Easy Prey

Regulators have to invest a considerable amount of time in keeping legislation and policy up to date regarding technology and AI, but it’s not easy. We need floor debates, not for sound bytes or for political gain, but to move policy forward.

Today’s guest is Bruce Schneier. Bruce is an internationally renowned security technologist called The Security Guru by The Economist. He is the author of over a dozen books including his latest, A Hacker’s Mind. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. He is a fellow at the Berkman-Klein Center for Internet and Society at Harvard University, a lecturer in Public Policy at Harvard Kennedy School, a board member of the Electronic Frontier Foundation and AccessNow, and an advisory board member of EPIC and VerifiedVoting.org.

• [1:40] - Bruce shares what he teaches at Harvard and the current interest in policy.
• [4:27] - The notion that tech can’t be regulated has been very harmful.
• [6:00] - Typically, the United States doesn’t regulate much in tech. Most regulation has come from Europe.
• [7:52] - AI is a power magnification tool. Will the uses empower the already powerful or democratize power?
• [9:16] - Bruce describes loopholes and how AI as a power magnification tool can mean something different in different situations.
• [12:06] - It will be interesting to watch AI begin to do human cognitive tasks because they will do them differently.
• [13:58] - Bruce explains how AI collaboration can be a real benefit.
• [16:17] - Like every text writer, AI is going to become a collaborative tool. What does this mean for writing legislation?
• [17:18] - AI can write more complex and detailed laws than humans can.
• [21:27] - AI regulation will be skewed towards corporations. Bruce explains how public AI could work.
• [23:46] - Will AI help the defender or the attacker more?
• [26:19] - AI can be good against legacy, but we need some sort of infrastructure.
• [29:27] - There’s going to be a need for proof of humanity.
• [32:29] - It is hard to know what people can do to help move regulation along. Ultimately, it is a political issue.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Schneier on Security

Security risks are dynamic. Projects, employees, change, tools, and configurations are modified. Many companies utilize PEN testers on an annual basis, but as quickly as systems are revised, you may need to implement threat emulation for regular monitoring. 

Today’s guest is Andrew Costis. Andrew is the Chapter Lead of the Adversary Research Team at Attack IQ. He has over 22 years of professional industry experience and previously worked in the Threat Analysis Unit Team at Firmware, Carbon Black, and Logrhythm Labs, performing security research, reverse engineering malware, and tracking and discovering new campaigns and threats. Andrew has delivered various talks at DefCon, Adversary Village, Black Hat, B Side, Cyber Risk Alliance, Security Weekly, IT Pro, Bright Talk, SE Magazine, and others.

• [1:14] - Andrew shares his background and what he currently does in his career at Attack IQ.
• [3:49] - At the time of this recording, there has been a major global security panic.
• [6:06] - There are many programs that we use on a regular basis that we don’t always consider the security of.
• [8:09] - Historically, companies would pay for an external pen test. Andrew describes the purpose of this and how they usually went.
• [9:33] - Pen tests and threat emulation do not need to be limited to just once a year.
• [10:45] - Andrew’s team is in the business of testing post-breached systems. But they preach prevention.
• [11:55] - Attackers are lazy in the sense that they will reuse the same strategies over and over again.
• [14:13] - Many programs we use may be caught in the crosshairs of attacks and vulnerabilities in other companies.
• [16:41] - Andrew discusses the frequency of really critical CVEs.
• [19:01] - What do attackers go after when they’ve breached a system?
• [21:04] - The priority for attackers is to get in quickly and make the victim’s data unavailable.
• [22:24] - A lot of people are under the impression of vulnerability testers. “Fire and forget it” is not a beneficial mindset.
• [24:56] - If we run every test, the amount of data will be overwhelming.
• [27:03] - In his experience, there has been client testing that has been overwhelmingly easy to breach.
• [29:07] - There are also organizations that have done a fantastic job. However, vulnerabilities will still be found.
• [30:18] - The red team is not going to be able to cover your entire organization.
• [32:15] - Threat emulation and pen testing are technically the same thing. Andrew explains how she sees the difference.
• [33:50] - How are vulnerabilities and tests prioritized?
• [36:19] - Andrew describes the things his team works on and their objectives for customers and clients.
• [38:34] - The outage at the time of this recording had a big impact. It gave a really good idea of what could happen if it were a real security breach.
• [41:37] - There are a ton of free resources out there. The primary resource at Attack IQ is the free Attack IQ Academy.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Andrew Costis at Attack IQ

Ransomware may not be on your machines due to your negligence or mistakes. It could be there because of third-party software you are utilizing. Do you know what to do if this happens to you? 

