Hacking Humans 5.2.24
Ep 288 | 5.2.24

From support to scam.

Transcript

Dave Bittner: Hello everyone, and welcome to N2K Cyberwire's Hacking Humans Podcast, where each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations all over the world. I'm Dave Bittner, and joining me is Joe Carrigan, from the Johns Hopkins Information Security Institute. Hey Joe.

Joe Carrigan: Hi Dave!

Dave Bittner: We've got some good stories to share this week, and once again, we are joined by our N2K colleague, and host of the T Minus Space Daily Podcast, Maria Varmozis. Maria?

Maria Varmozis: Hi! I'm back [laughing] I'm here!

Dave Bittner: [Laughing] We are excited to have you back. And we will be right back after this message from our show's sponsor. Alright, Joe and Maria, before we jump into our stories this week, we have a bit of follow-up here. Joe, you want to take us through what we've got?

Joe Carrigan: Yes, Dave, Raul wrote in. He said, "Hi Dave and Joe, and Maria, absolutely love, live, and breathe the show." I love it when listeners love, live and breathe this show.

Dave Bittner: Okay!

Joe Carrigan: My favorite. "I witnessed the infamous Facebook post of the fake car crash," Dave, you were talking about this a couple months ago?

Dave Bittner: Yeah. Still making the rounds.

Joe Carrigan: Still making the rounds.

Maria Varmozis: Oh, I've seen it! I've seen it recently, yep!

Dave Bittner: [Laughing] Yeah.

Joe Carrigan: With the person's account saying I can't believe he's gone, I'm going to miss him so much.

Dave Bittner: Yeah.

Joe Carrigan: I did not click on the link, but I did report this post as a scam, or a spam, rather.

Dave Bittner: Yeah.

Joe Carrigan: Facebook instantly closed the report and did nothing with it.

Dave Bittner: Yep.

Joe Carrigan: So, Raul sent along screen caps of the, you know, of the report that he sent and it said right underneath of it, closed.

Dave Bittner: Yeah, I mean, there are several versions of this. And I think one of the things is that there is no perfect category to list this under when you report it to Facebook, and I think that's intentional.

Joe Carrigan: Yeah, because they certainly wouldn't list clickbait as a category, would they [laughter].

Dave Bittner: No, I mean, you could say misinformation, but it really doesn't, yeah. So I stopped reporting this, because something clicked in my head where I thought oh wait a minute, if I keep reporting this, is Facebook going to consider this to be engagement? And give me more of them?

Joe Carrigan: Right.

Dave Bittner: So every time it comes up for me now, I just can say please show me less of this, please show me less of this.

Joe Carrigan: Right.

Maria Varmozis: Interesting.

Dave Bittner: Yeah.

Joe Carrigan: That works.

Maria Varmozis: You're gaming the algorithm. That's smart.

Dave Bittner: Well, I'm trying. The problem is, the algorithm is so fricking aggressive [laughter], you know, it's like oh! Wait a minute! You stopped and looked at sunglasses for five seconds. So for the next week, it's going to be all sunglasses all the time [laughter], oh great! Thanks, that's really useful.

Joe Carrigan: Dave, I love hearing about how happy you are that you came back to Facebook [laughter].

Maria Varmozis: You can hear it, it's just dripping from his voice. It's just--

Dave Bittner: Yeah, oh yeah, just been time well spent [laughter], absolutely.

Joe Carrigan: [Sighs]

Dave Bittner: Alright, what else we got, Joe?

Joe Carrigan: We've got one from, it's a follow up on the episode 286, it says, "David, Joe, hello. Last summer, I was in London for a conference. I got harassed," this is talking about the con-woman at the Piccadilly Circus, or Piccadilly Station in London.

Dave Bittner: Oh, uh-huh.

Joe Carrigan: I don't know if that's an underground station or if it's like just a train station, I have no idea. "I got harassed/scammed at Piccadilly Station as well. Being alone and nonchalant, I guess I was quite approachable. A lady walked up to me and started giving me a story about herself about being an immigrant, and not having enough money to make it to the next station. She, too, asked me if I could buy her tickets, showing me an app. Although it did not have any money in it, she promised that she could have money. I tried to decline, but she was pushy about it and followed me. Eventually, I gave in, walked over to, walked over and bought her physical tickets at a machine, for about twenty pounds."

Dave Bittner: Hm.

Joe Carrigan: "I recall her not being quite happy, but not entirely disappointed. I figured if she was having a tough time getting money that I could help her, and maybe if she also was scamming me, the guilt of someone being genuinely kind, without expecting money back, would make her change her ways."

Dave Bittner: That's adorable, Alec.

Joe Carrigan: Right [laughter]. Alec, that is not what was happening. If you're being scammed, no, these people, maybe it's a bit poor of me to think that way. I don't think so, Alec. Anyway, I forgot about this story until the other listeners showed their Piccadilly story. Thanks for the podcast, and many happy years ahead.

Dave Bittner: I don't mean to give Alec a hard time.

Joe Carrigan: No.

Dave Bittner: Because as I've said many times on here that, you know, I too am a soft touch for scammers, I tend to give people the benefit of the doubt, and my attitude is I would rather go through life losing some money every now and then, than brutally assuming that everybody is out to scam me.

Joe Carrigan: Yeah, I mean, if you buy a ticket for 20 pounds, or 20 bucks, then you know, you're out 20 bucks, right? Not a big loss, you know what your loss is, going in. Maybe you're helping somebody, and you can think that.

