Hacking Humans 12.11.25
Ep 366 | 12.11.25

Don’t let public ports bite.

Transcript

Dave Bittner: Hello, everyone; and welcome to N2K CyberWire's Hacking Humans podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan. Hey there, Joe.

Joe Carrigan: Hi, Dave.

 

Dave Bittner: And our N2K colleague and host of the T-Minus Space Daily podcast, Maria Varmazis. Maria.

 

Maria Varmazis: Hi, Dave; and hi, Joe.

 

Dave Bittner: We've got some good stories to share this week. But, first, let's get to our follow-up.

 

Joe Carrigan: No follow-up section is complete without a chicken story.

 

Maria Varmazis: Uh-huh. Our listeners demand it, Joe.

 

Joe Carrigan: They do, they do.

 

Maria Varmazis: They really do.

 

Joe Carrigan: I was listening to last week's episode. And I was like, I didn't know that people are that vested in our chickens.

 

Maria Varmazis: Oh, they are.

 

Joe Carrigan: Yeah. So it might -- and so I installed the automatic door on my chicken coop.

 

Dave Bittner: Okay.

 

Joe Carrigan: And last week I said that it has a photo sensor. It actually has a photo sensor and a timer.

 

Dave Bittner: Oh.

 

Joe Carrigan: So I -- I set the photo sensor to open the door, and I set the timer to close the door because, if the -- I set the photo sensor all the way down to 0 sensitivity, which means it gets completely dark before it closes. But, as soon as it gets there, as soon as it detects the light at the level of 0 -- it's 0 to 99, and I don't know what that means internally. But it just means that, when that sensor reads what comes out as a 0, it shuts the door. And, even with the sensor turned down to 0, that door was shutting with one or two or three chickens outside. So I'd go out, like, an hour after dark; and there'd be chickens sitting on the perch going like, Well, I guess we're just going to sit outside tonight.

 

Dave Bittner: Okay.

 

Joe Carrigan: So I'd open the door up, put them back inside. So I set the timer. Now the door closes at 6pm, and that has worked well. So it opens with 20% light, and it closes with -- at 6pm.

 

Dave Bittner: Oh. So you can choose either for any situation.

 

Joe Carrigan: Correct.

 

Dave Bittner: That's surprisingly versatile --

 

Joe Carrigan: It is.

 

Dave Bittner: -- for something like that.

 

Joe Carrigan: It is surprisingly versatile for something that is 50 bucks.

 

Dave Bittner: Yeah.

 

Joe Carrigan: I was really, really happy with it. It's also solar charge, solar powered.

 

Maria Varmazis: So what kind of watch do your chickens wear that they know what time it is?

 

Joe Carrigan: Well, they -- it's they just go inside when it gets dark. But apparently they go inside a little after the door closes.

 

Maria Varmazis: Okay.

 

Joe Carrigan: But I go out there every night. Like, I went out last night at like quarter to 6; and they were all sitting in the coop ready to go. But I'm going to leave it at six because I'm not going to go out there and update it for every sunset and sunrise. This will keep me good for probably around two months.

 

Dave Bittner: Oh, yeah, yeah.

 

Joe Carrigan: Anyway, so one morning I went out there. It was a Saturday. I went out there on Saturday. And I look, and there's a chicken sitting on the water container. And I'm like, What are you doing on the water container? I look and I'm like, this chicken is upside down; and she has caught her foot in the hook that --

 

Dave Bittner: What?

 

Joe Carrigan: Yeah. That holds the water container up off the floor of the ground.

 

Maria Varmazis: Aww.

 

Joe Carrigan: You can't have -- you can't have the water container on the ground. They will just make an absolute mess of it.

 

Maria Varmazis: Eww.

 

Joe Carrigan: So same with the food container. So they're both hanging from wires through the -- through the roof of the run.

 

Maria Varmazis: Are they okay?

 

Joe Carrigan: Well, I pulled her off. I held her a little bit. I checked her foot. It didn't seem like it was broken.

 

Dave Bittner: Her new name is Stumpy.

 

Joe Carrigan: Right.

 

Maria Varmazis: Aww.

 

Joe Carrigan: And I put her in the -- I put her back in the coop. And she was, like, limping around really, really bad. And I'm like --

 

Dave Bittner: Oh, no.

 

Joe Carrigan: I'm like, What's going on here? So I go inside real quick. And I went to Thingiverse, which is a 3D printing site where you can get models. And I found, believe it or not, a chicken splint.

 

Maria Varmazis: I believe it. You can find anything on there.

 

Dave Bittner: Oh, man. That's my favorite part of the chicken.

 

Joe Carrigan: The chicken splint.

 

Dave Bittner: Oh, save me the chicken splints.

 

Maria Varmazis: There's some good collagen around that chicken splint. A delicacy in some countries. Yeah.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Printed that up. Took about two hours. And, by the time I printed it up, chicken was walking around fine. So --

 

Dave Bittner: So now -- well, but, you know; now you've got a just in case. You've got one just when -- when needed. You're ready to spring into action --

 

Joe Carrigan: I am.

 

Dave Bittner: -- next chick. Now, did you do anything to make the area safer so this won't be --

 

Joe Carrigan: Yes, I did. I closed the loops on these little things a little bit better.

 

Dave Bittner: Future poultry inversions.

 

Joe Carrigan: Right.

 

Dave Bittner: Okay.

 

Joe Carrigan: There will be no future poultry inversions.

 

Maria Varmazis: Is it like with horses where you've got to put them down if they break an ankle or whatever?

 

Joe Carrigan: I don't know. I saw a YouTube video where somebody said they had an injured chicken, and they built a splint out of pencils or a pencil and some tape and some gauze.

 

Dave Bittner: Right.

 

Joe Carrigan: And they said that chicken got better in two weeks. So they're fairly resilient animals. I don't know.

 

Dave Bittner: Do you remember those -- surely you guys have seen the story about the headless chicken who lived several years.

 

Joe Carrigan: Yes. I've seen that. Yep.

 

Dave Bittner: Maria.

 

Maria Varmazis: I have heard of that. Yes.