Today’s guest is Amitabh Sinha. Amitabh has a PhD in Computer Science and more than 20 years of experience in enterprise software, end-user computing, mobile, and database software. He co-founded Workspot in 2012. He was the General Manager of Enterprise Desktop and Applications at Citrix Systems. In his five years at Citrix, he was the VP of Product Management for XenDesktop and VP of Engineering for the Advanced Solutions Group.

• [1:03] - Amitabh shares his background and current role and contributions at Workspot.
• [4:35] - The first sign of ransomware in an organization is widespread blue screens and Microsoft machines shutting down.
• [5:40] - How does ransomware find its way to a device?
• [6:59] - Ransomware in your organization is not necessarily your fault.
• [10:37] - Amitabh describes how he has helped client organizations back up and running after having been infected with ransomware.
• [13:11] - Typically, it is not recommended to pay the ransomware, but it may be a viable option for some organizations.
• [15:59] - Most small companies are not prepared to prevent or handle ransomware.
• [17:34] - In most large companies, not all PCs are up to date on security patches.
• [20:41] - Cloud storage is much safer and can be accessed on other physical machines in the event that ransomware shuts down an organization.
• [24:41] - For those who work from home, sometimes multiple machines makes things even more complicated.
• [27:35] - What are you willing to pay to not have something happen? That’s how ransomware takes advantage of people.
• [31:20] - For small companies, there is typically an architectural solution, but that isn’t always viable for large organizations.
• [33:14] - Consider the critical functions of your organizations and what a plan could be if computers were not accessible.
• [34:37] - These types of attacks are more and more frequent.
• [36:44] - Amitabh is confident that AI will make preventing ransomware even more challenging.
• [40:38] - Most people have accepted that a lot, if not all, their information has already been leaked on the internet. But businesses are particularly vulnerable.
• [42:30] - A whole organization can be drastically impacted by just one machine being hit by ransomware.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Amitabh Sinha on LinkedIn
• Workspot.com

We all use technology. Things like internet browsers, search engines, instant messaging, and payment apps. But we aren’t always aware of the data being collected. This information can not only impact your privacy, but those around you as well.

Today’s guest is Carey Parker. Carey is the author of Firewalls Don’t Stop Dragons, a step-by-step guide to computer security and privacy for non-techies. He also hosts a podcast by the same name. He recently retired from a career in software engineering to focus on teaching others how to defend their digital devices and protect their personal data.

• [0:53] - Carey shares his background and what provoked the motivation for a career shift.
• [4:07] - If we all did the small things that protect privacy, we would all be stronger.
• [5:20] - Even if you have already shared a lot of your information online, it is not hopeless and it’s not too late.
• [6:32] - Your security and privacy overlap with other people’s.
• [8:35] - We need to be protecting privacy for all of us, not just ourselves as individuals.
• [10:17] - Carey explains why and how apps and companies collect data.
• [11:48] - Foreign governments would love to get their hands on the data that is collected by countless companies and apps.
• [13:53] - Data is valuable to software developers for honest reasons. Collecting data isn’t inherently bad.
• [17:16] - When determining what connection to use, you are trading off who you trust - your ISP, the public wifi connection, or a VPN.
• [23:10] - Carey shares some easy things you can change right now to protect your privacy.
• [25:25] - Companies love to get your email address and your phone number. These become unique identifiers.
• [27:05] - Search engines collect data as well. This is important to remember.
• [28:05] - Payment apps are another obvious type of website that collects data. Which ones should you avoid?
• [30:32] - There is value in social media. Make sure the things you post are not public by default.
• [32:19] - Metadata and location tools are used on any social media image.
• [34:37] - Messaging apps collect data and share it. There is a gold standard app though that Carey suggests.
• [36:31] - Email is trickier because it is open standard. It wasn’t designed with encryption in mind.
• [38:55] - Carey discusses automated AI systems like Alexa.
• [41:26] - When using AI tools, assume that the information is collected and could be public.
• [42:35] - Car privacy is horrible and there is almost nothing you can do about it.
• [46:18] - It is not true that you need to give up privacy for security. Carey discusses the differences.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Firewalls Don’t Stop Dragons Website
• Firewalls Don’t Stop Dragons Podcast
• Firewalls Don’t Stop Dragons by Carey Parker

Finding a solution to stop spam calls to you, your family, or your business isn’t easy. We may not win this war, but we don’t want the government making this decision for us. We can make it more manageable in the meantime.

