Friday, December 16, 2022

No, That's Not Your Credit Card Company Calling to Lower Your Interest Rate

Today I got a call that my phone flagged as "Scam Likely". Of course, being a good cybersecurity practitioner, I like to keep these people on the phone as long as possible, because every minute they're on the phone with me is one less minute they're scamming someone else.

The caller claimed to be from Discover, calling to lower my interest rate. Of course I don't have a Discover card, so I decided to play along. In the past I've always thought these were just credit card companies trying to get you to take out a card with them for a "lower rate". However, now that I know the truth I'm even more horrified.

In the several minutes I was on the phone, the scammer asked me a series of questions including if I knew the balance on my Discover card. I told her no, and said "can't you look that up?" Her response was to ask me for the credit card number of my Discover card. Wanting to keep her on the phone as long as possible, I gave her a test card number that would validate in her system as a real Discover card.  Of course if they try to use that card number at a retailer they're going to instantly get flagged for attempted fraud.

The scammer then asked for the last 4 digits of my social, as well as my billing zip code. I pushed back on the social a little, but she promised it was "just for verification purposes", so I gave her the last 4 digits of the test card number and she didn't even bat an eye. Then I told her I wasn't sure what my zip code was, but that I live in Washington DC. Then I pretended to be having connection issues and asked if she could call me back at another number.  Sadly I think she realized I was messing with her because she ended the call before I could give her a number to call - I was going to have her call the Maryland State Police just for laughs.

I am happy that my phone flagged the call as a potential scam, but I'm still worried that we're still fighting this issue today. For those not aware, scam call centers in India are a huge industry. These call centers prey on victims with various tactics, such as tech support scams, credit card scams, and even scams where the caller pretends to be with a local police department, demanding a bail payment for a loved one.

While many of us won't fall for these scams, some such as the elderly possibly will.  That's why it's important to share with them resources on how to recognize and prevents scams.

Ken is a cyber security professional with over 15 years experience. All opinions are his own, and do not reflect those of his employer or his clients.

Sunday, November 20, 2022

Detecting Flipper Zeros for Fun and Profit

Flipper Zero Packaging
For those not familiar, Flipper Zero is a "Multi-tool Device for Geeks", with capabilities including sub-GHZ transceiver, the ability to read, write and emulate RFID and NFC access cards, completely programmable infrared remote control, Bluetooth compatibility, and even hardware exploration through GPIO.

After what seemed like forever (thanks US Customs), I finally received my Flipper Zero and I absolutely love it. However, I'm sure there are many organizations out there absolutely terrified that someone might use one for nefarious purposes - and rightfully so given some of the TikTok videos where people use brute force attacks to gain access to restricted buildings. Spoiler Alert: Most of those videos are actually fake.

So, I started looking at my Flipper a little more in depth, and thought how can we develop methods to detect Flipper Zero when it enters your environment?

Well, it seems that the Flipper uses Bluetooth Low Energy (BLE) to communicate with your phone, allowing you to program and even control the Flipper remotely. Fortunately, all Flippers come from the factory with a default name "Flipper <random>".

So the easiest and quickest way of detecting Flipper Zero, since most people will keep BLE enabled, is to scan for Flipper BLE devices.

So using the free Android app creator Thunkable, I created a basic proof of concept app that does just that.



The app is available on Thunkable's public app gallery. Please feel free to take the methods used in the app to expand its detection capabilities, such as searching for BLE device ID signatures, etc. I won't be publishing this to Google Play as it's a very basic proof of concept, but if you develop it into something more full-featured, please feel free! If you'd just like to play around with the app (which is probably still buggy), my latest version is here.

Of course, this doesn't actually fix any of the security flaws which are revealed by Flipper Zero, so organizations would do well to focus on that, instead of trying to detect the Flipper. It also doesn't detect Flipper Zero if the Flipper has custom firmware and has been renamed, or if the Flipper's Bluetooth has been disabled.  Nevertheless, it's a fun little proof of concept project, and works to highlight how Flipper Zero can be detected in the wild.

