A
You're listening to the CyberWire Network, powered by N2K.
B
Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey there, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis.
A
Hi, Dave. And hi, Joe.
B
We've got some good stories to share this week, but first let's get to our follow up.
C
No follow up section is complete without a chicken story.
A
Our listeners demand it, Joe.
B
They do.
C
They do.
A
They really do.
C
I was listening to last week's episode and I was like, I didn't know that people are that vested in our chickens.
A
Oh, they are.
C
Yeah. So I installed the automatic door on my chicken coop, and last week I said that it has a photo sensor. It actually has a photo sensor and a timer. Oh. So I set the photo sensor to open the door and I set the timer to close the door. Because I set the photo sensor all the way down to zero sensitivity, which means it gets completely dark before it closes. But as soon as it gets there, as soon as it detects the light at the level of zero, it's zero to 99. And I don't know what that means internally, but it just means that when that sensor reads what comes out as a zero, it shuts the door. And even with the sensor turned down to zero, that door was shutting with one or two or three chickens outside. So I'd go out like an hour after dark and there'd be chickens sitting on the perch going like, well, I guess we're just going to sit outside tonight.
B
Okay.
C
So I'd open the door up, put them back inside. So I set the timer. Now the door closes at 6pm and that has worked well. So it opens with 20% light and it closes at 6pm.
B
Oh, so you can choose either for any situation? Correct. That's surprisingly versatile for something like that.
C
It is surprisingly versatile for something that is 50 bucks. Yeah, I was really, really happy with it. It's also solar charged, solar powered.
A
So what kind of watch do your chickens wear that they know what time it is?
C
Well, they just go inside when it gets dark, but apparently they go inside a little after the door closes.
A
Okay.
C
But I go out there every night. Like I went out last night at like quarter to six and they were all sitting in the coop ready to go. But I'm gonna leave it at 6 because I'm not gonna go out there and update it for every sunset and sunrise. This will keep me good for probably around two months.
B
Oh, yeah, I think.
C
Anyway, so one morning I went out there. It was a Saturday. I went out there on Saturday, and I look, and there's a chicken sitting on the water container. And I'm like, what are you doing on the water container? I look and I'm like, this chicken is upside down, and she has caught her foot in the hook. Yeah. That holds the water container up off the floor of the ground. You can't have the water container on the ground. They will just make an absolute mess of it.
A
Ew.
C
So same with the food container. So they're both hanging from wires through the roof of the run, are they? Okay, well, I pulled her off. I held her a little bit. I checked her foot. It didn't seem like it was broken.
B
Her new name is Stumpy.
C
Right. And I put her back in the coop, and she was, like, limping around really, really bad. And I'm like, oh, no. I'm like, what's going on here? So I go inside real quick, and I went to Thingiverse, which is a 3D printing site where you can get models, and I found, believe it or not, a chicken splint.
A
I believe it. You can find anything on there.
B
Oh, man. That's my favorite part of the chicken.
C
The chicken splint.
B
Chicken splints. Save me the chicken splints.
A
There's some good collagen around that chicken splint.
B
Yes.
A
It's a delicacy in some countries. Yeah.
C
Printed that up. Took about two hours, and by the time I printed it up, the chicken was walking around fine.
B
So.
Now. Well, but, you know, now you've got one just in case. You've got one just when needed, you're ready to spring into action. Next chick. Now, did you do anything to make the area safer?
C
Yes, I did. I closed the loops on these little things a little bit better.
B
Future poultry inversions.
C
Right. There will be no future poultry inversions.
A
Is it like with horses where you got to put them down if they break an ankle or whatever?
C
I don't know. I saw a YouTube video where somebody said they had an injured chicken and they built a splint out of pencils or a pencil and some tape and some gauze, and they said that chicken got better in two weeks. So they're fairly resilient animals. I don't know.
B
Do you remember this? Surely you guys have seen the story about the headless chicken who lived for several years.
C
I've seen that. Yep.
A
Maria, I have heard of that. Yes.
B
Yeah. Okay. Yes.
A
That is legendary. Yep.
B
Yeah. For our listeners, if you're not aware, just, I guess, Google "headless chicken" and it'll pop up and there are pictures. It's quite a tale.
C
Yeah. It's horrifying.
B
The pictures are horrifying.
C
Right.
B
But it's a story of resilience and perseverance in the face of unbelievable adversity, namely having your head chopped off.
Which goes to show that chickens don't really need their brains, I guess. Right.
C
Or at least not most of them.
B
Yeah.
A
Yeah.
B
All right. So all's well with the chickens? All's well with the chickens.
C
Yeah.
B
Okay.
C
And now that my classes are over, I'm going to start working on a bigger run for them.
