Hacking Humans 11.6.25
Ep 362 | 11.6.25

Seniors in scam crosshairs.

Transcript

[ Music ]

Dave Bittner: Hello everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hi, Joe!

 

Joe Carrigan: Hi Dave!

 

Dave Bittner: And our N2K colleague, and host of the "T-Minus Space Daily Podcast," Maria Varmazis. Maria!

 

Maria Varmazis: Hi Dave, and Hi Joe.

 

Dave Bittner: We've got some good stories to share this week, but first, let's jump into our follow-up here, Joe, I think you're up first with follow up, what you got?

 

Joe Carrigan: We got a lot of follow-up, but I'll start with Jay, messaged me and Dave on LinkedIn, and sent a link to a post from Ivan Vercolett [phonetic spelling], I'm hoping I'm pronouncing Ivan's last name correctly. But Ivan's posting an interface improvement that Robinhood has implemented, and this is a pretty big claim that Ivan makes, that Robinhood just solved the $25.4 billion dollar problem with a simple banner. I don't think this solves the problem, but I think this goes a long way, so if you were on the phone when you open your Robinhood app--

 

Dave Bittner: Okay, Robinhood is a financial--?

 

Joe Carrigan: It's a financial app, right, you can open an account with Robinhood and trade stocks, and I think you can even buy fractional stocks.

 

Dave Bittner: Okay.

 

Maria Varmazis: You can do crypto on Robinhood, too.

 

Dave Bittner: Oh.

 

Joe Carrigan: Yes, so if you-you know, if you're-if you want to buy, if you're a small-time investor and you want to buy Microsoft, but you don't have $500 to lay down for a single share of stock-

 

Dave Bittner: Yeah.

 

Joe Carrigan: Then you can go in there and buy a fractional share as well.

 

Dave Bittner: Okay.

 

Joe Carrigan: So you could put $50 down and buy a tenth of a share, which is good, I think.

 

Dave Bittner: Alright.

 

Joe Carrigan: Gets everybody in. Anyway, this banner that comes up if you're on your phone and you open Robinhood, it says "we're not calling you. If the caller says they're from Robinhood, they're not. Hang up."

 

Maria Varmazis: Love it.

 

Joe Carrigan: That's what the banner says.

 

Maria Varmazis: Love it. Direct, to the point.

 

Joe Carrigan: I'm looking at the-and that's what Ivan says. This is great. It detects active phone calls, triggers a contextual warning, there's no complex AI. Works across all the scam scripts, and Ivan says zero friction for legitimate users. But there is a lot of feedback in here that is not scalable. I disagree with that. It is-it is scalable, because it says here 200 other apps, but in order for this alert to come up, you have to open Robinhood while you're on the phone.

 

Dave Bittner: Okay.

 

Joe Carrigan: So if you're talking to your wife, and you want to know, she wants to know how much is in the Robinhood account, you open it up, and you get the banner, you click the banner away, right? But if someone says hey, I'm from whatever bank I am, open your banking app, if every bank enabled this, it would not, I think it would scale just fine.

 

Dave Bittner: Hm, yeah.

 

Joe Carrigan: Somebody else pointed out that Monzo Bank already did this in 2023.

 

Dave Bittner: Okay. Well good.

 

Joe Carrigan: It's a good idea.

 

Dave Bittner: Yeah.

 

Joe Carrigan: I think every financial app should do it.

 

Dave Bittner: Alright, what else we got?

 

Joe Carrigan: Ah, let's see. Hold on, let me close this tab. I have a little follow-up on one of our previous stories. We'll put a link in the show notes, but apparently Myanmar is blowing up, or demolishing scam centers.

 

Dave Bittner: Yes.

 

Joe Carrigan: So they're just tearing them down, which is great. So go read that story from the AP news, we're not going to cover this, this is just good news.

 

Dave Bittner: [Laughing] I would just, I will add quickly that the people are out of them before they're blowing them up [laughter].

 

Joe Carrigan: Yes! [Laughter]

 

Maria Varmazis: Yes, like, good news! Lots of people died. No, no, no, no.

 

Dave Bittner: No, no, they're clearing the people out, and then, and they're actually trying to reconnect them-

 

Joe Carrigan: Repatriate them. Yeah.

 

Dave Bittner: Repatriate, that's the word I'm looking for.

 

Joe Carrigan: Yes. Get them home.

 

Dave Bittner: And so, but then, to put a button on it, they are blowing up the buildings [laughter] that were used for it-I hope they weren't renters. Anyway [laughter].

 

Maria Varmazis: Just put a little spackle on it, the [overlapping speakers].

 

Dave Bittner: That will leave a mark, yeah [laughter].

 

Joe Carrigan: Then you go over and rent another place, and build another scam center.

 

Dave Bittner: Yeah, alright, I have some follow-up from J.J., who is a longtime listener, and regular contributor, and Joe, he's taking you to task.

 

Joe Carrigan: Okay, who?

 

Dave Bittner: Nobody calls them just a CAC. C-A-C. Everybody except Joe calls them CAC cards. Don't be Joe. Now, let's back up here [laughter] because I couldn't remember what CAC was.

 

Joe Carrigan: Common Access Card.

 

Dave Bittner: Common Access Card. So this is kind of like an ID.

 

Joe Carrigan: Yes-

 

Dave Bittner: Military contractor ID, I guess?

 

Joe Carrigan: It's a government ID, issued to government employees, and to some select government contractors, yes.

 

Maria Varmazis: Not that common.

 

Joe Carrigan: It's a smart card.

 

Maria Varmazis: Because I don't have one.

 

Dave Bittner: [Laughter]

 

Joe Carrigan: Are you a government contractor? Do you work for the government?

 

Maria Varmazis: No. So it can't be that common.

 

Joe Carrigan: You will not have it, but it's a smart card. It's just a smart card, for certificate-based authentication.

 

Dave Bittner: Okay.

 

Joe Carrigan: And it's got a PIN on it, and that is what keeps your PIN encrypted, so or your keys encrypted. The PIN is used to decrypt your keys when it's put into a CAC reader.

