Hacking Humans 4.14.22
Ep 192 | 4.14.22

Magic, illusion, and scams, oh my.

Transcript

Brian Brushwood: The story is the same, whether it's on a street corner with a hustle or whether it's on the global stage with counterintelligence and deception. It's the same story.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, Perry Carpenter joins us. He's speaking with Brian Brushwood, the host of "The World's Greatest Con." 

Dave Bittner: All right, Joe. Before we jump into our stories this week, a quick aside from me. 

Joe Carrigan: OK. 

Dave Bittner: I was logging into a website that I have not logged into in a long time - just something, you know, in my life. It's a little nonprofit website that I have an account on. And I went to log in, and I had the password saved in my password manager. Did not - and it didn't work. So I said, all right. Well, reset my password. 

Joe Carrigan: Right. 

Dave Bittner: So they send me a link. Go in to reset my password. I have my password manager auto-generate a new password. All life is good. Paste it in there. Put the new password in. The system accepts it. I go to log in. Won't let me in. 

Joe Carrigan: Crap. 

Dave Bittner: Right. (Laughter). 

Joe Carrigan: Sounds like somebody changed some code, Dave. 

Dave Bittner: Well, so I do this again. Maybe - you know, just maybe something happened. Who knows, right? Go through it again. Same thing happens. My password manager generates a password. You know, it doesn't work. All right. Reset it again. Now, I will say also, in the background, the clock is ticking because they're reminding me, you only have so many times to do this, and we will lock you out forever. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Right? So I decide, all right, I'm just going to manually generate a password - because this site also has one of those handy things - and by handy, I mean annoying things... 

Joe Carrigan: Right. 

Dave Bittner: ...Where it keeps track of how many capital letters you've used and how many special characters. And is your password long enough? - and all these sorts of things. So I start putting in a password, just a manual password. And what I realize is at a certain point, it cuts me off. It limits the length... 

Joe Carrigan: I see. 

Dave Bittner: ...Of the password I'm allowed to put in... 

Joe Carrigan: Yes. I've seen this before. 

Dave Bittner: ...As I'm typing in. And this length is fewer characters than my password manager was set to generate... 

Joe Carrigan: Yes. 

Dave Bittner: ...The password. 

Joe Carrigan: And can I ask, how many characters does your password manager generate by default? 

Dave Bittner: More than 20, less than 30. 

Joe Carrigan: More than 20, less than 30. OK. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: I use pretty much 20. 

Dave Bittner: Yeah. 

Joe Carrigan: Unless it's - but I will set the individual policy for sites I care about. Like, any of my banking - they immediately go up to, like, 64 or something like that. 

Dave Bittner: OK. Right. So what do you think's going on here, Joe? I'll bet you can guess. 

Joe Carrigan: I know exactly what's going on here, Dave. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Here's what's happening. 

Dave Bittner: Yeah. 

Joe Carrigan: The code on the page where you set your password... 

Dave Bittner: Right. 

Joe Carrigan: ...Limits the size of your password. 

Dave Bittner: Yeah. 

Joe Carrigan: It truncates whatever you enter. 

Dave Bittner: Right. 

Joe Carrigan: Right? But the code on the page where you enter your password and log in does not do that properly, doesn't do it the same way. If it did do it the same way, it would work. But there's an inconsistency in the way the password is being handled prior to being passed to the hashing algorithm. 

Dave Bittner: Yes. 

Joe Carrigan: Hopefully. 

Dave Bittner: Yes. 

(LAUGHTER) 

Joe Carrigan: As I'm saying that, I'm like, I don't know. Maybe these guys are storing your password in plain text. Who knows? 

Dave Bittner: The aspirational hashing algorithm. Right. 

Joe Carrigan: Right. 

Dave Bittner: Right. (Laughter). 

Joe Carrigan: So it's an interesting thing that they're doing there. First off, they have something that they should not be doing, right? Under no circumstances should you be limiting in a password field what a user can enter. 

Dave Bittner: Yeah. 

Joe Carrigan: It should be the case that even if the user enters a - you know, a SQL injection string, that never gets passed to the database. What that gets passed to immediately after being submitted is a hashing algorithm that comes out as a known-length string. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And I'm getting really in depth here, in the weeds for a lot of our listeners. But a hashing algorithm puts - produces an output that's always exactly the same length. 

Dave Bittner: OK. 

Joe Carrigan: It doesn't matter if you put in one byte or you put in the entire contents of your hard drive. 

Dave Bittner: (Laughter). 

Joe Carrigan: The hashing algorithm will always be the exact same length. 

Dave Bittner: OK. So that solves that problem. 

Joe Carrigan: That solves that problem. So - but what's happening is if I give that hashing algorithm even slightly different input, it will produce vastly different output that won't match. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And that's what's happening. 

Dave Bittner: Yeah. 

Joe Carrigan: Or even if I'm just storing passwords in plain text and I'm producing different input on the login page than I am on the password setting - resetting page, then I won't store the user's - what the user thinks is their proper password. 

Dave Bittner: Yeah. So this was frustrating and aggravating. And so now I'm - so, you know, I figured it out. I got it working. 

Joe Carrigan: Right. 

Dave Bittner: I got into the site. 

Joe Carrigan: Yep. 

Dave Bittner: But now I'm faced with the dilemma of, do I let them know (laughter)? 

Joe Carrigan: Oh, I'd let them know. You want me to write the letter, Dave? 

(LAUGHTER) 

Dave Bittner: Yes, maybe I should. That's true. I mean, you're kind of a pro at this, right? 

Joe Carrigan: Yes. 

Dave Bittner: I mean, responsible disclosure is kind of one of your things. 

