be wary what you click, that search engines are not nearly as trustworthy as they used to be. And of course, yeah, Best Buy knows about this. Many companies like this, that their brands are getting hijacked, they know about this kind of thing, but as we've covered before, it's like whack-a-mole. You take one of these websites down, a bunch of them replace it pretty quickly. So what can you do to protect yourself? What can you do to protect yourself? Yeah, what can you do to protect yourself, getting fooled by attacks like this? Vigilance. I mean, that's really the only thing. Well, don't click through to a site, a big name site that you're trying to get at. Like, for example, if you want to go to Best Buy, type in bestbuy.com. Don't click on the link after a Google search for Best Buy.

15:34

I think that's valid and I think that is the advice, and I'm gonna just be a little annoying. If you are not the most technically savvy person and maybe you've got a lot of advice bouncing around your head about how scary the internet is, I'm just remembering when whitehouse.com was a website you really did not want to go to. I mean, it just, sometimes people get really freaked out like, I don't know which one's the right one, maybe I'll Google search it to figure out which one I should use, and then at this point in their, see a result. I think it's an excellent point. I mean, I have, a good dear friend of mine pointed out to me that his sister believes that the Google home page is the front door to the internet. Like, so, in other words, when she brings up a browser, it defaults to Google, Google, which is, I think, is really, really common. And to her, that's where you begin. Ah, you don't put the name of where you're going up in the, bow, the URL bar, you put it into Google and then Google takes you there, right. So I think that's a pretty common reality for a lot of folks who, were just, runs in a, who aren't sophisticated tech folks. Why, I got a busy day and this is my first, makes sense and it works. It works as a model there, right. At, you know, I, I used to think that way about Yahoo. They, are not knowing that was not the front page, but whenever I loaded Miami, this is way back. Remember it though? Yeah, yeah, yeah, yeah, before Google existed, on, your, Yahoo would be my front end page and I'd be like, well, let's see what's out there and look at, and it, when I opened a web browser, came up to Yahoo and that's how I thought about it. Right now it comes up to the default unloaded paid says why do every single time. Or, and I do that parts of the drink remind me that this is not to some search sites and go and are just some search engine is, course my main browser's Chrome, a such as it has the before to the same sorts of says right in front and then I'm. Serious. I mean I'm not sure if he was on a desktop or if he was on his own. Them succeed, like if you're on your phone, it as a whole other level of difficulty there too. Yeah. There's a bright realist a problem on phones. Yeah.

17:53

So I know they're, the advice is, as you said, you know, go directly to the website, but then we've also kind of a little bit freaked people out of support. That metamucil as is brought him a hard place on that one. For shirts, for Joe, you nailed it with a never give out your bank info. Just disconnect the phone right there. That is always the reddest of red flags. I was trying to say that I would hang up as soon as they put the ten thousand dollars in the, my job a distributor matter is they never put ten thousand dollars in disguise kill. There's, there's not a risk that, and if, if the guy is online with them, what they're doing is they're manipulating a web page he's watching, mom was going on. The, or it's, it's a, it's a social engineering attack. By you, know, with the way to handle this is years when, when somebody says hey we have a, we have a, we have a, I, of a balance here that we knew transfer you him your baggage out to six israeli attack. Isn't from in second mailed to me and, I don't need that money right now. It's fine. But then again, maybe, maybe dude, maybe duty that money right now? Well, chances are this is a scam and there is no money and that you're only gonna wind up in greater need of money at this point in time.

19:02

So, yeah, Tom right, your check? Until the checked ounces. Okay, now a sort of the process of success at a set of upsides, but circle never show up I guess. I guess. The problem I have with Write Me A Sec is that even at that level, it's engagement, right? And you're on Tuesday, puts you in a narrowing way or what's your address? Yeah, Riley, when you're on your hands and now they send you a check and there's a problem with attack but the tech has a tech support call number on as ssssss. Oh, we forgot to sign that, said hey no problem, lit tell you why couldn't it is becoming set announcing scam where they send you a check for too much money. Brightens, that, and then it could be again writing thing all over than always said he would send our guard. Second set of three hundred forty nine. Means. Yeah, business model. From there, right in front of the us story are alma opposite of your fantasizing about how to deal with this guy's injured, you got the right answer, various terminate the call for me, realize the freezer still not working.

