A
You're listening to the Cyberwire network. Powered by N2K.
B
The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVrising.com to secure your spot. Hello, everyone, and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hi, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis.
A
Hi, Dave. And hi, Joe.
B
We've got some good stories to share this week. We'll be right back after this message from our show sponsor. And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cyber criminals with world class endpoint protection from ThreatLocker. And we are back. No follow up this week, so we're going to go right into our stories.
C
Talk about my chickens.
B
What?
C
I don't get to talk about my chickens?
B
Oh, well, you're always talking about your chicken.
A
I'm sorry, do you need prompting, Joe?
B
I spoke too soon.
C
No, the coop has arrived.
B
Oh.
C
And I just need to spend like a week putting it together.
B
Okay. It sounds like code for something, you know.
A
The coop has arrived.
B
The coop has arrived. How long do you. How. How big a lift is assembling a chicken coop?
C
I imagine it's about as big of a lift as assembling a very complex IKEA desk.
B
Okay.
C
I'd probably. That. That's my initial, so whatever the time they say will take, just double it.
B
Okay. Okay. So medium. Yeah, medium level of difficulty.
C
Right. But I mean, I can handle it.
B
When you take on something like this, is this a solo project or do you have helpers?
C
I will probably do this by myself because I'm the kind of guy that when somebody says, do you need help? I'm like, no, I got it.
B
Yeah.
C
Mom sent me out here to help you. Well, tell her I said go back inside.
B
Okay. That was where I was getting. It's like, are you good at accepting help? It doesn't sound like.
C
No, I'm not.
A
And an hour later, I'm in too deep. I need help.
B
Right, Right.
C
Nobody's supporting me.
B
Why? Right out here all by myself right after I sent everybody away? Yeah. All right, well, best of luck with it, Joe.
C
Thank you.
B
Expect updates. I shall no longer say we have no follow up because there's always follow up. As long as Joe has chickens, there's follow up.
C
Yep.
B
All right, Maria, why don't you start things off for us? Yeah.
A
So instead of doing a news story, I thought I would talk about anecdotally something that happened to me yesterday regarding a Facebook scam, possibly one of the. Yes. So this is a very American lead-in to a story, but it's just. Stay with me for this one. As of the day of this recording, yesterday in my neck of the woods, there was a shooter. Yeah, this is really dark, but, yeah, there was a shelter-in-place order at the. A university very close to me, University of Massachusetts Lowell. And there was video circulating of a person not just brandishing a rifle, but literally holding it and looking to aim it at people wandering around the campus. It was terrifying. And a shelter-in-place order was put in at the university. And as somebody who lives pretty close to the university, this all was going down at the same time that my daughter's elementary school was being dismissed for the day, and lots of little kids would be just sort of shepherded around from activity to activity or in large groups at playgrounds and the like. So it was horrific for I think everybody involved. It was also the first day of school for the university students, so just a really terrible way to start their university year. So I did what I think a lot of people would do in my situation and went on Reddit and Facebook trying to find any local chatter about what the heck was going on. Was anyone injured? Like, has anyone seen this person? What's. What's happening? I didn't want to contribute to the panic, but I was also trying to figure out, like, what do I need to know as somebody who's not on the campus but lives close by? You know, how. How much is there a handle on what's happening here? So, as I think I mentioned some episodes ago, I had re-upped my Facebook account, so I was like, okay, let me try and figure out what's happening in the local news communities, which pretty much only exist for me on Facebook. There's really nowhere else for me to go.
And I did find some posts that some students at UMass Lowell had posted about the shelter-in-place order that they were under. And a lot of them had made their posts public. A lot of them were communicating with family members who were posting things like, this is scary. Please stay safe. And, you know, I didn't comment on any of this, but these are public posts. And I noticed at the bottom of all of these posts that were happening within minutes of, you know, me looking for this information were some comments that were saying things like, "shot by someone present at the scene, peep it on" something that sounded very obviously fake, like, you know, "big crime investigation page," or another comment with a shocked face emoji: "This angle was never shown on the news. Here's what I caught," with a link to another Facebook page. And of course I'm going, all right, this has clearly got to be scammy. But I mean, this is the worst type of ambulance chasing I can possibly imagine when there is an active situation where people are trying to figure out what the heck is going on. And within minutes the scammers are showing up in the public comments and trying to divert people to very obviously scammy pages. So this was very personal for me because I literally was trying to figure out what the heck is going on, you know, especially with all the kids being dismissed at that time. And I noticed that a lot of these pages were, if you clicked on them. And I know I was like, I'm now infamous for clicking on links that I shouldn't. But I knew these were going to other Facebook pages. So to be fair, they were going to other Facebook pages. So I just wanted to see what the profiles looked like. And they all had newsy sounding names, these Facebook pages, that made it, you know, Live News or News Live, that kind of thing. And they would embed what was, I'm sure, going to be the next step, the phishing link.
