Hacking Humans 12.15.22
Ep 224 | 12.15.22

Disinformation and verification.

Transcript

Kaspars Ruklis: Now news and information is coming at us from all different kinds of directions. And it's very important for people to realize what to believe and what not, you know, what information to trust and, perhaps, what information needs to be checked and verified.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner. And joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Kaspars Ruklis - he is the program manager for media literacy at IREX - on the Very Verified Media Literacy program. All right, Joe. Before we jump into our stories, we have a bit of follow-up here. We got a kind note from a listener named Vicki, who writes in and says, I listen regularly to both "Hacking Humans" and "Caveat" podcasts. The hosts often reference what sounds like ULA - or ULA. I have not been able to find a definition of what this is, especially since I don't know how it's spelled. I suspect they are referencing to the document that describes a website's terms and conditions. Can you give me a hint? I'm just a curious old lady, so perhaps this is just one more bit of jargon I would know if I were in the business. Thanks for any help you can provide. All right.

Joe Carrigan: (Laughter) Yeah. Vicki, thank you so much for writing in with this question. If you have this question - and I am 100% certain that there are other listeners who also have the same question. And all too often, we in the industry use jargon to communicate these complex ideas. But the problem with jargon is that it's confusing to people who are not familiar with it. 

Dave Bittner: Right. 

Joe Carrigan: So let us apologize for not clarifying our terms here. But EULA does, in fact, stand for end user license agreement. And it's E-U-L-A. And it is - yeah, there is a EULA for websites. And terms and conditions are kind of EULA. But it's specifically for software, when you buy software. 

Dave Bittner: Yeah. 

Joe Carrigan: It's that big, long piece of paper that you never look at. Or the... 

Dave Bittner: Right. 

Joe Carrigan: Or that thing that you just click accept on. 

Dave Bittner: Forty-two pages of legalese. Yeah (laughter). 

Joe Carrigan: Right. And you never read. 

Dave Bittner: Right. Right. 

Joe Carrigan: And it's - you know, you don't know what you're agreeing to (laughter) because nobody ever reads these things. 

Dave Bittner: That's right. That's right. So yes, Vicki, thank you for writing in. That is what a EULA is. We would love to hear from you if there's something that you would like us to address here on the show. Our email is hackinghumans@thecyberwire.com. All right. Joe, let's jump into some stories here. Why don't you start things off for us? 

Joe Carrigan: Dave, the holidays are coming. Are you ready? 

Dave Bittner: As I'll ever be. 

(LAUGHTER) 

Joe Carrigan: Right. Do you buy gift cards for anyone, Dave, for holidays? 

Dave Bittner: I do buy gift cards for people. I would say, gift cards are typically a birthday thing. Like, I'll stick a gift card in a - or a gift card in a birthday card for someone. 

Joe Carrigan: Right. 

Dave Bittner: Generally, for Christmas time, you know, I try to be a little more personal than that. But, yeah, I use gift cards. 

Joe Carrigan: Something more thoughtful (laughter)... 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: ...Than a gift card? 

Dave Bittner: Give (laughter) a little, you know, minimal attempt. Sure (laughter). 

Joe Carrigan: Right. Yeah. I've used gift cards to send gifts long distances for people that I - you know, people I've... 

Dave Bittner: Yeah. 

Joe Carrigan: I've known casually and say, hey, thanks for your support. Here's a 10 or $15 gift card. Usually, when I buy a gift card, I buy something that's universal, like with Amazon. 

Dave Bittner: Yeah. 

Joe Carrigan: So - and I will usually ask, hey, do you shop at Amazon? And people say - almost everybody says yes. I've never had anybody say no, right? It's just - so I get them Amazon gift cards. Anyway, there's a new video making the rounds. I've seen it. I've seen it on Reddit. And it comes from Nichelle Laus. She is a former police officer from the Great White North, Dave, up there in Canada. 

Dave Bittner: Oh, OK. 

Joe Carrigan: And she is on TikTok giving out safety tips. Oh, the irony. 

(LAUGHTER) 

Joe Carrigan: Being on TikTok, giving out safety tips. 

Dave Bittner: Yeah. 

Joe Carrigan: But nevertheless, she is doing a public service and a public good. And she has recently learned about a scam that works with gift cards. So here's what happens. Let's say there's a bad guy. His name is Joe. And he has a gift card for some - he goes out and gets a gift card for some service that he uses, this guy named Joe. 

Dave Bittner: OK. 

Joe Carrigan: You know you can't trust guys named Joe, right? 

Dave Bittner: No. 

Joe Carrigan: So he goes out. He gets a gift card, maybe loads it up with, like, 20 bucks and opens it up on whatever platform it is that the gift card is associated with. Then he takes a copy of the barcode and goes back to the store and just takes a bunch of other gift cards off the shelf, goes back home, prints out copies of the gift cards on sticky - of the barcode, rather, on sticky labels and pastes them over top of the gift card on the - that they'd just taken from the merchant, from the store, then takes them back to the store and distributes them around the kiosk for the next person to come and buy, right? So when somebody buys a gift card, they grab the next gift card that this guy, Joe, put on the gift card kiosk. They walk up to the cashier. And the cashier scans the barcode, says, yep, this is one of our gift cards. And the person gives them - says, I want to make this a $20 gift card. The person gives them $20 or pays $20 with a credit card. And then the person leaves thinking they have a $20 gift card they're going to give to somebody. But what they've just done is they've given Joe $20 on, let's say, his Steam account, right? 

