A
You're listening to the CyberWire network. Powered by N2K.
B
The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

Hello everyone and welcome to N2K CyberWire's Hacking Humans podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan. Hey, Joe.
C
Hi, Dave.
B
And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Hello, Maria.
A
Hi, Dave. And hi, Joe.
B
All right, before we dig into our stories here, we have a little bit of follow up here. What do we got, Joe?
C
We have a message from PhD. I'm assuming this person may have a PhD. I don't know. They sent a pretty huge deal.
A
Pretty huge deal.
B
Pretty huge deal. I like that.
C
Yeah, pretty huge deal. That's a good one as well. The question is, is this what Joe looks like? Is AI listening and building articles tailored towards me, or am I an AI or just a fan? And he sends a link to an article from the Onion. Dumbest friend just bought 20 chickens. Moron. Also spent a couple grand on a chicken coop.
B
Yeah, yeah.
C
Now, yeah. I will tell you, I have already seen this article and taken a screenshot of it and sent it to my entire family. [They all laugh.] Of course, we are probably buying the world's most expensive eggs ever, but we do get to have chickens. And the picture is of a guy holding two chickens in a flannel shirt and a baseball hat. I and has. He has a full beard. I have now gone completely clean shaven, however temporary that may be. May grow a beard back? I don't know. I'm not.
A
But otherwise it's a spitting image of you. Is that what you're saying?
C
I do look like this guy. I'm kind of built like this guy. I wear a cowboy hat usually when I'm out. Out in the yard, just because it keeps the sun off of everything. It's great. It says under here, your most dimwitted friend with some of. Some of the chickens that will consume hundreds of hours of his life.
B
Yeah, I mean, it's not so much a food source as it is a hobby, right?
C
Yeah, that's right. My new hobby is farming, Dave. My new hobby.
A
That also feeds you as opposed to just the other way around.
C
Full time jobs. That's right, Maria. I do have to feed them, but they also feed me.
B
Knowing yourself, how much time do you think it's gonna take before you are completely sick of eggs?
C
I don't know. I really like eggs and I'm not one of those guys that gets sick of a food. I can eat a food over and over and over again.
B
Okay, well, let's mark this moment as the one where he really likes eggs.
C
Right.
B
And we'll check in.
C
My doctor may have something else to say about it. Once my cholesterol shoots through the roof, we'll see.
A
Okay, we'll see.
B
Fair enough.
C
But that's a great article. Thank you for sending that in. PhD. Yeah, that's right.
B
Yeah. All right, we got another piece of follow up here from a listener named Peter who writes in and says, hi Dave, Joe and Maria, I'm a big fan of your show. I've been listening for years. Has some very nice things to say to us. He said. I wanted to follow up on your recent episode about YETI product scams.
C
Aha.
B
I live in Belgium and have seen this exact scam though with different products. High quality backpacks from a large sporting goods retailer, but also other products in stores are being used. The scam profiles on Facebook use the same tactics. They're obviously fake, share a sad story about a fired employee and offer a fake employee discount on the backpacks. All of them are sponsored messages. I've reported many of these to Meta and while they usually get a pass, I did get one report that was successful which felt like a huge win. Woohoo. Isn't it funny how Meta lulls you into feeling like anything is a huge win when you're doing anything with.
A
They're doing the least, right?
C
The least they can do.
B
Yeah.
C
If you spend enough time screaming into the void. That one voice coming back going hey, I hear you is so rewarding.
B
So Peter says, I have some additional details about what happens next that I think you and your listeners would find interesting. All Ears says you are right that these scams collect personal information, but they also offer you the chance to win a high value product. You always win, of course, and are asked to pay a small fee of just a few euros to get the item. Ooh. This is where the real scam begins. Oh, this is where the real scam begins.
A
Okay.
C
The other were just precursor scams.
B
Yeah, appetizer scams.
C
Right.
B
In Belgium, a recently introduced new type of debit card called Debit Mastercard allows for periodic subscription payments. By agreeing to pay the small fee, people are also unknowingly signing up for a recurring subscription of 60 to €80 per week. Wow. Yeah. While the fine print might technically disclose this, it's highly unethical and designed to trick victims into losing far more than they signed up for. We see these types of scams popping up constantly with a lot of variants, but always with the same outcome for the victims. I'm not sure if this specific payment scheme works the same way in the US, but it's a new angle to this scam that your audience should be aware of. Thanks again for all the great work you do, from Peter. Well, Peter, thank you for sending this in. I certainly have seen these subscription scams.
C
Yep.
B
I have seen them lots of different places. The thing that comes to mind at first are. What do you call them? Infomercials.
C
Right, the Ron Popeil infomercials.
B
Well, there's all kinds of infomercials out there, but I have seen some of them that say, come and buy our super deluxe, whatever it is. And while you're on the phone, our representatives will tell you about an opportunity to subscribe to such and such and such and such. Now, in that case, they're telling you about that, but I can bet you that they're strong arming you about it. But we've seen other ones. Remember, there was one probably, I don't know, within the last year or so. Remember, Joe, I told you that I was attracted to an ad for digital watch faces?
