Hacking Humans 2.17.22
Ep 184 | 2.17.22

Vulnerabilities will be found.


Deral Heiland: This is the reality. If it's a technology, it's a well-liked technology and people are actually looking at it for a security issue, vulnerabilities are going to be found.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Carole Theriault returns. She's discussing IoT security with Deral Heiland from Rapid7. 

Dave Bittner: All right, Joe, let's jump right into our stories this week. Why don't you start things off for us? 

Joe Carrigan: Dave, I don't have a story from the news today. I have a story from my own personal life today. 

Dave Bittner: OK (laughter). 

Joe Carrigan: These are some of my favorite ones to do. 

Dave Bittner: Yeah. 

Joe Carrigan: Last week, after we recorded this wonderful podcast that we do, "Hacking Humans," at some point in time, I went down to my mailbox, and I opened it up, and there were some packages in my mailbox for me. 

Dave Bittner: We're talking about your physical U.S. Postal Service mailbox. 

Joe Carrigan: My physical U.S. Postal Service mailbox at my home. 

Dave Bittner: OK. 

Joe Carrigan: And I want to show you what came in the mail for me. 

Dave Bittner: Oh, all right. 

Joe Carrigan: You see that? 

Dave Bittner: Yeah, I see that. 

Joe Carrigan: What's inside here? 

Dave Bittner: You're holding up - it's a thing. It says, these checks are yours. 

Joe Carrigan: Right. 

Dave Bittner: Oh, and they're checks - like, bank checks. 

Joe Carrigan: Actual checks. And if you look here, you will see - let's see if I get one open here. This is great podcasting, Dave. 

Dave Bittner: Yeah. Oh, yeah. Just scintillating radio, yeah. 

Joe Carrigan: Right. Right there. 

Dave Bittner: OK. 

Joe Carrigan: My name. 

Dave Bittner: Yup. 

Joe Carrigan: My address. 

Dave Bittner: Right. 

Joe Carrigan: But someone else's phone number. And also came another set of checks and this debit card right here. 

Dave Bittner: Oh, OK. 

Joe Carrigan: So this is all from TD Bank. 

Dave Bittner: Yeah. 

Joe Carrigan: And I don't do business with TD Bank. I just... 

Dave Bittner: (Laughter). 

Joe Carrigan: I use - and not that I have anything against TD Bank. I just... 

Dave Bittner: Right. 

Joe Carrigan: They are not my bank, right? 

Dave Bittner: Right, yeah. 

Joe Carrigan: So I was surprised to receive these things in the mail. I'm like, this is odd. 

Dave Bittner: Sure. 

Joe Carrigan: So I called TD... 

Dave Bittner: So what kind of spending spree did you go on, Joe (laughter)? 

Joe Carrigan: That's right. I - well, unfortunately, Dave, these checks all have my name and actual address on them. 

Dave Bittner: OK. 

Joe Carrigan: So I didn't do anything. 

Dave Bittner: OK. 


Joe Carrigan: You know, they might call the wrong number, but when the Secret Service shows up to my house, they're going to have the right address. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: So I didn't do anything. The first thing I did was I called TD Bank and I said, hi, I'm Joe Carrigan, and apparently I have an account with you. And here's the account number - 'cause it's printed on the bottom of the checks. 

Dave Bittner: Right. 

Joe Carrigan: They were like, yeah, this doesn't really look right. I'm like, it isn't right. I didn't open these accounts, and I need you to tell me right now what kind of transactions have happened on this account. And the guy on the phone said, I can't tell you that. You're going to have to go to one of our branches and present an ID in order to be - in order to have that information. 

Dave Bittner: OK. 

Joe Carrigan: So a quick Google search found that there's one in Laurel, Md. So into my car I hopped... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...And drove quickly down to Laurel, Md... 

Dave Bittner: Then you fishtailed out of the driveway. 

Joe Carrigan: Right. 


Joe Carrigan: ...Down to the TD Bank, where I talked to some lovely people in the TD Bank who are great. 

Dave Bittner: Yeah. 

Joe Carrigan: Everybody was fantastic. 

Dave Bittner: Right. 

Joe Carrigan: And I walk in, and I say, somebody has opened this account, and I need to know all the activity 'cause my biggest concern, Dave, is that next year - I think, yeah, at some point in time in the future, banks have to report all of the transactions that go on in accounts in your name to the IRS, right? 

Dave Bittner: OK, yeah. 

Joe Carrigan: So I'm not sure if that's actually been officially passed yet or not or if that's something - that is a requirement, but it has to happen, or it's going to happen at some point in time in the future. So my concern is that somebody is using this - my account, this new account that they opened in my name to launder money or to move money around and at the end of next year I'm going to get a statement from TD Bank that says, you moved $150,000 through this account. And I'm going to be like... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Well, this is a new headache for me. 

Dave Bittner: Yeah. 

Joe Carrigan: But I went down to the bank, and they said what happened was the bank was - the account was opened online - right? - and it was - somebody put $5 into one of the accounts and then moved that $5 to another account. And at some point in time, the next day after it was opened, TD Bank flagged it as a fraudulent account and froze all the - froze the accounts. 

Dave Bittner: Oh, OK. 

Joe Carrigan: I also received two letters in the mail that said, you know, your account balances are at or close to zero or might be overdrawn; please call us, which was interesting, I thought. So I think that's just something that is a result of them freezing the accounts. 