They would embed a link that put an image that looked like a video preview in their Facebook post. So it had like the little play button overlay, but if you click it, it would take you to the Facebook page. I didn't go that far, so. I didn't go that far. But this might be familiar for people, I'm sure, who are on Facebook a lot and are keeping track of breaking news stories. But. And I know these are not new. I'm not saying that this is new, but for me, this was, again, very personal. And I had never encountered one in the wild, so to speak, because I'd never needed to find information this quickly through Facebook. So I just. I don't know. I'm just. I'm just out here saying, what the heck? Thankfully, all is. All is well. The person was apprehended. There were no shots fired, no one was injured. Ends up it was a. A kid with an airsoft gun having too much fun. So, gladly, gladly, all is well.
C
My dad used to tell me, you're gonna get killed with that, because I had a water gun that looked like an Uzi.
B
Oh, yeah.
C
And this is the kind of thing that gets people killed. I mean, this guy walking around a college campus, he's lucky he's alive. The campus police didn't respond and just shoot him.
A
Yeah. Because I will tell you, it was campus police, local police, state police, and the FBI with at least five helicopters were all looking for this person. It was. I can't even begin to imagine. Yeah.
B
And just imagine him walking around looking at. Looking at all the stuff and going, gosh, I wonder what's going on.
C
Right.
A
Well, again, he wasn't just, like, carrying this around. He was holding it up, like, to look through the sight and. And. And looking very much like he was looking to shoot it at somebody. I've seen the video of it. It was kind of like, wow. So I just. This was a what the heck moment for me of like, I. I can't believe within minutes of these things being posted, the scammers are already all over it, trying to direct people to get phished. I just.
C
That. That is amazing. I mean, it's. It's. It's not like they're following a news cycle by watching the news. They're following a news cycle by being on Facebook, seeing what's going on and responding to it.
A
Yeah, yeah, go ahead.
B
Here's my question about this, because we've talked about something similar that happened. I had a situation a couple years ago where I was looking for tickets for a local event, like a local community theater event. And I just posted, hey, looking for tickets to this event. And somebody replied and said, oh, I've got two tickets. They're $150 each. And I was like, this is a $10 event. What's going on? But my question is, how are they getting access to the feed? In other words, I think this must be something in Facebook's API where people in some kind of automated way are just sucking in keywords or have automated searches or they must something.
A
Yeah.
B
And I would love if any of our listeners know, have any familiarity with either the Facebook API or some. Because Facebook has a lot of different tools for automating things and all that sort of stuff. If anybody out there can point us to how this works or how they're able to key into an event like this so quickly and with such precision in clearly what's at least a semi-automated way. Right. I would love to know the mechanism by which they're doing this. And of course the B side of that is the mechanism. Why can't we say Facebook ignores it?
C
Right. Yeah, exactly.
A
Yeah. Because what was interesting to me is there weren't, at least in the posts, they were not obvious keywords. Like if it said this is my video from Shelter in place or something, then I could imagine they're looking for terms like that. But a lot of them were saying, this is the video I took. Or, you know, I'm, you know, nothing that really stood out as this is a newsy thing that's happening. Maybe the comments of, you know, people saying, stay safe. And there's a lot of volume of comments happening very quickly. I don't know. But it just, it seemed more sophisticated than I would have expected. And there were also a lot of these spammy comments very quickly. It wasn't just one or two profiles, it was like five to ten, all very different. So, yeah, they're just gross kind of ambulance chasing and unnecessary noise during a crisis situation, which is just horrific.
B
Right. I wonder if it could be as simple as a post garnering a lot of attention so it gets labeled as being a hot post or trending post. Trending post. Precisely. And so if all you're out to do is get people to go somewhere and you post something that just says, here's my video of this. That doesn't apply to anything really.
A
Yeah, Yep.
B
You know.
A
Yep. Yeah, I'd love to hear people's thoughts too. That's a great point.
B
Yeah, yeah, please. If there's anybody out there who has the details, if you have any experience or can shine some light on what's going on behind the scenes here, or if you're Mark Zuckerberg.
A
We want answers.
B
Just ring us up, we'll have you on the show. Yeah, we'll give you a proper talking to.
C
Why don't you have a seat, Mark?
B
You should be ashamed of yourself.
A
Well, throw some of those hacking humans brains at him with the brains.
B
Yeah, you know, that'd be a great dunk or a great fundraiser rather than a dunking booth. Have a brain hurler booth.