Joe Carrigan: Absolutely. 

Dave Bittner: You get paid to do it. So... 

Joe Carrigan: I... 

Dave Bittner: ...Suspect you have a nice collection of boilerplate letters on the ready. 

Joe Carrigan: Yeah. And then I have backup from people I can talk to for the media if you'd like. I mean, I know this is a nonprofit, but I've found, like - there was one banking site I was using that wouldn't let me copy and paste a password, which is how password managers usually work. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? So I called them up and said, you're not letting me copy and paste passwords into a webpage. First off, attackers don't do that. That's not their - that's not the threat model. 

Dave Bittner: Right. 

Joe Carrigan: OK? They write scripts that just inject passwords in and try them en masse. 

Dave Bittner: Yeah. 

Joe Carrigan: All you're doing by not allowing copy-paste is irritating your user base. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: You're stopping people from using a password manager, which is bad. 

Dave Bittner: Yeah. 

Joe Carrigan: The company said, oh, we don't care. We're just not doing that. And I said, OK. That's fine. So I called The Register, and I said, hey. You guys want to do a story? I got a story. And they said, yeah. And it went out on The Register. I don't know if they still do it - no idea. 

Dave Bittner: (Laughter). 

Joe Carrigan: But I haven't had that problem in a while. 

Dave Bittner: Right. Don't mess with Joe. 

Joe Carrigan: Yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: I got important people at important websites that I can - no, I'm just kidding. 

Dave Bittner: Yeah. 

Joe Carrigan: I'll talk about you on this show. 

Dave Bittner: I don't think - yeah, there you go. So, yeah, I don't think it'll come to that. But perhaps we should reach out and just let them know they can stop - they can preempt a little bit of the frustration because if - certainly if it happened to me, it must be happening to other people. 

Joe Carrigan: Correct. 

Dave Bittner: And, you know, you think it would also cut down on their tech support responses. 

Joe Carrigan: Yeah. It's a bug in their software. 

Dave Bittner: Yeah. 

Joe Carrigan: It's a bug in their website, no doubt. 

Dave Bittner: Yeah. All right. Well, so a little side story from me - why don't we jump into our actual stories this week, Joe? Why don't you kick things off for us here? 

Joe Carrigan: Dave, my story comes from TechCrunch. And there's a company out there called Block. You know what they used to be called? Square. 

Dave Bittner: (Laughter). 

Joe Carrigan: Why? 

Dave Bittner: Yeah. 

Joe Carrigan: Why did Jack Dorsey - this is Jack Dorsey - one of Jack Dorsey's companies, right? 

Dave Bittner: OK. 

Joe Carrigan: I think it is. Anyway... 

Dave Bittner: So he wanted to enter the third dimension... 

Joe Carrigan: Right. 

Dave Bittner: ...By going from Square to Block (laughter). 

Joe Carrigan: I don't know why because as soon as I read this... 

Dave Bittner: Got himself a pair of 3D glasses, and the world looked like a very different place. 

Joe Carrigan: Right - cubism, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: He's going into cubism. 

Dave Bittner: Right. 

Joe Carrigan: So the - as soon as I read this, I'm thinking, wait. Did H&R Block buy Cashapp? No. H&R Block is a completely different company than Block. 

Dave Bittner: OK. 

Joe Carrigan: Right? So, again, we have overloaded names. 

Dave Bittner: Yeah. 

Joe Carrigan: And it just frustrates me. As an old man, I get mad at these things. 

Dave Bittner: Right. 

Joe Carrigan: But anyway, they recently confirmed a data breach involving a former employee who downloaded reports from Cashapp that contained U.S. customer information. Now, these reports were accessed by the insider - they're calling this an insider - on December 10. Now, I don't know, Dave. Do you consider a former employee to be an insider? 

Dave Bittner: Yes. 

Joe Carrigan: Do you? 

Dave Bittner: Yes because a former employer is an insider. I would consider a former employer to certainly be - or employee to certainly be an insider threat. But that is a common, I think, misnomer with insider threats - is that people, first of all, think that insider threats mean that that's only people who are up to no good. 

Joe Carrigan: Right. 

Dave Bittner: An insider threat can be someone who is innocently making errors... 

Joe Carrigan: Yes. 

Dave Bittner: ...That cause trouble. 

Joe Carrigan: The target of every social engineering attack becomes an insider threat. 

Dave Bittner: Yeah. 

Joe Carrigan: Right. 

Dave Bittner: So I would consider someone, certainly a recently departed employee - I would still put them in the category of insider threat. 

Joe Carrigan: Yeah, I'm not so sure I would. 

Dave Bittner: Yeah. 

Joe Carrigan: But suffice to say they do here in this press - or in this report to the SEC that they had to make. Anyway, the reports - these reports were accessed by this insider on December 10. And here's a quote from the filing they did with the Securities Exchange Commission. While this employee had regular access to these reports as part of their past job responsibilities, in this instance, the reports were accessed without permission after their employment ended, right? 

Joe Carrigan: Now, TechCrunch reached out to Block and asked questions, but Block refused to answer questions about why a former employee still had access to this data and how long they retained access after their employment had been ended. So here's some of the information that was included in this breach - users' full names, brokerage account numbers. And for some customers, it also included brokerage account portfolio value, portfolio holdings and stock trading activity from one day. 

Dave Bittner: Wow. 

Joe Carrigan: Right? Now, Block didn't say how many customers were impacted, but they did say they were contacting 8.2 current and former customers. 

Dave Bittner: Wow. 

Joe Carrigan: Eight-point-two million - sorry, not 8.2. 

Dave Bittner: (Laughter). 

