
Maria Varmazes
You're listening to the CyberWire Network, powered by N2K.
Dave Bittner
Hello, everyone, and welcome to N2K, CyberWire's hacking humans podcast, where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Kerrigan. Hi, Joe.
Joe Kerrigan
Hi, Dave.
Dave Bittner
And our N2K colleague and host of the T Minus Space Daily podcast, Maria Varmazes. Maria.
Maria Varmazes
Hi, Dave. And hi, Joe.
Dave Bittner
We've got some good stories to share this week. We'll be right back after this message from our show sponsor. And now a few thoughts from our sponsors. At ThreatLocker, the tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and ring fencing has your back. All right, before we get to our stories, Joe, I believe we have a little bit of follow up here. What do we got?
Joe Kerrigan
We do indeed. Asher wrote in to say I wanted to follow up on your recent story about Daisy, the AI grandmother designed to keep scammers busy. You were wondering about how to actually start the conversation between the scammer and the grandmother. And I have an idea. When I get a call, in addition to the answer and decline buttons, I also have a screen call button that allows the Google Assistant to answer the phone for me. It will ask the person why they're calling, and it gives me a transcript of what they say. I've used this feature before. Now, you guys are both Apple users, so you don't get to revel in this bliss, do you?
Dave Bittner
No, we have it now.
Joe Kerrigan
Okay, good.
Maria Varmazes
I never answer the phone, so I don't know how this works.
Dave Bittner
Right.
Joe Kerrigan
The feature contains extra buttons so I can have the assistant request more information from the caller and to answer the call myself if I decide to. This would be a great place to add a Daisy button so she could instead answer for me.
Dave Bittner
Yeah, if.
Joe Kerrigan
If I decide that's a scam. Phishing call.
Dave Bittner
Yeah. So this is a great idea.
Joe Kerrigan
I agree.
Dave Bittner
Before I had the system that I have built into my phone now, I was using another app. I think it was called Spambot or something like that.
Joe Kerrigan
I remember you talking about it.
Dave Bittner
Yeah. And that did this. Basically, you had the option of, if it was an unknown caller, the app would answer the phone for you. And it had all sorts of op. Like, with one, I remember is you could have Cher answer the phone for you. Wow. Cher. Kind of like how you have celebrities who can do your GPS. It was that kind of a situation. And the idea being that it was funny and it would waste their time and that sort of thing. I just had it dump them to voicemail or just not take the call. The functionality of that app has since been rolled into iOS, so I no longer have to pay the monthly fee for the app. But at the time, the app was money well spent.
Maria Varmazes
Do you use the Shortcuts app, Dave, at all? I don't know if that's native to iOS now, the thing where you used to be able to sort of set up an automation. I'm sure Google does this too. I'm wondering if it's. Maybe this is an automation somebody could set up. I don't know. I haven't. I don't do that. But I'm wondering if it's possible, because it might be.
Dave Bittner
That's an interesting idea. Yeah. I mean, you know, at this point, I have my phone set up, like probably most people do if you're not in my address book. My phone's not even ringing.
Joe Kerrigan
Right.
Maria Varmazes
Yeah, right.
Dave Bittner
Yep. So.
Maria Varmazes
Correct.
Dave Bittner
That's just the way it goes. Send me a text message. All right, well, this is good information. A good idea, I think. And we appreciate Asher writing in. All right, let's get to our stories here. Maria, you have the honors to start us off this week. What do you got for us?
Maria Varmazes
Oh, yeah, well, to use my favorite phrase from every Comic Con ever, this is less of a question and more of a comment about brushing scams.
Dave Bittner
Okay.
Maria Varmazes
Brushing scams.
Dave Bittner
All right.
Maria Varmazes
Brushing scams. So we've talked about these before. I'm sure many of our listeners are aware of brushing scams, where a package arrives at your house of an item that you did not order. And the way that these have often worked in the past is if your information gets breached on, pick a data breach. Often an unsolicited Amazon package will arrive at your house, and the item manufacturer would put a card in there saying, hey, we sent this to you as a gift. We'd love if you gave us a nice five star review. And then Amazon inevitably started cracking down on that. So those, I guess, are less common. I used to get them all the time. A new evolution of this one.
Joe Kerrigan
Got free stuff in the mail.
Maria Varmazes
Are you serious? I got drunk so much it drove me. It sounds like it should be nice, but it was always stuff I didn't want and couldn't have ever used and just became more stuff. I had to figure out how to recycle the box and where to throw up my trash and it just was a total pain. They weren't always small items either.
Dave Bittner
Yeah, yeah, it was like a 55 gallon drum of motor oil or something like that.