Maria Varmozis: I feel like I should mention here, for people who don't know about Piccadilly, that's like the Times Square of London, so there are a lot of scammers walking around that area [laughter], so just for anyone who is like visiting London on business and doesn't know this? Like that is a hotbed of a lot of not so great activity. So they're on the lookout for [laughs] people.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: If you walk in there with a straw hat, and a piece of grass sticking out of your mouth [laughter]-

Maria Varmozis: Look! It's a Yank [laughter]!

Joe Carrigan: Your denim overalls [laughter]--

Dave Bittner: Right [laughter]!

Joe Carrigan: With a map in your-printed map in your hand, looking around [laughter], wide-eyed.

Maria Varmozis: Where can I find a big mac around here [overlapping speakers]?

Dave Bittner: You know, I've never been to Piccadilly Circle, but I think my most vivid, well, the image that pops up in my mind is the final scene in American Werewolf in London.

Maria Varmozis: [Laughter] Wow!

Joe Carrigan: I don't remember the final scene, but I go to a different movie.

Dave Bittner: Okay.

Joe Carrigan: I go to Wayne's World.

Maria Varmozis: These references!

Joe Carrigan: Where they had a couple of obvious body doubles standing on Piccadilly, on the Circle, going wow, Wayne, we're at Piccadilly Circle [laughs], it's hilarious.

Dave Bittner: Yeah. Well, hopefully someday I'll get there, but so far, I've never had the pleasure. Alright, we've got one more bit of follow up here.

Joe Carrigan: Yes!

Dave Bittner: Joe, what have we got?

Joe Carrigan: Paula said that we mentioned people being on their phones after a flight gets canceled, and Paula makes the astute observation that some of these people probably have Concierge services with their employers, that they're required to go through. So that's why they get on their phones and call the Concierge service. They don't have to wait in line. They get it done immediately.

Dave Bittner: Right.

Joe Carrigan: Very nice.

Dave Bittner: That's livin'!

Joe Carrigan: That is [laughter]. You know, I used to work for a company that had this kind of thing.

Dave Bittner: Okay.

Joe Carrigan: But I never had to use it. Actually-

Maria Varmozis: Lucky!

Joe Carrigan: Nope, I never had to use it. I missed a plane once, but it was prior to that. Yeah, but I never had a problem with it.

Dave Bittner: I have been around folks who have this sort of thing, or organizations where this is, I guess, a perk of being at the executive level? I've never been at that level, so [laughs].

Maria Varmozis: That's funny, because the places I've worked, us lower folks had to use the booking service, and it was the executives that could book direct [laughs], so-

Dave Bittner: Oh, isn't that interesting? Okay!

Maria Varmozis: [laughing] Maybe things have changed a little bit? But us lower-rung folks are the ones that had to go through the travel agency.

Dave Bittner: Alright, could be that my perception is completely upside-down, so-

Joe Carrigan: When we book through the agency, all of our expense reporting got done automatically, which was nice.

Dave Bittner: That is nice.

Joe Carrigan: I didn't have to fill out an expense report for every trip I went on, which was, they were numerous at one point.

Dave Bittner: Yeah. Alright, well, our thanks to Raul, Alec, and Paula, for sending in these kind notes. We do appreciate it. And of course, we would love to hear from you. You can email us, it's hackinghumans@n2k.com. Alright. Let's jump into our stories here, and Maria, as our special guest, do you want to kick things off for us?

Maria Varmozis: Oh, my goodness! My pleasure. Okay! So rhetorical real question for you, but not rhetorical, an actual question for you both. Do you use, or have you heard, people sort of short-handing a service that one can call when one is having trouble with one's computer or electronic devices at home?

Dave Bittner: Geek Squad?

Maria Varmozis: Yeah, it's either Geek Squad-

Joe Carrigan: Geek Squad, or-right, or Joe and Dave's lifetime technical support [laughter].

Dave Bittner: That's just for our parents, right [laughing].

Maria Varmozis: I would say, like in my family, it's "Call Maria!" That's yeah, but Maria is the Greek Squad Geek Squad in my family, but that's [laughter]-

Dave Bittner: But I would say-Greek Squad [laughing], that's great [laughter].

Maria Varmozis: You're welcome! Hey!

Dave Bittner: Thank you, thank you, please tip your waiters, try the veal [laughter]. I would say in my mind Geek Squad is the Vaseline, the Q-Tip, the, you know, the generic name for this sort of thing, the big corporate provider of this sort of thing.

Maria Varmozis: It is the phrase that I hear a lot, that people just use as exactly, that's shorthand for I need technical help of some kind, a house call.

Dave Bittner: Right.

Maria Varmozis: I guess it's good job Best Buy, on getting that branding out there, like that. So this, that was the term in mind for one gentleman, Charles Gibbs, of Ontario, Canada. He thought he was getting Geek Squad help when he had a printer, it's always a printer, isn't it? That's being very troublesome at home [laughter] printers-

Joe Carrigan: Printers are the worst!