B
Okay. Have you seen any signs that any neighborhood predators are interested in your chickens? Are there any, like, fox footprints or anything?
C
I have not seen any of that. But this morning in the shed when I was getting the food into the. Into the coop, I did see mouse droppings and a little bit of gnawing going on on my chicken food container in the shed.
B
Okay.
C
So I will be sprinkling the entirety of the shed with peppermint oil to see if that makes them go away.
B
Yeah. I had a friend who had a chicken coop and he had a black snake that lived in the coop.
C
Right.
B
And so the deal was, I guess that in exchange for keeping rodents away, the snake enjoyed a delicious egg from time to time.
C
Right.
B
So, you know, and the snake wasn't bothered by people being around.
C
Right. Yeah. Black snakes are pretty chill.
B
Yeah. The people weren't bothered by the snake being around other than the first time they came upon it.
C
Right.
B
Surprise. Snakes are never fun, but it's unnerving. Yeah, but. So maybe you'll end up with a chicken coop snake. That would be.
C
I wouldn't mind having a chicken coop snake.
B
Yeah.
C
They don't eat much.
And I don't know if they will. They will never out eat the mice. With the way mice reproduce, they'll never do that. Yeah. But their smell might keep them away.
B
Yeah. All right, well.
Stay tuned next week. Next week, Joe's Chicken Coop Corner. And.
Keep the stories coming.
C
Yep.
B
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
All right, I tell you what, let's get to some stories here. I'm going to lead things off for us. Let me start off with a question here for both of you. Have either of you ever received a nasty gram from a company who's claiming that you have violated someone's copyright or digital rights online?
C
I have not.
A
No, I have not either. Okay.
B
I have.
C
Okay.
A
All right.
B
This is decades ago when I had my previous company and on our website, we had inadvertently left a preview image from some stock photo company and got a nasty gram from them, saying, hey, you're using our photo illegally. Please pay us. My recollection is we did not pay them. We just swapped it out and we never heard from them again. But. But that was decades ago. So the tale I'm gonna share today has to do with fonts.
A
Oh, it turns in. Oh, yeah, okay.
B
It turns into a phishing caper and ends with a little bit of a victory for typography nerds everywhere. So imagine this. You're minding your own business. Right. Which is what I like to do best.
C
That's what you do on Facebook.
B
That's right. Everywhere you go, you're running websites for your company and you get a message on LinkedIn. It has an urgent tone and an official sounding title, and it says, hey, we found your company using our fonts without a license. Please respond immediately. Now, I'm sure there are people in our audience who are saying to themselves, fonts have licenses.
A
Oh, my gosh.
C
That's my first question.
A
Yes. Yes, they do. Oh, my goodness. And they are way more expensive than you think they should be.
B
That's right.
A
Way, way more expensive.
B
That's right.
C
How much is wingdings?
A
Good question.
B
The thing here is, I guess real quick, is that some of the most famous fonts that you see from day to day are owned by people and they license them out for use. I think part of the confusion comes because we also have lots of fonts that we use for free every day because they come with our computers or they've been open sourced. So there's a variety of fonts out there, but some of them absolutely are legally licensed, and in order to use them legally, you have to pay to use them. So nothing unusual there. That is a standard thing in business. So this letter came to a gentleman who is kind of the hero of our story. He's actually a self-described typography nerd. His name is Emil. And he got this message on LinkedIn from Monotype, which is one of the big font companies, and they say they've been trying to email you, but you never got their messages. And Emil thinks to himself, that's strange. I don't think we use any Monotype fonts. And he knows about these sorts of things, right? So he starts checking his digital footprint. And his corporation uses Open Sans, which is a free, open source, no-license font. He checks their regional sites.
He finds one commercial font in play, which is a font called Proxima Nova, but that doesn't come from Monotype, so he doesn't think Monotype should be involved with that. So he reaches out to his team and he says, look, only one person's gonna reply to this. We're gonna double check everything, and only one person, I, will be the person who replies. Okay? Because I should back up and say, he isn't the only person at the company who's getting these urgent messages from Monotype. Monotype's basically going through LinkedIn, finding everybody from the company and just saying, hey, hey, hey, please pay us.
C
Is it actually Monotype or am I reading ahead?
B
Stay with me, Joe.
C
Okay, so.
B
So Monotype does not have a lot of patience. They start again, messaging people all across the company, LinkedIn style, and they're saying, you owe a licensing fee. Let's settle this quickly. So, Joe, quickly, quickly.
C
Time horizon, artificial time constraint, and settle this quickly. Yeah, I'm instantly dubious.
B
Yeah. So the folks in procurement at his company are ready to pay just to make this go away.
C
Really?