Dave Bittner: Oh. 

Joe Carrigan: So isn't that interesting? What happened with Nichelle Laus when she went up to the cashier, she handed the cashier the gift card. And the cashier said, oh, this one's a fake one, and peeled back the label, and said you have to go get a different one because the cashier was aware of the scam. Now, I got to tell you, Dave, I'm surprised this even works. 

Dave Bittner: Me, too. 

Joe Carrigan: Yeah. 

Dave Bittner: So just so I understand here what's going on, so the bad guy buys a gift card, puts some money on it... 

Joe Carrigan: Right. 

Dave Bittner: ...Takes it home. 

Joe Carrigan: Yep. 

Dave Bittner: Then the bad guy goes back to the store, steals a bunch of gift cards, but they have no money on them. 

Joe Carrigan: Yeah. It's not even stealing. You can just walk in and take any of the gift card you want, no problem. 

Dave Bittner: Really? 

Joe Carrigan: Yeah. They don't have any value until you put money on them. 

Dave Bittner: OK. I never really thought about that. 

Joe Carrigan: Yeah. That's why they're all stacked up there. I mean, they're really easy to get out of the store with because they're, you know, they're just - they're worthless, essentially. 

Dave Bittner: Yeah. So take a bunch of gift cards home, and then, as you say, makes up stickers with the barcode of the gift card that they had put some money on. 

Joe Carrigan: Right. 

Dave Bittner: Puts those stickers on the new gift cards. Take those back to the store, puts them on the shelf. So now someone buys that gift card, puts money on it. But the money is actually being - because of the barcode, the money is being put on the gift card of the scammer. 

Joe Carrigan: That's correct. 

Dave Bittner: That's interesting, because what I was wondering was most gift cards have a thing that you have to scrape off that has some kind of code on it. 

Joe Carrigan: Yup. That remains intact. 

Dave Bittner: But this circumvents that... 

Joe Carrigan: It does. 

Dave Bittner: ...Because the money is being put on by the cashier, who presumably is a trusted person in the chain of custody of the gift card. Right? 

Joe Carrigan: Correct. What's happening is that gift card that you're buying with this little scratch-off code and its barcode are being carried out of the store worthless because you haven't actually scanned that gift card. You've scanned the scammer's gift card. But I hate having to say scanned the scammer's gift card because it's... 

Dave Bittner: Right. Say that 10 times fast. 

Joe Carrigan: Yeah, it can sound confusing. But that's what happens. Now, it seems to me, Dave, that again, this is a flaw in the design of the gift card point of sale system, that when, you know, you have these gift cards. And you can put more money on them. I, you know, I've seen that with my wife. She has a Starbucks card, and she continually recharges her Starbucks card. 

Dave Bittner: Right. 

Joe Carrigan: With the app, she puts money on it with the app. But why can you do that at the point of sale? And maybe I'm misunderstanding the design of the system here or the intent of the system. But I think this is something that the people who designed the system didn't envision. And, in fact, I'm actually kind of surprised. How long have we had gift card kiosks in stores? For a very long time, right? 

Dave Bittner: Yeah. Sure. 

Joe Carrigan: And just now this scam is starting to come to light? So I think the scammers kind of missed this one until now as well. 

Dave Bittner: Yeah. I'm trying to think of a workaround or a mitigation for it. And I suppose you could... 

Joe Carrigan: Check for a barcode. 

Dave Bittner: Well, you could charge up the card initially at the, you know, at the merchants. But then maybe if you want to add money, you need to have that code with the scratch off. 

Joe Carrigan: Right. That would be the way to do it. You can't just add money with the barcode. 

Dave Bittner: Right. Right. But merchants can add money just with the bar code. They can - they could initially activate the card, but then couldn't add more without the extra code. That might slow it down. 

Joe Carrigan: You want to see some wild speculation here? 

Dave Bittner: Sure. 

Joe Carrigan: I'm going to speculate into the design of the system. Now, I don't have any idea how this system actually works. But I'm going to bet. 

Dave Bittner: That's never stopped you before, Joe. 

Joe Carrigan: It never has. And the funny thing about this is usually when I do this, I'm pretty close to right. Which is... 

Dave Bittner: Which just reinforces the system. 

Joe Carrigan: Right. Exactly. But here's how I'll bet this works, that the moment that gift card is printed, it's activated. And it's in the system and just waiting for someone to put money on it. And it's - as soon as you scan it at the point of sale system, there's software in the point of sale system that goes, OK, I'm just going to add money to this gift card, this ID, and it's going to put that money in there. And I'll bet that there is a vendor that provides this service to all of these different merchants. And the vendor puts that kiosk in the store and works with the store. And then just - the vendor goes out to places like Amazon or to Outback Steakhouse or Southwest - I don't know how I'd feel if somebody got me a Southwest gift card, Dave.

