Maria Varmazes
You're listening to the CyberWire Network, powered by N2K.
Dave Buettner
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Buettner, and joining me is my co-host, Joe Kerrigan. Hey, Joe.
Joe Kerrigan
Hi, Dave.
Dave Buettner
And my other co-host, my N2K colleague and host of the T Minus Daily Space podcast, Maria Varmazes. Hello, Maria.
Maria Varmazes
Hello, Dave. Hello, Joe. Hello, gentlemen.
Dave Buettner
We've got some good stories to share this week, and we will be right back after this message from our sponsor.
Joe Kerrigan
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allow listing and ring fencing has your back.
Dave Buettner
All right, I don't see any follow up in our rundown today, so we will jump right into our stories here. Joe, you have the honors. What do you got for us?
Joe Kerrigan
I have two stories because they're both kind of short.
Dave Buettner
Okay.
Joe Kerrigan
But the first one is about some suspected jury duty scammers who have been arrested in Sarasota, Florida. But they managed to get 12 grand out of somebody.
Dave Buettner
Hmm.
Joe Kerrigan
So here's the interesting part of this. There are two of them. One is named Anthony Sanders, and the other one is Marlita Andrews. And they work together to victimize this woman out of $12,000. They called her on the phone. Anthony Sanders did. Called her on the phone and said, you owe money for missing jury duty. Now, everybody who listens to this show hopefully knows that if you miss jury duty, they're not going to call you and demand money. I don't know what the penalties are, but it's not that.
Maria Varmazes
It's not, at least in the United States. That is true, right?
Joe Kerrigan
That's correct. I don't know how that works outside. Yeah. This guy was able to spoof the sheriff's office phone number and knew the name of the sheriff. The interesting thing about this is while he was doing this Anthony Sanders, he was in prison.
Maria Varmazes
What?
Joe Kerrigan
He was on the phone in prison scamming somebody out of $12,000. And Andrews is the person that was out using the cryptocurrency. So they talked this woman into going to a. They said, you gotta go to pay your fine at the bond place. But they just sent her to a cryptocurrency ATM where she pumped in 12 grand and then transferred $12,000 to Andrews' crypto wallet. That money was immediately dispersed. So I don't think that this woman is going to get her $12,000 back. It's probably gone. But it's interesting. This guy was running it out of prison, and his girlfriend, Marlita Andrews, was working with him on the outside as, I guess, as the legs of the operation.
Dave Buettner
Right.
Joe Kerrigan
Moving things around.
Dave Buettner
I guess we should note that they've been indicted and arrested. So these are all allegations? These are all allegations so far, that's right. But, yeah, you know, the things people sneak into prison, right? Yeah. Like, I think years ago, you know, people would talk about the war on drugs. And one of my responses was, you know, how are we going to keep drugs out of people's hands when we can't keep drugs out of prisons?
Joe Kerrigan
Right.
Dave Buettner
Like there's. I guess where there's a will, there's a way when there's a market. Yeah. I heard somebody, you know, I've been doing amateur radio lately, and I heard someone tell a story recently that they heard a couple of young women whispering to each other on a radio frequency recently. And he was wondering, like, why are they whispering? They're just having conversation. Whispering. And through the use of directional antennas, he figured out that they were both in the local women's prison and they were whispering to each other because they weren't supposed to have the radios. You know, it was nighttime. Right. Somehow they'd gotten in, you know, walkie talkies or something. And so this person keyed up and said, you know, ladies, you never know who can hear what you're talking about.
Maria Varmazes
As loudly as possible.
Dave Buettner
Right, right, exactly. And they both, you know, Cindy never heard from him.
Joe Kerrigan
That's funny.
Dave Buettner
Yeah. Yeah.
Joe Kerrigan
So good that these folks were caught. Assuming that they, of course, did this and they are innocent until proven guilty.
Dave Buettner
Yeah.
Joe Kerrigan
The next story comes from LinkedIn. And this poster is Franco Aguilera. And Franco is telling a story. We're gonna put a link in the show notes. I'll just kind of start summarizing this here. He says a few days ago, a user on LinkedIn reached out to him and said, hey, I like your stuff. Let's do a job interview, and I want to see your technical chops here. They, you know, your stuff looks good on, on paper, but I want to see if you can do it, so let's have an interview. So the guy signs up with this interview, and he, the, the person who wants to interview him says, go download this repository from GitHub. And he does that and he starts running it.