Ken is a Cyber Security professional with over 15 years experience. The opinions expressed in this article are his own, and do not reflect those of his employer or clients.

Saturday, October 15, 2022

The Dystopian Reality of Being Monitored while Working from Home

"Mouse Jiggler" from Amazon (affiliate link)
Recently an Amazon ad caught my eye while scrolling Facebook. Originally I thought it was some sort of recreation of a prop from Star Wars or Star Trek. Then I realized the horrifying truth - it's a device designed to keep your mouse "moving" while you're away from your desk. The fact that there is a market for such devices is terrifying, and presents the cold, harsh reality of some of the downsides to working remotely.

Disclaimer: This article contains affiliate links, and I'll get paid a small commission if you purchase something through one of these links.

Monday, July 4, 2022

Scams and cryptocurrency can go hand in hand – here’s how they work and what to watch out for

Scams and cryptocurrency can go hand in hand – here’s how they work and what to watch out for

Yaniv Hanoch, University of Southampton and Stacey Wood, Scripps College

When one of our students told us they were going to drop out of college in August 2021, it wasn’t the first time we’d heard of someone ending their studies prematurely.

What was new, though, was the reason. The student had become a victim of a cryptocurrency scam and had lost all their money – including a bank loan – leaving them not just broke, but in debt. The experience was financially and psychologically traumatic, to say the least.

This student, unfortunately, is not alone. Currently there are hundreds of millions of cryptocurrency owners, with estimates predicting further rapid growth. As the number of people owning cryptocurrencies has increased, so has the number of scam victims.

We study behavioral economics and psychology – and recently published a book about the rising problem of fraud, scams and financial abuse. There are reasons why cryptocurrency scams are so prevalent. And there are steps you can take to reduce your chances of becoming a victim.

Crypto takes off

Scams are not a recent phenomenon, with stories about them dating back to biblical times. What has fundamentally changed is the ease by which scammers can reach millions, if not billions, of individuals with a press of a button. The internet and other technologies have simply changed the rules of the game, with cryptocurrencies coming to epitomize the leading edge of these new cybercrime opportunities.

Cryptocurrencies – which are decentralized, digital currencies that use cryptography to create anonymous transactions – were originally driven by “cypherpunks,” individuals concerned with privacy. But they have expanded to capture the minds and pockets of everyday people and criminals alike, especially during the COVID-19 pandemic, when the price of various cryptocurrencies shot up and cryptocurrencies became more mainstream. Scammers capitalized on their popularity. The pandemic also caused a disruption to mainstream business, leading to greater reliance on alternatives such as cryptocurrencies.

A January 2022 report by Chainanalysis, a blockchain data platform, suggests in 2021 close to US$14 billion was scammed from investors using cryptocurrencies.

For example, in 2021, two brothers from South Africa managed to defraud investors of $3.6 billion from a cryptocurrency investment platform. In February 2022, the FBI announced it had arrested a couple who used a fake cryptocurrency platform to defraud investors of another $3.6 billion

You might wonder how they did it.

Fake investments

There are two main types of cryptocurrency scams that tend to target different populations.

One targets cryptocurrency investors, who tend to be active traders holding risky portfolios. They are mostly younger investors, under 35, who earn high incomes, are well educated and work in engineering, finance or IT. In these types of frauds, scammers create fake coins or fake exchanges.

A recent example is SQUID, a cryptocurrency coin named after the TV drama “Squid Game.” After the new coin skyrocketed in price, its creators simply disappeared with the money.

A variation on this scam involves enticing investors to be among the first to purchase a new cryptocurrency – a process called an initial coin offering – with promises of large and fast returns. But unlike the SQUID offering, no coins are ever issued, and would-be investors are left empty-handed. In fact, many initial coin offerings turn out to be fake, but because of the complex and evolving nature of these new coins and technologies, even educated, experienced investors can be fooled.

As with all risky financial ventures, anyone considering buying cryptocurrency should follow the age-old advice to thoroughly research the offer. Who is behind the offering? What is known about the company? Is a white paper, an informational document issued by a company outlining the features of its product, available?

