
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
LIVE: They’re Stealing You with AI 😳 | AI Risks to Identity & How to Fight Back
If you care about protecting yourself, your loved ones, and your organization, this episode offers actionable takeaways you can use today.
This is part of our official Cyber Crime Junkies podcast series—subscribe wherever you listen!
✅ **Don’t forget to like, subscribe, and hit the bell 🔔.**
💬 Comment your “worst phishing attempt” below—I’ll respond personally!
🌐 Visit us at: https://cybercrimejunkies.com
#SecurityAwareness #CyberCrimeJunkies #Phishing #CyberSecurityTraining #LiveTraining
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Topics: top 10 ways protecting yourself online, shocking cyber attack stories, how to stop hackers in their tracks, how to stop hackers, what you need to know, simple ways to protect yourself online, AI risks to identity, live security awareness training, protecting yourself online, new ways to protect yourself online, how to protect your family online, how to protect your family online today, real world cyber threats, real world cyber attack stories, Cyber Crime Junkies
Chapters
00:00 Revolutionizing Cybersecurity Training
01:46 Understanding Cyber Threats
05:10 The Growing Impact of Cybercrime
09:03 The Shark Analogy: Outpacing Cybercriminals
11:55 Myths and Misconceptions in Cybersecurity
16:35 The Reality of Data Breaches
21:49 The Role of Social Engineering
28:39 The Importance of Incident Response Plans
31:00 The Psychology of Phishing
38:38 Exploring the Dark Web
42:44 Case Studies of Recent Breaches
45:21 The Rise of AI in Cybercrime
52:53 Deepfakes and Their Threats
57:55 Best Practices for Cybersecurity
01:25:20 Conclusion and Key Takeaways
Speaker 1 (00:00.142)
All right, let's be honest for a second. Cybersecurity training has been boring for way too long. Death by PowerPoint, fear, uncertainty and doubt and random statistics you'll forget about in five minutes. Hard pass. We started cybercrime junkies to flip the script because here's the deal. You don't care about the inner workings of some system. You care about protecting your organization, maybe breaking into the field of cybersecurity. You care about yourself, your family and your life savings.
And that's exactly where we start. We focus on you, the individual. We bring you real stories, exclusive interviews, and binge worthy breakdowns that actually matter. We talk breaches, AI, deep fakes, ransomware, phishing, vishing, you name it, but we make it personal. Because when it hits close to home, that's when people actually care. So whether you're just cyber curious or full blown paranoid, we've got you.
We've got playlists so that you can pick what fits your world, whether you're in the C-suite, HR, IT, or just trying to stop your parents from clicking fake FedEx links. Start anywhere, seriously. It's all binge-worthy. Hit that subscribe button and help us grow our small channel. If you have a small channel, throw it in the comments and we'll help promote it. Share ours with your team and let's simplify cybersecurity and explain why it matters more today than ever before, one binge-worthy episode at a time. This is Cybercrime Junkies. Enjoy the show.
Speaker 1 (01:42.734)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.
Speaker 1 (02:02.158)
Welcome everybody. My name is David Morrow. I'm vice president with NetGain Technologies. We are an IT and cybersecurity managed service provider that's been in business since 1984. Today we're going to go over understanding cyber threats, what they mean to each one of you individually and your families, as well as your role at the organization, and we're gonna talk about healthcare in specific. We do this as a public service. We do this to help raise awareness and keep you all safe online. Any questions before we begin?
Speaker 1 (02:44.664)
Little background on me, I was a prosecutor and then went and worked at Lloyd's of London over in England for a while, got into risk management and in particular a lot with healthcare right around the Y2K era. We've been doing this a long time. I'm part of InfraGard, which is the FBI's InfraGard and we've run these sessions a lot with FBI agents. I will tell you that when we run them with FBI agents, they come in and they scare the bejesus out of everybody and then they leave. And it's cool, but it's really not as helpful as it can be. Right. And so we've taken their content because we've done just shy of a thousand of these sessions over the last 14 years. And we've taken their content because we've run about 50 sessions with FBI agents. We've taken their content, but we've created it and modernized it to, you know, be updated because now with AI and everything, it's a lot different than when we did it even a few years ago with them.
But more importantly, it's about each one of you individually, because there are ways and all of the take-home resources that we're going to provide you, all of this is no cost. There are ways you can check if you've been compromised. There are ways to protect your finances, protect your change, your privacy settings on your mobile devices. We've got really good tips and suggestions on adjusting your privacy settings on your mobile devices. And we hope you guys see the value in that. I would ask everybody if you don't already, if you haven't frozen your credit, we'll get to this at the end in terms of best practices. Our recommendation is 100% clear and that is freeze your credit, freeze your children's credit.
That is our recommendation. It costs nothing. We show you exactly how to do it right in the take home resources. And that is not coming from us. That's actually coming from hackers and cyber criminals that we have interviewed in our podcasts and our security research, as well as FBI agents that we've interviewed and spoken with. They all say the same thing. The cyber criminals say if Americans would simply freeze their credit, we
Speaker 1 (05:04.984)
wouldn't be able to do half of what we do to them. So I really will strongly encourage you to do that. Let's get going and blow through this content. We have quite a bit of it. The first and foremost thing, and again, I'm going to pause for questions, but I welcome this. Please interject. Okay. Don't feel like you're being rude. You're not at all. But why does this matter? Why do we do these? Why is this in the news? If you look at the media track,
Right up until 2011, 2013, it was almost unheard of. Data breaches weren't in the news. It was very, very rare. Why is it so much that it's occurred since then? Because now it seems like every single week there's one or two or 10 impacts that are newsworthy. Well, there's a couple of reasons. One, they're name brands, right? And there's class action lawsuits and
because of the name brand and the big lawsuits, it becomes newsworthy. The other is because it hurts more today than it did just a few years ago. When you think back 10, 15 years ago, in the workplace we had, and in healthcare, we had nurses with physical records, right? We all did, right? Even in local smaller physician offices.
Right. And there were computers in the office, but frankly, even if they went down, we were fine. We had kinetic physical, we had two worlds. We had our computer digital world and it was helping us, you know, stay organized and get more productive. But we had, the, you know, full processes and procedures and methods of doing things in the kinetic physical world. Since digital transformation and EHR and
all of these initiatives, we are more dependent on our technology than ever before. Because of that, there's more cost when it comes down, when it breaks down, whether it's breaking down because of a cyber attack or an outage or an internet outage, whatever the issue is, it disrupts more now than it ever did before. And because of that, it has become more newsworthy. Also, the dollar value in cyber crime has gotten
Speaker 1 (07:27.308)
extremely lucrative. The dollar value has gone up and that is news. Those are the reasons why we're seeing it. Cybercrime as an industry is the third largest GDP on the planet. No question. When you think of the economy and, you know, products being created and dollars being transacted, the United States is first, China is second, and below that is cybercrime.
There's more revenue generated in cybercrime than the international drug trade. That's been six years in a row. So if we think Pablo Escobar was wealthy, we should see some of the Ukrainian and Russian and Middle Eastern organized crime gangs and their leaders because they are making tenfold what they did selling cocaine and heroin and things like that, which is mind blowing when you think about it. But
Cybercrime right now generates more revenue than all of Europe, all of the Eastern, the European Union, Canada and Australia combined, right? Add all their GDP up and it's still not as much as cybercrime, which is really shocking.
When we think of what we're supposed to do, right? I've heard it best from global chief information security officers, the ones for Zurich that talk to boards all over the world. They've always used this analogy and I like it so I want to share it with you. It is just imagine that we are at the beach. Everybody loves going to the beach. So let's just imagine we're all at the beach. We're at the beach, we're in the water, we're swimming. There's people from other...
companies there, there's other families there, right? And all of a sudden somebody sees fins in the water. Is it a shark? Is it a dolphin? Frankly, I'm not sticking around to find out what are we going to do? We're going to start swimming towards shore. Now the truth is, and the reality is, is if you make the analogy that that shark is a hacker and is a threat actor, here's the truth, right? We will not be able to
Speaker 1 (09:34.978)
And I don't care how much money you invest. I don't care how skilled and talented any organization is. You will not be able to out swim that shark. But the beauty of the analogy is because it's a real analogy. It's very accurate. The truth is we don't have to, we don't have to outrun criminal cyber criminals and hackers. We just have to be able to out swim that guy.
