Episode Transcript
0:02
You're listening to the CyberWire Network, powered
0:04
by N2K. Hello
0:15
everyone and welcome to N2K CyberWire's Hacking
0:17
Humans podcast, where each week we look
0:20
behind the social engineering scams, phishing schemes,
0:22
and criminal exploits that are making headlines
0:24
and taking a heavy toll on organizations
0:26
all over the world. I'm Dave Bittner
0:29
and joining me is Joe Carrigan from
0:31
the Johns Hopkins University Information Security Institute.
0:33
Hey, Joe. Hi, Dave. We
0:35
got some good stories to share this week
0:38
and once again we are joined by our
0:40
N2K colleague and host of the T-Minus Space
0:42
Daily podcast, Maria Varmazis. Maria. Hi,
0:44
I'm back. I'm here. We
0:47
are excited to have you back and
0:50
we will be right back after this message
0:52
from our show's sponsor. But
1:02
first, a word from our sponsors at KnowBe4.
1:04
We're not talking conspiracy
1:06
theory when we say it's all connected.
1:09
When it comes to InfoSec tools,
1:11
effective integrations can make or break
1:13
your security stack. Though not
1:15
as common, the same should be
1:18
true for security awareness training. Not
1:20
only does KnowBe4 deliver the world's
1:22
largest library of security awareness training, but
1:25
they also provide a way to integrate
1:27
the various elements of your existing security
1:29
stack to help you strengthen your organization's
1:32
security culture. Stay with
1:34
us and in a few minutes we'll
1:36
hear from our sponsors at KnowBe4
1:38
about how you can integrate security awareness
1:40
with your tech stack like never before.
1:50
All right, Joe and Maria, before we jump
1:53
into our stories this week, we have a
1:55
bit of follow-up here. Joe, you want
1:57
to take us through what we got? Yes,
1:59
Dave. Raul wrote in, he said,
2:01
hi, David and Joe and Maria, absolutely
2:03
love, love, live and breathe the
2:06
show. I love it when listeners love, live
2:08
and breathe the show. Okay. It's my favorite.
2:11
I witnessed the infamous Facebook post of the
2:13
fake car crash. Dave, you were talking about
2:15
this a couple months ago. It's
2:18
still making the rounds. Still making the rounds.
2:21
I've seen it recently. Yeah. With
2:23
the person's account saying, I can't believe he's gone.
2:25
I'm going to miss him so much. I
2:28
did not click on the link, but I did
2:30
report this post as a scam or a spam
2:32
rather. Yeah. Facebook instantly closed
2:34
the report and did nothing with it. Yeah.
2:38
So, and he, that
2:40
Raul sent along screen caps of
2:42
the, of the report that he sent and it
2:45
said right underneath it: closed. Yeah.
2:47
I mean, there are several versions of this. And
2:49
I think one of the things is that you,
2:52
there is no perfect category
2:54
to list this under when
2:56
you report it to Facebook. And
2:58
I think that's intentional. Yeah. Because
3:01
they certainly wouldn't list clickbait
3:03
as a category, would they? No, I
3:05
mean, it could
3:07
say misinformation, but it
3:09
really doesn't. Yeah. So
3:11
I stopped reporting this because
3:14
something clicked in my head where I thought, oh,
3:16
wait a minute. If I keep reporting this, is
3:19
Facebook going to consider this to be
3:21
engagement and give me more of
3:23
them? Right. So every time it comes
3:25
up for me now, I just click and say, please
3:27
show me less of this. Please show me less of
3:29
this. Right. Interesting. You're gaming
3:31
the algorithm. That's smart. Well,
3:34
I'm trying. The problem is the
3:36
algorithm is so fricking aggressive. You
3:40
know, it's like, Oh, wait a minute. You stopped
3:42
and looked at sunglasses for five seconds. So for
3:44
the next week, it's going to be all sunglasses
3:46
all the time. Oh,
3:49
great. Thanks. That's really useful.
3:52
Dave, I love hearing about how, how happy you are
3:54
that you came back to Facebook. You
3:57
can hear it. It's just dripping from his voice.
3:59
Oh yeah. It's been time well
4:01
spent. Absolutely. All right.
4:03
What else we got, Joe? We got
4:06
one that's a follow-up on episode 286.
4:09
It says, David, Joe, hello. Last summer I
4:11
was in London for a conference. I got
4:13
harassed. This is talking about the
4:16
con woman at the Piccadilly Circus
4:19
or Piccadilly station, okay, in
4:19
London. Uh-huh. I don't know if
4:23
that's an underground station
4:25
or if it's like just a train station. I
4:27
have no idea. Okay I
4:30
got harassed slash scammed at Piccadilly station
4:32
as well. Being alone and
4:34
nonchalant, I guess I was quite approachable. A
4:36
lady walked up to me and started giving
4:38
me a story about herself being an immigrant
4:40
and not having enough money to make it
4:43
to the next station. She too
4:45
asked me if I could buy her tickets showing
4:47
me an app, although it did not
4:49
have any money in it. She promised that she could
4:51
have money. Hmm. I
4:53
I tried to decline but she was pushy
4:55
about it and followed me. Eventually I gave
4:58
in walked over to Walked
5:00
over and bought a bought her physical
5:02
tickets at a machine for about 20
5:04
pounds. Hmm. I Recall
5:07
her not being quite happy but not
5:09
entirely disappointed I figured if she was
5:11
having a tough time getting money Then
5:14
I could help her and it maybe if she was
5:16
also also if she was scamming me the guilt of
5:19
someone Being genuinely kind without
5:21
expecting money back would make her change
5:23
her ways. That's adorable. I like right
5:28
That is not what's happening if
5:32
you're being a scam know these people Maybe
5:34
it's a bit poor me to think that way. I don't think
5:37
so. Alec. Anyways, forgot about
5:39
this story until the other
5:41
listeners shared their Piccadilly story. Thanks for the
5:43
podcast and many happy years ahead. I don't
5:45
mean to give Alec a hard time because
5:47
I've said many times on here that you
5:50
know, I too
5:52
am a soft touch for scammers.