Dave Bittner: Right. 

Joe Carrigan: So I had them do whatever it is they do - close the account. And I said, I'm glad that there's nothing moving through these accounts, and I'm considering the matter closed. I kept the checks and the debit card as evidence... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For my own purposes. And now here's the interesting thing, Dave. This year, I signed up for - as one of my benefits at Hopkins, they offer identity theft protection. 

Dave Bittner: Ah, OK. 

Joe Carrigan: Right? And I had - two weeks ago, I'd gotten a letter in the mail that says, hi, this is your identity theft provider. You should log in and create an account. And I'm like, I'll get to that. 


Dave Bittner: OK. Yeah, OK. 

Joe Carrigan: So old procrastinating Joe here could have known about this event on the day it happened, but because I didn't set up my identity theft protection, I didn't know about it on the day it happened. However, I did immediately - on the same day we recorded the last episode, I did immediately set up and configure my identity theft account. 

Dave Bittner: Ah. 


Dave Bittner: Yeah, lesson learned. Fool me once (laughter). 

Joe Carrigan: Right. And sure enough, the opening of this account is listed on that identity theft site, on that monitoring site. 

Dave Bittner: Oh, interesting. 

Joe Carrigan: So I flagged it as fraudulent, and my identity theft provider called me up and said, hey, let's work together on this. And right now I'm in the process of setting up an appointment with a counselor on this to see what the next step is. And apparently, one of the things I can do any time this happens is I can put a one-year freeze on - or one-year fraud alert on my credit reports just by calling up the credit - one of the credit bureaus and saying there was a fraudulent account opened in my name. 

Joe Carrigan: Now here's an interesting thing that I've also found out. If I get a police report, an identity theft police report, that freeze - or not freeze, but the fraud alert is good not for one year, but for seven years. 

Dave Bittner: Really? 

Joe Carrigan: Yeah. Additionally, if I do the one-year alert, I only have to notify one of the credit bureaus, and they'll share the information for one year. But if I do the seven-year alert, I have to call all three of them independently... 

Dave Bittner: OK. 

Joe Carrigan: ...And notify them. So I haven't decided what I'm going to do. I'm going to talk to the counselor first and see what this person recommends. But it's an interesting - here we are, looking at the actual outcome of a lot of these kind of attacks happening directly to me. This has actually never happened to me before. I've never had any - I mean, I've had other things where people have impersonated me, but nobody's ever opened an account in my name. 

Dave Bittner: So what do you think happened here? What's your best guess of exactly what was going on, what they were trying to do? 

Joe Carrigan: I think somebody was trying to open an account so they could use it to scam other people. 

Dave Bittner: OK. 

Joe Carrigan: So... 

Dave Bittner: Do you think they were going to try to use your good name and your good credit to... 

Joe Carrigan: That is an excellent question. You know, my - if anybody does a Google search on me - and I've actually done this to you, Dave, in one of our previous episodes where I was demonstrating how easy it is to find open-source information. 

Dave Bittner: Right. 

Joe Carrigan: A lot of information comes up about me just by doing a Google search. 

Dave Bittner: Yeah. 

Joe Carrigan: And the information that was used to open this account, a lot of times - I don't know what Social Security number they used to open it. They wouldn't tell me. But it may not have been my Social Security number, but it is definitely not my phone number. Now, there's no small part of me that wants to call this phone number and see who answers. 

Dave Bittner: Oh, yeah. I'm shocked you haven't done it yet (laughter). 

Joe Carrigan: Well, here's what I thought about doing. I have a friend that lives in Virginia, which is a single-party consent state. 

Dave Bittner: OK. 

Joe Carrigan: And I want him to call and ask for me and record the phone call and see what happens. 

Dave Bittner: All right. Well, coming up on our next episode of "Hacking Humans"... 


Joe Carrigan: So, you know, I recommend - now I recommend getting identity theft insurance or, you know, identity theft protection from... 

Dave Bittner: You found religion, Joe. You found religion. 


Joe Carrigan: I'm a convert, Dave. 

Dave Bittner: Right. When it happens to me, it matters (laughter). 

Joe Carrigan: That's right. Well, I think I've demonstrated that I hate when this happens to anybody. But this is - I think this is - you know, this has been an interesting, interesting thing. And, you know, I... 

Dave Bittner: Yeah. 

Joe Carrigan: My biggest concern, my - seriously, my biggest concern is the reporting that would've been done to the IRS on my behalf, where I would've had to explain large amounts of money moving through an account I didn't create but was opened in my name. That's - that was my biggest security concern here. 

Dave Bittner: Well, and tip of the hat to the folks at TD Bank for handling everything as well as I think it could be handled. 

Joe Carrigan: Yeah, they did it very quickly. 

Dave Bittner: But also, you know, just - I mean, this is a time suck for you, right? I mean, you... 

Joe Carrigan: It is. I lost the afternoon to it. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Now, there have been other cases of identity theft where people have lost months - one of the stories last week we had where a woman was scammed out of a bunch of money that took them six months to get that money back - or most of that money back. 

Dave Bittner: Yeah. 

Joe Carrigan: So I got off easy. 

Dave Bittner: Yeah, yeah. All right. Well, I mean, it's a lot of good information there, so it sounds like... 

Joe Carrigan: Yeah. 

Dave Bittner: ...All's well that ends well, but keep us posted on how it develops. 

