Hacking Humans

Guest Javvad Malik from KnowBe4 shares his thoughts on bad security training with the CyberWire's UK correspondent Carole Theriault, Dave's story is about deepfake technology being used for business cases, Joe's gives a synopsis of Proofpoint's most recent State of the Phish report, our very first Catch of the Day about Discord comes from a listener named Henning. Links to stories: Deepfakes Are Now Making Business Pitches Proofpoint's 2021 State of the Phish Report Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A collection of people, process, and technology that provides an organization the ability to detect and respond to cyber attacks.

Guest Brandon Hoffman from Intel 471 joins Dave to talk about how cybercriminals are going after large retail and hospitality companies, Joe shares some advice for college students to avoid scams and ID theft, Dave got an edit to the tale of the lightning rod, our Catch of the Day comes from listener Shannon who received a beneficiary scam email. Links to stories: BBB Scam Alert: 6 Scams for College Students to Avoid BBB Tip: 9 Tips for college students to avoid ID theft Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

Cybercriminals who lack the expertise to write their own programs use existing scripts, code, or tools authored by other more skilled hackers.

Guest Jann Yogman, entertainment industry veteran and writer of Mimecast Awareness Training, joins Dave to share his thoughts on the ransomware epidemic and the cybersecurity awareness training problem, Joe's got a story about scams targeting families eligible for the IRS' child tax credit, Dave's story is about scams and fraud experienced by US military veterans, personnel, and their families, our Catch of the Day comes from listener Sawyer Dicky on Reddit who insists he's not the right guy. Links to stories: IRS warns of child tax credit scams US military personnel lost over $822 million to scams since 2017 Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

An isolated and controlled set of resources that mimics real world environments and used to safely execute suspicious code without infecting or causing damage to the host machine, operating system, or network.

Guest Andrew Rubin, CEO and co-founder of Illumio, joins Dave to discuss Zero Trust, Dave and Joe share some follow-up from several listeners including one with a variation on prison pen pals we discussed some time ago and some advice on Dave's Google Authenticator issue he mentioned last week, Dave's story is about non-delivery scams, Joe's got a story on Imperial Kitten doing some catphishing, and our Catch of the Day comes from listener Timothy about with a sextortion campaign. Links to stories: 5 reasons non-delivery scams work I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A stack of security software solutions and tools that allow organizations to orchestrate disparate internal and external tools which feed pre-built automation playbooks that respond to events or alert analysts if an event meets a certain threshold.

Guest Darren Shou, Chief Technology Officer of NortonLifeLock, shares insight on some of the scams he and his colleagues have been tracking, Joe and Dave share some follow up from listener Robert about free learning resources, Joe's story comes from listener Sedric who is new to real estate Investing and was looking for a hard money loan, rather than a story, Dave continues the conversation on passwords and multi-factor authentication with comments from listener Coinsigliere, and our Catch of the Day, well "catches" of the day since we have two, include one from Pryce on a smishing scam and the second from Ronald with a subscription email scam.. Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A term of legal art that defines the types of data and circumstances that permits a third party to directly or indirectly identify an individual with collected data.

Guest Dr. Charles Chaffin, author of the book "Numb: How the Information Age Dulls Our Senses and How We Can Get them Back," joins Dave this week, we have some listener follow up from John with a tip on ATM security, Dave's got a two-fer this week including a useful site called www.shouldiclick.org and a Twitter report on multi-factor authentication thanks Rachel Tobac for calling our attention to it, Joe's story is from Microsoft on trends in tech support scams, and our Catch of the Day is from a listener on Twitter called @DoNoEvilMan about a payout from the Federal Reserve via the FBI. Links to stories: Should I click or not? Twitter Account Security report Tech support scams adapt and persist in 2021, per new Microsoft research Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A security architecture that incorporates the cloud shared responsibility model, a vendor provided security stack, an SD-WAN abstraction layer, and network peering with one or more of the big content providers and their associated fiber networks.

Guest Gil Friedrich from Avanan joins Dave to talk about how bad actors are infiltrating organizations using collaboration apps, we have two pieces of listener follow up from Michael and Tobias, Joe has a story about fake information, Dave's story is about message spam on LinkedIn, and our Catch of the Day is from a listener named Lucio with a questionable Reddit communication. Links to stories: Propaganda as a Social Engineering Tool Annoying LinkedIn Networkers Actually Russian Hackers Spreading Zero-Days, Google Says Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The practice of emulating known adversary behavior against an organization's actual defensive posture.

