13 episodes

The Human Element, by Scott Gombar (Technology)

The Human Element was born out of the realization not enough was being done to address the human component of data breaches, ransomware attacks, and malicious hacking. The goal of the Human Element is to encourage collaboration and participation while providing education to help raise everyone’s awareness of how to recognize social engineering and scams that lead to cyber-attacks.

    Episode 13: There are Bad Guys Among Us

    In the last episode, I teased that I would eventually record a podcast about an incident my own child experienced with a stranger in his text messages. Well, here it is.

    While playing a game on his phone he struck up a chat conversation with someone (common with online games). The other person in the conversation convinced him to take the conversation to text message.

    And that’s where the problem begins.

    This episode is focused on the dangers for our kids on the internet, but it applies to everyone. There are some basic things you can do to protect your family, and yourself.

    Transcript

    0:00

    People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.

    0:52

    Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. In the last episode I teased about a story I was going to talk about on another episode. This is more along the lines of children using the internet, so not really the focus of the podcast. But nonetheless, as a father, I believe it’s important to talk about this, I believe it’s important to address this topic. And I think it’s super important that parents understand the risks that are out there. We live in a world today where sex trafficking is a big problem, where kids are targeted all the time. And we’re not paying attention when you’re letting your children sit on internet-connected devices all day long. We’re letting them do whatever they want. And we’re not paying attention to what they’re doing. This is dangerous. And you may not want to see it this way. You know, it’s keeping them out of your hair while you’re trying to do things around the house, you’re trying to work, whatever the case may be. Summers, you know, it’s summertime as I record this, so the kids are not in school. And so we tend to say okay, they’re on their, you know, their PlayStations, their iPads, their Xboxes, their computers, and we’re not paying any attention to what they’re doing. Very dangerous.

    This is episode 13 of the Human Element podcast. I am Scott Gombar, your host. And let’s talk about safety for children on the internet. All right, so I’m going to tell you the story of what happened with my son. Fortunately for him, and for everybody else, I got involved before it got too far. So he used to play, doesn’t play it anymore. My kids, you may remember, during COVID, when everybody was locked up, Among Us became a very popular game really fast.

    And so it’s an online game that you could play from your phone or from your iPad or whatever device you might have. Where I think the premise of the game is kind of like there was a board game. I forget what it was called now. But the board game is where you would try to figure out who the bad guy was; a murder was committed, you would try to figure out who committed the murder. So it was a board game many, many years ago. Today, there is a game, there’s probably more than one game like this. But there’s a game called Among Us, where the goal is to figure out which person is the bad guy. Now I might be butchering the game a little bit. I have never played it. My kids played it for a little while, they’ve lost interest in it, so they no longer play. Well, Among Us, like many other games, has a chat feature.

    • 27 min

    Episode 12: Pig Butchering 101

    I was planning to hold off on this for a little while. Then I started seeing others discussing it on social media.

    I purposely went along with a romance scam for the purposes of learning what the end goal was to share with the world. It was what is being dubbed “Pig Butchering”. Pig Butchering is essentially persuading a victim to invest in cryptocurrency on a platform/website/application that the scammers have control over. They tell you to purchase random cryptocurrencies using Bitcoin that you purchased on Cash App. A few hours later they will tell you to sell it, thus showing a profit on the crypto-exchange they asked you to create an account on.

    They will continue to do this for as long as they can, all the while creating an online romance. You will see profits in a growing crypto account on their website but it’s all fake. They have scammed you out of potentially millions in some cases.

    This particular scammer tried to scam me for almost two weeks until I called her on her bluff.

    In this episode, we will discuss what to look for, and how to avoid being scammed.

    Transcript of Pig Butchering 101

    0:00

    People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.

    0:52

    Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Welcome everyone to Episode 12 of the Human Element podcast. I am Scott Gombar, your host, owner of Newswatch Tech; we are a client-focused, security-minded, proactive IT service provider. But this podcast is based mostly on psychology, psychology in the social engineering aspects of the cybersecurity world. We’ll talk some OSINT, we’ll talk some social engineering, we’ll talk about phishing a lot, things like that. And what I’ve noticed personally is an uptick in my own, or I should say, people trying to compromise my accounts or compromise me, I guess you could say. But fortunately for you, and for this podcast, I’m pretty well versed on what to look for and how to avoid it. In this way, I can educate everyone else.

    So as I said, this is episode 12. This one is going to be called Pig Butchering. And by the time we’re done, you’ll understand. But I will say this. So before I jump into it, I’ve had several attempts on my Facebook account as of late. Lots of smishing, that is phishing through text message. And that’s kind of where this one is going to go: it winds up on WhatsApp, but it starts out on my text message. And you can almost always sniff it out. There’s only been one instance where I was wrong, that it was a legitimate text message. But every other time I sniff it out, and we’ll share, you know, some details from there. But for whatever reason, and it may be because of this podcast, maybe because of what I do, I don’t really know, the number of attempts at trying to hack me has definitely increased. Got to do better, hackers. I’m sorry, you haven’t succeeded. You’ve got to do better, do your homework. I’ve got MFA turned on on everything, I can sniff a scam a mile away. You’re gonna have to come a little bit better than that.