Maria Varmazes
Yeah, I got, I got wreaths for my door, like floral wreaths for my door once. Several of them at once. I didn't order this. What am I going to do with this? That was just one of the many weird things I got. I got lamps. I mean it's just again like this is really strange stuff. So this is all brushing scams and this was. Yeah. So the new evolution that I've been seeing and we've talked about this a little bit is when somebody gets at their door a sort of luxury item, a ring that says it's from Cartier and it looks like a diamond ring. Hint, it's not diamonds, it's glass. But a Bluetooth speaker that actually works all those kinds of things that would cost maybe a decent more than a dollar to buy if one were to buy such a thing. And there's no information on the box from who it's from. There's no information in the box about who it's from, only just a slip of paper with a QR code that says if you'd like to know who sent you this diamond ring, scan this QR code. And yeah, it's a trap. Don't do that. Do not. Do not do that. So this is not earth shattering information for our savvy listeners. My comment actually maybe is more of a question. I've been seeing this story covered in a lot of US local news. It's even now made its way to New Zealand. I've seen where the text is something like this from the police. The QR code allows the offenders to then access any and all data on your phone or device that you use. Scan the code including financial information such as your bank account login details and personal data. I've heard this shortened from local news anchors to they're going to drain your bank accounts the moment you scan this QR code. Basically almost like perceiving God. The moment that your phone camera sees the QR code, you're, you're now broke and you've been breached and which is, and some of the, the language from the police is often the same like you know, don't scan the QR code. Which is good advice. Do not scan the QR code. 
I'm just curious what actually would happen if you did, is it phishing? Right, right. Because the, the sometimes I would also see, and this is, I guess, a point of discussion here, I would see some cybersecurity experts brought on to go well, actually, and they would say basically that this is phishing. So you would have to scan the QR code and then be prompted to download malicious app or go to a phishing site. But I'm seeing things that conflict with that, that say, actually, no, it instantly sends you to a malicious URL that downloads malware. I'm not really sure. And information out there is kind of conflicting. It could be both, I don't know. But if I'm confused about what actually is at risk here and what might happen, that feels like a bad thing for communicating this in the broader public.
Joe Kerrigan
Right, right. That's a good observation.
Dave Bittner
Yeah. Well, my initial reaction is that it's not, certainly not as dangerous as those people are saying it is. I mean, a QR code takes you to a website. That's what it does. And I suspect that typically it's going to ask you to, it's going to pretend like it's taking you to log in somewhere. Right. You log into your Microsoft account, log into your Amazon account, you know, that sort of thing. And then they gather your credentials from the fake login site and then they have their way with your account. Like to me, that's the most straightforward version of this scam.
Joe Kerrigan
Yeah. In order for this to work, like they're describing here, where scanning the QR code would pwn your phone, if you will, there would have to be some kind of vulnerability in the camera app that would permit that. And based only on the information encoded in the URL or in the QR code rather.
Dave Bittner
Or the web browser.
Joe Kerrigan
Or the. Well, the, the web browser. Yeah, you're right. If you click through to the web browser, if there's some vulnerability in the URL string part of the web browser. Yeah, maybe, but that relies on there being a vulnerable. You know, you'd have to send out diamond rings to people that, you know, have this version of the camera app or the phone, so. Or, or the camera app, the phone and the web browser, something you. It doesn't seem plausible to me is what I'm saying.
Dave Bittner
That's the bottom line.
Maria Varmazes
Yeah. A lot of things have to align, which I suppose if you're sending out millions of these things, then your chances, maybe you'll get a few hits, but that just seems like a total waste of effort on behalf of the people doing these brushing scams.
Joe Kerrigan
I think it's far more likely that the link goes to a malicious app store. That. And when you click on the link, it tells you how to disable or allow third party app installs and then walks you through installing one of these malicious pieces of code. I think I'm with Dave on this one.
Dave Bittner
Yeah. Like I can. On the one hand, I understand the law enforcement people trying to put the fear of God into you. Right. Like it's kind of. It's the equivalent of, you know, I don't know, Maria, if you ever got this one, you know, if you go into a public restroom by yourself, someone's going to steal you, cut and dye your hair and sneak off with you. Did you ever hear that one?
Maria Varmazes
What? No.
Dave Bittner
This was a common one. This was a common one. I'd heard this one and my wife's mother actually used this one on her. This was a common urban myth that it was justification to not let your children go to the public restroom by themselves because it's.
Maria Varmazes
Oh, you mean for children. I thought you meant for like a grown adult. Oh, okay.
Dave Bittner
Oh, no, sorry. I guess I should have included that bit of information. Yeah.
Joe Kerrigan
Good luck kidnapping me.
Maria Varmazes
I think me personally going, wait, what?
Dave Bittner
No, no, no, sorry. No, that's on me.
Maria Varmazes
I took you extremely literally.
Dave Bittner
All right, children, children.