 

Dave Bittner: Alright.

 

Joe Carrigan: So I will take issue with this, J.J., because I did a real quick survey.

 

Maria Varmazis: [Laughing] You take issue with his taking issue with you.

 

Joe Carrigan: I do!

 

Dave Bittner: Yeah?

 

Maria Varmazis: It dishes all the way down, okay.

 

Joe Carrigan: I asked-I asked five people familiar with the matter [laughter], and everyone I said-

 

Maria Varmazis: That is a small sample size, Joe, come on.

 

Joe Carrigan: It is a small sample size, but four out of five guys-

 

Dave Bittner: Well, to be fair, Joe works in a cleared space, right? I mean, isn't that right?

 

Joe Carrigan: Yeah, I don't like talking about that [laughter]-but right. And [laughter], I said what is this? And four people said CAC, one person said CAC card.

 

Dave Bittner: So four out of five people call it CAC. Sorry J.J.

 

Maria Varmazis: Are you sure they weren't just clearing their throat, going [coughing]-you know, okay?

 

Dave Bittner: Isn't CAC card kind of like ATM machine?

 

Joe Carrigan: It is exactly like ATM machine [laughter].

 

Maria Varmazis: Oh, don't get him started Dave [laughter], the whole thing! Oh my gosh-

 

Joe Carrigan: I actually said ATM machine a couple weeks ago, and then corrected myself last week.

 

Maria Varmazis: Burst into flames-no. Okay.

 

Joe Carrigan: Yes, I almost burst [laughter] I'm surprised I didn't.

 

Dave Bittner: Yeah.

 

Joe Carrigan: I go back and listen to every episode, so that, not just because I love to hear the sound of my own voice, but!

 

Dave Bittner: In addition to that-

 

Joe Carrigan: In addition to that, I like to correct my own errors when I say things like ATM machine, or CAC card.

 

Dave Bittner: Self-flagellation.

 

Joe Carrigan: Yes.

 

Dave Bittner: Alright, and then finally-

 

Joe Carrigan: No follow-up section would be complete without chickens, Dave.

 

Dave Bittner: Yes.

 

Joe Carrigan: Shannon writes in to say, "My daughter works as a barista at Scooter's coffee," it's a drive-through coffee place.

 

Dave Bittner: Oh.

 

Joe Carrigan: She has seen owners come through the drive with a duck, possum, dogs, cats, and now, a chicken. A chicken got a pup cup, which is just a cup of whipped cream-you ever get that at Starbucks?

 

Dave Bittner: No, no.

 

Joe Carrigan: You get like a pup-uccino.

 

Dave Bittner: Okay.

 

Joe Carrigan: Yeah. They'll give your dog a free cup of whipped cream.

 

Dave Bittner: [Laughs] Okay.

 

Joe Carrigan: I go through there in dog costumes [laughter].

 

Maria Varmazis: Like, I would like a free cup of whipped cream. I don't have a dog.

 

Joe Carrigan: But it's a free cup of-this one had a dog biscuit in it.

 

Maria Varmazis: Oh, never mind.

 

Joe Carrigan: So, my question to Joe, if you're not taking your chickens for coffee and a pup cup, are you even a real chicken owner? By the way, I'm also including the picture of the duck, because it's adorable, and down in the script you will see a picture of the chicken eating out of the pup cup and somebody holding a duck over, and my wife tried to get-talk me into getting ducks, but my brother has ducks. I have a shirt to that effect.

 

Dave Bittner: Ducks are great, yeah.

 

Joe Carrigan: That's a whole other story, but ducks are much messier than chickens.

 

Dave Bittner: Oh really?

 

Joe Carrigan: Yeah, if you think chickens are messy, ducks are much more messy. Now, as far as taking your chickens on a ride-

 

Dave Bittner: Yeah.

 

Joe Carrigan: The very first person who convinced me that I needed chickens was years ago, this guy's name was Tony Phelps, he has since passed away, so I can say his name.

 

Dave Bittner: Yeah.

 

Joe Carrigan: But he had a chicken, a hen, that was very much like my hen, "Snuggle Bug," that I call her [laughter], this is the one that is on my Facebook profile that is sitting on my shoulder.

 

Dave Bittner: Sure.

 

Joe Carrigan: She's first out of the coop when I come out there. She wants me to pick her up and hold her.

 

Dave Bittner: Uh huh.

 

Maria Varmazis: Little Velcro chicken.

 

Joe Carrigan: Right, little Velcro chicken. So, but Tony used to take his version of Snuggle Bug in the car. He'd drape a towel over the car, take the headrest off, and take the chicken out for a ride in the car.

 

Dave Bittner: Oh.

 

Joe Carrigan: And the chicken loved it, apparently.

 

Dave Bittner: Okay, yeah, see, that's the thing I would question. I don't know anything about the ability to let's say house-train a bird.

 

Joe Carrigan: You cannot [laughter]. That's-that's the end of the story, Dave.

 

Dave Bittner: Yeah, they just go where they go and that's it.

 

Joe Carrigan: I don't even think they are conscious of the fact that they're doing that. They're just-

 

Dave Bittner: Yeah, that would keep me from having a chicken in my car [laughing].

 

Maria Varmazis: Yeah.

 

Joe Carrigan: I would probably not-yes, I guess, I guess, to answer Shannon's question am I even a real chicken owner. I guess by Shannon's standards, probably not.

 

Dave Bittner: No.

 

Joe Carrigan: But I will walk around the yard with a chicken on my shoulder.

 

Dave Bittner: Okay. So, what you need is a [overlapping speaker].

 

Maria Varmazis: Living dangerously.

 

Dave Bittner: -- a pick-up truck. So you can put the chicken in the back.

 

Joe Carrigan: Yes.

 

Dave Bittner: Where it doesn't matter, and then you can go pulling up with-you could pull up to Starbucks with all of your chickens.

 

Joe Carrigan: I could.