B
Well, this is a nuisance kind of thing. It's not that much money and what could it possibly cost? But Emil steps in and he says, hold on, let me take over this. And he digs deeper and what he finds is that Monotype's report flagged two fonts that were allegedly in use without a license. One of them was an icon set called Credit Cards.
C
Hmm. Okay, okay, okay.
B
But they weren't using Monotype's credit card font. They were indeed using a credit card font. And how to describe this? The credit card font looks like the type that's on your credit card that has its number, the embossed part.
C
Right.
B
So if you're illustrating a credit card on your website, you would use this font in an image of a credit card to make it look like a credit card.
C
Okay, so you said it was icons, so I imagine that a little set of icons is also considered a font.
B
Okay, yes, well, yes, there are fonts that are outlines of images. There are font sets that are basically logo sets of different companies. Anyway, they're using a credit card font, but it's not Monotype's font. And Emil goes through, he verifies it, and what he finds is the font they're using has the same file name on their system as Monotype's font, but it's not Monotype's font. They bought it directly years ago.
A
Okay, okay.
B
And so he's confident, no problem there. The second one was this font, Proxima Nova, and he found that they really do use that. But the problem is Monotype doesn't even sell that font anymore. And our hero contacted the design agency who created the project site and they confirm, yes, they purchased it legitimately from Adobe years ago.
A
Oh, okay.
B
So he writes to Monotype, sends a very thorough email that has screenshots, receipts, annotations.
A
He's got receipts.
B
He's basically doing their homework for them.
C
Right.
B
And Monotype goes quiet for a few days and they finally come back with a last attempt to salvage some cash. They say, okay, we don't sell Proxima Nova anymore, but maybe you bought that credit card font from us. Can you confirm why? We don't have a record of your license. So they're asking him to prove a negative.
C
Can I confirm why you don't have a copy of my license? No, that's impossible, because we didn't buy it from you.
B
That's why you don't have a copy of my license. We got it from the design agency, from someone else. So here's the thing. Monotype was not being intentionally malicious.
C
Right?
B
Fonts should be licensed. Monotype sells fonts. That is what their business is. And designers deserve to be paid. Right. But what's at issue here is that the method they were using was pretty sloppy and pressure based.
C
Yes. Right.
B
This wasn't careful auditing. This was spray and pray. Right. They use automated scans, they don't bother to verify anything and they just shotgun everybody to put fear in them and just hope that they're gonna get paid. And I'm sure a lot of people do pay them.
C
Yeah.
A
So these are legitimate emails from Monotype.
B
These were legit emails from Monotype.
C
Well, I was thinking it was a scammer.
B
Yeah, well, and the hero of our story was wondering that as well.
C
Right. So I think, you know, if I'm wondering that. I say, look, our address is on the website. Have your lawyers send us a letter.
B
Yeah. I also wonder if this isn't someone who is handling this for Monotype, basically a bounty hunter. Right, right. Who's got some kind of system using some kind of automated, dare I say, AI system.
Scan the entire Internet, find. In this case, it seems like they were just looking for matching file names.
A
Yeah, that's what I was thinking. Yeah. Just like whatever is embedded, just the font embed file name.
B
Right. And then sending nasty grams. And the third step is profit.
C
Right.
B
So I guess the point of my story here is that even though this was a legit inquiry from Monotype, their methods leave a lot to be desired. Ultimately.
Their claims of obligation were not true. So technically not a scam, but at the same time, not the greatest way to go at something like this. And if you're on the receiving end of something like this, I think as both of you said, first your radar went up that this is some kind of phishing scam or that it wasn't actually Monotype. In this case it was. But I would say just be really careful when you have something like this where they're claiming that you've already violated some rule, some law, some copyright, whatever it is, and pay now or else.
C
Well, I'm going to do a little quick search because they are a publicly traded company.
A
Yeah, they're a big company. I actually interviewed for a job with them many, many, many, many, many years ago. And I had a very negative experience. And so I kind of have a beef with Monotype.
B
Okay.
A
So when you're telling me that they're doing something a little untoward, I'm like, yeah, that tracks. And this is just based on absolutely nothing but a bad interview experience that I had with them.
C
Perhaps they are not publicly traded.
B
Right, right.
C
Or at least not anymore.
B
Yeah, yeah. You know, I think most people out. Most people who aren't professional designers or into typography don't really think twice about fonts. They just scroll down, they choose Comic Sans and they get on with their life.
C
Yes. That's what I do. It's on my resume.
A
I am in physical pain from you saying that, Dave. Just for the record, that's. Oh, my God.
B
Right. All right, well, if you want all of the gory details of this story, we will have a link in the show notes. Let's move on here. Joe, what do you got for us this week?
C
So my story comes from Leada Gore over at AL.com, and that is Alabama.
B
Oh, no. Leada Gore, AL.com. I'm gonna guess American League, like, right.