    So let’s talk about pig butchering. And I wasn’t going to do this yet, but then I see other cybersecurity professionals sharing their experience with pig butchering or, you know, the stories that are coming out. So long story sh...

    • 27 min

    Ep 11: It’s Super Easy to Find Your Home Address and Cell Phone Number

    In this episode, we talk about just how quickly and easily someone can uncover your personal information such as your home address and cell phone number. This is certainly not newsworthy information as it has been possible to do this for years but the number of people who are scammed, stalked, or otherwise because they do not know what information of theirs is easily accessible is alarming.

    This information could easily be crafted in an attack to gain access to bank accounts, retirement accounts, home titles, identity, and business networks. At this point, it’s unrealistic to believe that some of your data is not publicly available but there are ways to protect yourself from an attack.

    To illustrate this again, I performed the same type of research on another recent college graduate who did not believe I could find his cell phone number. This one was a little more challenging because the number was actually in his father’s name, but he was shocked when I called him and told him what else I uncovered, in less than an hour.

    This type of information gathering is almost always the precursor to a social engineering attack. Attackers will gather as much information as possible before trying to socially engineer you. The more they know the easier it is to be convincing. That’s why you need to be prepared.

    Transcription

    0:00

    People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.

    0:52

    Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Welcome to Episode 11. This is the real episode 11. I am Scott Gombar, your host. And the last episode I uploaded was episode 10, even though in the podcast I said episode 11. It is not episode 11. This is episode 11. We’re going to do it a little bit differently this week, and I think maybe the next couple of weeks it’s going to be storytime. So this week, I’m going to talk about a scenario, and I’m going to leave names out for obvious reasons; you’ll understand soon.

    I was at a sporting event for one of my children. And I overhear a few of the moms discussing someone who is borderline stalking, I guess. And that person pops up on the internet, wherever they are; they’re able to communicate with them despite being blocked. They pop up in physical locations that they attend. So let’s say the mom attends a parent-teacher conference. Somehow this person shows up there as well. They do random text messages, Facebook messages, LinkedIn messages, all of the different platforms, all the different ways of communicating. I don’t recall hearing WhatsApp, but I suppose it’s a possibility, WhatsApp messages, which we’ll have another podcast about in the future because I have started receiving a lot of WhatsApp messages out of the blue from people I don’t know. They’re obviously scams. But I think that’s where a lot of romance scams are taking place now. So we’re gonna go over one of those in a future episode.

    So I overhear this conversation going on between a few moms. And I interject, and I say, you know, is there something I could do to help? Now at this point, the moms don’t really know who I am, what I do. So I, you know, introduce myself and tell them that my primary business is IT. However,

    • 23 min

    Ep 10: CISA Outlines Bad Practices Every Organization Should Avoid

    The RSA Convention 2022 wrapped up in early June. At the convention, the US-CISA outlined 3 bad practices businesses (and people) should avoid to prevent data breaches. The truth is these bad practices continue to be a problem for everyone despite the warnings and ease of protection against them.

    In no particular order, they are:

    * Use of unsupported or end-of-life software/hardware
    * Use of known/fixed/default credentials
    * Use of single-factor authentication for remote or admin access

    Article on Infosecurity Magazine

    The Big 4 – Prevent Data Breaches & Ransomware Attacks

    Transcription

    0:00

    People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.

    0:52

    Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Welcome to Episode 11 of the Human Element podcast. I’m Scott Gombar, your host, and today we’re going to talk about an article that came out on June 10, or a couple of weeks... well, yeah, about two weeks past the article date. But the information in the article is not really new. I just thought I’d take a moment to highlight how important it is. And this article is on infosecurity-magazine.com. The name of the website is just Infosecurity, but it’s infosecurity-magazine.com. And this is CISA, which is the Cybersecurity and Infrastructure Security Agency in the United States, outlines bad practices every organization should avoid. So I always talk about the Big Four in IT. And that is not patching, or not having a patch program, weak passwords, exposed Remote Desktop Protocol. And then my favorite is phishing. And we talk about all these things, because these are the most common ways for attackers to get into an organization or even into a personal computer. This particular article, and apparently, you know, CISA is listing these as the three things, the three bad practices, that are causing a lot of breaches, data breaches and ransomware attacks, which usually go hand in hand, data breaches and ransomware attacks. So there are a few bad IT practices that are dangerous for any organization, and particularly for organizations in critical industries like health care. So healthcare is a big target; education, legal, financial, those are some of the bigger targets, and critical infrastructure. Those are usually the big targets.

    Now critical infrastructure is sort of a separate topic, because they have different systems than all the other ones. Health care, legal, financial, education usually have very similar technology in their environment. Whereas critical infrastructure has some other things involved. A lot of IoT devices, not that the other... not healthcare, healthcare definitely has IoT. But more so in the critical infrastructure, things that are sometimes vulnerable that they may not realize. But again, this article, or CISA’s list of bad practices, and there’s three of them, would prevent a lot of the issues that are faced by critical infrastructure. At the RSA Conference 2022.