C
Yes, digital watch faces.
A
Yeah, I remember that. Yeah.
B
So, same sort of thing. They get you this way, it's free to start, and then it's like $30 a week or something.
C
Crazy.
B
Yeah. And I think my guess is the business model here is that they just figure on getting you for one or two billing cycles.
C
Right.
B
And that's all they need. Yeah, it's a profit.
C
That's a successful scam.
B
Despicable.
C
Yes, despicable. That's. Thanks, Daffy.
A
Despicable.
C
Despicable.
B
No, despicable. It is despicable. All right, well, our thanks to Peter for sending this in. We do appreciate you taking the time, and of course, we would love to hear from you. If there's something you'd like us to consider for the show, please do email us. It's hackinghumans@n2k.com. We're going to take a quick break here to hear from our sponsor. We'll be right back with this week's stories.

And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from ThreatLocker.

All right, we are back and I am going to kick off our stories this week. This one caught my eye for reasons that I think will be evident as I go through it. This is from the folks at Infosecurity Magazine and it says, experts warn of celebrity podcast scams.
C
Are people impersonating us, Dave?
B
Celebrity podcasters, celebrity podcasts.
C
Oh, not podcasting celebrities. Sorry.
A
Right. So not. Okay. Oh, adjacent, but not the same.
B
I don't know that we. Yeah, I don't know that any of us qualify for any for either of those categorizations.
C
I think, Dave, I think I've talked about my belief of only having six lists of celebrities from A to F. Yeah. And you are at least D, possibly C level list celebrity.
B
Oh, that's so sweet of you.
C
Everybody in the world is at least an F list celebrity.
B
Oh, I see.
A
At least an F. At least an F. Right.
C
And I use six because it's the same thing as six degrees of Kevin Bacon.
B
Yeah.
C
Right. So you would say Kevin Bacon's an A lister, right?
B
I would.
C
Right. You can probably get to Kevin Bacon quicker than anybody else on this podcast.
B
Yeah, it's true.
C
You may not have to go six.
B
The way I define the problem is. Well, not the problem. The fact of the matter is I grew up with Edward Norton.
C
Ah, yes.
B
So that shortcuts me to just about everyone in Hollywood.
C
That's right. He used to hang out at my house when I lived in Columbia.
B
Is that right?
C
Yeah. My neighbors told me that they'd see Ed Norton sitting on the backyard in the back. In the back of my house drinking beer with the guys that live there.
B
Oh, okay. Well, there you go. All right. So celebrity podcast scams. So let me ask the two of you, have you ever been offered money to appear as a guest on a podcast? Joe.
C
As a guest? No.
B
Okay. Maria?
A
Oh, I certainly have. Yes.
B
Yeah.
A
Not a lot, but it was money. Yes.
B
Yeah. My general approach to being offered money to appear on someone's podcast is I ask them to make a donation to my favorite charity. I just figure that I'm already being paid by my day job to be a podcaster, so I'm kind of covered there. And, you know, it's extra work. Why not just have it go somewhere where it can do some good? However, what this scam is about is fraudsters are posing as managers of a fake celebrity podcast, and they offer people $2,000 to appear as a guest. Okay. So they're targeting fairly high profile people, business people mostly. And they reach out and they say. And of course, they get buttered up. They get an email that praises them, tells them, you know, how impressed everyone is with all they've done in business and their life.
A
And everybody wants to be on a podcast, right? Everybody, yeah. Who doesn't? Who doesn't want this, Dave?
B
I know.
C
Everybody that wants to be on a podcast is on a podcast.
B
There you go. That's right.
A
At this point, yes.
B
I was gonna say it seems like more in the past than the present, but anyway, so if the victim agrees to being on the podcast, of course they have to go through a technical check. So they're asked to join a call to test their webcam and their audio. But what's really going on here is the attackers are trying to get them to install remote access software.
C
I see.
B
So they're saying, in order to use our exclusive system, we're going to have to install this driver onto your computer. Now, we use a system for recording podcasts, right? We're using it right now.
C
Yes, we are.
B
Yeah, it's called Riverside. But most of the. In fact, I can't think of any of the dedicated podcast recording platforms that require you to install anything. They're all browser based now, so. So they get you to install something on your machine, and then they steal the things that they steal. Once they have access to your machine, your social media logins, they look for your other accounts, credentials, things like that, which is kind of a twist on the classic tech support scam. But they're going after business leaders and specialists and of course, these people's information. And presumably having access to their PC could be more valuable than just a run of the mill person.
C
That's right. This is more like almost like a spear phishing attack of the tech support scam.
B
Right, right. And then once they're on a computer, they then pivot to try to get into corporate systems and things like that. So it can spread from this one initial outreach.
C
Yeah. If you took this Call at work, that could be devastating to your company.
B
Right, right.