Joe Carrigan: How do you contact 8.2? So I'm going to guess that about 8.2 million people were affected. 

Dave Bittner: Potentially, yeah. 

Joe Carrigan: Yes. 

Dave Bittner: Wow. 

Joe Carrigan: Block says that no other PII, personally identifiable information, beyond names were accessed. So they don't have your username. They don't have your passwords. They don't have your Social Security numbers. Or this former employee, rather, doesn't have any payment card information or your address. And the filing notes that Cashapp products and features for customers outside of the U.S. were not affected - right? - only U.S. customers. Now, why did I choose this story to talk about? - because this really isn't a social engineering story. It kind of - you know, it's just another data breach. You know, Dave, our saying in this industry should be, another day, another data breach. 

Dave Bittner: (Laughter) Right. Count on it. 

Joe Carrigan: Right. I chose this story because a listener named Joshua (ph) wrote in, and he was affected by it. He got the email on April 4. Now, funny - last week I said, over there, there's my phone. It has Cashapp on it. 

Dave Bittner: Right. 

Joe Carrigan: I didn't get an email. 

Dave Bittner: OK. 

Joe Carrigan: But I went back and looked through my emails and found the confirmation email for setting up my account - October 21, Dave. 

Dave Bittner: OK. 

Joe Carrigan: So I missed a - dodged a bullet here by 11 days. 

Dave Bittner: Oh. Oh, wow. All right. 

Joe Carrigan: This employee - this former employee accessed these reports on the 10th of December. 

Dave Bittner: OK. 

Joe Carrigan: And I was a new customer on the 21st. 

Dave Bittner: Sometimes it's better to be lucky than good. 

Joe Carrigan: That's right. 

Dave Bittner: Yeah. 

Joe Carrigan: And my life is a lot of that. Joshua had a few questions. First off, Joshua said he went in out of an abundance of caution and changed his password. He's not concerned 'cause he doesn't use the brokerage services. Or he had, but he doesn't use much of - use them much anymore and doesn't keep very much cash in there. So he's not too worried about it. But his first question is, what did Cash App do wrong in this instance? 

Dave Bittner: OK. 

Joe Carrigan: Now, here's... 

Dave Bittner: I have some ideas (laughter). 

Joe Carrigan: I have one big idea. 

Dave Bittner: (Laughter) Yeah. Go on. 

Joe Carrigan: They allowed a former employee to maintain access to a financial services company. 

Dave Bittner: Right. 

Joe Carrigan: Terrible operational security here. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: Right? What protocols - here's another question. What protocols should be in place to prevent these situations from happening? Every financial - every company, not just financial institutions but especially financial institutions - every company should have a policy in place for a daily termination process for network access, right? HR should be notifying whatever IT organization it is that is within a unit or - however you structure it. One of the out-processing steps has to be deactivate their accounts. OK? That's the end of the story here. And nowhere is that more important than in financial institutions. 

Dave Bittner: Right. 

Joe Carrigan: Possibly in organizations where other data, like security-related data, national security-related data, is kept. Those things have to be done with. When somebody submits their notice, you have to make a decision whether or not you're going to trust them for the next two weeks or not. If somebody is going to be fired, I recommend that their account be - you know, they - you know they're going to be fired before they do. 

Dave Bittner: Right. 

Joe Carrigan: Lock that - lock them out before you give them the notice, OK? 

Dave Bittner: Right. As you're walking into the conference room to give them the bad news... 

Joe Carrigan: Right. 

Dave Bittner: ...The accounts should simultaneously be deactivated. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: That should be the case. 

Dave Bittner: Yeah. 

Joe Carrigan: And finally - this is a good question. Joshua asks, what can someone do with the investing reports without any type of login credentials? Because it seems to me like Block is really downplaying the impact of this breach. So let's look at the information that they did get... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That this former employee did get. They did get full usernames. 

Dave Bittner: Right. 

Joe Carrigan: So if your name is Dave Bittner and you're a Cash App user who did the investing with them, they have your full name. 

Dave Bittner: Right. 

Joe Carrigan: Right? They also got your account number. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And they got your account balances... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For some of these users. 

Dave Bittner: Yeah. 

Joe Carrigan: All right? That is a significant amount of information. 

Dave Bittner: Sure. 

Joe Carrigan: OK? So here's what any bad actors would do with that information. They would immediately take the full names and look them up against their database, which they have... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Of full names of people and find an email address. Then they would send a spear-phishing email crafted for Dave Bittner. And they'll say things like, hey, Dave, this is Cash App; we want to talk to you about your account No. This. Right? Because account number is one of the things they've got. 

Dave Bittner: Yep. 

Joe Carrigan: And they already know how to prioritize it because they have the balance. So they're going to do a sort from largest to smallest, based on balance, and they're going to target the biggest accounts first. 

Dave Bittner: Right. 

Joe Carrigan: That's how they're going to use this information, or that's how this information could be used if it ends up in the wrong hands. 

Dave Bittner: Yeah. The other thing I could imagine is they could go after the brokers themselves and try to reset, you know, account password or something and say, hey - you know, hey, it's Dave Bittner. Listen; I'm having trouble getting in my account. Here's my account number. Can you help me out? You know, last time I checked, I had this amount of money in there. 

Joe Carrigan: Right. Ah, that's an excellent point, Dave. 

Dave Bittner: And, you know, I've been - you know, I've been trading all of that - I don't know - all that Apple stock lately. So I'm curious, you know, but for - all of a sudden, I can't get in. So the person on the other line is going, well, this - obviously, this has to be this person... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Because they have all this information about their account. 

Joe Carrigan: You know, Dave... 

Dave Bittner: I'll just do them a favor and reset the account for them. 