 

Dave Bittner: Yeah. Okay.

 

Maria Varmazis: Yes. That is legendary. Yep.

 

Dave Bittner: So, yeah. If -- for our listeners, if you're not aware, just I guess Google headless chicken. And it'll pop up.

 

Joe Carrigan: Right.

 

Dave Bittner: And it's quite a -- there are pictures. Quite a tale.

 

Joe Carrigan: Yeah. It's horrifying.

 

Dave Bittner: The pictures are horrifying.

 

Joe Carrigan: Right.

 

Dave Bittner: But this is the story of resilience and perseverance --

 

Joe Carrigan: Yes.

 

Dave Bittner: -- in the face of unbelievable adversity, namely, having your head chopped off.

 

Joe Carrigan: Right.

 

Dave Bittner: Which goes to show that chickens is necessary -- don't really need their brains, I guess.

 

Joe Carrigan: Right. Or at least not most of them.

 

Dave Bittner: Yeah, yeah. All right. So all's well with the chickens, then.

 

Joe Carrigan: All's well with the chickens. Yeah.

 

Dave Bittner: Beyond that, okay.

 

Joe Carrigan: And now that my classes are over, I'm going to start working on a bigger run for them.

 

Dave Bittner: Okay. Have you seen any signs that any neighborhood predators are interested in your chickens? Are there any, like, fox footprints or anything?

 

Joe Carrigan: I have not seen any of that. But this morning, in the shed, when I was getting the food into the coop, I did see mouse droppings and a little bit of gnawing going on, on my chicken food container in the shed.

 

Dave Bittner: Okay.

 

Joe Carrigan: So I will be sprinkling the entirety of the shed with peppermint oil to see if that makes them go away.

 

Dave Bittner: Yeah. I had a friend who had a chicken coop, and he had a black snake that lived in the coop.

 

Joe Carrigan: Right.

 

Dave Bittner: And so the deal was, I guess, that, in exchange for keeping rodents away, the snake enjoyed a delicious egg from time to time.

 

Joe Carrigan: Right.

 

Dave Bittner: So, you know. And the snake didn't -- wasn't bothered by people being around, and --

 

Joe Carrigan: Right. Yeah. Black snakes are pretty chill.

 

Dave Bittner: Yeah. The people weren't bothered by the snake being around other than the first time they came upon it, you know.

 

Joe Carrigan: Right.

 

Dave Bittner: Because surprise snakes are never fun but.

 

Joe Carrigan: Unnerving.

 

Dave Bittner: Yeah. But -- so maybe you'll end up with a chicken coop snake. That would be.

 

Joe Carrigan: I wouldn't -- I wouldn't mind having a chicken coop snake.

 

Dave Bittner: Yeah.

 

Joe Carrigan: They don't eat much. And they -- I don't know if they will -- they will never out eat the mice with the way mice reproduce. They'll never do that.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So -- but they -- their smell might keep them away.

 

Dave Bittner: Yeah. All right. Well, stay tuned next week --

 

Joe Carrigan: Next week.

 

Dave Bittner: -- for Joe's chicken coop corner. And keep the stories coming.

 

Joe Carrigan: Yep.

 

Dave Bittner: All right. I tell you what. Let's get to some stories here. I'm going to lead things off for us. Let me start off with a question here for both of you. Have either of you ever received a nasty gram from a company who's claiming that you have violated someone's copyright or digital rights online?

 

Joe Carrigan: I have not.

 

Maria Varmazis: No. I have not either.

 

Dave Bittner: Okay. I have.

 

Joe Carrigan: Okay.

 

Maria Varmazis: All right.

 

Dave Bittner: This is decades ago when I had my previous company. And on our website we had inadvertently left a, like, preview image from some stock photo company and got a nasty gram from them saying, you know, Hey. You're using our photo illegally.

 

Joe Carrigan: Right.

 

Dave Bittner: Please pay us. My recollection is we did not pay them. We just swapped it out, and we never heard from them again. But that was decades ago. So the tale I'm going to share today has to do with fonts.

 

Maria Varmazis: Oh. Oh, yeah. Okay.

 

Dave Bittner: Turns into a phishing caper and ends with a little bit of a victory for typography nerds everywhere. So imagine this. You're minding your own business, right --

 

Joe Carrigan: Right.

 

Dave Bittner: -- which is what I like to do best.

 

Joe Carrigan: That's what you do on Facebook.

 

Dave Bittner: That's right.

 

Joe Carrigan: Everywhere you go.

 

Dave Bittner: You're running websites for your company, and you get a message on LinkedIn. It has an urgent tone and an official sounding title. And it says, Hey. We found your company using our fonts without a license. Please respond immediately. Now, I'm sure there are people in our audience who are saying to themselves, fonts have licenses?

 

Joe Carrigan: Yeah.

 

Maria Varmazis: Oh, my God. Do they ever.

 

Joe Carrigan: That's my first question.

 

Maria Varmazis: Yes. Yes, they do. Oh, my goodness. And they are way more expensive than you think they should be.

 

Dave Bittner: That's right.

 

Maria Varmazis: Way, way more expensive.

 

Dave Bittner: That's right.

 

Joe Carrigan: How much is Wingdings?

 

Dave Bittner: So --

 

Maria Varmazis: Good question.

 

Dave Bittner: The thing here is, I guess, real quick is that some of the most famous fonts that you see from day to day are owned by people, and they license them out for use. I think part of the confusion comes is that we also have lots of fonts that we use for free every day because they come with our computers, or they've been open sourced. So there's a variety of fonts out there. But some of them absolutely are legally licensed. And, in order to use them legally, you have to pay to use them. So that -- nothing unusual there. That is a standard thing in business. So this letter came to a gentleman who is the kind of the hero of our story. He's actually a self-described typography nerd. His name is Emil. And he got this message on LinkedIn from Monotype, which is one of the big font companies. And they say they've been trying to email you, but they never got -- but you never got their messages. And Emil says -- thinks to himself, that's strange. I don't think we use any Monotype fonts. And he knows about these sorts of things.

 

Joe Carrigan: Right.