    • 20 min

    Episode 9: Facebook Messenger Used to Hack Accounts and Drive Ad Revenue

    How many times has a friend of yours posted on Facebook “My account has been hacked, don’t click on any messages from me”?

    A massive phishing campaign that utilized Facebook messenger was recently uncovered. This campaign served two purposes for the attackers.

    * Serve ads to victims to earn money on ad clicks
    * Compromise account credentials using phishing sites with fake log-in pages to further the phishing campaign

    Usually, the message came from someone you know who already had their account compromised. The original article is on Bleeping Computer (link below).

    Massive Facebook Messenger phishing operation generates millions

    Transcript

    0:00

    People are the weakest link in any cybersecurity plan. We’re distracted, exhausted, and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.

    0:52

    Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Hello and welcome to episode nine: phishing through social engineering. And we’re going to use an article from Bleeping Computer again this week. I don’t usually go for the same source twice. But Bleeping Computer is a really good site. They don’t talk a lot about social engineering, but they do a little bit, and obviously, so we have two weeks in a row now of podcasts with social engineering ties on Bleeping Computer. And this article is Massive Facebook Messenger phishing operation generates millions. And this really shouldn’t come as a surprise to anybody who’s familiar with social engineering. Many of us get scammed on Facebook, Instagram, Twitter, and not so much on LinkedIn, but it can happen on LinkedIn and other platforms. A lot. It happens a lot. And while I have not been successfully scammed on any of those platforms, I certainly get my fair share of attempts. And so how does it happen? This article talks about how it happens a little bit. And it says researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger, which means that you could conceivably think WhatsApp as well. And I have gotten messages on WhatsApp as well. To lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements. The campaign operators used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions.

    So while it’s not... you would think, okay, they’re just, you know, they’re just getting people to click on ads, and they’re making money off of that. You can, you know, sign up as an affiliate and make money off of ads. I’ve done this with AdSense in the past, and I’m not currently doing it anywhere. I’ve done this with Amazon as well. Of course, my methods are a little more ethical; these are not ethical methods. So they send you a message from somebody who claims to be your friend. In reality, that account has been compromised, and chances are, you’re clicking on, as it says, you’re clicking on a link and logging in. They’re stealing your credentials, too. So now they’re going to use your account to do the same thing. So how does this happen?

    • 21 min

    Episode 8: To Trust Google Search Results or Not

    Have you ever gone to Google to search for Microsoft Office to purchase and returned results that offer the entire Microsoft Office Suite for a one-time purchase of $30? Who could pass up that deal?

    Well, you should pass on that deal but some will not because it’s human nature to want to save money and to trust Google.

    That $30 Microsoft Office purchase is cracked software and likely contains malicious software. The $120 you saved could cost you in identity theft, credential theft, credit card theft, network takeover, data theft, ransom demands, and/or loss of your business.

    So why do people still purchase it? Is it a lack of education? Or do they just not care?

    In this episode, we discuss how attackers are using a cracked version of CCleaner Pro to install credential-stealing software on victim computers. People are choosing to “steal” the software rather than pay the $30 (currently $20) for CCleaner Pro. The $30 savings is costing them a lot more but why do people choose to do this?

    Here’s the article on Bleeping Computer

    Poisoned CCleaner search results spread information-stealing malware

    Transcription

    0:00

    People are the weakest link in any cybersecurity plan. We’re distracted, exhausted, and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in the war against data breaches and ransomware attacks. It’s time to educate.

    0:52

    Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Washtech, a client-focused, security-minded, proactive IT service provider. Hey, everyone, it’s been a little bit of a while. I apologize, the IT world is insane. A little busy lately. This is episode eight. I may change the title later. But I’m going to call this the Google search problem for now. We’ll call that a working title. And I’m using an article from Bleeping Computer. It’s one of my favorite sites for news, bleepingcomputer.com. And this one is called Poisoned CCleaner search results spread information-stealing malware. Now the issue isn’t really CCleaner. And you’ll understand why once I’m done. I know in the past CCleaner has had malicious... or had a vulnerability. I think it’s been a few years now. That vulnerability no longer exists unless, you know, you haven’t updated CCleaner in years. Hopefully, that’s not the case, because that would be a different set of circumstances, I’m sure.

    Well, what is going on here is that attackers, malicious actors, are using Google Search to get people to download CCleaner. Now you’re thinking, all right, what does it have to do with the human element? It has a lot to do with the human element, because Google accounts for, I don’t know what the numbers are in 2022, but it’s always been very high, around 90% of all internet search traffic. Now, it hasn’t changed much. Or maybe it’s gone down to 80%. I don’t really know. You know, the competition for Google, as far as search goes, hasn’t been really much of a competition, though DuckDuckGo has gained a little bit of ground. I think that’s a different topic. And DuckDuckGo now has its own set of issues, because they were actually, you know, DuckDuckGo advertises that they don’t track anything. But that’s not true. They were tracking for Google, or for Microsoft, sorry.

    • 19 min