A
Oh, good point. Yep. Absolutely.
B
Yeah. So the advice for businesses is, of course, be skeptical of generic emails. Verify a sender address. They say real podcasts don't use Gmail.
C
Hold on.
B
Mostly true.
C
When I had my own personal podcast, that was a Gmail address.
B
Yeah. They say real podcast, though, Joe, So.
C
It was real.
B
That's true. I was on it more than once.
C
Were you at. Yes, that's right. You did a. You did. You. You sent me a sound bite once.
B
That's right. Yeah, that's right. A bit, if you will.
C
A bit, yes.
B
Beware of unsolicited money offers. Never allow strangers remote access to your device. I would say that in this case, you don't know that that's what they're doing.
C
Correct.
B
But still, I'd say be cautious of anybody installing anything on your device, even a browser plugin, anything like that. Yeah.
C
One of the big problems with this is, is if they're using custom malware that they've built here, it may not show up in the virus scanner.
B
Right, right, True.
A
Yep. Yeah, yep.
B
Yeah. So you can see why that caught my eye and wanted to share it. But, yeah, it's a good one to look out for. So we'll have a link to that in the show notes. That is my story this week. Joe, you're up. What do you have for us?
C
I have an interesting story that I actually got while I was at work. This is from the gurus over at the IT Guru, and there's a company called. The headline is Workday Discloses Data Breach following CRM Targeted Social Media or Social Engineering Attack. So what is Workday? I don't know if you guys are familiar with Workday, but they are a leading provider of human resources and financial management software. And here's how I became aware of them and why I think other people should become aware of them. About a little over a year ago, I was in a job search mode, so I went out and I found, you know, I would start applying to these positions, and every time I would go to the company's website to submit my application for the job, I would go to a Workday front end. It always looked the same. And I don't know if it's because the front end is not that customizable or these companies just don't care about that or. Or can you remove the word Workday from the front end? I don't know.
B
I see. So it was labeled as being Workday, right?
C
It was labeled but it also had their branding on it. But you could clearly see that it was Workday.
B
Okay.
C
And it always looked the same when you went in. Okay, Absolutely. Very uniform, which kind of made it good. Right. And then I knew what I was dealing with when I was applying to any of these companies. But, you know, neither here nor there. It's just the front end of a lot of these HR processes.
B
Okay.
C
So that's how they collect resumes. Now is with Workday. So Workday has confirmed that it fell victim to data breach stemming from a social engineering attack targeting a third party CRM, which is a customer relationship management system.
A
Yeah. Yep.
C
So it's important to note that Workday says, and I'll just quote the article, the breach did not impact its customer tenants or the secure data therein. Instead, the compromised system contained primarily commonly available business contact information, including names, addresses, email addresses and phone numbers. So it looks like all they did was breach Workday's CRM system. So the. This article says it's probably a Salesforce system because Salesforce is like the world's biggest. Like if you have a CRM system, it's probably Salesforce.
B
Yeah, Right. Most likely, yeah.
C
So what they said was that Workday became the target of a coordinated social engineering attack where they reached out to Workday employees via SMS phone calls or phone calls, impersonating internal HR IT personnel. And then these attackers tricked employees into granting access or revealing enough personal details, allowing them to infiltrate and get access to this CRM, which they did via malicious OAuth applications. Now, OAuth is open authorization, which allows you as an account holder to give some other application access to your account details. It's not like the single sign on thing, which is where the single sign on provider gives the client here a token and says, yes, I validated. This is Dave or Maria. Right. So there's a really interesting quote in here from Dray Agha, who is the senior manager of security operations at Huntress. And he says this incident underscores three non-negotiable deficiencies. Eliminate OAuth blind spots and enforce strict allow listing for third party application integrations and review connections at regular intervals. Adopt phishing resistant MFA hardware tokens as essential because MFA fatigue still remains trivial. So that's really two things. User enrollment in execution of malware is very effective. So once again, what we're seeing here is the fatigue aspect of wearing people down with these other means of multi factor authentication. One of the great things about the hardware based tokens, and whether that's like a YubiKey or something else similar that uses the FIDO Alliance's protocol or some other hardware based token. There are multiple other tokens. There's like the government has a common access card. It's the same kind of thing. Whereas it's called colloquially the CAC because that's an acronym.
These things are not subject to this fatigue because it's a physical device that you have and it's certificate based and it's a challenge response kind of kind of structure, as opposed to I'm going to send you a text message and you're going to enter the code or you're going to go to your other app and you're going to click allow. Those things can quickly overwhelm a user. Additionally, with the codes, you can socially engineer those out of people. Even the ones that are, are cryptographically sound like the RSA.
A
RSA tokens.
C
You can just say, okay, I need you to read those numbers to me. So really I think it's time, you know, maybe, I mean, I don't know, it's been time for a while, but I think we really need to move beyond these other methods of multi factoring. Just go with these hardware based certificate multi factor authentications.