Maria Varmozis: They are the worst, they are actually the worst ever, so my sympathies, Mr. Gibbs. So he did what a lot of people in this situation would do, he didn't have Maria to call on for IT support, so he just Googled Best Buy, and Geek Squad, you know, why not? And the first result he got in his search results, again, this was a Google search, was a very legitimate looking website, official logo, the location lookup service was working, it pointed him correctly to his nearby Best Buy, that he knew was his, and it confirmed that store was real, and it even gave him a phone number to call. So there was nothing alerting him that this was a scammy website, or something that he shouldn't trust. It looked completely legitimate. So on that cursory glance, he called the number that he saw on that website. And I'm sure many of our listeners, and you two, know exactly what happened next. What unfolded was very familiar, "Mr. Gibbs, thank you for calling Geek Squad, oh, it looks like there is a $349 refund balance on your account that's just sitting there, don't you want this money? We'll happily get it to you, if you just let us know your banking info, we can have that sent direct deposit, so it's no trouble for you whatsoever, you know, you've got enough to deal with, here you go, and oh, oops! Oh no, we sent you $10,000 instead [laughing]. Tee hee, silly us! Oh, that happens all the time! Yeah, so we-

Joe Carrigan: Right, that's when I hang up.

Maria Varmozis: That is why, I'm not surprised that you knew that.

Joe Carrigan: Go out and spend $10,000!

Maria Varmozis: Go do something useful with that money [overlapping speakers] yeah, yeah, listeners know, this is a common script. We've, I've covered it, you all have covered it, everybody knows. But yeah, so the scammer sent Mr. Gibbs on little errands, between the bank, and a Bitcoin ATM to supposedly return that excess money to the Best Buy, and after all was said and done, that supposed $349 refund that was due to Mr. Gibbs ended up costing him $25,000 Canadian dollars, which is like $18,000 U.S. dollars, which is a lot! So because of his experience, Mr. Gibbs actually went to CTV and told his story, to let others know about his experience, so good job.

Joe Carrigan: Excellent, thank you Mr. Gibbs!

Maria Varmozis: Yes, and hopefully other people will learn from it, especially other seniors like himself. And he said this quote, "when they said I needed to pay even more money for currency conversion that that was enough! And I didn't give them any more. While it was happening, it was almost like I was in a trance, and I kept thinking it was me that called Best Buy Geek Squad, and they are reputable companies," which is a very interesting quote, I think that's a very relevant quote here. So in your expert opinions, to me, this sounds like SEO poisoning, a classic technique, so bad guys gaming the search engines, to make sure their scammy websites rank higher than the legitimate ones. Not a new thing.

Joe Carrigan: Or, was it an ad that he clicked on?

Maria Varmozis: We don't-see, that's the thing I was trying to figure out, was it a sponsored, was it an ad? Or was it just at the top of the search results? I don't know, because that wasn't in the article. I'd be very interested to learn that.

Dave Bittner: Well, yeah, I mean, I would think these days, anything you Google search, an ad is going to be at the top of the search results. And since Google is doing such an awful job these days [laughter] of differentiating between the ads and the actual content-

Maria Varmozis: No!

Joe Carrigan: To say the least, yeah.

Dave Bittner: That's, you know, I will cynically put some of this on them.

Maria Varmozis: I think you are right on. I actually tried to replicate this, and I got a legitimate looking website, that was like an off-brand Geek Squad in my area, that it didn't look like the Best Buy website, but it looked close enough, you know, I just thought that was amazing. It wasn't the same service, I'm sure, that Mr. Gibbs found. But it was something else. In my area. Trying to do the same exact thing. I have no idea if it's legit or not, or if it's just counterfeit [laughs], but either way, it's just amazing [laughter] how-

Dave Bittner: Somebody is selling fake Geek Squad franchises now, right?

Maria Varmozis: Yeah, it was called like Geek's Friends, or something, I was like, what is that? Really?

Joe Carrigan: Geek's friends?

Maria Varmozis: It sounded like a dating website, honestly-

Joe Carrigan: I don't want to go to Geek's Friends!

Maria Varmozis: I wasn't-but it [laughter]...Lonely geeks!

Dave Bittner: There you go.

Maria Varmozis: In your area, no, so it sounded like a pretty classic SEO poisoning attack, and the reminder for everyone of course is always be wary of what you click, that search engines are not nearly as trustworthy as they used to be, and of course [laughs] Best Buy knows about this, many companies like this, their brands are getting hijacked. They know about this kind of thing, but as we've covered before, it's like whack-a-mole, you take one of these websites down, a bunch of them replace, pretty quickly. So what can you do to protect yourself?

Joe Carrigan: What can you do to protect yourself?

Maria Varmozis: Yeah, what can you do to protect yourself [laughing] I'm getting fooled by attacks like this.

Joe Carrigan: Vigilance [laughter], ever, I mean, that's really the only thing.

Dave Bittner: Well, don't click through to a site, a big named site that you're trying to get at, like, for example, if you want to go to Best Buy, type in Best Buy dot com, don't click on the link after a Google search for Best Buy.

Maria Varmozis: I think that's valid, and I think that is the advice, and I'm going to just be a little annoying. If you are not the most technically savvy person, and maybe you've got a lot of advice bounding around in your head, about how scary the internet is, I'm just remembering when Whitehouse.com is a website you really did not want to go to [laughter]-

Dave Bittner: Yeah, it's true.

Maria Varmozis: I mean, just sometimes people get really freaked out, like I don't know which one is the right one. Maybe I'll Google search it to figure out which one I should use, and then you get this poisoned SEO result.