 

Dave Bittner: So he starts checking his digital footprint. And his -- his corporation uses Open Sans, which is a free, open source, no license font. He checks their regional sites. He finds one commercial font in play, which is a font called Proxima Nova. But that doesn't come from Monotype, so he doesn't think Monotype should be involved with that. So he reaches out to his team, and he says, Look. Only one person is going to reply to this. We're going to double check all of -- everything, and only one -- I will be the person who will reply, okay, because mono -- I should back up and say, Monotype, he isn't the only person at the company who's getting these urgent messages from Monotype. Monotype is basically going through LinkedIn, finding everybody from the company and just saying, Hey, hey, hey. Please pay us.

 

Joe Carrigan: Is it actually Monotype, or am I reading ahead?

 

Dave Bittner: Stay with me, Joe.

 

Joe Carrigan: Okay.

 

Dave Bittner: So -- so Monotype does not have a lot of patience. They start again messaging people all across the company, LinkedIn style, and they're saying you owe a licensing fee. Let's settle this quickly. So Joe, quickly.

 

Joe Carrigan: Quickly. Time, time horizon.

 

Dave Bittner: There it is.

 

Maria Varmazis: There it is.

 

Dave Bittner: Right.

 

Joe Carrigan: So, yeah. And settle this quickly. Yeah. I'm instantly -- I'm instantly dubious.

 

Dave Bittner: Yeah. So the folks in procurement at his company are ready to pay just to make this go away.

 

Joe Carrigan: Really.

 

Dave Bittner: Well, this is a nuisance kind of thing. It's not that much money. And, you know, what could it possibly cost? But Jamil steps in. And he says, Hold on. Let me take over this. And he digs deeper, and what he finds is that Monotype's report flagged two fonts that were allegedly in use without a license. One of them was an icon set called Credit Cards.

 

Joe Carrigan: Okay.

 

Dave Bittner: Okay.

 

Maria Varmazis: Okay.

 

Dave Bittner: But they weren't using Monotype's Credit Card font. They were -- they were indeed using a Credit Card font. And how to describe this. A credit card -- the Credit Card font looks like the type that's on your credit card that has its number, the embossed part.

 

Joe Carrigan: Right.

 

Dave Bittner: So, if you're illustrating a credit card on your website, you would use this font in an image of a credit card to make it look like a credit card.

 

Joe Carrigan: Okay. You said it was an icon set. So I imagine that, like, a little set of icons is also considered a font.

 

Dave Bittner: Yeah, yeah.

 

Joe Carrigan: Okay.

 

Dave Bittner: Yes. Well, yes. There are -- there are fonts that are outlines of images. So you can get -- there are font sets that are basically logo sets --

 

Maria Varmazis: Yes.

 

Dave Bittner: -- of different companies. Anyway, they're using a Credit Card font, but it's not Monotype's font. And Jamil goes through. He verifies it. What he finds is the font they're using has the same file name on their system as Monotype's font, but it's not Monotype's font. They bought it directly years ago.

 

Joe Carrigan: Okay.

 

Maria Varmazis: Okay.

 

Dave Bittner: And so he's confident; no problem there. The second one was this font, Proxima Nova. And he found that they really do use that. But the problem is Monotype doesn't even sell that font anymore.

 

Maria Varmazis: Okay.

 

Dave Bittner: And our hero contacted the design agency who created the project site, and they confirm, yes. They purchased it legitimately from Adobe years ago.

 

Maria Varmazis: Okay.

 

Dave Bittner: So he writes to Monotype; sends a very thorough email that has screenshots, receipts, annotations.

 

Maria Varmazis: He's got receipts.

 

Dave Bittner: He's basically doing their homework for them.

 

Joe Carrigan: Right.

 

Dave Bittner: And Monotype goes quiet for a few days, and they finally come back with a last attempt to salvage some cash. They say, Okay. We don't sell Proxima Nova anymore, but maybe you bought that Credit Card font from us. Can you confirm why we don't have a record of your license? So they're trying to -- they're asking him to prove a negative, right?

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Can I confirm why you don't have a copy of my license? No because that's impossible.

 

Dave Bittner: Because we didn't buy it from you is why you don't have a copy of my license. We bought it from the design -- from someone else. So here's the thing. Monotype was not being intentionally malicious, right? Fonts should be licensed. Monotype sells fonts. That is what their business is. And designers deserve to be paid.

 

Joe Carrigan: Right.

 

Dave Bittner: But what's at issue here is that the method they were using was pretty sloppy and pressure-based.

 

Joe Carrigan: Yes.

 

Dave Bittner: Right. This wasn't careful auditing. This was spray and pray.

 

Joe Carrigan: Right.

 

Dave Bittner: They use automated scans. They don't bother to verify anything, and they just shotgun everybody to put fear in them and just hope that they're going to get paid. And I'm sure a lot of people do pay them.

 

Joe Carrigan: Yeah.

 

Maria Varmazis: So these were legitimate emails from Monotype.

 

Dave Bittner: These were legit emails from Monotype.

 

Joe Carrigan: Well, I was thinking it was a scammer.

 

Dave Bittner: Yeah. Well -- well, and the hero of our story was wondering that as well. So --

 

Joe Carrigan: I think -- you know, if I'm wondering that, I say, Look. Our address is on the website. Have your lawyers send us a letter.

 

Dave Bittner: Yeah. I also wonder if this isn't someone who is handling this for Monotype, basically a bounty hunter, right --

 

Joe Carrigan: Right.

 

Dave Bittner: -- who's got some kind of system using some kind of automated, dare I say, AI system --

 

Maria Varmazis: AI.

 

Dave Bittner: -- to scan the -- scan the entire internet, find -- in this case it seems like they were just looking for matching file names.

 

Maria Varmazis: Yeah. That's what I was thinking. Yeah. Just like whatever is embedded, just the font embed file name.

 

Dave Bittner: Right. And then sending nasty grams. And -- and the third step is profit.

 

Joe Carrigan: Right.

 

Dave Bittner: So I guess the point of my story here is that, even though this was a legit inquiry from Monotype, their methods leave a lot to be desired.

 

Joe Carrigan: Agreed.