5:55
I tend to give people the benefit of
5:57
the doubt, and my attitude is I
5:59
would rather go through life losing some
6:01
money every now and then than brutally
6:04
assuming that everybody is out to scam me. Yeah, ah,
6:06
yeah. I mean, if you buy a ticket
6:08
for twenty pounds or twenty bucks, then
6:12
you're out
6:14
twenty bucks. Right? Now it's not a big loss. You
6:16
know your loss is going in. Ah, maybe
6:19
you're helping somebody and you can think that
6:21
I feel like I should mention here, for
6:23
people who don't know about Piccadilly, that's like
6:25
the Times Square of London. So there are
6:27
a lot of scammers walking around that area. So
6:30
it's a suffer any on your like that is in
6:32
London. On this isn't doesn't know this like that
6:34
is a hotbed of a lot of not
6:36
the great activities. Are so that they're
6:38
on the lookout for. A
6:40
Run. Outside you walk in
6:43
there with the straw hat and pieces
6:45
pieces grass to get your mouth. Success
6:47
or a hundred years and I'm overall
6:49
the process. Rice with a map and
6:51
Europe printed map and your hand running
6:54
around five I have learned man around
6:56
here. Ah,
6:59
I've never been to
7:02
Piccadilly Circus, but I think my
7:04
most vivid... well, the
7:06
image that pops up in my mind
7:08
is the final scene in An American Werewolf in
7:10
London. Was.
7:12
Off as I don't know the final
7:14
scene but I go to a different
7:16
movie or go down to Wayne's World.
7:18
Ah at the where they had his
7:20
references they had a couple of obvious
7:22
bob body doubles standing it onto the
7:24
Billie circuits. Are the circle going? well?
7:26
way worse. Piccadilly Circus office? it's it's.
7:30
Hilarious. Yeah, Hopefully.
7:32
Someday I'll get there, but so far I've never had
7:34
the pleasure. All right, we got
7:36
one more bit of follow-up. You know
7:38
what we got? Paula said that we
7:40
mentioned people being on their phones after a
7:43
flight gets cancelled, and Paula makes the astute observation
7:45
that some of these people probably have concierge services
7:47
with their employers that they're required to go
7:49
through, so that's why they go on their
7:51
phones and call the concierge service. Rather than
7:53
wait in line, they get it done
7:55
immediately. Right. Oh, nice. That's live in that
7:57
is a, are, you know, I used to
7:59
I worked for a company that had this kind of thing, but
8:02
I never had to use it. Actually,
8:04
no, I never had to use it. I
8:07
missed a plane once, but it was prior to that.
8:10
Yeah, but I never had a problem with it.
8:14
I have been around folks who have this
8:16
sort of thing or organizations where
8:18
this is, I guess, a
8:20
perk of being at the executive level. I've
8:23
never been at that level. No. No.
8:26
That's funny because the places I've worked at, lower
8:29
folks had to use the booking
8:32
service and it was the executives that could book direct.
8:35
Oh, isn't that interesting? Maybe
8:37
things have changed a little bit, but us lower
8:39
rung folks were the ones that had to go
8:42
through the travel agency. All
8:44
right, well, it could be that my perception is
8:46
completely upside down. When
8:48
we booked through the agency, all
8:51
of our expense reporting got done automatically, which
8:54
was nice. That is nice. I didn't have to fill out
8:56
an expense report for every trip I went on, but
8:59
they were numerous at one point. Yeah. All right,
9:01
well, our thanks to Raul, Alec, and Paula
9:03
for sending in these kind notes. We do
9:05
appreciate it. And of course we would love
9:07
to hear from you. You can
9:10
email us. It's hackinghumans at n2k.com.
9:14
All right, let's jump into our stories here. And
9:16
Maria, as our special guest, you wanna kick
9:18
things off for us? Oh my goodness, my
9:20
pleasure. Okay, so rhetorical, real question
9:23
for you, but not rhetorical, an actual question
9:25
for you both. Do you
9:27
use or have you heard people sort
9:29
of short handing a service that one
9:31
can call when one is
9:33
having trouble with one's computer or electronic devices
9:35
at home? Geek
9:39
Squad. Yeah. Yeah, Geek Squad. Is
9:41
it Geek Squad or? Right. Right,
9:43
or Joe and Dave's lifetime technical support. That's just for
9:45
our parents. I was gonna say like, in my family
9:47
it's called Maria. Yeah, but Maria
9:50
is the Greek Squad, Geek
9:52
Squad in my family, but that's. But
9:54
I would say Greek Squad. That's
9:56
great. You're welcome. Uh,
10:00
thank you. Thank you. Please tip your waiters.
10:02
Try the veal. Um, I would say in
10:07
my mind, geek squad is, is
10:09
the Vaseline, the Q-tip, the, the,
10:11
um, you know, the
10:13
generic name for this sort of thing, the big
10:16
corporate provider of this sort of thing. It
10:18
is the phrase that I hear a
10:20
lot, uh, that people just use as that short, exactly
10:22
that shorthand for I need technical help with some
10:24
kind of house call. Um, so I
10:27
guess it's, it's good job, Best Buy, on getting that
10:29
branding out there like that. Um, so,
10:31
uh, this, that was a term in
10:33
mind for one gentleman, Charles Gibbs of
10:35
Ontario, Canada. Uh, he thought he
10:37
was getting geek squad help when he had a
10:39
printer. It's always a printer, isn't it? That was
10:41
being very troublesome at home. They are. Printers are
10:44
the worst. They are the worst. They are
10:46
actually the worst ever. Uh,
10:48
so my, my sympathies, Mr. Gibbs. So he did
10:51
what a lot of people in this situation would
10:53
do. He didn't have a Maria to call on
10:55
for IT support. So he just Googled Best Buy
10:57
and Geek Squad. Uh, you know, why not?
11:00
And the first result he got in his
11:02
search results, again, this was a Google search was
11:05
a very legitimate looking website, official
11:07
logo, the location lookup services
11:09
working and pointed him correctly to his
11:11
nearby Best Buy that he knew was his. Um, and
11:14
it confirmed that store was real and it even gave him a
11:16
phone number to call. So there was
11:18
nothing alerting him that this was a scammy
11:20
website or something that he shouldn't trust. It
11:22
looked completely legitimate. So on that cursory
11:24
glance, he called the number that he saw on that website.
11:27
And I'm sure many of
11:30
our listeners and you too know
11:32
exactly what happened next. Uh, what
11:34
unfolded was very familiar. Mr. Gibbs,
11:36
thank you for calling Geek Squad. Oh,
11:39
it looks like there's a $349
11:41
refund balance on your account. That's just sitting there.
