Hacking Humans

Deception, influence, and social engineering in the world of cyber crime.


How likely are online users to reveal private information?

Guest Professor Lior Fink from Ben Gurion University shares insights from his study "How We Can Be Manipulated Into Sharing Private Information Online." Dave's story is some good news about a Nigerian man sentenced for phishing the US heavy equipment company Caterpillar, Joe has bad news about a sextortion email scam with a fake Zoom zero-day component, and our Catch of the Day is a compelling phishing email a listener named Michael recently received. Links to stories: Nigerian man sentenced 10 years for $11 million phishing scam Watch out for sextortion email scams Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

taint analysis (noun) [Word Notes]

The process of tracing how untrusted input flows through application code, from the points where it enters (sources) to the operations it eventually reaches (sinks), to determine whether unanticipated input can influence program execution in malicious ways.
Link to episode
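The entry above describes the idea in one sentence; the following is an added example (not code from the podcast or from Word Notes) of a toy taint analysis over Python source using the standard ast module. The source, sink and sanitizer lists are a hypothetical policy chosen for illustration, and the analysed program is constructed for the demo: taint enters from request.args.get, propagates through assignment, string concatenation and f-strings, is cleared by a sanitizer call, and is reported where it reaches a sink.

```python
import ast

# Hypothetical policy for the toy analysis (an assumption, not a real product's list):
# where attacker-controlled data enters, which calls must never receive it,
# and which calls are treated as neutralising it.
SOURCES = {"input", "request.args.get", "os.environ.get"}
SINKS = {"os.system", "subprocess.call", "eval", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Render a call target such as os.system or request.args.get as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if the expression may carry attacker-controlled data."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                      # sanitizer output is treated as clean
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):           # "cmd " + user
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):       # f"ping {user}"
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, (ast.Tuple, ast.List)):
        return any(is_tainted(e, tainted) for e in expr.elts)
    return False                              # literals and anything not modelled


def find_flows(source_code):
    """Walk statements in order, track tainted variable names, and report
    every sink call fed by tainted arguments as (line, sink) pairs."""
    findings = []
    tainted = set()

    def visit(body):
        for stmt in body:
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)                # taint propagates to the target
                else:
                    tainted.difference_update(names)     # overwritten with clean data
            value = getattr(stmt, "value", None)         # Expr, Assign, Return, ...
            if isinstance(value, ast.AST):
                for call in ast.walk(value):
                    if (isinstance(call, ast.Call) and dotted_name(call.func) in SINKS
                            and any(is_tainted(a, tainted) for a in call.args)):
                        findings.append((call.lineno, dotted_name(call.func)))
            for field in ("body", "orelse"):             # descend into def/if/for bodies
                if isinstance(getattr(stmt, field, None), list):
                    visit(getattr(stmt, field))

    visit(ast.parse(source_code).body)
    return findings


# Constructed program under analysis; line 1 of the string is the blank line after the quotes.
SAMPLE = """
import os, shlex

def lookup(request, cursor):
    user = request.args.get("user")                            # source
    cursor.execute("SELECT 1 FROM t WHERE n = '" + user + "'")  # tainted sink
    safe = shlex.quote(user)                                   # sanitized
    os.system("ls " + safe)                                    # clean
    os.system(f"ping {user}")                                  # tainted sink
    count = int(user)                                          # sanitized
    eval(count)                                                # clean
"""


def main():
    for line, sink in find_flows(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")


if __name__ == "__main__":
    main()
```

The analysis is deliberately flow-insensitive about branches and knows nothing about aliasing, loops or calls into other functions; real tools add inter-procedural propagation and a much larger source/sink model, but the source-to-sink reasoning is the same.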

Including your passwords in your final arrangements.

Guest Sara Teare, known as 1Password's Minister of Magic, talks with Dave about things people don't consider, like custody of the digital keys to your stuff online. Dave and Joe share some listener feedback from Jonathan about replacing outdated equipment (aka an old phone), Joe's story is about an ongoing campaign targeting security researchers working on vulnerability research and development at different companies and organizations, Dave's story has a holiday theme: emails pretending to confirm orders from lingerie and flower shops that are actually spreading malware, and our Catch of the Day is from a listener named Kristian and it's a "legitimate deal" from Colonel Gaddafi's daughter. Links to stories: New campaign targeting security researchers Pre-Valentine's Day Malware Attack Mimics Flower, Lingerie Stores Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

ATM skimming (noun) [Word Notes]

The process of stealing ATM customers' card data and PINs by physically and covertly installing one or more devices on a public ATM.
Link to episode

In the disinformation and misinformation crosshairs.

Carole Theriault returns with a discussion on disinformation with guest Tim Harford, BBC host, podcaster and author. Dave's got a story about Covid vaccine phishing campaigns, Joe's story talks about data breaches that have increased 50% year over year since 2018, and our Catch of the Day is from a listener named John: a message his wife saw on Facebook and translated from Lithuanian. Links to stories: Count Yourself in For a Vaccine Phish Deep Analysis of More than 60,000 Breach Reports Over Three Years Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

APT side hustle (noun) [Word Notes]

A nation-state hacking group's practice of funding its own activities through cybercrime or cyber mercenary work.
Link to episode

Understanding human behavior is a key to security.

Guest Nico Popp of Forcepoint joins Dave to discuss why understanding human behavior is a major key to security. Dave and Joe discuss some listener follow-up about a Craigslist posting, Joe's story is about a scam website that is promising refunds to consumers all over the world, Dave shares a story about scam calls coming from call centers in India, and our Catch of the Day is from a listener about an email from former first lady Melania Trump. Links to stories: FTC warns of scam website that promises refund for victims of online scams Scam "US Trading Commission" website is not the FTC Who's Making All Those Scam Calls? Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

endpoint (noun) [Word Notes]

A device connected to a network that accepts communications from other endpoints, such as laptops, mobile devices, IoT equipment, routers, switches, and any tool in the security stack.
Link to episode

Covid has shifted the way we deal with money and increased fraud.

Guest Eric Solis of MOVO Cash talks with Dave about the increase in fraud attacks on consumers and businesses in the absence of a body of regulations for digital payments. Dave's story is about his recent pillow purchase prompting him to write online reviews for an extra bonus, Joe shares some details from Verizon's Cyber-Espionage report, and our Catch of the Day is a letter from a listener named Jim who had a bad eBay transaction. Links to stories: Amazon is trying to crack down on fraudulent reviews. They're thriving in Facebook groups. Breach of Trust: How Cyber-Espionage Thrives On Human Nature Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

unified extensible firmware interface (UEFI) (noun) [Word Notes]

The successor to the traditional Basic Input/Output System (BIOS) that, during the boot process, mediates communication between the computer's firmware and the computer's operating system.
Link to episode

Targeted phishing campaigns and lottery scams abound.

Guest Arjun Sambamoorthy of Armorblox talks with Dave about five targeted phishing campaigns that weaponize various Google services during their attack flow, Joe's story is about the MegaMillions jackpot that is approaching epic proportions and attracting the attention of scammers, Dave's story comes from a listener over on the Grumpy Old Geeks podcast about a Venmo incident, and our Catch of the Day comes from Joe's son who received an email from the FBI. Links to stories: Advisory: Beware of Scams as Jackpot Grows Lottery Scams: Some scammers falsely use Mega Millions name Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

Daemon (noun) [Word Notes]

An operating system program running in the background designed to perform a specific task when certain conditions or events occur.
Link to episode

As B2C interactions shift online, call centers become new fraud vector.

Guest Umesh Sachdev of Uniphore talks with Dave about how call centers are becoming the new fraud vector. Dave's story involves an email with a "Trump scandal" .jar file attached that is really a RAT. Joe has a story about hackers spoofing a victim's phone number to make emergency calls so that police respond to the victim's home with force, and he also talks about credential stuffing used to swat people through their video doorbells. Our Catch of the Day comes from a listener, Christian, who received an email with a lazy trunk box scam. Links to stories: Hackers Using Fake Trump's Scandal Video to Spread QNode Malware FBI Warn Hackers are Using Hijacked Home Security Devices for "Swatting" Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

greyware (noun) [Word Notes]

A software category, covering spyware and adware, in which the developer designs the application neither to cause explicit harm nor to accomplish some conventional legitimate purpose; when run, it usually annoys the user and often performs actions that the developer did not disclose and that the user regards as undesirable.
Link to episode

Combating growing online financial fraud.

Dave switches gears and shares a story from the National Law Review with a social engineering spin to it, about a theft exclusion in a title company's errors and omissions policy. Joe shares a story about Facebook taking action against hacking groups, the Catch of the Day comes from Joe himself with a connection request he received on LinkedIn, and later in the show, Dave's conversation with Carey O'Connor Kolaja from AU10TIX on fraud in the financial services and payment industry, and how organizations are using emerging technical solutions to help combat it. Links to stories: Engineering Coverage for Social Engineering Schemes in Light of New Jersey Federal Court Opinion Finding No Errors and Omissions Coverage for Email Scam Taking Action Against Hackers in Bangladesh and Vietnam Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

fuzzing (noun) [Word Notes]

An automated software bug and vulnerability discovery technique that feeds invalid, unexpected and/or random data ("fuzz") into a program and then monitors the program's reaction to it, typically watching for crashes, hangs and unexpected exceptions.
Link to episode
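As an added example (not from the podcast or Word Notes), here is the technique in miniature: a mutation fuzzer run against a constructed record parser that trusts its own length fields, beside a bounds-checked version of the same parser. The record format, the seed input and the bug are all constructed for this illustration. The fuzzer treats ValueError as the parser's documented way of rejecting bad input and counts any other exception as a crash, which is the distinction a practitioner has to make before triaging.

```python
import random

# Constructed wire format: [count][len][bytes]...[len][bytes], one byte per count/len.
SEED = b"\x02\x03abc\x02de"   # constructed valid input: two fields, b"abc" and b"de"


def parse_records_buggy(data: bytes) -> list:
    """Parse the record; trusts the header and performs no bounds checks."""
    count = data[0]
    pos = 1
    fields = []
    for _ in range(count):
        length = data[pos]                    # IndexError when the header lies about count
        fields.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return fields


def parse_records_fixed(data: bytes) -> list:
    """Same format, but every read is bounds-checked; malformed input raises ValueError."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos = 1
    fields = []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated field header")
        length = data[pos]
        if pos + 1 + length > len(data):
            raise ValueError("field length exceeds input")
        fields.append(data[pos + 1:pos + 1 + length])
        pos += 1 + length
    return fields


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: overwrite, insert or delete a byte."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Feed mutated inputs to parser and collect (input, exception name) for every
    crash. ValueError is the parser's own rejection path and is not a crash."""
    rng = random.Random(rng_seed)             # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception as exc:              # anything else is a bug in the parser
            crashes.append((candidate, type(exc).__name__))
    return crashes


def main():
    for name, parser in (("buggy", parse_records_buggy), ("fixed", parse_records_fixed)):
        crashes = fuzz(parser, SEED)
        print(f"{name}: {len(crashes)} crashing inputs")
        if crashes:
            print("  first:", crashes[0])


if __name__ == "__main__":
    main()
```

A real fuzzer keeps a corpus and adds every input that reaches new code to it, so coverage grows over time; this one only mutates the seed, which is enough to show why an unchecked length byte is found within seconds.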

Unix (noun) [Word Notes]

A family of multitasking, multi-user computer operating systems that derive from the original Unix system built by Ken Thompson and Dennis Ritchie at Bell Labs starting in 1969.
Link to episode

Encore: Don't go looking for morality here. [Hacking Humans]

Dave has a story of an investment scam featuring celebrities, Joe warns of scams surrounding the Coronavirus, the Catch of the Day features Joe's son-in-law's adventure with thousands of bot infiltrations, and later in the show, Dave's extended interview with magicians and entertainers Penn and Teller at RSAC 2020 in San Francisco. Links to stories: Revealed: fake 'traders' allegedly prey on victims in global investment scam Coronavirus: Scammers follow the headlines Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

deep packet inspection (DPI) (noun) [Word Notes]

A network monitoring and filtering technique that examines both the header information and the payload of every packet traversing a network access point.
Link to episode

Encore: Separating fools from money. [Hacking Humans]

Dave shares a story of airport penetration testing with a high degree of yuck factor. Joe explores research on protecting passwords from social engineering. The Catch of the Day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's security staff writer Lily Hay Newman on her article tracking Nigerian email scammers. Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

rootkit (noun) [Word Notes]

A clandestine set of applications designed to give hackers access and control over a target device.
Link to episode

tactics, techniques and procedures (TTPs) (noun) [Word Notes]

A set of behaviors that precisely describes a cyber adversary attack campaign.
Link to episode

Phishing lures that may be in your inbox soon, and how to deal "left of bang."

Joe talks about phishing lures built around holiday packages and current events, and the things he expects to see in your inbox soon. Dave shares a blog post on how to troll a Nigerian prince, the Catch of the Day comes from a listener named Christian who received an email from an ill churchgoer that tests US knowledge of geography, and later in the show, Carole Theriault returns with a conversation with Rebecca McKeown, an independent Chartered Psychologist with experience researching and evaluating learning and development across the Ministry of Defence, who is studying the psychology of cyber response. Links to stories: How to Troll a Nigerian Prince Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

identity theft (noun) [Word Notes]

Here identity is the set of credentials, usually electronic, that vouch for who you are, and theft is stealing them: the theft of a person's identity for the purpose of fraud.
Link to episode

The landscape has shifted for holiday shopping to online.

Joe provides some listener feedback on allowing site notifications, Dave shares good news in his story about taking down money mules, Joe's got not as good news about a phishing campaign targeting the COVID-19 vaccine cold chain, The Catch of the Day comes from a listener named Virginia who received a phishing email impersonating a bank, and later in the show, Dave's conversation with Neal Dennis from Cyware on the cybersecurity concerns and pitfalls customers need to look out for and why ecommerce has become a goldmine for hackers. Links to stories: U.S. Law Enforcement Takes Action Against Approximately 2,300 Money Mules In Global Crackdown On Money Laundering IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

Virtual Private Network (VPN) (noun) [Word Notes]

A software, hardware, or hybrid encryption layer between two devices or sites on a network that makes the traffic between them opaque to the other devices on the same network.
Link to episode

cyber threat intelligence (CTI) (noun) [Word Notes]

Information used by leadership to make decisions regarding the cybersecurity posture of their organization.
Link to episode

Going behind the scenes and preventing social engineering in financial institutions.

Joe has a story about fake websites with advanced profiling tools and malicious software by OceanLotus, Dave's story is about sites that ask if it's ok to send you notifications, The Catch of the Day comes from a listener named William who received a phishing email from the boss, and later in the show, Dave's conversation with Mike Slaugh from USAA on his predictions for 2021 and best practices for organizations to protect themselves and consumers, including creating better means of identity verification. Links to stories: OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Be Very Sparing in Allowing Site Notifications Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

smishing (SMS phishing) (noun) [Word Notes]

From the intrusion kill-chain model, the delivery of a "lure" via a text message to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. Smishing is a portmanteau of two other words, the acronym "SMS" and the cyber coinage "phishing". It's a text-message-centric variation of the email-based phishing scams that have been around since the 1990s. The term "smishing" arose in the late 2000s.
Link to episode

Network Time Protocol (NTP) attack (noun) [Word Notes]

A reflection and amplification distributed denial-of-service attack in which hackers send queries to Internet Network Time Protocol servers (NTP servers for short) with the source address spoofed to that of the target victim, so that the servers' replies, which are much larger than the queries that provoked them, are delivered to the victim instead of the attacker.
Link to episode

Encore: Wearing a mask in the Oval Office and the art of deception.

Joe shares his Classic Cons Part 3, Dave has an Apple device scam story, The Catch of the Day is your assassination heads-up, and later in the show our interview with Jonna Mendez, retired CIA intelligence officer and former Chief of Disguise. Link to story: Twitter Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

port mirroring (noun) [Word Notes]

A network switch configuration setting that forwards a copy of each incoming and outgoing packet on one or more ports to a third, monitoring port. Also known as SPAN (Switched Port Analyzer) or RAP (Roving Analysis Port), it does in the switch what a hardware TAP (Test Access Point) does as a separate inline device. When network managers and security investigators want to capture packets for analysis, they need some sort of test access point. You can buy dedicated hardware for this, but most modern switches have the mirroring capability built in.
Link to episode

The public's expectations are changing.

Dave has a story about the security risks of your outbound email, Joe's story is about a fake company, Ecapitalloans, using fake BBB affiliation, The Catch of the Day comes from a listener named Max with a new work phone with curious activity from previous number owner, and later in the show, Dave's conversation with Bill Coletti, crisis communications and reputation management expert at Kith, and author of the book Critical Moments: A New Mindset for Reputation Management.  Links to stories: The 2020 Outbound Email Data Breach Report Finds growing email volumes and stressed employees are causing rising breach risk BBB Warning: Ecapitalloans steals personal information and money from loan applicants Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

Network Detection and Response (NDR) (noun) [Word Notes]

NDR tools provide anomaly detection and potential attack prevention by collecting telemetry across the entire intrusion kill chain on transactions across the network, between servers, hosts, and cloud workloads, and running machine-learning algorithms against this compiled and very large data set. NDR is an extension of the EDR (endpoint detection and response) idea that emerged in 2013.
Link to episode

shadow IT (noun) [Word Notes]

Technology, software, and hardware deployed without explicit organizational approval. In the early days of the computer era, from the 1980s through the 2000s, security and information-system practitioners considered shadow IT completely negative: those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations already swimming in it from their known and authorized systems.
Link to episode

Ransomware: Statistically, it's likely to happen to anybody.

Joe has a story about how Emotet is being used in phishing emails through thread hijacking, Dave's story is a two-fer: one is about bad guys using image manipulation and the other has Elon Musk giving away Bitcoin again taking advantage of the US election, The Catch of the Day is from a listener named John about an email-based vishing attack, and later in the show, we welcome back Kurtis Minder of GroupSense on the burgeoning ransomware negotiation industry.  Links to stories: Spike in Emotet activity could mean big payday for ransomware gangs Sneaky Office 365 phishing inverts images to evade detection Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

remote access Trojan or RAT (noun) [Word Notes]

From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice, made famous by the notorious hacktivist group called "The Cult of the Dead Cow," or cDc. Back Orifice was written by the hacker Sir Dystic (Josh Buchbinder) and released to the public at DEF CON in 1998.
Link to episode

Too good to be true.

Dave has a story about a fake Facebook copyright violation scam that tries to trick you out of your 2FA code to get into your account, Joe's story is about the largest elder fraud scam in US history, the Catch of the Day is about a scam using a Google verification code that includes Hacking Humans in the response, and later in the show, Mallory Sofastaii from WMAR Baltimore returns with her reporting on a fake website luring victims through social media ads. Links to stories and Catch of the Day: Facebook "copyright violation" tries to get past 2FA. Don't fall for it! Feds Bust Massive Magazine-Subscription Scam Targeting Older Consumers Feds in Minnesota charge 60 in $335M magazine fraud that defrauded seniors nationwide Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

business email compromise or BEC (noun) [Word Notes]

A social engineering scam where fraudsters spoof an email message from a trusted company officer that directs a staff member to transfer funds to an account controlled by the criminal. 
Link to episode

David Sanger on the HBO documentary based off his book, "The Perfect Weapon". [Special Edition]

On this Special Edition, our extended conversation with author and New York Times national security correspondent David E. Sanger. The Perfect Weapon explores the rise of cyber conflict as the primary way nations now compete with and sabotage one another.
Link to episode

The Malware Mash!

Link to episode

New consequences, extortion and cyber insurance.

Joe has a story about a woman who called a fake customer service number and got scammed, Dave's story talks about how phishing kits are not that hard to find (just check YouTube), the Catch of the Day is an opportunity for a listener to remove their name from the BLACKLIST, and later in the show, Dave's conversation with John Pescatore from SANS on Thinking Through the Unthinkable: Should You Pay Off a Ransomware Demand. Links to stories and Catch of the Day: Local Doctor Scammed After Calling Fake Customer Service Number Phishing kits as far as the eye can see Sawyer Dickey: "Your name is in the US.BLACKLIST which makes it impossible for you to send money" Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

anagram (noun) [Word Notes]

A word, phrase, or sentence formed from another by rearranging its letters. For example, cracking a columnar transposition cipher by hand involves anagramming: trying column orderings until recognisable words fall out.
Link to episode
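The anagramming the entry describes is easy to automate once you know how the cipher is built. The following is an added example (not from the podcast or Word Notes) that encrypts a message with a columnar transposition, then cracks the ciphertext without the key by trying every column width and column order and scoring each candidate by the dictionary words it contains. The plaintext, the key "CRYPTO" and the five-word dictionary are constructed for the illustration; a real attack would use a real word list or n-gram statistics.

```python
import itertools

# Constructed stand-in for an English dictionary; longer hits are weighted more heavily.
WORDS = ["ATTACK", "BRIDGE", "DAWN", "THE", "AT"]


def encrypt(plaintext, key):
    """Columnar transposition: write rows of len(key), read the columns out in
    alphabetical order of the key letters. Padding with X keeps all columns equal."""
    width = len(key)
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    text += "X" * (-len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    order = sorted(range(width), key=lambda i: key[i])   # order[j] = column read j-th
    return "".join(row[c] for c in order for row in rows)


def decrypt(ciphertext, order):
    """Undo the transposition given order[j] = the plaintext column that was read j-th."""
    width = len(order)
    height = len(ciphertext) // width
    chunks = [ciphertext[j * height:(j + 1) * height] for j in range(width)]
    columns = [None] * width
    for j, c in enumerate(order):
        columns[c] = chunks[j]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def score(text):
    """Crude fitness: sum of squared lengths of dictionary words present."""
    return sum(len(w) ** 2 for w in WORDS if w in text)


def crack(ciphertext, max_width=8):
    """Anagram the columns: for every width that divides the text and every
    column permutation, decrypt and keep the best-scoring candidate.
    Returns (score, width, plaintext)."""
    best = (-1, None, None)
    for width in range(2, max_width + 1):
        if len(ciphertext) % width:
            continue                                   # padding made columns equal
        for order in itertools.permutations(range(width)):
            candidate = decrypt(ciphertext, order)
            s = score(candidate)
            if s > best[0]:
                best = (s, width, candidate)
    return best


def main():
    ct = encrypt("attack the bridge at dawn", "CRYPTO")
    print("ciphertext:", ct)
    s, width, pt = crack(ct)
    print(f"best guess (score {s}, width {width}):", pt)


if __name__ == "__main__":
    main()
```

The search is factorial in the key length, which is why hand anagramming and automated attacks alike start by guessing the width and then fix a few columns that produce obvious digrams before trying the rest.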

What is true and important versus what is the spin.

Dave's story is about cybercriminal gangs that have stolen $22 million from users of the Electrum wallet app, Joe's story talks about a business email compromise scam that cost a US company $15 million, the Catch of the Day is a gift card scam that includes references to the movie National Treasure, and later in the show, Dave's conversation with Bill Harrod, Federal CTO of MobileIron, on election disinformation campaigns. Links to stories and Catch of the Day: Bitcoin wallet update trick has netted criminals more than $22 million The anatomy of a $15 million cyber heist on a US company Uno reverses, 50000 credits worth of nitrous oxide, Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

rogue access point (noun) [Word Notes]

1. A wireless access point installed by employees in an office or data center environment as a convenience for connectivity, without the consent or knowledge of the network manager. 2. A wireless access point, sometimes called an Evil Twin, installed by a cyber adversary in or near an office or data center environment and designed to bypass security controls, gain access, and/or surveil the network traffic of the victim's network. Both kinds, the employee-installed and the adversary-installed rogue access point, increase the attack surface of the organization. The employee-installed device, because its radio footprint extends beyond the building, might make it easier for hackers and mischief makers outside the organization's network to bypass the corporate security controls and gain access without permission. The adversary-installed device is designed specifically to bypass the security controls of the target network.
Link to episode

Use a Dance Dance Revolution floor lock for your data centers.

Starting with some listener follow-up on password managers, Joe's story has an angel investor bilking people out of due diligence fees, Dave's story comes from Graham Cluley on a malware campaign promising details on Donald Trump's COVID-19 status, the Catch of the Day is an animal vaccine phishing scam, and later in the show, we've got a special treat for you: David Spark from the CISO/Security Vendor Relationship Series podcast joins us to play the Best Worst Idea game. Links to stories: Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30M Hackers disguise malware attack as new details on Donald Trump's COVID-19 illness Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

darknet (noun) [Word Notes]

A subset of the internet where communications between two parties or client-server transactions are obscured from search engines and surveillance systems by layers of encryption. The U.S. Naval Research Laboratory designed the original darknet technology, onion routing, in the 1990s. Roger Dingledine and Nick Mathewson deployed the first alpha implementation of The Onion Router network, or Tor, in 2002, with later funding from the Electronic Frontier Foundation (EFF). The Tor Project became a non-profit in 2006 and is funded by the U.S. government, Sweden, various NGOs, and individual sponsors.
Link to episode

Don't click any button...even the 'No' button.

Dave's story is about how some adware took a turn for the worse (and how his dad has fallen for adware in the past), Joe's story talks about how someone is trying to phish AT&T employees and others, the Catch of the Day is an OfferUp scam on an RTX 3080 (you gamers know what that is), and later in the show, Dave's conversation with Caleb Barlow from Cynergistek reacting to the recent story of the tragic death of a woman due to hospital ransomware. Links to stories: Linkury adware caught distributing full-blown malware Phishing Page Targets AT&T's Employee Multi-Factor Authentication Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode

phishing (verb) [Word Notes]

From the intrusion kill chain model, the delivery of a "lure" to a potential victim by pretending to be some trustworthy person or organization in order to trick the victim into revealing sensitive information. According to KnowBe4, the word "phishing" first appeared in a Usenet newsgroup called AOHell in 1996, and some of the very first phishing attacks used AOL Instant Messenger to deliver fake messages purportedly from AOL employees in the early 2000s. The word is part of l33tspeak, which started in the early days of the internet (1980s) as shorthand to let readers know the author was part of the hacker community. In this case the letters "ph" replace the letter "f" in the word fishing, as in "I fish, with an 'f', for bass in the lake." In hacking, "I phish, with a 'ph', for login credentials from key employees at my target's organization."
Link to episode

Cookies make for some tasty phishing lure.

In addition to his regular story, Dave shares a situation where his mom almost took the bait. Dave's story is about an SMS phishing (smishing) Apple scam in the UK (PS: there's never a free iPhone, and Joe is still not an Apple fan), Joe's story talks about why you shouldn't trust anything political on a social network, the Catch of the Day is from a Reddit user invited to join the Illuminati game, and later in the show, Dave's conversation with Alex Mosher from MobileIron on MobileIron's Phishing with Cookies campaign. Links to stories and Catch of the Day: SMS phishing scam pretends to be Apple "chatbot". Don't fall for it! Chinese propaganda network on Facebook used AI-generated faces Catch of the Day on Reddit Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter.
Link to episode
A tiny webapp by I'm With Friends.
Updated daily with data from the Apple Podcasts.