Today’s guest is Aaron Foss. After winning the FTC Robocall Challenge in 2013, Aaron started Nomorobo. Since then, Nomorobo has stopped billions and billions of unwanted robocalls and spam texts from reaching our phones, and it was acquired by Applause group in August 2023. Aaron has been featured in The New York Times, Wired, CNN, CNBC, Fox News, and countless other media outlets. He has testified in front of Congress, not once, not twice, but three times.

• [1:14] - Aaron shares his background as a serial entrepreneur in the intersection of technology and business.
• [3:57] - At the beginning, Aaron didn’t even know what a robocall was.
• [6:47] - Robocalls have this negative connotation. They can actually be good. But there are many that are unwanted.
• [8:13] - There are different types of robocalls and there is a differentiation between spam and scam calls.
• [10:08] - Aaron explains why spam emails are easier to block than robocalls.
• [12:20] - There are some robocalls that are necessary and helpful for some people. That is one reason why not all robocalls can be blocked.
• [13:40] - Not answering the phone is not a plausible solution.
• [15:50] - Nomorobo is basically a series of bots talking to other bots.
• [16:50] - Aaron describes caller ID and how spoofing a number is possible.
• [19:42] - This is such a big problem because the barrier of entry is low.
• [21:08] - It is amazing that we can call anyone in the world. But that also means that scammers can, too.
• [22:53] - This is a complicated problem, and the future solution is a combination of government regulation, companies like Nomorobo, and AI.
• [26:29] - We are never going to win the war, but we can keep it manageable.
• [29:45] - What is the role of the carriers when it comes to robocalls?
• [31:47] - Keeping scammers on the phone does not make the problem go away.
• [33:52] - Some scams are seasonal and some are evergreen, like Medicare calls.
• [36:26] - Aaron explains the different ways these scams can be done and the range of damage they can do.
• [39:56] - At best, this is an annoyance. But there are people in our lives that are vulnerable and less protected.
• [44:42] - Sometimes, Nomorobo users have to turn it off for specific reasons and specific calls they’re waiting for.
• [47:56] - This problem is an example of “death by a thousand papercuts.”
• [49:30] - There are some red flags and things you might notice if you answer robocalls that could indicate that they are scams.
• [50:46] - This seems like an easy problem to solve, but it is far more complicated than most people think.
• [52:00] - Aaron describes what it was like to testify in front of Congress.
• [56:43] - Listen and educate yourself. Talk to other people about these things.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Nomorobo Website

Most businesses rely on some type of software, either for scheduling, payment, banking, customer lists, or something else. It’s important to know where this information is stored and what would happen if that software was hacked or you weren’t able to access it. Today’s guest is Kris Burkhardt. As Accenture’s Chief Information Security Officer, Kris leads a team of over 800 security experts charged with protecting company client and customer data. 

• [0:49] - Kris describes his role at Accenture and what Accenture is known for in the security industry.
• [2:26] - Part of their program is sending phishing tests and Kris has failed one before as well. It happens, especially when we are in a rush.
• [5:39] - We are so highly connected that when something goes down, it impacts us in ways we never considered.
• [7:10] - Many small businesses rely on software service providers because there is a lot of good about them. But what happens when they go down?
• [9:56] - Defenders have to get it right all the time.
• [11:13] - The last ten years have seen an immense amount of growth in how we store data. We have to stay ahead of change when it comes to security.
• [13:59] - It is hard to understand how much we rely on technology.
• [17:34] - Kris describes a time when the CEO of Accenture was used in a deep fake and the threat actor was very clever.
• [21:17] - Kris believes that advances in technology will make it harder to pretend to be someone else.
• [23:20] - Children are growing up in a technological world and are naturally more skeptical and cautious as a result.
• [25:49] - Safety has always been an afterthought.
• [27:15] - Kris shares what he thinks scams and deep fakes will look like in the near future.
• [30:12] - Pay attention to things that don’t seem consistent.
• [32:57] - People feel like there is a trade off when it comes to efficiency and security.
• [39:37] - Having a plan ahead of time is absolutely beneficial in staying ahead of security problems.
• [44:25] - As deep fakes become more and more of a problem, Kris suggests having code words with family members.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Accenture Website

Is it right for parents to be the ones to have to put limits on their children’s screen time or to monitor the content they consume? Knowing the impact of social media and kids can influence the decisions that are made. Today’s guest is Steve Lazarus. Steve is a retired FBI agent, crime fiction author, and Instagram influencer specializing in personal and child safety topics.