11:43
Don't you want this money? We'll happily get it to
11:45
you. If you just let us know your banking info,
11:47
we can just have that sent direct deposit. So it's no
11:49
trouble for you whatsoever. You know, you've got enough to deal
11:52
with. Here you go. Oh, and oh,
11:54
oops. Oh no, we sent you $10,000 instead.
12:00
That happens all the time. So yeah, right
12:04
That's when I hang up. That
12:06
is wise. I'm not surprised that you
12:08
knew that. Go out and spend ten
12:10
thousand dollars. It's going to do something useful with
12:12
that money. Yeah, listeners know,
12:15
this is a common script. We've covered
12:17
it, y'all have covered it, everybody knows, but
12:19
yeah. So the scammers sent Mr. Gibbs on
12:21
little errands between the bank and a Bitcoin
12:24
ATM to supposedly return that excess money to
12:26
Best Buy. And after all
12:28
was said and done, that supposed $349 refund that was due to Mr. Gibbs
12:31
ended up costing him twenty five
12:33
thousand Canadian dollars, which is like 18,000
12:37
US dollars, which is a lot. So
12:39
because of his experience, Mr. Gibbs actually went
12:41
to CTV and told his story to let others
12:43
know about his experience. So good job, and
12:46
how excellent. Thank you, Mr. Yes, and hopefully the other
12:48
people will learn from it, especially other seniors like
12:50
himself. And he said this quote:
12:52
when they said I needed to pay even more
12:54
money for currency conversion, I figured that that was
12:56
enough and I didn't give them any more. While
12:59
it was happening, it was almost like I was
13:01
in a trance and I kept thinking
13:04
it was me that called Best Buy Geek
13:06
Squad, and they are reputable companies. Which
13:09
is, which is a very interesting quote. I think
13:11
that's a very relevant quote here. So
13:14
in your expert opinions, to me,
13:16
this sounds like SEO poisoning, a classic technique.
13:19
So bad guys gaming the search engines to make
13:21
sure their scammy websites rank higher than the legitimate
13:23
ones. Now, in your, was it
13:25
an ad that he clicked on? We don't see. That's the
13:27
thing I was trying to figure out. Was it a sponsored, was
13:30
it an ad, or was it just at the top of the
13:32
search results? I don't know because that wasn't in the article. I
13:34
would be very interested in that. Well. Yeah,
13:36
I mean, I would think these days of anything
13:40
you Google search, an ad is gonna be at the
13:42
top of the search results. And
13:44
since Google is doing such an awful
13:46
job these days of differentiating between ads
13:48
and actual content, in the least. Yeah.
13:51
Yeah, I, that's, you know, I've, I
13:54
will cynically put some of this on there. I
13:56
think you're right on. I actually tried to replicate
13:58
this and I got a legitimate-looking
14:00
website that was like an off-brand
14:02
Geek Squad in my area. It didn't, it
14:04
didn't look like the Best Buy website, but it
14:07
looks close enough. No, I just
14:09
thought that was just amazing. It wasn't the same service I'm
14:11
sure that Mr. Gibbs found, but it was something else in
14:13
my area trying to do the same exact thing.
14:15
I have no idea if it's legit or not or if it's just
14:19
counterfeit, but either way,
14:21
it's amazing. Somebody's selling fake Geek
14:23
Squad franchises. Yeah, it was called
14:25
like Friends or something. I was
14:27
like, what is, really, really keeps
14:29
friends. Yeah, I don't want to
14:31
be friends, honestly. I wasn't lonely.
14:33
Geek there
14:35
you go, in your area. No, so yeah, it
14:37
was, it sounded like a pretty classic SEO
14:39
poisoning attack, and the
14:41
reminder for everyone, of course, is always be wary
14:43
what you click, that search engines are not nearly
14:46
as trustworthy as they used to be.
14:48
And of course, yeah, Best Buy knows
14:50
about this. Many companies like
14:52
this, that their brands are getting hijacked, they know about
14:54
this kind of thing, but as we've covered before, it's like
14:56
whack-a-mole. You take one of these websites down, a bunch of
14:59
them replace it pretty quickly. So
15:02
what can you do to protect yourself? What
15:04
can you do to protect yourself? Yeah, what can you
15:06
do to protect yourself from getting
15:09
fooled by attacks like this? Vigilance.
15:12
I mean, that's really the only
15:14
thing. Well, don't click
15:16
through to a site,
15:19
a big name site that you're trying to
15:21
get at. Like, for example, if you want
15:24
to go to Best Buy, type in
15:27
BestBuy.com. Don't
15:29
click on the link after
15:31
a Google search for Best Buy. I
15:34
think that's valid, and I think that is the advice,
15:36
and I'm gonna just be a little annoying.
15:39
If you are not the most technically
15:41
savvy person and maybe you've got a
15:44
lot of advice bouncing around your head about
15:46
how scary the internet is. I'm just remembering
15:48
when whitehouse.com was a website you really did not want
15:50
to go to. I mean,
15:54
it just, sometimes people get really freaked out, like, I don't know
15:56
which one's the right one. Maybe I'll Google search it to figure
15:58
out which one I should use, and then at this
16:00
point they see a result. I think it's
16:02
an excellent point. I mean, a good, dear
16:04
friend of mine pointed out
16:07
to me that his sister believes
16:11
that the Google home page is
16:13
the front door to the internet. Like,
16:16
so, in other words, when she
16:18
brings up a browser, it
16:20
defaults to Google, which is,
16:23
I think, really, really common.
16:25
And to her, that's where you begin.
16:28
Ah, you don't put the name of
16:30
where you're going up in the
16:33
URL bar, you put it into
16:36
Google and then Google takes you
16:38
there, right? So I think that's
16:40
a pretty common reality
16:42
for a lot of folks who are just
16:45
runs in a, who aren't sophisticated
16:47
tech folks. Why, I got a
16:49
busy day and this is my
16:51
first, makes sense and it works.
16:53
It works as a model there
16:55
right, at, you know, I, I
16:57
used to think that way about
17:00
Yahoo. Not knowing that
17:02
was not the front page, but whenever
17:04
I loaded Miami, this is way back.