 

Dave Bittner: And you could get a whole bunch of cups of whipped cream [laughter]. Oh my. Alright, well thank you everybody for sending in your kind comments. We would love to hear from you. Our email address is hackinghumans@n2k.com. [ Music ] Let's jump into some stories here. Maria, why don't you kick things off for us?

 

Maria Varmazis: Sure thing. Well, there is a report from friends at Bitdefender and Netgear. Their 2025 IoT Security Landscape Report, which I read with great interest, because up until pretty recently, I was a keep all smart things out of my home type person. I didn't want any IoT devices whatsoever. But I have completely lost that battle [laughter], because it just became just about impossible to do, and now my home has many IoT devices, and I worry about it all the time [laughing].

 

Dave Bittner: When you say lost the battle, is this lost the battle with your other family members?

 

Maria Varmazis: No, it was just, like when we needed to replace the TV, my husband and I we just didn't want any smart devices in our home, and it became almost impossible to find a non-smart TV, and it just-we tried to buy basically a monitor, a TV-sized monitor, without any smart features, and it lasted I think all of a year before my kid essentially destroyed it. But it was just becoming harder and harder to do, to find things that were just dumb, even though I'm still trying [laughs], but especially when I moved into my new home in the last year, I just-I gave up. I said I just can't put in all this work to get nowhere. So I have a lot of IoT devices in my home now, and it worries me a lot. So, I mean, I'm not staying up at night worrying about it, but I'm concerned. Anyway, so I read this report from Bitdefender and Netgear, and apparently they looked at telemetry from 6.1 million smart homes across North America, Europe, and Australia, from January through October 2025, and Bitdefender researchers analyzed 13.6 billion IoT attacks, and 4.6 billion vulnerability exploitation attempts to give what they call a detailed snapshot of global IoT risk. So I'm going to throw a bunch of stats at you from their report, because I thought these were fascinating. Connected households, like mine, are under constant attack. Hooray. The average household now has 22 connected devices and faces an average of 29 attacks a day, which is up about three times, 3x increase, from 10 attacks in 2024. So do you know off the top of your head how many connected devices you have in your home, out of curiosity?

 

Dave Bittner: Oh, all of them.

 

Maria Varmazis: All-all the devices. Yes [laughter], does 22 sounds about right?

 

Dave Bittner: Sure.

 

Joe Carrigan: I think it's a little high for me, but-

 

Dave Bittner: Sure.

 

Joe Carrigan: But what counts? Does my phone count as a device?

 

Maria Varmazis: Your phone counts. Yes.

 

Joe Carrigan: Okay, then, maybe.

 

Dave Bittner: I guess anything that is hooked up to the Internet counts as a-

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Right.

 

Dave Bittner: I guess, though, my question is what constitutes an attack? If somebody is, I mean, obviously the vast majority of these are unsuccessful, right?

 

Maria Varmazis: Yes.

 

Dave Bittner: So a port scan probably counts as an attack.

 

Maria Varmazis: It does. Yes.

 

Dave Bittner: Even though they don't-they don't get in.

 

Maria Varmazis: Yes.

 

Joe Carrigan: Yep.

 

Maria Varmazis: By this report's metrics, definitely that counts. They-well, I'll get into a little bit of what they were specifically looking at for attack types, but yeah, I mean 29 attacks a day, I don't think people are going to be aware of those. I'm certainly not aware of 29 attacks a day, but I'm sure it's happening, but it was saying 22 connected devices per household, I was trying to inventory how many I have, and I cannot [laughter], which is kind of the problem, isn't it? Every time I kept thinking that's definitely the number I've got-I go no, wait, there's two other things, no wait, there's some other things. So-

 

Dave Bittner: Just like Joe trying to count up the number of girlfriends he had in college, it's just [laughter] he always forgets one or two, and so why even bother counting. Am I right, Joe? Am I right?

 

Joe Carrigan: One, two... [laughter]-

 

Maria Varmazis: He's going to be there for a while-

 

Joe Carrigan: So four-

 

Dave Bittner: On one hand, there you go.

 

Joe Carrigan: And one of them was my high school girlfriend that lasted into the first year [laughter].

 

Maria Varmazis: Well, alright [laughter] so anyway, to your question about what are IoT devices, specifically, and anything you hook up to the Internet is definitely an IoT device-

 

Joe Carrigan: Twenty-five... [laughter]

 

Maria Varmazis: Mobile devices are the most common kind, mobile phones can account for almost 20% of connected endpoints, followed by smart TVs, which is 9.5%, and streaming devices, so I imagine this would be like a Roku, or a Fire Stick, or an Apple TV, that's 7.3%. So smartphones, no surprise I think to anyone that they are the central hub for basically anything in a connected home, it goes through a smartphone. It's-everything requires an app, which is what I've noticed, anyway.

 

Joe Carrigan: Right.

 

Maria Varmazis: Yeah. Entertainment devices, like smart TVs, or streaming devices, and IP cameras are the most frequently targeted IoT devices in a connected home. So streaming devices, smart TVs and IP cameras specifically represent over half of all detected IoT vulnerabilities. Because they're frequently left unpatched and rarely updated, and again, I was thinking to myself, when was the last time if I even knew if any of those devices in my home needed to be updated, how often am I checking that? I genuinely have no idea [laughing].

 

Dave Bittner: Right.

 

Joe Carrigan: I will say this. I have an LG television in my basement that does a really good job of letting me know when it needs an update.

 

Dave Bittner: Hm.

 

Maria Varmazis: Hm.

 

Joe Carrigan: So, I'm actually pretty impressed with LG in that.

 

Maria Varmazis: Smart TVs, yeah, and mine doesn't know the Internet exists. I never hooked mine up to the Internet at all.

 

Dave Bittner: Right.

 

Joe Carrigan: Right.

 

Maria Varmazis: My streaming device, in my case, I have an Apple TV, device that does a good job of-I have auto updates turned on, so that updates itself. I feel pretty good about that. But I'm just going through all the other devices in my home, and I-half the time the app has been uninstalled because I haven't used it in a while, I don't get emails from any of them, so I'm going when is the last time this has been updated? I don't know.

 

Dave Bittner: Yeah.