 

Dave Bittner: Ultimately, they -- their claims at obligation were not true. So technically not a scam but, at the same time, not the greatest way to go at something like this.

 

Maria Varmazis: Yeah.

 

Dave Bittner: And, if you're on the receiving end of something like this, I think, as, you know, both of you said, your first year radar went up that this is some kind of phishing scam or that it wasn't actually Monotype. In this case, it was. But I would say just be really careful when you have something like this where they want you to -- they're claiming that you've already violated some rules, some law, some copyright, whatever it is; and pay now or else.

 

Joe Carrigan: I'm going to do a little quick search because they are a publicly traded company.

 

Maria Varmazis: Yeah. They're a big company. I actually interviewed for a job with them many, many, many, many, many years ago. And I had a very negative experience, and so I kind of have a beef with Monotype.

 

Dave Bittner: Okay.

 

Maria Varmazis: So, when you're telling me that they're doing something a little untoward, I'm like, yeah. That tracks. And this is just based on absolutely nothing but a bad interview experience that I had with them.

 

Joe Carrigan: Oh, right? Perhaps they're not publicly traded.

 

Dave Bittner: Right.

 

Joe Carrigan: Or at least not anymore.

 

Dave Bittner: Yeah, yeah. You know, I think most people out -- most people who aren't professional designers or into typography don't really think twice about fonts. They just scroll down. They choose Comic Sans, and they get on with their life.

 

Joe Carrigan: Yes. That's what I do. It's on my resume.

 

Maria Varmazis: I am in physical pain from you saying that, Dave. Just for the record. Oh, my God.

 

Dave Bittner: Right. All right. Well, if you want all of the gory details of this story, we will have a link in the show notes. Let's move on here. Joe, what do you got for us this week?

 

Joe Carrigan: So my story comes from Lita Gore over at al.com, and that is Alabama.

 

Maria Varmazis: Lita Gore at al.com.

 

Dave Bittner: I was going to guess American League.

 

Joe Carrigan: Right. Al.

 

Maria Varmazis: Al Gore.

 

Joe Carrigan: Al Gore. I get it. That's where your mind went.

 

Maria Varmazis: That's where my mind went.

 

Joe Carrigan: Right.

 

Maria Varmazis: Hanging chads. Sorry.

 

Joe Carrigan: Celebrate good times. I will. I went to -- right to the Simpsons reference. Also -- well, never mind. I'm not going to tell you how I feel about Al Gore. I'll just say this: Not a fan and haven't been since the mid '80s.

 

Dave Bittner: All right.

 

Maria Varmazis: You got a beef with Al Gore. Okay. Got it.

 

Joe Carrigan: I do. He's a big time censorship advocate, and don't let anybody tell you that he isn't. Really not a fan. So millions of Walmart customers are victims of a major scam is what the headline of this story is. Now, this is nothing new from what we've heard before. This is talking about a bunch of calls that are going on coming from Walmart. And they're saying -- the scammers would call and say, Hey. This is Emma from Walmart, and we're just calling to authorize the $919.45 purchase of a PlayStation 5. Press 1 to speak with a representative if you want to cancel the order, right? And then you -- you press 1, and these people start asking for all kinds of -- all kinds of personal information. It's just a scam to get you to do this.

 

Dave Bittner: Right. We just need to verify your credit card number.

 

Joe Carrigan: Right. Exactly.

 

Maria Varmazis: Yeah. Your social security number, your date of birth, your physical address.

 

Dave Bittner: Your blood type.

 

Joe Carrigan: My son came up with a great idea for a website and that is a credit card verification site where you say, has your credit card been released in a breach? Enter your credit card details here.

 

Maria Varmazis: I've seen those.

 

Joe Carrigan: No. You're fine.

 

Maria Varmazis: No. I've seen those. Yeah.

 

Joe Carrigan: Oh. Those are actually --

 

Maria Varmazis: They exist. Yeah.

 

Joe Carrigan: No. So okay. So he's not doing any great thinking.

 

Maria Varmazis: Please do not put your credit card information on those websites.

 

Joe Carrigan: Right.

 

Maria Varmazis: Okay. Just feel like we need to say that. Okay.

 

Joe Carrigan: So there is a link in this story to an FCC press release, and that's where I want to focus on today.

 

Dave Bittner: Okay.

 

Joe Carrigan: But, before we get into this, I need to go and do a little bit of background information. So there is a company called YouMail that offers phone call screening services. And they all -- they have a mobile app, and you can get a -- you can get a -- like a virtual phone number if you pay for the service. But they do have a free tier service. I don't know how it integrates with your regular phone, you know, like the phone that you have, you know, like the actual phone number, your SIM card phone number, whatever.

 

Dave Bittner: Yeah.

 

Joe Carrigan: Or if it only works with the -- with the virtual phone numbers. I guess it has to work with the regular phone. I don't know if I want to try this yet because I already have the Google screening service that does a pretty good job.

 

Dave Bittner: Yeah.

 

Joe Carrigan: But -- so keep in mind that the company YouMail, that's one player in this story. Then there is another standard called -- or a suite of protocols called STIR/SHAKEN or shaken stir. And these are a suite of protocols and procedures. This is direct from Wikipedia: A suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks.

 

Dave Bittner: Right.

 

Joe Carrigan: So the way it works is it adds a digital signature to something called the Session Initiation Protocol header, right? So Session Initiation Protocol is a way that you can establish, maintain, and end multimedia phone calls like voice, voice and video, video, whatever.

 

Maria Varmazis: Good thing signatures have never been faked before.

 

Joe Carrigan: Well, it's -- I'm going to -- you can -- we're going to get to that.

 

Maria Varmazis: I'll put a pin in that. Okay. I'll put a pin in that.

 

Joe Carrigan: Because that's not what's going on here, but -- because digital signatures provide two features right out of the gate. They provide integrity of the data, right. You can -- you can verify that the data has -- that the data you received is the data that was sent by the sender. And it also provides verification of the source. And, in cryptography, this is called nonrepudiation, which means the only person who can create a digital signature that matches that -- that can be verified with the public key is the holder of the private key.