B
Yeah, we covered this, I want to say years ago in the pre Maria era, the dark times of our podcast. Remember there was a story about Google. Yes. There was an internal story about Google and basically anything that they applied a hardware token to was 99.99% secure. Yeah. It just didn't get popped.
C
They haven't had. When we read the article, as of the time we read that article, they had not had a security incident on anything secured with a Google Titan.
B
Right.
C
Because that's their hardware key solution, I think that uses FIDO.
B
It does.
C
So it's the same thing as a YubiKey. You can use it everywhere. You can use a YubiKey, I think.
B
Yeah.
C
So it's. Yeah. And it works. You know, it keeps. There's no way that you can make somebody put that in there. The only time you ever need it is when you're trying to authenticate right now.
B
I will say, because we use some hardware tokens here for various things at work and it is occasionally a pain in the butt.
C
Yes.
A
Yeah. I mean if it's so great, and it is, and it's sort of like when I talk to people, or 10 years ago especially, about password managers, it's like, oh, it's so great, why isn't everyone doing it? Well, friction there is friction there. And I'm not trying to say this is a bad idea because there's friction. It's just, how can one reduce the friction? Because it does sound like a fantastic idea. Yeah. Yeah.
B
So I think passkeys are supposed to be the happy medium between these two things, and I think they could be, but they seem to be getting off to a sluggish start of installation or adoption, I guess is a better word for it. But I just try to remind myself every time that something calls for a hardware key, and it's at the worst possible moment. Like, I'm at home sitting on my couch. Right, Right. And it says, we need.
A
And I'm like, okay, now where is that thing?
B
Right. Gotta go find my keys. Gotta get.
A
Did I leave it in the car? Is it in my work bag? Yeah.
B
Will my phone successfully scan, you know, like, all those things? And I just remind myself, say, all right, this is for safety. This is good. You know, this is better than the alternative. So just take a deep breath and do it.
C
I use my YubiKey to secure my password manager, which is KeePassXC. I believe it's the .NET version of KeePass. Probably shouldn't use the actual KeePass, but use the. If you're on Windows, you can use KeePassXC. It's better. And what that does is it allows me to keep my. Or it makes me comfortable enough. I'll say that, because I'm really already allowed to do this, but it makes me comfortable enough where I can keep my password database up in the cloud so that I can have it wherever I need to have it. Because even if somebody breaks in and get. And they know the password for my password manager, they can't get into that database without my physical key.
B
Yeah.
C
And, yeah, it's a pain when I leave it because it's always attached to my backpack via a lanyard. And it's a pain when I leave that backpack upstairs and have to go get it because, you know, I always go downstairs and go, well, time to go do something. Oh, I gotta log into this site. Oh, I need my backpack.
B
Well, just not to mention you need a dolly to move your backpack.
C
I don't know anybody else does.
B
Yeah.
A
How's your back, Joe?
B
Back's great.
C
Ever since I started wearing a backpack.
B
It really increases the name of Thor's hammer.
A
Oh, the M. The Mjolnir.
B
Is that what it is? Yeah. Yeah. That's basically Joe's backpack. He's the only one who can pick it up. It's. It's full of solid gold bars from.
A
Costco that I have learned that Costco sells thanks to this show.
C
Right?
B
Yeah, yeah. All right, well, we will have a link to Joe's story in the show notes. I tell you what, let's take a quick break before we get to Maria's story. We'll be right back after this.

And now back to our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are allow listing, ring fencing and network control. Allow Listing is a deny by default software that makes application control simple and fast. Ring fencing is an application containment strategy ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source, IP or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Hacking Humans.

And we are back. Maria, what do you have for us this week?
A
I have just two sort of quick ones for my one story is actually two. Right before we started recording today, like half an hour, a little bit before, I got a spam text that normally I would just hit, you know, delete, junk it, but I, there was something about it that I just wanted to surface because I haven't seen this before and maybe you both have, but it just was, was a little noteworthy to me. It was yet another. We tried to deliver a package to your house and you need to go to this spammy URL and we're going to phish you when you do that. And the, the URL it had in this case was fedex.com@spamurl.spam, spam, spam, spam. I have not seen a spam URL actually try to obscure itself within the legitimate one like that using the @ symbol.
C
Which we have talked about this before. I've actually never seen this in the wild. I've only ever heard about it. But what is happening here is the very first HTTP protocol had specifications that would let you put a username and a password before the URL. So you could put username and I think it was a colon and then a password at the domain you wanted to go to and it would log you in.
B
Oh yeah, so I've forgotten about that.
C
Yeah. So what's, what this is, is. And if you just put a username, it will prompt you. The system is what should prompt you for a password. Yeah. So what this is, is this is looking like www.fedex.com is the username as far as the URL is concerned. But to the average user, they. Nobody even knows about this. Nobody thinks about this because nobody has used HTTP, hypertext transfer protocol, to do this ever. I've never seen this done, but I did know that if you put.
A
Didn't FTP do this? Like, doesn't. Oh, my God. That is an old part of my brain I have not thought about.