Dave Buettner
And Joe, let me interrupt you real quick. Sure. For folks who aren't in this world, we should explain that. Yes, this is a pretty routine thing. Can you explain what code challenges are for somebody seeking this kind of employment?
Joe Kerrigan
All right, so if you're a software engineer or software developer, you may get tasked as part of your job interview process with developing some kind of software that answers a question. Usually it's an academic or a pedantic question, or maybe it's a business question. Um, and you may also be tasked with updating some code base somewhere, or you may have to implement something that already exists in, like using a library.
Dave Buettner
Right.
Joe Kerrigan
So GitHub is a code repository place where all this code is stored and, well, not all of it, but it's one of the places where it's stored. Yeah, yeah, a lot of it. You can, anybody can open up a GitHub, a GitHub account and start storing, start creating repositories, keep them private, make them public. Microsoft bought GitHub, so, so understand that if you're going to use the service. I mean, I don't know how common it is in the software engineering world. I mean, I haven't done a software engineering job interview in years. So we used to do the whiteboard exercises where somebody would say, how would you solve this problem? And then we'd have to draw it out on a whiteboard, maybe write some pseudocode or maybe write some code. But this new thing is you get on like some kind of Zoom or Google Meet or Teams, and you share your screen and they watch you do the development process. But what happened with this guy is they said, I need you to go out and download this client server package and fire up the server and then we're going to try to interact with it. Well, in this server package, there was a line that prevented the server from running. And he checked that line and he found this obfuscated file. He's got pictures of all these things in here too. So, I mean, hearing me talk about it is kind of good, but seeing the pictures might make it more clear. And then he found that this script was going out and collecting information and sending it to an IP on the Internet somewhere. So in the past, this is not normal.
Maria Varmazes
Right. Like, we should never expect this to be happening.
Joe Kerrigan
That is correct. So on the back end, this thing was going around and what he thinks it was doing was looking for crypto keys, crypto wallet keys. And it was specifically, specifically looking for those kind of things on his computer. And he said this is on him for not doing a code review beforehand or for just firing up a VM and, and doing the code exercise in a VM where there would be nothing of any value to lose, essentially.
Dave Buettner
Right. VM is virtual machine.
Joe Kerrigan
Virtual machine, correct. So you can set up a virtual machine that looks and acts like a real machine, use that as your machine. If you have VMware, has a low cost version that you can buy that you can use yourself. There's also VirtualBox where you can just spin them up. VirtualBox is free, but it is an Oracle product. And then there's other Linux implementations that you can use. So if you recall a couple, about a year ago, maybe two years ago, it had to be like a year and a half ago or something like that. I was talking about a friend of mine who is a software engineer and he got tricked into running what he thought was a game because somebody had taken over one of his friend's Discord accounts.
Dave Buettner
Yeah, I remember that.
Joe Kerrigan
And sent him a, sent him essentially a piece of malware that just went through and stole all the information, then tried to blackmail him. Now he didn't send any money, he just changed all his passwords while he, while he delayed the guy. But it was very scary to have that happen. And I'm sure this was very scary for Franco as well. Franco Aguilera.
Dave Buettner
Right.
Joe Kerrigan
So, yeah, when you're doing a code interview, if you're a software engineer, if they're going to ask you to download and run something, maybe do that in the VM, I think.
Maria Varmazes
Not a bad idea.
Joe Kerrigan
Yeah, I don't think that's something you just do. I don't think you just trust these people.
Dave Buettner
No, and I think that's a big part of, or a big point of what's going on here is that you're somebody. When you're somebody who's looking for a job, the balance of power is uneven.
Joe Kerrigan
Yes, it is.
Dave Buettner
And you want to please these people. So chances are you're going to do what they ask without putting up any kind of stink because you don't want to be seen as being difficult. And that gives them the advantage of saying, well, we just want you to install this on your computer 100%.
Joe Kerrigan
There's definitely a power dynamic in play here. I mean, it may not work on guys our age. Dave, somebody says, hey, I'm going to do a job interview. I want you to run this program. I'm like there is no way I'm installing that on my computer.
Maria Varmazes
Yeah, I was just thinking about that power dynamic. The more of a Graybeard you are, I doubt they're going to have you running anything, but if you're more entry level, then you really don't have much of a pushback on that. I'm married to a software developer, so I'm just thinking about what he's been through with his. With his career. So, yeah, yeah, I could totally see someone more junior having to do this. What was that?
Joe Kerrigan
How gray is his beard?
Maria Varmazes
It's quite gray. I actually noticed the other day he's actually been fully inducted into the Graybeard. I'm quite proud.
