Beau Friedlander:
Travis. Do you remember what happened when I called you up and I had a password issue with, I think it was Gmail. And you said, “Beau…”
Do you remember what I did? Because I remember I did something that was so alarmingly stupid. You were like, didn’t even want to say anything.
Travis Taylor:
I do. You hadn’t updated your password in a decade, as I recall.
Beau Friedlander:
Which password?
Travis Taylor:
Do you really want me to say it on recording?
Beau Friedlander:
No, but I mean, for what account? Because they’re all different now.
Travis Taylor:
Your personal one, the one that you’ve had since the late ’90s.
Beau Friedlander:
Really?
Travis Taylor:
Yeah. Really.
Beau Friedlander:
Terrifying. See, now you all know that if you can find that on Have I Been Pwned, go for it. Because it doesn’t work anymore.
Hi, I’m Beau Friedlander and I am sometimes a victim of cyber crime, but often just writing about it.
Adam Levin:
And I’m Adam Levin. I’m former head of the New Jersey Division of Consumer Affairs, founder of CyberScout, author of the book Swiped and here to either make your day or scare the heck out of you.
Beau Friedlander:
Scaring is caring.
Adam Levin:
It is.
Travis Taylor:
I’m Travis Taylor, resident tech geek and occasional voice of God.
Beau Friedlander:
Speaking of this sort of thing, did you see the news about Clubhouse and the fact that their API was wide open?
Travis Taylor:
An API stands for application programming interface, which sounds super techie. Really all it is, is the way that any app that you’re using, can send and receive data.
Beau Friedlander:
So, how does that work with regard to Clubhouse?
Travis Taylor:
So, with Clubhouse what that means is, anyone who is accessing the API can find out about any of Clubhouse’s members. Their name, basic account info. So, they pretty much just leave the door wide open to be able to tell everyone all about their user base. Parler had a similar thing happened with that, but it was later on used to bust some of the people at the January, 6th riots at the White House. Just in terms of leaving the access completely open, so you could find out not just how many people were on their, their names. In the case of Parler, their location. In the case of Clubhouse, their Instagram log-ins. So, it’s really sloppy security.
Adam Levin:
Have you noticed in the past few months that there has been a literal parade of major organizations leaving the door open in one form or another? Facebook, LinkedIn, Clubhouse, the list goes on.
Beau Friedlander:
Indeed.
Travis Taylor:
Most definitely.
Beau Friedlander:
Indeed, I think the Parler one was kind of remarkable because this place where the January, 6th assault on the Capitol was planned, in large part, was also the place where the FBI went to bust all those people. When they posted photographs of themselves in the Capitol.
Speaker 4:
The democratic Chair of the House Oversight Committee is calling on the FBI to investigate Parler’s potential role in the deadly US Capitol attack. And its possible use as a channel for foreign influence.
Beau Friedlander:
Which brings us to one of your favorite things to talk about, which is oversharing.
Adam Levin:
Yes. People have a tendency, they have almost an unquenchable thirst to share every morsel of their lives with everyone else on social media. And I always never quite got why people feel the need to do this. And one of the biggest dangers is that so many people use real life, either out of wallet facts or out of life facts, when they set up security questions and answers.
Beau Friedlander:
So, what’s an out of wallet fact, Adam? What would an out of wallet fact look like?
Adam Levin:
An out of wallet fact is something that would be… It’s almost a financial identifier. People give away too much information as to where they live, what they drive, what they own, who they know where they go. And this is where people open themselves up to trouble. Not to mention the fact that so many people love to talk about where they went to high school, where they went to college. And while those are all wonderful personal facts, the problem is that oftentimes this finds its way into the answers to security questions. So my attitude, if you’re going to overshare, then the way that you can really show that you care about yourself, is lie like a superhero. I mean, does Bruce Wayne tell us he’s Batman? Does Clark Kent talk about the fact that he’s Superman? I mean, maybe Lois Lane knows. But the truth of the matter is, that you don’t owe anyone the reality of your life when it comes to social media, when it comes to security questions and answers.
Adam Levin:
If you went to Forest Hills High School and the question is “where did you go to high school,” tell him you went to Sky High or if your mother’s name is Brown, say that it’s Green. Again, all that’s important is that, when you’re asked that question, the answer you give is the same answer you gave when you set it up. So, it’s not about veracity, it’s about consistency.