 

Maria Varmazis: I imagine I'm not alone in that at all. So yeah, that's a huge [laughs] potential entry point, when you have all these unpatched devices that are just sitting there on your network. So it's not-it's not great. Yeah, I don't even know what the login is, for half my devices, to be honest with you [laughter], so yeah, and does the update [inaudible 00:15:06]? I have no idea. Um, so known vulnerabilities. Not zero days, nothing like that, known vulnerabilities remain the biggest risk for all of these home IoT devices, and this stat is amazing to me-99.4% of IoT exploits target already known and fixed CVEs, not weak passwords, which I think was a drum that a lot of us were beating for a long time, like-

 

Joe Carrigan: Yeah.

 

Maria Varmazis: Like make sure you update your default password, that's-0.27 percent of attacks [laughs], and then devices using HTTP instead of HTTPS for authentication is only 0.30 percent, so yes, again, 99.4% are known vulns being exploited. That's-there you go. Yeah. And I was curious if either of you could guess what generally the CVSS score might be for the-on average, for the types of vulns that are being exploited for IoT devices in the home?

 

Joe Carrigan: This is the criticality score for any vulnerability correct?

 

Maria Varmazis: Yes. Yes. What do you think that number would be?

 

Joe Carrigan: If I had to pick an average? I'd say 7.5.

 

Maria Varmazis: Wow, okay.

 

Dave Bittner: Uh...yeah, I mean, I would-

 

Joe Carrigan: It's a scale of 10, right?

 

Maria Varmazis: Yes, out of 10. Yes.

 

Dave Bittner: I guess I'd put it somewhere in the middle, like 5 or 6, because you know, these are-the devices still work, you know? They're not-yeah, I mean, they're not screaming at you that oh my gosh, you must update now, or bad things are going to happen-even if they are.

 

Maria Varmazis: Yeah.

 

Dave Bittner: So yeah, I'd put it somewhere in the middle.

 

Maria Varmazis: Both are very good guesses. So [laughter], the answer from this report, 34.3% of total issues, which is overwhelmingly the most common, the median number, was the high-high, of 7.8, that was the CVSS score that was most common, so Joe, you were pretty good.

 

Joe Carrigan: Good, yes. Pretty good guess.

 

Maria Varmazis: So, I thought it was very interesting that critical severity vulns that were, you know, 8 or above, those are the drop everything, your house is on fire metaphorically speaking, you know, the news is-the headlines are in the news, that you know, your baby monitor could get hacked, and someone could do something creepy. That would be like a 10, right? Huge, huge, you would hear about that. But something that is in the high-highs, 7.8, it's something that the attacker can use, but it's not necessarily a house on fire criticality.

 

Dave Bittner: Right.

 

Maria Varmazis: And from the point of view of the device maker, they're going, oh, it's not critical, so we could probably wait on updating this for a while, and that represents a great opportunity for an attacker. Yeah, 7.8 feels like a nice little sweet spot for an attacker.

 

Dave Bittner: Mm-hm.

 

Maria Varmazis: So yeah, they'll just get around to it, I suppose. So, the types of attacks that are being exploited for these home IoT devices are over-buffer overflow, and denial of service attacks. That is most of what IoT exploits are in this situation. And then the critical severity, so the really severe headline-grabbing stuff that doesn't happen very often, but is catastrophic when it does, are privilege escalation code execution attacks. So that means that the cyber criminal can take full control of your device. So it doesn't happen very often. Denial of service and overflow, again, are the big ones. Some interesting long-term trends from this report that I wanted to highlight, especially given my space angle that I'm always looking out for, long-term expectations are not a huge surprise here that IoT is going increasingly industrial. We've known this for quite a long time in the space world, IoT is a huge, huge topic. And many more of these attacks are going to continue targeting IoT in commercial and the industrial domains. So EV chargers, smart inverters, like the one I've got on my roof right now, routers [laughs], industrial controls-expect to see more and more attacks going after these. I think many people who have been watching this for a while know that, but just expect more of it. And then something that made me stop cold in my tracks was attacks going after-attacks that would be using vulnerabilities in shared libraries, software development kits, and even updating mechanisms, would allow attackers to cast a hugely, hugely wide net across entire ecosystems. So that is an expected potential vector there, so [laughs], the scenario they said in the report was imagine an attacker compromising an over-the-air updating service, like I don't know, certain famous car companies [laughs].

 

Dave Bittner: Right, right.

 

Maria Varmazis: How would you detect that? And how would you remediate that? And that just makes me go alright, this is a terrifying, terrifying thought.

 

Dave Bittner: Yeah, they'd break your car.

 

Maria Varmazis: Break your car, and then how do you get it to the dealer to get it fixed I can't even begin-I don't even want to imagine that happening, so, yeah. So, thankfully this report did have some advice for the home IoT user, which is all of us [laughs].

 

Joe Carrigan: Yes.

 

Dave Bittner: Yes [laughs].

 

Maria Varmazis: Yeah, number one was try to keep an updated inventory of all IoT and network devices in your home or at work, disable the ones you no longer use, and note from me, it is very easy to forget all of the devices that you have hooked up to your network because I certainly have.

 

Joe Carrigan: Right.

 

Maria Varmazis: Yeah, it's like, I still don't think my inventory is complete, frankly.

 

Joe Carrigan: This goes back to a couple of years ago with Black Hat. I can't remember how many years ago it was. But the-the best new product award went to a company that had invented or developed a fantastic asset inventorying system that would go out and discover all the IT on your networks. There is no shadow IT anymore.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Which is exactly the problem-this problem.

 

Maria Varmazis: Yes.

 

Joe Carrigan: But I'm sitting here thinking about all the things I have in my house, I keep forgetting about the TV I have in my bedroom, which right now is unplugged, but is the Fire Stick in the back of that unplugged? Probably not. Has that been updated? Probably not.

 

Maria Varmazis: Probably not, yeah [laughter]. Yep. They just hang around, it's just really easy to forget what's there. And one of the-I know for my home router, I have Verizon, and they gave me a home router when we hooked up with their service. They had, the router came with an IoT network option built in-

 

Joe Carrigan: Right.