C
Something where you just throw foam balls at Mark Zuckerberg.
B
Yeah, exactly.
A
Use your brain. Know these ones? Yes.
B
Yeah, call me. Call me Mark. We'll make a lot of money together. Oh, sorry. You got a head start.
C
There's one thing he doesn't care about. It's a lot of money.
B
No, it's true. Been there, done that. All right, well, that's interesting. And I guess the lesson here for our listeners is just to be mindful of this sort of thing, particularly when you see a nondescript link posted. Right. It's so easy to fill in the gaps.
A
Yeah, right. Yeah. When you're looking for information, when it's something that's literally happening right now and minutes count because you don't know, is everybody okay? Is anyone hurt? And there are other people commenting. You know, this is what I found. And those are legitimate comments, too. That makes it even more confusing where it's other people also at the situation going, oh, I captured this. So the, the spammy comments, if you're panicking, especially as I kind of was, to be honest with you, they can look pretty much in line with some of the legitimate stuff.
B
Right.
A
And I had to force myself to slow down.
B
Right, right. Well, when you're in that state of mind, you're not thinking straight. Certainly not at 100%, no. So, yeah, that's a good cautionary tale, Maria. All right, well, no link to that, but we look forward to getting some, perhaps some answers from our listeners there. My story this week comes from the folks at Wired, and in a roundabout way comes from a friend of the show and my co-host over on Only Malware in the Building, Selena Larson. Selena is a researcher at Proofpoint, and they've come up with some interesting information here. Let me start off, sort of lead us into this. You know, we've talked about sextortion here many times.
A
Yep.
B
I'd say, correct me if I'm wrong, I'd say the stereotypical sextortion scheme I think of is a phishing email where somebody says, hey, I hacked your machine. I saw what you were up to on your computer. You should be ashamed of yourself. I secretly took some pictures, and unless you send me some money, I'm going to send these pictures I secretly took to all your friends and family. Do you think, am I. Does that align with what you guys think of when it comes to sextortion?
A
I think email or text.
C
Yeah, email. I think of the. I think of the Meta platforms. Sextortion gangs that target teenage boys. That's what I think about a lot because I have. I can't remember his first name. Last name is Raphael. R-A-F-I-L-E. He's in my LinkedIn feed and he comes up, Paul, I think Paul Raphael. He comes up all the time talking about it. So it's always front of mind for me.
B
And what does that involve?
C
It involves them being on Instagram and. Or Facebook Messenger or WhatsApp, and somebody messages him posing as a young girl and they exchange nudes. And then the guy turns around and says, I'm going to extort you for money if you don't pay up. But he's already actually entrenched in his social network.
B
I see.
C
Actually.
B
Okay, yeah. So the thing about. For. For example, the one that I was describing here is that it's a bluff. You know, they don't actually have pictures of you. They. But they're just counting on the fact that there are enough people out there. I don't know if it's fair to say the majority of people out there who occasionally look at things on their computers that they wouldn't want everyone to know about. Right, right. We've all been there.
C
Yep.
B
So that's why it works. Well, the researchers at Proofpoint published a report about a tool called Stealerium, which looks like a pretty normal infostealer. And infostealers, once they're on your machine, they just gather up information like passwords or banking information or crypto wallet keys and send it off to the attacker. But this particular one, Stealerium, comes with what Proofpoint calls a sextortion feature. It watches for certain keywords in your browser history, words like sex or porn. And when it sees them, it takes a screenshot of what you're looking at. It snaps a picture of you through your webcam at the same time and sends the paired pictures straight to the hacker. And from there, you can imagine where that goes. They send you an email, it says, pay up or we leak these. And they send you the paired pictures of what you were looking at and you there, you know, through the webcam. Proofpoint has spotted this campaign. It's spreading pretty broadly.
C
Right. I'll bet it is. Because this is actually like somebody said, wouldn't it be great if we could make those scam emails real?
B
Yeah, exactly.
C
Yeah. The kind of engineering you're dealing with here.
B
Right, right. What if it was real?
C
Right.
B
It is gross. It's so gross.
C
Think of the money we could make.
B
Yeah. So the sort of weird twist to all this is that Stealerium is an open source project.
C
Hey, I like open source projects.
B
Wait, suddenly Joe's opinion does a 360?
C
This is all okay with me.
B
It's an open source project.
A
Yes, open source is great, but this is weird. Okay.
B
Yeah. And the person who distributes it on GitHub says that. They said it's for educational purposes only.
C
Of course it is.
B
Yeah.
A
Okay, well, a contributor has a chance to do the funniest thing ever to this. Maybe nuke it from the inside. I don't know.