 

Maria Varmazis: Okay. Yep.

 

Joe Carrigan: So it's asymmetric cryptography. So now we can get back to this complaint here. This complaint says the FCC demands cessation of Walmart impersonation robocalls. So the FCC has written two documents that we'll put links in the show notes to. It is -- they're talking about the Enforcement Bureau of the FCC -- FCC has demanded that SK Telco, which is a company based in Montana, cease and desist processing these Walmart calls. And they know that this company is responsible for these calls. And they start with 29 complaints, and they send -- they then go and look at the STIR/SHAKEN data which is available. And they found -- at least to them. They found that the company, this company, SK Telco was responsible for 97% of these Walmart preauthorized calls identified by YouMail between May of 2024 and March of 2025. So a little less than a year this company was responsible for 97% of what YouMail tracked as about 9 million calls.

 

Dave Bittner: Wow.

 

Joe Carrigan: So YouMail has a small subset of the phone market for inbound calls. So this is just a fraction of what's going on out there. These guys have probably sent out billions of calls. And it's -- and something else this -- this press release says from the FCC is that it is unlawful to place calls to cell phones containing artificial or prerecorded voice messages absent an emergency purpose or prior written consent. So --

 

Dave Bittner: Huh. I didn't know that.

 

Joe Carrigan: I didn't know that either.

 

Maria Varmazis: Yeah. How would we have ever known that? Because clearly nobody cares about it.

 

Joe Carrigan: Because I get these calls all the time.

 

Maria Varmazis: Constantly. Yeah. I mean, that's nice. Are they going to do anything about it?

 

Joe Carrigan: Hello. It's Sherry from the approval department. I don't think you're a person, and it just keeps going.

 

Maria Varmazis: It just keeps going. Yeah.

 

Joe Carrigan: It's a recorded message.

 

Maria Varmazis: Your car's warranty blah, blah, blah. I don't have a car.

 

Joe Carrigan: Right. Somebody called my old phone number -- my home phone number the other day, and it came in as scam likely. And I -- they got to talk to Mabel Johnson, who is my old lady voice that I do. And I just started talking this woman's ear off. I don't know what happened to Joe Carrigan. I can't find him anymore. Well, how are you today? And it was like, Oh, I've got to go, Mrs. Johnson. It's awesome to do this. I love doing this. This was actually some business that was doing that. I've gotten great results with Mabel.

 

Dave Bittner: Good for you, Joe.

 

Maria Varmazis: Have you placed a pizza order with Mabel yet? Because that's what I want to hear.

 

Joe Carrigan: I have not. Can I tell a story about it?

 

Dave Bittner: I think you're going to.

 

Joe Carrigan: This is a great story.

 

Maria Varmazis: I think it's happening whether we want to or not. All right.

 

Joe Carrigan: My sister-in-law called her parents' house. And I was there, and I answered the phone as Mabel. And I go, Hello. And she just hangs up the phone, right. She figured she dialed the wrong number. So she calls again. And I go, Carissa, why you keep calling? And she hangs up the phone the third time. And she calls the third -- or the second time. She calls the third time and I answer the phone and go, Hello. She goes, Joe. I'm like, Yes. You're at my parents' house. Yes. Oh, good because -- I said, Hold on, Carissa. There's someone here that wants to talk to you. And I go, Carissa, why you keep calling and hanging up on -- she hangs up a third time.

 

Dave Bittner: Oh, wow. Wow. You induced a panic state.

 

Joe Carrigan: So she talks to me. Yeah. She talked to me. And I was like, Hold on just a minute. I do the voice. And she -- she panics and hangs up. And so, yes. It's a running joke in the family, the Mabel Johnson voice. Somebody actually found an obituary from Mabel Johnson one time.

 

Maria Varmazis: Oh, my God. So she's speaking to us all from beyond the grave.

 

Joe Carrigan: Oh, rumors of my demise are greatly exaggerated. The FCC has given SK Telco two days to respond, or they're going to remove them from the communication system. So they will not be able to send calls with the signatures anymore. Essentially, they'll just revoke the public key.

 

Dave Bittner: Right.

 

Joe Carrigan: They'll say, No. We're not accepting this anymore.

 

Maria Varmazis: Why are they giving them two days? Why aren't they just revoking it? Like, what's the -- I mean --

 

Joe Carrigan: Well, because this is the first official governmental action. There -- there is a -- that's -- I didn't cover this. There's an FCC-sanctioned group called the Industry Traceback Group, which traced these sources of this call, of the 29 illegal calls that were complained about to the FCC to SK Telco. And then the Industry Traceback Group notified SK Telco -- SK Telco about the illegal robocall traffic; and they said nothing. So now they have two days to respond.

 

Maria Varmazis: That's what I'm saying, that we know -- everyone knows what a nuisance these things are, and --

 

Joe Carrigan: Right.

 

Maria Varmazis: -- clearly, no one's taking it seriously and then giving them two days as if it's like, Oops, a little mistake, no. Why they should -- I don't understand why they don't just come down hard on them.

 

Joe Carrigan: I am -- I think two days is coming down hard from a government standpoint. I mean, you're -- we're going to revoke your certificates in two days if you don't give us a satisfactory answer.

 

Dave Bittner: I mean, I guess you have to have a little room in there for the possibility that the FCC made a mistake.

 

Joe Carrigan: Right. Which there -- there is a -- there is a strongly worded letter that we'll also include, and I'm not going to go over this.

 

Maria Varmazis: I know the FCC is flawless and would never make a mistake. So okay. Yeah, yeah.

 

Joe Carrigan: This strongly worded letter here that was sent to the CEO, directly to the CEO of the company and carbon copied somebody else at the company, it -- we'll put a link to this in the show notes too. This is worth the read. It is -- the FCC lines out their case in this -- in this letter.

 

Dave Bittner: Yeah.

 

Joe Carrigan: And it's pretty good. I mean, it's pretty obvious that, you know, we have the evidence that says this is the case. And here's everything we found, and here's all the references. And it's, like, cited. And, I mean, it's a beautiful letter. I love it.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So this -- this company --

 

Maria Varmazis: It's a long one. Otherwise, I'm sure you would read it. But it's quite long. Yeah.