20:00

Right. No, he's going to fix his printer. Printers don't work. Yeah. Except throw it out the window. Yeah. Right. Go buy another one. Yeah. I got so frustrated one time with the printer. It didn't work. I just went out and bought another one. You didn't just always made it great. Yeah. I'm going to Office, we've Office Spaced a few things in my house. There was a bundt pan that would tear my wife's cakes apart and back out office. You Office Spaced the bundt pan? My kids did. Yeah. Were there explosives involved or just hammers? Just baseball bats and some Geto Boys music in the back. Yeah. Absolutely. That was it. Absolutely. They made a Vine of it. That's how long it was. Oh, geez. Funny. RIP. Wow.

20:46

All right. Yeah. I'm actually friends with the person who shot that scene. Are you? Yeah. Yeah. It was shot way after the movie was wrapped also. Like the movie was shot in California and that scene was shot in New Jersey or something like that. That's what actual lore is. But yeah, that's a great movie though, by the way. The movie is Office Space. If you haven't seen it, it's a Mike Judge movie and scene is, the whole movie is great. In my opinion, I think it's just, it's, I love Mike Judge and just about everything he does. Yeah. All right. Well, uh, Maria, good advice. And of course we will have a link to

21:19

that story in the show notes. Uh, Joe, what

21:22

do you have for us? I have two things,

21:24

uh, Dave Maria, but the first was really quick.

21:26

Dave, you remember way back in episode 272. Sure.

21:32

Yeah. In January, there was a

21:34

listener named Michael who wrote in about getting scam

21:36

texts for toll roads. Yes.

21:39

Well, the FBI has through the, through the

21:41

internet crime complaint center has released

21:44

a public service announcement. Uh,

21:46

and we can put a link to this in the

21:48

show notes. It says smishing scam regarding debt for toll

21:50

road services. So apparently this is

21:52

a common thing. Uh, they're,

21:55

they're calling it a new scam, uh, since

21:57

early March of 2024. However,

21:59

Dave. We've been talking about it since

22:01

January Twenty twenty Four, right? Go. On

22:03

So it's. They've. Received

22:06

over two thousand complaints about dismissing

22:08

tax the say the recipient owes

22:10

money for unpaid tolls and contains

22:12

almost a delicate Dunkel language of

22:15

with the outstanding amounts. So.

22:17

Interesting about this advisory. Understand if you

22:19

get these texts there's a stamps or

22:21

to try to get you to pay

22:23

the twelve hours before the mythical fifty

22:25

dollar bills approaches right? The these the

22:27

mystery that I think is still out

22:30

there when it comes to this. That.

22:33

I did not see addressed in the

22:35

information from the F B I. Was.

22:38

The part that Michael shared with us

22:40

about how a text message would com.

22:42

Moments. After they were on a toll road

22:44

yeah good seem to be some heads he

22:46

of fenced. right? That. Was

22:48

all this the mysterious to me?

22:51

Yeah, still mysterious isn't. Because.

22:53

I can understand just a generic, you know?

22:56

Spray. And pray send everybody

22:58

we can. A thing that says

23:00

you owe you have a balance on a toll. right?

23:03

Back. To. Me that's run of the

23:05

mill. Just out there for kind

23:07

of fact that we can you know scenario

23:10

right? But. The part that Michael

23:12

shared where he was seem to be somehow

23:14

d of fenced to actually being on a

23:16

toll road. That. Is still

23:18

intriguing to me. Says is interesting, doesn't

23:20

quite the wrinkles as story has. Been.

23:23

Us in our what else you got

23:25

jumped so I got have a story

23:27

that is kind of been in the

23:29

news developer news and I'm going to

23:31

talk about software development so. Buckle.

23:34

Up everybody are so good! To

23:37

see of just if a. There

23:39

is a there's a utility This included with

23:41

a lot of linux distributions called as Z

23:44

u to was. A Linux? I'm kidding.