Dave Bittner: I guess it depends on if they lived close to you or far away. Right? 

Joe Carrigan: Right. That's a very good point. 

Dave Bittner: Yeah. 

Joe Carrigan: My mom and dad got me one, they'd be like, get out of here. 

Dave Bittner: Right. Right. Go somewhere else. 

Dave Bittner: Why don't you go on a trip? Anyway, then these - so there's a - the company out there that does this. And they have one standard for the gift cards. And that's why the bar codes are all very similar. And it works with the particular point of sale system. That's my speculation. And that's why this scam works. 

Dave Bittner: And I think the flawed assumption in this system is that scammers aren't going to be adding money to existing gift cards. 

Joe Carrigan: Right. That is the flawed assumption. And to be honest, it's - this is a really difficult attack to conceive of. So I don't know that there's a way they could have prevented this from happening. So I hate to be the guy that shows up and goes, you should have seen that - you know, Captain Hindsight. But there should be a mitigation that come - that is forthcoming on this. 

Dave Bittner: And when the person - when the innocent person buys the gift card... 

Joe Carrigan: Right. They walk out with something that's worthless and hand it to somebody who then can't use it. 

Dave Bittner: Right. Well, they can't use it because the scratch-off number doesn't match the bar code either. 

Joe Carrigan: Right. Exactly. The scratch-off number will... 

Dave Bittner: They can't even spend on it. 

Joe Carrigan: Right. Well, I mean, they, they could peel the fake bar code off. It's just a label. And they can see the actual bar code underneath of it and - or maybe they realize, oh. 

Dave Bittner: Right. But that won't have any money on it. 

Joe Carrigan: It won't have any money on it. It'll be worthless. Yeah, that's right. 

Dave Bittner: Yeah. Diabolical. 

Joe Carrigan: It is. 

Dave Bittner: (Laughter). 

Joe Carrigan: It's a way to ruin someone's Christmas. 

Dave Bittner: So the lesson here, I suppose, is just, like, you go and you jiggle the thing that scans your card at an ATM or a point of sale thing. You got to check to make sure that there isn't some sticker over the bar code on that gift card you're buying. 

Joe Carrigan: Those bar codes are printed directly on the cards. So if there's something obstructing that bar code, don't buy the card. Get a different card. 

Dave Bittner: Dig through the pile till you find one. 

Joe Carrigan: That's right. 

Dave Bittner: And maybe hand in the one (laughter) that has a sticker on it. 

Joe Carrigan: Yeah. Throw - yeah, hand it in to throw it away. 

Dave Bittner: Yeah. Oh, that's interesting. All right, well, we will have a link to that story in the show notes. Very interesting stuff. 

Joe Carrigan: We'll put a link in the show notes to the interview that Nichelle did with CBS so you can see how this works. It's worth - you know, it's a short video. It's worth a watch.

Dave Bittner: Yeah. All right. Well, my story this week comes from over at WIRED. This is written by Matt Burgess, and it's titled "Scammers Are Scamming Other Scammers Out of Millions of Dollars." 

Joe Carrigan: Good. 

(LAUGHTER) 

Joe Carrigan: I like the headline so far. 

Dave Bittner: Carry on, right? But so I suppose there's no surprise that there is no honor among thieves. 

Joe Carrigan: Right. 

Dave Bittner: But the scammers are scamming each other out of money. And on the underground forums that these scammers use, they quite often have areas of the forums where these bad folks can hash these things out. They can complain about each other. They can vent if they feel as though they've been chosen or have been... 

Joe Carrigan: Targeted? 

Dave Bittner: Chosen - treated. They can vent if they feel as though they've been treated poorly. 

Joe Carrigan: Right. 

Dave Bittner: And I think it speaks to the fact that this underground market works very much on reputation. So if you have a bad reputation, people aren't going to want to do business with you. This article points out that the median scams of the sites of these folks scamming each other ranges from $200 to $600. But they also point out there was - someone had provided a Windows kernel exploit and had not been paid the $130,000 that they had agreed to. So they - one person said, yeah, show me the - throw me the whip. I throw you the idol, right? 

Joe Carrigan: Right. 

Dave Bittner: And someone said, I will give you the $130,000, but I have to test the software. So they got the software and never gave the... 

Joe Carrigan: Never paid up. 

Dave Bittner: ...The money. Surprise, surprise. 

Joe Carrigan: You know what I'd do is I'd report that immediately to Microsoft. I found this vulnerability. 

Dave Bittner: (Laughter) So you burn the vulnerability so it's... 

Joe Carrigan: Yeah, absolutely. That's the first thing I'd do; maybe get a bug bounty from Microsoft and ruin that guy's day. 

Dave Bittner: The other thing, though, that I thought was interesting about this that kind of ties into something we talk about here all the time, which is that when people get themselves into an emotional state, they often don't behave the way that they would otherwise. 

Joe Carrigan: Right. 

Dave Bittner: And this article points out that criminals are typically very cautious about sharing anything that might identify them. They don't use their real names. They'll use anonymization services. They'll use things like the Tor web browser, you know, anonymous web browsing, things like that. 