Beau Friedlander:
So Adam, today’s story, actually, it’s not really about oversharing, but it’s definitely related to sharing. There’s something that happens sometimes when a certain kind of photograph is posted where, wow, the whole universe could explode open in a very specific way. So, we’re going to explore that a little bit today.
Adam Levin:
When my wife talks to me about my life on Instagram, which other than for strictly business, doesn’t exist. I post nothing personal and my wife always says to me…. She’s very active in Instagram. She always goes, “You’re a troll.” I go, “I’m not a really a troll, but sometimes it’s easier to find out what you did for the day without having to ask you, is to basically see what you’re doing on Instagram.”
Beau Friedlander:
Today’s show is about lurking.
Adam Levin:
Roy.
Roy:
Hi.
Beau Friedlander:
So Adam, I know you’ve never met him, but I talk about him all the time. Roy lives upstate with his wife, and they have a little farm. He told me a really funny story recently where I found him outside with his wife sleeping in a van. They both had flashlights and they were waiting for I think, the enemy. Roy, can you tell them why you were sleeping in your van, out in the yard at night?
Roy:
Raccoons were eating all of my wife’s heritage corn. Just every night, there’d be a few more stalks pulled down. So, we were trying to… There’s different things, you can set up lights. There’s different… I don’t know if it was like some kind of animal urine or blood, or… I mean, yeah, it’s the raccoons, the predators dealing with extreme wilderness. I mean, yeah, it’s wild here.
Beau Friedlander:
It’s a crittocracy. So Roy, you’re up in Cooperstown, Have you been spending any time at the Baseball Hall of Fame?
Roy:
I’ve only been there when my parents came to visit, I don’t have that much interest in baseball. There’s a great farmers museum here though and a folk art museum, and also an opera. So, lot more in Cooperstown than just the Baseball Hall of Fame.
Adam Levin:
Cooperstown is how far from New York City and how far from Canada?
Roy:
It’s about four hours to New York City and about five hours to Montreal and Toronto. So, it’s kind of nicely situated between there and like an hour west of Albany, to place it that way.
Beau Friedlander:
What do you do most of the time up there?
Roy:
Well, I’m a painter and ceramic artist and homesteader, and I also trade stocks a lot. So, those are my activities.
Adam Levin:
What is a farmers museum? Because that’s pretty cool, what’s that?
Roy:
The farmers museum is James Fenimore Cooper’s old farm, part of the New-York Historical Society, where they’ve moved about, I’d say it’s about two dozen historical buildings, like an apothecary, a blacksmith’s shop, a church and they’re all working buildings, print shops. So, it’s sort of like people in period costume, cooking and letterpress printing, and blacksmithing, and they offer blacksmithing classes, and it’s amazing. It’s the best thing here, really.
Adam Levin:
So, it’s kind of like a version of Williamsburg, but in New York? Williamsburg, Virginia.
Roy:
Yeah. Or like a Sturbridge Village type place. The buildings are all exquisite, like things that were moved here. So, they’re all like original buildings and the classes they offer too, I think makes it really special. And it’s useful for the community here and not just some tourist site.
Adam Levin:
Going back to one of the things you mentioned, what kind of art do you do?
Roy:
Let’s see, how would I describe it? It’s very folk primitive base, but I guess, it would be considered contemporary art, just a collage of materials. I’m also very inspired by sort of Pre-Renaissance Italian, so. And learning different crafts, so sort of taught myself how to make frescoes and combined ceramic relief tiles that I make, like embedding them in frescoes. So yeah, pretty mixed media. And making frescoes that are portable. So, sort of making them on foam. So, sort of a combination technology of surf board meets church in the medium.
Adam Levin:
So Roy, so it’s clear that you are at one with the earth and based on that being sort of an earth person, how did it happen that you ended up with a cybersecurity issue?