23:46

I'm. Kidding. Right? A subset of.

23:50

Suffice, that's like a unique says

23:52

yes very much as. I

23:54

get on internet. Is this a year of the Linux

23:57

on Desktop? Sorry okay other. Assistance.

24:00

Let's hope that'll never happen. So

24:03

anyway, these utilities were developed by one

24:05

guy, essentially, as is the case

24:07

with a lot of these open source projects. And

24:10

he was developing them in his own spare

24:12

time. And on his, um,

24:15

on one story I read about this, he was saying that,

24:18

um, there were, there were, he was

24:20

saying, he's getting kind of worn down and getting kind of

24:22

exhausted. And somebody said, Hey, I'm

24:25

happy to help take over this, this

24:27

project and help you, help you work

24:29

on it. Um, and his name is Jia Tan.

24:32

And he positioned himself as

24:34

a, or actually they, this

24:37

report says they positioned themselves cause they believe this

24:39

is actually a group of people from a nation

24:41

state. Um, they positioned

24:43

themselves to be able to put a

24:46

back door into this product,

24:48

into these libraries, these, um, these

24:51

XZ libraries. And these

24:53

XZ libraries have to do with file compression. So

24:57

there are Linux distributions that use that

24:59

these file compression libraries. And

25:02

there was not widespread distribution

25:04

of the back

25:06

door because it was detected before it

25:08

could be, uh, before it could

25:10

be widely distributed, but it was there and it

25:13

was heavily obfuscated, which means it was hard to

25:15

see. Well, there

25:17

is an organization called, uh, the

25:20

open source security foundation,

25:23

which is, um, they,

25:25

they work on the security of open source software.

25:28

And there's a company called or another organization,

25:30

open JS, who is the, uh, the

25:33

open JavaScript foundation. They're issuing

25:36

a security alert for

25:38

all open source projects to watch out

25:41

for social engineering takeovers of their projects.

25:44

So apparently someone is really

25:46

targeting open source projects because

25:48

if you can get into an open

25:50

source project and put a backdoor into

25:52

it successfully and

25:54

undetected Chances are over

25:57

time, that project is going to

25:59

be distributed. With so much other software,

26:01

if you think about the log for j

26:03

vulnerability. I don't know that was deliberate

26:05

and I don't think it was loses a bug. Bites

26:08

Lot. For Jay is so

26:10

ubiquitous. That. I

26:12

remember using it back in the early

26:15

or late two thousand. And.

26:17

It's been. Just. A round

26:19

of for. For. That

26:21

long as it's it's a library that

26:23

everybody has in just about every job,

26:25

a project that they they produce, So.

26:28

There are some suspicious social engineering patterns

26:30

to look for. Ah, That

26:33

that the of the open.

26:36

The. O S S S and Open

26:38

J as people say, slow for

26:40

one friendly yet aggressive and persistent

26:42

pursuit of. Of maintain

26:44

or. Of the maintain

26:46

her. By. A relatively unknown

26:48

member of the community. So a new person

26:51

comes up and says hey, I need to

26:53

be part of this system. He put me

26:55

in charge me, give me a position of

26:57

authority, younger, do the best job on this

27:00

thing. Maybe that is a guy that is

27:02

working for somebody who wants to protect on

27:04

your software request to be elevated to maintain

27:06

her status. By. Newer unknown persons.

27:10

Endorsements coming from other unknown members

27:12

of the community who may also be

27:15

using false identities, and the term for

27:17

this is called sock puppets. Which

27:21

I love that term. Then

27:23

it says a pull request

27:25

containing blobs or as artifacts,

27:27

so. Ah, this is where

27:29

I have gotten developer stuff, so a

27:32

pull request, say you're on

27:34

GitHub, where somebody has cloned your

27:36

repository and they may have changed it and

27:38

they've uploaded it to their repository and issued

27:40

a pull request for you to pull

27:43

their changes into your repository. And

27:45

if they have large, of, well,

27:47

blobs, which are binary large

27:49

objects, in their, in their

27:52

code as artifacts, chances are that could

27:54

be the back door masquerading as something

27:56

like a test, as it was in the

27:58

case of those compression utilities. It's basically

28:00

bits of code. We don't know quite what it does and

28:02

we're not sure it should be there. Right,

28:05

and it's not in source code. You can't just

28:07

read it. You actually have to reverse engineer it.