Dave Bittner: I think it's an excellent point. I mean, a dear friend of mine pointed out to me that his sister believes that the Google home page is the front door to the internet. Like, so, in other words, when she brings up a browser, it defaults to Google, which I think is really, really common. And to her, that's where you begin. You don't put the name of where you're going up in the URL bar, you put it into Google, and then Google takes you there.

Joe Carrigan: Right.

Dave Bittner: So I think that's a pretty common reality for a lot of folks who are just, you know, aren't sophisticated tech folks.

Joe Carrigan: Right.

Maria Varmozis: Like us, you can say it [laughing].

Dave Bittner: Like us, thank you.

Joe Carrigan: It makes sense, and it works. It works as a model.

Maria Varmozis: Right?

Joe Carrigan: You know, I used to think that way, about Yahoo. You know, not knowing that it was not the front page, but whenever I loaded my-I mean this was way back!

Maria Varmozis: I remember it, though. Yeah, yep.

Joe Carrigan: Before Google existed, you know, Yahoo would be my front-end page, and I'd be like, well let's see what's out there, and look at it. And when I open the web browser, it came up to Yahoo, and that's how I thought about it.

Dave Bittner: Right.

Joe Carrigan: Now, it comes up to the default unloaded page, that's what I do every single time. And I do that partially to remind me that this is not just some search that I can go, or just some search engine.

Dave Bittner: Yeah.

Joe Carrigan: Of course, my main browser is Chrome [laughs].

Maria Varmozis: Yeah, and-

Joe Carrigan: It has [overlapping speakers]-

Dave Bittner: Sort of the same thing.

Maria Varmozis: Yeah.

Joe Carrigan: Search interface, right in front of it.

Maria Varmozis: And I'm curious, I mean, I'm not sure if he was on a desktop or if he was on his phone. I feel like if you're on your phone, it adds a whole other level of difficulty there too.

Joe Carrigan: Right, yeah, there is a big real estate problem on phones.

Maria Varmozis: Yeah, so I know the advice is, as you said, you know, go directly to the website, but then we've also kind of a little bit freaked people out about [laughing] that too, so it's a rock and a hard place on that one for sure. But Joe, you nailed it with the never give out your bank info, just disconnect the phone right there. That is always the reddest of red flags.

Joe Carrigan: I was trying to say that I would hang up as soon as they put the $10,000 into my account, but the truth of the matter is, they never put $10,000 into this guy's account. They're just not going to risk that, and if the guy is online with them, what they're doing is they're manipulating a web page that he's watching, while this is going on.

Maria Varmozis: Hmm! Mm-hmm!

Joe Carrigan: You know, it's a social engineering attack, but you know, the way to handle this is you know, when somebody says hey, we have a balance here that we need to transfer to you, give me your bank account, just say "just write me a check." Write me a check and mail it to me.

Dave Bittner: Right.

Joe Carrigan: I don't need that money right now, it's fine. You know, but then again, maybe-

Maria Varmozis: Maybe you do!

Joe Carrigan: Maybe you do need that money right now, well chances are, this is a scam, and there is no money. And that you're only going to wind up in greater need of money at this point in time. So yeah, tell them write you a check.

Maria Varmozis: Until the check bounces. Okay, now, I'll stop, I'll stop [laughter].

Joe Carrigan: Right, the check will never show up.

Dave Bittner: I guess the problem I have with write me a check is that, even at that level, it's engagement.

Joe Carrigan: Right.

Dave Bittner: And they've hooked you in some way.

Joe Carrigan: And they're like, well what's your address.

Maria Varmozis: Yeah, now they've got your address, yeah.

Dave Bittner: So now they send you a check, and there is a problem with the check, but the check has a tech support call number on it [laughter], oh, we forgot to sign the check? Hey, no problem, tell you what, right?

Maria Varmozis: Or couldn't it just become a check cashing scam, where they send you a check for too much money, right? Then it could be again the same thing all over again, oh, we sent you a $10,000 check instead of $349, I mean, yeah.

Joe Carrigan: I'll just drop that right in the shredder then.

Maria Varmozis: Just hang up! Just hang up.

Joe Carrigan: I'm sitting here fantasizing about how to deal with these guys, and you've got the right answer, Maria. Terminate the call.

Maria Varmozis: But poor Mr. Gibbs' printer is still not working, who is going to fix it [laughing].

Dave Bittner: Right, exactly.

Joe Carrigan: Nobody is going to fix his printer, printers don't work. Just accept it.

Maria Varmozis: Throw it out the window yeah [laughter].

Joe Carrigan: Go buy another one. I got so frustrated one time with a printer that didn't work I just went out and bought another one.

Maria Varmozis: You didn't just Office Space it?

Joe Carrigan: That one is working great. Yeah [laughing], I did. I'm going to Office Space it. We've Office Spaced a few things in my house. There was a bundt pan that would tear my wife's cakes apart and that got Office Spaced.

Maria Varmozis: [Laughing] You Office Spaced a bundt pan?

Joe Carrigan: My kids did, yeah [laughter] yeah.

Dave Bittner: Were there explosives involved, or just hammers?

Joe Carrigan: Just baseball bats [laughter] and some Geto Boys music in the back [laughter].

Maria Varmozis: Wow, wow.

Dave Bittner: Absolutely.

Joe Carrigan: They made a Vine of it, that's how long ago it was.

Maria Varmozis: Oh gee!

Dave Bittner: Wow. Alright. You know, I'm actually friends with the person who shot that scene?

Joe Carrigan: Are you?