Joe Kerrigan
Can you imagine people trying to kidnap me? Oh, come on, help us out. No, we're going dead weight.
Maria Varmazes
See, I'm trying. Yeah.
Dave Bittner
Dye your hair.
Maria Varmazes
Somebody wants to dye my hair.
Dave Bittner
Why?
Maria Varmazes
I mean, I usually pay someone for that, but. Okay.
Dave Bittner
And of course, you know, it's the little blonde girl, right? Bas, you know, gets dragged into the. In the restroom. They cut her hair and dye it black so that people don't recognize her. Because if I brought your child out of the restroom with different colored hair, you wouldn't recognize your child. Right, right. It's an absurd urban myth, but it put fear in your child, which you.
Joe Kerrigan
Really want to instill in.
Dave Bittner
That's right. So that's all a long, drawn out, roundabout way of saying that. I can understand these folks wanting to simplify this and say QR codes equal danger. Right?
Maria Varmazes
Yeah. It's too complicated to explain to everybody, so just don't do it and let's leave it there. And I get it, we don't want people scanning these QR codes. But then there are persons like myself who go, but what happens when you do? I just want to know. And if you tell me, don't worry about it, then I really want to know.
Dave Bittner
Yeah.
Joe Kerrigan
Do I'm with you, Maria. And. And it's. Cause if I heard that, I'd be like, well, what's the mechanism behind that? That would be the first question. And of course the police officers are gonna go, you don't need to know the mechanism. No, I kind of do need to know the mechanism.
Maria Varmazes
I wanna know. Yeah. Cause I'm seeing discussions about this kind of brushing scam all over the place on my local Facebook groups in my town. And a lot of people are just kind of going. They're arguing with each other about what actually would happen if you scan this code. And nobody seems to know the answer either. And to me, that's just sort of. It diminishes the whole effort of trying to get people to believe that this actually is a scam in some cases. Because some people are just like, well, if nobody seems to know or agree on actually what's happening, then maybe you all are wrong and I'm just going to discount all this information. So I, I understand that the broader point, we do not want people scanning these QR codes. That advice is good. So one could argue it doesn't matter what's actually going to happen, because who cares? But I care. So.
Joe Kerrigan
Right. We want to know.
Dave Bittner
So going all the way back to the beginning, we talked about brushing scams. So, Maria, you said this happened to you all the time. So I'm trying to remember if someone sends you a desk lamp. Right.
Maria Varmazes
Which is one of the things I'm.
Dave Bittner
Saying out of the blue, what's the scam? What's the pathway to them winning by doing that?
Maria Varmazes
In the case of the random Amazon items, they were trying to spoof their five star ratings. People are delighted to get a gift in the mail. So the idea is that you would then go on Amazon and just say, hey, five stars for this piece of crud item that you randomly received unsolicited. Yeah. In the case of these brushing scams with these luxury items, it seems pretty clear this is. This is a phish. If that is indeed the mechanism that's happening. But no one will tell me. But that's what we're guessing is happening. But yeah.
Dave Bittner
All right, all right. Well, I'll tell you what, let's move on. My story this week is about pallet liquidation scam, which, Joe, I don't think we've covered this on the show before.
Joe Kerrigan
I have never heard of a pallet liquidation scam.
Maria Varmazes
That's a new one to me, too.
Dave Bittner
It is unusual for us to come up with something that neither of us have heard of before. This is from the folks at Malwarebytes. They're a cybersecurity company and evidently these are all over the usual social media places, the Facebooks of the world. So pallet liquidation is a legitimate business. It is evidently a multibillion dollar business. And basically the simplest way to think about this is somebody has a retail store, let's say it's a clothing store and summer turns to fall and you got to get rid of all the summer clothes that didn't sell. So you bundle them up, you put them on a pallet and you sell off that pallet for a deeply discounted bundled price. And then somebody buys that pallet and then they go through and sell the clothes individually. Right. In a discount store or maybe on eBay or something like that.
Joe Kerrigan
So I've seen videos of this where people, people are buying Amazon return pallets because when you give something to Amazon, give some back to Amazon, apparently they don't restock it, they just throw it into one of these pallets and then you can buy that for some amount.
Dave Bittner
I believe that is the case with I think the majority of stuff that goes back to Amazon and it's the same. I think you guys have probably heard stories about retailers who will shred clothing at the end of the season rather than send it back or give it to people in need, that sort of thing. So again, this is a legitimate business and it's a way that people can get rid of stuff for pennies on the dollar. So if you're on the other side of this, you could do well buying pallets full of stuff. It kind of reminds me of those TV shows where people buy storage lockers.
Joe Kerrigan
Yes, Storage Wars.
Dave Bittner
Yeah, like you don't know what's in there. Could be nothing. Could be a Corvette, I don't know. Who knows, right?
Maria Varmazes
Six pack BMWs.