28:09

Right, you have to do the reverse engineering on

28:12

it, which is not a task that

28:14

every single developer can do. There

28:16

are some security researchers who are really good at

28:18

it. That's what they do. Vulnerability

28:21

researchers or malware researchers in particular, they go

28:23

after it and they're good at doing it.

28:25

But most developers I've met have been very

28:27

good at writing the code into the machine

28:29

code, but not great at getting it back

28:31

out. Just because

28:33

that's not where they spend their time. That's not what

28:35

they do. It's a different area. It's a different thing. Right,

28:38

it is. It is. Intentionally obfuscated

28:40

or difficult to understand source code, so if

28:42

you get source code that is not plain

28:44

and not clear, that should be a

28:46

red flag anyway. That may be bad development. It

28:49

may be a developer that's not that skilled. Could they be using

28:51

AI? Right.

28:54

All the AI code that I've tried to

28:56

generate recently has all been pretty clear and

28:58

pretty concise. For now. Sorry, I'm

29:01

just thinking of everything I did now. I'd

29:03

say wait, maybe that's a red flag. Once

29:05

the AI is clean. Right. Gradually

29:09

escalating security issues. Let's

29:12

see, a deviation from the typical project

29:14

compile. So

29:16

this is again, if you start using different

29:18

chains, different compiler chains, you start

29:21

including blobs and zips and other binary

29:23

artifacts into your builds. If

29:26

you're not a software engineer, none of this matters to you, so you don't

29:28

need to worry about it. But

29:31

the final point here is a false sense

29:33

of urgency, especially if

29:36

the implied urgency focuses on,

29:38

focuses a maintainer to reduce

29:40

the thoroughness of

29:42

review or bypass a control. So

29:46

this is the typical asks

29:50

to deviate from the standard process, which we

29:53

see in a lot of social engineering attacks

29:55

just applied to a software engineering background

29:58

or a project. Timeline for

30:00

Jia Tan, like how long were they

30:02

working this? It

30:04

was years, a month. A few years, wasn't it? Yeah, it was

30:07

about two years. It was two years, I think. It

30:09

was the accounts that

30:12

were involved in that, in

30:14

the library compromise were

30:16

old accounts by the time

30:18

the vulnerability happened. But they

30:20

were, I'll tell you another story. A

30:23

couple of years, weeks ago, I don't know, how long ago?

30:25

A month? Who knows? No. Losing

30:28

track of things. A friend of mine

30:30

had someone convince him to upload or

30:32

download malware onto his computer that turned

30:34

out to be an info stealer. And

30:37

the way they did that was by compromising

30:39

the Discord account of another person on a

30:41

development project he was working on that was

30:44

kind of like, wasn't an open source project,

30:46

but it was a collaborative free

30:49

project with a bunch of

30:51

different people on it. And one guy got

30:53

compromised and tried to spread to my friend's

30:55

account. And my friend was fortunate that

30:57

he acted quickly enough to be able to get everybody

30:59

get get everything, get the

31:02

password changed in all of his accounts before the guy

31:04

had any access to it. But he was immediately asking for

31:06

money to give him back access. I

31:09

think this, these attacks are

31:11

nation state sponsored and

31:14

they're going after they're

31:16

going after these open source projects because they know that

31:19

these open source projects are widely

31:21

distributed throughout the throughout the world.