Joe Carrigan: Right. 

Dave Bittner: And they're very good at that. But in this case, when they've been wronged, when they're angry... 

(LAUGHTER) 

Dave Bittner: ...That often goes out the window. And they start - they'll post screen captures. And the screen captures will include things like their IP addresses, things like usernames, email addresses, victims' names, the type of software they're using, all kinds of things to - because they are interested in proving their case... 

Joe Carrigan: Right. 

Dave Bittner: ...And they feel as though they've been wronged and emotions are involved, they will include things that they otherwise wouldn't include. And this is a real boon for law enforcement. 

Joe Carrigan: I was just about to say that, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: This is a real feel good story, man. 

(LAUGHTER) 

Joe Carrigan: I have nothing but warm feelings when I listen to this. 

Dave Bittner: Yeah. 

Joe Carrigan: (Laughter) Great. 

Dave Bittner: Yeah. So they're - you know, their defenses go down, and they will share things that they wouldn't otherwise share just in the service of trying to be made whole by either the forum itself or whoever it is they feel wronged them. And in doing so, they make themselves more vulnerable. They say that there's been millions of dollars - this article points out that in the past year or so, they track the criminals have lost more than $2.5 million to other scammers. Poor babies. 

Joe Carrigan: Right. Yeah. Oh, no. 

Dave Bittner: (Laughter) Yeah. Yeah. So I was just curious what your take was on this. Obviously, as you said, you're pleased about this. 

Joe Carrigan: I am. 

Dave Bittner: I suppose this is - you know, crime shouldn't pay. And it's good that these folks are looking over their shoulder all the time. 

Joe Carrigan: Yeah, that's one of the things about this - working in this industry is that you are going to be associating yourself with other people who are perfectly willing to scam people out of money. And that includes you. You know, you're - these guys do make a lot of money from - by scamming people in other locations usually, but... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, so when I hear that these guys are getting scammed out of $200 or $600 or even hundreds of thousands of dollars like the guy with the kernel exploit - $130,000 - that makes me feel good. You know, I don't think you should be selling kernel exploits to the highest bidder. I think that you should be reporting those to the manufacturer. That's the right thing to do. You know, get some notoriety for yourself, some street cred. 

Dave Bittner: Well, maybe some bug bounty money, too. 

Joe Carrigan: And maybe some bug bounty money - exactly. But do the right thing. That's what you should be doing anyway. But, you know, that's going to fall on the deaf ears of scammers, I think. You know, they're not interested in doing the right thing. They're interested in getting the easy money. So when they have their money taken from them, I think, well, that's - I get this little satisfied feeling inside of me. 

Dave Bittner: Little tickle up your spine. 

Joe Carrigan: Yeah. But the really great icing on the cake is that the - when they start having their emotions taking control. And that's exactly what these guys do to other people. So I like seeing that. That's a little bit of just desserts, I think. And I feel a little bit of righteous satisfaction... 

Dave Bittner: Yeah. 

Joe Carrigan: ...To see this happen. I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: Maybe this is too much freudenschade (ph), but - you know, taking delight in other people's suffering. But... 

Dave Bittner: Sure. 

Joe Carrigan: I'll take delight in the suffering of scammers. 

Dave Bittner: Yeah, I think that's fair - worth noting that this article is written based on some research that was done by the folks over at Sophos. They mentioned Matt Wixey is one of the researchers here, so give them credit where credit is due. Again, this article comes from WIRED, and we will have a link to that in the show notes. All right, Joe, that is my story for this week. Why don't we move on to our Catch of the Day? 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day is so bad. 

Dave Bittner: OK (laughter). 

Joe Carrigan: Come on, Dave. 

Dave Bittner: How bad is it? 

Joe Carrigan: Thank you. It's so bad that when our executive producer Jen forwarded it to us, Gmail put a warning on it, saying, this message seems dangerous. Similar messages were used to steal people's personal identification. Avoid clicking links, downloading attachments or replying with personal information - which is great. Thank you. Thank you, Gmail... 

Dave Bittner: Yeah. 

Joe Carrigan: ...For doing that. It comes from Connor (ph), who writes, hey, guys. I discovered you guys through "Grumpy Old Geeks" - love the show. I haven't received one of these emails before. I was starting to feel left out. I got a kick out of it and hope you will as well. Keep up the great work. So, Dave, it's one of those, you know, sextortion emails. But... 

Dave Bittner: Oh, OK. 

Joe Carrigan: It's pretty good. 

Dave Bittner: All right. 

Joe Carrigan: I love the English in it. 

Dave Bittner: Goes like this. (Reading) Greetings. The following is your last notice. I broke into your operating system using the wireless network modem you were connected to. Some time back, I gotten to the systems that you were previously used to get online. All of the information from your own gadgets and devices was automatically copied to my web servers. I can take advantage of all of your messengers, social media, social networks, emails, chats and contact information. My Trojan regularly changes its signature driver type, so it stays invisible to anti-malware software. 