• [0:42] - Steve shares his background and his career history in the FBI and the military.
• [4:02] - For a long time, Steve was anti-social media. However, since the publication of his book, he has garnered a significant social media following.
• [5:50] - He started his Instagram with posts of things that he would never do as a retired FBI agent.
• [7:08] - Steve describes the post that went super viral on TikTok and Instagram.
• [9:00] - Parents need to know what their kids are looking at on the internet and control the amount of access they have online.
• [10:40] - Sextortion is a very real and serious problem, especially for young boys.
• [12:27] - Always report any case of sextortion or sexual content involving a minor. Law enforcement becomes involved immediately.
• [14:09] - Steve lists some of the things to look for when children and teens that could be red flags.
• [16:01] - The internet is on almost every device in your home. A child’s access is not limited to just a computer.
• [17:59] - Covid did not help the increasing amount of time children spend online.
• [20:52] - We’re asking kids to have good judgment without teaching them how.
• [22:13] - The first question that needs to be asked by anyone, but especially a child is, “Do I know this person?”
• [26:07] - To deal with the digital world now, common sense is crucial and we can’t take everything at face value.
• [27:56] - A relatively new issue is AI generated images that are very convincing and look so real.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Steve Lazarus Author Website
• Steve Lazarus on Instagram
• Steve Lazarus on TikTok

Synthetic IDs can be used to open fake accounts, but without a person to file the fraud claim, how should companies deal with this type of deceit? There is no crime where someone doesn’t need to pay for the loss. Either way, the loss is passed on to the consumers in some way or another. 

Today’s guest is Steve Lenderman. Steve is currently the Head of Fraud Solutions North America at Quantexa and has over 25 years of experience in financial crimes investigation. His previous roles include being the Senior Vice President of Fraud Prevention Investigations at Bank Mobile Technology, the Director of Strategic Fraud Prevention at ADP, and the Fraud Operations Lead for PayPal Business Loans. He is a certified fraud examiner and actively contributes to the anti-fraud community.

• [1:07] - Steve shares his background and what his current role is at Quantexa.
• [4:04] - For those who are interested in a career path in cybersecurity or fraud, Steve has some tips.
• [6:07] - What is synthetic identity? Steve describes what it is and why we should be concerned about them.
• [8:59] - Although still mostly built around financial data, synthetic IDs have also morphed into other nefarious uses.
• [10:56] - All fraud in general is underreported, but synthetic IDs are extremely underreported, so data is not accurate, although still very high.
• [12:37] - Synthetic IDs can be used to open a credit card and then after several purchases, fraudsters leave the card open and unpaid.
• [14:21] - Some think that synthetic IDs and fake accounts are victimless.
• [18:59] - To understand how fraud works, Steve had to create synthetic IDs.
• [22:15] - Over the years, it has gotten even easier to do, which is alarming.
• [25:13] - Credit repair using a CPN is illegal fraud using synthetic IDs.
• [26:40] - Synthetics are all built around data and the ease of collecting data in the last few years has increased the ease of creating them.
• [27:57] - Criminals have learned that they can use synthetic IDs in more ways and in more industries.
• [31:04] - Small businesses are particularly easy targets for synthetic ID use.
• [33:16] - It is possible for synthetic IDs to also be used to create a new business.
• [34:53] - Technology has also made it possible for a deep fake to be created to match a synthetic ID.
• [36:49] - A lot of synthetic IDs are created with unused credit.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Steve Lenderman’s Website
• Quantexa Website

Criminals do their own recon to study how vendors craft their emails and how they can structure them to match. Scammers know employees are busy and that they want to act promptly on requests, but they also understand it takes time to verify the validity of the email. How do we train employees to know what is real and what isn’t?

Today’s guest is Josh Bartolomie. After joining Cofense in 2018 as the Director of Research and Development, Josh currently serves as the Vice President of Global Threat Services. He has over 25 years of IT and cybersecurity experience. He designed, built, and managed security operations centers, incident response teams, security architecture, and compliance for global organizations. 

