Hacking Humans

534 episodes - English - Latest episode: 9 days ago - ★★★★★ - 276 ratings

Deception, influence, and social engineering in the world of cyber crime.


Episodes

Could AI's doomsday be deferred?

April 11, 2024 05:00 - 54 minutes

Dr. Robert Blumofe, CTO at Akamai, sits down to talk about the AI doomsday versus a "very bad day" scenario. Dave shares a story from The Knowledge Project Podcast, where the host talks to Adam Robinson, a multifaceted individual known for his work as an author, educator, entrepreneur, and hedge fund advisor, and he talks about what is all incorporated into the term "stupidity." Dave goes on to share that while most people may feel stupid when falling for a scam, this research suggests otherw...

Encore: deep packet inspection (DPI) (noun) [Word Notes]

April 09, 2024 07:00 - 5 minutes

A network monitoring and filtering technique that examines both the header information and the payload of every packet traversing a network access point.

Cyber crime chronicles featuring scams, spies, and cartel schemes.

April 04, 2024 05:00 - 46 minutes

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. Maria shares an interesting story about Apple users reporting that they are being targeted in elaborate phishing attacks that involve a bug in Apple’s password reset feature. Joe and Dave share some listener follow up from Leo, who shares some thoughts on episode 282 and the recruiter scam that was discussed. Dave shares a story from Mexico on one of the most violent criminal groups and drug cartels, Jalisc...

Encore: rootkit (noun) [Word Notes]

April 02, 2024 07:00 - 6 minutes

A clandestine set of applications designed to give hackers access and control over a target device.

Exploring emerging trends in online scamming.

March 28, 2024 05:00 - 1 hour

Graham Cluley joins to discuss trends he’s been seeing lately in online scams. N2K's very own Gina Johnson shares some insights on a discussion a few episodes ago on why people need a prescription for oxygen in the US. Joe brings up the topic of getting and exploiting access to your infrastructure, and shares an article that deals with the rise of social engineering fraud in business email compromise. Dave shares a personal story this week, on how he got scammed from a Facebook post, sharing t...

Encore: tactics, techniques and procedures (TTPs) (noun) [Word Notes]

March 26, 2024 07:00 - 6 minutes

A set of behaviors that precisely describes a cyber adversary attack campaign.

Job seeker beware: Spotting sneaky scammers on job boards.

March 21, 2024 05:00 - 44 minutes

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. She shares the story on scammers posing as recruiters on LinkedIn to get you to fall for an age old phishing scam. Dave and Joe share some listener follow up, the first being from listener Alex who shared a video on scammers being forced to prove they are not robots. Listener Chloe wrote in with a question, asking about a potential scam she encountered. Joe has a story from the BBC this week regarding a love...

Encore: cyber threat intelligence (CTI) (noun) [Word Notes]

March 19, 2024 07:00 - 6 minutes

Information used by leadership to make decisions regarding the cybersecurity posture of their organization.

Cyberattack chaos and the impact on families.

March 14, 2024 05:00 - 53 minutes

This week we are joined by N2K CyberWire's very own Catherine Murphy, and she is sharing her family's experiences with Lurie Children's Hospital's recent cybersecurity incident. Dave shares a story on the dangers of Googling airline customer service numbers when an issue occurs. Joe shares another story on scary scams that are costing people millions of dollars, now getting the FBI involved. Our catch of the day comes from Washington University in St. Louis and their Scam of the Mont...

Encore: identity theft (noun) [Word Notes]

March 12, 2024 07:00 - 4 minutes

In this case, identity is the set of credentials, usually electronic, that vouch for who you are, and theft is to steal. The theft of a person's identity for purposes of fraud.

New tools, old problems.

March 07, 2024 06:00 - 49 minutes

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. She discusses how AI is being used as a possible solution to one of the oldest scams in the book in Japan. Dave and Joe share some listener follow up, one from listener Alan and one from Clinton, who both write in about a recent episode and they share their thoughts on the story of Charlotte Cowles being scammed out of $50,000. Dave shares a story about calendar meeting links, from Calendly, a popular applic...

Encore: Monte Carlo Simulation (noun) [Word Notes]

March 05, 2024 08:00 - 6 minutes

A probability simulation technique used to understand the impact of risk and uncertainty in complex problems.
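As an added example (not from the podcast or the CyberWire glossary), here is the technique applied to a cyber risk question: what does a year of phishing-driven incidents cost? The inputs are assumptions chosen for illustration, an incident rate of 2 per year (Poisson) and a per-incident cost with a median of $50,000 (lognormal). Instead of multiplying two point estimates, the simulation draws thousands of plausible years and reports the distribution, which is what a risk decision actually needs.

```python
"""Monte Carlo estimate of annual loss from a recurring incident type.

Added example; the rate, median loss and sigma below are assumptions
chosen for illustration, not figures from the podcast.
"""
import math
import random
import statistics


def poisson(lam, rng):
    """Knuth's method; fine for the small rates used in risk models."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_loss(rate_per_year, median_loss, sigma, trials=20_000, seed=1):
    """Return a sorted list of simulated annual loss totals (one per trial)."""
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    mu = math.log(median_loss)         # lognormal parameter that sets the median
    losses = []
    for _ in range(trials):
        events = poisson(rate_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(losses)


def summarize(losses):
    """Expected annual loss plus tail percentiles from the simulated years."""
    n = len(losses)

    def pct(p):
        return losses[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(losses),
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
        "prob_over_250k": sum(1 for x in losses if x > 250_000) / n,
    }


def analytic_mean(rate_per_year, median_loss, sigma):
    """E[N] * E[L] for a Poisson count and lognormal severity (sanity check)."""
    return rate_per_year * median_loss * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    losses = simulate_annual_loss(2.0, 50_000, 1.0)
    s = summarize(losses)
    print(f"expected annual loss ~ ${s['mean']:,.0f} "
          f"(analytic ${analytic_mean(2.0, 50_000, 1.0):,.0f})")
    print(f"median ${s['p50']:,.0f}, 95th pct ${s['p95']:,.0f}, 99th pct ${s['p99']:,.0f}")
    print(f"P(loss > $250k) = {s['prob_over_250k']:.1%}")
```

The gap between the median and the 95th or 99th percentile is the point of the exercise: a single "expected loss" number hides the tail that actually breaks a budget, and the simulated mean can be checked against the closed-form E[N] * E[L] to catch a modelling mistake.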

Navigating the post-password landscape.

February 29, 2024 06:00 - 45 minutes

Mike Kosak, Principal Intelligence Analyst at LastPass, is discussing passkeys, threat actors, and Volt Typhoon. Joe shares a new free certification you could get if you are looking to get into the field. Joe also shares a terrifying story about how everyone can be conned, and it's not as obvious as it may seem sometimes. Dave's story is warning Costco members of a new phishing scam that attempts to steal their credit card information. Our catch of the day comes from listener Pryce who shares...

Encore: Virtual Private Network (VPN) (noun) [Word Notes]

February 27, 2024 08:00 - 6 minutes

A software, hardware or hybrid encryption layer between two devices on the network that makes the traffic between the sites opaque to the other devices on the same network.

Scamming the innocent.

February 22, 2024 06:00 - 47 minutes

This week we are joined by Maria Varmazis, host of the N2K daily space show, T-Minus. She brings us a scary story from a woman who never thought she'd ever be scammed. Dave and Joe share some follow up before getting into their stories; they share a story from a listener who sent in a LinkedIn link about scammers targeting Walmart. They also share a question from listener Cynthia, who asks about a bank scam covered before, and how to respond to these scams. Dave shares a story from an anonymou...

Looking forward in 2024.

February 15, 2024 06:00 - 42 minutes

Aaron Walton, Threat Intel Analyst from Expel is discussing some things to look out for in 2024. Joe and Dave share some listener follow up from Mateusz, who shares some positive news with us. Dave's story is about a romance scammer coming clean after failing to woo CBS News reporter, Erica Johnson. Joe's story is on the latest decision from the FCC, and how they voted to ban scam robocalls that use AI-generated voices. Our catch of the day comes from listener Chuck, just in time for tax seas...

Scamming just isn't what it used to be.

February 08, 2024 06:00 - 47 minutes

This week, we are joined by the host of N2K's T-Minus Space Daily podcast, Maria Varmazis. She sits down with Joe and Dave to discuss sextortion materials that were found on popular social media apps such as TikTok, Instagram, Snapchat and YouTube. Joe and Dave share quite a bit of follow up. Joe starts with an anonymous listener writing in sharing their story on gift card scams. Dave shares another anonymous listener's comments, sharing what they think of Andy Cohen going public on how he g...

Encore: Network Time Protocol (NTP) attack (noun) [Word Notes]

February 06, 2024 08:10 - 6 minutes

A reflection or amplification distributed denial-of-service attack in which hackers query Internet Network Time Protocol servers, NTP servers for short, for the correct time but forge the source address of each request as the target victim's, so that the servers' much larger replies are delivered to the victim rather than to the attacker.
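Because the victim never sends the forged requests, the attack is visible from the victim's side as unsolicited, amplified UDP/123 traffic converging from many servers. The following detection logic is an added example (not from the podcast or the glossary) run over hand-constructed NetFlow-style records; the thresholds are assumptions a practitioner would tune for their own network.

```python
"""Spotting NTP reflection/amplification in flow records.

Added example. The flow records are constructed to look like NetFlow
summaries: one normal time sync, then replies from four NTP servers all
landing on 203.0.113.10, a host that never sent a request.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
AMPLIFICATION_THRESHOLD = 10.0   # bytes received per byte sent (assumption)
MIN_REFLECTORS = 3               # distinct NTP servers hitting one host (assumption)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.1", "udp", 52000, 123, 1, 76),     # normal request
    Flow("192.0.2.1", "198.51.100.7", "udp", 123, 52000, 1, 76),     # normal reply
    Flow("192.0.2.2", "203.0.113.10", "udp", 123, 123, 40, 19200),   # unsolicited replies
    Flow("192.0.2.3", "203.0.113.10", "udp", 123, 123, 35, 16800),
    Flow("192.0.2.4", "203.0.113.10", "udp", 123, 123, 50, 24000),
    Flow("192.0.2.5", "203.0.113.10", "udp", 123, 123, 42, 20160),
]


def ntp_reflection_targets(flows, threshold=AMPLIFICATION_THRESHOLD,
                           min_reflectors=MIN_REFLECTORS):
    """Return {victim_ip: report} for hosts receiving amplified NTP replies.

    A host is flagged when several distinct servers send it traffic from
    UDP/123 and the bytes it receives dwarf the bytes it sent to UDP/123
    (or it sent nothing at all, which is what spoofing looks like from
    inside the victim's network).
    """
    sent = defaultdict(int)        # bytes each host sent TO udp/123
    recv = defaultdict(int)        # bytes each host received FROM udp/123
    reflectors = defaultdict(set)  # servers replying to each host
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == NTP_PORT:
            sent[f.src] += f.nbytes
        if f.sport == NTP_PORT:
            recv[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)

    report = {}
    for host, inbound in recv.items():
        outbound = sent.get(host, 0)
        ratio = float("inf") if outbound == 0 else inbound / outbound
        if len(reflectors[host]) >= min_reflectors and ratio >= threshold:
            report[host] = {
                "inbound_bytes": inbound,
                "outbound_bytes": outbound,
                "reflectors": sorted(reflectors[host]),
                "ratio": ratio,
            }
    return report


if __name__ == "__main__":
    for victim, info in ntp_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['inbound_bytes']} B from "
              f"{len(info['reflectors'])} NTP servers, "
              f"{info['outbound_bytes']} B requested")
```

The legitimate client in the sample sends and receives the same 76 bytes from one server and is not flagged; the victim receives 80,160 bytes from four servers it never contacted. The same request/response byte-ratio logic applies to other reflection vectors (DNS, SSDP, memcached) by changing the port.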

Quiz scam nightmare.

February 01, 2024 06:00 - 47 minutes

Jaeson Schultz, Technical Leader from Cisco Talos, is discussing "Spammers abuse Google Forms’ quiz to deliver scams." Dave's story discusses the disturbing new trick up a scammer's sleeve to get you to fall for their schemes. Joe has two stories this week, the first a warning to those who pick up scammers' phone calls and what that can lead to after they gain access to your voice. Joe's second story follows a band of organized thieves and how they have been targeting high-end homes across Metr...

Encore: smishing (SMS phishing) (noun) [Word Notes]

January 30, 2024 08:10 - 4 minutes

From the intrusion kill-chain model, the delivery of a “lure” via a text message to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. Smishing is a portmanteau word made of two other words, the acronym “SMS” and the cyber coinage “Phishing“. It’s a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. The term “Smishing” arose in the late 2000s. 

Phishing for mail.

January 25, 2024 06:00 - 52 minutes

Abhilash Garimella from Bolster joins to discuss a USPS phishing campaign abusing freemium dynamic DNS and SaaS providers. Dave and Joe share some follow up: one was from listener Mike, who wrote in to tell us about a breach at Resend; another was regarding a previous episode on grief and the internet; and finally Joe and Dave discuss a listener's response to a previous episode regarding an SMS scam a listener wrote in about. Dave shares a story on Walmart's relaxed security methods and how scam...

Encore: port mirroring (noun) [Word Notes]

January 23, 2024 08:10 - 4 minutes

A network switch configuration setting that forwards a copy of each incoming and outgoing packet to a third switch port. Also known as SPAN or Switched Port Analyzer, RAP or Roving Analysis Port, and TAP or Test Access Point. When network managers and security investigators want to capture packets for analysis, they need some sort of generic TAP or Test Access Point. You can buy specialized equipment for this operation but most modern switches have this capability built in. 

It's the intricate deceptions that get you.

January 18, 2024 06:00 - 38 minutes

This week we are joined by the host of T-Minus, N2K's very own Maria Varmazis, who brings her own story and discusses it with Dave and Joe. We start off with Joe, who brings in the story of Andy Cohen and how he fell victim to a credit card scam, and shares what he learned through the experience. Maria shares Arctic Wolf Labs' story and how they have investigated several cases of Royal and Akira ransomware victims being targeted in follow-on extortion attacks dating back to October of 2023. Last...

Encore: Network Detection and Response (NDR) (noun) [Word Notes]

January 16, 2024 08:10 - 6 minutes

NDR tools provide anomaly detection and potential attack prevention by collecting telemetry across the entire intrusion kill chain on transactions across the network, between servers, hosts, and cloud-workloads, and running machine learning algorithms against this compiled and very large data set. NDR is an extension of the EDR, or endpoint detection and response idea that emerged in 2013. 

Password Perils: The threat of credential stuffing exploits.

January 11, 2024 06:00 - 1 hour

Frank Riccardi sits down to discuss how cybercriminals exploit people’s fondness for reused passwords to launch credential stuffing attacks. Dave and Joe share a bit of follow up, one from a listener named Steve, who shares some push back on the 23andMe story from last week, and the other from a listener named Michael, who shares a story of unpaid toll scams. Joe shares the story of a Utah exchange student and how he fell victim to a so-called cyber kidnapping, and now authorities are trying to...

Encore: shadow IT (noun) [Word Notes]

January 09, 2024 08:10 - 4 minutes

Technology, software and hardware deployed without explicit organizational approval. In the early days of the computer era, from the 1980s through the 2000s, security and information-system practitioners considered shadow IT as completely negative. Those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations that were already swimming in it with the known and authorized systems.

The DNA dilemma: Unraveling a 23AndMe breach.

January 04, 2024 06:00 - 49 minutes

Alethe Denis from Bishop Fox is talking with Dave and Joe with her take on the 23AndMe breach. Dave and Joe share some follow up from listener Michael, who writes in to share thoughts on our catch of the day from last episode, regarding the voice mail from Spectrum. Dave shares a story on email security, and how human factors have a heavy influence on it, especially with people's vulnerability to phishing and social engineering. Joe has two stories this week, his first story is a good wrap on...

Stolen personality?

December 28, 2023 06:00 - 45 minutes

Matt Lewis from the NCC Group joins to discuss how cybercriminals can decode your personality through AI conversations to launch targeted attacks at you. Dave and Joe share some follow up from listener Sydney, who writes in to share her thoughts on an FCC proceeding and how it could be of greater relevance to IoT security than SBOMs and HBOMs. Dave also shares a story from a listener from last Christmas, sending a warning to holiday shoppers. Dave has two stories this week, he shares one rega...

The grinch who hacked Christmas. [Hacking humans goes to the movies]

December 24, 2023 08:10 - 33 minutes

Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch some holiday classics, describe ...

Reeling in some phishing trends.

December 21, 2023 06:00 - 55 minutes

Adam Bateman, Co-Founder & CEO at Push Security, is sharing some of the latest phishing trends his team has been observing. Dave and Joe share some listener follow up from Michael, who writes in with a new idea, calling it "eDeception." With the holiday season practically here, Joe shares a story about gift card scams, reminding everyone to be safe this holiday season. Dave's story follows a new iPhone update regarding stolen device protection in an upcoming version of iOS. Our catch of the d...

chaos engineering (noun) [Word Notes]

December 19, 2023 08:10 - 10 minutes

The resilience discipline of controlled stress test experimentation in continuous integration/continuous delivery environments, CI/CD environments, to uncover systemic weaknesses. CyberWire Glossary link: https://thecyberwire.com/glossary/chaos-engineering Audio reference link: Farnam Street, 2009. Richard Feynman Teaches you the Scientific Method [Website]. Farnam Street. URL https://fs.blog/mental-model-scientific-method/

Shielding your inbox.

December 14, 2023 06:00 - 53 minutes

Seth Blank, CTO of Valimail, joins to discuss what DMARC means for email security. Joe and Dave share some follow up regarding Meta, the parent company of Facebook and Instagram, and how they are now in a lawsuit over steering predators to children in New Mexico. Joe shares how he was almost hacked, as scammers used Peacock to lure him in. Dave's story continues with popular streaming apps being impersonated, this time with Disney+ falling victim. Joe's story follows ...

Encore: remote access Trojan or RAT (noun)

December 12, 2023 08:10 - 4 minutes

From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice, made famous by the notorious hacktivist group called “The Cult of the Dead Cow,” or cDc. Back Orifice was written by the hacker Sir Dystic, AKA Josh Buchbinder, and released to the public at DEF CON in 1998.

Small, medium, and large phishing trends of 2023.

December 07, 2023 06:00 - 53 minutes

Mike Price from ZeroFox sits down to discuss what 2023 phishing trends mean for the broader industry as we quickly approach 2024. Dave and Joe share a serious write-in from listener Michelle, who shares a plea on behalf of her aunt, who she believes is being catfished. Listener Marc also writes in with an email that claims to be from "Walmart," which he is quite suspicious of. Joe's story follows Meta, and how they have designed products to target and harm kids. Dave's story is on bad bots and the d...

zero knowledge proof (noun)

December 05, 2023 08:10 - 6 minutes

A mathematical method by which one party (the prover) can prove to another party (the verifier) that something is true, without revealing any information apart from the fact that this specific statement is true. CyberWire Glossary link: https://thecyberwire.com/glossary/zero-knowledge-proof Audio reference link: Staff, 2022. Zero Knowledge Proofs [Video]. YouTube. URL https://www.youtube.com/watch?v=5qzNe1hk0oY
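The classic concrete instance is Schnorr's protocol: the prover shows it knows the discrete logarithm x of a public value y = g^x mod p without revealing x. The code below is an added example, not from the podcast or the glossary. The group parameters are a toy-sized assumption (p = 1019 = 2*509 + 1, g = 4 generating the order-509 subgroup) so the arithmetic is easy to follow; a real deployment uses a standardised group of at least 2048 bits or an elliptic curve. It also shows why the proof is zero-knowledge: a simulator with no secret produces transcripts that verify just as well.

```python
"""Schnorr zero-knowledge proof of knowledge of a discrete logarithm.

Added example with toy parameters (assumption): P is a safe prime,
G = 2^2 mod P is a quadratic residue and therefore has prime order Q.
"""
import hashlib
import secrets

P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # quadratic residue mod P, so its order is exactly Q


def keygen():
    """Secret x in [1, Q), public y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


# --- interactive three-move (sigma) protocol ---------------------------
def prover_commit():
    """Round 1: prover picks a fresh nonce r and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: verifier sends a uniformly random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: s = r + c*x mod q. Reusing r across two proofs leaks x."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Accept iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s)


# --- zero-knowledge: a simulator without x makes accepting transcripts ---
def simulate_transcript(y):
    """Choose s and c first, then solve for t = g^s * y^-c. No secret used."""
    s = secrets.randbelow(Q)
    c = secrets.randbelow(Q)
    y_inv_c = pow(pow(y, c, P), -1, P)
    t = (pow(G, s, P) * y_inv_c) % P
    return t, c, s


# --- Fiat-Shamir: replace the verifier's coin with a hash of the commitment
def _challenge_hash(y, t):
    data = f"{P}|{G}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove_noninteractive(x, y):
    r, t = prover_commit()
    c = _challenge_hash(y, t)
    return t, prover_respond(x, r, c)


def verify_noninteractive(y, proof):
    t, s = proof
    return verify(y, t, _challenge_hash(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", run_interactive(x, y))
    print("simulated transcript accepted:", verify(y, *simulate_transcript(y)))
    print("non-interactive proof accepted:",
          verify_noninteractive(y, prove_noninteractive(x, y)))
```

The simulator is the whole point of the definition: since anyone can produce an accepting (t, c, s) without x, the transcript cannot contain information about x. The verifier is still convinced in the real run because there the challenge is chosen after the commitment, which the simulator cannot arrange.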

Encore: The age old battle between social engineering and banking.

November 30, 2023 06:00 - 53 minutes

Chip Gibbons, CISO at Thrive, sits down with Dave to talk about how to defend against social engineering attacks in banking. Dave starts us off this week with a story about Amazon opening up its selling market to Pakistani residents, and what consequences that led to for the organization’s business. Joe's story follows a scam targeting soldiers in the Army. The Army warns against unknown individuals purporting to be noncommissioned officers who are calling said soldiers and asking them for m...

Encore: business email compromise or BEC (noun) [Word Notes]

November 28, 2023 08:10 - 3 minutes

A social engineering scam where fraudsters spoof an email message from a trusted company officer that directs a staff member to transfer funds to an account controlled by the criminal. 

Cops in the catfish game.

November 23, 2023 08:10 - 29 minutes

Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, descr...

HIPAA (noun) [Word Notes]

November 21, 2023 08:10 - 10 minutes

A U.S. law designed to improve the portability and accountability of health insurance coverage. CyberWire Glossary link: https://thecyberwire.com/glossary/hipaa Audio reference link: Dr. Dana Brems, 2021. Doctor reacts to “HIPAA violations” [Video]. YouTube. URL https://www.youtube.com/shorts/Ksk00s8a_IU

Unmasking the deceptive.

November 16, 2023 06:00 - 53 minutes

John Wilson, Senior Fellow, Threat Research at Fortra, joins to discuss email impersonation attacks and the finding that nearly 99% of these threats can be classified as business email compromise. Dave and Joe share some listener follow up from Terry, who writes in with some comments on episode 262 regarding cybersecurity jargon used. Joe's story comes from a listener this week; this individual writes in sharing the horror story he had to deal with when he and his wife ended up on a target list ...

Encore: man trap (noun) [Word Notes]

November 14, 2023 08:10 - 4 minutes

A physical security access control device consisting of an enclosed hallway with interlocking doors on each end where both doors can’t be open at the same time. A person presents credentials to the entry doorway. If authorized, the entry door opens and the person walks into the man trap. The man trap exit door will not open until the entry door closes. The person presents credentials to the exit door. If authorized, the exit door will open. If not, the person is captured in the man trap until ...

Leaving a trail of digital breadcrumbs.

November 09, 2023 06:00 - 1 hour

This week we are joined by Harry Maugans from Privacy Bee who sits down to discuss how our digital breadcrumbs, old and new, are coming back to haunt us. Joe and Dave discuss some follow up from listener Phil, who writes in with a question about the safety of IoT and consumer devices. Dave's story follows the ever so popular YouTube, and its implemented measures to prevent users with ad blockers from watching videos. Joe shares a personal story from a friend regarding a scam he had fallen for...

Common Vulnerability Scoring System (CVSS) (noun) [Word Notes]

November 07, 2023 08:00 - 7 minutes

An open, public framework for scoring the severity of security vulnerabilities in software on a 0 to 10 scale, with qualitative ratings (None through Critical) derived from the numeric score. CyberWire Glossary link: https://thecyberwire.com/glossary/common-vulnerability-scoring-system Audio reference link: Peter Silva, 2020. What is Common Vulnerability Scoring System (CVSS) [Video]. YouTube. URL https://www.youtube.com/watch?v=rR63F_lfKf0

Weaponizing your out-of-office replies.

November 02, 2023 05:00 - 52 minutes

James Dyer and Jack Chapman of Egress join to discuss "Cybercriminals don’t take holidays: How bad actors use this two-step phishing campaign to weaponize out-of-office replies." Dave and Joe share some listener follow up from Ron, who has a suggestion about registration specific email accounts. Joe has two stories this week, one where he shares some good news on a scammer who received some justice after taking part in a $66K romance scam. His second story is on social media and how it is a b...

Encore: anagram (noun) [Word Notes]

October 31, 2023 07:00 - 3 minutes

A word, phrase, or sentence formed from another by rearranging its letters. For example, cracking a columnar transposition cipher by hand involves looking for anagrams.

Spooky, scary, skeletons at the movies. [Hacking humans goes to the movies]

October 29, 2023 07:01 - 36 minutes

Thanks for joining us again for a very special and scary episode brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering, scams, and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, d...

Scams, scams, and more scams.

October 26, 2023 05:00 - 50 minutes

Mallory Sofastaii, a consumer investigative reporter from WMAR TV, is joining Dave and Joe to discuss some recent scams she's seen in her reporting. Dave and Joe share some listener follow up from Kenneth who writes in with a suggestion on creating separate email addresses. Dave's story this week follows fake browser scams and how one has gotten a face lift, and what it looks like now. Joe's story is on a new term WIRED is calling "obituary pirates," people who create YouTube videos themselve...

Encore: zero-day (adjective) [Word Notes]

October 24, 2023 07:01 - 3 minutes

A class of software security weaknesses in which someone outside the owners of the code, whether an independent researcher or an attacker, discovers a flaw before the owners know about it. Zero-day, or 0-day in hacker slang, refers to the moment the race starts, on day zero, between network defenders who are trying to fix the flaw and hackers who are trying to leverage it to cause damage. It is a race because on day zero there is no known fix for the issue.