Dave Bittner: I reckon that at this point, you realize why I remained quite right until this current day. While get together infos about you, I discovered that you are a huge fan of adult webpages and much more. You actually prefer to go to porno webpages and watch kinky video clips while having an orgasmic pleasure. I have surely made a web camera capturing videos of you. The editing of the video clip you were watching at the same time, and you are pleasuring yourself. Your own facial area is obviously seeable. I do not think this type of information will be great for your profile. I can now direct this footage out to everyone who realize who you are. I also have no challenge with making all your personal data public via the internet. I think you realize what I mean. It may be a real disaster for you. I will be able to ruin your daily life permanently. I really think that you do not want that to take place. 

Dave Bittner: Now let's fix it in such a manner. You send me $1,200 via Bitcoin equivalent at the time of exchange, and I will immediately get rid of all your data from my computers. And then we will just ignore each other. My Bitcoin wallet address for transfer - in case you don't realize how to transfer cash and exactly what bitcoin is, the key in the Google search engine buy bitcoin. I present you with three business days to transfer money. The timer launched counting instantly once you read this message. I'll receive a message the minute this email is exposed. Do not attempt to look for aid as the payment address cannot be tracked. Address the message is coming from and cannot be tracked also and generated automatically. Hence there's no reason for texting me. 

Dave Bittner: Don't make an attempt to reach out to the police and some other security solutions. And if you choose to, your information will undoubtedly be revealed. Changing online passwords and social networks, email and devices isn't going to help you as all the info is already saved to my hosting space. All the best, and try to not do something dumb. Carefully consider your forthcoming future. 

Joe Carrigan: Well, there's a lot of isolation here. 

Dave Bittner: Yeah. 

Joe Carrigan: It's, you know, a lot of, don't try to talk to anybody. Don't try to call law enforcement. Don't try to do anything. This is always a scam. It's just people who fire up these Bitcoin addresses and then send out emails. Now, I have good news. That email - or not email - that Bitcoin address does exist, but it hasn't received any money. I don't know if this particular scammer sent out a bunch of emails with this one bitcoin address or just Connor received this one with this bitcoin address. I don't know, so - very interesting. It's a typical sexploitation scam. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, we've seen these before. We've seen much more horrific examples of this. But it's - when you get these emails, just delete them. Move on. 

Dave Bittner: Yeah. 

Joe Carrigan: They don't have anything. And even... 

Dave Bittner: Yeah. 

Joe Carrigan: ...If they have a password for, like, one of your sites, that's just coming from an old password breach or some old password database. So they may try to convince you that they have the right information, that they actually have done this. The truth of the matter is that they can script the authoring and sending of these emails remarkably quickly. So it's just pulling the data from a database, and then inserting it into a text field and then sending it on its way. There's nobody... 

Dave Bittner: Yeah, but also... 

Joe Carrigan: ...Giving you personal attention. 

Dave Bittner: I'll note also that I think one of the things that makes these effective is that this is a topic that people hesitate to discuss with their loved ones, so... 

Joe Carrigan: Yes, absolutely. 

Dave Bittner: You know, it makes you scared that, you know, what if, on the very, very slight chance that this might be legitimate, I don't necessarily like the pathway that this could go down with my... 

Joe Carrigan: Right. Right. 

Dave Bittner: ...Friends and family. I don't want to talk about this, so... 

Joe Carrigan: Right. 

Dave Bittner: ...That's what they're relying on. So I think, for those of us who are trying to protect our loved ones, you need to be preemptive about this. Go to your relatives - I'm thinking of, you know, elderly parents, people like that, and say, listen. This is a type of scam. If this type of scam happens to you, know that you can talk to me about it, and there will be no judgment (laughter), right? 

Joe Carrigan: Right. 

Dave Bittner: There's no reason to be embarrassed about someone trying to scam you. 

Joe Carrigan: Right. 

Dave Bittner: No matter what the subject matter is. All right. Well, our thanks to Connor for sending that in. And again, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Kaspars Ruklis. He is the program manager for media literacy at an organization called IREX. And we were discussing the Very Verified Media Literacy program. Here's my conversation with Kaspars Ruklis. 

Kaspars Ruklis: Well, disinformation is a huge issue not only in the United States but also all around the world, including the Baltics. And there has been a lot of different types of misinformation and disinformation connected to the rise of the social media and many other information channels, also connected to foreign propaganda that is quite accessible. Or it used to be quite accessible here in the Baltic states. And so there's a big need for the society to learn tricks and tips, you know, how to better navigate the information environments, as complicated as they are today. It's not as simple as it used to be even 10, 15 years ago when there were, you know, major news sources, you know, the television channels and - also limited number of television channels, perhaps - newspapers and radio. Now news and information is coming at us from all different kinds of directions. And it's very important for people to realize what to believe and what not, you know, what information to trust and perhaps what information needs to be checked and verified. So I think, yeah, that's where the need comes from.

Dave Bittner: Can you give us some insights as to, what are some of the specific things that people deal with there when it comes to disinformation? I mean, I think we have an idea, those of us here in the United States, of the types of things we deal with. But I suspect there are some differences in your part of the world. 