In the SQUID case, one warning sign was that investors who had bought the coins were unable to sell them. The SQUID website was also riddled with grammatical errors, which is typical of many scams.

Shakedown payments

The second basic type of cryptocurrency scam simply uses cryptocurrency as the payment method to transfer funds from victims to scammers. All ages and demographics can be targets. These include ransomware cases, romance scams, computer repair scams, sextortion cases, Ponzi schemes and the like. Scammers are simply capitalizing on the anonymous nature of cryptocurrencies to hide their identities and evade consequences.

In the recent past, scammers would request wire transfers or gift cards to receive money – as they are irreversible, anonymous and untraceable. However, such payment methods do require potential victims to leave their homes, where they might encounter a third party who can intervene and possibly stop them. Crypto, on the other hand, can be purchased from anywhere at any time.

Indeed, Bitcoin has become the most common currency requested in ransomware cases, being demanded in close to 98% of cases. According to the U.K. National Cyber Security Center, sextortion scams often request individuals to pay in Bitcoin and other cryptocurrencies. Romance scams targeting younger adults are increasingly using cryptocurrency as part of the scam.

If someone is asking you to transfer money to them via cryptocurrency, you should see a giant red flag.

The Wild West

In the field of financial exploitation, more work has been done to study and educate elderly scam victims, because of the high levels of vulnerability in this group. Research has identified common traits that make someone especially vulnerable to scam solicitations. They include differences in cognitive ability, education, risk-taking and self-control.

Of course, younger adults can also be vulnerable and indeed are becoming victims, too. There is a clear need to broaden education campaigns to include all age groups, including young, educated, well-off investors. We believe authorities need to step up and employ new methods of protection. For example, the regulations that currently apply to financial advice and products could be extended to the cryptocurrency environment. Data scientists also need to better track and trace fraudulent activities.

Cryptocurrency scams are especially painful because the probability of retrieving lost funds is close to zero. For now, cryptocurrencies have no oversight. They are simply the Wild West of the financial world.The Conversation

Yaniv Hanoch, Associate Professor in Risk Management, University of Southampton and Stacey Wood, Professor of Psychology, Scripps College

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Tuesday, June 28, 2022

Google’s powerful AI spotlights a human cognitive glitch: Mistaking fluent speech for fluent thought

Kyle Mahowald, The University of Texas at Austin College of Liberal Arts and Anna A. Ivanova, Massachusetts Institute of Technology (MIT)

When you read a sentence like this one, your past experience tells you that it’s written by a thinking, feeling human. And, in this case, there is indeed a human typing these words: [Hi, there!] But these days, some sentences that appear remarkably humanlike are actually generated by artificial intelligence systems trained on massive amounts of human text.

People are so accustomed to assuming that fluent language comes from a thinking, feeling human that evidence to the contrary can be difficult to wrap your head around. How are people likely to navigate this relatively uncharted territory? Because of a persistent tendency to associate fluent expression with fluent thought, it is natural – but potentially misleading – to think that if an AI model can express itself fluently, that means it thinks and feels just like humans do.

Thus, it is perhaps unsurprising that a former Google engineer recently claimed that Google’s AI system LaMDA has a sense of self because it can eloquently generate text about its purported feelings. This event and the subsequent media coverage led to a number of rightly skeptical articles and posts about the claim that computational models of human language are sentient, meaning capable of thinking and feeling and experiencing.

The question of what it would mean for an AI model to be sentient is complicated (see, for instance, our colleague’s take), and our goal here is not to settle it. But as language researchers, we can use our work in cognitive science and linguistics to explain why it is all too easy for humans to fall into the cognitive trap of thinking that an entity that can use language fluently is sentient, conscious or intelligent.

Using AI to generate humanlike language

Text generated by models like Google’s LaMDA can be hard to distinguish from text written by humans. This impressive achievement is a result of a decadeslong program to build models that generate grammatical, meaningful language.