17:06
Remember it though? Yeah, yeah, yeah, yeah,
17:08
before Google existed. Your Yahoo
17:10
would be my front-end page, and I'd
17:12
be like well let's see what's out there
17:14
and look at and it when I open
17:16
a web browser came up to Yahoo and
17:18
that's how I thought about it. right now
17:20
it comes up to the default unloaded paid
17:22
says why do every single time. Or
17:24
and I do that parts of the drink
17:26
remind me that. This is not
17:29
to some. Search. Sites and Go
17:31
and are just some search engine is
17:33
course my main browsers Chrome a such
17:35
as it has the before to the
17:38
same sorts of says right in front
17:40
and then I'm. Serious. I mean, I'm not sure
17:42
if he was on a desktop or if he was
17:44
on his phone. Because if you're on your phone,
17:46
it's a whole other level of difficulty there
17:48
too. Yeah. There's a bright realist
17:50
a problem on phones. Yeah. So I
17:53
know they're, the advice is, as you said, you know,
17:55
go directly to the website, but then we've also kind
17:57
of a little bit freaked people out of support. That
18:00
puts them between a rock and a hard place on
18:02
that one. For sure. Joe, you nailed it
18:04
with the never give out your bank info. Just
18:06
disconnect the phone right there. That is always
18:08
the reddest of red flags. I was trying
18:10
to say that I would hang up as soon as
18:13
they put the ten thousand dollars in my account.
18:15
The fact of the matter is they never put ten thousand dollars
18:17
in this guy's account. There's, there's
18:19
not a risk there, and if,
18:21
if the guy is online with
18:23
them, what they're doing is they're
18:25
manipulating a web page he's watching
18:27
while it's going on. The,
18:30
Or it's, it's a, it's a social engineering attack.
18:32
By you. Know with the
18:34
way to handle this is years when when
18:36
somebody says hey we have a we have
18:38
a we have a i of a balance
18:40
here that we knew transfer you him your
18:42
baggage out to six israeli attack. Isn't
18:44
from in second mailed to me and. I.
18:47
Don't need that money right now. It's fine. But
18:50
then again, maybe, maybe you do. Maybe
18:53
you do need that money right now? Well, chances are
18:55
this is a scam and there is no
18:57
money, and you're only gonna wind up
18:59
in greater need of money at this point in time.
19:02
So, yeah. Right, write me a check. Until
19:05
the check bounces. Okay, now a sort of the process.
19:08
Of success at a set of upsides, but
19:10
circle never show up I guess. I guess.
19:13
The problem I have with write me
19:15
a check is that even at that
19:17
level, it's engagement, right? And you're
19:19
on Tuesday, puts you in a narrowing way or
19:21
what's your address? Yeah Riley when you're on your
19:23
hands and now they send you a check and
19:26
there's a problem with the check, but the check has
19:28
a tech support call number on it. Oh,
19:30
we forgot to sign that. Said, hey, no problem.
19:32
lit tell you why couldn't it is becoming set
19:34
announcing scam where they send you a check for
19:36
too much money. Right,
19:39
That and then it could be again writing thing all over
19:41
Than always said he would send our guard. Second set of
19:43
three hundred forty nine. Means.
19:46
Yeah, business. Model.
19:48
from there right in front of the us
19:50
story are alma opposite of your fantasizing about
19:52
how to deal with these guys, and you
19:55
got the right answer, which is terminate the call.
19:57
Then he realizes the printer is still not working.
20:00
Right. No, he's
20:02
going to fix his printer. Printers don't work.
20:04
Yeah. Except throw it out the window.
20:06
Yeah. Right. Go
20:08
buy another one. Yeah. I
20:10
got so frustrated one time with the printer. It didn't work. I just
20:12
went out and bought another one. You didn't just always made it great.
20:15
Yeah. I'm
20:17
going to Office Space it. We've Office Spaced a few things in
20:19
my house. There was a Bundt
20:22
pan that would tear my wife's cakes apart
20:24
and back out office. You Office Spaced the
20:26
Bundt pan. My kids did.
20:29
Yeah. Were there explosives involved or
20:31
just hammers? Just baseball bats and
20:34
some Geto Boys music in the back.
20:36
Yeah. Absolutely. That
20:39
was it. Absolutely. They made a Vine of
20:41
it. That's how long it was. Oh, geez. Funny
20:43
rip. Wow. All
20:46
right. Yeah. I'm actually friends
20:48
with the person who shot that scene. Are
20:50
you? Yeah. Yeah.
20:53
It was shot way after the movie was wrapped also. Like
20:55
the movie was shot in California and that scene was shot
20:57
in New Jersey or something like that. That's
20:59
what actual lore is. But yeah, that's
21:01
a great movie though, by the way. The movie is
21:03
Office Space. If you haven't seen it, it's
21:06
a Mike Judge movie, and that scene is, the
21:08
whole movie is great. In my opinion, I
21:10
think it's just, it's, I love Mike Judge
21:12
and just about everything he does. Yeah.
21:15
All right. Well, uh, Maria, good advice.
21:17
And of course we will have a link to
21:19
that story in the show notes. Uh, Joe, what
21:22
do you have for us? I have two things,
21:24
uh, Dave Maria, but the first was really quick.
21:26
Dave, you remember way back in episode 272. Sure.
21:32
Yeah. In January, there was a
21:34
listener named Michael who wrote in about getting scam
21:36
texts for toll roads. Yes.
21:39
Well, the FBI has, through the, through the
21:41
Internet Crime Complaint Center, has released
21:44
a public service announcement. Uh,
21:46
and we can put a link to this in the
21:48
show notes. It says smishing scam regarding debt for toll
21:50
road services. So apparently this is
21:52
a common thing. Uh, they're,
21:55
they're calling it a new scam, uh, since
21:57
early March of 2024. However,
21:59
Dave. We've been talking about it since
22:01
January 2024, right? Go on.
22:03
So they've received
22:06
over two thousand complaints about smishing
22:08
texts that say the recipient owes
22:10
money for unpaid tolls and contain
22:12
almost identical language
22:15
with the outstanding amounts. So,
22:17
Interesting about this advisory. Understand if you
22:19
get these texts there's a stamps or
22:21
to try to get you to pay
22:23
the twelve hours before the mythical fifty
22:25
dollar bills approaches right? The these the
22:27
mystery that I think is still out
22:30
there when it comes to this. That.