Joe Carrigan: I will. Next week, I'll give you an update on what happens when I meet with the counselor. 

Dave Bittner: All right (laughter). 

Joe Carrigan: We can all follow as Joe's identity theft turns. 

Dave Bittner: Real-time story. 

Dave Bittner: All right, well, my story this week actually comes from an email that I got from, oddly enough, the PR department at TikTok. Now, Joe, I'm not on TikTok. Are you on TikTok? 

Joe Carrigan: Absolutely not, Dave. Why do I want to be on TikTok? 

Dave Bittner: So I have never been lured in to create a TikTok account or anything like that. But certainly, lots of people are. 

Joe Carrigan: Yep. 

Dave Bittner: So this press release that the TikTok people sent us - and just a side note here, you know, we field endless press releases and story pitches at the CyberWire for all sorts of things like this. 

Joe Carrigan: Oh, by the way, Dave... 

Dave Bittner: So it's not unusual for us to get these things. 

Joe Carrigan: I also field endless requests for this at my... 

Dave Bittner: Is that right? 

Joe Carrigan: ...Hopkins email address. 

Dave Bittner: (Laughter). 

Joe Carrigan: Yes. 

Dave Bittner: Yeah. 

Joe Carrigan: I have set up a rule. It just sends those things right to the trash. I don't do this, so stop asking me for interviews. Talk to somebody at the CyberWire. 

Dave Bittner: Yeah. I actually have to go through and consider whether or not they're worthwhile. In this case... 

Joe Carrigan: Right. 

Dave Bittner: This one was worth sharing. So this is from one of TikTok's financial crimes investigators... 

Joe Carrigan: Oh, OK. 

Dave Bittner: ...A gentleman named Lloyd Temple. So first of all, TikTok has financial crimes investigators, so... 

Joe Carrigan: Very good. 

Dave Bittner: Good on them. And this is really focused around romance scams. I think, particularly - as you and I record this, we're coming up on Valentine's Day. 

Joe Carrigan: That's right. 

Dave Bittner: When this show posts, we will have just been past Valentine's Day, so this is kind of related to that. And there's some good things in here. They have some tips for protecting yourself against these sort of frauds. I'll just read part of this. It says, whether in the physical or online world, the best defense against fraud is awareness. 

Joe Carrigan: Right. 

Dave Bittner: If it feels like you've been struck by Cupid's arrow, follow simple safety and security tips from experts like the Federal Trade Commission to protect your heart and your wallet. And there's a good list here, so I'm going to share this. First, they say, take it slowly. Swindlers are quick to profess their affection and take conversations off apps. They often try to draw in victims with love-filled texts, emails or calls. A best practice is to vet your new heartthrob by asking questions and pay attention to inconsistencies that may reveal your crush as an imposter. 

Joe Carrigan: Right. 

Dave Bittner: It's all good stuff, right, Joe? 

Joe Carrigan: Yes, I would agree - 100%. 

Dave Bittner: Yeah. Next one they list here is, keep your funds and personal information to yourself. If you've never met in person, don't send or exchange money via gift cards, wire transfers or cryptocurrency, and don't share personal details like bank account, home address or other sensitive information. This all sounds pretty straightforward to me. 

Joe Carrigan: Yeah. 

Dave Bittner: But when you're wrapped up in the excitement of a new romantic relationship, I think it's easy to get into a mode where you just want to share everything, right? 

Joe Carrigan: That's right. That's right. It's very easy to do that. One of the problems here is that the emotions that we experience really cloud our thinking. And it's OK for that in some situations. But the problem is, that can be exploited. And it is particularly exploited in fear and in greed and in love - in, you know, the love emotions. 

Dave Bittner: Yeah. 

Joe Carrigan: There's a part of me that wonders how people would share accounts. You know, I don't know that I could ever merge financially with somebody beyond a marriage agreement, you know? I just don't know. But, you know, maybe it's because my parents were both in accounting and bookkeeping. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I come from an accounting family, I guess. 

Dave Bittner: Right, right. 

Joe Carrigan: But, you know - and a lot of people don't come from those kind of families, right? I mean, most people don't - not very many people are accountants. But it's something that I grew up with, so I don't know that it's - it seems completely foreign to me. Somebody goes, hey, let's open a joint bank account. No. No, you and I aren't married. I'm not opening a joint bank account with you. 

Dave Bittner: Right. 

Joe Carrigan: I haven't made a decision with you yet. 

Dave Bittner: Yeah. 

Joe Carrigan: But again, you're right. The - once you start getting that - you know, the endorphin rush whenever you talk to somebody and they start telling you nice and pleasing things, you know, you're essentially putty in their hands. 

Dave Bittner: Yeah. 

Joe Carrigan: And it can be very, very dangerous. 

Dave Bittner: The next one they list here - they say, don't play games. Tools like images.google.com, which is Google's reverse image search tool... 

Joe Carrigan: Right. 

Dave Bittner: They can help conduct a reverse image search on someone's online profile photo. If results show the same photo on another site but with a different name attached, a scammer may have stolen it. For sweet emails or text messages that sound too good to be true, copy and paste the text into a search engine to see if others have already encountered this potential fraudster. 

Joe Carrigan: Oh, that's a good one. 

Dave Bittner: I think this is a great point here. You know... 

Joe Carrigan: Yeah. 