B
Right.
A
Yes. Oh, my goodness.
C
SSH still does it.
A
The cobwebs. Yes. I was like, wait a second, I have seen this before. All right.
B
Wow.
C
If you do SSH space your username at the server you want to go, it logs you in as the username. Otherwise it just asks you for the password. Otherwise it will prompt you for username and password. So that's what this is. You're looking at the username portion of the URL, which is generally disregarded. I don't even know that web servers actually plan for this in the protocol, but I think it's still there.
B
Yeah, yeah, exactly. That's what I was going to say. I think it's just. It's a zombie protocol. Right?
C
A zombie part of the protocol.
B
Yeah. Right. Yes, yes. That's a better way to put it. It's just fallen out of use. But probably, you know, things that are deprecated often stay in there.
C
Yeah. So I'm actually very excited.
A
Long forgotten.
C
I really like. Oh, cool, here it is. I've only ever heard about this.
A
It's vintage and it's been brought back. And look, there it is. And what I loved in the spam text was that they had very explicit instructions. Just reply with Y, then close and reopen the message to make the link work. If that doesn't do it, copy the link and paste it straight into Safari. I was like, oh, very specific instructions to get pwned. I just thought that was kind of adorable before I hit junk and deleted it. But just noteworthy. Yeah, the @ made me go, oh, that's interesting. But yeah, as you mentioned it, those cobwebs cleared and. Yeah, yeah, it's been. It has been ages. My goodness. Okay, well there. That was my little show and tell for today for Joe with the history lesson.
C
Yeah, yeah. That's how old I am. It's time for me to give you the Internet history lesson.
A
The other item I wanted to raise was, for me, kids going back to school right now is top of mind because my kid is currently watching TV downstairs because school starts in a few days. So we're getting ready for that season in my household. And with the inevitable start of school in North America, Northern hemisphere area, there is this slew of pictures of adorable kids, often on their front step or in some notable landmark, holding up a chalkboard saying my name is this, my teacher is that, I am this many years old and I like blank, blank and blank. And I would venture most listeners to the show know that that is a very bad idea for very many, many, many reasons. However, this is still a trend that is going on. And the Independent has an article sort of about this, sort of about the sharenting thing, with an interesting angle. And it's not just the don't do that, because that message has been out there for a while, like don't post these pictures. And clearly people are ignoring that advice. There is sort of a halfway method that a lot of people, including celebrities, have been trying to, I guess, toe the line on, trying to protect their kids' privacy a bit while not completely disappearing from Internet social life. And that is by posting their family photos, but putting a cute sticker or emoji over their kids' faces. And this article by Katie Rosseinsky on the Independent asked some cybersecurity and privacy experts, does that actually do anything? And I wanted to give a sort of a thumbs up call out to Lisa Ventura, who I'm a big fan of. And she did not pile on with the thing that I often hear, which is, oh, AI can remove the sticker, and she's going, that's kind of an overblown threat. That's not really a thing as much as you would think.
It's more that using the emoji sticker over the kid's face may give the poster, or the parent in this case, a false sense of security and they may get complacent about the other details that are in the photos that they're sharing that actually give away a lot more information. So I just wanted to just highlight what Lisa said because I just thought it was a fantastic quote. I'm just going to read what she said. And there's a lot of scaremongering about AI being able to magically reconstruct faces from emoji covered photos, as well as various digital tools that claim to be able to get rid of this layer. For the most part though, when the image gets saved, the original will be overwritten. You can't see behind it. So the main issue isn't the threat of peeling away the emoji, but the fact that most parents aren't just posting one carefully emoji protected photo, they're sharing multiple images over time. And the combined data from all those posts creates a much bigger privacy concern than any single image. And then the writer goes on to say, if popping some cartoonified mask onto their face makes you more laissez-faire about what you're posting about your kids, it could actually be counterproductive. So I thought that was a really nice nuanced take on what is often just like, don't do the sharing your photos online thing, because that is what I do. But I recognize most people don't want to do that. So it's just a nice reminder, I think, for people that putting a privacy screen over your kid's face if you're going to share those pictures is nice, but think about the other things in the photos that you're sharing. And especially with AI, it's really easy to glean a lot of details very quickly about kids' personal lives by people who have very ill intentions. So be very careful out there. And you know, as I say, I always am a fan of don't post your kids online at all. But I recognize that that's not what most people want to do. That's kind of a hard line way of operating.
So they're just be, don't be complacent in the ways that matter.
B
Joe, what do you think of this?
C
I agree with what's being said here, especially about the image, because when you talk about layers in an image, what you post on Facebook or Instagram or wherever is not a layered image. It's generally like a PNG or a JPEG. So yeah, AI is not going to be able to peel that away. If you take that out of the image, the underlying image is gone. But, but when you, when, yeah, when you post a picture of that on there, think about, just think about the information that's there. First off, what your house looks like. Right. Is there GPS location information in the metadata of the picture?