Dave Bittner: Yeah, it was shot way after the movie was wrapped, also, like, the movie was shot in California and that scene was shot in New Jersey, or something like that. I forget what the actual lore is, but yeah.

Joe Carrigan: That's a great movie, though, by the way. The movie is Office Space [laughter], if you haven't seen it. It's a Mike Judge movie, and-

Dave Bittner: Great scene, anyway-

Maria Varmozis: That scene is-

Joe Carrigan: The whole movie is great, in my opinion. I think it's just, I love Mike Judge in just about everything he does.

Dave Bittner: Yeah. Alright, well, Maria, good advice, and of course, we will have a link to that story in the show notes. Joe, what do you have for us?

Joe Carrigan: I have two things, Dave and Maria, but the first one is really quick. Dave, you remember, way back in Episode 272?

Dave Bittner: Sure.

Joe Carrigan: Yeah, in January, there was a listener named Michael who wrote in about getting scam texts for toll roads.

Dave Bittner: Yes.

Joe Carrigan: Well, the FBI has, through the Internet Crime Complaint Center, has released a Public Service Announcement, and we can put a link to this in the show notes, it says "Smishing scam regarding debt for toll road services." So apparently, this is a common thing. They are calling it a new scam, since early March of 2024, however, Dave, we've been talking about it since January of 2024.

Dave Bittner: Right. Go on.

Joe Carrigan: So they've received over 2,000 complaints about these smishing texts, that say the recipient owes money for unpaid tolls and contains almost identical language with the outstanding amount. So just take a look at this advisory. Understand that if you get these texts, they're just scams to try to get you to pay the $12 before the mythical $50 bill approaches.

Dave Bittner: Right. The mystery that I think is still out there when it comes to this, that I did not see addressed in the information from the FBI, was the part that Michael shared with us about how the text message would come moments after they were on a toll road.

Joe Carrigan: Yeah.

Dave Bittner: Like it seemed to be somehow geofenced. Right? That was the mysterious part to me.

Joe Carrigan: Yeah, still mysterious.

Dave Bittner: Mm-hm. Because I can understand just a generic, you know, spray and pray, send everybody we can a thing that says you owe-you have a balance on a toll, right? That, to me, that's just run of the mill, just out there, trying to collect what we can, you know, scenario.

Joe Carrigan: Right.

Dave Bittner: But the part that Michael shared, where it would seem to be somehow geofenced to actually being on a toll road, that is still intriguing to me.

Maria Varmozis: That is interesting. That's quite the wrinkle to that story, yeah.

Dave Bittner: It is, yeah. What else you got, Joe?

Joe Carrigan: So, I have this story that has kind of been in the news, developer news, and I'm going to talk about software development, so buckle up everybody.

Maria Varmozis: Alright [laughing].

Dave Bittner: Oh, goodie!

Maria Varmozis: Okay! Let's do it [laughter].

Joe Carrigan: There is a utility that is included with a lot of Linux distributions called XZ Utilities.

Maria Varmozis: What's a Linux? No, I'm kidding, I'm kidding, I'm kidding [laughing].

Joe Carrigan: Right [laughter].

Dave Bittner: Is that like a Unix?

Joe Carrigan: Yes, very much so [laughter].

Maria Varmozis: Is that how I get on internet? Is this the year of the Linux on desktop? Sorry, okay I'll stop [laughter].

Joe Carrigan: Let's hope. No [laughter continues] that will never happen. So anyway, these utilities were developed by one guy, essentially, as is the case with a lot of these open source projects, and he was developing them in his own spare time, and on his-on one story I read about this, he was saying that he was getting kind of worn down, getting kind of exhausted, and somebody said hey, I'm happy to help take over this, this project, and help you work on it. And his name is Jia Tan and he positioned himself, or actually, this report says they positioned themselves, because they believe this is actually a group of people from a nation state. They positioned themselves to be able to put a back door into this, into these libraries, into these XZ libraries. And these XZ libraries have to do with file compression, so there are Linux distributions that use these file compression libraries and there was not widespread distribution of the back door, because it was detected before it could be widely distributed. But it was there, and it was heavily obfuscated, which means, it was hard to see.

Dave Bittner: Mm-hm.

Joe Carrigan: Well, there is an organization called the Open Source Security Foundation, which is, they work on the security of Open Source software, and there is a company called Open-or another organization, OpenJS-who is the Open JavaScript Foundation. They're issuing a security alert for all open source projects to watch out for social engineering takeovers of their projects. So apparently someone who is really targeting open source projects, because if you can get into an open source project, and put a back door into it, successfully and undetected, chances are over time that project is going to be distributed with so much other software. If you think about the Log4j vulnerability. I don't know if that was delivered or not. I don't think it was, I think it was just a bug. But Log4j is so ubiquitous, that I remember using it back in the early or late 2000s, and it has been just around for that long. It's a library that everybody has, in just about every Java project they produce. So there are some suspicious social engineering patterns to look for that the open, the OpenSSF and OpenJS people say you should look for. One, friendly yet aggressive and persistent pursuit of maintainer, of the maintainer, by a relatively unknown member of the community. So, a new person comes up and says hey, I need to be part of this system. You need to put me in charge, you need to give me a position of authority. I'm going to do the best job on this thing. Maybe that is a guy that is working for somebody who wants to put a back door into your software. Request to be elevated to maintainer status by newer, unknown person. Endorsement coming from other unknown members of the community who may also be using false identities. And they have a term for this. It's called sock puppets, which, I love that term [laughter]. Then it says pull requests, containing blobs or as artifacts. So this is where I have to get in developer stuff. So a pull request is something you do on GitHub, where somebody has cloned your repository, and they've made the change, and they've uploaded it to their repository, and they issue a pull request, for you to pull their changes into your repository. And if they have large, well, blobs, which are binary large objects, in their code as artifacts, chances are, that could be the back door masquerading as something like a test. As it was in the case of those compression utilities.