Kaspars Ruklis: Yes, there are many things that are probably quite similar and especially, you know, the things that, you know, happened around the global pandemic. There are a lot of people around here that are also very skeptical about the virus, just like in the United States and many other places around the world. But then perhaps what is slightly different for us, we are actually living, having a joint border with the aggressor, with Russia, at the moment. And the Russian government has been disseminating propaganda messages for many years. And, you know, being direct neighbors, we have been directly affected by that disinformation. A large portion of people in the Baltics also understand and speak the Russian language, even though, of course, we also speak our own Latvian, Lithuanian and Estonian languages. But still, this language is historically spoken and understood here. So it's been, you know, quite easy for the propaganda experts from Moscow to target us and perhaps spread the messages that are not always true, that are quite manipulative and that are, you know, not really, you know, helping us in any way, that are trying to damage us. They have tried different campaigns portraying the Baltics as failed states. They have been, in part, successful with those messages. So perhaps that's one really big difference. 

Kaspars Ruklis: And as we all have seen since February 24, unfortunately, this threat is not only in the information environment, but if you look at what is happening in Ukraine and how Russia has been aggressive against Ukraine and in the territory of Ukraine, then, sometimes, these threats can really translate into something much more tangible and bigger. And that's certainly not something that people in the Baltic states are looking forward. We are a part of the Western world now. We are - Latvia and Lithuania and Estonia - are members of EU and NATO. And we do, you know, align with the values of the Western democracies at the moment. 

Dave Bittner: Well, let's talk about the Very Verified Media Literacy program. What exactly are you doing here? What are the things that you've put in place? 

Kaspars Ruklis: You know, this is a program that is based on skills. We are trying to ensure that people of the Baltic states can better engage critically with information. There is a lot of different types of information that people are bombarded with these days, you know, coming from social media, coming from all different kinds of channels. And very often, if you are not an expert on the communication or information world, it is very hard to distinguish, you know, what things to believe and what not. And so it's important that people actually, you know, take a breath and take a step back and maybe sometimes ask questions about the information that they receive and try to verify it, try to, you know, question it - and, you know, before making any actions or any big decisions. You know, in the first place, I think it's important that, you know, before making political decisions - you know, now, actually, this weekend, Latvia will have a parliamentary elections. And a lot of people are looking at wonderful, beautiful, you know, posters of politicians and all different kinds of promises and messages. But, you know, they look very appealing. And it seems like this new political party or new politician is going to come and solve all our troubles, that we are going to be living in a much happy world. But what people sometimes do not realize is that they actually need to look at it a little more carefully with some scrutiny. And there are ways how information can be checked and verified, you know, by looking at the records, by even - sometimes even such a simple thing as a Google search can help find out what, you know, these people stand for and what they are all about. 

Kaspars Ruklis: Also, of course, in the - in other areas of life, for example, economically, very often, you know, especially during a pandemic, people started using a lot of online shops to buy things and, you know, basically spent a lot of time online. And very often, I think all of us have had an experience where we order something, and then it turns out to be totally not what we wanted to actually order. And sometimes, when we are being a little more critical, we can, you know, check and figure out, you know, what do other people say about this product that we purchased? And we can still, you know, be a little bit smarter about how we make these economic decisions. And also in other areas - like we work with a lot with young people and young audiences. Very often, they choose their next university to go to. Here in Latvia, there was a university that actually organized, like, a big party during the, you know, late hours. And the students who attended the party and chose a study program got, you know, a 50% discount for studies. Is that really how people want to, you know, make a decision about their future without really much trying to investigate what exactly are they going to be studying? Or what is the quality of the study program? - and so on and so forth. So there are so many different areas why, you know, this course can help people to navigate the information environment a little bit better and, you know, in their interests. 

Dave Bittner: Yeah. Is it accurate to say that it's not so much that you're trying to tell people, you know, something is true, or something is disinformation, but you're really providing them with tools to better be able to evaluate on their own? 

Kaspars Ruklis: Yes, exactly. I think it's very important not to, you know, be lecturing from a supreme position because especially people that are - you know, that have their mind set on certain things, it's very hard for - to convince them with a lecture about how things should be done in a normative way. Of course, it's probably not a good idea. So our approach is actually much more gentle, so to speak. We try to equip people with the different tools. We tell them how to, for example, you know, fact-check stories, fact-check photos or fake videos. We point out things that should be kept in mind when you read a sensational headline, for example. And, you know, we don't tell them what to read and what to consume but how to do it, you know, in a more sensible way that actually benefits perhaps them later on. 

Dave Bittner: And how are you reaching people? How do you engage with them? 

Kaspars Ruklis: Well, Media Literacy in the Baltics program has a number of components. But one of our main component is we actually work with universities. We actually have cooperation with 13 university partners in Latvia, Estonia and Lithuania. So we help university faculties to develop specifically designed study courses that we call JEDI in English, meaning journalism in the era of disinformation, trying to explain some of the things that are important for the future communication professionals to avoid this information because we have had cases in the Baltics where journalists have been tricked with deepfakes or cheapfakes where somebody dresses up as someone else and gives an interview, and then that gets broadcast on the national television. And after a day or two, it turns out that that was an imposter giving the interview. And it's actually not true. So it's very, very important for people that are working in media, also for teachers, to be knowledgeable about different ways to spot and fight disinformation. And we call that media literacy in one term, but it includes a lot of different things. 