A
There often is.
C
And I know that Facebook strips that out, or I think they do, but you never know. And more importantly, what's Facebook doing with it? What's Meta doing with that information? They're tracking you. What about if you put up a picture of your house that has your house number on it? I mean, yeah, you didn't post a picture of your street, but only so many house numbers. Only so many streets have house numbers that are the same as yours. So it definitely limits the domain of the problem, if you will.
A
Sports teams that your kid is playing on. Yeah. Like things that they're interested in, the school that they attend. And my other thing is other children who did not consent to be in this photo, especially. So, yeah, there's a lot of information that can sort of inadvertently get in there. I know the best practice for a lot of celebrities is you don't post same-day pictures. For sure. You definitely do a delayed post. And this is something I remember in my Sophos years, many years ago, that we were sort of told as well: you know, wait a few weeks when you come back from vacation to post those vacation pictures.
C
Absolutely.
A
And so it's one of those things like, you know, delay a little bit. But also. Yeah. Be super careful about what's in the background of those photos.
B
So can I chime in and be the plop and the punch bowl?
A
Go for it.
C
Gross. But yes.
B
But funny, I don't like this. I think this is a solution in search of a problem.
C
Really? Yeah.
A
In what way?
B
How many kids in your neighborhood are being snatched off the street every day?
C
Oh, that's a good point.
A
I'm not worried about being snatched off the street. That is the least of my concerns.
B
What are you worried about?
A
Unsavory things being done by people who really are. I don't wanna get really disgusting, but.
B
Like, how would they do that? They'd have to snatch your kid off the street. Right?
C
No, what she's saying is that. Yeah. Use the images to train a model to make other images.
B
Oh, okay. Yeah, never thought of that.
A
Yeah, I'm not worried about my kid being snatched off the screen. I recognize that as a really overblown fear. That's not a thing I'm worried about. There are people with different threat models, of course, who. There are custody battles or estranged family members or people who are, you know, disgruntled folks in their lives where, you know, their child's safety may be potentially a thing that they're concerned about more than the average person.
C
Yeah, you gotta know your own risk model.
A
Yeah, yeah, but my thing is also, you may not always know that you're at that risk. That's my paranoia coming out. But yeah, I'm not worried about, like, the 80s milk carton, "Have you seen this kid?" situation.
C
Right.
A
It's more a lot of unsavory people doing things very easily on the Internet with easily scraped images. And some people go, well, I don't know about it, so I don't care. And that does not jive for me.
C
But yeah, yeah, well, I mean, you know what? I'm going to keep this scenario in my head. I'm not going to share it. But there are reasons I do care about that. But.
A
Yes.
B
Anyway, I guess what I'm saying is my belief is that the worries about these sorts of things tend to be overblown.
C
Yeah, I get that.
B
The odds of any of this happening to any of us, in my mind, versus the benefits of sharing a picture of my kids with my parents. You know, I mean, that's the calculation I've made, and I have to live with that. But I don't know, it just seems like, you know, it's very much a save the children kind of thing.
C
Somebody please think of the children.
B
Right. But, like, it's a horrible idea and a horrible thing to think about, but I'm not convinced that most of it is grounded in reality.
C
I will counter that with this point, and that is that there have been articles that we've read, I think, on. Do we have it here? Maybe it's been a long time. But when you upload your pictures of your kids to Facebook, or to, well, particularly to Facebook at the time of the article I read, they're tracking that. They know what your kids look like. They have facial recognition models for your kids. So there's a real privacy angle here: maybe I don't want my kids getting targeted by Facebook while I'm the custodian of them. Or, you know, in my case, now my grandkids, Dave.
A
I think of it this way. It could be completely overblown for me. There is no benefit of putting these images online, so I would rather not take the risk. That's the judgment that my husband and I have made for our kids.
C
Yeah, that's an excellent point. What is the benefit?
A
It's just like, I don't see a benefit. I. I'm really old school. I send my family photos through the mail. I'm just like, listen, you want pictures of my kid, I will send them to you. And it helps that a lot of my family's not online anyway. But I just like, I don't want it going through a third party. They don't need a picture of my daughter. It's just none of their business.
C
Right.
A
I recognize my. My situation is not everybody else's, but I'm just like, it's not worth the risk. I don't want to worry about this. So it's just easier if I just go. I'm not doing this to her. When she's old enough to make that decision about how she wants to be online, I want her to make that choice. That's just sort of how I came.
B
And I don't. Yeah, yeah, yeah, yeah. And I'm asking you this question. I need you to believe that. I'm asking you this question in good faith.
A
I believe, and I do believe it.
B
It just came to me, which is, do you think. You said, I don't want to worry about this. Do you think you worry about this more than I do?
A
I have absolutely no idea. I have no way of knowing that, Dave. How would I know that?
B
But you understand the point of my question is that in the actions that you're taking, you're worrying about this. I'm not worried. I'm not worrying about it.
A
I'm not worried about it either. Cause I don't put my kid online.