Dave Bittner
Yes, right. That kind of thing. So the scam is these folks are advertising places like Facebook and typically what you'll see is an ad will come by and you'll see a pallet full of something that is highly desirable and also hard to get.
Joe Kerrigan
Spanish doubloons.
Dave Bittner
Solid gold bars.
Maria Varmazes
You had that one right there, Joe. I'm impressed.
Dave Bittner
Let's think PS5s. OK. OK. So remember when PS5s were a hot item and also difficult to get around the holidays? So imagine you're on Facebook minding your own business and an ad comes by and you see several pallets full of PS5s. I don't know how many PS5s fit on a pallet, but A lot.
Joe Kerrigan
Yeah.
Maria Varmazes
More than ones.
Dave Bittner
Right, Right. And it says, good news, you can buy this pallet full of PS5s. And these PS5s are $10 each. If you buy all of them and you think to yourself, I'm going to be rich.
Maria Varmazes
Right?
Joe Kerrigan
Right.
Dave Bittner
Because I'm going to have that.
Maria Varmazes
Throw in some doubloons and we're good.
Joe Kerrigan
That scam works right there.
Dave Bittner
Yeah. Because I'm going to have 50 PS. Not only am I, I'm going to be a hero for Christmas because my kid and all their friends are going to get PS5s, but then I'm going to sell off the rest of the PS5s and I'm going to be rich and I'm going to double, triple, quadruple my money and life will be great. So you reach out to the pallet liquidation company. You say, sign me up, I want to buy this pallet full of PS5s. They say, give me your credit card information or just as likely your crypto wallet. Right.
Joe Kerrigan
Send us some cryptocurrency.
Dave Bittner
Yeah. And you eagerly await for the pallet of PS5s to arrive and sure enough, never comes.
Joe Kerrigan
Okay, it's a scam. So it's just a never coming thing.
Dave Bittner
It's a never coming thing. It's a too good to be true thing, but it really works. Evidently, these scams are all over the place again. The usual social media places. So they have these sponsored ads on places like Facebook and then they mislead the buyers. They take them to a fraudulent website that looks legit, shows all these other people who have bought all this other stuff and made a fortune doing it. So obviously it's fake, it's a scam. This article has some red flags to look out for. First and foremost, unrealistic prices. Right. There's no reason in the world that this pallet company is going to sell you a pallet full of PS5s for $10 each.
Joe Kerrigan
They could just as easily turn around and sell them all for $100 apiece.
Dave Bittner
Exactly right. There's nothing, nothing in it for them. The whole reason that a pallet purchase works is that it is more valuable to you. They want you to take the time to split the stuff up and sell them off one by one. It's not worth their time to do it.
Joe Kerrigan
Yeah, like Amazon's never going to take a box that a customer opened, looked at and went, nope, this is wrong, and sent back. They're never going to take that box, resell it, or try to sell it at a discount. They're just going to put it in a box, a pallet box, and sell it to you, and you're gonna do something with it, cut their losses. Right.
Dave Bittner
Yeah. Other red flags. Suspicious payment methods. That says that scammers often insist on methods without buyer protection, a lack of a manifest. They will often refuse to disclose the contents of the pallet.
Joe Kerrigan
Now, I thought that's how the Amazon pallets worked.
Maria Varmazes
Yeah, I was thinking that, too.
Dave Bittner
In that case, I think it is. Yes, I think it is. Again, it's like the Storage Wars kind of thing. Of course, there's time pressure, act now, that sort of thing.
Joe Kerrigan
The artificial time horizon that you won't get from Amazon. Cause if you don't buy that pallet, somebody else will.
Dave Bittner
Right. Right. Now, this is all to say that there are legitimate pallet salespeople. It is a legitimate business. You can do this if you want to, but you just have to be vigilant. And I get the bottom line here is don't ever trust an ad you see on a social media platform to be legitimate when it comes to a pallet liquidation sale. Because that's not how they do this.
Maria Varmazes
And if this whole idea appeals to somebody, they can just buy a blind box for, you know, a dollar.
Dave Bittner
Yeah.
Maria Varmazes
As opposed to a whole pallet. You know, I think that might scratch that itch.
Dave Bittner
Yeah, yeah, yeah.
Joe Kerrigan
I don't know what a blind box is.
Maria Varmazes
Oh. It's where you just don't know what's in the box. And it's like a treat, you know, a toy of some kind.
Joe Kerrigan
Is that legal?
Dave Bittner
Yeah.
Joe Kerrigan
There's somewhere that, like, loot boxes were outlawed in some states, like, because, I don't know, maybe I'm.