We literally just have to be able to swim faster than somebody else that is also in that water. And here's what I mean. Cyber criminals are opportunistic. We've studied them. This is their, this, will tell you like we are not targeting Southwest medical. We are not targeting individual employees there, but if you have an unlocked door, we're coming in. Okay. So what that means is this.
Imagine the Target parking lot, the Walmart parking lot, right? Just imagine it, right? All these cars and there's a criminal walking in between the cars doing what? Just popping the car doors, checking to see what? Checking to see who left the car door open, right? That is the modus operandi of organized cybercrime, right? They are not necessarily targeting any individual or any individual organization, with the exception of say, Nike or a big airlines or something like that. In general, when we're talking about rural healthcare, we're talking about smaller organizations, midsize organizations, we're not a specific target of them. But the vulnerabilities are, they are going across and going into every single organization that doesn't do basically five main best practices because those five main best practices will be the equivalent of a locked door. And what are they going to do? Yes, they could break the window. They could, you know, blow up the car. There's a bunch of things they could do, but the odds of them getting caught and the effort that it takes is a lot harder because there's still so many other locked door, unlocked doors. There's still so many other swimmers that are out of shape that are closer to that shark.
Speaker 1 (12:00.674)
Right. We don't have to out swim that shark, but we just have to out swim that guy. Right. And doing some minor things, doing a little really gets us there. So there's a QR that'll dance around this deck. QR code is for the take home resources. Honestly, so long as you give us your name, we will create this certification and we will give everybody that attends or watches this later, all of the take home resources. And I'm telling you, they're really useful. All it takes is
code.
Speaker 1 (12:30.796)
a little bit of time, read them and just do what they say. If you do that in 14 years that we've been doing that people and individuals that have done it, not one has experienced identity theft. Not one, not one organization that we've trained has experienced a full blown breach. Have they been compromised? Have bad guys gotten in through social engineering? Yeah, I mean that happens, but that's not a breach.
There's a difference between winding up in the news and there being a major data breach because it's very common. It's very realistic that it can happen, but there's a difference between that and just somebody getting in unauthorized or us letting them in and then them immediately getting kicked out because that's not a breach. That's not a HIPAA violation. And that's what we're going for, right? What we're going for is not perfection, but what we are going for is staying out of the news, staying out of regulators' crosshairs. So to do that, let's just talk about the basics. Let's talk about, I will let Jessica in. There we go. Let's talk about some myths. Okay. Cause we all have them, especially when we think of cyber crime, right? First one is very common. We're small. We're rural, right? Why do they want us? We don't have any value.
The other is a hacker. When I tell you, when I talk about hackers, what do you picture? Nine out of 10 times, my guess is that you're picturing sharp kid in a hoodie, right? Drinking Red Bull, living in his mom's basement, really technical, right? Cracking code all night long, right? That's the perception of a hacker. The other...
myth is security is not our issue. My job is a nurse. My job is a data analytics person. My job is this. I don't have to worry about cybersecurity. That is a complete myth. If you get online, you are a target individually as well as as an employee of the organization. Why? Because of this, if you have a FICO score,
Speaker 1 (14:54.316)
and you have an identity and you have a social security number, right? Then, and you use technology, then you yourself could be subjected to losing your life savings or more, meaning incurring debt above what your net worth is. And that happens every day. One of the stories that we don't hear is that when there's data breaches, there's blurred lines today.
between what happens in our private lives and what happens at work. Again, we used to have two separate worlds. We don't anymore. Some of the things we do on Facebook jeopardize our employer. Some of the things we do at work jeopardize our life savings. Okay? That is why this is designed just to raise awareness and to help you take control back.
so that you are empowered and you can be aware every time you get online because they don't care whether you're at work or not. They just want to be you online. And I'm going to show you a video in a second that shows the danger and the risk there. The other major myth is this. We'll know when we've been breached. I talk to organizations all the time. I talk to leadership all the time. And when
we ask whether they've been breached. They may say no, oftentimes they'll say no, no. And then we'll ask some further questions and find out, they don't have detection in place. They don't have certain fundamental things in place for them to even know that they've been breached. Same thing in our personal lives. Have we been breached? I don't know. Like if you don't know, if you can't look and see if your data is for sale right now on the dark web. If you can't see who is in your network or who is in your personal email or who is in your work systems, right? If you don't have visibility because a lot of people, individuals and a lot of organizations don't do the fundamental things and they don't have that visibility, then the truth is, is we don't know if we've been breached, right? We don't know if somebody's sitting in there or not. And this is why it matters. So.
Speaker 1 (17:15.63)
When we think about the myth of we're too small, right? Well, 57% of all the breaches that are occurring in the United States for the last five years have been at organizations below 250 employees, more than half. Okay. And for organizations above that number, like you guys, that number is even higher, right? The tactic that is used most often in healthcare,
Other than I have to qualify some of this, right? Other than the Change Healthcare breach, right? Which exploited a vulnerability in a software that went all over the place, right? Other than that one or other than the MOVEit breach or some of these unique software vulnerabilities, which are more rare even though they're in the news. When we're talking about rural hospitals engaging in HIPAA violations and being breached,
The number one tactic is social engineering. What is social engineering? It is the psychological manipulation, meaning I'm going to use words to convince you to do something against your interest. Right. And the methodology is always the same. We'll use text, we'll use email, we'll use video, audio, right. And we will create a sense of urgency or importance and we will create
trust, meaning we will impersonate somebody in authority. We will impersonate a leader at your organization, or we would impersonate a brand or a vendor that you use and you trust. And given AI and the rise and the improvement of AI in the last four months, that's gotten very effective, more so than it has been in the past. 36% of the data breaches that we see actually come from the employees' personal lives. It comes from an ad that they see that they click on. You see a lawnmower that on Instagram or on Facebook that you like or a new AI app or whatever it is, right? And you click on that ad because there's a great sale going on. Guess what? That winds up being a data breach at work later. How? Because anybody can create an ad
Speaker 1 (19:42.168)
put malware on the back. There's no filters. There's no scans. There's nobody checking that. Right? Anybody can do it. Mark Zuckerberg doesn't care. Right? Like it is there. There are so many ads. So what are we supposed to do as people? Very simple. If I see that lawnmower, that John Deere lawnmower, and it's 80% off, I'm not going to click on that ad because I don't know what's in the back of that image because anybody can just create an image on Canva and slap it and pay for the ad and then the malware is there like slap malware on the back and it's there and tens of thousands of people click on it. What I'm going to do is I'm simply going to go while they've got a really good sale. I'm going to go to the John Deere website and just see if that's real because nine out of 10 times it's not real. Okay.
That's one of the things, they're called infostealers, and it's part of the reason why when you're capturing your passwords and you're using your password, when you're using a password manager, you're not supposed to use the one in the browser. So if you use Edge, Microsoft Edge, or Google Chrome like so many people do, right, and you want to save your passwords because you've got a really good password, but it's complicated and I can't remember every single password for all my apps, right, then you need to use a password manager, but the answer is not to use the Google Chrome one in the browser. Don't use any of them that are built into a browser. You use an encrypted actual password manager and then they have their own browser extensions and that's safe. The reason is because the moment you click on that ad, even on your phone, right? They're able to capture all of your browser information and that is 36% of the time. That's what leads to company and organizational data breaches.
There's that blurred line now between what we do in our private lives and what happens to us at work. What happens today on average for healthcare right now, it's around 23 days. So when a data breach at when an event happens and they've been inside for a while and then they launch their ransomware or their malware, right? On average, the downtime is 23 days. Honestly, even one day.