Joe Kerrigan
So has he adopted the angry curmudgeony old attitude, old man attitude yet?
Maria Varmazes
Oh, yeah, I married him with that.
Joe Kerrigan
Okay.
Maria Varmazes
He said it from the get go.
Dave Buettner
Gotcha. Not a bug, but a feature. Oh, that's great. All right, well, we will have a link to both of these stories in the show notes. I'm gonna go next here. My story comes from the folks at Krebs on Security. This is Brian Krebs, well known, I guess you'd call him an investigative reporter when it comes to cybersecurity things. And he has a post here, it's first of the new year. It's titled A Day in the Life of a Prolific Voice Phishing Crew. And this is a very interesting kind of long read, a bit of a deep dive into an organization who does exactly what he describes here, voice phishing.
Joe Kerrigan
Hey, you know, I want to stop right there and say thank you, Brian, for not using the term vishing.
Maria Varmazes
My goodness. I was just thinking that.
Joe Kerrigan
Voice phishing is such a better descriptor of what it is. It tells you everything you need to know. It's good wavelength.
Maria Varmazes
I was just thinking that.
Dave Buettner
You don't like vishing, you don't like smishing.
Joe Kerrigan
I don't know either of those.
Maria Varmazes
With you 100%, man. It's like, oh, God. Yep.
Dave Buettner
Yeah, I agree. I agree. So imagine this. You're. You're as. As you know, I like to say you're sitting home, you're minding your own business. You get a call or an email from either Apple or Google, and they're sending you notifications on your phone, maybe on your computer. And as far as you can tell, everything looks legit. And that is the mechanism by which these scammers are going after people and stealing money and data and that sort of thing. And part of the scam is that they're using real services from Apple and Google to trick you into thinking everything is okay.
Joe Kerrigan
Right.
Dave Buettner
And this article has a couple examples of folks who got hit here. There's a gentleman named Tony who's a cryptocurrency investor. He lost $4.7 million in a phishing attack. Wow. Can I just say, it must be nice to have $4.7 million to lose.
Joe Kerrigan
Well, I mean, it depends. How much of his personal assets was that?
Dave Buettner
Right, right.
Maria Varmazes
Was it all on paper or was it real? Yeah, right.
Dave Buettner
I mean, yeah, yeah, obviously I'm being flippant here.
Joe Kerrigan
I mean, if he's worth 400 million. Okay, yeah, that's.
Dave Buettner
Well, actually, we'll get to that with our second victim. So he got what looked like a recovery prompt from Google, which is where, you know, they say somebody's trying to break into your account or you're trying to recover your account. Right. You've forgotten your password. And then he got a fake email from google.com, and the bad guys used that to take him to a fake website that looked like a Google login. And then they stole his login details. They drained his crypto accounts. And this was all by pretending to be Google. Victim number two is a gentleman perhaps you've heard of named Mark Cuban. Okay, famous billionaire Mark Cuban. He was only hit for 43,000 dollars for a scam, which is, you know, the money in his couch cushions, probably.
Maria Varmazes
He didn't even notice.
Dave Buettner
Right, right. But evidently he was on the set of Shark Tank and he got a phone call from somebody pretending to be Google.
Maria Varmazes
And he happens to everybody, Right?
Dave Buettner
But think about that, right? He's on the set of a television show, so he's distracted. You know, he doesn't want to be the guy interrupting the show, probably.
Joe Kerrigan
Right?
Dave Buettner
And somebody's asking him for something, and he gave them the one time code that the scammer sent him on his phone. Right. So when you try to do an account recovery, Apple or Google or, you know, lots of these places, they'll send you a one time code and they'll say, we're sending this code. Please put in this code. This is how we know it's you. Well, if you share that one time code, that's kind of the ball game, right? And that's what Mark Cuban ended up doing. And that's how they got into his email and they stole $43,000 in cryptocurrency. Now, to me, Mark dodged a bullet here because what you could do if you got into Mark Cuban's email.
Joe Kerrigan
Yeah, yeah. These guys. Yeah.
Maria Varmazes
But the bragging rights, though, even if it's only 43k. You hacked Mark Cuban, Right?
Joe Kerrigan
If I'm one of these guys, I'm not telling anybody where I got $43,000, because if I say I got it from Mark Cuban, they're gonna be like, you only got $43,000.
Maria Varmazes
Oh, fair. All right.
Joe Kerrigan
Yes.
Maria Varmazes
You could look at it that way.
Dave Buettner
That's true.