Maria Varmazes
This is the thing in, like, nerd circles where you go to, like, toy stores and there's a box that says you can get one of these five things in this box. You don't know what it is until you buy it. It's that whole sense of, like, you don't. It's a gamble. Right. So to me, the whole palette thing feels like sort of that same kind of a gamble. You don't know what you're going to get. It could be something really rare or like trading cards used to have, you know, the holographic ones.
Joe Kerrigan
You know, here's the thing that makes that not appeal to me. The old phrase pig in the poke. Do you know? Are you familiar with that phrase?
Maria Varmazes
Oh, yeah. My goodness.
Joe Kerrigan
You don't know what you're getting. You know?
Dave Bittner
Yeah. For me, ever since I saw the movie Seven. What's in the box? I am. I am not interested in what's in the box. All right. We will have a link to that story in the show notes. Let's take a quick break to hear from our sponsor. We'll be right back after this. So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allowlist of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and ring fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust endpoint protection platform deploys in a learning mode that analyzes the operations of your company using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show. All right, we are back. Joe, you are up next. What do you have for us this week?
Joe Kerrigan
So this is all over the place most recently, but it. The. The FBI and now CISA. The, The Critical Infrastructure Security Agency.
Dave Bittner
Cyber Security.
Joe Kerrigan
Cyber Security Agency. Yeah, whatever. Camera. I don't remember what they are.
Dave Bittner
Right.
Joe Kerrigan
The, the people, the cyber people, the feds. The Feds. Right. They're, they're saying that people should start using end-to-end encrypted apps. And the reason is because about two months ago, the Wall Street Journal reported that hackers linked to the Chinese government have broken into a system that enabled law enforcement agencies to conduct electronic surveillance operations under the Communications Assistance for Law Enforcement Act.
Dave Bittner
Right, right. CALEA. Yeah.
Joe Kerrigan
CALEA. And my first reaction to this when I hear this is, oh, no. If someone only would have told them this is what's going to happen.
Dave Bittner
Yeah.
Joe Kerrigan
You know, this is, this is one of the, this is just manifest what every single cryptographer has always been saying about, about the crypto wars and keeping things secure. You're, you're. There are too many moving parts. If you start making people's communications insecure, somebody's going to come in and violate that security. And here we are. Here we are. We have been telling you this for literally decades. Yep, decades. Says since the crypto wars back with the V chip during the Clinton administration or not the V chip, the Clipper chip. That I can't. I'm very frustrated with this.
Maria Varmazes
We can hear it. Don't blame you.
Dave Bittner
Yeah, there's no blame at all. Completely secure back door. And here we have a case where the government partnered with the telecommunications companies to create backdoors into our telecommunications systems for the sake of law enforcement being able to do wiretaps.
Joe Kerrigan
Right. And then a foreign adversary exploited that back door and the first people they targeted were the government employees. They were focusing on people that lived in the D.C. area and looking at their text communications.
Dave Bittner
Allegedly President elect Trump got popped and Kamala Harris campaign.
Joe Kerrigan
I am 100% sure all of that happened. Absolutely.
Dave Bittner
Yeah. No, it's a big deal. This is the name of the campaign in cybersecurity circles is Salt Typhoon.
Joe Kerrigan
Salt Typhoon is the. Yeah, that's the name of the APT.
Dave Bittner
Yeah, the Chinese group that does it.
Joe Kerrigan
Right.
Dave Bittner
So when we refer to this, this is. Well we refer to this as Salt Typhoon over on the cyber wire and yeah, it is legitimately a big deal. It has the government tied in knots over this from an espionage point of view.
Joe Kerrigan
Absolutely. Yeah, absolutely. Now to be fair, there should be no communication of any information like that is remotely related. Remotely. I'm going to say controlled but I don't mean like remote controlled is controlled in the slightest way. Machine classified, not like even below classification.
Dave Bittner
Yeah, like classified class, but for layperson.
Joe Kerrigan
Right, okay.
Dave Bittner
Classified information.
Joe Kerrigan
Classified information. But there is some information that's not classified but still controlled. Right. That information cannot be sent in the clear across anything by policy. It shouldn't be sent in the clearance. So if you're communicating that kind of stuff then and you're doing it in the clear, you're violating policy. So don't do that. Remember CISA released a bulletin that said mobile communications best practice guidance and we'll put a link to this in the show notes. Now Dave, Dave, I want you to listen to the general recommendation to see if any of this sounds familiar to you. Are you ready? Number one, use an end to end encrypted communication channel. Right. Like actually iMessages between Apple users are encrypted end to end. Google Messages. Now does it end to end? They actually introduced that after. That's one of the things where Android was late to the party and Apple was a leader.
Dave Bittner
Let's see, Signal is really the post signal for this. Signal.