Dave Bittner: Crooks tend to be lazy, so... 

Joe Carrigan: Yes. Yeah, they're going for the low-hanging fruit. 

Dave Bittner: That's right. So there's - chances are they're doing a lot of copying and pasting of both the images and the texts that they're sending around. So that's a real quick way to check and to short-circuit this kind of stuff. 

Joe Carrigan: It's an excellent point. This is a numbers game for these guys, so they really don't have time to craft individual responses for everybody. So... 

Dave Bittner: Yeah. 

Joe Carrigan: That's - this is going to - now, you and I were talking before the show about a LinkedIn request I got. And I thought it looked suspicious. And right before, as we were getting ready to record, dear listener, what I did was I did an image search on the profile picture and found - you know, 'cause it's an attractive woman trying to connect with me. And, of course, immediately, I'm like... 

Dave Bittner: That doesn't make any sense. 

Joe Carrigan: That doesn't make any - exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: We don't have anything in common here. 

Dave Bittner: Well, I mean, I think it's just because, obviously, that your wife is so stunningly beautiful that... 

Joe Carrigan: Right. 

Dave Bittner: How could any woman possibly compare to that, right, Joe? 

Joe Carrigan: Right. He's got to have something going on, that guy. 

Dave Bittner: (Laughter). 

Joe Carrigan: But the search came up, and it was a model for a dress. You know, that was just - they took the head of this - you know, you can find the site - find sites selling dresses with this picture, and they took the headshot from the model. It's a full-body shot. They just cropped out the rest of the body and put it as the head shot on LinkedIn. 

Dave Bittner: Yeah. 

Joe Carrigan: So I'm like - I'm ignoring this. In fact, I'm even going to report that account. 

Dave Bittner: Yeah. Yeah. Well, on the last one they have here, they say, listen to your heart. Follow your head. If something seems amiss, cut off all contact immediately. Fraud, scams and bad business practices can be reported to the Federal Trade Commission, the FBI's IC3 - their Internet Crime Complaint Center. And the IRS has a taxpayer guide to identity theft. And, of course, TikTok has a safety center as well. So you can report stuff there. So I have to say, I was a little surprised that - this is solid stuff here. 

Joe Carrigan: Yeah, it is. 

Dave Bittner: Maybe I shouldn't be so skeptical of TikTok in the future. I don't know. 

Joe Carrigan: Well, I mean, they have to take their platform seriously, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Because it is their business model, and they need to be out there protecting their users. And if people are getting scammed relentlessly on TikTok, that's not going to end well for them. So this is in their business interest to do this. 

Dave Bittner: Yeah. Absolutely. 

Joe Carrigan: But, you know, still, I'm probably not going to create a TikTok account because of this because there's other reasons I don't like this company... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Not the least of which - as I've said many times, social media is bad for you. And this is just another social media account. 

Dave Bittner: There you go. 

Joe Carrigan: I will add one additional thing that isn't mentioned here, and that is listen to your friends and family. A lot of times people are told, I think you're being scammed. You need to be receptive to that if you're in - even if you're in the middle of the throes of a romantic relationship, right? - that when somebody says, I think you're being scammed, you need to stop right there and go, OK, hold on. Why does my son, daughter, wife - or not wife... 


Joe Carrigan: ...That would be very bad. There's a bad - so why is my son, daughter... 


Dave Bittner: Why is my wife so against this romantic relationship... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...I'm having? It just doesn't make sense to me (laughter). 

Joe Carrigan: Right. Why is my son, daughter, brother, sister, good friend I've known for 40 years - why are they telling me this is a scam? 

Dave Bittner: Right. 

Joe Carrigan: It's not because they're jealous, right? It's really not. It might be because they're genuinely concerned. It probably is because they're genuinely concerned... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? It's - and that's one of the things. These guys will try to emotionally isolate you to get you to actually physically isolate yourself from your friends and family because those are the people who bear the greatest chance of preventing their success. 

Dave Bittner: Yeah. 

Joe Carrigan: So listen to your friends and family when they say you're being scammed. Pay attention. 

Dave Bittner: All right. Well, I will have a link to the press release here over on TikTok - the - again, the TikTok safety folks - the financial crimes investigators. We'll have a link to that in the show notes. All right, Joe, it is time to move on to our Catch of the Day. 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named John who writes, (reading) hi, guys. One of my friends on Facebook was being hassled by a scammer using a cloned account of a mutual friend trying to convince my friend to click on a link. I asked my friend if they could convince the scammer to give me an email address so I could play, too. 

Joe Carrigan: So you got a phone number and eventually an email address. 

Joe Carrigan: (Reading) So now it's my turn. Using a disposable email address, my aim was to get their Bitcoin wallet address, which I did. And I took a copy of that wallet statement, which he attached and sent along, and I posted every email on Facebook for my friends to have a laugh along with me. He - as a question - should I report this to the authorities? If so, who and how? 

Joe Carrigan: It depends on what country you're in, John. But if you're in the U.S., I'd report it to the Internet Crimes Complaint Center. 

Dave Bittner: Yup. 

Joe Carrigan: I would also definitely report the profile to Facebook as a fraudulent profile. Send along the evidence that you have, including the scams - the screenshots that you sent along. But John was actually kind enough to put this into a PDF for us - the entire email chain (laughter). 

Dave Bittner: All right. 