B
Yeah. So so far, we don't have any stories of people being affected by it. Like, no victims have come forward and said, this is what happened to me. But Proofpoint has seen this malware package being distributed. So it's out there in the wild. It's happening, but it's just so despicable. Just the lowest of the low when it comes to taking advantage of people. I was trying to think of lessons learned from this. I mean, I guess put a sticker over your webcam. Right.
C
Right.
A
Yeah.
B
Have it face the wall. Yeah, whatever. Whatever you're up to.
A
Post-it note over. Yeah, that's the old Post-it note.
B
Yeah. Yeah, just as a matter of habit, I guess. I remember. I mean, Joe, this goes way back. Didn't one of your colleagues at Hopkins figure out a way to activate a webcam without the light going on?
C
Yeah, that was. His first name was Matt, and I can't remember what his last name was, but he. Yeah, it had to do with the. It was on an Apple laptop with a particular model of camera, but I think it was universal. The issue was that the camera loaded firmware and didn't validate signatures for the firmware. So he could rewrite the firmware. And he reverse engineered the camera to find out how to keep the diode, the LED, off, even though the camera was on.
B
Right.
C
And you could just turn the camera on.
B
Yeah, yeah. The other thing, I can imagine if they're just looking to grab a still shot, you know, even the. I could imagine the little light just flickering for, you know, fraction of a second and.
C
Right.
B
You wouldn't even notice it or say, wait, what was that? Is my camera on? Oh, no, it's not. The light's not on. I'm good, but you're not. So, you know, I think it's easy to sort of tut, tut and shame the victim here, but I don't think this is a case, you know, where that's appropriate.
C
Right. I don't think that's the case either. I don't think that. You know that regardless of how you feel about it, you don't compound whatever wrong you perceive by piling another wrong on top of it. Yeah, especially a criminal wrong.
A
People deserve privacy. It's just.
C
That's agreed. People also deserve privacy.
A
Yeah.
B
Yeah. So keep an eye out for this. You know, be careful, obviously, when you're clicking the links and downloading things from places you don't know where they might come from, keep that antivirus running. But then also I'd say just be mindful of keeping your webcam covered when it's appropriate to do so.
C
Or you can do what I do and just not have a webcam on your desktop computer at home.
A
Yeah. If you're on a laptop though, that's a lot harder because they are often built in.
C
Yeah, it's impossible.
A
Yeah. A Post-it note will do for my.
C
Story when I get to it. I'll explain that I have to put a camera on my computer when I fire it up.
B
Is that right?
C
Yeah.
B
Yeah.
A
Okay, interesting.
B
All right, well, we will have a link to that story in the show notes. Again, that comes from the folks over at Wired. We're going to take a quick break here. We will be right back. And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allowlisting, Ring Fencing and Network Control. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans. And we are back. Joe, you're up. What do you got for us?
C
So since we're talking a lot of privacy stuff today and also we're talking about not having news stories, but personal anecdotal things. There, see, I wove both of what you guys did.
A
Nice.
B
Well done.
C
Yes, thank you. But you know, of course by pointing it out, that makes it worthless. Like a segue is not a segue. If you say the word segue. My story is more about privacy, which we talk about from time to time, than it is about social engineering and today I wanted to talk about metadata. Now, I don't know if our listeners are aware of this, but I am currently enrolled in a Master of Science program or master's program in data science there, I'll say that. Okay. I'm taking one class this semester and it's Introduction to Machine Learning.
B
Now, you already have a master's, right?
C
I do. I have a master's in computer science. Okay, well, yes, I'm getting a number of dual masters.
B
Do you have a master's?
A
I do not. I only have a bachelor's.
B
Yeah, me too.
C
Well, how many bachelor's degrees you got, college boy? I have two of those as well.
B
I just got my lowly arts degree, so I'll just stay down here in the cheap seats.
C
I have one of those as well. So the name of the class that I'm taking this semester is Introduction to Machine Learning. And before you can do any machine learning on any, any data set, you have to do something called EDA, which is an initialism for exploratory data analysis.
B
Right.
C
This is where you start looking at the data. And we were talking about this in class last night as, as. Which I'm really actually enjoying this class. But. And to go back to the camera thing, it is an online class and the instructor has asked that people turn their cameras on so he can see them. Make sure, number one, everybody's sitting at their computer paying attention to him. Number two, see if anybody has any confused looks on their faces.
B
Right.
C
Which is.
A
I think that's only fair.
B
Yeah, that's my default face. Right.
C
Right. So I. First day, first day of class, he says, can you get your. Turn your cameras on? And I'm like, I have to go get my camera. Hold on. He goes, what? I said, yeah, I work on a desktop. He said, they still make those? I'm like, yes, they still make these things.