Joe Kerrigan
If you're going to trust somebody, trust Signal because that is run by a foundation, not by a, not by a for profit organization. They also say like WhatsApp. WhatsApp is run by a for profit organization that, you know, I'm not really fond of. It's, it's, it's run by Meta. So, you know, I mean, yeah, they're probably doing it right, but you never know with them, you just never know. And Signal I don't think has that same vulnerability. So I have Signal on my phone. I would stay away from Telegram. I just don't trust that as much as I trust Signal. Number two. Number two, Dave, enable fast identity online, phishing-resistant authentication. FIDO, right? Migrate away from short message service, SMS based MFA, which is the text message. Now I say do that if you can, right? If you can't do that, using SMS based MFA is still gonna be better than using nothing. But if you have the option to use something else, do that. And here's why. I mean this, this whole case is why. Because I mean the Chinese government is probably not going to try to hack your bank account this way because that's not what they're after. They're after different stuff, but they could. Dave, Number four, use a password manager.
Dave Bittner
Right?
Joe Kerrigan
Number five is set a telco PIN, right? So whatever your service is, whether it's AT&T or Verizon, which are the two that were targeted here, or if you use like T-Mobile or one of the third party providers that actually just resell space on those three networks, put a PIN on that account. You should always do that anyway because it really helps you prevent getting SIM swapped, which is a nightmare if it happens to you. Regularly update your software, opt for the latest version of hardware from your phone manufacturers. And number eight, which is something we have not yet said on this podcast, is do not use virtual private networks or VPNs. I'm going to take issue with this one. They say personal VPNs shift the residual risk for your Internet from your Internet service provider to your VPN provider, often increasing your attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different case, a different use case. So number one, yeah, you can't. I don't think you should just say avoid in a blanket statement. Avoid using personal VPNs. Because if I have an employer that requires me to have a VPN connection to the local area network at the office, that's a different thing. That's not using a VPN. Like you think of, like, what's TunnelBear or whatever the other ones are.
Dave Bittner
Right. The VPNs people use so they can watch net movies on Netflix from their part of the world.
Joe Kerrigan
Here's another reason I'm not sure I'm on board with this is because it shifts the risk from. They say it shifts the risk from your ISP to the VPN provider, but what if your ISP is the risk because Comcast and Verizon around here sell your browsing data. They just sell it. Right. I don't like that. So I pay for a VPN service that I use now. I pay for it. I do not use a free one.
Maria Varmazes
I will say it's not a free one, which a lot of people use. Yeah, yeah.
Joe Kerrigan
If you use a free one again, you're the product, not the. Not the. Not the customer.
Dave Bittner
Yeah.
Joe Kerrigan
This bulletin goes on to have a bunch of iPhone specific recommendations and Android specific recommendations, which I won't get into because it's a short bulletin and it's easy to understand. It's well written, it's from CISA, so everybody should go take a look in the show notes, read this bulletin, and everybody in government and law enforcement should please stop asking for backdoors. Please, please, please, please stop asking for backdoors. This is what you get when you don't listen and do what you wanted to do anyway.
Maria Varmazes
Maybe they'll listen this time, Joe. Maybe this will be the magic time that they listen.
Joe Kerrigan
Nope. Nope.
Dave Bittner
Well, I mean, it gives ammo to all the people who were saying it all along that any back door is an opportunity for the bad guys to get in. They can all now point to this and say, we told you so. Right.
Joe Kerrigan
And that's kind of what I'm doing here, Dave. Just getting a little bit of I told you so in.
Maria Varmazes
Didn't pick up on that at all.
Joe Kerrigan
You know, I'm sure that you remember the paper that was written up at... Well, it was written by a bunch of cryptographers, called Keys Under Doormats. Matt Green was one of them, when I was working at JHU.
Dave Bittner
Okay.
Joe Kerrigan
And then either Diffie or Hellman was in on it as well, and one of the guys from RSA, either the R or the A. It wasn't Adi Shamir.
Dave Bittner
That's what I remember.
Joe Kerrigan
Okay. But you know, there are a bunch of, like, big names in crypto on that. And one of the things they said is, this is the biggest risk, and bam, here we are. This is not exactly crypto related. This is backdoor into a cell phone system for surveillance purposes. Yeah, but it got exploited.
Dave Bittner
A lot of people also are kind of raising their eyebrows at what's perceived as being a 180 among law enforcement, who all along were against encryption, and now they're saying everybody...
Joe Kerrigan
...needs to use encryption. In other words, oh, man, we really screwed this up. You guys better start using encrypted apps.
Dave Bittner
Yeah.
Joe Kerrigan
Which also kind of makes me suspicious when the FBI says you guys should move your conversations to WhatsApp. Like, really? WhatsApp?
Dave Bittner
Yeah. Well, but I think the subtlety here is that in many cases, law enforcement wasn't advocating for the. The elimination of encryption. They were advocating for the elimination of encryption that they did not have the keys to break.
Joe Kerrigan
Right, right.