Maria Varmozis: It's basically bits of code. We don't know quite what it does, and we're not sure it should be there, and [laughing]-

Joe Carrigan: Right, and it's not in source code, so you can't just read it, you actually have to reverse engineer it. Right, you actually have to do the reverse engineering on it, which is not a task that every single developer can do. There are some security researchers that are really good at it, it's what they do. Vulnerability researchers, or malware researchers in particular. They go after it, and they're good at doing it. But most developers I've met have been very good at writing the code into the machine code, but not great at getting it back out. Just because that's not where they spend their time.

Maria Varmozis: It's just not what they do. It's a different area. It's a different thing.

Joe Carrigan: Right, it is. It is. Intentionally obfuscated or difficult to understand source code. So, if you get source code that is not plain and not clear, that should be a red flag anyway. That may be bad development [laughter], you know, it may be a developer that is not that skilled.

Maria Varmozis: Could they be using AI?

Joe Carrigan: Right. All the AI code that I've tried to generate recently has all been pretty clear and pretty concise.

Maria Varmozis: For now. Sorry, I'm just being conspiracy minded now [laughing].

Joe Carrigan: Once they wake up-

Dave Bittner: Maybe that's a red flag, the code is too clean.

Maria Varmozis: Yeah.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Gradually escalating security issues, let's see, a deviation from typical project compile. So this is, again, if you start using different chains, different compiler chains, you start including blobs and zips and other binary artifacts into your builds, if you're not a software engineer, none of this matters to you, so you don't need to worry about it. But the final point here is a false sense of urgency, especially if the implied urgency focuses a maintainer to reduce the thoroughness, or review of bypass control. So this is the typical, you know, asks to deviate from the standard process. Which we see in a lot of social engineering attacks, just applied to a software engineering background or project.

Maria Varmozis: What was the timeline for Jia Tan, like how long were they working this? Was it years? Months?

Dave Bittner: Two years, wasn't it? Yeah, about two years I think?

Joe Carrigan: Yeah, it was two years, I think. It was the accounts that were involved in that, in the library compromise, were old accounts by the time the vulnerability happened, but they were-I'll tell you another story. A couple of years, or weeks ago? I don't know, how long ago? A month? Who knows? No, losing track of things. A friend of mine had someone convince him to upload, or download malware, onto his computer that turned out to be an info stealer. And the way they did that was by compromising the Discord account of another person on a development project he was working on, that was kind of like, it wasn't an open source project, but it was a collaborative free project, with a bunch of different people on it. And one guy got compromised, and tried to spread to my friend's account. And my friend was fortunate that he acted quickly enough to be able to get everybody, get everything, get the passwords changed on all of his accounts before the guy had any access to it. But he was immediately asking for money to give him back access. I think this, these attacks are nation state sponsored, and they're going after these open source projects, because they know that these open source projects are widely distributed throughout the world.

Maria Varmozis: Yeah, and if they're investing years into developing it, I mean, they know the payoff is huge. They're not trying to rush this. I mean, I know the development cycles are not super duper fast, but still two years is a decent amount of time.

Joe Carrigan: Yeah, my concern is that what we're seeing here is just the tip of the iceberg, and that the one capture on the library and the other couple of things in this article that it talks about are just the ones that they happen to have been successful at stopping. There may be some out there that have not been successfully stopped, and now there are open source libraries that are in distribution that have back doors in them.

Dave Bittner: Well, and this one was found pretty much by accident. Right? Somebody was looking, someone had noticed that there was, that this library had taken a speed hit. Someone was measuring how quickly it functioned, and they noticed a difference, that for some reason it was burning up a lot of the processor time, that it shouldn't have, so that's what got this person curious, and they started reverse engineering it, and that's how it was found.

Joe Carrigan: It was a Microsoft researcher, if I recall.

Dave Bittner: It was, yeah, and so it was just, you know, someone had a very specific interest in something that this did, and was curious enough and obsessive enough to figure out or to want to dig in, as to why something that should have taken a certain amount of time took a little bit more time than it should have.

Joe Carrigan: Right.

Dave Bittner: And so I think a lot of folks feel like they dodged a bullet with this one because it would have been very likely that it wouldn't have been noticed.

Joe Carrigan: That's one of the metaphors that's used in one of these articles. I read about this. I can't remember if it was this article or another one, but I read like six articles on this. But they said you should not be feeling happy that you've dodged a bullet here, because you've only dodged, you only know about the bullet you dodged. Right?

Dave Bittner: Yeah, well, I think the good news, if there is any, is that this is making a lot of folks who are working on open source projects take a fresh look at how their security is handled, how this social engineering side of it, I think a lot of folks who are technically minded and working in technical industries tend to underemphasize the degree to which pure social engineering play could work on them.

Maria Varmozis: Yes, yes, yep! Yeah, and there's a lot of social trust that goes into these kinds of projects, too.