Speaker 1 (22:09.366)
is too expensive. One day is too expensive to... it jeopardizes lives, it jeopardizes medical care, and for the average to be 23 days on average, it's serious, right? 76% of the organizations that have been breached in the last three years, 76% didn't know they were breached. They found out about it from media, from social media, or from law enforcement.
That's the reality, right? And in the, the, the statistic for individuals is even higher, right? Most individuals don't know that they've been compromised because they don't do some of the fundamentals and they don't check. And we show you this in the take-home resources, how to check on your, let's say you have Gmail at home, right? You need to go into your Google account and look at the locations where you're signed in. Because my guess is you're probably not signed in.
and shouldn't be signed in over in Russia or over in the Ukraine or over in Pakistan, et cetera. And yet oftentimes when you look on your Google account, you will see that you are. That means you've been compromised and you need to change your password, right? And so we also show you how to see if your personal information is for sale on the dark web. If you've been involved in a prior breach, my guess is each one of you have, and it's fine because it's not the end of the world.
What that means is your data is for sale on the dark web. So what that means is we have to find out what data is for sale, right? And then go change those passwords because then they can't log in as you. The reason is because if we don't do that, then they don't have to hack anything. When we think of that kid in the hoodie, it's not a kid in the hoodie today. It hasn't been a kid in a hoodie for over 10 years. Are there still kids in hoodies with great tech school, the tech skills?
Yeah, but they're not the majority because right around 2011, 2013, they started cybercrime started productizing their code. You know, there's like ransomware, right? Which will encrypt things. Then you have to pay a ransom to get your own data back. Right. We've all heard of that. But did we know that there's certain flavors of it? There's different brands of it. And each brand is designed by the code. Now that being the case, they have names, they have logos.
Speaker 1 (24:37.282)
They actually employ and run business sessions just like a regular operation. Some of them follow the EOS method. Some of them follow business method, the Harvard Business Review method of holding meetings. They have business meetings. They have forecasts. They track their extortion campaigns. It's big business and it's well organized. And how did it get so big? Simple, there's a lot, because they started productizing it.
meaning one person had to have the technical skills to write the bad code. Everybody else just sells it. Everybody else just goes and hacks and their skill is convincing us to click on things. Right. And there's a lot more criminals in the world than there are people with technical skills. So that's part of the reason why it's so popular. The other reason is this. And this may come as a surprise. It may not come.
this is a surprise to you at all. But where cyber criminals, generally speaking, and when I'm saying generally, I'm talking 90% of all of cyber crime, they're located outside the United States, a good 90% of them. There's a group here, especially some certain young ones like Scattered Spider and the Com and certain social engineering groups, cause they're fluent in Western civilization and they know how to.
They know what to say to get people to do things. But in general, most of it is overseas and you have to understand something. Two things. One, nothing will happen to them to ruin your life and to bankrupt your organization. Nothing, nothing. No one's going to go to jail. It's not going to happen. No one's ever going to be questioned. It's not going to happen. They operate with full impunity and immunity. Okay. So
The other second thing, which is something about their mindset is this, they lack empathy for us. And part of the reason for that is this, they grew up their whole life that we were their enemy. We are the bad guys in their worlds. And there's a lot of them. Okay. So we are dealing with a group that doesn't care if they bankrupt us individually, make us homeless, ruin our life savings.
Speaker 1 (26:57.422)
wreck our organization, bankrupt the organization, interfere with healthcare. They don't care. You're not going to convince them otherwise. Plus you have to understand we are the enemy. They grew up kind of their whole life understanding that we are the enemy, right?
you know, this webinar.
Speaker 1 (27:18.964)
Hang on, let me... There we go. That better. So why is this occurring and why does that happen? A couple different reasons. They're in parts of the world where that doesn't do a lot of trade with the US or has restricted trade or limited trade. And so if they're bringing in 30 million dollars into their village from American dollars, everybody's high-fiving them. They're excited.
and then we'll go to private.
Speaker 1 (27:47.362)
Right? Because that money is being spent in a great big way in that village and they would not otherwise get that revenue because we're not trading with them. That is the reality of it. So 76% of organizations here in the U.S. don't realize that they've been breached. But meanwhile, what are we doing? And this is where the take home resources and sessions like this get to. And that is we're making it easier. We are leaving our car doors open. OK, we are out of shape when we're getting into the ocean, right? And there's a shark there. We're the person out of shape, or we're the person that doesn't even know how to swim, and yet we're out in the ocean. That's the reality of it. What I mean by that is, well, let's look at the facts. 68% of all of us reuse our passwords. Been doing these sessions for a long time, and they evolve over time. And so sometimes some people will come back and say, I have a great password. It's long.
It's really good. I use it on everything, right? It's not the way to do it, right? Because it doesn't matter how good that password is. If that account is compromised, it is immediately posted for sale on the dark web. Somebody now has that great password and they can do what? They can log in as us. That's what we don't want to happen. So we show you in the take home resources how to not reuse passwords.
how to create strong passwords and how to use password managers. It's really key. The organization less like three quarters of organizations in the U.S. don't plan for the day of a data breach. We don't have incident response plans. We haven't tested them. We all did fire drills in school and yet we don't prepare for that day. Right. And it matters because when every literally every minute counts, we're not going to know like
Who does what on hour one? Who does what hour two? Who does what hour three? Because it's not IT. Like IT is hamstrung. Everything's down. IT can't do anything, right? What is the leadership doing? What is HR doing? What is PR doing? Who's speaking to customers? Who's speaking to the press? Who's speaking to law enforcement in hour one? Think of it almost like a living, breathing, RACI document.
Speaker 1 (30:09.858)
Who's responsible, who's accountable, who needs consulted, who needs informed hour one, hour two, hour three, day one, day two, day three to speed things up and get things back up and running. That's the key, right? It's a fire drill. You need to simulate those once or twice a year because the data shows organizations that do that unequivocally respond faster and it costs like a 10th of the price just by preparing. And then here in the U.S. when hackers first get in to a network or they get into your own personal information. On average, none of us know it. In general, it is 197 days, especially at the organizational level that attackers are inside before they launch what they're going to do. 197 days. That's more than six months. That is like somebody having stolen your wallet and you don't know it for more than six months.
you're missing your wallet and it's been six months. They've been using your credit cards and racking up debt that you are personally liable for and you don't even know it for more than six months. You don't become aware that they're inside or that they're doing these things for more than six months. You don't have to believe me. You can literally Google it. You can literally Google how long are hackers inside my network undetected and you will be blown away at the length of time.
So I've been talking a lot and if anybody has questions, I'm going to show a video and then let's debrief right after it's a short video, but it's going to show you how social engineering works and how a, what actually happens when you click on a phishing email. Everybody tells you not to click on phishing emails and yet it's still the number one cause of data breaches. So the bottom line is this, when we get an email,
And when we get a text or something that is evoking emotion, what is happening is it's triggering amygdala hijack. It is triggering that biological sense in us that is prehistoric, right? It is that there's a wooly mammoth in our village and we have to flee, right? It is triggering that visceral response. And because of that, what neuroscientists that work in cybersecurity have said we need to do is
Speaker 1 (32:37.012)
simply pause. So my boss is going to fire me if I don't do these gift cards, my boss is going to fire me if I don't send these W2s. That email looks mad. I've got to get this done right away. No, no, no, you don't. Right? Pause because by waiting around 30 seconds to 45 seconds, it actually lets the cortisol drip down and it allows your neocortex to start functioning again.
so that you can realize, hey, I'm not positive about this. Let me verify, right? And when we say verify, we don't mean call the number in the email, right? We mean contact the person through a channel, like whether it's on Teams, whether it's by text, whether it's down the hall, you go work, go and talk to somebody so that you know for sure that they really want you to do it.
because the truth is you're gonna find out that they don't. So this is a video that we filmed from Defcon. Like I said, cybercrime is a big industry and they've had conventions in Las Vegas for over 25 years and it's called Defcon and so I wanna bring you there.