Early versions dating back to at least the 1950s, known as n-gram models, simply counted up occurrences of specific phrases and used them to guess what words were likely to occur in particular contexts. For instance, it’s easy to know that “peanut butter and jelly” is a more likely phrase than “peanut butter and pineapples.” If you have enough English text, you will see the phrase “peanut butter and jelly” again and again but might never see the phrase “peanut butter and pineapples.”

Today’s models, sets of data and rules that approximate human language, differ from these early attempts in several important ways. First, they are trained on essentially the entire internet. Second, they can learn relationships between words that are far apart, not just words that are neighbors. Third, they are tuned by a huge number of internal “knobs” – so many that it is hard for even the engineers who design them to understand why they generate one sequence of words rather than another.

The models’ task, however, remains the same as in the 1950s: determine which word is likely to come next. Today, they are so good at this task that almost all sentences they generate seem fluid and grammatical.

Peanut butter and pineapples?

We asked a large language model, GPT-3, to complete the sentence “Peanut butter and pineapples___”. It said: “Peanut butter and pineapples are a great combination. The sweet and savory flavors of peanut butter and pineapple complement each other perfectly.” If a person said this, one might infer that they had tried peanut butter and pineapple together, formed an opinion and shared it with the reader.

But how did GPT-3 come up with this paragraph? By generating a word that fit the context we provided. And then another one. And then another one. The model never saw, touched or tasted pineapples – it just processed all the texts on the internet that mention them. And yet reading this paragraph can lead the human mind – even that of a Google engineer – to imagine GPT-3 as an intelligent being that can reason about peanut butter and pineapple dishes.

The human brain is hardwired to infer intentions behind words. Every time you engage in conversation, your mind automatically constructs a mental model of your conversation partner. You then use the words they say to fill in the model with that person’s goals, feelings and beliefs.

The process of jumping from words to the mental model is seamless, getting triggered every time you receive a fully fledged sentence. This cognitive process saves you a lot of time and effort in everyday life, greatly facilitating your social interactions.

However, in the case of AI systems, it misfires – building a mental model out of thin air.

A little more probing can reveal the severity of this misfire. Consider the following prompt: “Peanut butter and feathers taste great together because___”. GPT-3 continued: “Peanut butter and feathers taste great together because they both have a nutty flavor. Peanut butter is also smooth and creamy, which helps to offset the feather’s texture.”

The text in this case is as fluent as our example with pineapples, but this time the model is saying something decidedly less sensible. One begins to suspect that GPT-3 has never actually tried peanut butter and feathers.

Ascribing intelligence to machines, denying it to humans

A sad irony is that the same cognitive bias that makes people ascribe humanity to GPT-3 can cause them to treat actual humans in inhumane ways. Sociocultural linguistics – the study of language in its social and cultural context – shows that assuming an overly tight link between fluent expression and fluent thinking can lead to bias against people who speak differently.

For instance, people with a foreign accent are often perceived as less intelligent and are less likely to get the jobs they are qualified for. Similar biases exist against speakers of dialects that are not considered prestigious, such as Southern English in the U.S., against deaf people using sign languages and against people with speech impediments such as stuttering.

These biases are deeply harmful, often lead to racist and sexist assumptions, and have been shown again and again to be unfounded.

Fluent language alone does not imply humanity

Will AI ever become sentient? This question requires deep consideration, and indeed philosophers have pondered it for decades. What researchers have determined, however, is that you cannot simply trust a language model when it tells you how it feels. Words can be misleading, and it is all too easy to mistake fluent speech for fluent thought.The Conversation

Kyle Mahowald, Assistant Professor of Linguistics, The University of Texas at Austin College of Liberal Arts and Anna A. Ivanova, PhD Candidate in Brain and Cognitive Sciences, Massachusetts Institute of Technology (MIT)

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Monday, June 20, 2022

Giving away my cyber security books to empower the next generation of professionals

The cyber security industry is struggling with a severe lack of talent right now, and even though this is one of the most exciting fields to start a career, many people are encountering barriers in gaining the initial knowledge, or trying to figure out if cyber security is right for them.

So effective immediately, I'm giving away all three of my cyber security books with any LeanPub Reader Membership.

Three great books, one low price. This bundle includes...