 

Joe Carrigan: Yeah. It is long. It's like four pages, four or five pages.

 

Dave Bittner: The implementation of STIR/SHAKEN definitely made a difference.

 

Joe Carrigan: Yes.

 

Dave Bittner: They cut down on this stuff, and then -- and it made it easier for them to hold these folks accountable. But I think, at the end of the day, it's always going to be, to a certain degree, a game of whack a mole.

 

Joe Carrigan: Right. This is exactly what this is. We're looking at one of these moles getting whacked.

 

Dave Bittner: Yeah. Which is kind of gratifying.

 

Joe Carrigan: It is kind of gratifying. I'd like to see -- I'd like to see some fines from these guys. I'd like to see if there's any other way to get other records from somebody other than YouMail because YouMail is, like I said, a small fraction. It's only their customer base that they have data on. They don't have data on everybody else.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So -- but, you know, 9 million records or something like that inside of -- inside of less than a year, and that is only a fraction of what these people were calling. If you assume that this is just randomly hitting YouMail customers, that's huge, absolutely huge.

 

Dave Bittner: Yeah.

 

Maria Varmazis: I'm just trying to think. Like, how many people are in -- this was written in Alabama. Is the entire state of Alabama 9 million people?

 

Joe Carrigan: Yeah. Probably.

 

Maria Varmazis: I mean --

 

Joe Carrigan: I could -- I could ask Google that question.

 

Maria Varmazis: You could.

 

Dave Bittner: All right. Well, we will have a link to that story, as well as the documents from the FCC in our show notes. Do check that one.

 

Joe Carrigan: I stand corrected. It is 1 -- it is 5.158 million people as of 2024, so that is more than the population of Alabama.

 

Dave Bittner: There you go. All right. I tell you what. Let's take a quick break. We will be right back after this message from our show sponsor. And we are back. Maria, it is your turn. What do you have to share this week?

 

Maria Varmazis: Well, as -- Dave, as you know, and as, Joe, as you just recently found out, I just got back from a trip literally yesterday. So if I sound a little under the weather, it's because I am.

 

Dave Bittner: Boy, are your arms tired.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: My favorite joke.

 

Maria Varmazis: Yep. I didn't even say I'd flown in. I just say I got -- anyways. And it was 14 hours in transit each way because I was going overseas. And I'm -- I still operate on a kind of outdated model of I need to make sure I've got a lot of charging cables with me because my bat -- the battery on my phone will not last that trip, which is not true anymore. It definitely lasted. And I've been thinking a lot about charging my phone in public places, in countries that I don't know, in airports that are seeing a bazillion people come and go. And the reason I've been thinking about this is because just when I was on the plane yesterday coming back to the United States, I saw this story that came up on my -- my Google -- you know, the default homepage at Google has where it services news stories that might be relevant to you or interesting to you. And it was from USA Today, which is not a minor newspaper, not a minor news source. I would dare say a lot of people in the United States know USA Today and read it. And the headline was this: TSA urges travelers to avoid two tempting airport freebies. And I was like, okay. It's definitely a good clickbait headline because I was like, all right. What does that mean? And I -- the two freebies, do you want to guess what those two freebies are? Because I was just agog when I read this. Any guess?

 

Dave Bittner: Freebies. Let's see. Offers for massages in the men's room.

 

Joe Carrigan: This is airport, airport freebies.

 

Maria Varmazis: Airport freebies. Airport freebies.

 

Joe Carrigan: Is one of them -- is one of them the charging stations?

 

Maria Varmazis: One of them is charging stations. Correct. Yep.

 

Joe Carrigan: Yep.

 

Maria Varmazis: Any guess on the second one? Because there's two.

 

Joe Carrigan: Is technology -- probably Wi-Fi.

 

Maria Varmazis: Yes. You got it in two, Joe.

 

Joe Carrigan: All right.

 

Dave Bittner: Ding ding ding ding.

 

Maria Varmazis: Yeah. This story from USA Today said, according to a post from the FCC from March 2025 but, still, they just reported on it early December 2025.

 

Dave Bittner: Only USA Today right on top of all the breaking news.

 

Maria Varmazis: Not exactly breaking news. Okay. But they were servicing it during, you know, the holiday travel season, basically saying don't use public Wi-Fi at the airport, and definitely do not use USB ports to charge your devices at airports. And I just sat there on the plane going, I cannot believe we are still giving people this advice. Now, I understand why this advice is being given out because it used to be the -- these were legitimate concerns. And certainly for public Wi-Fi there are concerns about look-alike public Wi-Fi SSIDs or something. You know, your airport, I'll say, for Boston it's like Boston Logan Wi-Fi, something like that. That's the SSID. And someone might name it Boston Logan Wi-Fi with a dash somewhere and fool people into connecting to an actually malicious Wi-Fi network. I understand all that. But the reason that I -- I was a little bit rolling my eyes at this was I had just read the week before a really great open letter to the public, to employers, journalists, and policymakers; and it's titled, Stop Hacklore. And that's actually really what I wanted to talk about. And this is what the letter starts off with. We are a group of current and former CISOs, security leaders, and practitioners who have seen how compromises unfold in the real world. And we write to correct a set of persistent myths about digital risk to everyday people and small businesses that continue to circulate widely online and in public advice columns. And this is the list from Stop Hacklore, that they're basically begging people to stop perpetuating. And number one is we aim to retire the following outdated pieces of advice. Number one, avoid public Wi-Fi because they say large-scale compromises via public Wi-Fi are exceedingly rare today and also that personal VPN services offer little additional security or privacy benefit for most people and don't stop the most common attacks.

 

Joe Carrigan: This one, I'm -- is good for the most part because they're correct. Like, if I get on a public Wi-Fi spot and I go to my bank, TLS will keep -- the transport security layer will keep the malicious actor -- actors' hands off of my stuff, off my traffic. But, if they have a DNS server set up that just redirects me to their impersonation site, what happens then?

 

Dave Bittner: We'll get to that. Keep going, Maria.