Joe Carrigan: You know, Dave, when I called - recently, I called a - one of my firms that manages some of my money. 

Dave Bittner: Yeah. 

Joe Carrigan: And... 

Dave Bittner: That big, old podcast money? 

Joe Carrigan: That big pile of podcast money, right? 

Dave Bittner: Right (laughter). 

Joe Carrigan: It's actually a retirement account. But I called them up, and they said - one of their questions was, can you give me a recent balance on your account? 

Dave Bittner: Yeah, there you go. 

Joe Carrigan: And they were only looking for an approximation. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? They weren't looking for an exact value. 

Dave Bittner: There you go. Yeah. 

Joe Carrigan: So this won't help in that knowledge-based authentication as well. 

Dave Bittner: Yeah. 

Joe Carrigan: That is an excellent point. 

Dave Bittner: Yeah. 

Joe Carrigan: So, Joshua, thanks for bringing this to my attention. You know, I think Block really dropped the ball here. I wouldn't be surprised if this winds up being something of a class-action lawsuit. 

Dave Bittner: Yeah. Another reminder to have multifactor authentication on your financial accounts. 

Joe Carrigan: Yep, absolutely, put multifactor authentication on your financial accounts, on all of them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And the most secure kind you can use. Watch out. Be - if you are a Cash App customer who uses their brokerage service, be particularly vigilant for looking out for spear-phishing emails because they might be coming. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know what this ex-employee is doing with this data. I'm sure there's going to be some law enforcement questions for this person. 

Dave Bittner: (Laughter) Yeah. Right. 

Joe Carrigan: You know, but who knows? Maybe this ex-employee isn't the person who did it. 

Dave Bittner: Yeah. 

Joe Carrigan: They could be somebody who just, at some point in time, fell victim to a phishing attack. And that person - I don't know how - I'm speculating wildly here. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, Twitter has their two-factor authentication with a YubiKey now, and they let the people keep it. And since this is a company that's also started by Jack Dorsey, perhaps they have implemented similar security protocols, in which case it would only be the employer - or employee, rather, who had access. 

Dave Bittner: All right. Well, we will have a link to that story in the show notes. My story this week comes from the folks over at NPR. This is from Shannon Bond. It's a story that they had over on Morning Edition. And this is about - actually, Joe, this is something you and I dealt with probably about a month ago. It's about LinkedIn profiles that are inauthentic. 

Joe Carrigan: Yes. 

Dave Bittner: And there's a trend here where - let's say that I am a company who is hiring a third-party marketing company to help generate leads for me. And some of these companies are going out, and they're using some of the artificial intelligence services to generate fake images of people. And they're creating fake LinkedIn profiles. But they're saying that these LinkedIn profiles work for the company that hired the marketing company. So let's say I'm the Acme Widgets Company, right? 

Joe Carrigan: Right. 

Dave Bittner: This LinkedIn profile will be created, and it'll say, hey, this is Bob Jones from the Acme Widgets Company. We'd love to tell you about our products, right? And typically, it's not that straightforward. First thing they do is they try to establish some rapport. They reach out. And they need to do a friend request, you know, that sort of thing. And they may spend some time commenting on your posts before they pounce with the ask, right? 

Joe Carrigan: Really? 

Dave Bittner: (Laughter) Right. So in this case, the artificially generated image was claiming to be someone named Keenan Ramsey. And that person did not exist at all. It was spun up out of whole cloth from a marketing company. And this article goes into some of the marketing companies who do this, some of the other ways that you can kind of, you know, suss out that this isn't a real person. I guess I'll pivot a little bit here and say, you know, Joe, this happened to us - right? - with this show. 

Joe Carrigan: Yeah. 

Dave Bittner: You want to share the story of the request we got? 

Joe Carrigan: Yeah. I got a - this was recent. And we talked about it. I got a connection request on LinkedIn from a person. And it was a picture of an African American woman... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Very beautiful. And I'm looking at the picture. And I'm like, who is this person? I have no idea who this is. 

Dave Bittner: I got it, too. 

Joe Carrigan: You got it, too? 

Dave Bittner: Yeah. 

Joe Carrigan: And it was - I - the first thing I do when I get these things and they don't add up - first off, the LinkedIn profile was kind of sparse - right? - which was kind of the big red flag for me. The picture looked like it could be a LinkedIn picture, right? But I took that picture and did a reverse image search on it with Google and found the actual picture. And the actual picture is a picture of a model wearing a dress. And she is - it's just a picture for selling the dress. So somebody said, I'm going to take this attractive woman, this model... 

Dave Bittner: Right. 

Joe Carrigan: I'm going to crop out the dress part and just put her face in a LinkedIn profile. And then I'm going to try to get Dave and Joe to accept the connection request. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I'm going to social engineer these social engineering experts, as it were. 

Dave Bittner: Yeah. Yeah (laughter). 

Joe Carrigan: And, you know, I reported the account as fraudulent. And I don't know that it's gone yet. I haven't checked on it recently. But I'll bet it's still there. 

Dave Bittner: Yeah. 

Joe Carrigan: If it's not there, then one using the same picture is probably still there. 

Dave Bittner: Yeah. Yeah. So these images are used with a generative adversarial network. 

Joe Carrigan: A GAN they call it. Right. 

Dave Bittner: A GAN is what they call it. So the other part of this story that I thought was interesting and that our listeners would be interested in is that someone has created a Chrome extension that is called Fake Profile Detector. 

Joe Carrigan: Really? 

Dave Bittner: And it goes, and it can detect GAN-generated images. 

Joe Carrigan: Interesting. 