Joe Kerrigan
Yeah. I mean, still, that is a remarkably big loss for a scam. Somebody is having a very good day at whatever scam organization this is.
Dave Buettner
Yeah. So this article talks about the groups who do this. One of them is called Crypto Chameleon. And basically they do this as a service. They rent out the phishing kits.
Maria Varmazes
Are we on the same brain?
Dave Buettner
Karma, karma, karma, karma kama Crypto Chameleon. Is that what you guys are thinking?
Joe Kerrigan
Crypto crypt.
Dave Buettner
I did not go there.
Joe Kerrigan
I heard Maria singing it.
Dave Buettner
I'm just like, yep, I did not go there. But now I will not be able to get it out of my mind. So these folks rent out their phishing kits. Very businesslike. And what's interesting, there are different folks who take on different responsibilities. So they have the callers who are the ones who talk to the victims. There are the operators who manage the tools, and then there's the drainers, who are the ones who steal the money. I wonder, like, what the pecking order is, you know, do you see, ultimately is like, what's the most important, hardest job to get? What do you graduate to if you make your way through this, through this chain? Or are some people just naturally attracted to different things?
Joe Kerrigan
I don't know. Maybe it's like an Ocean's Eleven kind of thing where you have all the different crew members.
Dave Buettner
Right, exactly, exactly. The article does go through the various steps that they take when doing this. First, they identify the target. That's pretty straightforward. But they use some tools that they call autodoxers, which are tools that can basically go through big data breaches and identify people who are interesting, likely to have assets, those sorts of things, high value targets. And then they have the initial contact, which is either a phishing email, a phone call, or some kind of notification. And this is where in this story, they're impersonating Google or Apple Support, and then they go through the building trust process. They call the victim and they pretend to be a support agent. They'll say, hi, this is Mike from Apple, or I'm from Google Account Recovery. And they reference the notifications that the victim has already received, which reinforces that illusion of legitimacy, right. And then they guide the victim through steps to resolve the issue. In this particular case, the scammers were spoofing Apple's actual support line. So the call you got coming into your phone, if you looked it up or with a caller ID, it would say it's from Apple. And if you looked it up to verify, it would say, yeah, it's Apple.
Joe Kerrigan
That's it.
Dave Buettner
Right. So obviously there's social engineering, all these things we've talked about. They convince you to log into a fake login page. Usually they'll tell you that we need you to log in in order to secure your account, right? So you're doing the safe thing, and then you enter your username, your password, and maybe your two factor authentication. And that's basically it. Then they've got access to your accounts. They log in as you. They very often will search for things like cryptocurrency accounts. And if you have that, they'll drain your wallet. Some of them will look to have persistence on your device. So even after they've gotten the initial stuff that they've grabbed, they'll install software that allows them to stay in there and be able to poke around at their own convenience. So that's something you have to worry about. And then once they're done with you, they are off and on their way. So, interesting story. It digs into a lot of the depth of how these groups operate, the various positions that people have, and some good ways to try to protect yourself against it. So we will have a link to that in the show notes. Anything in particular that grabs your attention? Maria, let me start with you.
Maria Varmazes
I mean, it's just always amazing to me how sophisticated these operations are. It's fascinating. I'm always fascinated to hear about it, even though I'm also scared that I'm going to be next. I mean, I think I have these conversations with my mom a lot. She maybe listens to the show, which would be nice. Maybe she should. She's always like, oh, you're so on top of this stuff. You know about these things. And I tell her I'm actually. I get more scared the more I learn about these things, because, I mean, very, very smart people, in just a moment of being rushed or weakness or whatever you want to call it, they fall victim to these things. And it's like, today them, tomorrow me. So I don't know. I'm trying not to lose hope here about what it means for all of us, but it is really remarkable how my old mental model of this being just some lone troublemaker or something is so, so outdated. And it's just incredible to hear. Yeah. Ocean's Eleven really is. Now, I'm thinking that's you, Joe. Thanks again. That's in my head now.
Dave Buettner
It's big business.
Joe Kerrigan
It is.
Maria Varmazes
Goodness.
Dave Buettner
Yeah. Apple and Google both warn and reiterate that they will never ask you for your password or call you unsolicited. Um, so be mindful of that.
Joe Kerrigan
But, yeah, never trust the inbound call and never give those codes out. Those codes are for you and you alone. If. If you see those codes coming up, that means someone's trying to break into your account.
Dave Buettner
Right.
Joe Kerrigan
And that's how you should think of it.
