Hacking Humans

Tools that automate the identification and remediation of cloud misconfigurations. CyberWire Glossary link: https://thecyberwire.com/glossary/cloud-security-posture-managementAudio reference link: Josh Whedon. 2005. Serenity [Movie]. IMDb. URL https://www.imdb.com/title/tt0379786/

Andrew Hendel, CEO at Marshmallo, joins to share tips to safeguard your feelings and identity in the online dating world. Dave and Joe share some listener follow up from Gareth, who writes in to discuss strange emails he has been receiving. Dave's story follows a woman who was spared jail time after being manipulated by hackers into money laundering. Joe's story is from listener Doug who wrote in to the show to talk about the site he is in charge of and discusses a website he uses called "Buy me a coffee," where his viewers can buy him a coffee, and how he has been experiencing some weird instances with the payment methods of that website. Our catch of the day comes from listener Brandyon who shares an interesting way he was offered to make $600 a week.Links to follow-up and stories:Woman 'manipulated' by hackers into money launderingHave a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

An electro-mechanical device used to break Enigma-enciphered messages about enemy military operations during the Second World War. The first bombe–named Victory and designed by Alan Turning and Gordon Welchman– started code-breaking at Bletchley Park on 14 March 1940, a year after WWII began. By the end of the war, five years later, almost 2000, mostly women, sailors and airmen operated 211 bombe machines in the effort. The allies essentially knew what the German forces were going to do before the German commanders in the field knew. Historians speculate that the effort at Bletchley Park shortened the war by years and estimate the number of lives saved to be between 14 and 21 million.

Guest Chris Sherwood, owner of Crosstalk Solutions, joins Dave to talk about passkeys. Joe shares some listener follow-up about "revert" and side-loading applications on Android phones. Joe's story came from a listener named Kyle who sent this as a Catch of the Day (COTD) about a phishing scam email conversation about event sponsorship. Dave discusses something he saw on Mastodon from user Bjorn about some fraudulent bank charges and stopping a scam in process. Our COTD is from listener Alec about a potential dating scam offering over Instagram.Links to follow-up and stories: Follow-up on side-loading applications (Note, we do not recommend you install any of these applications.) Mastodon thread about social engineering involving fraudulent banking charges. Chris Sherwood's passkey explainer video on YouTube Passkeys directory website Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

A session and user authentication Zero Trust tactic that allows a user to access multiple applications with one set of login credentials.CyberWire Glossary link: https://thecyberwire.com/glossary/single-sign-onAudio reference link: English, J., 2020. What is Single Sign-On (SSO)? SSO Benefits and Risks [Video]. YouTube. URL https://www.youtube.com/watch?v=YvHmP2WyBVY

Oren Koren, CPO and Co-Founder of Veriti, discusses the need for caution in online shopping. Topics include a sneaky Amazon ad leading to a Microsoft support scam, a shed builder falling for a vanity scam, and analyzing a phishing email impersonating eBay. The speakers emphasize the importance of online shopping safety and share tips to minimize risks.

From the intrusion kill chain model, a malicious code delivery technique that allows hackers to send code of their choosing to their victim’s browser. XSS takes advantage of the fact that roughly 90% of web developers use the JavaScript scripting language to create dynamic content on their websites. Through various methods, hackers store their own malicious javascript code on unprotected websites. When the victim browses the site, the web server delivers that malicious code to the victim’s computer and the victim’s browser runs the code.

The podcast covers various interesting topics like Hawaii fire scams, a banking glitch in Ireland, mobile beta-testing scams, and tracking down scammers on Twitter. They also discuss the emotional toll of romance scams, the manipulations in Google Maps, and frustrations with law enforcement's response to cybercrime. One of the hosts shares a personal experience with a hotel reservation scam and emphasizes the importance of healthy paranoia in their line of work. Overall, they provide insights into different scam tactics and the efforts to catch and report scammers for justice.

From the intrusion kill chain model, the first part of an exploitation technique where the hacker tricks their victims into revealing their login credentials. In the second part of the technique, hackers legitimately log into the targeted system and gain access to the underlying network with the same permissions as the victim. Hackers use this method 80% of the time compared to other ways to gain access to a system like developing zero day exploits for known software packages. The most common way hackers steal credentials is with some version of a phishing attack.

They discuss generative AI and authentication, a device that records phone calls, the FBI warning against scammers posing as NFT devs, and test their scammer catching skills. They analyze various scam scenarios and discuss using AI against AI for online safety. The podcast also explores the impact of AI on online authentication, unproductive conversations on social media, and the use of AI algorithms to differentiate groups based on skin pigmentation.