22:33
I did not see addressed in the
22:35
information from the FBI was
22:38
the part that Michael shared with us
22:40
about how a text message would come
22:42
moments after they were on a toll road.
22:44
Yeah, there seemed to be some kind
22:46
of geofencing, right? That was
22:48
all this the mysterious to me?
22:51
Yeah, still mysterious, isn't it. Because
22:53
I can understand just a generic, you know?
22:56
spray and pray, send everybody
22:58
we can a thing that says
23:00
you owe, you have a balance on a toll, right?
23:03
To me that's run of the
23:05
mill. Just out there for kind
23:07
of fact that we can you know scenario
23:10
right? But the part that Michael
23:12
shared, where he seemed to be somehow
23:14
geofenced to actually being on a
23:16
toll road, that is still
23:18
intriguing to me. It is interesting,
23:20
quite the wrinkles this story has.
23:23
All right, what else you got,
23:25
Joe? So I've got a story
23:27
that has kind of been in the
23:29
news, developer news, and I'm going to
23:31
talk about software development. So buckle
23:34
Up everybody are so good! To
23:37
see of just if a. There
23:39
is a, there's a utility that's included with
23:41
a lot of Linux distributions called XZ
23:44
Utils. A Linux? I'm kidding.
23:46
I'm kidding. Right? A subset of
23:50
Suffice, that's like a unique says
23:52
yes very much as. I
23:54
get on internet. Is this the year of the Linux
23:57
on desktop? Sorry, okay, other. Assistance.
24:00
Let's hope that'll never happen. So
24:03
anyway, these utilities were developed by one
24:05
guy, essentially, as is the case
24:07
with a lot of these open source projects. And
24:10
he was developing them in his own spare
24:12
time. And on his, um,
24:15
on one story I read about this, he was saying that,
24:18
um, there were, there were, he was
24:20
saying, he's getting kind of worn down and getting kind of
24:22
exhausted. And somebody said, Hey, I'm
24:25
happy to help take over this, this
24:27
project and help you, help you work
24:29
on it. Um, and his name is Jia Tan.
24:32
And he positioned himself as
24:34
a, or actually they, this
24:37
report says they positioned themselves cause they believe this
24:39
is actually a group of people from a nation
24:41
state. Um, they positioned
24:43
themselves to be able to put a
24:46
back door into this product,
24:48
into these libraries, these, um, these
24:51
XZ libraries. And these
24:53
XZ libraries have to do with file compression. So
24:57
there are Linux distributions that use that
24:59
these file compression libraries. And
25:02
there was not widespread distribution
25:04
of the back
25:06
door because it was detected before it
25:08
could be, uh, before it could
25:10
be widely distributed, but it was there and it
25:13
was heavily obfuscated, which means it was hard to
25:15
see. Well, there
25:17
is an organization called, uh, the
25:20
Open Source Security Foundation,
25:23
which is, um, they,
25:25
they work on the security of open source software.
25:28
And there's a company called or another organization,
25:30
OpenJS, who is the, uh, the
25:30
Open JavaScript Foundation. They're issuing
25:36
a security alert for
25:38
all open source projects to watch out
25:41
for social engineering takeovers of their projects.
25:44
So apparently someone is really
25:46
targeting open source projects because
25:48
if you can get into an open
25:50
source project and put a backdoor into
25:52
it successfully and
25:54
undetected, chances are over
25:57
time, that project is going to
25:59
be distributed with so much other software.
26:01
If you think about the Log4j
26:03
vulnerability, I don't know that was deliberate,
26:05
and I don't think it was. It was a bug. But
26:08
Log4j is so
26:10
ubiquitous that I
26:12
remember using it back in the early
26:15
or late two thousands. And
26:17
it's been just around
26:19
for, for that
26:21
long. It's, it's a library that
26:23
everybody has in just about every Java
26:25
project that they, they produce. So
26:28
There are some suspicious social engineering patterns
26:30
to look for. Ah, that
26:33
that the, of the open,
26:36
the OpenSSF and Open
26:38
JS people say. So, for
26:40
one, friendly yet aggressive and persistent
26:42
pursuit of, of maintainer
26:44
or, of the maintainer
26:46
by a relatively unknown
26:48
member of the community. So a new person
26:51
comes up and says, hey, I need to
26:53
be part of this system. Put me
26:55
in charge, give me a position of
26:57
authority, I'll do the best job on this
27:00
thing. Maybe that is a guy that is
27:02
working for somebody who wants to protect on
27:04
your software. Requests to be elevated to maintainer
27:06
status by new or unknown persons.
27:10
Endorsement coming from other unknown members
27:12
of the community who may also be
27:15
using false identities, and the term for
27:17
this is called sock puppets. Which,
27:21
I love that term. Then.
27:23
It says pull requests
27:25
containing blobs as artifacts.
27:27
So, ah, this is where
27:29
I have to get into developer stuff. So a
27:32
pull request is something you do on
27:34
GitHub where somebody has cloned your
27:36
repository and they've made changes and
27:38
they've uploaded to their repository. Then they issue
27:40
a pull request for you to pull
27:43
their changes into your repository. And
27:45
if they have large,
27:47
well, blobs, which are binary large
27:49
objects, in their, in their
27:52
code as artifacts, chances are that could
27:54
be the back door masquerading as something
27:56
like a test, as it was in the
27:58
case of those compression utilities. It's basically
28:00
bits of code. We don't know quite what it does and
28:02
we're not sure it should be there. Right,
28:05
and it's not in source codes. You can't just
28:07
read it. You actually have to reverse engineer it.
28:09
Right, you have to do the reverse engineering on
28:12
it, which is not a task that
28:14
every single developer can do. There
28:16
are some security researchers that are really good at
28:18
it. That's what they do. Vulnerability
28:21
researchers or malware researchers in particular, they go
28:23
after it and they're good at doing it.
28:25
But most developers I've met have been very
28:27
good at writing the code into the machine
28:29
code, but not great at getting it back
28:31
out. Just because
28:33
that's not where they spend their time. That's not what
28:35
they do. It's a different area. It's a different thing. Right,
28:38
it is. It is. Intentionally obfuscated
28:40
or difficult to understand source code, so if
28:42
you get source code that is not plain
28:44
and not clear, that should be a
28:46
red flag anyway. That may be bad development. It
28:49
may be a developer that's not that skilled. Could they be using
28:51
AI? Right.