Dave Bittner: Yeah. So you put in this plug-in into, you know, your Chromium-based browser. And when you go to a profile, you can - there's a little pulldown menu. And you can say, check fake profile picture. And it will check the profile picture. And it will give you a percentage of how much it thinks that it's authentic or not. 

Joe Carrigan: Right, whether or not that image came from a GAN. 

Dave Bittner: Right. So if you install this plug-in into your browser, again, you can just, you know, check. And, you know, I can't vouch for the accuracy of this browser plug-in. I just think it's interesting that we're in the place where this exists, right (laughter)? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: And I think, hey, you know, a useful tool. It can sort of double check. If you have a funny feeling about this and you run it through and it says, hey; 99% chance this is an artificially intelligence-generated image... 

Joe Carrigan: Yep. 

Dave Bittner: ...Well, then you probably know what to do next. 

Joe Carrigan: So I'm looking at this. They have this animated picture on the article you were talking about. 

Dave Bittner: Yeah. 

Joe Carrigan: And every picture of every person has a cross through it, like, a little white line going up and a little white line going to the side. And they're all the same. All the lines are at the same height. And same - and they have, like, a 6 by 3 matrix here of these things. 

Dave Bittner: Right. 

Joe Carrigan: And they're showing you all these different pictures as they scroll through. And what's weird about it is all the eyes are in exactly the same place (laughter) in these images. 

Dave Bittner: That's right. That's right. Yeah. And this article has a little guide for figuring out - or, you know, telltale signs that these might be generated images. And one of them is centered eyes... 

Joe Carrigan: Yep. 

Dave Bittner: ...That the eyes are precisely centered. 

Joe Carrigan: Yep. 

Dave Bittner: They say, a vague background - in this particular image, the woman only had one earring. So if you had a professional headshot, chances are you wouldn't just have one earring, right? 

Joe Carrigan: Right. 

Dave Bittner: And sometimes, you know, the hair blurs into the background, things like that. 

Joe Carrigan: Yeah. 

Dave Bittner: But that could happen with other, you know - because we have - you know, we have AI in our phones now that are automatically generating idealized photos when we take photos. 

Joe Carrigan: Right. 

Dave Bittner: So it's hard to know for sure. But, you know, this helps. So I thought - it's an interesting story. We'll have a link to it in the show notes. Also, doubly interesting was the fact that someone has created a browser plug-in... 

Joe Carrigan: Yep. 

Dave Bittner: ...To help detect these things. 

Joe Carrigan: I think that's interesting. 

Dave Bittner: Yeah. 

Joe Carrigan: If you haven't - I've talked about this website before. But if you just go to thispersondoesnotexist.com, every time you load that page, you get a new randomly generated person. 

Dave Bittner: Yeah. 

Joe Carrigan: And you can see how quickly this can be done. 

Dave Bittner: Yeah. Yeah. It's amazing. All right. Well, we will have links to all of those stories in our show notes. If you have something you'd like us to consider on the show, you can send it to us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, it's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Richard. He writes, hi, guys. I received the attached in the mail today. So this is actually a piece of mail. 

Dave Bittner: The mail? 

Joe Carrigan: The mail. Right. 

Dave Bittner: (Laughter) OK. Wow. 

Joe Carrigan: Obviously, it's some pretty out-there claims being made by QAnon, but that's not what raised the red flags. It's the fact that QR codes are being mailed to people on such a large scale. I'm sure this is relatively common, but combining malicious QR codes with such politically charged language sounds like a decent strategy. Yes. Been a listener since Day 1. He loves the show. I'm going to go ahead and say this right now. If you have strong political opinions one way or another, it doesn't matter which way, you've got to watch out for people trying to exploit that in you. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? 

Dave Bittner: Right. Using your emotions to short-circuit your... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Irrational part of your brain (laughter). 

Joe Carrigan: They're going to say things like, hey, buddy, pal, friend, you know? This is how extremists work in... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Recruiting people. They start with going after people based on commonality, on the tribalism - right? - and how that can just descend into something. Anyway, this is an interesting piece. Dave, you want to read the true story of QAnon? 

Dave Bittner: Yes. It says, the true story of QAnon. I was a child victim of the cabal spoken of in QAnon. They invented the whole saga of QAnon and planned all news and entertainment events 20 years ago. They planned 9/11, the 7/7 bombing, the Ukraine war and COVID-19, and they told me that Luvox cures COVID-19. The minutia of every battle and every action by Zelenskyy and Putin were planned. They put a mind-reading device in me and tortured me and spied on me my whole life. On Good Friday, this world will end, possibly by nukes, or my world will end. Please read the truth at the below QR code. I will be hiding in Kansas. Please share this and email me at blah, blah, blah, blah, blah so I know people are getting my postcards. And there's a QR code. 

Joe Carrigan: Yes. 

Dave Bittner: Oh, there's a lot in (laughter)... 

Joe Carrigan: Yeah. 

Dave Bittner: There's a lot in one paragraph. 

Joe Carrigan: So I want to point something out. One of the things this guy says is they planned everything 20 years ago, including 9/11, which was 21 years ago. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Right? 

Dave Bittner: They've been using this postcard for a while. 

Joe Carrigan: Yeah. 

Dave Bittner: So, yeah. 

Joe Carrigan: The QR code is not malicious. I scanned it with my trusty Trend Micro QR code scanner. And unfortunately, when it says it's safe, it takes you right to the webpage. So I went to the webpage and gave this guy a hit. 

Dave Bittner: Oh. 

Joe Carrigan: It is exactly the kind of webpage you'd expect. 

Dave Bittner: Yeah. 

Joe Carrigan: It's just text on a screen. 

Dave Bittner: Oh, I see. Just a conspiracy theory screed. 