 

Maria Varmazis: Okay. Again, the point about if you -- if you connect to public Wi-Fi that is malicious or it's not the actual official public Wi-Fi for your airport, that's a different situation. Same thing with people doing impersonations of public Wi-Fi on planes. But there's the -- the general advice that we've given people about don't use public Wi-Fi and make sure you use a VPN, this open letter is saying is just outdated advice.

 

Joe Carrigan: Yep.

 

Maria Varmazis: The second piece of advice was don't scan a QR code ever. And even I -- I'm still on this train, to be completely honest.

 

Joe Carrigan: I gave this advice last week.

 

Maria Varmazis: Yeah. I'm still on that train. I'm, like, I don't like QR codes. I don't like how -- Dave, just at the event we were at last month where the QR codes every year, you and I are both looking at them askance --

 

Dave Bittner: Yeah.

 

Maria Varmazis: -- this letter is telling us we can just chill out. So --

 

Dave Bittner: I scanned them. I did a Maria. I clicked --

 

Maria Varmazis: You just clicked the link. Yeah.

 

Dave Bittner: I was curious.

 

Maria Varmazis: I was -- yeah. You know what? I am too. Number three was to never charge devices from public USB ports. And I'm just going to read what they wrote here. There are no verified cases of juice jacking in the wild affecting everyday users. Modern devices prompt before enabling data transfer, default to restricted charging modes, and authenticate connected accessories. And I've certainly seen that with at least my more modern devices. I suppose if you're using something really old, juice jacking in theory could be a concern. But I don't think this applies to most people.

 

Dave Bittner: Yeah.

 

Joe Carrigan: I think this is correct, but I'm still bringing my power brick with me and using the actual power outlet.

 

Maria Varmazis: Yeah. I -- I'm with you. I did the same. I had my big power brick with me, and that's what I choose to charge from. But, in an emergency, I'm going to -- I'm going to charge from a public USB port, like a USB C --

 

Joe Carrigan: Right.

 

Maria Varmazis: -- especially since I was just in Europe and I only had one travel adapter for the plug. So I needed to charge my laptop, my phone, and my headphones all at once; and I didn't have an adapter for all three. But I'll use USB for that, and I'm not going to worry about it. The fourth piece of advice they say is outdated is turning off Bluetooth at -- Bluetooth and NFC, which I was like, whoa. Turning off Bluetooth was considered sort of standard. Definitely just keep that off unless you really need it. And they wrote wireless exploits in the wild are extraordinarily rare and typically require specialized hardware, physical proximity, and unpatched devices. Modern phones and laptops isolate these components and require user consent for pairing. Okay. Piece number five is to regularly clear cookies because they say clearing or deleting cookies doesn't meaningfully improve security --

 

Joe Carrigan: Does not.

 

Maria Varmazis: -- or stop modern tracking, which now includes identifiers and fingerprinting other than cookies. So, Joe, I heard you say it doesn't, right?

 

Joe Carrigan: Right. That's correct.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Because it's -- there's all kinds of better ways they -- or ways they can make association between the last set of cookies and -- and where you are now.

 

Maria Varmazis: Yeah. Yep. And then, number six, the piece of advice they're asking us to stop perpetuating and I mean, like, us in general is asking people to regularly change passwords. And that one is --

 

Joe Carrigan: That is correct.

 

Maria Varmazis: Big, big, big yes to that one. I just had this conversation with a neighbor this morning at my daughter's bus stop about how he cannot remember the stinking password to his online bank because it has to keep changing all the time. And I talked to him about password managers. And I just was thinking, yeah. I mean, it's just -- this is -- this is a big problem. And I know in my case a lot of the banks around where I live are very small, and they're not up to date with the latest on security. And a lot of them, they just default to change your password regularly, and that's a pain. So --

 

Dave Bittner: I had this conversation with my dentist yesterday about changing passwords.

 

Maria Varmazis: Yeah, yeah.

 

Dave Bittner: He asked me about it. And I replied, I said [garbled]. But --

 

Joe Carrigan: And he goes regularly. I shouldn't do that.

 

Maria Varmazis: All right. So that was the -- this is the -- that was the list of six things they're asking people that -- for the general public and small businesses. Enterprises are different. So people who are managing enterprise security, obviously, you guys have a different risk situation. So --

 

Dave Bittner: Don't email us.

 

Maria Varmazis: Don't email us. We understand. This is for the general public and for small businesses. All right. And they go through pains to emphasize that as well. So the recommendations for the public, it's easy. There are four things that people should do. Number one -- you can even guess it -- keep your stuff updated. Keep them updated. Just do that, and you're really, really pretty good. Number two is to enable multifactor authentication, which we're now all calling MFA instead of 2FA. We've been beating that drum for years. So we mean it. MFA is great. Using strong passphrases. This really is familiar.

 

Dave Bittner: Again, this is what I told my -- that's what I told my dentist yesterday. Same thing.

 

Maria Varmazis: Yeah, yeah. That's what I was telling my neighbor this morning. Don't reuse them. Make sure everything is unique. And that's why a password manager is great. And then he was like, messaging himself, password manager. Okay. I don't know. I have a feeling I'll be getting a knock on my door soon asking me to help him set that up, which will be interesting. And that was actually tip number four was use a password manager. And I'm a big fan of password managers and have been for many years. And there are a lot of them now. Many of them come built in, in your phone or your computer; and they're pretty good. So, yeah. So that -- that's the Stop Hacklore open letter. And that came out on November 24 right before US Thanksgiving when they knew a lot of us were going to be going home and doing family IT work. So I thought that was really great.

 

Dave Bittner: Maria, I stepped on you there. I apologize. You were about to explain what the difference is between a password and a pass phrase.

 

Maria Varmazis: Yeah. So a password or a pass phrase is -- well, it's -- it can be a short sentence of a number of words with spaces in it. So that -- and what that can enable if you use a pass phrase is length. So like over 16 characters is a really good -- if the system you're using will allow you to run something that long, which can also sometimes be a problem. But, yeah. Length and uniqueness are both really, really helpful because, if you just use the same password and add an exclamation point at the end -- I'm looking at all y'all, not you. But, you know, some people, that's just what they do. I'm not going to name names. But length is really important. And a sentence can really help, even if it's a bunch of nonsensical words. And that can be very handy. So I really recommend reading this letter. I think it's -- I would love to send this to USA Today. Just please, please take a look at this, guys.