Guest Kurtis Minder from GroupSense joins Dave to discuss divergent ransomware trends, the guys have a listener reminder about it being CompTIA, Joe, Dave has a story about a coupon scam in the Houston area, Joe's story is about a real estate rental scam and a scammer who likes to talk about his work, and our Catch of the Day is from a listener named Craig with an email about an unprofessional colleague and a questionable attachment. Links to stories: A ‘dark-side coupon group’ scammed stores out of millions, police say. ‘They were just going through the ink.’ Housing scams abundant in Jackson. This scammer is proud of it Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A layer seven security orchestration platform deployed at the boundary between internal workloads slash data storage and untrusted sources that blocks incoming and outgoing network traffic with rules that tie applications to the authenticated user and provides most of the traditional security stack functions in one device or software application.

Have you ever noticed how fundamental deception is to the human condition? Deception and forms of social engineering have been with us since the beginning of recorded history. And yet, it seems like we are just as vulnerable to it as ever. But now the stakes are higher because technology allows social engineers to deceive at scale. This episode explores the psychology of deception, provides a foundation for understanding social engineering, offers a few mental models for exploration and exploitation, and discusses how we can prepare our mental defenses. Guests: Rachael Tobac: (LinkedIn), CEO of SocialProof Security Chris Hadnagy: (LinkedIn); CEO of Social Engineer, LLC; Founder of Innocent Lives Foundation; Founder of Social-Engineer.org Lisa Forte: (LinkedIn); Partner at Red Goat Cyber Security; Co-Founder Cyber Volunteers 19 George Finney: (LinkedIn); Chief Security Officer at Southern Methodist University; Founder of Well Aware Security Notes & Resources: CSO Online article on Social Engineering OODA Loop Understanding Framing Effects More examples of Framing Effects Harvard Business Review article on the Principles of Persuasion A blog series I did on Deception (Part 1), (Part 2). PsychologyToday article on Social Engineering Recommended Books (Amazon affiliate links): The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick Ghost in the Wires: My Adventures as the World's Most Wanted Hacker by Kevin Mitnick Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You by Chris Hadnagy Influence, New and Expanded: The Psychology of Persuasion by Robert Cialdini Pre-Suasion: A Revolutionary Way to Influence and Persuade by Robert Cialdini Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray Social Engineering: The Science of Human Hacking by Chris Hadnagy Thinking, Fast and Slow by Daniel Kahneman. Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors by Perry Carpenter Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future by George Finney Music and Sound Effects by Blue Dot Sessions & Storyblocks. Artwork by Chris Machowski.

Guest Joe Payne of Code 42 joins Dave to discuss insider risks Joe has a story about Frank Abagnale who's conned everyone one way or another, Dave's story is about a real estate scam conning a single mother of her life savings, and our Catch of the Day is from listener Michael with an "Extremely Urgent Attention Required" email. Links to stories: Confessions of a Famous Fraudster: How and Why Social Engineering Scams Work Real estate scam robs Florida mom of $63K in life savings Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A network designed to obfuscate the location of a cyber adversary's command and control server by manipulating the domain name system, or DNS, in a way that rotates the associated IP address among large numbers of compromised hosts in a botnet.

The CyberWire's UK correspondent Carole Theriault returns to share an interview with Geoff White, reporter from the BBC and co-host of the Lazarus Heist podcast, Joe has some listener follow-up from Mike looking for advice on certifications for getting into cybersecurity, Dave's story is from Brian Krebs about catching an ATM shimmer gang, Joe's got a piece from MalwareBytes Labs about phishing for Bitcoin recovery codes, and our Catch of the Day is from listener Rohit with a pretty genuine-looking snail mail scam. Links to stories: How Cyber Sleuths Cracked an ATM Shimmer Gang Bitcoin scammers phish for wallet recovery codes on Twitter Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The process of converting plain text into an unrecognizable form or secret code to hide its true meaning.

Guest Matthew Gracey-McMinn joins us from Netacea to speak with Dave about security issues with streaming services, Joe shares some follow-up from listener Jason about a bracelet sale mentioned a few episodes ago, Joe's story is from UMBC about AI-generated fake news reports, Dave's got a story about a replacement scam for a hardware wallet used for storing cryptocurrency, and our Catch of the Day comes from a listener called R about a vishing scam for DirectTV. Links to stories: Study shows AI-generated fake reports fool experts Criminals are mailing altered Ledger devices to steal cryptocurrency Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

Software or hardware that records the computer keys pressed by a user.