31:23

Yeah. And if they're investing years into developing, I

31:25

mean, they know the payoff is huge. They're not

31:28

trying to rush this. I mean, I

31:30

know that I know the development cycles are not

31:32

super deeper, but still two years is a decent

31:34

amount of time. Yeah. My

31:36

concern is that what

31:38

we're seeing here is just the tip of the

31:40

iceberg and that the one capture

31:42

on the library and the other couple of things

31:45

in this article that it talks about are just

31:47

the ones that they happen to have been successful

31:49

at stopping. There may be

31:51

some out there that have not

31:54

been successfully stopped. And now

31:56

there are open source libraries that are

31:58

in distribution that have back doors in

32:00

them. Well, and

32:02

this one was found pretty much by accident,

32:05

right? Somebody was looking, someone had noticed

32:09

that there was a, that this library

32:11

had taken a speed hit. Someone

32:13

was measuring how quickly it functioned

32:16

and they noticed a difference that

32:18

for some reason it was burning up a lot

32:20

of, you know, processor time that it shouldn't have.

32:23

And so that's what got this person

32:25

curious and they started reverse

32:27

engineering it and that's how it was found.

32:29

It was a Microsoft researcher, if I recall.

32:32

It was. Yeah. And so it was just,

32:34

you know, someone had a very specific interest

32:37

in something that this did and was

32:39

curious enough and obsessive enough

32:42

to figure out or, or to want

32:44

to dig in as to why something

32:46

that should have taken a certain amount

32:48

of time took a little bit more

32:50

time than it should have. Um,

32:53

and so I think a lot of folks feel

32:55

like they dodged a bullet

32:57

with this one because it would

32:59

have been very likely that it wouldn't have

33:01

been noticed. That's, that's one of

33:03

the, uh, one of the metaphors that's used in

33:05

one of these articles I read about this. And I can't remember

33:07

if it was this article or another one, but I read like

33:09

six articles on this, but they said, you

33:11

should not be feeling happy that you've dodged

33:14

a bullet here because you've only dodged, you

33:16

only know about the bullet you dodged. Yeah.

33:18

Right. Yeah. Well, I think the, the

33:21

good news if there is any is that

33:23

this is making a lot of folks who

33:25

are working on open source projects, take a

33:27

fresh look at, right? How their security is

33:29

handled, how the, this

33:32

social engineering side of it that I

33:34

think, I think a lot of

33:36

folks who are technically minded and working

33:38

in technical, uh,

33:40

industries tend to under emphasize the degree

33:42

to which pure social

33:44

engineering play

33:49

could work on. Yes. Right. Yes. Yep. Yeah.

33:52

And there's a lot of social trust that goes into these

33:54

kinds of projects too. So, um, you

33:57

have to trust your collaborators on these kinds of things to

33:59

some degree. I mean, but

34:01

yeah, that's it's it's definitely worth making sure

34:03

there's some kind of process in place or

34:06

some protocol I would hope there would

34:08

be more but if you don't have any it's

34:10

time to get some together, for sure. Yeah.

34:13

Well, and there are countless projects like this that

34:16

are just some really, you know, it's that, what

34:18

is it, the XKCD comics? XKCD. Yes. Yeah, exactly

34:20

what I was thinking about. There's

34:23

always an XKCD comic for anything too, right?