A
They still.
C
I love my desktop. You cannot have a GTX 1080 Ti in a laptop. Sorry. And I'm boasting about how much Factorio.
A
Are you playing, Joe? Anyway, I'll just get there.
C
I'm boasting about having like a seven year old graphics card now, but it still works very well. So exploratory data analysis is what you have to do before you can do any machine learning. This is where you look at the data and you see what needs to be cleaned up. You begin looking at different parts of the data. Those are called dimensions or features. Right. You might think of them as columns if you're familiar with databases and things like that. Some of these pieces of the data might be more significant than others. You can visualize them in a limited way. You're not going, you know, if you've got a big data set, you're not going to visualize a lot of it, but you can start visualizing little pieces of it, and it's really fun. And like last night, we looked at a small data set for classifying species of irises, the flowers.
B
Oh, okay.
A
Yeah.
B
Okay.
C
I know this sounds like it would be boring, but it was remarkably interesting to see the data.
B
I'll take your word for it.
C
Should hear crickets in this. Right. Nobody else says anything. It's just me. Anyway, we've talked about how much I love data on this show before, so looking even at the data analysis of flower petal length and stuff like that is fascinating to me. Anyway, the instructor took one year of his own browsing data and stripped out all the information except for two pieces of information, the domain he was visiting and the timestamp. And this is a very limited form of metadata. And we had a discussion last night and we all. Well, I don't know. I'll tell you what metadata is. Metadata is data about the data.
A
Right.
C
So there was a. Somewhere I can't remember, it was during the Obama administration, there was a disclosure that came out. It came out that the. That the government was keeping data about phone calls.
B
Right.
C
And it was like the two numbers that had called the time of day that it happened and the length of the call.
B
Right.
A
Which can reveal a lot. Yeah, right.
C
I remember President Obama was talking about saying, everybody should just relax. This is just metadata. But this was everybody's metadata. Right, right. This was indiscriminately being pulled up. If I'm remembering this incorrectly, I'm sure our listeners will remind me. But it was a lot of information. And there was somebody on. Was it Facebook or LinkedIn, one of the social media sites, Maybe they even had an article about it where he requested essentially the metadata that the government was getting from the cell phone companies, and he was able to entirely map out his day just from that metadata.
B
Right, right.
C
So, I mean, it's. When you hear somebody say, we're just talking about metadata, don't let that fool you.
A
Yeah, that's for you. Yep. Yep.
C
The metadata of your data is so important. And the example that our instructor gave in class last night was that Facebook or Meta was going to start learning using your metadata from WhatsApp to build machine learning and training of these models, and they said, don't worry, we can't see your messages. That's actually end to end encrypted. But he did this demonstration with his browsing data. And I want to remind everybody, two pieces of data, timestamp, domain, that's it. Like if you, if he went to Google and did a search, all that showed up was Google. If he went, if he went to the Wall Street Journal and looked at an article, all that showed up was Wall Street Journal. And by looking at this, I was able to, he graphed it out as number of, average number of, of visits per day during the 24 hours of the day.
A
Okay.
C
And he said, look at this graph. And he didn't sing it, but he said, look at this graph. And he said, can anybody tell me anything about me from this graph? And I look at it and I'm like, yeah. You get up in the morning around 6 o'clock, you check your email, you check your phone, you do something. Then it looks like you commute into work somewhere around 7 o'clock because you're very inactive at that point in time. On average you don't do anything until noon. That's probably indicative of you being at work. And there are studies that show that you're the most productive at work during the morning. That as the day goes on and you become more tired of doing the work, you start doing more stuff like browsing. And sure enough, right after noon it starts picking up and then there's a steep drop off around 4 p.m. I'm going to guess that's where you commute home. And then it doesn't pick back up again till like 7 o'clock. That's probably after dinner. And then you're on, on the Internet intermittently from 7 o'clock. And then it looks to me that like from 11 to 1 p.m., or 11 p.m. to 1 a.m., that's when you do most of your, most of your browsing. And he was like, everything you just said is 100% correct.
B
Yeah.
C
And I got that information from two pieces of data extracted over a year.
B
Yeah.
C
And it wasn't, and actually it wasn't even the domain piece, it was just timestamps. From just the timestamp data, I told that whole story of his daily life. And from that I'm able to tell he probably has a full time job, he probably commutes to and from work. All these kind of things you can learn just from this, this one piece of metadata. He also listed out the top 50 sites he visited during this year. From this information, we were able to say, to guess correctly, hey, you're looking at buying a house, aren't you? Because he was going to realtor.com and Zillow and another place, and we could identify two of his financial institutions.