Dave Buettner
Right. Those codes never need to be shared via the spoken word.
Joe Kerrigan
Right?
Dave Buettner
Right. That will never happen. All right, well, we will have a link to that story in the show Notes. Before we get to Maria's story, why don't we take a quick break to hear a message from our sponsor?
Joe Kerrigan
So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust Endpoint Protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show.
Dave Buettner
And we are back. Maria, what do you have for us this week?
Maria Varmazes
Well, first, I'm gonna start with a question, gentlemen. Do either of you have your phone notifications on for apps that are not, you know, phone and mess?
Dave Buettner
Yes.
Joe Kerrigan
Yeah, I have a couple of them that have that.
Dave Buettner
I have it dialed in.
Joe Kerrigan
Right.
Maria Varmazes
Me too. So you don't have it blanket off, but you don't have everything pinging you all the time?
Dave Buettner
No, no, if I had everything on, I would have already thrown my phone through a plate glass.
Joe Kerrigan
100% guaranteed.
Maria Varmazes
But you do have a few apps that ping you that are not just messages and phone. Okay, Correct.
Joe Kerrigan
Like Southwest on my phone.
Maria Varmazes
Okay. So when you're flying.
Joe Kerrigan
Yeah, and the problem with that is when I'm flying, that's when I want the alerts. But right now I'm getting the alerts because they're having some kind of fare sale. I'm not going anywhere. I don't need to know that. So I might just disable the alerts for that.
Maria Varmazes
Yeah, yeah. I have all of my alerts off, unless it's phone or messages. And then I'm very careful about enabling them if I'm traveling, but that's it. I'm really cold turkey otherwise. But I think we are the exception for. For this kind of thing. Given that Apple, with one of its latest iOS updates, rolled out AI generated summaries of notifications. This is clearly a need that a lot of people have with the flood of notifications you get from messages and apps of all sorts of things. So what Apple is thinking AI can be helpful with is that instead of you all or us all having to read the pile of notifications coming in as they come in, why not just have AI summarize it for you and tell you the gist of what's going on?
Joe Kerrigan
Right, Right.
Maria Varmazes
Yeah. Which is sounds like a nice useful thing. And it's also baked in is the idea that if there's something that's really high priority in the giant pile of notifications, you know, you've got Facebook pinging you and Southwest pinging you and email and all that stuff, it'll tell you this. One specific thing in the pile of it is actually something you need to address right now. So all of that sounds like technology maybe making life better, but I think you can probably anticipate where this is going. I think I can. You probably can. You may also remember back in December, this feature is not brand new. It's been out for a month or two now, I think, if not a little longer. There were some headlines about the BBC complaining to Apple that Apple's AI generated summaries of news headlines were wildly inaccurate in some hilarious, darkly hilarious ways. One example was saying that the UnitedHealthcare CEO shooter Luigi Mangione had shot himself. Not. Not true. He has not done that. And also New York Times had a similar gripe where a summary push to users said that Israeli Prime Minister Benjamin Netanyahu had been arrested. Also, that didn't happen. So even though these are in phone generated summaries, presumably it's the same AI doing all this generation of these massively distributed headlines. So a lot of people are getting these inaccurate summaries. So there are also some fun versions of these summaries going out. I remember reading, I want to say on maybe on Bluesky, maybe on Twitter, I don't know. I have since disabled my Twitter account. There were some really funny stories about people finding out that they had been broken up with through AI generated summaries, which are pretty great. Girlfriend expresses displeasure with you and breaks up with you. I mean that's just.
Dave Buettner
Has moved all of her stuff out of your house.
Maria Varmazes
Congratulations, you're finding out. This is how you're learning about this.
Joe Kerrigan
Would you like to look for a new roommate?
Maria Varmazes
AI can help you with that. It's so great. So that's more that's about the feature and its warts and all that kind of stuff. But here's the security angle that I think is of interest for us. Bluesky posters. That's where I'm at now, by the way. Also, they are noticing that these AI generated summaries are oh so helpfully flagging priority items that are not necessarily priority. They're taking all of those notifications at face value, AI is. So those final notice invoice scam emails. Apple AI goes, hey, I'm being helpful here. Oh gosh. This message is marked urgent. You'd better act right away. It's a security issue. Oh my gosh. And then, oh, that USPS parcel. Oh my. Oh no. You'd better confirm your details at this specific link to get it released. So it's really lovely that AI is now sanitizing all of those cues that we have learned to look for that would normally tell us to slow down and go, and this is probably a scam. And now AI is just surfacing it to you without any of those cues at all saying just take action. Right now this is priority.