A
Al Gore.
B
Al Gore.
C
I get it. That's where your mind went.
A
That's where my mind went. Hanging chads. Sorry.
C
Trauma. Celebrate good times. I will. I went right to the Simpsons reference also. Well, never mind. I'm not going to tell you how I feel about Al Gore.
I'll just say this. Not a fan and haven't been since the mid-80s.
A
All right, so you got a beef with Al Gore.
C
Okay, I do. He's a big time censorship advocate. And don't let anybody tell you that he isn't.
Really not a fan. So "millions of Walmart customers are victims of a major scam" is the headline of this story. Now, this is nothing new from what we've heard before. This is talking about a bunch of calls that are going on purporting to come from Walmart, and the scammers would call and say, hey, this is Emma from Walmart and we're just calling to authorize the $919.45 purchase of a PlayStation 5. Press 1 to speak with a representative if you want to cancel the order.
B
Right.
C
And then you press 1 and these people start asking for all kinds of personal information. It's just a scam to get you to do this.
B
Right. We just need to verify your credit card number.
C
Exactly.
A
Your Social Security number, your date of birth, your physical address.
C
My son came up with a great idea for a website. And that is.
A credit card verification site where you say, has your credit card been released into breach? Enter your credit card details here.
A
I've seen those.
C
You're fine.
A
No, I've seen those. Yeah, those are actually. They exist.
C
Oh, no. So, okay, so he's not doing any great thinking.
A
Please do not put your credit card information on those websites.
C
Right.
A
Okay. Just feel like we need to say that.
C
Okay, so there is a link in this story to an FCC press release. And that's where I want to focus on today.
B
Okay.
C
But before we get into this, I need to go and do a little bit of background information. So there is a company called YouMail that offers phone call screening services, and they have a mobile app and you can get like a virtual phone number if you pay for the service. But they do have a free tier service. I don't know how it integrates with your regular phone. You know, like the phone that you have, like the actual phone number. Your SIM card phone number, whatever. Yeah, or if it only works with the virtual phone numbers, I guess it has to work with the regular phone. I don't know if I want to try this yet because I already have the Google screening service. That does a pretty good job. Yeah, but so keep in mind that the company YouMail, that's one player in this story. Then there is another standard, or a suite of protocols, called STIR/SHAKEN, or Shaken Stirred. And these are a suite of protocols and procedures. This is direct from Wikipedia: a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Right. So the way it works is it adds a digital signature to something called the Session Initiation Protocol header. Right. So Session Initiation Protocol is a way that you can establish, maintain and end multimedia phone calls like voice and video, whatever.
A
Good thing signatures have never been faked before.
C
Well, it's. I'm gonna. You can, you can.
A
We're gonna put that in. Okay, I'll put a pin in that.
C
Because that's not what's going on here. But because digital signatures provide two features right out of the gate. They provide integrity of the data. Right. You can verify that the data you received is the data that was sent by the sender. And it also provides verification of the source. And in cryptography, this is called non-repudiation, which means the only person who can create a digital signature that can be verified with the public key is the holder of the private key. Okay, so it's asymmetric cryptography. So now we can get back to this complaint here. This complaint says the FCC demands cessation of Walmart impersonation robocalls. So the FCC has written two documents that we'll put links in the show notes to.
They're talking about the Enforcement Bureau of the FCC having demanded that SK Telco, which is a company based in Montana, cease and desist processing these Walmart calls. And they know that this company is responsible for these calls. And they start with 29 complaints, and they then go and look at the STIR/SHAKEN data which is available. And they found, at least to them, they found that this company, SK Telco, was responsible for 97% of these Walmart pre-authorized calls identified by YouMail between May of 2024 and March of 2025. So in a little less than a year, this company was responsible for 97% of what YouMail tracked as about.
9 million calls. Wow. So YouMail has a small subset of the phone market for inbound calls. So this is just a fraction of what's going on out there. These guys have probably sent out billions of calls. And something else this press release from the FCC says is that it is unlawful to place calls to cell phones containing artificial or pre-recorded voice messages absent an emergency purpose or prior written consent. So.
B
Huh. I didn't know that.
C
I didn't know that either.
A
Yeah, how would we have ever known that? Because clearly nobody cares about.
C
Right. Because I get these calls constantly.
A
Yeah, I mean that's like. That's nice. Are they going to do anything about it?
C
Hello, it's Sherry from the approval department. I don't think you're a person. And it just keeps going.
A
It just keeps going.
C
Yeah, it's a recorded message.
A
Your car's warranty, blah, blah, blah. I don't have a car.
C
Right. Somebody called my old phone number, my home phone number, the other day and it came in as "scam likely." And they got to talk to Mabel Johnson.