• [1:08] - Josh shares his background and what he does in his current role at Cofense.
• [4:06] - After all these years, email continues to be an easy way for scammers to target many people at one time and victimize a percentage of them.
• [5:52] - Wherever there are a lot of people, that is where attackers will go because that is a bigger pool of success for them.
• [7:08] - You used to be able to block emails with an unsubscribe button, but now we rely on those emails, too.
• [9:50] - The goal is not to stop them altogether, because at this point it isn’t possible. The goal is to dissuade people from clicking links and trusting emails.
• [11:47] - With AI and LM, crafting emails has never been easier for scammers.
• [13:48] - Organizations get hit in different ways, but HR generally gets targeted a lot.
• [16:54] - Intellectual property theft is also a part of email crafting.
• [20:14] - Chris shares the story of an unfortunate experience.
• [25:10] - Acknowledge that these things do happen and they can happen to you.
• [27:33] - Always call the vendor. It’s an extra layer and extra work, but never trust an email that says something has changed when it comes to finances.
• [28:54] - Organizations should have a strong reporting culture.
• [30:55] - Employees can report emails that seem suspicious. The majority of them are spam emails, rather than scams, but they should be reported.
• [34:02] - What constitutes a spam email? What is the difference?
• [36:13] - Organizations tend to cut IT and cybersecurity when there are budget cuts.
• [39:18] - This is changing every single day.
• [41:46] - Scammers collect data and create profiles. They are very sophisticated in their strategies to target organizations.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest
• Cofense Website
• John Bartolomie on LinkedIn

Some scammers love the challenge of deceiving those they target while others are forced to scam. Those that thrive off of destroying others try to heighten your emotions very quickly. Both excited and angry responses can get you into making irrational decisions. 

Today’s guest is Doug Shadel. Doug is a former fraud investigator and special assistant to the Attorney General at the Washington State Attorney General’s office. He served as state director for AARP Washington and Strategy Director for AARP’s national anti-fraud efforts. Doug has collaborated on numerous educational videos and academic studies and co-authored five books about fraud. He also co-authored the AARP Fraud Frontier 2021 Report. He is currently Managing Director of Fraud Prevention Strategies LLC, a Seattle-based consulting firm.

• [1:08] - Doug shares his background and career in fighting fraud.
• [2:43] - Robo-calls have been a long lasting problem that Doug has been working on with AARP and Nomorobo.
• [7:11] - Over the years, Doug has interviewed numerous scammers. They all say their primary goal is to get a victim in a heightened emotional state.
• [9:07] - Doug describes the research that shows when people are in a heightened emotional state, they are more likely to fall victim to a scam.
• [10:57] - Block the incoming robocalls to begin with to help avoid a scammer manipulating you into a heightened emotional state.
• [13:17] - It still is very dangerous to answer these phone calls because a lot of them are really persuasive and really good at what they do.
• [14:34] - There isn’t a specific demographic profile. Doug explains what people who fall victim to a scam have in common.
• [16:49] - The FCC has come down hard on robocallers, but this has just caused scammers to be more careful and even more skilled.
• [18:09] - Have you recently received calls asking for a donation? Doug describes how these work.
• [21:12] - The number one red flag of a robocall is the threat of loss.
• [25:22] - Caller ID is not reliable. It is very common and easy for scammers to spoof a call.
• [27:48] - There are some legitimate needs for people to be able to spoof a call.
• [29:42] - Assume it is a scam if you did not initiate the contact.
• [33:08] - By and large, scammers will not cause violence on a victim, even if they threaten them. They follow the path of least resistance.
• [36:02] - Doug describes some software he uses to edit videos that incorporates AI. These tools are great, but are also used by scammers.
• [39:26] - Grandparent scams are really common. Doug describes what people have said after falling victim.
• [40:40] - There is an illusion of invulnerability. If you are convinced that you are not vulnerable to something, you won’t do anything to prevent it.
• [43:04] - There’s a lot more money for scammers to make in scamming an employee of a large company than individuals.
• [46:10] - The pandemic also had a big impact on the scamming industry.
• [50:50] - The AARP Fraud Watch Network Helpline is 1-877-908-3360.
• [53:00] - Always report a scam when you know of one. It helps more than you know.

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

• Podcast Web Page
• Facebook Page
• whatismyipaddress.com
• Easy Prey on Instagram
• Easy Prey on Twitter
• Easy Prey on LinkedIn
• Easy Prey on YouTube
• Easy Prey on Pinterest