28:54
All the AI code that I've tried to
28:56
generate recently has all been pretty clear and
28:58
pretty concise. For now. Sorry, I'm
29:01
just thinking of everything I did now. I'd
29:03
say wait, maybe that's a red flag. Once
29:05
the AI is clean. Right. Gradually
29:09
escalating security issues. Let's
29:12
see, a deviation from the typical project
29:14
compile. So
29:16
this is again, if you start using different
29:18
chains, different compiler chains, you start
29:21
including blobs and zips and other binary
29:23
artifacts into your builds. If
29:26
you're not a software engineer, none of this matters to you, so you don't
29:28
need to worry about it. But
29:31
the final point here is a false sense
29:33
of urgency, especially if
29:36
the implied urgency focuses on,
29:38
focuses a maintainer to reduce
29:40
the thoroughness or
29:42
review of bypass control. So
29:46
this is the typical, asks
29:50
to deviate from the standard process, which we
29:53
see in a lot of social engineering attacks
29:55
just applied to a software engineering background
29:58
or a project. Timeline for
30:00
Jia Tan, like how long were they
30:02
working this? It
30:04
was years, a month. A few years, wasn't it? Yeah, it was
30:07
about two years. It was two years, I think. It
30:09
was the accounts that
30:12
were involved in that, in
30:14
the library compromise were
30:16
old accounts by the time
30:18
the vulnerability happened. But they
30:20
were, I'll tell you another story. A
30:23
couple of years, weeks ago, I don't know, how long ago?
30:25
A month? Who knows? No. Losing
30:28
track of things. A friend of mine
30:30
had someone convince him to upload or
30:32
download malware onto his computer that turned
30:34
out to be an info stealer. And
30:37
the way they did that was by compromising
30:39
the Discord account of another person on a
30:41
development project he was working on that was
30:44
kind of like, wasn't an open source project,
30:46
but it was a collaborative free
30:49
project with a bunch of
30:51
different people on it. And one guy got
30:53
compromised and tried to spread to my friend's
30:55
account. And my friend was fortunate that
30:57
he acted quickly enough to be able to get everybody
30:59
get get everything, get the
31:02
password changed in all of his accounts before the guy
31:04
had any access to it. But he was immediately asking for
31:06
money to give him back access. I
31:09
think this, these attacks are
31:11
nation state sponsored and
31:14
they're going after they're
31:16
going after these open source projects because they know that
31:19
these open source projects are widely
31:21
distributed throughout the throughout the world.
31:23
Yeah. And if they're investing years into developing, I
31:25
mean, they know the payoff is huge. They're not
31:28
trying to rush this. I mean, I
31:30
know that I know the development cycles are not
31:32
super deeper, but still two years is a decent
31:34
amount of time. Yeah. My
31:36
concern is that what
31:38
we're seeing here is just the tip of the
31:40
iceberg and that the one capture
31:42
on the library and the other couple of things
31:45
in this article that it talks about are just
31:47
the ones that they happen to have been successful
31:49
at stopping. There may be
31:51
some out there that have not
31:54
been successfully stopped. And now
31:56
there are open source libraries that are
31:58
in distribution that have back doors in
32:00
them. Well, and
32:02
this one was found pretty much by accident,
32:05
right? Somebody was looking, someone had noticed
32:09
that there was a, that this library
32:11
had taken a speed hit. Someone
32:13
was measuring how quickly it functioned
32:16
and they noticed a difference that
32:18
for some reason it was burning up a lot
32:20
of, you know, processor time that it shouldn't have.
32:23
And so that's what got this person
32:25
curious and they started reverse
32:27
engineering it and that's how it was found.
32:29
It was a Microsoft researcher, if I recall.
32:32
It was. Yeah. And so it was just,
32:34
you know, someone had a very specific interest
32:37
in something that this did and was
32:39
curious enough and obsessive enough
32:42
to figure out or, or to want
32:44
to dig in as to why something
32:46
that should have taken a certain amount
32:48
of time took a little bit more
32:50
time than it should have. Um,
32:53
and so I think a lot of folks feel
32:55
like they dodged a bullet
32:57
with this one because it would
32:59
have been very likely that it wouldn't have
33:01
been noticed. That's, that's one of
33:03
the, uh, one of the metaphors that's used in
33:05
one of these articles I read about this. And I can't remember
33:07
if it was this article or another one, but I read like
33:09
six articles on this, but they said, you
33:11
should not be feeling happy that you've dodged
33:14
a bullet here because you've only dodged, you
33:16
only know about the bullet you dodged. Yeah.
33:18
Right. Yeah. Well, I think the, the
33:21
good news if there is any is that
33:23
this is making a lot of folks who
33:25
are working on open source projects, take a
33:27
fresh look at, right? How their security is
33:29
handled, how the, this
33:32
social engineering side of it that I
33:34
think, I think a lot of
33:36
folks who are technically minded and working
33:38
in technical, uh,
33:40
industries tend to under emphasize the degree
33:42
to which pure social
33:44
engineering play
33:49
could work on. Yes. Right. Yes. Yep. Yeah.
33:52
And there's a lot of social trust that goes into these
33:54
kinds of projects too. So, um, you
33:57
have to trust your collaborators on these kinds of things to
33:59
some degree. I mean, but
34:01
yeah, that's it's it's definitely worth making sure
34:03
there's some kind of process in place or
34:06
some protocol I would hope there would
34:08
be more but if you don't have any it's
34:10
time to get some together for sure Yeah
34:13
Well, and there are countless projects like this that
34:16
are just some really, you know, it's that what
34:18
is it the XCS comics? XKCD. Yes. Yeah, exactly
34:20
what I was thinking about There's
34:23
always an XKCD comic for anything too, right?