Joe Carrigan: Manifesto, yeah. 

Dave Bittner: Manifesto. That's a good word for it. OK. Wow. What do you suppose the endgame here is? I mean, is there - you had a chance to look at the website. Is there an ask? 

Joe Carrigan: No, I didn't read the website. 

Dave Bittner: OK. 

Joe Carrigan: I just saw what it was and... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Read, like, the first two sentences, was like, no. 

Dave Bittner: I'm out of here (laughter). 

Joe Carrigan: I'm done. 

Dave Bittner: Right, right. 

Joe Carrigan: So this - it's actually coming up in the news. There are a lot of people getting these postcards. 

Dave Bittner: OK. 

Joe Carrigan: And you can find a news story about it. I don't know what the end - I don't know that there is an endgame. 

Dave Bittner: Yeah. 

Joe Carrigan: I think this is just somebody who took the time and money to send - use the postal service's direct-to-postal postal customer service... 

Dave Bittner: Right. 

Joe Carrigan: ...To send a bunch of stuff out. That's really cheap. I mean, I used to do this during my time as a real estate agent... 

Dave Bittner: Yeah. 

Joe Carrigan: ...During my failed sales career. And it was remarkably cheap to reach a lot of people. 

Dave Bittner: Yeah. I mean, obviously, I guess they're trying to attract people to this line of thinking. 

Joe Carrigan: Yes. 

Dave Bittner: So there's that. 

Joe Carrigan: Or maybe find people who already think this way to bring them into the fold. 

Dave Bittner: Right, right, right. 

Joe Carrigan: ...Bring them into the organization or - if there is an organization. I don't know. 

Dave Bittner: At some point, they're going to - at some point, you can count on the fact they're going to ask for money. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: Fascinating that these are going out by postal codes. I mean, that's - even as cheap as it can be, that's so much more expensive than email. 

Joe Carrigan: Right. But Richard's point is valid. There's nothing to stop somebody from using this exact same service to put out malicious QR codes. 

Dave Bittner: Oh, right. Yeah, yeah. 

Joe Carrigan: Why not? I mean, it's - like you said, it is so much more expensive than email, but we've seen people spend more money per customer sending them USB sticks and things like that. 

Dave Bittner: Right. 

Joe Carrigan: It's... 

Dave Bittner: Be interesting to see if he sent out - I don't know - you know, a thousand postcards that contained nothing but a QR code on it. 

Joe Carrigan: Right. 

Dave Bittner: Nothing (laughter). No text, no return address, just a QR code. How many hits would you get from the QR code? That would be an interesting - I'll bet you somebody's done that experiment. 

Joe Carrigan: Yeah. 

Dave Bittner: It seems too obvious to not have done. But yeah. 

Joe Carrigan: Right. 

Dave Bittner: I'll bet a lot (laughter). 

Joe Carrigan: If nobody's done that, I might submit that as a research proposal (laughter). 

Dave Bittner: There you go. All right. Well, our thanks to Richard for sending that into us. Interesting for sure. Again, we'd love to hear from you. Our email is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, we have a special interview this week. Our friend Perry Carpenter, who is host of the "8th Layer Insights" podcast - that is a show on the CyberWire Network. So if you are not familiar with that, do check it out. It is absolutely worth your time. 

Joe Carrigan: I will give it my personal recommendation. Good show. 

Dave Bittner: Yeah. Yeah. So Perry is talking with Brian Brushwood. He is the host of "The World's Greatest Con." Here's Perry Carpenter and Brian Brushwood. 

Perry Carpenter: Thanks, Dave. So I've got a real treat for you today. I recently had the chance to catch up with Brian Brushwood. He's a guy who's spent his entire life studying why magic, illusion and scams work, why they have this effect of being able to hijack our thoughts and push us into directions that we never thought that we'd go. You may have heard of Brian from shows like "Scam Nation" and "Scam School" and "Hacking The System" and a lot of other things that he has out there. But the thing that really brought me to Brian for this interview was he recently started a podcast called "World's Greatest Con." There are a lot of things that I like about this podcast, but the one thing that I want to zero in on right now is a key phrase that Brian uses over and over and over again. It's kind of a tagline. He says, cons don't fool us because we're stupid. They fool us because we're human. And I love that phrase so much because it is really the epitome of what you guys say every episode in "Hacking Humans." But before I steal any of Brian's thunder, let's go to the interview. 

Perry Carpenter: I guess the first thing, given everything that you do and everything you're involved in, why a podcast? What made this the right time to do that? 

Brian Brushwood: Mainly because I finally have gotten old enough that I have interesting things to say. And there's that live element of spending 20 years touring colleges with a bizarre magic show, you know, eating fire and sticking nails in my eyes, doing mind reading and deception and stuff. That was all very, very valuable. But I saw where that road ends, and it ends by aging out of the market and not spending time with my kids. And so there was sort of this second epoch where we focused on video content with "Scam Nation," with the TV show "Hacking The System" on NatGeo, with its successor, "The Modern Rogue." And that allowed me to have more flexibility, the ability to edit and so on. But now we're in this phase where I love deconstructing these deep stories of our own flawed wetware, this uncatchable mess of neurons that we exist as, and also fascinated with the parallel life I've led because I lived my life on the track of a white-hat hacker of humans as a magician. And meanwhile, there's all of these stories of deception where the powerful deceive the weak. The weak take on the man - the righteous, the unrighteous. And I honestly don't think 20 years ago, I could be taken very seriously at the tender age of my late 20s, explaining how the world of deception works. But as I creep up on 50, I realize that this is a medium that I'm only going to get more interesting over the next 10, 20 years. And so I'm deeply, deeply excited and engaged to keep on going. 