34:26

Right. There's, you know, one

34:28

little piece is holding up this whole

34:30

big structure and that one little piece

34:32

is that tired little developer who's single-handedly

34:35

keeping track of some little open

34:37

source component that everything else is built

34:39

on, but nobody knows,

34:42

right. Yeah, there's nothing here for the

34:44

average person to do. This is definitely

34:46

on open source maintainers. Yeah, but

34:49

my point here is that this

34:52

is the same techniques that the average person sees,

34:54

the artificial time horizon, the pressure, the, the, hey,

34:58

buddy. Hey, pal. Let me help you out,

35:00

those kind of things, right, right. All

35:03

right. Well, we will have a link to those

35:05

stories in the show notes. Before

35:07

we get to my story, we're going to take a quick

35:10

break to hear Back

35:24

to the concept of integration. Know Before's

35:26

Security Coach uses standard

35:28

APIs to quickly and easily

35:30

integrate with your existing security

35:32

products from vendors like Microsoft,

35:34

CrowdStrike, Cisco, and dozens

35:36

of others. Security

35:38

Coach analyzes alerts your security

35:41

stack generates to identify events

35:43

related to any risky security

35:45

behavior from your users. With

35:47

this information you can set up

35:50

real-time coaching campaigns to target risky

35:52

users based on those events from

35:54

your network, endpoint, identity, or

35:56

web security vendors. These

35:58

campaigns enable you to coach your

36:01

users at the moment the

36:03

risky behavior occurs with contextual

36:05

security tips delivered via Microsoft

36:07

Teams, Slack, or email. With

36:10

35 integrations and counting, Security

36:12

Coach delivers the insight you

36:14

need to improve your organization's

36:16

security culture. Learn

36:18

more about Security Coach at

36:20

knowbefore.com slash security

36:23

coach. That's

36:26

knowbefore.com/security coach. All

36:42

right, we are back and I am

36:45

going to go out

36:47

on a limb at the outset and say that my

36:49

story is a doozy. A doozy. Love

36:52

doozies. Let's do it. So

36:55

Joe, this has some local appeal

36:57

to you and I. This actually took place

36:59

nearby at Pikesville High School. And I have

37:01

to say Pikesville is not too far from

37:03

us. In fact, it is not. My in-laws

37:05

live in Pikesville. I used to work in

37:07

Pikesville. Is that right? Yep. Where

37:10

is Pikesville? It's a suburb of Baltimore. It is

37:12

lovely. It's near Towson. It's a, uh, it's a

37:15

lovely community and probably, I don't know, 20, 25

37:17

minutes from us depending on

37:22

traffic. It is in Maryland. It is in

37:24

Maryland. Yes. The land of Queen

37:26

Mary. The land of Queen Mary.

37:30

So the principal of Pikesville

37:32

High School, whose name is Eric

37:35

Eiswert, found

37:37

himself at the center of some

37:39

controversy when an audio

37:42

recording of him saying

37:45

some terrible things started making

37:47

the rounds among the

37:49

school community. I remember

37:52

the news stories about this.

37:54

He was making racist and

37:56

anti-Semitic comments. Right. And

37:58

as you can imagine, this audio

38:00

file would spread like

38:03

wildfire. Yes. And it did. It was

38:05

all over social media. Yes. And I

38:07

remember people were trying this guy in

38:09

the, in the social media court and

38:11

getting ready to burn him in effigy.

38:13

Right. He was

38:15

pulled from his job. Uh, but

38:18

you know, given, um, what do

38:20

they call it when they suspended

38:22

with pay? There you go. He was on administrative

38:24

leave. Administrative leave. That's the term I was looking

38:26

for. Yeah. So he was pulled from his job.

38:29

Um, and they

38:32

had to put security at his house because

38:34

folks were making threats over social media. It

38:37

was just terrible. And, and imagine

38:39

the school community by all accounts,

38:42

uh, this was a respected and

38:44

liked principal of the school, but leader

38:46

of the school community. Uh, and

38:49

suddenly, um, you know, people

38:51

felt betrayed by this audio

38:54

file, by these allegations to imagine that this

38:56

person could have done this. Uh,

38:59

people felt, I think, you

39:01

know, rightfully, um, upset if

39:03

this were true. Right. Well,

39:06

turns out, which I

39:08

think should be the name of half the podcasts that

39:10

are out there, uh, turns out

39:13

that he

39:15

did not do it. Ah,

39:18

okay. There you go. Right.

39:21

Turns out that, uh, one

39:23

of his coworkers, uh,

39:25

someone who is named Dazhon

39:28

Darien, uh, who

39:31

has been arrested and charged with

39:33

using artificial intelligence to create a

39:35

deep fake to impersonate

39:37

the school principal. Now, if

39:40

I recall correctly, that

39:42

is exactly what the principal said had happened

39:44

when this initially took place. Is that right?

39:46

Yes. So Dazhon Darien

39:48

was the, um, head

39:50

of athletics at the school. And

39:53

we can only imagine that, you know, must've

39:56

had some kind of beef between him

39:59

and the principal. And created

40:01

this audio file allegedly and

40:03

sent it around. Ah, with

40:05

evidently was selective theo. New.