Dave Bittner: And where do you hope the program goes as you expand and are exposed to more people? 

Kaspars Ruklis: Well, we are working with a lot of different audiences. We work with future journalists and future education professionals. We are also targeting teachers that are already working in the schools because national curricula is requiring them that they integrate media literacy skills into all study subjects horizontally. So those are some of our audiences. Then we also just go out and work with youth, with youth organizations in the Baltics who are, you know, interested in, you know, becoming better, more informed citizens. So it's really targeting all different kinds of people living all over the Baltic states. Also, what is important for us, given our specific, is that we work with Russian-speaking population, especially with the Russian-speaking youth. We do have some regions, especially in Estonia and Latvia, where we have a large proportion of Russian speakers or - and sometimes they speak also the Latvian or Estonian language, depending on which country of course, but sometimes not as well. And the risk is that they are facing this information coming from channels from Moscow is much, much higher. So we do pay attention to make sure that also this Russian-speaking population is well-integrated and also well-equipped with tools to recognize different manipulation that, you know, may not be good for them. 

Dave Bittner: And how do you measure success? How do you know that your efforts here are really making a difference? 

Kaspars Ruklis: We do have a very rigorous monitoring and evaluation program that we use. We do ask a lot of questions throughout our trainings and also on the online course that we have just launched called Very Verified. There are quizzes. And there's also the final test where we do try to measure also, what is the impact of these teachings? Because every education program these days needs to really prove that it is effective. And we are trying to do that also with our program. So we do ask our training participants, you know, whether they are, you know, they feel safer and what things they will be doing differently when they will be reading a sensational headline or when they will be, you know, seeing something that seems so unbelievable that it might not be true and so forth. So, yeah, we do look at the results. 

Dave Bittner: Well, congratulations on your efforts. I mean, I think it's certainly a worthwhile program. For those of us in the English-speaking part of the world, are there accessible ways for us to check out what you're up to? 

Kaspars Ruklis: Yes, of course. Internet works everywhere. So yeah, the online version of our course is called Very Verified. Our address is www.veryverified.eu. And you can check it out. But I must warn you that the course is designed for the Baltic audiences. So there will be a lot of Baltic context and also Baltic examples. But we do have an English version that is available to anyone who speaks English. If you speak Russian or anybody who speaks Russian, there's also a Russian-language version. And then of course there's a Latvian, Lithuanian and Estonian language version for people in the Baltics. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Good interview. I am a big fan of the media literacy program at IREX, although it is targeted towards the Balkans. That's - I think it has a lot that could be applicable to the United States. There has been a huge change in the media landscape. And Kaspars talks about that. First, there are biases, most of the time completely unacknowledged in what we would call traditional news sources. It's just the nature of - part of human nature, that you've got to understand that the people reporting the news to you are people and do have - they do have their biases. 

Dave Bittner: Right. 

Joe Carrigan: That is one of the things that is just unavoidable in dealing with people. They're going to have biases. And you're just going to have to understand, try to understand what their biases are. 

Dave Bittner: Yeah. 

Joe Carrigan: With the expanded internet access that we've all experienced, the number of outlets has absolutely exploded. So now - one of the things Kaspars says in here is that we started off with like a very few number of news outlets, so it was easy to vet them, right? Because there's - if you can count them on one hand, you can go, OK, that one is good. And they tend to be a little left-leaning. That one's good. They tend to be a little right-leaning. That one's garbage. You know, and you know which one I'm talking about, you know, The National Enquirer. 

Dave Bittner: Sure. 

Joe Carrigan: But now, what's out there? It's actually - the National Enquirer, not necessarily bad in terms of news, but just what they cover is just unpalatable to me, I should say. Are they still around, the National Enquirer? 

Dave Bittner: I think so. I think you're still - you can get them at your local newsstand, I suspect. 

Joe Carrigan: Yeah. That's great. I think it's always interesting to hear the differences and similarities in other populations - to me, at least. The Russians are masterful at propaganda. And nobody experiences that more closely than the Balkan states. They are right there. And, you know, the Russian government is still upset about losing them. And now they're part of the EU, you know, Estonia, Latvia and Lithuania, part of the EU. And they're trying to portray the Baltic states as failed states. And it's interesting that some people are buying this. And it's - this is part and parcel of what Russia does is they try to convince people within a country that their country has failed. And that's a win for them. That's good for the Russian government. It works. So I like one of his - one of the things Kaspars says. Question everything. Every message from any media outlet should be taken with a grain of salt. You should at least understand the biases that you're dealing with from the media outlet. You should also have - make sure you have reputable media outlets. There are a ton of media outlets that are either owned by people in political parties or people closely associated with political parties. I wouldn't count anything any of those media outlets say as valid just because they are masquerading as a real news outlet, and it's just not something that is the case. It's just not true. They're just essentially publicity arms for these political parties. If you want to call it propaganda, I really wouldn't have a problem with that. It's good to see that politicians in Latvia are also untrustworthy. 