 

Maria Varmazis: And every once in a while I'm messing around with network settings, doing stuff, and I'm always just shocked at how many devices I have actually connected to my home router IoT network, to the point where sometimes I turn to my husband like, are we sure all these devices are ours [laughing]? Are these all supposed to be here? Because this is a very long list, I don't remember half of these, and I guess I'm just getting old. But I just don't remember some of these [laughing]. Some other advice was to replace Legacy hardware, which is, you know, much easier said than done, if you remember what your Legacy hardware is? Try to prioritize devices that receive regular security patches, like, I don't know how much people are going to prioritize this, and you know, hey, get a brand-new TV because your old one is not getting security updates, I hope you have a couple K to drop on that, but there you go [laughter]. If you can segment your network, to keep all your smart devices on a home IoT network, like the one that I have, I mentioned, it's a good idea if you can do that. Patch devices as soon as [laughs] new firmware becomes available, if you know that it has become available, try to do it, maybe keep an eye on that to begin with. That would be a nice start for me [laughs]. Use routers or gateways with built-in security, and as you might imagine, Net Gear has some ideas for you there [laughing], you can dot-dot-dot, fill in the blanks.

 

Joe Carrigan: Right.

 

Maria Varmazis: And my favorite tip is avoid exposing devices to the Internet unless absolutely necessary. Amen to that. My smart TV does not know the internet exists, and it never will [laughs], so it's a pretty dumb TV, so but not everyone has that option, obviously, for many reasons. But if you can take that route, it is a good one. So yes.

 

Joe Carrigan: I will tell you this, I have a Netgear device inside my Comcast router. So my Comcast router talks directly to my Netgear device, and I'm actually seriously considering replacing that with an OpenBSD firewall. But neither here nor there. Everything that matters to me connects to the Netgear, and everything that I don't want, you know, I don't want to worry about-that's on the Comcast box. So if it does get compromised, it's outside of my network.

 

Maria Varmazis: Hm!

 

Joe Carrigan: That's number one. Number two, it's kind of a way of subnetting. When I had Verizon services at my house in Columbia, I had the TV connected to my Netgear router, not to the Verizon router, and I called Verizon, and I said do I need to connect my TV wi-fi to the Verizon router in order to stream the TV services, instead of putting a cable box in, and they're like yeah, of course you have to. And I'm like, oh, okay, well this is going to work then. Because I have it on my network. He's like, well why don't you put it on our network? I don't trust you [laughter]. That was my answer. Kind of stopped them dead in their tracks.

 

Maria Varmazis: Yeah, when we've tried doing stuff like that, with my previous ISP, we would find that things just wouldn't work. Basically our ISP would try and shut it down, and it would take a lot of phone calls to them to go no really this is legit, but it just became more trouble than it was worth. This is a different ISP, not Verizon, but it's a lot of work, even if you kind of know what you're doing.

 

Joe Carrigan: Right, it is.

 

Maria Varmazis: It's-I do appreciate that, I'm not being paid by Verizon to say this, providers like them giving people an IoT network option sort of built-in to make it a little easier, but [whispering] it's still not easy.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Right.

 

Maria Varmazis: Do you need to take a couple of networking classes to figure this out? I don't know.

 

Dave Bittner: Well, you need kids and grandkids, that's what you need [laughter].

 

Maria Varmazis: Obviously, yeah, I better get my 8-year-old on that, yeah, that's for sure, yeah I'll get right on that [laughter].

 

Joe Carrigan: It won't be long, she'll be helping you out.

 

Dave Bittner: Yeah.

 

Maria Varmazis: I'm looking forward to that immensely, honestly.

 

Joe Carrigan: Your day is coming, Maria, trust me on this.

 

Maria Varmazis: Good! I'm tired of being family IT. Let someone else do that.

 

Dave Bittner: Yes, exactly [laughter], exactly. The two things I'll just add to your information here, Maria, which I think is excellent, is number one, to just kind of flesh out what you were saying about the bad guys searching for these devices, and how many of them are unpatched. Like, the bad guys will just go out on the internet and they'll say I'm going to go looking for unpatched thermostats. Right? And they just go poking around on the internet, and there are so many out there to be found, they're low-hanging fruit.

 

Maria Varmazis: Oh yeah.

 

Dave Bittner: And they just do what they need to do, and off they go. So that's one thing. The other thing, and so if you keep your devices patched and up to date, you're no longer the low-hanging fruit or that sort of attack. The other thing is, just remember that just because your device is working the way it should doesn't mean it hasn't been compromised.

 

Joe Carrigan: Right.

 

Maria Varmazis: Amen to that.

 

Dave Bittner: So particularly we talk about video cameras, security cameras. You know, pretty much everything that has a single function, like a security camera, these days has way more processing power built into it than it actually needs.

 

Joe Carrigan: Yep.

 

Maria Varmazis: Mm-hm.

 

Dave Bittner: And that's what the bad guys take advantage of. They come in and they say okay this is a video camera. It's still going to function the way it always has as a video camera, the user won't notice a thing.

 

Joe Carrigan: It's got an operating system on it.

 

Dave Bittner: We're going to add our own little thing, on top of that, or next to that, or underneath of that, that will either mine cryptocurrency in the background, or be available when we want to summon up a DDoS attack on somebody-

 

Maria Varmazis: Like happened recently!

 

Dave Bittner: Yeah! We can use this camera as one of our nodes, and use it to help flood somebody with denial of service attacks.

 

Maria Varmazis: Yeah, that's right.

 

Dave Bittner: So just because you don't see anything doesn't mean it's not happening.

 

Maria Varmazis: Yeah, I feel like there was some common advice for some time, you know, if you notice degradation in your home network performance that maybe something amiss was happening, I don't know if that really applies as much anymore, or if at all, to your point, that you know, are there signs that you've been-that your devices have been pwned-I don't know anymore. I genuinely, I'm not saying that facetiously, I genuinely don't know if that is true anymore.