Who is my old lady voice that I do. And I just started talking this woman's ear off. I don't know what happened to Joe Carrigan. I can't find him anymore. Well, how are you today? And it was like, oh, I gotta go, Mrs. Johnson.
It's awesome to do this. I love doing this. This was actually some business that was doing that. I've gotten great results with Mabel.
A
Good stuff. Have you placed a pizza order with Mabel yet? Because that's what I want to hear.
C
I have not. Can I tell a story about it?
B
I think you're going to.
A
I think it's happening whether we want to or not.
B
All right.
C
My sister-in-law called her parents' house and I was there and I answered the phone as Mabel and I go, hello. And she just hangs up the phone.
B
Right.
C
She figures she dialed the wrong number. So she calls again and I go, Christy, why you keep calling? And she hangs up the phone again. And she calls a third time and they answer the phone and go, hello? She goes, Joe? I'm like, yes, you're at my parents' house. Yes. Oh good. Cause I said, hold on, Christy, there's someone here that wants to talk to you.
B
And I go, Christy, why you keep hanging up?
C
She hangs up a third time.
B
Oh wow. Wow. She talked to me in a panic state.
C
Yeah. She talked to me and I was like, hold on just a minute. And I do the voice and she panics and hangs up. So, yes, it's a running joke in the family, the Mabel Johnson voice. Somebody actually found an obituary for a Mabel Johnson one time.
A
Oh my God. So she's speaking to us all from beyond the grave.
C
Rumors of my demise are greatly exaggerated.
The FCC has given SK Telco two days to respond or they're going to remove them from the communication system. So they will not be able to send calls with the signatures anymore. Essentially, they'll just revoke the public key.
A
Right?
C
They'll say, no, we're not accepting this anymore.
A
Why are they giving them two days? Why aren't they just revoking it? Like, what's the.
C
Well, because this is the first official governmental action. There is a. I didn't cover this. There is an FCC-sanctioned group called the Industry Traceback Group which traced the sources of these calls, of the 29 illegal calls that were complained about to the FCC, to SK Telco. And then the Industry Traceback Group notified SK Telco about the illegal robocall traffic and they said nothing. So now they have two days to respond to the FCC.
A
That's what I'm saying. We know. Everyone knows what a nuisance these things are and clearly no one's taking it seriously. And then giving them two days as if it's like, oops, a little mistake. No, they should. I don't understand why they don't just come down hard on them.
C
I think two days is coming down hard from a government standpoint. I mean, we're going to revoke your certificates in two days if you don't give us a satisfactory answer.
B
I mean, I guess you have to have a little room in there for the possibility that the FCC made a mistake.
C
Right. Which, there is a strongly worded letter that we'll also include. And I'm not going to go over this.
A
I know the FCC is flawless and would never make a mistake.
C
This strongly worded letter here that was sent to the CEO directly to the CEO of the company.
And carbon copied somebody else at the company.
We'll put a link to this in the show notes too. This is worth the read. The FCC lays out their case in this letter and it's pretty good. I mean, it's pretty obvious that, you know, we have the evidence that says this is the case and here's everything we found and here's all the references, and it's cited, and I mean it's a beautiful letter. I love it. So this company. It's a long one.
A
Otherwise I'm sure you would read it. But it's quite long.
C
It's like four pages.
B
Four or five pages. The implementation of STIR/SHAKEN definitely made a difference and it cut down on this stuff, and it made it easier for them to hold these folks accountable. But I think at the end of the day, it's always going to be to a certain degree a game of Whac-A-Mole.
C
Right. This is exactly what this is. We're looking at one of these moles getting whacked.
B
Yeah. Which is kind of gratifying.
C
It is kind of gratifying.
I'd like to see some fines for these guys. I'd like to see if there's any other way to get other records from somebody other than YouMail. Because YouMail is, like I said, a small fraction. It's only their customer base that they have data on. They don't have data on everybody else.
B
Yeah.
C
So, but you know, 9 million records or something like that inside of less than a year. And that is only a fraction of what these people were calling. If you assume that this is just randomly hitting YouMail customers, that's huge. Absolutely huge.
B
Yeah.
A
I'm just trying to think like how many people are in. This was written in Alabama. Is the entire state of Alabama 9 million people?
C
Yeah, probably.
I mean, I could ask Google that question.
A
You could.
B
All right, well, we will have a link to that story as well as the documents from the FCC in our show notes. So do check it out.
C
It is 5.158 million people as of 2024. So that is more than the population of Alabama.
B
There you go. All right, I tell you what, let's take a quick break.
A
Break.
B
We will be right back after this message from our show sponsor.
And now back to our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allowlisting, Ringfencing and Network Control. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans.
And we are back. Maria, it is your turn. What do you have to share this week.