Joe Kerrigan
Isn't that coming from this trusted source?
Maria Varmazes
Yeah, it's coming directly from your operating system. You're not even having to go to messages anymore. It's just right there, right in front of you. This is priority. So yay. Apparently you can, if you have Apple Intelligence on your iDevice, you can actually disable it for now. I don't know how long they'll let people do that, but if you can do it, if you have it, I would personally recommend that you disable it right now because it sounds like this feature is really not well baked. So I think it needs some more time before it is something that people can responsibly trust. I don't have it, so I have not been able to kick the tires. But frankly, if I did, I would not be using it.
Dave Buettner
Well, I do have it. I would turn it off, Dave, because I am running the beta of iOS.
Maria Varmazes
There you go.
Dave Buettner
So I am on the sharp bleeding edge of it all.
Maria Varmazes
Are you finding it useful overall or is it too buggy?
Dave Buettner
I find it useful overall in that it allows me at a glance to get, like you said at the outset, to have the gist of what's going on. So what it attempts to do, like for messages, for example, is take all of a message, no matter how long it is, and condense it down to the sentence that just describes it. So that again, you glance down at your phone, that's what you see is this AI summary. And then you decide if you tap on the summary, it takes you to the actual message. So it's not like the AI version becomes the message. The summaries are just there to try to save you some time and combine multiple things. I have yet to see one that is off the mark or ridiculous or deceptive, but I'm sure it's only a matter of time. One of the things I've seen in the criticisms of these is that people are suggesting to Apple that they do a better job of flagging these things as being AI generated. So put an Apple logo next to it or something like that and so that it's crystal clear that you're not reading the original message.
Maria Varmazes
The actual thing. Yeah. I wonder if that would happen in this case. I'm sorry if that would help in this case. If you said, hey, this is a USPS delivery notification, but this is just an AI generated notification of that notification, right? Yeah, maybe it would help. I don't know. I still stand by. I would not use it personally for. If I was recommending this to my mom, I would say turn it off personally. It sounds like a headache, but Dave, I know, I trust you, that you could discern, but some folks might go, I don't want the headache. So I would probably disable it.
Dave Buettner
Yeah, I guess I'm at the point where I'm still curious about it. I'm still trying it out. It has not yet betrayed me in any way. So I'm tiptoeing around it and. Yeah, right. But I'm bracing myself for that. I mean, like I said, it's only a matter of time, so we'll see. I could absolutely live without it. It's not like there's some empty hole in my life that's been filled by having my text messages concisely summarized. Yeah.
Maria Varmazes
I mean, if there was Dave, I'd be.
Dave Buettner
Imagine me, right, leaning against a window where it's raining outside, wishing to myself, if only I had summarized texts of messages.
Joe Kerrigan
If only this 168, 60 characters were shorter.
Dave Buettner
Right? Yeah. I don't have time to read these text messages.
Joe Kerrigan
Of course, now, we all have very long text. I'm sure my wife would love to have something that summarize my text messages to her.
Dave Buettner
Right.
Joe Kerrigan
They can be long.
Maria Varmazes
Are you an essayist on text messages or.
Joe Kerrigan
Yeah, I am. Yeah.
Dave Buettner
Yeah. Now, when you send a text message, do you use voice to text?
Joe Kerrigan
Absolutely.
Dave Buettner
I see.
Maria Varmazes
Oh, you're one of those people. Okay. All right. Now a lot of things make sense. Okay. All right.
Dave Buettner
Well, I mean, maybe you could use, you know, what you need to do. Joe, let me help you out here, my friend.
Joe Kerrigan
Okay, I'd love to hear it.
Dave Buettner
You could do this manually. So what you need to do is because I know you enjoy using some of the LLMs from time to time.
Joe Kerrigan
I have a ChatGPT subscription. Yeah.
Dave Buettner
So let me suggest you dictate your message into ChatGPT and then say, make.
Joe Kerrigan
That as concise as possible.
Dave Buettner
Please summarize this for my wife and see what it does.
Maria Varmazes
Saving marriages one day at a time. Love this.
Dave Buettner
Right, right. Well, but I mean, think about it. You could have a preset that said, you know, I want this to be as affectionate and warm and kind as possible. You know? Although, I mean, they'd probably blow your cover. Right? Because if all of a sudden your text messages started saying, hello to my lovely, beautiful wife from your adoring husband.
Joe Kerrigan
I hope this text message finds you well.