Joe Carrigan: So Dave, as usual, why don't you play the part of the scammer, and I will play the part of John? 

Dave Bittner: All right. Here we go. 

Joe Carrigan: So John opens up. He says, (as John) hello. My friend passed me your email address. Apparently, I might qualify for a grant. Please, can you tell me more? Thank you, John. 

Dave Bittner: (As scammer) It's my pleasure to have - my name. My name is Gene Smith, the online claiming agent in charge of the ongoing United Nations Democracy Fund grant. I would like to enlighten you more about this program. Can we proceed? 

Joe Carrigan: (As John) Hello. Yes, please. Thank you. 

Dave Bittner: (As scammer) UNDEF grant program, which is an empowerment of the United Nations to promote international monetary, facilitate international trade, foster sustainable economic growth, make resources available to members experiencing balance of payment difficulties around the world. This program is a worldwide tour embarked on for all the disabled, unemployed, student workers, retired, young and old people, all citizens of the United Nation. The COVID-19 UNDEF grant isn't alone. And you do not have to pay us back. Do you also want to apply as well? 

Joe Carrigan: (As John) Yes, please. 

Dave Bittner: (As scammer) OK. You have to be honest with us so that I can help you get your grant. You will have to fill in some information now so we can proceed with processing. Are you ready? 

Joe Carrigan: (As John) Hello. Yes, please. Thank you. 

Dave Bittner: (As scammer) OK. Here's what I need - full name, residential home address, age, gender. Do you have credit cards? - email address, marital status, mobile number, monthly income. What do you want from us, cash or check? 

Joe Carrigan: And then John replies back with a fake name, James. And he says - gives an address in Switzerland - says his age is 67, that he's male. He does have credit cards - provides an email address, which is, of course, a disposable email address. His marital status is listed as widowed. Mobile number - none. I was cut off during COVID because I couldn't get out to pay the bills. This is why I need the grant. I'm really cut off and I need some help. His monthly income is from a pension. And what do you want - cash or check? He goes, cash, please. How much would I be entitled to? 

Dave Bittner: (Laughter). 

Joe Carrigan: And then John notes, I wonder if they noticed that the address I gave them is for the United Nations building in Geneva (laughter). 

Dave Bittner: Nice. Well, nicely played, John, nicely played. 

Joe Carrigan: I didn't notice that, John. 

Dave Bittner: (Laughter) (As scammer) You have to hold on for three minutes because your information will be saved to our database now to verify if you're qualified to receive the grant so that we'll not deliver the grant to the wrong person. Remember, the grant money is non-refundable and interest free. If you qualify for this, you'll pay for a clearance fee so that your money can be delivered to you without any stress. 

Joe Carrigan: Uh-huh. 

Dave Bittner: (As scammer) Congratulations. We got your full details and information processed and programmed in our database. Below are the references for your referral number, batch, winning number, ticket number and serial number. Kindly keep the reference number below safe and confidential as they will be needing at the point of delivery to provide you with the adequate support to enhance a swift delivery to your home address. 

Joe Carrigan: (As John) That's wonderful news. How much is the award? Please go ahead and send it to me. 

Dave Bittner: (As scammer) Here's the list of the amounts that you're qualified to receive from the UNDEF Grant. If you are to choose the amount to which to claim now, you pay $800 to get $120,000. You pay $3,000 and get $300,000. You pay $7,500 and get $700,000. You pay $10,000 and get $1 million. 

Joe Carrigan: And then John says, I don't have this much. I'll need to ask my neighbor for a loan. I'm not sure about this. He's not very nice. The kind of people who see him sometimes go to the hospital if they don't pay him back. (Laughter) That's pretty funny. Please, can you tell me how to pay and I'll get the money. If I can promise to pay him back a bit more, he'll probably let me have $10,000 and I can go for the highest award. 

Dave Bittner: (As scammer) We accept payment through bitcoin and gift cards. Your money will be delivered 10 hours after you make the payment. 

Joe Carrigan: The money - the U.N. - it's good to know the U.N. accepts payment in gift cards, Dave. 

Dave Bittner: Well, you know, times are tough. 

Joe Carrigan: Right. Thirty minutes later, John writes, that's great. My neighbor said he would loan me $10,000 and only charge me $5,000 for 10 hours, but then it's another $500 for every hour I'm late. Since this is the United Nations, I'm sure there will be no delays. I trust you. Can you give me a phone number that I can call once I'm ready? I may need to have some help. I may not be near my computer. I'll have to use a public phone. What is bitcoin? I'm old and don't know much about this. My wife used to deal with money before she died. I think there was a bitcoin machine at the train station. How does that work? What are gift cards? How do those work? (Laughter) I love this, John. This is awesome. (As John) Thank you for your help. This is going to make such a difference. I really don't know what I would have done. I'm so desperate for some help. So grateful to the United Nations. 

Dave Bittner: (As scammer) Can I text you on Facebook Messenger? 

Joe Carrigan: (As John) I don't have Facebook. 

Dave Bittner: (As scammer) I just sent you a text on Messenger app. Check your Messenger spam messages. 

Joe Carrigan: (As John) I don't know what this mean. What is Messenger app? 

Dave Bittner: (As scammer) Check your Facebook message. I sent you a text message. Did you see the message? 

Joe Carrigan: (As John) I don't have Facebook. Please don't send my money to someone else. 

Dave Bittner: (As scammer) Are you in Switzerland or United State? 