Defcon is the biggest hacker convention of the year. It's where thousands of hackers come to hear talks to demonstrate their newest hacks. It's actually a place that's so dangerous to be on the internet that they tell you to turn off the Wi-Fi and the Bluetooth on your phone. I think this is car hacking village. This car is locked. Can you get me in?
unlock it for you. Good.
Speaker 2 (34:20.813)
Working is no longer like this fringe activity and if you are at DEF CON there's a good chance that you're here because you want to learn what could happen to you or your company. help people with human security issues by testing vulnerabilities for like a network test but it's for the people network. We test those vulnerabilities, see where the holes are and then help people learn so they can patch.
Can we try some of this? We could have our star visher here and make some phone calls as usual. Sure. Do you want to do a sample vishing call? What's vishing? Vishing is voice elicitation. And basically what you do is you use the phone to extract information or data points that can be used in a later attack. Let's do it. Who are you going to call? Maybe I'll call your cell phone provider and see if I can get them to give me your email address. I bet they're good. I bet they have my back. But yeah, go for it. I'm going to spoof from your number. So it's going to look like it's calling from you.
Okay.
Hi, I'm actually, so sorry, can you hear me okay? My baby, I'm sorry, my husband's like, we're about to apply for a loan and we just had a baby and he's like, get this done by today, so I'm so sorry, I can't call you back. I'm trying to log into our account for usage information and I can't remember what email address we used to log the account. The baby's crying and, can you help me? Awesome. In just 30 seconds, Jessica gets my personal email address.
So I thought when we got married, he added me to the account. Jessica uses my girlfriend's name and a fake social security number to set up her own personal access to my account. Wait, I'm sorry. So there's no password on my account right now? Can I set that up? She even gets the support person to change my password. Thank you so much for your help today. So she just basically blocked me out of my own account.
Speaker 2 (35:58.776)
I'll get her fed after this. Alright, thank you. Holy shit. So they just gave you access to my entire cell phone account. You're gonna have to go on and change your password now because it's just my name. And all it took was a crying baby and a phone call.
I really thought that my cell phone company would protect me. I mean, like, this is the most basic stuff and they're not doing it. And if they're not doing it, you know all these other businesses aren't doing it either. But I was curious, what can a hacker with serious coding skills do? I did get into quite a number of things that I found. So what were the first things you did? How did you start hacking me? I quickly found your Squarespace blog and had an idea. Basically what I did was created a bogus Squarespace site and...
sent an email to you, um, phish asking you to go to this website, run this certificate in stock. So once you ran that, it gave me access to your computer and I created several fake pop-ups that looked like system pop-ups, uh, that would ask you for your credentials. So I stole your 1Password keychain. That 1Password is where I store all my other passwords. So effectively by social security number and your Amex stuff and all your stock trading and bank information, I can send email to everyone in this room as you, I am you right now, if I want it to be.
If my evilness is working correctly, it should actually be taking pictures of your desktop and pictures through your webcam every two minutes. And I have been watching you for about two days now in coffee shops at your mom's house on a plane. Here's your editing stuff. There's you. my God. So this is literally every two minutes through my webcam. Yeah, through this guy. How badly could you have messed up my life? I could have made you homeless. I could have made you homeless and penniless. How would you make me homeless? I have control of your digital life in its entirety.
I have all your credentials, have all your access to all your financial information, all your work information, all your personal information. I can pay people with your bank account or your Amex account. I am you. I can fully impersonate. The only thing I couldn't doctor would be like your fingerprints. This is like as bad as it gets. It's ridiculous, yeah. It's bad. He got everything. I mean, frankly, I want to take my computer and throw it into the deepest part of the ocean. And I want to never touch a piece of technology again.
Speaker 2 (38:06.7)
because holy shit, was everything. That was the keys to my entire life. And he just pulled them out of his pocket.
Any questions on that? And there's a lot to unpack there, but you saw the social engineering piece. You saw how she clearly is not an awkward kid in a hoodie cracking code, right? She's very articulate and American and English speaking and understands how Western society works and knows what to say to get people to do stuff. And that is the face of a hacker today. Like they're not easy to spot.
And you also saw what all happened from one click of a phishing email, right? And that was just the script and the malware that he had tied where he was able to capture things and take over that person's finances. But there's other scripts like ransomware and information stealers and other things. And what they do when they take that data is they sell it on the dark web. So we've talked about the dark web. People hear about it all the time. So I'm going to take you there.
The dark web is available on every device that you use that attaches to the internet. You're just not able to see it because you have to download a certain software and do it a certain way so you yourself don't get breached and go to the dark web. And on the dark web, it is called dark for a reason. It is brutal. It's ugly. It's violent. The worst part of human nature lives there, but they have everything.
And when I say everything, I mean, they have violence for hire, they have murder for hire, they have horrible things, right? They sell drugs and blah, blah, blah. But that is where all of our cybersecurity in the United States, all the risk to protecting yourself in your own identity and your organization and cybersecurity, all of it is on the dark web, meaning that is the place. And there are
Speaker 1 (40:10.666)
chat rooms and forums, but there are marketplaces that operate just as easily as Amazon. And I want to show them to you. I mean, they work just like Amazon. I don't know how else to explain it. Amazon, you can order from your phone and you can get something delivered, right? Instantly, right? It's the same thing. Only it's you pay in Bitcoin or Monero or whatever cryptocurrency that marketplace wants, and they can't trace it to you.
That's how it works because when you're on the dark web to get there, you have to use this browser, this certain browser. It's called the Tor browser. T-O-R stands for The Onion Router. Basically from logging in from where we are in the Midwest and the U.S. it's actually going to record you logging in from like Spain or from Europe or some other place. And then from there you can order these things and have it shipped to the U.S. and no one's going to know about it. That's the issue.
On there though, is what they sell. They sell them ransomware toolkits. They sell fake IDs. They sell birth certificates. They sell death certificates. So when you hear about, you know, somebody doing what's called an exit scam and they disappear and they probably took a different identity, yeah you can buy it for about 50 bucks online and you can start your life over. Everything is for sale there. You can buy an 800 credit score. You could buy credit cards generated in things.
It's what happens when we lose our identities and we get our identities stolen. They generate all this stuff from that identity. They take loans out, they do all this stuff and it's all for sale in the dark web. In addition, there are what's being sold are things called session cookies. What that is, this. When we log into a system and there's that remember me link, right? Often in almost every system we have, that's convenience.
On the other end is cybersecurity. What we're trying to find is a balance, right? The FBI has said unequivocally and they've made four public service announcements. Please stop using the remember me. They've literally come out and said it four times. Please stop using it because it's for sale on the dark web. What it does is it keeps for 90 days. It keeps you logged in and it creates a token in between your browser and the site that you're logged
Speaker 1 (42:38.742)
And when you click on that ad at home, right, they scrape your session keys and then they sell them like on Amazon on the dark web. What happens then is this, they don't have to hack in. They don't need any technical skills. They literally will click that token. They'll click the link and they will log in as you. So we are either letting them in
through social engineering, right? Or they are logging in as us. And when they log in as us, they move laterally and have access to everything that we have access to at work. And even though based on how your network is configured, we may not have the technical skills to move and to get over to the finances and to get over to the PHI and like exfiltrate data from the EHR system, et cetera.
But what we've seen in recent breaches is they have the skills to do that, right? And they buy access from a group called IABs. They're called initial access brokers. What that means is they're bad guys, but they're not part of a ransomware gang. They just want to make a quick buck by finding those vulnerabilities, pushing out those ads, getting people to click on them and then, or pushing out phishing emails, getting you to click. And then they're going to take all of your session cookies and log in as you.