 

Dave Bittner: Well, there is so much overhead now, like you-there is so much spare bandwidth and spare processor power, and things don't lug down the way they used to, noticeably.

 

Maria Varmazis: Yeah, I maintain that there has got to be some kind of growing market for people like me who want dumb devices. I know everything wants to be connected, but I really want dumb devices for a lot of stuff, like I don't want my dishwasher to be hooked up to the internet, I just don't [laughter].

 

Joe Carrigan: Yeah. Well, appliances, I think it's happening. We were talking about this with my office mate, Michelle. We mentioned her last week, but she was saying that she's seen more and more of these appliances that are just-that are not connected to the internet. Nobody wants that.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: So it's-the market forces are trending. I want like mechanical appliances, right.

 

Maria Varmazis: Amen to that. Yes! Amen to that.

 

Dave Bittner: You want gears and solenoids.

 

Joe Carrigan: Right [laughter] yeah, that's what I want. I want my washing machine to have a timer, gears, solenoids.

 

Maria Varmazis: That you can replace and fix yourself when they need replacing, or get someone in-yes, I agree with you completely. Yep! I'm with you.

 

Dave Bittner: Alright. We will have a link to that story in the show notes. My story this week comes from a researcher who found that his AWS account had been hacked. AWS, of course, is Amazon Web Services. That's Amazon's cloud service. People buy time and space on those kinds of services. So this is a researcher who goes by the name Zvi, Z-V-I. He actually is a cloud architect, and a former vulnerability hunter. So this is somebody who knows a thing or two about all of this computer stuff, but also security. But he got hit. And he shared his story as to what happened, and how he figured it out, and ultimately what he did about it. He was doing some work, minding his own business, when suddenly his email inbox, as he put it, "explodes," just hundreds of spam messages, random sign-ups and newsletters. Noise, just coming in his email account. And he sees this, and he thinks, well that's odd. Buried in the noise is an email from AWS about his account. That seems routine to him. He is actually working on a personal project in AWS, so it seems routine. A little later, another AWS email lands in his email, telling him that something is pending. He hasn't changed anything, so that gets his attention. He says that is kind of his "uh-oh moment."

 

Maria Varmazis: Yeah.

 

Dave Bittner: So he jumps into his account and he checks the activity logs, and he spots some actions taken by a user that he never created. So now he knows somebody is inside. So he jumps into defensive mode [laughs], right? He says his first priority is to stop the bleeding. So he resets his password, keeps his multi-factor on, and he already had multi-factor on, and they were in.

 

Joe Carrigan: Yeah, how'd they get in?

 

Dave Bittner: We'll get to that, Joe.

 

Joe Carrigan: Okay.

 

Maria Varmazis: Oh [laughs].

 

Dave Bittner: And he deletes several fake users and their access keys. He checks his AWS bill. Now, AWS is metered, you know, kind of like your electric bill or your water bill. The more you use, the more you pay.

 

Joe Carrigan: But it goes up really fast [laughter].

 

Dave Bittner: Yes, and that's what happens to this person, his costs have spiked. Somebody launched some powerful servers in a region that he doesn't normally use. So he shuts all those down. He removes the attackers' email settings, so they can't send messages that look like they're coming from his domain. He actually calls AWS, on the phone, imagine that, and they flip his account to an under-attack mode that blocks any risky changes. Basically gives everybody time to clean things up. So then he starts looking through his logs to see what happened, try to figure out what happened. And what he finds is, the intruder used an access key that was tied to his account, created a back-door-created these back-door users, spun up the servers, and tried to set up his domains to send phishing emails. And that initial spam flood was a smokescreen to hide the real alerts. So the real alerts from Amazon would be buried in this pile of spam.

 

Joe Carrigan: Hm!

 

Maria Varmazis: Wow.

 

Dave Bittner: So. How did they get in? He says this is the painful part. While he was building his own personal website, he accidentally left an access key and some code that ended up exposed.

 

Joe Carrigan: Oh, okay.

 

Dave Bittner: So all the bad guys had to do was scan the web, they found this key, and they walked right in.

 

Maria Varmazis: Uh!

 

Dave Bittner: He says, who were they? It's hard to say. He says the behavior points to money motives rather than espionage, or spies, or anything like that. The trail led to a particular hosting provider, but that's as far as he can prove. So he rotated his keys, all of them [laughs], checked all his users, tightened his alerts, paused his site, and he moved his secrets into a proper vault. He said no more keys in code, ever. And the lessons that he learned was, he said trust your gut, contain first, and investigate second, because time matters when you're doing these sorts of things. That AWS clock is ticking, right? And they're going to be trying to send spam emails out, using your account. He said also don't rely on chat bots to bless a security alert. He actually at one point in this thing, he asked ChatGPT about a security alert, and said is this routine, and ChatGPT said yes, that's a routine security alert. Turns out it wasn't.

 

Joe Carrigan: Hm!

 

Dave Bittner: He said logs and notifications are your friends. So he says the big take-away here is that security isn't a feature you tack on later, it is a habit. He said if it can happen to someone who does this for a living, it can happen to anyone. So quite a story here. I'm curious, what do you guys think of this?

 

Joe Carrigan: Well we were talking about this, I think last week. I did listen to the show, of course, this morning [laughter]. So you know, we talk about how we've gotten got before.

 

Dave Bittner: Yep, yeah.

 

Maria Varmazis: Mm-hm!

 

Joe Carrigan: Through social engineering attacks, and you know, this guy, I get exactly what he was doing. He was trying to quickly develop a web page, and then forgot about a credential that he left.

 

Dave Bittner: Yeah, so he put the credential in for his convenience while he was testing, probably.

 

Joe Carrigan: Developing, yeah.

 

Dave Bittner: Yeah.

 

Joe Carrigan: And then deployed that out to the web, and somebody found it. And finding it is trivial. You just match a regular expression and say hey, I pulled down all this web, find all the Amazon keys in here. And you can actually write a Python script that will spit that out pretty quickly.

 

Dave Bittner: Okay. Yeah. So it doesn't take a lot of sophistication.