Joe Carrigan: (As John) Switzerland, like I said when I gave you my details. 

Dave Bittner: (As scammer) Do you have the $10,000 now? 

Joe Carrigan: (As John) My neighbor said they'll give it to me as soon as I ask. 

Dave Bittner: (As scammer) Now go and ask. 

Joe Carrigan: Twenty minutes later, he says, wow, this is a lot of money. Are you sure this is all OK? I'm a bit scared. What now? 

Dave Bittner: (As scammer) This is real and legitimate. Now go to the bitcoin machine. Text me once you get there. 

Joe Carrigan: (As John) I can't text you. My mobile phone is cut off. I need to get reconnected. Tell me what to do, please. 

Dave Bittner: (As scammer) Once you get to the bitcoin machine, send $10,000 worth of bitcoin to this wallet address. 

Joe Carrigan: Now this scammer is probably salivating right now. Like, I'm getting 10 grand. This is - and he's given him a bitcoin address. And John texts back, going now. And this is the last email he sent him at 10 p.m. at night. He wanted the scammer to think that he was a 67-year-old retiree widower with $10,000 in his cash pocket. So it's - this is pretty much where it ends. But John pulled off something called a wallet statement, which you can get from blockchair.com, which is essentially just a blockchain explorer. So this is available to anybody. And he entered the email - or the bitcoin address rather. And bitcoin is a public blockchain. Everybody can see every transaction that's ever happened. And these guys have scammed people out of about .03 bitcoin, which is around $2,000 in - going through these transactions. It's a lot of money. 

Dave Bittner: Well, the last thing that the scammer writes is this - (as scammer) don't let anyone to be aware of your grant money. They might charge you 30% of your winning money for tax. Keep it to yourself for your own good and self-privacy. Thanks for complying with us. Congratulations once again. 

Joe Carrigan: (Laughter). 

Dave Bittner: (As scammer) Are you back? Hello? Hello? 

Joe Carrigan: Yeah. And John's ghosting him now. John's done. He got what he wanted. He got the email address. He got the bitcoin address. So, you know, if - maybe, John, if the guy is dumb enough to put this on an exchange - you know, I don't think he is. He probably has his own physical wallet, in which case the money is gone, gone, gone, you know? 

Dave Bittner: Yeah. 

Joe Carrigan: It's - but it's - I said physical wallet. But it doesn't have to be a physical wallet, just his own wallet that he controls. 

Dave Bittner: Yeah. Yep. All right, well, thanks to John for sending that in. We would love to hear from you. If you have something you'd like us to consider for our Catch of the Day, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, always great when we can welcome Carole Theriault back to the show. 

Joe Carrigan: Yep. 

Dave Bittner: And this week, she has a conversation with Deral Heiland. He is an IoT security researcher at Rapid7. Here's Carole Theriault. 

Carole Theriault: OK, well, today, folks, we are here with Deral Heiland. Now, he is an IoT security researcher at Rapid7. Now, Deral, you have quite a history. I've heard that you love to own printers and breach companies with them. Is that true? 

Deral Heiland: Oh, yeah. Oh, yeah. I have a long, lurid history with printers out there. So, yeah, done that for a number of years. Did a lot of research against Xeroxes. We did some research for - across all the printers. And I think there was one we call a pass-back attack where you could leverage the LDAP that's configured on multifunction printers and just request it to do an LDAP lookup and have it point to you. And you can get the active directory credentials in clear text. So a lot of that's used by pen testers now. So, yeah, that was something we did years ago. It's amazing that it still works. 

Carole Theriault: Now, these days you are doing a lot of IoT research. And I really wanted to speak with you about this - like, there's just so many smart devices getting pushed out every single day, like from vacuums to fridges to, you know, toys. And I wanted to know from your experience, are they mostly secure? Am I panicking for nothing, or should we be concerned about this stuff? 

Deral Heiland: You know, I'd like to say, yeah, they're all secure. But the truth is, no, they're not secure. A number of them are not. I am seeing a definite increase with companies that have a brand name they want to protect - are paying more attention to, actually, security, and they're getting their devices tested before they go to market. Or when a company acquires another company, they're like, hey, let's test this equipment before we put our brand name on it. Unfortunately, there's so much technology out there that I call basically white-label technology. They're mass-produced. They have no branding behind them. They often have poor security. They often do not get effective updates and patches pushed to them when there's problems. And I think those are some of the biggest problems out there. Most of those devices obviously have a very low price point. So consumers have a tendency to go, hey, do I want to put a camera in that costs me $35 or do I want to put a camera in that costs me $100 that's branded. 

Carole Theriault: Yeah. 

Deral Heiland: And often, a number of them choose the cheaper, and along with that comes poor security. 

Carole Theriault: Do you often see products like IoT devices, maybe available on something like Amazon or some kind of site like that, where the name has been faked? So perhaps they have a legitimate, reputable name on the outside, but it's actually a knockoff. 

Deral Heiland: I personally have not experienced that. 

Carole Theriault: OK, that's good. You haven't seen it. That gives me some hope. 

Deral Heiland: But that doesn't mean it doesn't exist out there. Obviously, counterfeiting things has been a big thing over the years. I mean, people were counterfeiting chips that are actually used in devices, so why not counterfeit the actual IoT devices? But personally, I have not seen it or experienced it or engaged anyone that has come across it yet. 