Guest Mantas Sasnauskas from CyberNews joins Dave to talk about how he and his colleagues applied for a job with a ransomware gang, Joe and Dave reply to a listener named Christopher about certifications, Dave's story is about credential stuffing with payroll companies for $800,000,Joe shares a story about lewd phishing lures sent to people's email accounts, and our Catch of the Day is from from a listener named Stof who says, he “received this call just now, never heard one this convincing, nearly got me too!" Links to stories: How to hack into 5500 accounts… just using “credential stuffing” Lewd Phishing Lures Aimed at Business Explode Million-dollar deposits and friends in high places: how we applied for a job with a ransomware gang Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

Digital assets that are cryptographically protected on a blockchain and contain unique identification codes and metadata that makes them one of a kind.

Guest Robert Capps of NuData Security joins Dave to discuss what businesses can do to bolster their protection against tax fraud, Joe and Dave have some follow-up from 2 episodes ago when they discussed a BazarLoader scam: Wired has a recent article with a twist about a totally fake streaming site called BravoMovies, Joe shares a story from a listener Jason about a friend of his who was targeted by a scammer on Facebook Marketplace, Dave's story is about scammers demanding ransom from families who report missing persons on social media, and our Catch of the Day is from Reddit on a Tron cryptocurrency scam. Links to stories: The Bizarro Streaming Site That Hackers Built From Scratch Scammers Target Families Who Post Missing Persons on Social Media COTD post on Reddit: Crypto scammer doesn't understand compound interest and gives me a rate that would give me all of the crypto after 9 hours. Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The use of two or more verification methods to gain access to an account.

Guests Jan Kallberg and Col Stephen Hamilton of Army Cyber Institute at West Point join Dave to talk about cognitive force protection, Joe and Dave have some follow-up from a listener named Obada about Apple only allowing 2FA through SMS, Dave shares a story about Google's plan to require MFA for all users, Joe's story is about a couple who had their Fidelity retirement account defrauded to the tune of $40,000, and our Catch of the Day is from a listener named Doal about becoming named the beneficiary of a similarly-named deceased person. Links to stories: Google to make multi-factor authentication its default mode ‘Sleeping Giant:' Thieves Target Retirement Accounts How to protect troops from an assault in the cognitive domain Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A programming technique where the developer doesn't specify each step of the algorithm in code, but instead teaches the algorithm to learn from the experience.

Guest Tim Sadler from Tessian on how oversharing on social media and in OOO messages can open the door for hackers, Joe shares a story about vishing emails from "Amazon" that had spam confidence levels of 1, Dave's story is about an elaborate BazarLoader campaign counting on a lot of human interaction, and our Catch of the Day is from a listener named Scott about a phishing fax, that's right, we said fax. Links to stories: Hello, Is It Me You’re Phishing For: Amazon Vishing Attacks BazarCall Method: Call Centers Help Spread BazarLoader Malware Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

The process of turning raw information into intelligence products that leaders use to make decisions with.

Guest Kev Breen from Immersive Labs joins Dave to talk about how to address whaling attacks, Dave shares a discussion he had with. a colleague about password managers and elderly parents and Joe weighs in, Dave's story is about a smishing Trojan impersonating a Chrome app, Joe has a story about URL redirection making more effective phishing attacks, and our Catch of the Day is from a listener named Vaughn about a snail mail fraud scheme that references a website. Links to stories: Beware of this smishing trojan impersonating the Chrome app Exploiting common URL redirection methods to create effective phishing attacks Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

Coming May 25, 2021. Get ready for a deep dive into what cybersecurity professionals often refer to as the "8th Layer" of security: HUMANS. This podcast is a multidisciplinary exploration into how the complexities of human nature affect security, risk, and life. Author, security researcher, and behavior science enthusiast Perry Carpenter taps experts for their insights and illumination. Topics include cybersecurity, psychology, behavior science, communication, leadership, and more.

A cloud-based software distribution method where app infrastructure, performance, and security are maintained by a service provider and accessible to users, typically via subscription, from any device connected to the internet.

Guest Helen Lee Bouygues of the Reboot Foundation joins Dave to talk about social media’s effect within the misinformation ecosystem and how users can best fight fake news, Dave and Joe share some follow-up from listener Jonathan on two-factor authentication, Joe's story is about an employee in Scotland sued for making payments based on phishing emails, Dave has a story about fake order confirmation phishing messages prompting us to call rather than click, our Catch of the Day comes from a listener named Wyatt who received a phishing email from some fellow jackpot winners. Links to stories: Why You Should Use a Physical Key to Sign Into Your Accounts Publishing company defrauded of over £193,000 fail to appeal decision that ex-employee was not liable for damages Company sues worker who fell for email scam BazarBackdoor phishing campaign eschews links and files to avoid raising red flags Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A process of converting encrypted data into something that a human or computer can understand.