Dave Buettner
You're right. Exactly.
Maria Varmazes
We must do the needful love of.
Dave Buettner
My life, my sweet baboo.
Joe Kerrigan
My sweet baboo.
Dave Buettner
Oh, my goodness. All right, well, we will have a link to Maria's story here in our show notes. And again, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. All right, it is time to move on to our catch of the day.
Joe Kerrigan
Dave, our catch of the day comes from Keefe.
Dave Buettner
I'm gonna say Keef.
Joe Kerrigan
Keefe.
Dave Buettner
Just Keef. Keefe.
Joe Kerrigan
Okay, Keef.
Maria Varmazes
Oh, yeah.
Joe Kerrigan
It is a transcript of a voicemail, and it's pretty good.
Dave Buettner
Okay. All right, I will read it. Yes, it says, Walmart account for an amount of $919.45. To cancel your order or to connect with one of our customers support representative, please press 1. Hey, this is Amelia from Walmart. A pre authorized purchase of PlayStation 5 with special edition and Pulse 3D headset is being ordered from your Walmart account for an amount of $919.45. To cancel your order or to with one of our customer support representatives, please press 1. Hey, this is Amelia from Walmart. A pre authorized purchase of a PlayStation 5 with special edition and Pulse 3D headset is being ordered from your Walmart account for an amount of $919.45. To cancel your order or to connect with one of our customer support representatives, please press 1. Hey, this is Amelia from Walmart.
Maria Varmazes
Can I get an AI summary of this please?
Dave Buettner
Is that right?
Maria Varmazes
It's Amelia from Walmart?
Dave Buettner
That's a good question. I'm going to do that.
Joe Kerrigan
You're going to actually copy this? Well, this is a picture, so we can't copy it.
Dave Buettner
ChatGPT will take a picture.
Joe Kerrigan
Okay.
Dave Buettner
All right, so I'm going to say summarize this message for my lovely wife. There we go. All right. It's chugging away. Here's a summary for your wife. This message claims to be from Walmart saying there's a pre authorized purchase of $919.45 for a PlayStation 5 and accessories on your Walmart account. It urges you to press 1 to cancel the order or to speak to a representative. This is likely a phishing or scam call trying to trick you into sharing personal or financial information. If you didn't make this purchase, do not engage. Check your account directly through Walmart's official website or app. Okay, so ChatGPT.
Maria Varmazes
All right, for the win, I'll give him that.
Joe Kerrigan
I am impressed.
Dave Buettner
There you go.
Maria Varmazes
I'll give them it. Yep.
Dave Buettner
Wow, that far exceeded my expectations. Have either of you ever received one of these endlessly looping messages on your phone?
Joe Kerrigan
No, I've never gotten the endlessly looping one, but I have gotten the fake Amazon call.
Dave Buettner
Okay.
Joe Kerrigan
And I pressed one to get. Then somebody came on the line and I immediately said, so I just want to know how this scam works. What happens next? And the guy just unleashed a string of profanity at me that I really didn't deserve. I mean, I probably deserve it, but not from this guy.
Dave Buettner
Right?
Joe Kerrigan
Right. So I just listened to it and kind of got a laugh out of it and then hung up. Yeah, I said, I don't think you're from Amazon. Because Amazon is not this mean to me.
Dave Buettner
Right. Yeah. I have gotten these before and I suppose it's just some kind of technology that's randomly calling people with the intention of getting on their voicemail. And there's just some device that's looping this over and over and over again. So, you know, it's designed to have the call last a certain amount of time and then just hang up.
Maria Varmazes
Yep. Just a cassette in some dusty basement.
Dave Buettner
Yeah, exactly, exactly. There's an old reel to reel, old eight track. Just looping.
Maria Varmazes
That's what I imagine.
Joe Kerrigan
An eight track cart.
Maria Varmazes
Yeah, it's right next to the hold music that somebody's still playing.
Joe Kerrigan
It's just my wife and I have been on hold with a company trying to get our gas canister outside of our new house serviced.
Dave Buettner
Yeah.
Joe Kerrigan
And I have become more and more convinced with every. Every company I wait on hold. That music is designed to get you to hang up. It's designed to make you go, this just isn't worth it. And they just hang up.
Dave Buettner
Yeah. Yeah, I think there's something to that. I mean, that's a conspiracy theory I can get behind.
Joe Kerrigan
Yeah.
Dave Buettner
All right, well, that is our catch of the day. Our thanks to Keith for sending that in. And if you have something you'd like us to consider, you can email us at hackinghumans@n2k.com.