Carole Theriault: And in your - can I ask - this is a bit of a personal question. But in your house, are you IoT-mad or do you kind of, you know, just get the ones that you think are absolutely necessary, or is there no IoT at all in certain rooms? 

Deral Heiland: Obviously, there's certain types of IoT that I don't bring inside the house, and that would be camera devices. I do have Amazon Echos, but I do a lot of simple little things that, I think, improve the security. One, I go in and I shut off all the crazy services that I don't want these things doing. I also enable the Echos to - when they go into listening mode, instead of just listening, they actually make a beep tone. I've enabled them to do that. So if I have my back turned to the thing and it decides it wants to key on a word and start listening, I hear that tone and, instantly, I stop talking. 

Deral Heiland: The other thing I do is since most of this stuff is captured, I always go online about once a quarter. And I go through. And I look at the captured audio that was not interpreted because those may be personal conversations, things like that it inadvertently captures. And I go through, and I listen to a number of those. And then I purge everything that's more than 90 days old that's on there. So... 

Carole Theriault: That's really good advice. I was going to ask you, like, what are your biggest areas of concern for home users with all these devices? But you may have already touched on a few of them. 

Deral Heiland: Yeah. Typically, I get concerned when I hear people putting cameras into - internal to the house. 

Carole Theriault: Take heed, Dad. Listen to this guy, Dad (laughter). 

Deral Heiland: Yeah. To me, that's a big privacy no-no. And I wouldn't do that. 

Carole Theriault: Yeah. 

Deral Heiland: I am concerned about audio, even audio captures in the house. But again, you know, we all have cellphones. And we... 

Carole Theriault: Yeah. 

Deral Heiland: We often put all kinds of crazy applications on there without thinking of the implications of those. So - and that's a camera. And I've seen so many people like, hey - head off to the bathroom with their cellphone in hand, which has cameras on it... 

Carole Theriault: (Laughter). 

Deral Heiland: ...Which is like, what? But again, with IoT technology, I think it comes down to the comfort of the person. They need to really think about privacy. What is concerning to them? And then consider that when they purchase the technology. Do you want cameras in the house? Do you understand the implications of cameras if the account gets compromised somehow, some way, that someone could get access to audio - same way with consumer alarm systems, as an example. 

Carole Theriault: Right. 

Deral Heiland: We just released something here about a month ago on a particular alarm system that literally had no authentication. If you knew the person's email address, you can make a request to the cloud services. And it would give you this control number, a tracking number, for his device. 

Carole Theriault: Oh, my God. 

Deral Heiland: Then you could turn around and repost that up with a command zero, which would basically disable his entire alarm system. So there's crazy problems with potentially everything out there. 

Carole Theriault: I'm glad there's smart people, like you, helping to solve them, though, or give us that - you know? 

Deral Heiland: Yeah. It was one of the guys on our team - it was one project that I did. And I did this over a number of years. We would pick a series of products. And I would pick two or three of them. And we would get two or three volunteers from other departments, typically the pen test team, that would want to actually play around with some IoT. And we'd run this project for a quarter or two quarters, where they could actually go through and do research and testing on a piece of IoT technology. And a number of times, we've found some really interesting findings. It's nice when we see products that don't have any serious issues. That's always a good thing. So I'm always excited to see those because then someone will ask me, hey, Deral. I'm buying this product. What do you think about it? I can give them a thumbs up, you know, and say, hey, we've looked at it. We didn't find anything major. But I also want to point out vulnerabilities are going to exist. So we can't, you know, jump off the end of the bridge over IoT because we find a vulnerability. Last time I checked, Microsoft releases a whole stack of them once a month. So this is the reality. 

Carole Theriault: (Laughter). 

Deral Heiland: If it's a technology, it's a well-liked technology and people are actually looking at it for a security issue, vulnerabilities are going to be found. 

Carole Theriault: Yeah. 

Deral Heiland: What we want to see is more and more complex vulnerabilities, ones that take a little more work to actually pull off. 

Carole Theriault: So basically, stick to known brands and look up things on Rapid7 to see if they've actually been tested by Deral and his team. Is that fair? 

Deral Heiland: That's fair. That's fair. One of the things I always encourage people to do, when you're out - when you - like, when you go to buy a car, you do all this research. What's the safety test and the research, you know, crash impact test, because I'm buying something? It's about the safety of my family, who's riding in the car with me. Let's look at IoT the same way. And that - you know, everything from smart TVs to audio devices, to home security systems, go out and look to see if there's any vulnerabilities. Often, you can find it on their sites. Or you can just do general searches on Google. 

Deral Heiland: Now, if there's vulnerabilities that were found, that's not a problem. That just means researchers are typically looking at that technology. What you want to see is how the vendor responded. To me, that is more critical than the actual vulnerabilities. Did they acknowledge the researcher? Did they turn around and fix the problem? And how fast did it take them to fix the problem - because to me, those are good traits. A vulnerability is pushed to them. They acknowledge it. A week later, it's fixed. That's a product I want to buy because they seem to care about their security. 

Carole Theriault: Deral Heiland, IoT security researcher at Rapid7. Thank you so much for talking to us. 

Deral Heiland: Thank you very much. 

Dave Bittner: All right. Joe, what do you think? 