A
Well, as Dave, as you know, and as Joe, as you just recently found out, I just got back from a trip literally yesterday. So if I sound a little under the weather, it's because I am.
B
Boy, are your arms tired.
C
Yeah.
A
Awesome.
C
My favorite joke.
A
Yep. I didn't even say I flew, I just said I got back. Anyways.
And it was 14 hours in transit each way because I was going overseas. And I still operate on a kind of outdated model of I need to make sure I've got a lot of charging cables with me because the battery on my phone will not last that trip, which is not true anymore. It definitely lasted. And I've been thinking a lot about charging my phone in public places, in countries that I don't know, in airports that are seeing a bazillion people come and go. And the reason I've been thinking about this is because just when I was on the plane yesterday coming back to the United States, I saw this story that came up on my Google home page, the default homepage that Google has where it surfaces news stories that might be relevant to you or interesting to you. And it was from USA Today, which is not a minor newspaper, not a minor news source. I would dare say a lot of people in the United States know USA Today and read it, and the headline was this: "TSA urges travelers to avoid two tempting airport freebies." And I was like, okay, it's definitely a good clickbait headline. Because I was like, all right, what does that mean? And the two freebies. Do you want to guess what those two freebies are? Because I was just agog when I read this. Any guess?
B
Freebies. Let's see. Offers for massages in the men's room.
C
Oh, no. This is airport. Airport freebies.
A
Airport freebies.
C
Is one of them the charging stations?
A
One of them is charging stations, correct. Yep, yep.
And yes on the second one, because there's two.
C
And it's technology. Probably Wi-Fi.
A
Yes. You got it, Joe.
B
Ding, ding, ding.
A
Yeah. This story from USA Today said, according to a post from the FCC from March 2025, but still, they just reported on it in early December 2025 only.
B
USA Today, right on top of all the breaking news.
A
Not. Not exactly breaking news.
B
Okay.
A
But surfacing it during, you know, the holiday travel season, basically saying, don't use public Wi-Fi at the airport and definitely do not use USB ports to charge your devices at airports. And I just sat there on the plane going, I cannot believe we are still giving people this advice. Now I understand why this advice is being given out, because it used to be that these were legitimate concerns. And certainly for public Wi-Fi there are concerns about lookalike public Wi-Fi.
SSIDs, where, you know, there's your airport, I'll say for Boston it's like Boston Logan Wi-Fi, something like that, that's the SSID, and someone might name it Boston Logan Wi-Fi with a dash somewhere and fool people into connecting to an actually malicious Wi-Fi network. I understand all that, but the reason that I was a little bit rolling my eyes at this was I had just read the week before a really great open letter to the public, to employers, journalists and policymakers. And it's titled Stop Hacklore. And that's actually really the one I wanted to talk about. And this is what the letter starts off with. We are a group of current and former CISOs, security leaders and practitioners who have seen how compromises unfold in the real world. And we write to correct a set of persistent myths about digital risk to everyday people and small businesses that continue to circulate widely online and in public advice columns. And this is the list from Stop Hacklore that they're basically begging people to stop perpetuating. They say, we aim to retire the following outdated pieces of advice. Number one, avoid public Wi-Fi, because they say large scale compromises via public Wi-Fi are exceedingly rare today. And also that personal VPN services offer little additional security or privacy benefit for most people and don't stop the most common attacks.
C
This one is good for the most part because they're correct. Like if I get on a public Wi-Fi spot and I go to my bank, TLS, transport layer security, will keep the malicious actor's hands off of my stuff, off my traffic. But if they have a DNS server set up that just redirects me to their impersonation site.
What happens then?
B
We'll get to that.
A
Keep going, Maria. Okay, again, the point about if you connect to public Wi-Fi that is malicious or it's not the actual official public Wi-Fi for your airport, that's a different situation. Same thing with people doing impersonations of public Wi-Fi on planes. But the general advice that we've given people about don't use public Wi-Fi and make sure you use a VPN, this open letter is saying, is just outdated advice. The second piece of advice was don't scan a QR code ever. And even I am still on this train.
C
To be completely this advice last week.
A
Yeah, I'm still on that train. I'm like, I don't like QR codes. I don't like how. Dave, just at the event we were at last month where the QR codes, every year, you and I are both looking at them askance. This letter is telling us we can just chill out.
B
So I scanned them. I did, Maria. I clicked.
A
You just clicked the link?
Yeah, I was curious. I was. Yeah. You know what? I am, too.
Number three was to never charge devices from public USB ports. And I'm just going to read what they wrote here. There are no verified cases of juice jacking in the wild affecting everyday users. Modern devices prompt before enabling data transfer, default to restricted charging modes, and authenticate connected accessories. And I've certainly seen that with at least my more modern devices. I suppose if you're using something really old, juice jacking in theory could be a concern, but I don't think this applies to most people.