Joe Kerrigan
And of course, we want to thank this week's sponsor, ThreatLocker. Go to ThreatLocker.com HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space.com HH where you can request a demo and neutralize the threat of malware running on your devices.
Dave Buettner
That is our show. Brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Iban. We're mixed by Elliot Peltzman and Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmazes
And I'm Maria Varmazes.
Dave Buettner
Thanks for listening.
Podcast Summary: Hacking Humans – Episode: Crypto Chameleons and Star Fraud
Title: Crypto Chameleons and Star Fraud
Host/Author: N2K Networks
Release Date: January 16, 2025
Description: Deception, influence, and social engineering in the world of cybercrime.
In the latest episode of Hacking Humans, hosted by Dave Buettner, Joe Kerrigan, and Maria Varmazes from N2K Networks, the trio delves deep into sophisticated cyber scams that blend social engineering with cutting-edge technology. The episode titled "Crypto Chameleons and Star Fraud" explores intricate fraud schemes involving cryptocurrencies and high-profile targets, shedding light on the evolving tactics of cybercriminals.
Timestamp: [01:33]
Joe Kerrigan opens the episode with a cautionary tale about Anthony Sanders and Marlita Andrews, who orchestrated a $12,000 scam targeting a woman in Sarasota, Florida. The scam involved pretending to be from the sheriff's office to claim the victim owed money for missed jury duty—a tactic highlighted by Joe:
Joe Kerrigan [01:50]: “Anthony Sanders called her and said, you owe money for missing jury duty. But, if you miss jury duty, they're not going to call you and demand money.”
Timestamp: [05:24]
The second story involves a deceptive job interview process targeting software developers, as recounted by Franco Aguilera. Franco shared his experience where a seemingly legitimate job interview led him to download a malicious GitHub repository containing a script designed to steal cryptocurrency keys.
Notable Quote:
Joe Kerrigan [06:06]: “What happened with this guy is they said, I need you to go out and download this client-server package and fire up the server, and then we're going to try to interact with it... this script was going out and collecting information and sending it to an IP on the Internet somewhere.”
Timestamp: [12:43]
Drawing from an investigative report by Brian Krebs on Krebs on Security, the hosts explore the operations of a sophisticated voice phishing crew named Crypto Chameleon. This group offers phishing kits as a service, catering to various aspects of the scam operation.
Notable Quotes:
Dave Buettner [13:12]: “One specific thing in the pile of it is actually something you need to address right now. So all of that sounds like technology maybe making life better, but I think you can probably anticipate where this is going.”
Joe Kerrigan [17:10]: “They rent out their phishing kits. Very businesslike.”
Timestamp: [23:55]
Maria Varmazes introduces a discussion on Apple's latest iOS feature—AI-generated summaries of app notifications. While designed to declutter user experiences, the feature has inadvertently facilitated scamming tactics.
Notable Quotes:
Maria Varmazes [24:26]: “But they are having some kind of fare sale. I'm not going anywhere. I don't need to know that.”
Maria Varmazes [25:36]: “There are also some fun versions of these summaries going out... AI can help you with that. It's so great.”
Timestamp: [34:47]
The hosts present a recurring scam voicemail example received by a listener named Keefe. The message impersonates Walmart, informing the recipient of a pre-authorized purchase to lure them into engaging with the scam.
Voicemail Transcript:
“Hey, this is Amelia from Walmart. A pre authorized purchase of PlayStation 5 with special edition and Pulse 3D headset is being ordered from your Walmart account for an amount of $919.45. To cancel your order or to connect with one of our customer support representatives, please press 1.”
Notable Quote:
Dave Buettner [36:01]: “If you didn't make this purchase, do not engage. Check your account directly through Walmart's official website or app.”
Debunking the Scam with AI: Dave demonstrates utilizing ChatGPT to summarize and analyze the voicemail, effectively identifying it as a potential phishing attempt.
The episode underscores the escalating sophistication of cyber scams, emphasizing the intricate blend of social engineering, technological manipulation, and organized criminal operations. The hosts advocate for heightened awareness, robust security practices, and skepticism towards unsolicited communications to safeguard against such threats.
Final Remarks:
Dave Buettner: “Thanks for listening.”
Joe Kerrigan & Maria Varmazes: Echo their gratitude to listeners and encourage feedback to enhance future episodes.
Stay vigilant and informed as cyber threats continue to evolve. Tune in next week for more insights on the human elements of cybersecurity.