 

Dave Bittner: I'm looking at all the people who signed on to this letter.

 

Maria Varmazis: Yeah.

 

Dave Bittner: And this is quite a lit -- I mean, this is a who's who of big names --

 

Maria Varmazis: It truly is.

 

Dave Bittner: -- in cybersecurity. So this isn't just --

 

Maria Varmazis: It truly is.

 

Dave Bittner: -- you know, the AV club down the street. These are --

 

Maria Varmazis: No. I -- many of my former colleagues that I've worked with and I trust them just explicitly, they're on this list. And these are people who have guided me a lot in my own career. So I was very happy to see that they signed on. And, yeah. They're -- this is definitely a who's who of really, really very smart people, many of whom do a lot of public messaging. That's a lot of what they do is talking about this stuff to the general public. So I hope more people will listen to them, and certainly we'll do our best to amplify their message as well. And I want to give a shout-out to the FTC that also put out a message saying public Wi-Fi networks are also -- like, you don't need to worry about that whole thing anymore unless you sign on to the wrong one. So they amplified the Hacklore letter, which I just -- FTC, nicely done. So that was nice to see.

 

Dave Bittner: Yeah. Yeah. All right. Well, good stuff. And to our listeners, if you want us to consider a story for our show, you can email us. It's HackingHumans@n2k.com. All right. Joe, Maria, it is time for our Catch of the Day. [SOUNDBITE OF REELING IN FISHING LINE]

 

Joe Carrigan: Dave, our Catch of the Day comes from the phishing subreddit. It's a service notification, Dave. Apparently you're due for some service.

 

Dave Bittner: Yeah. So I will point out that the -- this comes from service dash -- dash notification at service dash provider dash update dot work.

 

Joe Carrigan: Somebody just got one of those brand spanking new dot work domains.

 

Dave Bittner: Right.

 

Joe Carrigan: How old are these things now, these new top-level domains? They're probably four or five years old.

 

Maria Varmazis: Couple years. Yeah.

 

Joe Carrigan: I'm -- everything's brand spanking new to me.

 

Dave Bittner: So it says, Your email account has been flagged and reported. And then there's the Microsoft logo.

 

Joe Carrigan: Right.

 

Dave Bittner: And it says, Our system has received large number of complaints regarding your email. Your email address has been reported by other users from Microsoft, Yahoo!, and Google for sending spam and threatening emails. The nature of these emails suggests that either you were involved in dubious activities or your account has been abused and misused by someone. Due to the severity of these complaints, and under the empowerment of terms and conditions applicable to our services, we have the right to suspend your service in case we do not receive a justifying explanation until seven business days from today. This mailbox is not monitored for replies. Please do not reply to this email. For clarification, please contact the case manager at, and then they have a phone number. We have assigned a case manager to your account to supervise you through the transitional process. You can file an appeal against the complaints either online or by directly calling your case manager. You can initiate an online chat with your case manager here. In case you wish to speak to your case manager, connect on phone during business hours that -- like, they -- they're really going at it with the phone number here.

 

Maria Varmazis: Please call us. Please.

 

Dave Bittner: Yeah. Regards, account support team. All right. So bunch of things going on.

 

Joe Carrigan: Yeah. This is just -- obviously, this is a scam. First off, like, the capitalization, we can't -- you can't really see that in -- on the podcast. But the capitalization in this is bizarre.

 

Dave Bittner: Random.

 

Joe Carrigan: Random.

 

Maria Varmazis: Yeah.

 

Dave Bittner: Some -- some words are randomly -- the first letter of some words is randomly capitalized for presumably no rhyme or reason.

 

Joe Carrigan: Right.

 

Dave Bittner: Yeah.

 

Joe Carrigan: So, I mean, obviously, hey. We're going to suspend your account in seven days. There's your official time horizon. It's impersonating Microsoft. It is not Microsoft, obviously, because Microsoft would send you something -- well, first off, Microsoft's never going to reach out to you to provide support, and -- nor are they going to reach out to you if they want your -- about your email. They're just going to shut your email down. And, when you go to log in again, they'll say, I'm sorry. This account has been shut down. Goodbye.

 

Dave Bittner: Right.

 

Joe Carrigan: That'll be -- that'll be the end of it. Good luck getting it back if -- even if you weren't responsible for it. But, you know, that doesn't happen unless people are actually abusing email accounts.

 

Dave Bittner: Yeah. A couple of minor grammatical errors but nothing too bad. I mean, these are -- they're definitely trending towards better, right, over the time that we've been doing this.

 

Maria Varmazis: Yeah.

 

Joe Carrigan: Yes.

 

Dave Bittner: And obviously all the AI tools make it a lot easier.

 

Joe Carrigan: The second paragraph is just one sentence. You almost ran out of breath on that one.

 

Dave Bittner: That's true. That's right, that's right.

 

Maria Varmazis: I'm also liking at the bottom in dark, like, a medium gray. It says, Note: Do not share your password/ security questions/ one-time password with anyone, even your case manager. Ooh.

 

Joe Carrigan: Yeah. That's good. That way you know this is official and that these guys are nice guys who care about your security.

 

Maria Varmazis: Yeah. They don't want you to give away any information that, you know, could put you at risk. So no.

 

Joe Carrigan: Right.

 

Maria Varmazis: Good for them.

 

Joe Carrigan: They just want you to install some software so they can take over your computer.

 

Maria Varmazis: Yeah. I'm sure, I'm sure. It's fine. Definitely trust them. Yes.

 

Dave Bittner: All right. That is our Catch of the Day. And, again, we would love to hear from you. If there's something you'd like us to consider for the show, please email us. It's HackingHumans@n2k.com. And that is our show brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Peltzman and Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Joe Carrigan: I'm Joe Carrigan.

 

Maria Varmazis: And I'm Maria Varmazis.

 

Dave Bittner: Thanks for listening.