Roy:
It was right before the inauguration. I mean, I think when Parler got kicked off of their… Their own app was shut down by, I don’t know, was it Amazon or Apple? Everyone kind of shut them down. And it was in the news that everyone from Parler was migrating to Telegram. And I’m pretty active on Telegram, just in different stock chat rooms or following different companies that sort of have ongoing Telegram chats. So, just I was doing a search for Parler on Telegram and saw… I mean, it was like tens of thousands of people filling up these rooms and just wanted to kind of observe. I had never been on Parler, so just wanted to observe the crazy QAnon chat going into what was a really scary inauguration. Just obviously, after what had happened on the sixth and being in those rooms was just a little too tempting to get into conversations with people, and invited different friends there.
Roy:
And we were kind of pretending like we were Trump supporters, but who were finding out what a sham he was and you know, pointing out like his, oh, did you like you see his tax returns, this article in the New York times or it’s these rape cases, or just sort of being like a disaffected Trump supporter and…
Beau Friedlander:
Now, Roy. Roy. I got to break in here and confess.
Roy:
Okay. I wasn’t sure.
Adam Levin:
Wait, Roy, Beau’s about to make a confession?
Beau Friedlander:
I think Travis knows about this too. I was on Telegram with Roy, and Roy and I would be texting back and forth saying, “Now you tell him blank.” “Okay.” And then we would go back and first of all, Telegram, if you don’t know what it is, it’s an encrypted app. It is end-to-end encrypted. Isn’t it, Travis?
Travis Taylor:
Not for the desktop version, actually.
Beau Friedlander:
It’s a way that people communicate. It’s an app and there’s also a desktop version where people can message with each other and it’s a fairly safe place to do that. And then Parler, in case you don’t know what that is. It’s basically Twitter for right-wing people and QAnon types. A lot of Trump supporters on there. So my confession, Adam, is that I was lurking on the Parler threads with Roy and we were poking the bear.
Roy:
You first told me when you were on Telegram, you were like, “I can see your phone number.” I had this moment of freak out like, oh my God, my phone numbers out there.
Adam Levin:
A note is that, our telephone numbers are probably the most ubiquitous thing that we can think about now. People talk about Social Security numbers being unique identifiers, telephone numbers have become the ultimate unique identifier right now.
Beau Friedlander:
But why is that Adam? Come on. Why?
Adam Levin:
Because everybody tends to give out their phone number to everybody.
Beau Friedlander:
How is that a liability? Like, go ahead, call me. I’m just going to not pick up or tell you this stuff…
Adam Levin:
No, unfortunately, first of all, people do pick up even though they shouldn’t pick up. And the second thing is that for people who use two-factor authentication, where the code is sent in order to be the second level of identifying you as you, the code goes to your phone. If someone were to hijack that phone number, which is becoming a little bit more common than the old days, you could have a problem in the fact they could hijack your number and they could be getting the code, and they could be using that as a way to get into your accounts.
Adam Levin:
Hey, there campers. Look, if you have a story about being a victim of a hack, we’d love to hear about it. Give us a call at 623-252-1820 that’s 623-252-1820, or email stories@whatthehackpod.com.
Beau Friedlander:
Okay. We were lurking. Fair enough Roy?
Roy:
Well, it went from lurking to trolling. I mean, I got kicked out of like, room after room and we’d go to like a different Parler room.
Beau Friedlander:
But you were being very, very provocative as I recall.
Roy:
I mean, yeah. We were like the MyPillow guy, he’s not even giving the troops pillows, like just freaking out over things. It’s like try to be as funny as possible. And then they would just… They’d out us. They’d be like, you guys are obviously fake Trump supporters.
Beau Friedlander:
But also those dudes, I forget the guy’s name, but his name was like Sedona or something. And he was really gentle and kept trying to recruit us. He’d be like, “Well, you don’t know the whole story. You should just listen a little bit and maybe you’ll learn something.” And then you’d be like, “Are you kidding?”
Roy:
Yeah, he was the one who banned me, for sure.
Beau Friedlander:
So, there were all these images and stuff there, and there was people posting stuff left and right. And it was kind of hard to see who was who. Where was your cyber incident in here?
Roy:
Well, Okay. So, I’d gotten kicked out of the really bigger rooms and was just then, I couldn’t even find any more Parler rooms. So, I went to look for different QAnon rooms and I saw one and it had, it was like maybe 20 or 30 people. Same routine, like just was troll posting. And there were these crazy GIF’s I’d never seen, like evil clowns with their arms and jaws opening. And I mean, that to me seemed like it could have been some kind of virus, but in any case, so I’m posting, posting, posting. They’re yelling back at me this or that. Then all of a sudden I see a picture posted and it was a picture of me that doesn’t exist on the internet, that’s only on my phone and my computer. And just completely freaked out, I just immediately shut down the app, the computer, just everything. Slammed down my MacBook, shut off my phone.