Perry Carpenter: This line, cons don't fool us because we're stupid; they fool us because we're human - when you say that line, what does that mean to you? 

Brian Brushwood: This is something that has gotten my goat in the world of magic for the longest time. It's this emphasis on fooling whether or not you got me or this superior, like, I win, you lose dynamic. It's fairly idiotic in my opinion. For example, let's say we wanted to do a heist, and the whole point was to fool you. So I spend a couple thousand dollars on prosthetics. I crash a couple of cars together. I take a severed torso, lay it on the ground. I hire a bunch of actors to scream and cry. And your car comes over the hill, and then you see this terrible disaster that has just happened. When you pull over and offer to render aid, you didn't get got. You didn't do anything dumb. You didn't get fooled. You behaved as a rational actor and a humanitarian in a moment of crisis. You did, in all ways, a legitimately good thing. So that heuristic of, I see cars that have crashed. I see blood. I see people screaming. Activate subroutine render aid. I refuse to engage in a paradigm where that, in any way, is a bad way for a human to act. So as a result, when somebody were to use that to manipulate someone, it's not that you're stupid. It's that you're human. And that's an important distinction. 

Perry Carpenter: I'd love to hear about the backstory behind "World's Greatest Con." What made you decide to kick this off? What was the inciting incident? And then really, how did you arrive at the subject matter for season one versus the subject matter that you're tackling in season two? 

Brian Brushwood: "World's Greatest Con" only happened because my friend Justin called me up and said, hey, if you could have a well-produced, richly told story on anything you want, what would it be? I would be like, oh, I'd want to talk about the world's greatest cons. And he said, well, what is the world's greatest con? No hesitation, straight from the gut, it's like, oh, it's got to be Operation Mincemeat. He's like, great. What's that? And I explained the concept of Allied forces, how the creator of James Bond had an idea that got filed away for years in a filing cabinet until it was discovered by Montagu and Chumley and used to deceive Hitler by this incredible cadre of folks and layers upon layers of secrecy to basically get Hitler to protect the wrong coast and, by all accounts, seems to be an incredible success. We took that story and broke into four chapters, each one focusing on a different aspect. Like, where do these ideas come from? The first one is about how you can't con an honest John. You need somebody to deceive themselves. All the effort into the first impression is the way we put it. That's the tool of the con man - is the asymmetry of time. They get to prepare a lot more than the mark. Second chapter, we talk about, how do you build the story? How perfect is too perfect? Enough to set off alarm bells. And then the third chapter, we talk about that visceral reality. Now you're at the point where, well, this story looked good on paper. Now I guess we have to take this dead body and put it into actual uniform and make this happen and physically get it to the right place. And then there's that moment of surrender where the job of the con man is over. They've done everything they can do, and all they could do is hope that they've crafted it well enough for the mark to convince themselves. Now, if the con man has the advantage of an asymmetry of time, energy and effort, the mark has the advantage of that gut feeling. 
Gavin de Becker, in his book "The Gift Of Fear," talks about how as humans, we don't have tough scales. We don't have thick hides. We don't have claws. We're not especially fast. What we have is one thing - a supremely, finely honed sense of intuition, the ability to walk into a gulley and just feel like something's not right because at an unconscious level, we notice that this bush and that bush both seem to move at the same time. And when the mark trusts their gut, they walk away. But when the narrative is so strong it overpowers that, that's when the con man wins. And so story one - season one ends with Hitler looking at this report on his desk saying, man, this is, in every way, what I want to hear. And he thinks, you know, presumedly - I wasn't there. But you have to imagine he thinks, well, I suppose they could have taken a dead body, filled it with a bunch of lies, dropped it off the coast of Spain, hoped that it would float over to Huelva, that it would just happen to land in the hands of a coroner who's a Nazi sympathizer, who would take copies of this and get it to me. Dot, dot, dot. But that would be stupid. So I'm going to just believe that this is all real. So that's the part that blows me away when it comes to magic - is anytime somebody asks me how so-and-so did a trick, I always ask, well, how would you do it if you had to do it in 2 hours on camera? Whatever they say next is almost always the exact right answer, followed by the words, but that'd be stupid. And so yes, the answer is magicians do a lot of insane, stupid work for one moment that is hopefully ignored. 

Perry Carpenter: So my immediate question at the end of season one is how you continue a show where you started in season one conning the ultimate villain. What was your process as you thought about getting into season two? 

Brian Brushwood: I mean, what do you do when you want to follow up an act where the whole world pulls a con on Hitler? So I wanted to go the opposite direction. And I told them I would love to do a bunch of small tales that involve TV game shows. And that's a very counterintuitive move because we're going from the biggest, most epic thing to very, very small, petty things where, you know, we're talking about maybe tens of thousands of dollars of fraud. But to me, it was important because the story is the same, whether it's on a street corner with a hustle or whether it's on the global stage with counterintelligence and deception. It's the same story, and I kind of wanted to prove it. And I think we've done it because we - this anthology of five different tales of deception from within the world of game shows - if people enjoy it as much as they do season one, which - so far, the feedback has been phenomenal - then that really frees us up to go anywhere and tell any story of the human condition. You'll notice that about 50% of the content is the story itself. Twenty-five percent is contextualized through my 30-plus years of doing this for a while. And 25% of it is this learning segment, this - these teachable moments about fundamental flaws that get taken advantage of. 