That is the dark web. That's how that all works. Any questions at all on that? No such thing as a dumb question.
Does anybody want to know how to get to the dark web? I'm not going to show you, but I will. I will be glad to tell you not to go there. Freaks me out every time. Let's talk about some, some recent case studies.
Speaker 2 (44:26.03)
because
Speaker 1 (44:32.43)
These are all in your patch of the woods. Liberty Hospital in Missouri was breached. These are all in the last couple of years. It was undetected for three months. Social engineering was the cause. They were down for four days. The facility was unable to receive new patients or provide care. Total costs exceeded $2 million so far. University of Kansas Health System, St. Francis, Kansas. Social engineering disrupted care for more than 60 days.
Patients were diverted, surgeries were halted until systems were restored. North Kansas Hospital, a transcription service vendor, Perry Johnson Associates, well known. They didn't discover it for four months after the breach. It affected PHI of over 500,000 individuals. It's a major, major HIPAA investigation. Ascension, obviously based out of Chicago, but the Christie, Kansas.
branch disrupted operations in over 140 hospitals. A lot of fallout so far. It keeps mounting because of the class action suits, but it's like $5.6 million and up from that. And then Sunflower, which is more, more recent on Sunflower Medical Group in Kansas, undetected for 45 days. It happened in January this year. The breach involved over three terabytes of data, meaning when they get in,
they're undetected. What do they do during the 45 days until they launched is they stole data. They call it exfiltrating data, which is a fancy word. The cybersecurity industry, love acronyms. We love fancy words. Exfiltration just means we stole it. Just means steal, right? We took the data. We downloaded the data. Some organizations have what's called data loss prevention. So if you download too much data at once, it might set off the alerts.
Well, they're smarter than that. They design their code with anti detection in the code. And so it'll just keep downloading the data at a level just below the amount that will trigger the alerts. That's how it works. Any questions on that?
Speaker 1 (46:47.904)
Now we're going to get into the cool part. So, AI. Have you guys heard of it? Anybody hear of AI? It's kind of a thing. There's, I mean, there's generative AI, which is the one that most of us have been using. There's agentic AI where basically we build our own chat bots, et cetera. But in general, there's three main buckets of risks.
that have emerged in the last two years since generative AI has made it mainstream, right? The first is external use of generative AI and think of hiring. If anybody's involved in hiring in the organization and doing interviews, how many of those interviews are done by zoom? Given that you are rural healthcare, essentially you very well may not do, you may be doing all of your interviews in person, which is great. Okay.
But a lot of organizations don't. A lot of organizations rely on Microsoft Teams and Zoom and Google Meets, right? And they do video interviews. Well, overwhelmingly, something that is very, very common is for HR to receive resumes that are very good for the jobs that are posted. And frankly, they're almost too good, right? Why is that? Because they took that job description, they put it in AI.
and they use stolen credentials, right? And they're going to be that person for you, right? And they're going to get that job. And when you have that zoom meeting or whatever, they're going to use AI, they're going to use deep fake technology, inexpensive, and it's very effective. And there's really no way of detecting it right now. And they're going to interview and they're going to get that job. And the key is, is it's not really the person they're using.
stolen credentials, but traditional hiring practices never catch it. We don't have good AI deep fake detection yet. We don't. There's about five main vendors out there and they've all been tested and they've, they all come up short. Meaning you can literally upload AI generated videos, you know, cause you just created it. You can upload it right there and it's going to tell you that it's legitimate and it's not cause you just made it. And
Speaker 1 (49:08.118)
The reason they're doing that is they want the income, right? They are not here in the United States. They are remote. Now, given your industry and given what you guys do, you may not see that as much, which is good because the jobs are in person, right? So that person might actually have to be there, but there's a lot of jobs that are still remote. And because of that, that's where that risk is. There's also
disclosure, you know, Samsung in the beginning when OpenAI first came out with ChatGPT Samsung, the big company Samsung, everybody's heard of it. They were one of the first ones to fall victim to it. They had the new phone coming out and the developers said, Holy cow, we've got AI and we've got a couple bugs on the new phone that's coming out in a couple months. Let's throw the code in to ChatGPT and have it fix the code. They haven't fixed the bugs. And guess what? It did. That's great. The
problem is that when you feed something into generative AI, we all have it now. The whole world has it. Meaning when they did that, they put the source code into generative AI. So when you're using OpenAI and you're using AI apps, you have to redact and remove all of the data that is personal and private and confidential.
Why? Because you're feeding a machine. It's not Google. It's not a Google search. You're actually feeding a machine learning entity, a rack of servers. And what they're doing is they're going to process that and they're going to spit it out to anybody that prompts them to get it. And so Samsung came under fire because three, four months before their new phone came out, everybody else was able to generate a phone with all those same features because it was public.
right? Even though they didn't finish the product yet and they couldn't sell it. The other risk is internal generative AI. So when an organization builds their own agentic AI, they have AI inside. Let's say it's you're using an AI for transcription services and it sits inside your network. What has happened in the wild is when attackers get in and again, they get in a lot of organizations don't have detection.
Speaker 1 (51:28.386)
So they're in undetected and what they do is first thing they do, they used to always go to your inbox, your email inbox. Okay. And from there they go to which folder the sent folder. Why is that? Because how many of us have sent important documents by email, right? And we forgot that we said, right. It was three months ago. Yeah. The list of the employees and
list of this or some records or whatever they're sent. The attackers always go to the sent file because we keep too much data as Americans. We just do. So what they used to always go there. What they do now is they go to the internal AI and they will say, find me the gold, right? And bring it to me. And AI does exactly what it's supposed to do. It does that and gets it to them. They don't even have to move laterally and go and grab it.
and everything else. They're going to use our own internal AI. It recently happened. Attackers got in to an organization and this is in the news. You can Google the story. They got in and what they did is they went and they found on the organization's SharePoint site, their drive, their OneDrive, their SharePoint site. In this case, it was their SharePoint site and they found a spreadsheet, massive spreadsheet that had all of the passwords.
little scary, but the good thing on the good side is it was encrypted. It had pass locks on it. And there was a way they tried, they bought tools on the dark web. They tried to crack it. They couldn't do it. And then they're like, well, let's just ask AI to do it. And they did it. And guess what? AI did it. AI opened it, put it all in plain text, and they were able to get the entire organization's credentials for all employees.
There's no
Speaker 1 (53:23.842)
Right? Wasn't a bad idea to keep it centralized. It's not a bad idea to have it encrypted. It is just something that there need to be guardrails around what your own instance of AI can do and what it can't do. But that's something that's new. It's something that most leaders haven't had to deal with in the past. The other thing that leaders haven't had to deal with in the past is people impersonating them. Now there have always been
business email compromise and people email or text people claiming to be somebody in the C suite or a director or an executive director, right? And asking you to do things or disclose some information. They're sending texts, they're sending chat, they're sending emails, right? And they're impersonating by email, but never before have they been able to jump on a zoom meeting or a teams call meeting or whatever and be there.
person with their face and their voice. And that's exactly what's happening. It's happening quite a bit. So AI and deep fake technology has grown so much that the FBI has alerted about it. They started alerting about it, believe it or not, back in July of 22 before ChatGPT even rolled out. So the FBI was seeing this and now it is so common. There have been
Speaker 1 (54:50.794)
a whole bunch of different videos and a whole bunch of different breaches that have talked about it. So rather than me just talking to you about it, because if I tell you it's undetectable by the human eye, you might think, well, I'd be able to detect it. So let me show it to you so that you can see it.
Speaker 1 (55:14.061)
I was shocked.
Speaker 1 (55:19.114)
You know.
It's getting to the point where deepfakes are nearly impossible to decipher as computer generated, which is super exciting, but also kind of scary. Now my face is slowly morphing into something else, and it's basically pixel perfect. Look, it's like, amazing.