Joe Carrigan: There is.

Maria Varmozis: So you have to trust your collaborators on these kinds of things to some degree, I mean, but yeah, it's definitely worth making sure there is some kind of process in place, or some protocol? I would hope there would be more [laughter], but if you don't have any, it's time to get some together for sure.

Dave Bittner: Yeah, well, and there are countless projects like this, that are just some really, you know, what is it, the XCS-

Maria Varmozis: XKCD? Yes. Yeah [overlapping speakers] that's exactly what I was thinking about with this whole [laughter] there is always an XKCD comic for anything, that's true.

Dave Bittner: Right, you know, one little piece is holding up this whole big structure, and that one little piece is that tired little developer who is single-handedly keeping track of some little open source component that everything else is built on, but nobody knows.

Joe Carrigan: Right.

Maria Varmozis: There's nothing here for the average person to do. This is definitely on open source maintainers to, yeah-

Joe Carrigan: But my point here is that this is the same techniques that the average person sees. The artificial time horizon, the pressure, the hey buddy! Hey pal, let me help you out-those kinds of things.

Dave Bittner: Right, right. Alright, well we will have a link to those stories in the show notes. Before we get to my story, we're going to take a quick break to hear this message from our sponsor. [ Music ] Alright, we are back, and I am going to go out on a limb at the outset, and say that my story is a doozy!

Joe Carrigan: A doozy!

Maria Varmozis: [Laughing] Love doozies, let's do it!

Dave Bittner: So, Joe, this has some local appeal to you and me. This actually took place nearby at Pikesville High School, and I have to say Pikesville is not too far from us. In fact, my in-laws live in Pikesville.

Joe Carrigan: I used to work in Pikesville.

Dave Bittner: Is that right?

Maria Varmozis: Where is Pikesville [laughs]?

Dave Bittner: It's a suburb of Baltimore. It's a lovely, near Towson, it's about-

Joe Carrigan: It's due west of Baltimore.

Dave Bittner: Yeah, it's a lovely community and probably, I don't know, 20, 25 minutes from us, depending on traffic.

Maria Varmozis: In Maryland.

Dave Bittner: It is in merry-land.

Joe Carrigan: Merry-land [laughter].

Dave Bittner: The land of Queen Mary. So, the Principal of Pikesville High School, whose name is Eric Eiswert, found himself at the center of some controversy when an audio recording of him saying some terrible things started making the rounds among the school community.

Joe Carrigan: I remember the news stories about this.

Dave Bittner: He was making racist and anti-Semitic comments.

Joe Carrigan: Right!

Dave Bittner: And as you can imagine, this audio file would spread like wildfire.

Joe Carrigan: Yes!

Dave Bittner: And it did.

Joe Carrigan: It was all over social media.

Dave Bittner: Yes.

Joe Carrigan: And I remember people were trying this guy in the social media court, and getting ready to burn him in effigy.

Dave Bittner: Right. He was pulled from his job, you know, given what do they call it when they-

Joe Carrigan: Suspended with pay? Administrative leave.

Dave Bittner: There you go, administrative leave, that's the term I was looking for. Yeah. So he was pulled from his job, and they had to put security at his house, because folks were making threats over social media. It was just terrible. And imagine this school community by all accounts this was a respected and liked Principal of the school, leader of the school community, and suddenly, you know, people felt betrayed by this audio file, by these allegations. So imagine that this person could have done this, people felt, I think, you know, rightfully upset, if this were true.

Joe Carrigan: Right.

Dave Bittner: Well, turns out, which I think should be the name of half the podcasts that are out there, turns out [laughter] that he did not do it.

Joe Carrigan: Ah!

Maria Varmozis: Duh-duh-duh! Okay there you go!

Dave Bittner: [Laughing] Right. Turns out that one of his co-workers, someone who is named Dazhon Darien, who has been arrested and charged with using artificial intelligence to create a deep fake to impersonate the school principal.

Joe Carrigan: Now, if I recall correctly, that is exactly what the principal said had happened when this initially took place.

Dave Bittner: Is that right?

Joe Carrigan: Yes.

Dave Bittner: So Dazhon Darien was the head of athletics at the school, and we can only imagine, you know, must have had some kind of beef between him and the principal, and created this audio file allegedly and sent it around, evidently was selective. You know, like we all know that person, right? If I sent it to this person, it's going to make the rounds [laughter].

Maria Varmozis: He took his cues from high school bullies, and was like, that seems like a great idea, I'm going to do that. Wow.

Dave Bittner: Right, right. Exactly.

Maria Varmozis: Of course it was the gym teacher, sorry, but I mean [laughing].

Dave Bittner: So, the school district got involved, and the police got involved, and the Baltimore County Police, as they started to investigate, things just didn't add up. And they discovered that this gym teacher had been doing searches for AI tools, using his computer that was on the school network, and they found an email account that was associated with this person that was one of the ones responsible for the initial distribution of the audio file.

Joe Carrigan: Interesting.

Maria Varmozis: He used a school account? I'm sorry-I'm still stuck on that [laughing]. He used a-at school?

Joe Carrigan: A computer at the school.

Maria Varmozis: He knows how much those things are monitored, right? I mean, come on.

Joe Carrigan: Maybe not.

Dave Bittner: I don't know, I don't know those specific details. It seems as though that is the case, you know, the specific details are a little sketchy here, or fuzzy anyway, in the reporting that I've seen on this, but evidently there were enough breadcrumbs for the police to follow that they charged him.