A
Yep.
B
Right.
C
And then I said, hey, what's your email address and your first pet's name? And that. That seemed to confuse him. Listeners of this show will know. I said, don't answer. Don't answer that. I was joking about that. Please don't answer.
B
Yeah, you know, we talk about this over on the Caveat podcast, Ben Yelin and I, pretty regularly. And the example we use is just location data. That's it. Just location data?
C
Yep.
B
If I have a log. So here's the thing. Organizations, the data brokers will often say, all this data is anonymized.
C
Sure it is.
B
So we don't know whose data it is. Okay. But I'll just use you, Joe, as my example. I know where you work and I know where you live.
C
Right.
B
So all I have to do is look for a device that spends at night. Spends its night where you live while you're asleep and spends its day where you work while you're at work.
C
Yep.
B
And I have a device ID.
C
Yep.
B
And then I tell them, give me every location that this device ID has been.
C
That's correct.
B
And now I know where you go to church. I know where you go to the doctor.
C
Yep.
B
I know what bars you visit.
C
Yep.
B
I know. Just, you know, all these, as you say, that's all just metadata.
C
Yeah, it's just metadata. It's right.
A
Yep.
C
You know, it's not. We're not watching your conversations. We're not reading your messages.
B
Nope.
C
But another great example that our instructor gave last night is, what if I see that you make a phone call to a doctor or you. What was it he said? He said you visit a doctor's website and then a cancer institute's website.
B
Right, Right.
C
What can I guess about that?
A
Yeah.
C
And I remember I actually looked this up in 2015. I got an ad on Amazon that said cancer in you.
A
And I'm like, Jesus, oh, they know something you don't.
B
Right, Right.
A
They figured out before you whether or not you're pregnant. Yeah.
B
Right.
A
Famously.
C
It was a couple years later. I think I have to ask my mom and dad about this. But within. After that happened, both my parents were diagnosed with cancer.
A
Oh, my God.
C
It wasn't within like, a year. I don't think I think it was a little longer than. Than that, but I have to go back and find that out. But I always think about that. I was like, I got that ad and I posted it on Twitter, and I actually went back to the Twitter account to look this up to see when did that happen? And then I got a Facebook ad that was like, something about massive heart attacks and had a guy looks a lot like me sitting there reading a book, and I'm like, oh, geez, they've.
A
Got it out for you.
C
I better go to the cardiologist.
A
Yes. Seriously. Well, it's like that. There was that story a few years ago about a woman who got an ad for diapers or something in the mail, and then a few weeks later found out she was actually pregnant. But I guess it was Target. They knew that she was pregnant, where she was or something. I don't know if that was true.
B
Well, the version of that that I've heard is that Target figured out that she was pregnant and started sending her coupons and things. But she lived at home with her parents, and her parents did not know she was expecting. But her parents found out she was expecting because of all the stuff she was getting from Target.
C
Right.
B
Like envelopes that said, you know, here comes the blessed day, you know, and things like that.
A
Blessed day? The day you move out.
B
Oh, no, yeah, it's.
C
Whatever, Dad.
A
I totally misunderstood that story then.
B
Yeah, that's the version I've heard of it, but, you know, I don't know, you know, how those stories sort of take on a life of their own?
A
Bit of a meme. Well, Joe, isn't. Don't these data sets also generate. Not. I'm trying to think of this in terms of AI kind of bringing it back to that. But don't they also generate their own metadata, especially if there's requests flying back and forth? Or am I thinking more in the space world?
C
No, absolutely not. You're not. You know, our example here is actually just data pulled out of the browser.
A
Yeah.
C
That is. That is one small piece of the data that's available about you and your browsing history. Yeah, there is all kinds of other data that's out there. And yes, you're right that even the network traffic can provide metadata, like your location, your approximate location, or maybe even your exact location if they have access to the. To the lease information, the DHCP lease information.
B
And this is why, when we have those stories about that, Facebook is listening to you, Right? Facebook doesn't have to listen to you because Facebook has all the metadata. And it can figure out pretty much everything it needs to know about you by stitching together the metadata from your use of their apps. But also they have their little probes on just about every other place you go.
C
You know what's really weird is I reinstalled Facebook on my phone, and I might take it off again, because I noticed that when I start, when I go to a place and I meet people, like, there's a person, a woman I used to work with who were not friends on Facebook, but we would go out. There's a brewery over in Rockville that we'd meet at every now and then, and I would show up there and with one of my friends who is a Facebook friend, and one of my. And this woman who is not. Shortly after that meeting, I started getting her as a recommended friend on Facebook.
B
Yeah.
C
Because we were in the same location long enough that they're like, hey, do you know this woman?