I'm not me. I mean, I am me. But I'm not me to you. And that's kind of nuts. We're about to enter a brave new The FBI tells NBC News they're following the rapidly developing technology closely. It's a real concern. It's a real concern. Lawmakers and law enforcement are getting worried about this technology. Here's a letter from Congress to the director of national intelligence. A 43-page report from the U.S. Department of Homeland Security.
and look at this title page. I look at that graphic design. just says that deep fakes and the misuse of synthetic content pose a clear present and evolving threat to the public across national security, law enforcement, financial and societal domains. The Pentagon is using its big research wing, the one that helped invent, I don't know, the GPS and the literal internet, that one, to look into deep fakes and how to combat them. Like, they're taking this very seriously.
And then of course, deep fakes are being used for good old fashioned cyber crime. Like this group of fraudsters who were able to clone the voice of a major bank director and then use it to steal $35 million in cold hard cash. $35 million. Just by deep faking this guy's voice and like using it to make a phone call to transfer a bunch of money. And it worked.
Speaker 1 (56:48.206)
That's a lot of
Speaker 2 (56:57.144)
We've got you involved in a few different breaches that unfortunately almost every American is going to show up in. Look, obviously like the things I'm obviously not immune to being human. Let's get into the pretext. It's about to get creepy. Rob, we're going to do a voice clone demo. So I took a clip of you speaking from a video on social media. I put it into my voice cloning tool that requires no consent. I spoof your phone number. So I make it look like it's calling from you on caller ID.
think we do a lot of smart.
Speaker 2 (57:27.042)
Your team member picks up the phone call. They answer it. They hear your voice. You remind me of my password managers master. It's very accurate. It's my voice. So this is me wearing your face like a digit.
It took about two minutes of that video and I put it into this tool with no consent and I spit out your voice asking about the master password again. Imagine this is in a zoom or a Teams call. Can you. For manager master password. The thing that's going through my is Rachel.
Hey, remind me of my past. Appreciate it. My mind is, imagine what an attacker with unlimited time and resources could accomplish. So.
We're in the kind of wild west phase where the lawmakers are kind of just trying to get their head around this stuff. I mean, that's unbelievable. Yeah, that was within a few minutes. Deepfake technology is getting faster, cheaper and more realistic, making it easier than ever to create scams or spread misinformation. AI companies have created deepfake detectors, but this cybersecurity expert says they have serious limitations. Anyone that promises that one click type of answer is wrong. I can upload.
The that I know are deepfakes because I made them and they'll say that they're likely authentic. It has the very real potential of creating a false sense of security. Probability 5.3. Same audio clip that was 100 % AI generated and it thinks it's real. I think somebody that's not thinking about this with nuance would go, it's probably real. Yeah, and that took no effort. Deepfakes are getting better and better, more believable, and the tools that maybe I thought would help me figure it out may not be so helpful.
Speaker 1 (58:39.758)
of security.
Speaker 1 (59:00.782)
If we
We have set up some kind of code word. can ask you that. It's simple human things like that that we're going to be able to use until the technology catches up.
Any questions on that? I know I want to be cognizant of the of the time. I'd like to just go over real quick some of the best practices that are in the take home resources. We will show you how to freeze your credit, how to find and use password managers. There are some free ones. There are some low cost ones. They're all excellent. They work quite well. We talk about and we always recommend that you create a safe word for your family and several organizations have begun doing this where they
have that safe word or they have that challenge word for their vendors and for their employees. So that way, should somebody ask you to disclose sensitive information, you simply go, sure, what's the what's the code word? What's our safe word? Right? It's a policy. It's free. And it really saves things. Other than that, the best practice is to verify, pause, and then verify, verify not based on the information that
the potential attacker has given you, but verify through a channel where you know that human lives and you know it's actually that human that'll pick up. So you call their number, you walk down the hall, you talk to them through chat, but you talk to them in a channel that you know is real. And that will get you very, far. In terms of other things that you should be doing, turning off wifi and turning off Bluetooth on your phones is absolutely recommended unless
Speaker 1 (01:00:41.518)
you are currently using it. Meaning if you're using, let's say you have an iPhone and you're using your AirPods, you obviously need Bluetooth for that. So you can turn Bluetooth on that for that. But when you're leaving or you're walking, especially when you're in public and you're at stores, you're at coffee shops, you're at a library, you're at, you're traveling, turn wifi off, turn Bluetooth off. There's a whole host of reasons we go over it with in the take home resources.
but there's a lot of danger to automatically connecting to wifi. If you're at a hotel, et cetera, always use a VPN. They even have VPNs for your phone. If you're working on a coffee shop, either turn your phone into a hotspot because the cellular data is encrypted or use a VPN. Those are the recommendations when you're traveling and they have convenient charging stations, never plug into them. Don't ever do that. They always recommend traveling with
battery pack, a small one, at least to get you enough charge until you can get to a safe place to to charge. There is a tactic called juice jacking, where when you plug in there, they're actually scraping all of your data off your phone when you're also traveling. Right. And you're going to head somewhere. Right. You're going to Florida. You're going to Arizona. You're going to Europe, wherever you're traveling. Don't post about it ahead of time. Wait.
take a bunch of pictures, but post about it after you get back. That's just obvious physical safety. They also recommend adjusting the privacy settings and we show you how to do that. For organizations, it's a little different, but it's still the same. It's still the same core five principles. When you look at all of the compliance regulations that are out there, not all of them apply to healthcare clearly, but HIPAA, HITRUST do as well as common law because
in the lawsuits, always cite various regulations and say the organization didn't have this basic fundamental. One of the five things, all of these requirements all boil down to the same five things. And it doesn't have to be as complicated, but when you let the government and you let an industry kind of create their own entity, they make it complicated by, I think by design. But the truth is, is there's five things that every organization needs to do. One, know what your risks are.
Speaker 1 (01:03:06.508)
Right to be able to find them have detection, right? It's not very expensive and you can you can do it. You even do it in your private lives and we show you how to do that in in the take home resources plan for the day of a data breach and what to do. Just like you're going to plan for yourself what to do about identity theft, right? And you're going to freeze your credit prioritize.
vulnerabilities. Vulnerabilities are open, open ports and open vulnerabilities, open exposures to the outside world that you can't physically see. You need to run a scan, identify those, prioritize those and just shore up the ones that are actively being used by bad actors to get it, right? We don't care about the other ones because nobody's using them. And then just constantly be aware, educate, protect.
protecting users is simply having them use password managers, having them use multi-factor authentication and the like. That's really it. Any other questions? If you want to stick around for another minute or two, there is a Northwestern University Kellogg School deep fake. I'm telling you, everybody is talking about this because it is real and it gets to a lot of our.
understanding of what is real and what's not when we see things online. Let me just ask you guys this, which ones of these are real? Throw your answers in chat if you want. Have a outburst. Tell me what numbers you think are real. Anybody?
Speaker 1 (01:04:51.18)
I'm going to randomly call on somebody if somebody doesn't participate.
Number six.
Number six looks really real, doesn't it? Number seven looks a little too perfect. Number one looks maybe a little too perfect, right? Number six for sure looks real. I thought number five looked real as well. Anybody else?
So take a look at those number two looks pretty real too. The truth is, is only number three was real. All of those others do not exist. Right. And so imagine seeing those other people speaking and talking and being on video and they will look real. They will not be robotic. They will not have glitches. They will look as real as any of you do today. Right.
That is the level of sophistication that the AI deep fake technology has gotten to. So I hope that helped. Any other questions? Questions at all? Questions about passwords? Yeah, go ahead. I was affected by one of those hospitalizations, actually two hospitals, and got sent a letter saying we were breached or they're, so they asked us to.
Speaker 2 (01:05:57.646)
you
Notifications.