40:08

As such we all know that person writes

40:10

I sent a that this person it's gonna

40:12

make the rest of. Us

40:14

from high school believes in with like that seems like

40:17

a great idea. I'm going to do that right. Wow!

40:19

And the A breast. Exam. Boards

40:21

it was the gym teacher sorry, but. Just

40:24

as. A So. Ah,

40:27

the school district got involved and

40:29

the police came in. And

40:32

the Baltimore County Police, as

40:34

they started to investigate, things

40:37

just didn't add up. And

40:39

they discovered that, uh, this

40:43

sub gym teacher had been

40:45

doing searches for AI

40:47

tools, uh, using his computer

40:49

that was on the school

40:51

network. Ah, and

40:53

they found an email account that

40:55

was associated with this person that

40:58

was one of the ones that

41:00

was responsible for the initial distribution

41:02

of the audio file. Interesting yeah.

41:06

That they brought into account and science.

41:08

The stuck on that use. He's a

41:10

computer at school at the school. And.

41:14

He knows how much I think they're monitored

41:16

right? I mean, some right assess. Maybe not

41:18

as, I don't know. I, I don't know

41:20

that, that's, those specific details. It seems as

41:23

though that is the case. You know, the,

41:25

the specific details are, are a little

41:28

sketchy here or fuzzy anyway in the

41:30

reporting that I've seen on this, but

41:32

evidently there were enough bread

41:34

crumbs for the police to follow

41:37

that they charged him.

41:39

Ah, right, yeah, he's, he's charged with

41:41

a number of things now. One of the things that

41:43

they point out here is that there

41:45

really aren't direct laws

41:49

about this particular thing.

41:52

Ah, it's, well, it's like wire fraud

41:54

or something, what do you, ah,

41:57

they can get you for. So

41:59

the, the charges that he faces include

42:01

disrupting school activities, theft,

42:04

retaliating against a witness, and

42:07

stalking. Wait, hold on, pause a

42:09

minute. Disrupting school activities is a chargeable

42:11

offense. Is

42:13

that new? Because I hope that isn't, as

42:16

if, as if, I hope that wasn't the

42:18

case back in the eighties that it, it's

42:20

well appointed, you know, bomb threats and that sort

42:22

of thing. I've come to kind of understand

42:24

and bombing of is that there are all kinds

42:26

of laws on the books, right? And there are

42:28

proactive laws and there are reactive laws,

42:30

right. There are laws that you go out there

42:33

and actively seek to enforce, and there are reactive

42:35

laws which are on the books just in

42:37

case you need them. I'm, right, and I would

42:39

probably put disrupting school activities as being one

42:41

of those, and I don't know if it's

42:43

a misdemeanor or felony or who knows what.

42:47

The sas to is because

42:49

when more scrutiny was put

42:51

on this person. Ah,

42:53

turns out that they are, again,

42:55

are alleged to have inappropriately

42:58

distributed some school funds.

43:01

So, that's part of what's

43:03

going on here. So, uncovering

43:06

other, other actions that,

43:09

in, during the investigation. Correct. Okay,

43:11

but nothing actually about impersonating him.

43:15

No. Well, no, because, you know,

43:17

I don't think it's illegal. Yeah, right,

43:19

right up. Or in here. So

43:23

yeah. So I think, as

43:26

I read through this, what it

43:28

really brought home to me was,

43:31

ah, the, communities'

43:34

rush to judgment. Young.

43:38

Which is an understandable impulse, right? I

43:40

mean, the accusation was of doing horrible

43:42

things, of, uh, saying horrible things. I

43:44

think we talked about this when

43:47

it first happened. I

43:49

may have brought that up, like I think

43:51

that, we, oh, this guy. I don't know,

43:53

maybe I didn't, but I assume I'm thinking,

43:55

well, this guy at least, the

43:57

benefit of the doubt here. Okay,

44:00

put him on administrative leave till we sort

44:02

this out, and if it comes

44:04

out that he did it, we can dismiss him.