  • "Death by Identity Theft", a guide to protecting you and your family against identity theft;
  • "Hacking of the Free", a guide to digital threats to our elections
  • "Cyber Security: Rules to Live By", an introductory primer to cyber security concepts

As a cyber security professional with over fifteen years experience, I couldn't be happier than LeanPub has enabled this opportunity for its authors and readers. Authors are still compensated for their work, and the number of books available to readers at an extremely low price point exponentially increases as more authors join the cause.

This is an exciting time for the cyber security industry and tech industry as a whole. LeanPub is helping break down barriers of entry for technology careers, and the timing of this shift is perfect. With LeanPub, we can truly help empower the next generation of cyber security professionals.

Ken is a Cyber Security professional with over 15 years of experience.  All opinions are his own, and do not reflect the opinions of his employer or clients.

Sunday, April 24, 2022

Departing the Federal Space, CBD and The Rest of the Story...

Now that I've departed the Federal contracting world, I can share the rest of my story.

As you may already know, I recently made a major career move departing the Federal contracting space. While there were other health reasons which contributed to my departure from my previous employer, including photophobia triggered by fluorescent lights in most Federal office spaces, this move was in part directly related to the injury I suffered from the COVID-19 vaccine, and the treatment I found worked for me to repair the damage.

Thursday, February 24, 2022

Starting a New Chapter

What a long, strange trip it's been. For over 15 years now, I've devoted my career to supporting the Federal government through Information Technology and Cyber Security. That chapter of my life is now quickly coming to a close.

For quite some time now, I've kept my employers confidential due to concern over being targeted by foreign entities in relation to my work I've performed for various Federal agencies. It's been an interesting run, providing my expertise to Defense Information Systems Agency, Department of Veterans Affairs, the Census Bureau, and various private companies over the years. I've worked with state-of-the-art computer systems distributed across the country, as well as worked with computer systems which are actually older than me but still up and running (and I just recently turned 40).

Three books, and thousands of tweets later, and I still feel like I've only scratched the surface of the real depth, and scope, of the cyber security realm.

Wednesday, February 23, 2022

CISA Launches Catalog of Free Cyber Security Tools

In a big win for cyber security advocates, the Cybersecurity and Infrastructure Security Agency (CISA) has released a catalog of free cyber security tools for private and public sectors.

The list is organized to align with CISA’s recent advisory on:   

  • Reducing the likelihood of a damaging cyber incident, including by preventing devices from connecting to malicious sites and scanning for security weaknesses and vulnerabilities, etc.   
  • Detecting malicious activity quickly, including by deploying network intrusion detection and prevention, undertaking penetration testing, and improving endpoint detections.  
  • Responding effectively to confirmed incidents, including through collection and analysis of malware and other artifacts. 
  • Maximizing resilience, including by automating system backups and enhancing threat modeling. 
The catalog contains links to public sector resources, as well as free, commercially developed products from vendors such as Microsoft, Cisco, Google, and Splunk.

The full catalog can be accessed on the CISA.gov website.

Ken is a Cyber Security professional with over 15 years of experience.  All opinions are his own, and do not reflect the opinions of his employer or clients.

Tuesday, February 22, 2022

Lions, Tigers, Echo Chambers, and Imposters, OH MY!

For those unaware, yesterday Donald Trump's social media network "Truth Social" launched for iOS, with the Android app scheduled to come out, well, someday.  The launch of the social network has been met with expected reactions - conservatives celebrating its launch while liberals condemn it. Meanwhile, moderates like myself sit back and cringe, wondering how we got here in the first place.

Dissent, discourse, disagreements, and compromises are good for all of society. Originally social media was a free flowing, politically neutral environment where political discourse was welcome, and occasionally tempers flared. Unfortunately, in recent years, social media has become fragmented. Social media networks started removing political content, often leaning towards one side of the political spectrum or the other based upon the company's values.

Looking at X's Grok for Potential Cyber Threat Intelligence and Guidance

I'm playing around with X's Grok from a cybersecurity perspective, and I'm very impressed so far. Because Grok has real-time acc...