C
I think this is correct, but I'm still bringing my power brick with me and using the actual power outlet.
A
I'm with you. I did the same. I had my big power brick with me, and that's what I choose to charge from. But in an emergency, I'm going to charge from a public USB port, like a USB-C. Especially since I was just in Europe and I only had one travel adapter for the plug, so I needed to charge my laptop, my phone, and my headphones all at once. And I didn't have an adapter for all three. But I'll use USB for that and I'm not going to worry about it. The fourth piece of advice they say is outdated is turning off Bluetooth and NFC, which I was like, whoa. Turning off Bluetooth was considered sort of standard. Definitely just keep that off unless you really need it. And they wrote, wireless exploits in the wild are extraordinarily rare and typically require specialized hardware, physical proximity, and unpatched devices. Modern phones and laptops isolate these components and require user consent for pairing. Okay. Piece number five is to regularly clear cookies, because they say clearing or deleting cookies doesn't meaningfully improve security or stop modern tracking, which now includes identifiers and fingerprinting other than cookies. So, Joe, I heard you say it doesn't.
C
Right, Right. That's correct.
A
Yep.
C
Because there's all kinds of better ways, or ways they can make associations between the last set of cookies and where you are now.
A
Yeah. Yep. And then number six, the piece of advice they're asking us to stop perpetuating. And I mean all of us, like us in general, is asking people to regularly change passwords. And that one is.
C
That is correct.
A
Big, big, big yes to that one. I just had this conversation with a neighbor this morning at my daughter's bus stop about how he cannot remember the stinking password to his online bank because it has to keep changing all the time. And I talked to him about password managers, and I just was thinking, yeah, I mean, this is a big problem. And I know in my case, a lot of the banks around where I live are very small and they're not up to date with the latest on security. And a lot of them, they just default to change your password regularly, and that's a pain.
B
So I had this conversation with my dentist yesterday about changing passwords.
A
Yep. Yeah.
B
He asked me about it, and I replied. I said.
C
But. And he goes, regularly, I shouldn't do that.
A
Okay. All right. So that was the list of six things they're asking people to stop, for the general public and small businesses. Enterprises are different. So people who are managing enterprise security, obviously, you guys have a different risk situation. So don't email us. Don't email us. We understand this is for the general public and for small businesses. All right. And they go through pains to emphasize that as well. So the recommendations for the public, it's easy. There's four things that people should do. Number one, you can even guess it. Keep your stuff updated.
C
Right.
A
Keep them updated. Just do that, and you're really, really pretty good. Number two is to enable multifactor authentication, which we're now all calling MFA instead of 2FA. We've been beating that drum for years, so we mean it. MFA is great. Using strong passphrases. This really is familiar to mine.
B
Again, that's what I told my dentist yesterday. Same thing.
A
Yeah, that's what I was telling my neighbor this morning. Don't reuse them. Make sure everything is unique. And that's why a password manager is great. And then he was, like, messaging himself password manager.
B
Okay.
A
I don't know. I have a feeling I'll be getting a knock on my door soon, asking me to help him set that up, which will be interesting. And that was actually tip number four, was use a password manager. And I'm a big fan of password managers and have been for many years. And there are a lot of them now. Many of them come built in on your phone or your computer, and they're pretty good. So, yeah, so that's the Stop Hacklore open letter. And that came out on November 24, right before U.S. Thanksgiving, when they knew a lot of us were going to be going home and doing family IT work. So I thought that was really great.
B
Maria, I stepped on you there. I apologize. You were about to explain what the difference is between a password and a passphrase.
A
Yeah. So a password or a passphrase is. Well, it can be a short sentence of a number of words with spaces in it. So what that can enable, if you use a passphrase, is length. So, like, over 16 characters is really good, if the system you're using will allow you to put in something that long, which can also sometimes be a problem. But, yeah, length and uniqueness are both really, really helpful, because if you just use the same password and add an exclamation point at the end, I'm looking at all y'all, not you. But, you know, some people, that's just what they do. I'm not going to name names, but length is really important, and a sentence can really help, even if it's a bunch of nonsensical words. And that can be very handy. So I really recommend reading this letter. I would love to send this to USA Today. Just please, please take a look at this, guys.
B
I'm looking at all the people who signed onto this letter. And this is quite a list. I mean, this is a who's who of names in cybersecurity. So this is the AV Club down the street.