Dave Bittner
And here we are. Here we are. All right, we will have a link to that in the show notes. I agree with Joe. I mean, CISA does a great job. They are a really effective government organization, and they're not law enforcement.
Joe Kerrigan
So they don't have the motive of trying to catch bad guys. And I empathize with the FBI's position on this and law enforcement's position on this. I get it. I get it. If only there were some way we could get around the crypto, we could understand so much more, but you lose so much when you do that.
Dave Bittner
All right, we will have a link to that in the show notes. Joe, Maria, it is time to move on to our catch of the day.
Joe Kerrigan
Our Catch of the Day today comes from Jim. And Dave and Maria, I used to see a lot of these as a result of being on this podcast. I would get them all the time at my JHU email address. And I'm still mad about my JHU email address getting put into some network somewhere so that I just got nothing but spam. I actually had to put a whitelist on my email. Yeah. Was that you, Maria?
Maria Varmazes
That was me.
Joe Kerrigan
I hope they gave you something nice in the mail.
Maria Varmazes
It was the lamp.
Dave Bittner
It was the lamp. It was the lamp. There we go. Still.
Joe Kerrigan
But this one is a little more fishy than most. So, Dave, why don't you go. This is an opportunity to talk to somebody.
Dave Bittner
All right. It says, hi, CEO Admin. I hope this message finds you well. I've been following your work with great admiration. Our shared interest in news caught my attention. I have a professional team of experienced freelancers, and we specialize in strategies to boost businesses. If you're interested in exploring a collaboration, I'm in. Here are a few ways in which we envision: increased market reach, leveraging our respective networks for broader audience engagement; enhanced expertise, sharing insights and expertise to provide greater value to both our audiences; mutual, building a partnership that drives long-term success for both parties. I would love the opportunity to discuss our ideas further and explore how we can tailor a collaboration that aligns with the strategic objectives of both of our organizations. Thank you for considering this collaboration, and I look forward to the possibility of working together. Best regards, Robert De Niro. Didn't see that coming, did you?
Joe Kerrigan
No.
Maria Varmazes
Sounds just like Robert De Niro.
Dave Bittner
Yeah.
Joe Kerrigan
So, I mean, I don't know if this is actually a legitimate marketing email or not, but it looks like just a phishing email to me. I mean, I'm sure there's somebody out there trying to do some kind of business with this, and I used to get the one, hey, I can really promote your podcast, Joe.
Maria Varmazes
Yeah.
Dave Bittner
Oh, believe me, Maria, we get a lot of these. Oh my gosh.
Maria Varmazes
Every day.
Dave Bittner
So many. Every day there's an avalanche of, can I pay you to place an article on your website? Like, it is relentless. And that's just the ones we see, like...
Joe Kerrigan
Right. The ones that make.
Maria Varmazes
Not the ones. The ones that don't go through the spam. Yeah. There are so many.
Joe Kerrigan
Can you put an article on my website?
Dave Bittner
Yeah, no, no. Can they pay us? Basically, they want to put an article on the CyberWire website. Right. And they want to pay us to do so because they're looking for Google juice, I guess. They're looking to have links and all that old-school SEO optimization stuff. That's what they're after. Who knows? They probably want to embed some JavaScript or, I don't know. They go right in the delete file.
Joe Kerrigan
Right. So what's the term for that? It's a ring something. Like a boosting ring or something.
Dave Bittner
It used to be web rings.
Maria Varmazes
We have to say web rings. That's 1997.
Dave Bittner
Yeah.
Joe Kerrigan
Web ring was an original term, but there's this SEO thing, the same thing but in an SEO context, where they use a ring of websites, just like an old web ring, but they just reference each other, and that boosts the sites that are paying for the service in the algorithm. And it's got ring in the name. And I can't remember what it was.
Dave Bittner
Huh. Yeah, I don't remember that one. But I definitely remember webrings because I'm old.
Maria Varmazes
I also remember webrings. I guess I'm old too. They were great. Though. I loved them. They were so great.
Dave Bittner
Yeah, I miss them. Yeah. All right, that is our Catch of the Day, and of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. And of course, we want to thank this week's sponsor, ThreatLocker. Go to threatlocker.com/HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space, dot com slash HH, where you can request a demo and neutralize the threat of malware running on your devices. That is our show, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.
Joe Kerrigan
I'm Joe Kerrigan.
Maria Varmazes
And I'm Maria Varmazes.
Dave Bittner
Thanks for listening.
Podcast Summary: Hacking Humans – "The Intersection of Hackers, Scammers, and False Collaborations"
Release Date: January 2, 2025
Host/Author: N2K Networks
Duration: Approximately 40 minutes
In this episode of Hacking Humans, hosted by N2K Networks, Dave Bittner and Joe Kerrigan delve into the evolving landscape of cybercrime, focusing on the convergence of hackers, scammers, and deceptive collaborations. Joined by Maria Varmazes, the trio explores recent scams, cybersecurity threats, and expert recommendations to safeguard against malicious exploits.