 

Joe Carrigan: No, it does not.

 

Dave Bittner: To take advantage of this simple mistake that this person made.

 

Joe Carrigan: Yep.

 

Dave Bittner: Admittedly.

 

Maria Varmazis: Hm!

 

Dave Bittner: Yeah. Any thoughts, Maria?

 

Maria Varmazis: No, nothing to really add there [laughing] honestly. Yeah.

 

Dave Bittner: Okay yeah. That's fine. Alright, well we will have a link to his story in the show notes. There is a lot more technical details in there, if you're the kind of person who likes to dig into the tech, this is a good one for that.

 

Joe Carrigan: But unlike Joe, Dave will not be diving that deep [laughter].

 

Dave Bittner: We will spare you on this show, but it's there if you want it. So go for it. Alright, I tell you what, let's take a quick break to hear from our show sponsor. We will be right back after this message. [ Music ] And we are back. Joe, you're up. What you got?

 

Joe Carrigan: My story comes, actually it's not a story, it's a consumer protection data spotlight from the Federal Trade Commission: "False Alarm, Real Scam: How Scammers Are Stealing Older Adults' Life Savings." And this thing starts off by talking about how older people are more likely to lose more money than younger people, but younger people also get scammed. One of the things I like about this article is, it has three lies. Three lies that will be told to you, to get you to-these lies will short-circuit your thinking.

 

Maria Varmazis: Okay.

 

Joe Carrigan: They will focus your attention on what the attacker says, and what they are is, lie number one, someone is using your accounts. It says this lie might start with someone pretending to be your bank, flagging some so-called suspicious activity or pretending to be Amazon with a message about an unauthorized purchase.

 

Dave Bittner: Mm-hm.

 

Maria Varmazis: Yeah, yep.

 

Joe Carrigan: I got one of these from Amazon, allegedly from Amazon one time, and the guy was like, did you authorize this purchase? I'm like, I just want to know what happens next in this scam, and the guy just [laughter] started swearing at me. Like, I don't think you're actually-

 

Maria Varmazis: What if you say yes, though? Yeah, oh, I totally bought that.

 

Joe Carrigan: Right. I got one of these yesterday. And I should have said oh yeah, yeah, that's me. I did that.

 

Dave Bittner: Yeah [laughter].

 

Joe Carrigan: Because oh, something that's happened to me recently is I've moved my-what was my old house phone from Comcast to my mobile provider, as like an app number.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So now, I get my old house number directly at my cell phone.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Because I don't have a house phone anymore.

 

Dave Bittner: Right.

 

Joe Carrigan: But I want to keep the number, because that's the only number some people have for me. Even though I haven't been able to answer that number in over a year [laughter], but it's still a good number, but somebody called, knew my name, and started talking to me about some wireless service, I think. Anyway, I'm going to be having some fun with the people who called me today. Lie number two that they tell you-your information is being used to commit crimes. This will be a lie that allegedly comes from some government agent or officer, warning your social security number is linked to some crimes, like drug smuggling or money laundering, or even the dreaded CSAM.

 

Dave Bittner: Oh yeah.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Once you hear that, you're like uh-oh, I don't want anything to do with this. Your first reaction when anybody says this is "I want to talk to my lawyer." You don't have to talk to anybody from law enforcement without talking to your lawyer first, you know, and if you can't afford a lawyer, and you're being charged with crimes, one will be provided for you by the state. So don't talk to anybody claiming to be from law enforcement, even if they are, and they're accusing you of crimes. Law enforcement doesn't work this way, by the way [laughter]. Law enforcement actually does real investigations, and you know, usually they'll show up at your house if they have questions. They don't just call you on the phone.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Lie number three is, there is a security problem with your computer. This is often like the on-screen security alerts from Apple or Microsoft, and you need to call this number. They have some statistics in here about combined losses, and these are reported combined losses from like 2024. And they have stats going all the way back to 2022, but in 2024, combined losses under ten grand were $41 million, combined losses between ten grand and one hundred grand were $214 million, and combined losses over $100,000 were $445 million. And that's just reported losses. These scammers are making billions, I guarantee it.

 

Dave Bittner: Yeah.

 

Maria Varmazis: Wow.

 

Joe Carrigan: So they have a couple of-three things you can do. Don't move money to protect it. That's always a lie. Don't worry, I'm going to keep your money safe. That's always a lie too. Hang up and verify. So in other words, somebody calls you from some bank or some law enforcement agency, you hang up, and then block unwanted calls. And this is another thing I learned recently with my mobile provider, with all my lines, I have this spam option to block unwanted spam calls. And it's something I have to switch on, which I wonder why I have to do that, but I do [laughter].

 

Maria Varmazis: Why is that on? On by default [growls]. Yeah.

 

Dave Bittner: Yeah, I use that as well, and it's definitely a lifestyle upgrade [laughter].

 

Joe Carrigan: Yeah, it is.

 

Dave Bittner: I mean, the phone doesn't even ring.

 

Joe Carrigan: Right, because nobody calls anymore. You get a text, right?

 

Dave Bittner: That's true, that's true.

 

Joe Carrigan: Hey are you busy? Can I talk to you? Yeah, that's the only time I call anybody in my family, right? I text them first, hey can I give you a call right now?

 

Dave Bittner: That's true. I think that's the way.

 

Joe Carrigan: Yeah.

 

Dave Bittner: Alright, well very good. We'll have a link to that from the FTC in our show notes. [Background music] Joe, Maria, it is time to move on to our Catch of the Day. [ Soundbite of reeling in fishing line ] [ Music ]

 

Joe Carrigan: Dave, our Catch of the Day comes from the Scam Bait subreddit. Trying to Scam the Scammers Called.

 

Dave Bittner: Yes, so, Maria. I'll ask for your help here.

 

Maria Varmazis: Oh yeah?

 

Dave Bittner: Yeah, you will be the person leading this off, the gray text, if you will, in this text exchange.

 

Maria Varmazis: Okay.

 

Dave Bittner: I will be in the blue, and we will take this as far as we can before we realize it's probably in our best interest to stop [all laughing].