Our UK correspondent Carole Theriault returns to share her interview with Julie Smith from the Security Alliance and Kelvin Coleman from National Cyber Security Alliance about Identity Management Day, Dave's story is about how Pixar uses colors to hack our moods and minds to see colors we've never seen before, Joe has a story about ways malicious actors can break into accounts with multi-factor authentication enabled, our Catch of the Day comes from a listener named Brett who works in a PC repair shop and "HackerDont'comebacker" software. Links to stories: How Pixar Uses Hyper-Colors to Hack Your Brain How Social Engineering Tactics Can Crack Multi-factor Authentication Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A cryptographic hack that relies on guessing all possible letter combinations of a targeted password until the correct codeword is discovered.

Guest Stacey Nash, Head of Fraud and Central Operations at USAA, joins Dave to discuss romance or sweetheart scams, Joe and Dave share some listener follow-up, Joe's got a story about emails sent to British awards organizers asking them to transfer prize money to a PayPal account, Dave's story is about a Rolling Stones tribute band targeted in a bogus check racket, and our Catch of the Day comes from a listener named Konstantin about a fake tax refund. Links to stories: $40,000 Swindle Puts Spotlight on Literary Prize Scams Scammers can’t get no satisfaction Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A cyber attack designed to impair or eliminate access to online services or data.

Guest Margaret Cunningham from Forcepoint talks with Dave about cognitive biases that lead to reasoning errors in cybersecurity, Joe shares some follow-up from a listener named Alex about the Alexa phone call Joe mentioned a few episodes back, Dave shares a note from listener Brandon about finding similar DNS names (check out https://dnstwister.report/), Dave's story is about dark patterns to get you to do something on a website, Joe shares a story phishing emails and defenses against them, and our Catch of the Day comes from a listener named Big Mike about an old time radio podcast he heard recently with great examples of social engineering. Links to stories: Dark patterns, the tricks websites use to make you say yes, explained Why do phishing attacks work? Blame the humans, not the technology Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

A type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer’s Random Access Memory or RAM during the reboot process in order to steal sensitive data.

Guest Herb Stapleton, the FBI’s cyber division sector chief, joins Dave to talk about the FBI's Internet Crime Complaint Center (IC3) annual report and its findings, Joe's story is about an ongoing IRS impersonation scam targeting educational organizations, Dave shares a story from the BBC about people using their pets names as passwords (tell us that hasn't crossed your mind or your keyboard before), and our Catch of the Day comes from the Land Down Under via Gareth and Kingsley. COTD note: Just to be clear their jurisdiction is a single party consent jurisdiction. Links to stories: IRS warns university students and staff of impersonation email scam Pets' names used as passwords by millions, study finds Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

On-demand pay-as-you-go Internet delivered compute, storage, infrastructure, and security services that are partially managed by the cloud provider and partially managed by the customer.

Guest Peter Warmka, founder of the Counterintelligence Institute, joins Dave to talk about how insider targets are chosen and assessed, Joe shares a weird phone call he received, Dave's story from a Twitter use named Jake on flower shop scams, Joe has a story about student loan forgiveness scams, and our Catch of the Day comes from a listener named Andrew about a pricey software subscription renewal scam. Links to stories: Twitter thread with flower shop scams from Australia 3 Ways to Spot Student Loan Scams Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

An acronym for Advanced Persistent Threat to describe hacker groups or campaigns normally, but not always, associated with nation state cyber espionage and continuous low-level cyber conflict operations.

Guest Fleming Shi of Barracuda joins Dave to talk about about travel-related phishing attacks now that vaccines are more readily available, Dave and Joe share listener advice about preventative email blocking, Joe shares a story about romance scams by someone that includes fake W2s and other documents in the process, Dave's got a story about a phone scammer posing as McDonald's CEO, and our Catch of the Day is from a listener named Tarik with an email about his reported death. Tarik awards this email the Unlikely Phishing Hook of the Year Award presented by the Institute of Questionable Intentions. Links to stories: Irvine man accused of $1 million romance scam Phone scammer pretending to be McDonald's CEO nearly cons Pennsylvania restaurant out of thousands: report Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

An undocumented or publicly unknown method to access a computer system undetected or to break a cypher used to encode messages.

Guest Ming Yang of Orchard joins Dave to talk about ways to help your parents with technology (aka providing tech support for our parents). Dave shares the FBI's advisory warning of an expected increase in the use of deepfakes for social engineering attacks, Joe's got a story about phantom debts, and our Catch of the Day is from a listener named Anthony about an email from [email protected]. Hmmm...seems legit. Links to stories: Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations Beware Scammers Trying to Collect Phantom Debts Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.

From the intrusion kill chain model, a technique where the hacker compromises sites commonly visited by members of a targeted community in order to deliver a malicious payload to the intended victim.