Dave Bittner: (Laughter). 

Joe Carrigan: I think that might be a universal truth. 

Dave Bittner: Good in what way, Joe - it's reassuring that it's not just us? 

Joe Carrigan: Yeah, reassuring that it's not just us, you know? 

Dave Bittner: OK. 

Joe Carrigan: The big... 

Dave Bittner: Universal truths of human nature. 

Joe Carrigan: Yeah, the big, smiling poster of people and... 

Dave Bittner: Yeah. 

Joe Carrigan: I'm going to make everything so much better. And then you elect them, and nothing changes. You know, it's... 

Dave Bittner: (Laughter). 

Joe Carrigan: I like his story about going to school, going - the university that had the big party and gave everybody 50% off. I have a big rant on picking a school and a major, but I'll save that for another time. It's actually outside of the scope of this show, but... 

Dave Bittner: OK. 

Joe Carrigan: It's very important to listen to. So if anybody wants to hear it, give me - let me know. I'll give you a call and give it to you. You can listen to me rant on the phone for a little while. 

Dave Bittner: 1-900-JOE-RANTS. 

Joe Carrigan: I'll make a fortune. 

Dave Bittner: One-ninety-nine a minute. Yeah. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter). 

Joe Carrigan: The media interviews with imposters - I thought that was very interesting. I don't know that I've ever seen that happen. I mean, we've seen the cheap fakes happen where those make the rounds on social media. But I can't think of a time when somebody interviewed somebody they thought was a politician and it turned out to not be that politician, just some random person wearing a disguise to look like the politician. Have you ever seen that happen? 

Dave Bittner: No, I don't think I have. 

Joe Carrigan: No. 

Dave Bittner: Not here. I mean... 

Joe Carrigan: Yeah, not here. I don't know that it has happened here. I'm not aware of it happening here. I should say that. So I think I would love - well, I mean, I wouldn't love to see that happen. But I would - that would be an interesting experience, to say the least, to be part of that, you know, to see that happen. I wouldn't like to see it happen. But I'd be interested to see it happen. Does that make sense? 

Dave Bittner: Yeah. Yeah. I think - I'm wondering what the risk-reward is for someone to go on - well, yeah. I'm thinking of - because there are the prank kind of things. 

Joe Carrigan: Right. 

Dave Bittner: I was thinking of, like, the ways - like, someone's going to be a guest on "The Today Show," right? 

Joe Carrigan: Right. 

Dave Bittner: You're on TV. You're on camera. There are lots of staff at that show who are doing the vetting and all that sort of stuff, and they have systems in place. And that's one thing. Then I'm thinking about, you know, people from "The Howard Stern Show" calling and saying, Baba Booey. 

Joe Carrigan: That's right. 

Dave Bittner: Like, that's... 

Joe Carrigan: I was just thinking about that. 

Dave Bittner: We have the other end of the spectrum, right? 

Joe Carrigan: Right (laughter). Yeah, I've seen a bunch of that. 

Dave Bittner: Not really an impersonation, but... 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: It's just somebody calling in, pretending to be somebody with information that they are not. That's a different kind of thing. And that's when the news media - when they're in that news cycle with something breaking and big and they're looking to get anything else out of - any more information they can put on screen and go, look; we got the scoop, you know... 

Dave Bittner: I guess I have - yeah, I guess I have - you know, along the lines with that Howard Stern kind of thing, I have heard of pranking situations where someone would call in with a really good impersonation of a celebrity... 

Joe Carrigan: Yes. 

Dave Bittner: ...And pretend to be that celebrity, you know, where somebody... 

Joe Carrigan: Yes, I have seen that. 

Dave Bittner: So I've seen that, but I haven't seen it where the consequences are someone pretending to be a politician or pretending to be a president or a congressperson or something like that. So... 

Joe Carrigan: Yeah, or, you know, like... 

Dave Bittner: I don't know. 

Joe Carrigan: Like, showing up in person, pretending to be somebody. 

Dave Bittner: Right. 

Joe Carrigan: Yeah. We've all seen - I'm not talking about the call-ins. The call-ins are easy to do. You get somebody who can do a good - (imitating Bill Clinton) well, I can do a pretty good Bill Clinton, I think. But... 

Dave Bittner: (Laughter). 

Joe Carrigan: That's a much younger Bill Clinton, by the way. 

Dave Bittner: Yeah. 

Joe Carrigan: It doesn't - I don't think it sounds like him anymore. But I've never seen somebody, like, dress up, like, to look like Bill Clinton or any - not even Bill - I mean, I would think that Bill Clinton or a former president - any former president - it'd be easy to - that's not who that is. But... 

Dave Bittner: Right. 

Joe Carrigan: You know, maybe a local state delegate, right? I mean, do you know what your state delegate looks like? 

Dave Bittner: Kind of. 

Joe Carrigan: Kind of - yeah, exactly. 

Dave Bittner: Yeah, yeah, yeah, right, right. 

Joe Carrigan: That would be interesting to see. 

Dave Bittner: Yeah. All right. Well, our thanks to Kaspars Ruklis for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.