34:26
Right There's you know one
34:28
little piece is holding up this whole
34:30
big structure and that one little piece
34:32
is that tired little developer who's single-handedly
34:35
keeping track of some little open
34:37
source component that everything else is built
34:39
on but Nobody knows
34:42
right. Yeah, there's nothing here for the
34:44
average person to do. This is definitely
34:46
on open source maintainers. Yeah but
34:49
my point here is that This
34:52
is the same techniques that the average person sees
34:54
the artificial time horizon the pressure the the Hey,
34:58
buddy. Hey pal. Let me help you out
35:00
those kind of things, right, right All
35:03
right. Well, we will have a link to those
35:05
stories in the show notes Before
35:07
we get to my story, we're going to take a quick
35:10
break to hear Back
35:24
to the concept of integration, KnowBe4
35:26
Security Coach uses standard
35:28
API's to quickly and easily
35:30
integrate with your existing security
35:32
products From vendors like Microsoft
35:34
CrowdStrike, Cisco and dozens
35:36
of others Security
35:38
coach analyzes alerts your security
35:41
stack generates to identify events
35:43
related to any risky security
35:45
behavior from your users With
35:47
this information you can set up
35:50
real-time coaching campaigns to target risky
35:52
users based on those events from
35:54
your network Endpoint identity or
35:56
web security vendors these
35:58
campaigns enable you to to coach your
36:01
users at the moment the
36:03
risky behavior occurs with contextual
36:05
security tips delivered via Microsoft
36:07
Teams, Slack, or email. With
36:10
35 integrations and counting, Security
36:12
Coach delivers the insight you
36:14
need to improve your organization's
36:16
security culture. Learn
36:18
more about Security Coach at
36:20
knowbe4.com slash security
36:23
coach. That's
36:26
knowbe4.com/security coach. All
36:42
right, we are back and I am
36:45
going to go out
36:47
on a limb at the outset and say that my
36:49
story is a doozy. A doozy. Love
36:52
doozies. Let's do it. So
36:55
Joe, this has some local appeal
36:57
to you and I. This actually took place
36:59
nearby at Pikesville High School. And I have
37:01
to say Pikesville is not too far from
37:03
us. In fact, it is not. My in-laws
37:05
live in Pikesville. I used to work in
37:07
Pikesville. Is that right? Yep. Where
37:10
is Pikesville? It's a suburb of Baltimore. It is
37:12
lovely. It's near Towson. It's a, uh, it's a
37:15
lovely community and probably, I don't know, 20, 25
37:17
minutes from us depending on
37:22
traffic. It is in Maryland. It is in
37:24
Maryland. Yes. The land of Queen
37:26
Mary. The land of Queen Mary.
37:30
So the principal of Pikesville
37:32
High School, whose name is Eric
37:35
Eiswert, found
37:37
himself at the center of some
37:39
controversy when an audio
37:42
recording of him saying
37:45
some terrible things started making
37:47
the rounds among the
37:49
school community. I remember
37:52
the news stories about this.
37:54
He was making racist and
37:56
anti-Semitic comments. Right. And
37:58
as you can imagine, this. audio
38:00
file would spread like
38:03
wildfire. Yes. And it did. It was
38:05
all over social media. Yes. And I
38:07
remember people were trying this guy in
38:09
the, in the social media court and
38:11
getting ready to burn him in effigy.
38:13
Right. He was
38:15
pulled from his job. Uh, but
38:18
you know, given, um, what do
38:20
they call it when they suspended
38:22
with paying? There you go. He was an administrative
38:24
leave. Administrative leave. That's the term I was looking
38:26
for. Yeah. So he was pulled from his job.
38:29
Um, and they
38:32
had to put security at his house because
38:34
folks were making threats over social media. It
38:37
was just terrible. And, and imagine
38:39
the school community by all accounts,
38:42
uh, this was a respected and
38:44
liked principal of the school, but leader
38:46
of the school community. Uh, and
38:49
suddenly, um, you know, people
38:51
felt betrayed by this audio
38:54
file, by these allegations to imagine that this
38:56
person could have done this. Uh,
38:59
people felt, I think, you
39:01
know, rightfully, um, upset if
39:03
this were true. Right. Well,
39:06
turns out, which I
39:08
think should be the name of half the podcasts that
39:10
are out there, uh, turns out
39:13
that he
39:15
did not do it. Ah,
39:18
okay. There you go. Right.
39:21
Turns out that, uh, one
39:23
of his coworkers, uh,
39:25
someone who is named Dazhon
39:28
Darien, uh, who
39:31
has been arrested and charged with
39:33
using artificial intelligence to create a
39:35
deep fake to impersonate
39:37
the school principal. Now, if
39:40
I recall correctly, that
39:42
is exactly what the principal said had happened
39:44
when this initially took place. Is that right?
39:46
Yes. So Dazhon Darien
39:48
was the, um, head
39:50
of athletics at the school. And
39:53
we can only imagine that, you know, must've
39:56
had some kind of beef between Him
39:59
and the principal. And. Created
40:01
this audio file allegedly and
40:03
centered around. Ah, With
40:05
evidently was selective theo. New.
40:08
As such we all know that person writes
40:10
I sent a that this person it's gonna
40:12
make the rest of. Us
40:14
from high school believes in with like that seems like
40:17
a great idea. I'm going to do that right. Wow!
40:19
And the A breast. Exam. Boards
40:21
it was the gym teacher sorry, but. Just
40:24
as. A So. Ah,
40:27
the school district got involved in
40:29
the police cannon balls. And.
40:32
The Baltimore County Police as
40:34
they started to investigate. Things.
40:37
Just didn't add up. And.
40:39
They discovered that saw. This.
40:43
Sub gym teacher had been
40:45
doing searches for AI
40:47
tools are using his computer
40:49
that was on the school
40:51
network. Ah. Ah I'm an
40:53
they found a email account that
40:55
was associated with this person that
40:58
was one of the ones that
41:00
was responsible for the initial distribution
41:02
of the audio file. Interesting yeah.
41:06
That they brought into account and science.
41:08
The stuck on that use. He's a
41:10
computer at school at the school. And.
41:14
He knows how much I think they're monitored
41:16
right? I mean, some right assess. Maybe not
41:18
as I don't know. I I don't know
41:20
that that's those specific details. It seems as
41:23
though that is the case. you know? the.
41:25
The. Specific details are are a little
41:28
sketchy here or fuzzy Anyway own the
41:30
reporting that I've seen on this but.
41:32
Evidently. There were enough bread
41:34
crumbs for the police to follow
41:37
that. They. Charged him.
41:39
Ah, Riise yeah, he's is charged with
41:41
the number of think now. One of the things that
41:43
they point out here is that. There
41:45
really aren't. Direct. Laws.