Roy:
It was a picture from two, three, maybe four years ago. It was a picture my wife had taken of me. And we were in like Venice Beach, it was in a restaurant. I mean, but they had to have gone back through like three years of pictures to grab that.
Beau Friedlander:
And you’d never posted that picture anywhere online and neither had Obe?
Roy:
No, absolutely not. She must’ve sent it to me from her phone to my phone, then I had.
Adam Levin:
This is almost like the scene in the shower, in the Alfred Hitchcock movie, Psycho. Where this is now the music, so he’s kind of.
Roy:
Well, I think Obe just made dinner and sort of, I couldn’t even tell her at first. I didn’t know what… I was still just processing this and just felt so exposed and vulnerable, and what are the ramifications of this?
Beau Friedlander:
That’s when you called me.
Roy:
I think, yeah.
Beau Friedlander:
And we changed all your passwords.
Roy:
I texted you or called you and were like, “What do I do? Or can you go in and try to find this room and see what else they posted, or what they’re saying?” And the room was gone. You couldn’t find it. I went back on, I couldn’t find it. And it’s like, the room was just gone.
Beau Friedlander:
I went back to that room. Now this was a moment where it was like, “Sorry sir, the call is coming from inside the house.”
Speaker 6:
You hear me? Its coming from inside the house.
Beau Friedlander:
I was just like, “Oh God.” I went to the page and I was like, “No, there’s no one there Roy.” There’s two people there. And one of them is Sedona and he’s still trying to get me to join QAnon.
Roy:
No, no, that was the Parler.
Beau Friedlander:
That was a different… Whatever it was, it went from whatever thousands it was to nothing. And that was…
Roy:
Those other Parler rooms were gone too.
Beau Friedlander:
Yep. So, I don’t know about you Adam, but I feel like I’m waiting for the voice of God to kind of bounce into my head right now because I have no idea what happened.
Travis:
Okay. So, the first option, the first possibility could be a type of malware called TeleGrab. And that is something that, as the name implies, targets Telegram users and is capable of taking files off of your computer or your device. It can also be used for mining cryptocurrency. The second one, which is, I think one that’s a bit scarier, but also a bit more interesting is something called steganographic hacking, which is quite a mouthful there.
Beau Friedlander:
Is it related to the dinosaur or is it a…
Travis Taylor:
It is. Yes.
Beau Friedlander:
What is it?
Travis Taylor:
So, stegosaurus means roof lizard or covered lizard, and steganographic means either roof writing or covered writing. So, the way that that works is, you have a picture, maybe one of those GIF’s that Roy saw, or it can be a video or an audio file that is being used to also convey some sort of data or some sort of malware. And that can be really, yeah. And that has been found on both Telegram and WhatsApp. There was a famous security hole there, where all you needed to do is send someone a picture and then you could compromise their app.
Roy:
I feel like it was that GIF more than anything else. I mean, just the way that stuck in my head. This is the scariest, like GIF I’ve ever seen.
Travis Taylor:
They can look more innocuous, they don’t necessarily to be scary GIFs.
Beau Friedlander:
So Travis, I have a question about the stegosaurus, the roof lizard. So, my understanding of it, is that it is often used as a trigger. So, there’s already something on your computer. The image actually flips… It’s like a trip wire for malware that’s already somewhere in your works. Am I wrong on that?
Travis Taylor:
Oh no. That’s one of the ways that it can work. So, if you had to take a tiny little bit of malware, just a very small amount of code that’s for the most part dormant. It’s waiting for further instructions, it’s a bit like one of those spy movies where you have a sleeper agent. So, you have like a sleeper file on your computer. And then if you see the wrong image or file, a video, audio, anything like that.
Beau Friedlander:
Or the right image.
Travis Taylor:
Exactly. Yeah. But that can be the trigger there to tell the malware, “Okay. We’re off to the races and then it’ll activate.