 

Maria Varmazis: Jeez, oh, goodness.

 

Dave Bittner: Go for it!

 

Maria Varmazis: Okay, alright. Hello, I hope you are doing well. I'm delighted to connect with you. Sarah Sutton, from Indeed Job Center has notified me that you are interested in a flexible, remote opportunity. Is that right?

 

Dave Bittner: [Gruff voice] Who do I have the pleasure of speaking with?

 

Maria Varmazis: My name is Alice, I work for Data Stax as an instructor. Nice to meet you.

 

Dave Bittner: [Gruff voice] Nice, Alice is a sexy name.

 

Maria Varmazis: May I know your name?

 

Dave Bittner: [Gruff voice] Petey Wheatstraw.

 

Maria Varmazis: And in reply to Alice is a sexy name, I say [in a high voice] "Thank you for your compliment," smiley face.

 

Dave Bittner: People call me the devil's son in law, on account my ex-father-in-law was a serial killer [laughter].

 

Maria Varmazis: LOL.

 

Dave Bittner: [Gruff voice] It's true. What kind of jobs?

 

Maria Varmazis: Anyway I like your honesty and openness.

 

Dave Bittner: [Gruff voice] This is a picture of me [laughter], you got a pic [laughter].

 

Joe Carrigan: The picture is [laughter] almost like a mug shot [all laughing].

 

Maria Varmazis: Mug shot in-

 

Dave Bittner: If you saw this person coming down the street, you'd cross the street to get on the other side.

 

Maria Varmazis: It's a very dimly lit mugshot too [laughter continues], it's like a mug shot in an abandoned mental hospital.

 

Dave Bittner: There you go [laughter].

 

Maria Varmazis: This is a remote position, with flexible working hours. You'll be required to work for just 30 minutes to one hour per day, and you can choose any time that suits you, within business hours from 10 a.m. to 11 p.m. Eastern Standard Time, EST. There are no regional restrictions, so you can work from anywhere in the world. You may use a smart phone, a laptop, iPad, or PC, whichever device you prefer to complete your daily tasks.

 

Dave Bittner: [Gruff voice] Nice. You got a pic?

 

Maria Varmazis: Now there is a-I am sending a random photo of some lady in a bathroom. Clothed. I should mention she's clothed.

 

Dave Bittner: Yeah, she's fully clothed.

 

Maria Varmazis: She's fully clothed.

 

Dave Bittner: She looks professional, I'd say. Attractive. Yes [laughter], then he sends a reply of Jim Carrey as The Mask [laughter] with his jaw on the table, like the old Warner Brothers wolf, you know where he's [vocalizing]-

 

Joe Carrigan: Yes.

 

Maria Varmazis: The wolf whistle, yeah [overlapping speakers].

 

Dave Bittner: Yeah [laughter].

 

Maria Varmazis: If it's convenient for you, I'll explain the job role and salary structure. Do you have any free time right now?

 

Dave Bittner: [Gruff voice] Not at the moment. I'm kicking my girlfriend out of our house. She got mad that I cheated on her. Can you believe the audacity? Sure, it was with her 20-year-old daughter [laughter], but that's no excuse for getting mad.

 

Maria Varmazis: [Groans] I'm sorry to hear from you. I hope it's going well for you.

 

Dave Bittner: [Gruff voice] It will be, once she's out of here. You got a man?

 

Maria Varmazis: I am a divorced woman. Since my divorce, I have devoted my time to my son, so I have been single for a long time.

 

Dave Bittner: [Gruff voice] Sweet.

 

Maria Varmazis: [Laughing] Are you really interested in remote work for extra income? Please confirm with me.

 

Dave Bittner: [Gruff voice] I'm interested in you and the job.

 

Maria Varmazis: [Laughter] LOL, smiley face, winky-winky, smiley face. Many, many emojis.

 

Dave Bittner: [Gruff voice] I like you.

 

Maria Varmazis: So, shall I explain the job details and salary structure for you?

 

Dave Bittner: [Gruff voice] yes.

 

Maria Varmazis: So, I will explain your work role first.

 

Dave Bittner: Alright, you know what?

 

Maria Varmazis: This is going on [laughter]. My goodness.

 

Joe Carrigan: This goes on for-I thought it was going to be like for maybe 15, or for like four slides, it's like 15, 20 of them.

 

Dave Bittner: Yeah, this person really keeps him going. It goes, eventually goes into the fact that he uses AI images to create ladies that he's actually catfishing people. At one point he references Hot For Teacher, from Van Halen [laughter], I mean just, you know, the whole thing. But basically the point here is that this person is wasting a spammer's time.

 

Joe Carrigan: Yeah. These guys are good at their jobs.

 

Dave Bittner: Which we don't recommend because-there's a good chance that they're better at this than you are.

 

Joe Carrigan: Right [Maria laughing].

 

Dave Bittner: But at the same time, it's fun to see when somebody is actually capable-

 

Joe Carrigan: Yes.

 

Dave Bittner: Holding their attention, wasting their time, and keeping them away from the rest of us.

 

Maria Varmazis: Well done.

 

Dave Bittner: Yeah [gruff voice] nice [laughter].

 

Maria Varmazis: Nice [laughing].

 

Dave Bittner: [Gruff voice] sweet. [Normal voice] we will have a link, you know what I was thinking of, the whole time, when I was doing that voice? I was thinking of Carla's ex-husband on Cheers, Nick Tortelli [laughter]-

 

Joe Carrigan: Oh yeah, I remember that guy.

 

Maria Varmazis: Oh wow!

 

Dave Bittner: Right? I am trying to think of like the most disgusting [grunting] person and I don't know why he popped up. Anyway, [background music begins] we will have a link to that in the show notes. And again, we would love to hear from you. If there is something you would like us to consider for the show, you can email us. It's hackinghumans@n2k.com. [ Music ] And that is "Hacking Humans," brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our Executive Producer is Jennifer Eiben. We're mixed by Elliot Pelsman, and Trey Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: And I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening. [ Music ]