A
These are no. Many of my former colleagues that I've worked with, and I trust them just explicitly, they're on this list. And these are people who have guided me a lot in my own career. So I was very happy to see that they signed on. And yeah, this is definitely a who's who of really very smart people, many of whom do a lot of public messaging. That's a lot of what they do, is talking about this stuff to the general public. So I hope more people will listen to them, and certainly we'll do our best to amplify their message as well. And I want to give a shout out to the FTC that also put out a message saying public Wi-Fi networks are also like, you don't need to worry about that whole thing anymore unless you sign on to the wrong one. So they amplified the Hacklore letter, which I just, FTC, nicely done. So that was nice to see.
B
Yeah. Yeah. All right, well, good stuff. And to our listeners, if you want us to consider a story for our show, you can email us. It's hackinghumans@n2k.com. All right, Joe, Maria, it is time for our catch of the day.
C
Dave, our catch of the day comes from the phishing subreddit.
It's a service notification.
A
Dave.
C
Apparently you're due for some service.
B
Yeah. So I will point out that this comes from service notificationervice provider update work.
C
Somebody just got one of those brand spanking new.
B
Right?
C
How old are these things now? Those new top level domains, they're probably four or five years old.
A
A couple years, yeah.
C
Everything's brand spanking new to me.
B
So it says your email account has been flagged and reported. And then there's the Microsoft logo.
C
Right.
B
And it says our system has received large number of complaints regarding your email. Your email address has been reported by other users from Microsoft, Yahoo and Google for sending spam and threatening emails. The nature of these emails suggests that either you were involved in dubious activities or your account has been abused and misused by someone. Due to the severity of these complaints and under the empowerment of terms and conditions applicable to our services, we have the right to suspend your service in case we do not receive a justifying explanation until seven business days from today. This mailbox is not monitored for replies. Please do not reply to this email. For clarification, please contact the case manager at. And then they have a phone number. We have assigned a case manager to your account to supervise you through the transitional process. You can file an appeal against the complaints either online or by directly calling your case manager. You can initiate an online chat with your case manager here.
In case you wish to speak to your case manager. Connect on phone during business hours. Like they, they're really going at it with the phone number Here please. The regards account support team. All right, so a bunch of things going on here.
C
Yeah, this is just.
Obviously this is a scam. First off, like the capitalization. You can't really see that on the podcast, but the capitalization in this is bizarre.
B
Random.
C
Random.
B
Yeah. The first letter of some words is randomly capitalized for presumably no rhyme or reason.
C
Right.
B
Yeah.
C
So I mean, obviously, hey, we're going to suspend your account in seven days. There's the artificial time horizon.
It's impersonating Microsoft. It is not Microsoft, obviously, because Microsoft would send you something. Well, first off, Microsoft's never going to reach out to you to provide support, nor are they going to reach out to you about your email. They're just going to shut your email down. And when you go to log in again, it'll say, I'm sorry, this account has been shut down. Goodbye. Right, that'll be the end of it. Good luck getting it back, even if you weren't responsible for it. But, you know, that doesn't happen unless people are actually abusing email accounts.
B
Yeah, a couple of minor grammatical errors, but nothing too bad. I mean, these are. They're definitely trending towards better. Right. Over time that we've been doing this, and obviously all the AI tools make it a lot easier.
C
The second paragraph is just one sentence. You almost ran out of breath in that one. That's right, that's right.
A
I'm also liking at the bottom, in, like, a medium gray, it says, note: do not share your password, slash security question, slash one time password with anyone, even your case manager.
C
Ooh, yeah, that's good. That way you know this is official and that these guys are nice guys who care about your security.
A
Yeah. They don't want you to give away any information that, you know, could put you at risk, so.
C
Right.
A
Good for them.
C
They just want you to install some software so they can take over your computer.
A
Yeah, I'm sure it's fine. I'm sure it's fine. Definitely trust them. Yes.
B
All right, that is our catch of the day. And again, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's hackinghumans@n2k.com.
Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com.
And that is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilby is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Podcast by N2K Networks (CyberWire)
Date: December 11, 2025
Hosts: Dave Bittner (B), Joe Kerrigan (C), Maria Varmazes (A)
Theme: Deception, influence, and social engineering in the world of cyber crime.
This episode dives into the latest social engineering tactics, focusing on scams involving copyright enforcement, mass robocalls, and persistent cybersecurity “hack lore” that needs to be retired. The hosts share personal anecdotes, break down recent news, discuss regulatory enforcement actions, and bust some cybersecurity myths about public Wi-Fi and USB charging. As always, there’s humor, practical insight, and a look at how attackers leverage everyday human behaviors.
The hosts maintain their signature balance of technical insight, skepticism, and humor. They debunk persistent myths with directness and warmth. Playful banter keeps the show engaging while underscoring the real world implications and risks of everyday digital life.
If you haven’t listened:
This episode provides an accessible mix of contemporary scam stories, practical advice for non-technical users, myth-busting straight from cybersecurity’s best, and a healthy dose of humor.