B
There's a famous story about that where there was, like, a Domino's pizza delivery person who got held up.
C
Really?
B
Yeah. Got held up delivering pizzas. And a couple hours later, the person who held them up got recommended as a friend on Facebook.
C
Took too long to rob the guy.
B
Well, I mean, because they were in proximity. They were in close proximity, and it figured, ah, these two folks must know each other. Let me make a connection.
A
Under what circumstances? Yeah, that's the question.
C
That's awesome.
B
So the thing is, here in the good old U.S. of A., we have no data privacy legislation, none at the federal level. So there's not a whole lot that we can do about our metadata being vacuumed up. But if this sort of thing gives you pause and upsets you, then this is very much the sort of thing that if you want to pen a letter to your representatives in Congress, it's a good kind of thing to do, because that's the only way we're going to get there.
C
I'm sure that I'm going to be very upset next week because our homework assignment is to do this with our own browsing data.
B
Oh, yes. Oh, see, that's interesting.
A
That's an interesting exercise.
B
It is. Do you share it with someone and then they try to figure out.
C
No. That is one of the things you made abundantly clear. Do not share the metadata. Only share the graphs and the output of the program and the software and the code. That's it. Don't share the metadata.
B
See, I would. What? I. You know me, I would try to find a way to subvert this right to make it seem as though my browsing was the most unhealthy, weird, just, you know, bonkers, psychopathic things, you know, like, why do you keep searching for how to bury a body?
C
Right.
B
Oh, no reason. Aren't you?
A
Yeah. Reverse car boom.
B
Well, in terms of advice for our listeners, there's not a whole lot you can do, really. I mean, well. So be mindful of cheap, janky apps on your mobile devices.
C
Absolutely.
B
Because they are the ones that are quite often tracking your location data and all your other data and sending it off to the data brokers. But if you have. If your phone has privacy features, like, for example, iPhones have switches you can throw that help hide where you are and who you are and that sort of thing. And Android has similar things. So activate those, because. Why not?
C
Absolutely.
B
But you're kind of pushing a rock uphill when it comes to metadata because there's just so much of it, and.
C
That rock just keeps getting bigger and bigger and bigger.
B
It's a reverse snowball, Right? Yeah. All right, well, no link to that story as well, but again, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans2k.com Joe, Maria, it is time for our Catch of the Day.
C
Dave, our Catch of the Day comes from the Scam subreddit, and I haven't looked through this one yet, so I'm just gonna send it over to you and see what it says.
B
All right, it goes like this. Dear Candidate, you have been specially selected to receive this exclusive invitation to join the Illuminati Brotherhood. Our international network continually monitors individuals who demonstrate ambition, leadership, and potential for influence. After carefully reviewing your background and online presence, you have been identified as a candidate worthy of induction. No payment or upfront fees are required.
C
Oh, that's a relief.
B
You have the opportunity to rise above the ordinary and achieve true power, wealth and recognition. Initiated members enjoy the benefits and protection of this prestigious global organization. If you're ready to begin your induction process today, contact the Supreme Superior via email. Wow. Don't delay.
A
Is that on LinkedIn?
B
Opportunities like these come along once in a lifetime and your future awaits. Required information, first and last name, country, address, phone number, occupation. Please send the above information directly to the High Superior so I can post.
C
Not the Supreme Superior, that's. Well, it says contact the Supreme Superior.
B
Maybe the High Superior is the Supreme Superior's lackey.
C
Okay.
A
Yes. Scheduler Hierarchy's weird.
B
Yeah. Sincerely, the Illuminati brotherhood.
A
So why would they be sincere about anything?
C
Right. I have gotten emails like this in the past, actually, and I will tell you, at one point in time, I was like, really? But no. But no.
A
Tempting. Tempting, yeah.
C
So very tempting. But here's my number one question. You're the Illuminati. Why do I need to tell you my first name, last name, country address and phone number?
B
Right.
C
You should know that.
B
Exactly.
C
That would be my reply. I'd reply to Supreme Superior. Going, Supreme Superior, this is. You know who. You've asked for this information. Why don't you provide it to me?
B
Yeah, that's right.
C
Of course. My luck, they'd be like, you're Joe Kerrigan. Here's your address, here's your phone number.
B
Right, here's everywhere you've been browsing, you weirdo.
A
Listen, the Illuminati is falling on some hard times. They're not up. They have to up their game a little bit. They're just getting rusty.
B
Right? Yeah. It's harder to be an Illuminati when the data brokers are out there sucking up your metadata.
C
Have you ever played Steve Jackson's Illuminati game?
B
I do not believe I have.