Joe Carrigan: Dave, I don't know if you remember this. But years ago, on one of our shows, you asked me if I had any IoT devices on my home network. And I immediately said, no. I don't have any IoT devices. That's silly. But then you had started asking me about, like, cable boxes, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And I changed my answer. I'm like, wait a minute. What is an IoT device... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Right? What constitutes an IoT device? 

Dave Bittner: Right. 

Joe Carrigan: Not what is one, but what constitutes one? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And sure enough, I don't think of printers as an IoT device or an embedded system. And I probably don't think that way because I came from a time, Dave, when they weren't really IoT devices, (laughter) right? 

Dave Bittner: Right. 

Joe Carrigan: They were devices you connected to your computer as a - through a serial or a parallel cable. And then you would send print jobs to that computer. There was a computer that did the job that now these printers just sit on the network and they have access to everything. 

Dave Bittner: Right. 

Joe Carrigan: It's fascinating to listen to Deral talk about how he gets the credentials out of these printers. They're probably just stored in plain text in the printer and sent across the network, right back to the person that asked for them, which may or may not be your Active Directory server - right? - or your LDAP server. 

Dave Bittner: Yeah. 

Joe Carrigan: LDAP, for our non-technical listeners, stands for Lightweight Directory Access Protocol. It's kind of like an authentication protocol - really low-level stuff. I won't get into the weeds on it. I've got to be... 

Dave Bittner: Too late. 

Joe Carrigan: Yeah, too late. 

Dave Bittner: (Laughter). 

Joe Carrigan: Well, I just wanted to let people know what it meant. That's all. 

Dave Bittner: Just razzing you, Joe. 

Joe Carrigan: Right. I can go really deep into the weeds on this if you need me to, but I won't. I'll spare everybody. 

Dave Bittner: Yeah, no, we know, Joe. We know. Yeah. 

Joe Carrigan: Right. Yes. I'm glad to hear that companies are thinking about security to protect their brand. I really think it's a shame that that's what businesses have to think about. But actually, I think that way because I'm a security person, right? And one of our biggest challenges is relaying to the C-suite or to the people in charge what the risks are. And if you can express risks, security risks, as financial or brand damage risks, then you can go a long way to convincing people that they need to pay attention to these risks. 

Joe Carrigan: Now, there are people - or companies out there like Amazon, Google, Microsoft, Apple. I think they all take security very, very seriously. They already understand that's the case. And you can say privacy is a different thing, and you're absolutely right. It is a different thing. But security I think they all do very well. But when you're talking about these people that white-label something, these are just devices that are just pushed out to the market as quickly as possible. 

Dave Bittner: Right. 

Joe Carrigan: These are companies that just want to sell these things, and they want to sell them to other companies who just want to sell these things. That's how this works. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I like what Deral says about his Alexa device, going back to the Amazon point. He turns off all the services he doesn't need or want, and that's reducing your attack surface area. That's one of the top five things I tell you - I tell people to do when they're trying to improve their own personal security. Turn off things you don't need because you never know if there's a vulnerability in them. And like he says towards the end of this interview, vulnerabilities are going to be found. Well, if your service is not needed and you turn it off, if there's a vulnerability in it, it can never be exploited because that service isn't active, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Somebody has to exploit another vulnerability to turn that service on to exploit the first vulnerability, at which point in time, why would they do that? They've already exploited the first vulnerability - the second vulnerability, whatever. I like what he says about enabling a beep to let you know when it's actively listening. This does a few things. One - sometimes you might say something that sounds like (laughter) the keyword that turns it on. You remember that time when I was telling you about how I didn't - this actually happened to Dave and me. We were sitting in the CyberWire studio, and I was saying, not that I don't trust Google, but - and then my phone went, but what? 

Dave Bittner: (Laughter) Right, right, right, right. 

Joe Carrigan: And Dave and I both kind of looked over at the phone. 

Dave Bittner: (Laughter) Yeah, we picked our jaws up off the floor. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: But what it heard was just the keyword for activating the voice assistant, and it - and then heard me say but and then pause, and it went into its next statement. But it was really weird. But that's - it's good to have that on the Amazon so that - on the Amazon device so that that doesn't happen to you, right? So that there's a beep that goes, OK, and now I know to shut up because Amazon's listening, right? 

Joe Carrigan: There's another attack vector that this protects against, as well. It is possible to play an ultrasonic sound that the human ear can't perceive, but the microphone in an Alexa device perceives just fine and interprets as a voice. And I don't know if Amazon has fixed this or, you know, that they ignore things beyond a certain frequency. That may be the case. In fact, it - I would not be surprised to find out it is. But if you have this beep turned on and all of a sudden, you're in a quiet house and your Alexa just beeps, you know you've got something else going on, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I like what he does, going back to review all the captured audio with some periodicity and purging old audio - old audio data. And then he talks about the (laughter) security system that had that really weak vulnerability that all you needed to know was the email address. Dave, I can't think of a product I would expect to be more secure than a home security system (laughter). 

Dave Bittner: Right, right. 

Joe Carrigan: And this one has just got a terrible vulnerability in it. But good interview. I always love hearing Carole talk to people. A lot of times when I'm writing, I actually hear Carole's voice reading the words. So it's... 

Dave Bittner: (Laughter) Yeah, yeah. Yeah, well, we do appreciate Carole bringing us this interview. And, again, our thanks to Deral Heiland from Rapid7 for taking the time for us. 

Dave Bittner: All right, that is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.