41:49
About this particular thing.
41:52
As hard as well as as it's like wire fraud
41:54
or something, what do you. Ah,
41:57
They can get you for. So.
41:59
The the charge. That he faces include
42:01
disrupting school activities fast. Are.
42:04
Retaliating against the witness and
42:07
stalking or it on pause
42:09
minutes disrupting school activities. Chargeable
42:11
sense. Is.
42:13
That new because I hope that isn't As
42:16
if as if I hope that wasn't the
42:18
case back in the eighties that it. it's
42:20
well appointed. you know, bomb threats and sort
42:22
of thing I've come to kind of understand
42:24
and bombing of is that they're all kinds
42:26
of laws on the books, right? And they're
42:28
a pro. Laws in their react of was
42:30
right. There are laws that you got there
42:33
and actively seek to enforce and their reactive
42:35
laws which are on the books just in
42:37
case you need. I'm right and I would
42:39
probably put disrupting school activities as being one
42:41
of those, and I don't know if it's.
42:43
A misdemeanor or felony or who knows what?
42:47
The sas to is because
42:49
when more scrutiny was put
42:51
on this person. Ah
42:53
Turns out that they are again
42:55
are alleged to have. Inappropriately
42:58
distributed some school funds.
43:01
Some. Thousand part of what's
43:03
going on here. So. Uncovering
43:06
other. Other actions that.
43:09
In during the investigation. Correct okay,
43:11
but nothing actually about impersonating him.
43:15
Now. While know because you know
43:17
where I don't think it's illegal. Yeah, rank
43:19
right up. Or in here. So.
43:23
Yeah. So I think. As
43:26
I read through this What? it
43:28
really brought home to me was.
43:31
Ah be. Communities
43:34
rush to judgment. Young.
43:38
Which is an understandable impulse, right? I
43:40
mean the accusation was of doing horrible
43:42
things of the saying horrible thing I
43:44
think we talked about this. When
43:47
it first happened. I
43:49
may have brought that up like I think
43:51
that we oh, this guy. I don't know,
43:53
maybe I didn't but I assume I'm thinking
43:55
we'll this guy at least. The.
43:57
Benefit of the doubt here. Okay,
44:00
put him on administrative leave till we sort
44:02
this out and. Is it comes
44:04
out that he did it. We. Can dismiss him
44:06
if it comes out that he didn't do it. Your
44:10
no harm, no foul right now except for the
44:12
damage has been done to the school community. There.
44:14
Is always who the A lingering. That
44:17
lingering doubt. I mean this is what any
44:19
accusation done as his reputation has taken a
44:21
hit through no fault of his own. Yeah,
44:23
yep, yeah, right. Yeah, I don't know if
44:26
he has kids or not, but you know
44:28
a daddy why is or their guards out
44:30
front of a rights? Yeah, no. and there's
44:32
all kinds of. Things. That come
44:34
from this but. I
44:37
think it's just a terrible example of
44:39
somebody this. so this is a new
44:41
reality that were in here is easy
44:43
to do right right. You have someone
44:45
who was a public individuals so not
44:47
hard to get a voice sample like.
44:50
Ah, And you can spin something
44:52
like this sub? Effortlessly for
44:55
free. And. That's with this person.
44:57
did. He have benefit of
44:59
the doubt is not a very
45:01
stylish thing right now Professor. So
45:03
yes, live as much as we needed
45:05
more than ever. It's not. it's not really
45:07
a thing anymore. Seem so originally from.
45:10
Yeah. I know course the other side of this.
45:12
To be fair as that. folks. Who
45:14
didn't do horrible things for say horrible things
45:16
One of the ways that they'll try to
45:18
deny it will be will say oh well
45:20
obviously that's a deeply i never said that
45:22
while back that me know you can do
45:24
that for free and and cc and yep
45:26
I'm a public official of course someone to
45:28
this to me. Isn't. My
45:30
Or and that's where we are such
45:32
play with eight. Yeah,
45:35
I mean I don't know how we work this
45:37
out. A don't know how we sort this out.
45:40
It's going to lead to. Hopefully.
45:42
More skepticism I guess. but l
45:44
Who do you believe? Who do?
45:46
Some point you to believe people
45:48
have to trust people and this
45:50
is yet another injection of
45:52
uncertainty in our ability to trust
45:55
each other and struggling. And
45:57
as. An. Array. All
46:02
right, well that is my story for this week.
46:05
We will have a link to that in the show
46:07
notes. And of course, if there's something you'd like us
46:09
to consider for the show, please
46:11
email us. It's hackinghumans
46:13
at n2k.com. Joe,
46:16
the catch of the day has the week off this week.
46:18
All right. It gets intimidated by Maria.
46:20
So we'll be back next time. I've been
46:22
told. I've been told. I'm
46:24
sure it's out fishing right now. Yeah,
46:26
exactly. Right. I knew better.
46:28
So the catch of the day will return
46:31
next time. But until then,
46:33
Maria, thank you so much for joining us. It is
46:35
always a pleasure. And we are so happy
46:37
to have you take the time to be with us. Oh, thank
46:39
you for having me. I always have a great time. So
46:41
if folks want to check out some of the other things
46:44
that you're up to, what's the best way to do that?
46:46
Oh, please listen to T-minus Space Daily anywhere.
46:48
Fine podcasts are pervade. And
46:50
space.n2k.com is our website. We
47:01
want to thank all of you for
47:03
listening. And of course, we want to
47:05
thank our sponsors at KnowBe4. They
47:07
are experts at enabling a fully integrated
47:09
approach to security awareness training. Our
47:17
thanks to the Johns Hopkins University
47:19
Information Security Institute for their participation.
47:21
You can learn more at ISI.jhu.edu.
47:25
N2K's Strategic Workforce Intelligence optimizes
47:27
the value of your biggest
47:30
investment, your people. We
47:32
make you smarter about your team while
47:34
making your team smarter. Learn more at
47:36
n2k.com. Our
47:38
executive producer is Jennifer Eiben. This show
47:40
is mixed by Trey Hester. Our executive
47:43
editor is Peter Kilpe. I'm Dave Bittner.
47:45
I'm Joe Carrigan. And I'm Maria Varmazis.
47:48
Thanks for listening.