Maria Varmazes opens the discussion by revisiting the concept of brushing scams, where unsolicited packages containing unwanted items are sent to individuals. Historically, these scams aimed to spoof five-star reviews on platforms like Amazon by enticing recipients to leave feedback for products they never ordered.
Key Points:
Evolution of Scams: Maria highlights a newer variant involving luxury items, such as counterfeit diamond rings from brands like Cartier, accompanied by QR codes intended to compromise personal data ([05:12]).
Public Perception and Fear: The use of QR codes in these scams has amplified public fear, with authorities warning that scanning could lead to immediate data breaches or financial losses ([08:18]).
Discussion Highlights:
Mechanism of Attack: Dave and Joe discuss the plausible methods by which QR codes could compromise devices, leaning towards phishing sites that harvest credentials rather than instant malware downloads ([09:17]).
Skepticism Over Immediate Threats: Both hosts express skepticism about the immediacy of threats posed by QR codes unless specific vulnerabilities are exploited ([09:47]).
Impact on Public Trust: Maria emphasizes the detrimental effect of mixed messages, where unclear explanations lead the public to distrust legitimate warnings ([12:07]).
Dave Bittner introduces the topic of pallet liquidation scams, citing insights from Malwarebytes. Unlike legitimate pallet liquidations—where businesses sell off unsold inventory at discounted rates—scammers exploit this model to defraud unsuspecting buyers.
Key Points:
Legitimate vs. Fraudulent Practices: While genuine pallet liquidation is a multibillion-dollar industry, scammers advertise highly desirable items (e.g., PS5s, gold bars) at unrealistically low prices to lure buyers ([14:29]).
Discussion Highlights:
Psychological Manipulation: Scammers employ urgency and the allure of high-value items to pressure victims into hasty decisions ([17:21]).
Comparison to Legitimate Practices: The hosts draw parallels between pallet liquidation scams and phenomena like "Storage Wars," where uncertainty and potential rewards drive participation ([16:22]).
Preventative Measures: Emphasizing vigilance, the hosts advise against engaging with suspicious ads and recommend thorough verification before any pallet purchases ([20:52]).
Joe Kerrigan addresses recent advisories from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) regarding the adoption of end-to-end encrypted communication channels. This discussion is prompted by a breach involving Chinese government-linked hackers exploiting backdoors in surveillance systems.
Key Points:
Incident Overview: The Wall Street Journal reported that hackers accessed systems facilitating lawful electronic surveillance, mandated by the Communications Assistance for Law Enforcement Act (CALEA), leading to unauthorized access to sensitive communications ([23:37]).
Discussion Highlights:
Encryption Backdoors: The hosts express frustration over government-mandated backdoors in encryption, which inadvertently facilitate breaches by malicious actors ([25:16]).
Trust in Communication Platforms: A consensus emerges favoring platforms like Signal for their foundation-driven, non-profit nature, reducing susceptibility to exploitation ([28:01]).
CISA's Practical Guidance: While some recommendations, like avoiding personal VPNs, sparked debate, the overarching theme emphasizes proactive security measures ([31:08]).
The episode concludes with the Catch of the Day, where the hosts analyze a suspicious email example, demonstrating common phishing tactics.
Discussion Highlights:
Identifying Red Flags: The email's lack of specificity, use of a celebrity's name, and unsolicited collaboration offer are highlighted as typical phishing indicators ([37:20]).
SEO Manipulation Tactics: The hosts discuss how scammers use web rings or link schemes to boost website SEO, drawing parallels to outdated practices with modern malicious intent ([38:19]).
Maria Varmazes wraps up the episode by encouraging listeners to remain vigilant against evolving scams and to implement the discussed cybersecurity measures. The hosts reiterate the importance of skepticism towards unsolicited communications and the adoption of robust security practices to mitigate risks posed by sophisticated cyber threats.
Final Notable Quotes:
Evolving Scams Require Updated Vigilance: As scammers innovate—using methods like unsolicited luxury items and deceptive QR codes—users must stay informed about new tactics.
Implement Robust Security Practices: Adopting end-to-end encryption, strong authentication methods, and avoiding dubious VPN services can significantly enhance personal and organizational security.
Critical Evaluation of Online Offers: Whether it's pallet liquidation or unsolicited collaboration proposals, evaluating the legitimacy of online offers is crucial to prevent falling victim to scams.
Community Awareness and Education: Clear communication and understanding of cyber threats empower individuals to recognize and respond effectively to potential scams.
For more insights and detailed discussions, listeners are encouraged to tune into the full episode of Hacking Humans by N2K Networks.