Perry Carpenter: Well, guys, I hope you enjoyed that discussion with Brian Brushwood. Brian brings a ton of passion and perspective to this topic that we're all interested in, why we fall for the scams and the schemes that we think that we'll never fall for. And the answer is, cons don't fool us because we're stupid. They fool us because we're human. For the CyberWire, I'm Perry Carpenter. Back to you, Dave. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: I was recently talking to Perry, and he was telling me about this interview on his show. And I checked out the episode. And then I went out, and I just tore through "The World's Greatest Con" - great podcast. So not only should you check out Perry's, but you should also check out "World's Greatest Con" as well. 

Dave Bittner: Yeah. 

Joe Carrigan: I agree with my - with the assessment. My favorite line in this show that Brian says every single episode is, cons don't fool us because we're stupid. They fool us because we're human, right? And then Brian's example in this talk is the example of the car crash, right? And that is one of the three big triggers that social engineers use that I like to focus on when I'm telling people about what their exposure is. 

Dave Bittner: Yeah. 

Joe Carrigan: And I say the No. 1 is fear, and No. 2 is greed. No. 3 is our desire to help each other, right? We have this innate desire to help other humans and even other animals as well... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like dogs and any animals we've domesticated... 

Dave Bittner: Right. 

Joe Carrigan: ...And some we haven't. But I digress. The point is that if you came across a situation where somebody had gone through a great length to make it look like they were in trouble, would you be a horrible person if you didn't stop and help them, right? You know, we all think that. Is this person in trouble? Does this person need my assistance? 

Dave Bittner: Right. 

Joe Carrigan: Can I render it? 

Dave Bittner: Yeah. 

Joe Carrigan: One of Brian's big points is that the bad guys have the advantage of time and preparation. They also have the advantage of practice, right? If they're going to con you, you're not the first person that they've talked to, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. It's like when I was teaching my kids to play chess. Prepare to lose the first hundred games you play. 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: Same thing with a con man. Prepare to have the first hundred people you talk to go, you're nuts, and walk off, right? 

Dave Bittner: First hundred people you ask out on a date. 

Joe Carrigan: Right. Yeah. Exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's all about getting that one yes, right? How many nos do you have to do to get to the yes? 

Dave Bittner: Yeah. 

Joe Carrigan: It's a sales rep question, right? The target has the advantage of that gut feeling. But my favorite thing he says is, but that would be stupid, is the payoff the con is looking for, right? So don't dismiss your gut feeling if your very next thought is, yeah, but that would be stupid, right? Instead, use that as another indicator that something's up. Yeah. If you can recognize that pattern - like, hey; I think something might be up; he might have gone through all these things, but that would be a bit much - think about it. What - how much time has this guy had before he walked into you? 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: He's had as much time as he is alive, as far as you know. 

Dave Bittner: Yeah. 

Joe Carrigan: Brian mentions the fundamental flaws that we have as people that are preyed upon that - I think of them as those three things I talked about earlier - fear, greed, and our innate desire to help. I don't think - while these things can all be exploited as flaws, they're not necessarily flaws, right? Our fear keeps us alive - right? - keeps us out of dangerous situations. Think about, you know, being on a - one of my examples is a time I saw a bear on a bike ride, you know? 

Dave Bittner: That's weird. A bike-riding bear - wow. 

Joe Carrigan: I was on the - OK, I wasn't clear. I was on the bike ride. 

Dave Bittner: Oh, I see. 

Joe Carrigan: The bear was just standing there. 

Dave Bittner: Ah. All right. Wow. OK. Well, it's not quite as exciting. 

Joe Carrigan: Right. 

Dave Bittner: But still (laughter)... 

Joe Carrigan: So - that's awesome, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: But, you know, what did I do? I didn't go near the bear, right? 

Dave Bittner: No. 

Joe Carrigan: I turned around and left. 

Dave Bittner: Right. Right. Yes. 

Joe Carrigan: Our greed is what keeps us alive. You know, everybody likes to bemoan the fact that, you know, everybody's so greedy or, you know, that certain people are so greedy. But, no, everybody is greedy. Everybody has a certain desire to accumulate food, shelter, clothing and anything else - right... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because that's how you survive in the old days - right... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Was just by having those things. 

Dave Bittner: Sure. 

Joe Carrigan: And then our desire to help each other is how we as a species have become the most successful species on the planet, right? And actually, these three things, I think, together - while there's something that can be exploited, there are also things that have made us - put us where we are. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: I would add to your list love and sex. 

Joe Carrigan: Yeah. Yeah. I might file that under greed. Yeah. I mean, you're right. It's... 

Dave Bittner: Desire, maybe. 

Joe Carrigan: Desire - yeah, maybe. 

Dave Bittner: Do you put greed and sex under desire? 

Joe Carrigan: Yeah. 

Dave Bittner: Hunger? 

Joe Carrigan: Maybe. I don't know. That's a good point, though. 

Dave Bittner: OK. 

Joe Carrigan: You know, I don't really talk about that. I didn't really talk about that much in the - but, you know, love, actually, I might put under our desire to help each other. 

Dave Bittner: Yeah. 

Joe Carrigan: And sex I might put under greed. 

Dave Bittner: Yeah. I'm just thinking of things that can short-circuit your sensibilities in a hurry. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: And I think love and sex are certainly in that category. 

Joe Carrigan: Absolutely. No, you're 100% correct. Romance scams are one of the biggest scams that cause people to lose money... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Left and right. It's one of the big things that gets exploited... 

Dave Bittner: Yeah. 

Joe Carrigan: ...As well. 

Dave Bittner: Yep. All right. Well, again, our thanks to Perry Carpenter for joining us and sharing this interview. Again, his podcast is the "8th Layer Insights" podcast. Definitely check that out. And also, our thanks to Brian Brushwood for joining us as well. 

Joe Carrigan: Yep. 

Dave Bittner: That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.