44:06

If it comes out that he didn't do it, you

44:10

know, no harm, no foul, right? Now except for the

44:12

damage that has been done to the school community. There

44:14

is always, ooh, the, a lingering, that

44:17

lingering doubt. I mean, this is what any

44:19

accusation does. His reputation has taken a

44:21

hit through no fault of his own. Yeah,

44:23

yep, yeah, right. Yeah, I don't know if

44:26

he has kids or not, but you know,

44:28

Daddy, why is, are there guards out

44:30

front of our house? Right? Yeah, no, and there's

44:32

all kinds of things that come

44:34

from this, but I

44:37

think it's just a terrible example of

44:39

somebody, this, so this is a new

44:41

reality that we're in here. It's easy

44:43

to do, right? Right. You have someone

44:45

who was a public individual, so not

44:47

hard to get a voice sample, like,

44:50

ah, and you can spin something

44:52

like this up effortlessly, for

44:55

free. And that's what this person

44:57

did. Yeah, the benefit of

44:59

the doubt is not a very

45:01

stylish thing right now. Professor. So

45:03

yes, like, as much as we need it

45:05

more than ever. It's not, it's not really

45:07

a thing anymore. Seem so originally from.

45:10

Yeah. And of course the other side of this,

45:12

to be fair, is that folks who

45:14

didn't do horrible things or say horrible things,

45:16

one of the ways that they'll try to

45:18

deny it will be, will say, oh, well,

45:20

obviously that's a deepfake. I never said that.

45:22

while back that me know you can do

45:24

that for free and and cc and yep

45:26

I'm a public official, of course someone did

45:28

this to me. Isn't. My

45:30

Or and that's where we are such

45:32

play with eight. Yeah,

45:35

I mean, I don't know how we work this

45:37

out. I don't know how we sort this out.

45:40

It's going to lead to, hopefully,

45:42

more skepticism, I guess. But

45:44

who do you believe? Who do?

45:46

At some point, you, to believe people,

45:48

have to trust people, and this

45:50

is yet another injection of

45:52

uncertainty in our ability to trust

45:55

each other, and struggling. And

45:57

as. An. Array. All

46:02

right, well that is my story for this week.

46:05

We will have a link to that in the show

46:07

notes. And of course, if there's something you'd like us

46:09

to consider for the show, please

46:11

email us. It's hackinghumans

46:13

at n2k.com. Joe,

46:16

the catch of the day has the week off this week.

46:18

All right. It gets intimidated by Maria.

46:20

So we'll be back next time. I've been

46:22

told. I've been told. I'm

46:24

sure it's out fishing right now. Yeah,

46:26

exactly. Right. I knew better.

46:28

So the catch of the day will return

46:31

next time. But until then,

46:33

Maria, thank you so much for joining us. It is

46:35

always a pleasure. And we are so happy

46:37

to have you take the time to be with us. Oh, thank

46:39

you for having me. I always have a great time. So

46:41

if folks want to check out some of the other things

46:44

that you're up to, what's the best way to do that?

46:46

Oh, please listen to T-minus Space Daily anywhere.

46:48

Fine podcasts are pervade. And

46:50

space.n2k.com is our website. We

47:01

want to thank all of you for

47:03

listening. And of course, we want to

47:05

thank our sponsors at Know Before. They

47:07

are experts at enabling a fully integrated

47:09

approach to security awareness training. Our

47:17

thanks to the Johns Hopkins University

47:19

Information Security Institute for their participation.

47:21

You can learn more at ISI.jhu.edu.

47:25

N2K's Strategic Workforce Intelligence optimizes

47:27

the value of your biggest

47:30

investment, your people. We

47:32

make you smarter about your team while

47:34

making your team smarter. Learn more at

47:36

n2k.com. Our

47:38

executive producer is Jennifer Iben. This show

47:40

is mixed by Trey Hester. Our executive

47:43

editor is Peter Kilpe. I'm Dave Bittner.

47:45

I'm Joe Kerrigan. And I'm Maria Varmazis.

47:48

Thanks for listening. Thanks

47:55

for listening. Please subscribe to our channel. Thank you for

47:57

watching.