C
It is a great game. The rules are, of course, convoluted, but you get. It's a card game, okay? So you're in control of an Illuminati, which is one of, like, eight organizations, because you can have up to eight players, and then you get money, and your Illuminati, your organizations produce money, and then you can, you know, the idea is you can use that money to influence and destroy other Illuminatis. Anyway, it is a great game because you wind up saying things like, MTV is controlled by the CIA.
B
Right. Okay.
C
As you're building your Illuminati out, you start to sound like a tinfoil hat wearing conspiracy theorist.
B
Right?
C
And it's brilliantly funny. Like a lot of Steve Jackson games, it's brilliantly funny and awesome to play.
B
Well, I want to add Maria. Evidently, you're not eligible.
C
Yeah, sorry, Maria.
A
I don't think I can be part of a brotherhood.
B
Just a brotherhood. So you're gonna have to sit this one out. I know that's a huge disappointment for you.
A
I know.
B
Maybe next round. Maybe there's an Illuminati sisterhood, or maybe.
C
There's an Illuminati support organization, like there is for a lot of the men's fraternities, like the Masons.
B
Yeah.
C
They have organizations for the wives.
B
Yeah. Yeah.
A
That implies that my husband's in the Illuminati.
C
Here's how we can get in.
A
How would I know?
B
Would you know? Right. Where is he going? Does he already says he's at the office today?
A
I don't know.
B
Right. Seems like every time you guys go out, you pull up to the building, there's always an available parking space right out front.
A
It's amazing. I gotta pull some strings, but it's pretty nice.
C
I get the rollerblades from the far.
B
Right.
C
From the far parking space.
B
All right.
A
What?
B
I'm just going. I'm just keeping going.
C
It's a Simpsons reference again.
B
This is a Stonecutters reference.
C
Yeah.
B
Stonecutters.
A
Oh, my God. Jeez. Stonecutters Guild. It's been a while.
C
Okay, Lenny and Carl get up to front parking, but Homer doesn't get any. He still has to. But they said no. But they gave me these cool rollerblades. To riding.
A
What's the song? What's the Stonecutter Guild song?
B
Who keeps the trains on time? We do. We do.
A
That's right.
B
Yeah. So and so down. We do. Or was it the metric system? The metric system keeps the metric system.
A
That's what it was. That's what it.
C
Who makes Steve Guttenberg a star?
B
We do. Yeah. All right. Well, again, we would love to hear from you. Please email us. It's hackinghumans2k.com. We are going to mercifully take one more break before we wrap things up. We'll be right back. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. And we are back. And that is Hacking Humans, brought to you by N2K CyberWire. We would love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Ibin. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening, Sam.
Podcast: Hacking Humans
Host: N2K Networks (Dave Bittner, Joe Kerrigan, Maria Varmazes)
Episode Date: September 11, 2025
This episode dives into the insidious ways social engineers and cyber criminals exploit even the smallest pieces of information ("metadata"), with firsthand stories and the latest research on how data brokers, scammers, and malicious actors turn minimal data into powerful tools for manipulation, extortion, and breaching privacy. The hosts share personal anecdotes about scam attempts in crisis situations, examine a disturbing new infostealer malware capable of real sextortion, and unpack just how revealing basic metadata can be. The episode is rich in practical lessons and cautionary tales for anyone navigating today’s information landscape.
Maria’s Story – Metadata in Action
Maria (04:04):
"Within minutes the scammers are showing up on the public comments and trying to divert people to very obviously scammy pages. This was very personal for me because I literally was trying to figure out what the heck is going on..."
Dave (13:31):
"When you’re looking for information, when it’s something that’s literally happening right now and minutes count ... the spammy comments, if you’re panicking, especially as I kind of was ... they can look pretty much in line with some of the legitimate stuff."
New Malware: Stellarium
Dave (17:04):
"When it sees [certain keywords], it takes a screenshot of what you’re looking at. It snaps a picture of you through your webcam at the same time and sends the paired pictures straight to the hacker."
Joe (21:11):
"Regardless of how you feel about it, you don’t compound whatever wrong you perceive by piling another wrong on top of it..."
Joe’s Machine Learning Class Anecdote
Joe (31:34):
"I got that information from two pieces of data extracted over a year ... and actually it wasn’t even the domain piece, it was just timestamps … I told that whole story of his daily life."
Dave (33:01):
"But I’ll just use you, Joe, as my example. I know where you work and I know where you live...all I have to do is look for a device that spends its night where you live while you’re asleep and spends its day where you work while you’re at work ... I have a device id ... and then I tell them, give me every location that this device ID has been ..."
This episode is an eye-opening primer on why little data can reveal a lot—and how small lapses in caution can have outsized consequences in the digital world.