Adam Levin:
So Travis, and one quick question. So, that means you don’t have to click anything? It’s just when that video shows up?
Travis Taylor:
It depends, but one thing that people often don’t really keep in mind is, when you’re seeing any image online, it is being downloaded to your device in a temporary format. It’s usually kept in just a cache file either on your computer or on your phone. But as soon as you’re seeing a file, yeah, it has been transmitted to you. It’s not remote anymore. So, anything you’re seeing is actually getting downloaded to your device.
Adam Levin:
Okay. That’s pretty terrifying.
Beau Friedlander:
So, what happened when you called up your dumb friend who sort of knows about cyber stuff?
Roy:
I think you recommended that I get Malwarebytes and run that, empty caches, clear cookies, restart. I mean, I put out a fraud alert on all my credit cards. Yeah. Changed passwords, Googled what to do in these situations and just watched everything. And I still am. I mean, I don’t know if these were just like kids messing around and they just wanted to try to find an embarrassing picture to shut me up or get me out of there. Or if there’s something lurking in there waiting to figure out how to drain my bank accounts, but I’ve seen no other sign of any activity, nothing. And Malwarebytes hasn’t found anything.
Beau Friedlander:
So do you check your bank accounts?
Roy:
I mean, well I’m trading every day, so yeah. I’m pretty aware of what’s going on. Yeah.
Adam Levin:
Did you sign up for notifications from your financial institutions that notify you anytime there’s activity in your accounts? Because you can do that with banks and credit card companies. You might’ve been able to do it with brokerage firms too.
Roy:
I would get a notification if someone signed in from somewhere else. I could go to two factor authentication every time I sign in, which I’m considering.
Adam Levin:
I mean, I have two factor authentication and in particular there’s one financial institution where every time I signed in, it then says, “Okay, we’re going to send a text to your phone.”
Roy:
Right.
Adam Levin:
And I sometimes go. But the truth of the matter is, that is just an extra layer of protection, which is really important, especially now that you have been exposed somehow. And that you need to really sort of double down.
Roy:
What about leaving things open, like overnight? Like if you’re in some account and you just leave it open?
Adam Levin:
It’s better to close when you’re done with an account, sign off. Get out. Now, some people, in terms of, your computer and once again, the voice of God, Travis, can give us an idea about this. But isn’t the best at the end of the day and just not to log out of your computer, to shut it down or to log out, but leave it on?
Travis Taylor:
It’s more power efficient to log out, but to leave it on. It’s sort of counter-intuitive, but it uses more electricity to turn on your computer than it is to leave it running it in sleep mode. That being the case, it’s always a good idea just to log out of your account or to lock your account. So, either for Windows or macOS, they’ll have the thing where you need to enter your pin code or your facial verification or something like that. That means that in case anyone happens to get access to your device, they’re not going to be able to just see whatever it was that you were just doing or have full access to your files.
Roy:
So, but definitely log out of Safari or whatever browser and all that? Yeah.
Adam Levin:
It might not even be a bad idea to delete your history as well, every day. Just simple practice. And that doesn’t mean, I correct me if I’m wrong, Travis, but I believe that for instance, if you find a website that you really like save it in your favorites. Right? But at least kill your history daily, if you can.
Travis Taylor:
Yeah. It’s a good idea to kill your history, go through and clear off your cookies, anything like that, that could just be leaving your fingerprints across where you’ve been or what you visited. Especially if you’re trolling QAnon people.
Adam Levin:
And I think that, that’s one of the other messages is, is perhaps it’s best not to troll those who might not appreciate the trolling.
Roy:
That was a lesson I learned. For sure. It’s like, if you’re going to troll QAnon, do it from a burner computer or something.
Adam Levin:
I get reminded of that every night when I come home, you were trolling me again. It’s like, “Well, it’s a shortcut to not having to bother you by saying, so how was your day?”
Beau Friedlander:
Yeah, you’re a bit of a lurker it’s different than trolling. Trolling, it’s like hurling bombs. And I think the lesson is troll all you want, but make sure that you’re wearing armor. And I think also, Travis, the only question I have outstanding in all this discussion is, why doesn’t malware see this piece of dormant code that is triggered by the image, that may have been what happened to Roy? Why would that piece of code be sitting there undetected by an anti-malware, antivirus?