B
But you're worried about it. But the action of not putting your kid online means you're worrying about it. Right.
A
But it doesn't take any work for me to not post something. It's like, it's literally. I just. I'm not participating in a thing.
B
Right. Okay.
A
So I'm like, okay, but I recognize.
B
What about, like, at school? I mean, or a birthday party or stuff like that? I mean, that's. Do any of us believe that Facebook doesn't know what our kids look like?
A
At this point, I'm sure Facebook does. But I know in the social circles that I'm in, people don't post pictures. Like, when people are taking pictures of their kids, I don't even ask. They just go, I'm not posting this anywhere. I'm just keeping this for myself. Yeah, that's sort of like the way it's done.
C
So then either Apple or Google have a copy of your picture.
A
I know it's not an absolute thing. It's not an absolute thing, but it's not meta and I'm not the one posting it. And it's not public. And that, to me is enough.
B
All right, well, I respect all of that and I appreciate you.
A
I'm in the minority on this.
B
No, I appreciate you entertaining my questions in a respectful way.
A
Believe me, I've heard it from my in-laws, my family, I've heard it all. And I know I'm in the minority on this, and that's okay. But I think there's an interesting thing to be said about just being careful about what we post in general, as people. Many people use Facebook to keep in touch with their family all over the world. And that's great. And I just think it's always worth being careful about what we post, that's all.
B
Yeah, for sure. All right, well, we will have a link to that story in the show notes. Joe, Maria, it is time for our catch of the day.
C
Dave, our catch of the day comes from you. Yes, it does.
B
And much like Maria, this came to me this morning.
A
Woo hoo.
B
Sitting here doing what I love to do best, which is mind my own business and.
C
Right, minding your own business.
A
It's like they know we're recording the show.
B
Yeah, that's right.
A
Send it in.
B
Thinking to myself, oh my gosh, what are we gonna use for the catch of the day? And then, ding.
C
Ooh, I'll take this one.
B
Here we go. So this was a text message that came in on my phone and it says: Good morning, I'm Gina, a customer service representative from YouTube. Your resume has been recommended by multiple online recruitment platforms. High-paying position: YouTube optimization specialist. Flexible working hours, remote work. Daily salary between $80 and $600. No experience required. Free training provided. Monthly salary 6 to $10,000 plus daily salary and immediate payment. Long-term position, part-time or full-time options available.
C
I got the bases covered.
B
Help increase the visibility and viewership of YouTube user videos. Company benefits, four day paid probation period. After the probation period, you can sign a formal labor contract with the company. Enjoy statutory paid holidays, medical insurance and education subsidies. The longer you work, the welfare policies you will enjoy.
A
What?
B
Wow, there's the tell.
C
Right, Right.
B
For more information, please send a message to this number. And then there's a phone number.
C
Huh.
A
Sounds a little too good to be true, Dave. Hmm.
B
Yeah. Do you think.
C
I think that this is just scamming you into four days of being paid to click farm, essentially.
B
Yeah.
C
So yeah, likely they're gonna say, okay, you go out and watch these videos, we're gonna, 600 or $100 an hour. $80, right?
A
Well, yeah, I like how they included 80. It's like, okay, that's a very specific number there.
B
Daily salary. Yeah.
C
Because you're still on probation, they won't pay you until after the probationary period. But in four days we'll give you anywhere between what, $320 and whatever, 600 times four, $2,400.
B
Yeah. Yeah. So what is it worth for four days of labor of clicking on YouTube videos to boost to goose.
C
They probably make like five bucks.
B
Yeah.
C
And they get you to do that for free because you never get the money.
B
Right, right. What I love is that my resume has been recommended by multiple online recruitment platforms. Yeah, I'm out there. I am a well known YouTube visibility booster.
C
You know, there was. Can I talk about this a little bit? I might. I'm gonna go way off topic here.
B
Okay.
C
But.
A
All right.
C
There. Do you guys know who Maddox is? He has a website called the Greatest Page in the Universe.
B
No.
C
He's been on the Internet for a very long time. Then he had a podcast and he had a YouTube channel, and his webpage was pretty popular. And somebody said, hey, could you review this product on your YouTube podcast? And he's like, well, what do you, you know, we really like your content. If you ever read his content, it's not content that any business would ever want to associate with.
B
Oh, I see.
C
Right, right. It's really snarky, angry, funny. It's humor. It's humorous. Yeah. But it's. It's.
B
It's not safe for work.
C
Not safe for work. Right. Yeah.
B
Don't.
C
Don't pull it up at work.
B
Okay.
C
You look at it at home and, you know, maybe you're like, should have.
A
Said that first before.
B
You might not.
C
Yeah. Now somebody's out there.
B
Damn it, Joe.
A
So.
C
So he got this thing and he. He wrote back and said, what do you like about my work? What specifically? And they were like, oh, everything. It's great. And he's like, sure, I'll review your product. And they send him a bridal veil. And he did a video review of the bridal veil.