Speaker 1 (01:06:09.57)
monitor our stuff, change our passwords and they gave us free access to a credit. Credit, credit monitoring. Yep. Yeah. So is that it? You just change your passwords and that's all you have to do or that was it. No further notification. Just those instructions. So what next? Yeah, that's yeah. So here's the, here's the reality is they, you know, in the, United States, we love our freedom, which is great, but
We also, we don't have things like GDPR and things that they have over in Europe. It's not necessarily a bad thing, but there's a risk to that. And so to answer your question, that is all that organization is going to provide you. Right? So what you need to do though, is over time to, if your credit is frozen, you're pretty safe. Okay. About 80%, 85 % of anything that anybody can do to you.
is stopped, right? And so you know, when you freeze your credit, your FICO score still goes up, you can still take out a loan. If you want to buy a boat, a car, a house, whatever, you could still do that, get a credit card, you can still do that. What you do is it's one button, you press it, it opens up your credit, they can run your credit report. And then it stops. What freezing your credit does is it blocks anybody other than you from taking out loans and taking out credit in your name.
because that is what they want to do. Right. That is what that is. So to answer your question in general, that is what is available. What you need to do is to run your the email that you use your personal email, run that through the dark web scan that we provide. So right here, let me show you this. So in the take home resources, we give you the link to
this site where you can put your business email and you can put your personal email in and it will scan the dark web and see if any of those Amazon sites are selling your credentials. So somebody that I did this for a couple of weeks ago, they gave me their business email and I ran it through and like they had 20 public data breaches, including their work email and nine passwords that were in there.
Speaker 1 (01:08:36.674)
And so we went on the dark web and we found who was selling it. And yeah, nine of their last passwords that they've been using are all for sale on the dark web. So they needed to go to those accounts, right? And change that password. And that was last exposed this past February. So it kind of shows you in the organization itself has numerous ones. So what you, what you want to do is you want to make sure there's also a site that would give you, and now this cost me.
but there's also a site, Have I Been Pwned, and in that site you can put your personal email in or your work email and it'll tell you whether you've been involved in any data breaches, not necessarily whether they're selling your data on the dark web, but whether your information is involved in those breaches. And most of you have, like there's the Change Healthcare, there's several breaches, Equifax breach. I mean, there's a lot of breaches that affected almost every
American and you'll see those on there. And then you just have to make sure it'll have the year and you just have to make sure if I haven't changed my password for that account recently, it's time to do that and not make it look like the other.
Right? Like if you're using Kansas hashtag 100 for your password, don't change it to Kansas hashtag 200 because the software they're going to use does billions of combinations in seconds. Right? So they'll be able to guess that and then log in issue. So you want to make it unique. And there's a lot of bad advice on passwords out there and NIST.
the National Institute that actually creates the rules for passwords, right? Basically recently said in the last couple months, look, forget all that. Length is what matters. So the key to a password is to have phrases, to have, to have it be longer, right? It doesn't necessarily matter about having a capital and a symbol and everything else. It's about length. So I wanted to share that.
Speaker 1 (01:10:49.08)
But in terms of what they can do when they get somebody's driver's license or somebody's social security, look at this video I'm going to show you. It's only like 30 seconds long. This is Matt Cox. He's on LinkedIn. And by the way, when I was talking about some of those ransomware gangs, you know, some of the ones that are breaching healthcare throughout the U.S., I don't know if you guys know this, but because they don't get in trouble, guess where they are. They're on Twitter.
Some of them are on LinkedIn. You can see their posts. You can see who they are because they don't care. Right. And they will say like on LinkedIn, you have the head of LockBit, the number one ransomware gang for years past. That person is on Twitter or X. Right. And talking about, hey, we just took down this children's cancer hospital. You know, here's the dark web link if anybody wants to buy the data.
They're advertising it on regular social media. Okay. This is not as clandestine and hidden as one would think. Right. And it's, and it also demonstrates the lack of the lack of empathy that they had. The Matt Cox is the largest mortgage fraud person in the United States stole about. was on the U.S. Secret Service's most wanted list, turned himself in, did his time. And now he's out.
consulting on identity theft and he's on LinkedIn and he posted this on LinkedIn. So I want you to hear from him what he does with just one person's identity.
I got a driver's license in this guy who lives under a bridge six states away who has no clue and I can go immediately and I get a couple of secure credit cards in his name and if I really want I go into I go and I prepare a birth certificate and I get another social security number issued in his name and I get driver's license I get I get credit cards in that name
Speaker 2 (01:12:51.634)
And what, and then I get a car loan in that name. I open bank accounts in that name. Now I don't even have anything that's attached to this guy. And if you want to go a step further, I actually one time went and had a guy's name change legally changed from stop from either base, Michael Eckert. His name is Michael Eckert. I changed it from Michael Eckert to Michael Johnson.
They can't come up with like a Smith would have just been, it would have been just a slap in the face. Right. So Michael Johnson and went to a lawyer, paid him third, paid him 1500 bucks and just, wanted to see what the process was. And then I go back and I get the driver's license reissued to Michael Johnson, get the social security number issued to draw Michael Johnson and get this guy hasn't got a prayer of figuring this out.
And that is actually cyber crime right there. I mean, that is the thing that they do with our identities. And you can see it just goes and goes and goes. That is why it's so important to freeze the credit of children because we have talked to more than I want to admit number of families that have children that are coming of age 18, 19, 20 that are getting their first loans. They want their first car. They're
applying for loans for college, et cetera, and they can't get it. Why? Because they have a foreclosed condo in Nevada. They have $180,000 worth of medical bills. They have six credit cards that are past due in their name for their child. Right? That's the reality. That is really what's happening. And so freezing your children's credit or your grandchildren's credit stops that. So why would we not do it? Literally costs nothing.
takes about a half an hour total to do it for all three credit bureaus. So we will be sending you all that information so that you guys can get that done.
Speaker 1 (01:14:54.4)
Any other questions? Are password generators safe or is it best to create your own? No, actually password generators when they're part of good password managers, they actually a good password manager will have it'll have an option when you're logging into a site. If you don't have a password yet, it'll it'll generate one right for you. And sometimes they're really good and you don't have to worry about memorizing it because you just click save. It's right there in your password.
So yeah, they're actually quite good. The only thing I will say about password managers is when you think like a hacker, you're like, wow, I'd love to take down a password manager because literally everybody's password is on there. That would be a goldmine. There is only one password manager that has been breached. So I will let you discover who that was. A simple Google search will tell you that. Other than that one, we recommend all the others. Other than the browser one that Google provides.
Yes, it's convenient, but again, convenience is over here, security's right here. We're looking for, we're looking for the balance in between, because if we just did security, security would just be like, just unplug it, throw the computers away. Let's be Amish and just do it. And we're safe from cyber crime. But the truth is, is you're still not safe because you still have systems and you still have social security and from KZL and other stuff that you still have to log in for. So really just finding that balance is.
Any other questions? I thought I heard somebody.
Now back in that DEFCON video that when the guy clicked on the link and the guy had access to his entire life, he mentioned in there that he got access to his password manager too.
Speaker 1 (01:16:37.646)
Right. Well, that was because yeah, what, that was is he had, uh, the guy was using a Mac and while Macs are historically safer than Windows machines, the reason is because there's not a lot of malware that's created for Macs because in the marketplace, Macs are only about 4% of the marketplace, 96% of the world in business
operates with Windows. It's just the reality. And so when you're designing malware, you design it for Windows. Having said that, what they did there is they created a pop-up that asked him to put in his Apple ID. And from there, the guy was using his Apple password manager. And that's where he stored everything. Which kind of has the same risk as a Google Chrome browser.
Gotcha.
Speaker 1 (01:17:36.386)
Right? You really need an actual password manager, not something that's from your machine or from the browser that you use simply because that's it's all encased. It's all enclosed. There's code around it and like you can't get into it, right? They'll have convenience factors. Like they'll have a browser extension that you download and then you log in with your master password. Then you have access to all your passwords.