Travis Taylor:
I mean, one of the first things that anyone who was making malware, wants that program to do, is to not be found.
Speaker 7:
You can try, but you’ll never catch me.
Travis Taylor:
One way that a lot of malware can be detected is, if it’s trying anything sketchy on your computer. So, if you just have a file sitting there, you can think about how many millions of other files are just kind of thing you have on your computer, not doing anything. It’s when they suddenly activate it and try to access your files or access your network or something. That’s often with the anti-malware program, when they get triggered and say, “Okay, this is suspicious.”
Roy:
I didn’t have malware running though. So there’s that.
Adam Levin:
But we also know the genius of hackers is that, every time someone gets on to whatever their malware is, it’s like, aha. They simply find a work around. They just tweak it just a teeny little bit. That makes it undetectable yet again, correct?
Travis Taylor:
That’s right. Exactly. There’s a new trick that hackers are doing, which I think is ingenious and scary, that it knows when it’s being inspected by a malware program or by a cyber security researcher, that oftentimes what they do to research malware is to run it on they call called a virtual machine. And what this malware does, is it checks to see if it’s actually running on a virtual machine and then says, if so, don’t do anything and just hide. Only once you’re on someone’s personal device, would it start to activate.
Beau Friedlander:
So Roy, did you learn anything today? I mean, did you learn anything?
Roy:
It was probably that scary clown GIF, but I mean, no, I guess just all the… I mean, yeah, like shutting everything down regularly. I don’t know. That’s new information to me.
Adam Levin:
Roy, really quickly, what we call it as the three M’s, which is, you always have to work hard to minimize your risk of exposure, by reducing your attackable surface. You need to monitor and you need to have a way to manage the damage. For some, it’s calling Beau, for others, it’s calling their insurance agent, their financial services rep or the HR department where they work and say, do you have a program that can help me through an incident? Am I in it? If not, what do I need to do to get in it? Is it free? Which it could be as a perk of your relationship. Is a deeply discounted or what do I have to pay?
Roy:
The setting up fraud monitoring was fairly easy.
Adam Levin:
And you want fraud monitoring, in particular, you want identity monitoring that’s obviously looking for fraud and is scanning the dark web to see what of your information or even your images, your photographic images, are lurking around on the dark web.
Beau Friedlander:
One other thing that we did not mention today, which I think is really important is setting up credit freezes, so that when ever you’re doing anything that involves your credit, opening a new account, moving an account, shopping for a mortgage, whatever. You have to unfreeze your credit, so that whoever’s looking can look. If you don’t do that, they can’t look. And what that does, is it protects you from ever getting scammed in that way? No person can get in there and steal from your credit, which is a pretty valuable asset. It’s like a kinetic asset, right. It’s money that you can have, but you haven’t activated and there’s plenty of criminals out there who are just waiting to do that. So a freeze, I think it’s a great idea when you’ve been compromised like you where.
Roy:
I have a question though. I mean, I don’t know how much experience or how many types of hacks or similar hacks you’ve heard of, but just what you think they could be after. I mean, was it just like, shut this guy up?
Adam Levin:
Yeah. A combination of things. It could be that first, they’re trying to get away into your system, in order to gain access to either the data in the system or that every time you log into an account, it’s transmitting that information to the hacker. It could also be just sending you a message, which is we know who you are and at least in the digital world, we know where you live.
Beau Friedlander:
And shut up.
Roy:
Yeah. That’s a good explanation.
Adam Levin:
What a great show. This has been awesome. Roy, it was great to talk to you, to finally see there’s the real human being. And secondly, to learn a little bit about Cooperstown, New York. And to find out something that, to explore with you an incident, which could be more and more common with people, depending upon where they’re looking and what they’re looking at, and who they’re communicating with. So, thank you so much for joining us on What the Hack.
Beau Friedlander:
Thank you, Roy.
Roy:
Great to meet you. Great to see you both. Thanks for having me. Thanks for helping me.
Beau Friedlander:
We’ll see you later. Bye Roy.
Adam Levin:
What the Hack is a Loud Tree Media production in partnership with Larj Media. That’s L A R J Media. You can find What the Hack, wherever you get your podcasts. Be sure to follow us on social media and find additional information at adamlevin.com. Loud Tree.