A
Got married, A plus.
C
Right. And he rated. He said this. He said it was very profane. And he said, this thing's a total piece of crap. I wouldn't recommend anybody buy it. And then he sent the link to the video to the person that was asking to do it, and he goes, hey, I reviewed your product. Here's the video.
B
Oh, my.
C
And they wrote back and said, thank you very much. We'll take you off of our CRM.
B
Yeah. Be careful what you ask for.
C
Right? Yeah. That video is worth it. It's a pretty good video.
B
Yeah. So needless to say, this text message went right in my spam folder, got reported as junk, and hopefully I shall not hear from them again.
C
Yeah.
B
All right.
A
Until next time.
B
That's our catch of the day. We would love to hear from you. Our email address is hackinghumans@n2k.com. We're going to take a quick break. We'll be right back. Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Hacking Humans. Visit threatlocker.com. And that is Hacking Humans, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please take a moment and check it out. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliot Peltzman and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
C
I'm Joe Kerrigan.
A
And I'm Maria Varmazes.
B
Thanks for listening.
Podcast by N2K Networks
Episode Date: August 28, 2025
Host(s): Dave Bittner (B), Joe Kerrigan (C), Maria Varmazes (A)
This episode explores the latest in social engineering, deception, and influence in the world of cybercrime. The hosts break down recent listener mail about online scams, reveal new twists in phishing and data breach tactics, and discuss the interplay between privacy, social posting, and AI. The tone is candid, playful, and insightful, making complex topics accessible for security professionals and everyday listeners alike.
(Starts ~03:43)
Eggs & Hobbies Lighthearted Interlude: The show begins with a humorous follow-up referencing an Onion article about backyard chickens, setting a friendly, relatable tone about knowing yourself and hobbies that “feed you back.”
Subscription Scam Tactics:
Discussion & Advice:
(Starts ~08:55)
Scam Mechanism Explained:
Attackers impersonate managers of a "celebrity podcast," offering business professionals $2,000 to guest star.
After praise and flattery, victims are required to do a “technical check” involving installation of remote access software under the guise of exclusive recording software.
Quote:
"Most of the dedicated podcast recording platforms ... they're all browser based now ... [the scammers] get you to install something on your machine, and then they steal ... your social media logins ... other accounts, credentials, things like that, which is kind of a twist on the classic tech support scam." —Dave Bittner [12:32].
Heightened Threat: Instead of technical novices, these attacks target high-value business leaders.
Quote:
"This is more like almost like a spear phishing attack of the tech support scam." —Joe Kerrigan [13:15].
Advice Recap:
(Starts ~15:01)
Background:
Expert Takeaways:
User Realities:
(Starts ~26:26)
Maria’s Real-World Spam Example:
Advice:
(Starts ~30:04)
Rising Trend:
Expert Perspective (Lisa Ventura):
Host Discussion—Diverse Views:
Joe: Agrees about metadata and background info (house number, school, geotags) posing bigger risks than faces.
Maria: Advocates for strong privacy; doesn't post child online, prefers old-school photo sharing, and highlights concern over AI scraping or third-party data use.
Dave: Skeptical about practical risk, noting that fear may be overblown; believes benefit of sharing outweighs unlikely threats for most.
Quote:
“Do any of us believe that Facebook doesn't know what our kids look like?” —Dave Bittner [40:41].
Nuance:
(Starts ~42:10)
Scam Details:
Insights:
Hosts Compare Notes:
Dave Bittner [12:32]:
"They get you to install something on your machine, and then they steal ... your social media logins ... other accounts, credentials, things like that, which is kind of a twist on the classic tech support scam."
Maria Varmazes [32:12]:
“The main issue isn’t the threat of peeling away the emoji. But the fact that most parents aren’t just posting one carefully emoji protected photo, they’re sharing multiple images over time. And the combined data from all those posts creates a much bigger privacy concern than any single image.”
Joe Kerrigan [20:29]:
"I think we really need to move beyond these other methods of multi-factoring. Just go with these hardware based certificate multi-factor authentications."
Dave Bittner [40:41]:
“Do any of us believe that Facebook doesn't know what our kids look like?”
| Time | Topic |
|-------|-------|
| 03:43 | Listener Follow-up on Subscription Scam |
| 08:55 | Celebrity Podcast Scams |
| 15:01 | Workday Social Engineering Breach |
| 26:26 | Smishing Attack Using "@" in URLs |
| 30:04 | Sharenting & Privacy (School Photos, Emojis, AI) |
| 42:10 | Catch of the Day: YouTube Optimization Job Scam |
The episode blends topical cyber threats with practical advice and nuanced personal stories, covering both the technical and social dimensions of modern cybercrime and online privacy. The hosts emphasize vigilance against evolving scams, advocate for privacy-by-design (both in tech and life), and encourage critical thinking—always with a dose of humor and humanity. Listeners are left with actionable guidance and a deeper appreciation of the subtle ways digital manipulation can enter our lives.