Then you just click on it and just populate it works really well. I use one all the time. I used to honestly use the Google browser all the time as a password manager until I started talking to all these people and they're like, no, would you like me to grab your passwords? And I'm like, what are you talking about? I'm using a password manager. They're like, don't use the one in the browser and here's why. And then they showed me, they actually demonstrated it. I'm like, wow, that's really easy. They're like, that's in all the mouth.
I said, okay, that's good to know. I said, what about these other password managers? They were like, no, nobody can touch those. That's the key.
Okay, so really no difference between a paid password manager and free.
No, there really isn't. I forgot the name. Nord has one. Nord also has a good VPN. Keeper has one. Keeper is excellent. They have a good password manager and there is a free one that is, I forgot the name of it, but it's in the take home resources. And both of the other ones are very inexpensive. It's like a dollar or two a month. It's not crazy, but the free one is also very good.
Speaker 1 (01:19:19.414)
and has no history of any breaches.
I use Bitwarden.
Yeah, Bitwarden is excellent. Bitwarden is great.
Speaker 1 (01:19:31.266)
Bitwarden has a lot of respect in the industry and doesn't have any history of any compromise.
Speaker 1 (01:19:44.002)
One of the things that we'll show you, there is a woman who went viral on Instagram for all the wrong reasons. She has a four year old daughter and she went to take a shower. Four year old daughter was playing like Candy Crush or some game. And so she gave her daughter her phone or her iPad. I forgot which while she took the shower and the daughter, because little kids will do whatever they want, just like elderly relatives, right? They will do
They will click on things. Just curious. What are you doing? Right. And so the little girl did that and went live streaming on Instagram while mom was in the shower and it like everybody was like, how do you stop that scenario? And we show you right in the take home resources. There's actually it's built in, it's free. It's already in your iPhone. It's already in your Android device. We show you on both take home resources do because I know some people love their Android. Some people love their like they love their Samsungs.
They love their iPhone, so we have the instructions for both. But what it shows you is then what you do is you just press a button. Once you just set it up, it's super easy. There's like two buttons that you press and then you just you have the game open. You just hand it to them and they can't move from that app until it comes back to you and you use your face ID. That way you never have to deal with that.
Speaker 1 (01:21:08.962)
And I just included that because I was always worried that I would do one of these and then somebody would say, this happened. You didn't remind me of this. And I'm like, well, we're going to show you about.
Speaker 1 (01:21:21.772)
Makes sense?
Yes, good information.
Great. Any other questions? I mean, here's the bottom line is this is we don't have to out swim that shark. We just have to do a little bit. And the other thing is that all of this, every breach you see in the news is a hundred percent preventable. There's no question. Everybody in the industry says, right, it's preventable. A lot of it is just in the moment. We're busy. We're distracted.
And we're just doing things that if we pause, we could just verify. And then we'd be surprised because a lot of times some things that look really real are not.
Speaker 1 (01:22:10.61)
And phishing emails today, the old red flags of there's going to be bad grammar or there's going to be typos or it might look weird or something like that. None of those are the case anymore because they use generative AI to write the content of those emails or those texts and they customize it. They say sound like a person that grew up in this part of Texas, in this part of Kansas and
you know, is this age with this educational background use local colloquialisms and references and that email is going to come out perfect. It is going to come out sounding exactly like the person that they're impersonating.
Which is why we can't rely on the old red flags that we used to. Like, you know, prince from Nigeria or there's a broken English or there's typos or something. None of those are red flags because none of the phishing emails we've seen in the last year have any of
Speaker 1 (01:23:18.038)
Any other questions? Otherwise, I'm going to show another video.
It's all very interesting. We wouldn't mind.
I will show one more video because it's one of my favorites and this one is about the large breach that everybody heard of last year. MGM, Caesars, right? And it was a ransomware attack, but I want you to see it because it'll be remarkable for you to kind of understand how they operate with complete impunity. Okay, it's only about three minutes long and then after that we can wrap up. Is that okay?
Absolutely.
Okay, let me make sure I'm sharing with sound. I don't think I hit sound, so let me share again. Sorry about that.
Speaker 1 (01:24:07.374)
Are you guys able to see this?
Yes.
Speaker 2 (01:24:16.716)
The hackers demanded $30 million to unlock MGM's data. The company refused, but they still paid a price, $100 million in lost revenue and millions more to rebuild their servers. So how did the intruders get in? Through a technique of deception and manipulation called social engineering. Hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn.
Next, a smooth-talking hacker impersonating the employee called the MGM tech help desk and convinced them to reset his password. With that, the hacker was inside MGM's computers and unleashed the destructive malware.
And this was just the iceberg.
Elevators were malfunctioning. Parking gates froze. Digital door keys wouldn't work. As computers went down, reservations locked up and lines backed up at the front desks. Anything that required technology was not working. Bryan Vorndran is head of the FBI's cyber division. He told us ransomware attacks have grown increasingly brazen.
From an FBI perspective, our position is we recommend a ransom not be paid, but we understand it's a business decision during a time of crisis.
Speaker 2 (01:25:37.28)
Scattered Spider is what the FBI calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks and dozens more. Their specialty is social engineering. So there's a term, it's called ransomware as a service, that's been given to the structure and the format of these gangs. The long-established Russian gang offer their services. Experienced negotiating ransoms and laundering money,
They know what to say to get to do something.
Speaker 2 (01:26:06.638)
to what they call affiliates like Scattered Spider. DiMaggio says the Russian government provides a safe haven for ransomware gangs. As long as they don't target an organization that falls within Russia or the former Soviet state, they don't get prosecuted. It's not considered a crime. It's not considered a crime to attack American businesses? Crazy, right? That's how it works though. So it's like they operate with impunity. 100%. That's the whole reason why
is a lot time.
Speaker 2 (01:26:36.322)
This is such a popular crime. The Scattered Spider hackers who did pull off the attack are still online, hiding in plain sight in unholy alliance with Russians. Russian ransomware has become such a threat, the elite cyber warriors at the National Security Agency have joined the fight. The FBI's Bryan Vorndran calls it an evolution of cybercrime.
In the case of Scattered Spider, is it powerful that they are with Black Hat? Of course. I think that it's important to know that we are capable set of adversaries.
against a very capable.
Speaker 1 (01:27:20.12)
So any questions on that? I mean, there's a lot to unpack there, but I think the key is that the point that we've made and that is they operate with impunity and you have the ransomware gangs, right? Which have their services that they provide the money laundering, the negotiating ransoms, the actual code, and they're combining with groups in the United States and North America, Canada, Mexico, Latin America, et cetera.
because they understand social engineering the best. Right. And so you have groups like Scattered Spider or one that's called the Com and they are like young hackers in the East Coast and down in Florida, et cetera. And they don't have any experience running ransomware, but they know how to convince people and they know how to hack people and they know how to socially engineer people. So they're combining together.
And they took down MGM for a million dollars. So they're quite effective with it. And meanwhile, we have the National Security Agency and our elite cyber warriors going after the Russian gangs. But at the same time, you have the head of those gangs right on Twitter, like talking openly because they're like, yeah, I know, you know who I am, but so what you can't touch me. And that's the issue that we have. And it's why we have to do.
be ready, right, for an attack, right? Because again, not all breaches are created equal. And it doesn't mean we're going to wind up in the news. Doesn't mean it's going to rise to level of the HIPAA breach, right? But we have to be prepared for it. And we have to make sure that we can see it the moment it happens, because when you're able to catch it in minutes, then it doesn't right like you catch them before they get to any PHI. That's the point of it.
And for ourselves individually, if we freeze our credit, then our own individual risk goes down greatly. That's really it all in a nutshell.
Speaker 1 (01:29:29.72)
So I appreciate the time that you all spent and we will send out this recording and we'll get the names and we'll get everybody the certifications. Those can be attached to any cyber insurance policies that we can apply for any CE credits that may be needed. Just let me know what you all need and we'll get it done.
Okay, thank you very much for your time.
Excellent thanks everybody have a great day. We will talk soon.
Bye bye.
Thank