Joe Carrigan: Really?

Dave Bittner: Yeah, he's charged with a number of things. Now, one of the things that they point out here is that there really aren't direct laws about this particular thing [laughter].

Maria Varmozis: Yeah, what do you get charged with? Is it like wire tap fraud or something, what do you-what is the crime they can get you for?

Dave Bittner: So the charges that he faces include disrupting school activities, theft, retaliating against a witness, and stalking.

Joe Carrigan: Alright, I want to pause a minute, disrupting school activities is a chargeable offense? Is that new? Because I hope that isn't [laughter], I hope that wasn't the case back in the 80s, Dave!

Maria Varmozis: You know, like bomb threats, and stuff?

Dave Bittner: One thing I've come to kind of understand and believe is that there are all kinds of laws on the books, and there are proactive laws, and there are reactive laws, right? There are laws that you go out there and actively seek to enforce, and there are reactive laws, which are on the books just in case you need them.

Joe Carrigan: Right.

Dave Bittner: And I would probably put disrupting school activities as being one of those. And I don't know if it's a misdemeanor, or felony, or who knows what. The theft is because when more scrutiny was put on this person, turns out that they are, again, alleged to have inappropriately distributed some school funds.

Maria Varmozis: Hm!

Joe Carrigan: Okay.

Dave Bittner: So that's part of what's going on here.

Joe Carrigan: So uncovering other actions during the investigation.

Dave Bittner: Correct.

Maria Varmozis: But nothing actually about impersonating him?

Dave Bittner: No. No.

Maria Varmozis: Because there is no law for it.

Dave Bittner: I don't think it's illegal yet. Yeah, right.

Maria Varmozis: Dang! Yep! Alright.

Dave Bittner: Yeah, so I think as I read through this, what it really brought home to me was the community's rush to judgment. Which is an understandable impulse, right? I mean, the accusation was of doing horrible things. Of saying horrible things.

Joe Carrigan: I think when we talked about this when it first happened, I may have brought that up, like, I think that we owe this guy, I don't know, maybe I didn't? But I seem to remember thinking we owe this guy at least the benefit of the doubt here. You know, okay, put him on administrative leave until we sort this out, and if it comes out that he did it, we can dismiss him. If it comes out that he didn't do it, you know, no harm, no foul, right? Except for the damage that has been done to the school community. There is always going to be that lingering doubt, I mean, it's what any accusation does.

Maria Varmozis: Yeah, and his reputation has taken a hit, through no fault of his own. Yeah. Yep!

Dave Bittner: I don't know if he has kids or not, but you know, hey daddy, why is-why are there guards out in front of our house?

Joe Carrigan: Right, yeah.

Dave Bittner: You know, there's all kinds of things that could come from this, but I think it's just a terrible example of somebody, so this is the new reality that we're in here, this is easy to do.

Joe Carrigan: Right.

Dave Bittner: Right, you have someone who is a public individual, so not hard to get a voice sample.

Joe Carrigan: Right.

Dave Bittner: And you can spin something like this up effortlessly, for free. And that is what this person did.

Maria Varmozis: Yeah, benefit of the doubt is not a very stylish thing right now so yeah, as much as we need it more than ever, it's not really a thing anymore, it seems. So oh boy!

Dave Bittner: Right. Yeah, and of course the other side of this, to be fair, is that folks who did do horrible things, or say horrible things, one of the ways that they'll try to deny it will be, well, to say, oh, obviously that's a deep fake. I never said that. Right? That means you can do that for free, and it's easy and I'm a public official, of course someone did this to me.

Maria Varmozis: Isn't my friend. Yeah, that's great, like right!

Dave Bittner: Yeah, I mean, I don't know how we work this out. I don't know how we sort this out. It's going to lead to hopefully more skepticism, I guess, but you know, who do you believe? At some point, you have to believe people, you have to trust people, and this is yet another injection of uncertainty in our ability to trust each other. And it's troubling.

Joe Carrigan: It is.

Dave Bittner: Yeah.

Maria Varmozis: Hooray [laughter].

Dave Bittner: Alright, well that is my story for this week. We will have a link to that in the show notes. And of course, if there is something you'd like us to consider for the show, please email us. It's hackinghumans@n2k.com. Joe, the Catch of the Day has the week off, this week.

Joe Carrigan: Alright!

Dave Bittner: It is intimidated by Maria [laughter], so he'll be back next time.

Maria Varmozis: I've been told, I've been told [laughter].

Joe Carrigan: I'm sure it's out fishing right now [laughter].

Dave Bittner: Exactly, right. It knew better. So Catch of the Day will return next time. But until then, Maria, thank you so much for joining us. It is always a pleasure. And we are so happy to have you take the time to be with us.

Maria Varmozis: Oh, thank you for having me! I always have a great time.

Dave Bittner: So, if folks want to check out some of the other things that you're up to, what's the best way to do that?

Maria Varmozis: Please listen to T Minus Space Daily, anywhere fine podcasts are purveyed, and Space.n2k.com is our website. [ Music ]

Dave Bittner: Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment: your people. They make you smarter about your team, while making your team smarter. Learn more at N2K.com. Our executive producer is Jennifer Eiben. This show is mixed by Trey Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmozis: And I'm Maria Varmozis.

Dave Bittner: Thanks for listening. [ Music ]