Social Engineering Lessons from Mr. Robot Episode 1

you found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we look at social engineering attacks and insider threats.

By analyzing the pilot episode of Mr. Robot Persona and I break down how cyber

criminals use social engineering tactics.

To manipulate people into giving up sensitive information.

We examine realistic ex examples from the show and discuss how AI

powered voice cloning is making these attacks much more dangerous than ever.

And of course, we explore the role of offsite backups in ransomware protection.

This episode will give you practical tools to defend against social engineering.

While actually having a little fun with a great show.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup.

I almost said Mr. Robot.

I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that we had no backups of the production

database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into cyber recovery heroes.

This is the backup wrap up.

Welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and I have with me

my Tesla Grief counselor Prasanna Malaiyandi, how's it going, prasanna?

I am doing well, but I don't know about you.

How are you doing, Curtis?

And

in pain.

that you needed a Tesla grief counselor?

I'm in pain.

My friend.

I, my Tesla got, we, um.

think it's more than an owie.

It's more than an alley.

Yeah.

For the record, clearly I'm fine.

Uh, my Tesla is not, uh, I was having breakfast at my favorite breakfast place

and two cars parked parallel, well, my car and then a big old pickup truck.

And then the guy pulled out, we were both backed into the spot.

He pulled out, did a sharp right, right into my front

left bumper, and he got like.

You know, ti tied up and he just couldn't figure out how to get out.

And so basically he went back and forth a couple times.

It actually, um, the picture kind of looks like a can opener like it places,

and it ended up being about $7,000 worth of damage from a parking lot ding.

Which is amazing, right?

Because it's like the complete, uh, fender bumper, some, the support stuff behind

the bumper as well as a control arm.

and yeah.

And a headlight

Yeah.

And it's not like those headlights are cheap.

I was reading

no.

LED headlights are like a thousand dollars to replace.

Yeah.

So that's a thousand of the 7,000 head.

It's the headlight.

And then like there, they listed like a couple of other lights because

there's a light in the, in the fender.

Yeah.

And that light breaks when you take the fender off according to them.

Um, and I'm like, great design.

But, um, yeah, so, uh, and, and then I, I require additional, uh, support because

of the rental that I have, which I'm just gonna call not a Tesla, um, the Polestar.

And it's not so much I am living, you know, when you, when when

I originally bought my Tesla.

You and I talked a lot before I bought the Tesla, and the thing that I remember

you saying more than anything was it's about the supercharger network, right?

And, and now I'm living that reality because I got used to the supercharger

network and now I don't have the supercharger network and it is a hot mess.

I, I feel for all of those poor.

People out there that have EVs, that have CCS or Chad Mo.

Is that how This's pronounced Chad Mo, uh, adapters and the, the fact that there's

like 15 different competing companies, it really comes down to kind of three, right?

Uh, at least in my area, uh, there's, there's Evie go, there's Electrify

America, and then there's charge point,

Yep.

Like I, and the rates, the rates go up and down throughout the day.

The rates based on the different location and, uh, trying, like in the Tesla, I

just go and I say, you know, show me the chargers within 10 miles of me.

And then, oh, look at the rates and if I want to save some money,

because I, I do have to supercharge, uh, pretty, pretty regularly.

And, uh.

I can just look at the rate.

Oh look, that one's less expensive right now.

Let me drive over to there.

The, there's it.

No, it's like one at a, you know, and then there's the fact that, that a bunch

of the fast chargers, 50 kilowatts.

What is that?

That's not fast.

So.

Well, it's all relative, Curtis.

It is faster than charging at home,

right?

then I have that problem too.

'cause I've, I have a, I have a Tesla plug at home, so I had to buy an adapter

and I'm only getting 30 amps out of that.

Instead of the 48 I was getting, uh,

life is rough.

Curtis life is rough.

yeah.

So I'm living, I'm, I'm just, it's not, it's not a good month for me.

They're saying like two to three weeks, once the insurance company approves the

estimate, which hasn't happened yet.

Anyway, that's why I require a Testa grief counselor.

It's it.

Yeah.

Well, so it's funny because I remember when you went from your

Prius to your Tesla, you had all sorts of questions and concerns,

Mm-hmm.

still trying to figure out all these things, and then it's like human nature.

We get used to things over time and then

Yeah.

to change.

Yeah.

Yeah, I, I, I, I'm, uh, you know, people still ask me, so,

what do you think of your car?

You know, and I'm like, I could, you know, 'cause they see, they see my

car and they, and I'm like, I hate it.

And they're like, what?

And, and it's not so much the Polestar, it's the, it's the charging

network attached to the Polestar and.

and I'm sure there are ways to show maps and the charging stations

and all the rest, maybe hopefully,

But, but not with money,

yeah.

right?

So like, so my favorite app is plug share.

Mm-hmm.

you can say, I would like CCS adapters over a a hundred kilowatts,

uh, you know, in this range.

And then they'll go, here they are.

But then you click on 'em and it'll say, it'll give you an idea.

Sometimes, sometimes it'll have a price, sometimes it won't.

But it will say, listen, you should really go to the companies.

But the other problem is that each of these networks has

their own like membership.

Yep.

so you kind of have to pick one because they want you to

pay to belong to that network.

Um, and, um, if you want to discount, well the, it's, it's a,

it's, you want the discount, right?

They, they price it so that you definitely want the discount.

Anyway, uh, we're gonna, we're gonna continue.

Um, I just finished, I just published as we're recording it.

I just published the Mission Impossible episode, and I thought we would do,

um, we would go down another sort of entertainment, I'm not gonna call it a rat

hole, an entertainment tunnel, uh, path.

Yes, because it's really hard to

good representations of and cybersecurity in Hollywood.

Yeah.

Yeah.

And I think one example of of pretty decent coverage is Mr. Robot.

And, um, you know, it's not perfect.

It doesn't get everything right.

It sensationalizes some stuff.

But I, I think just by and large, clearly somebody who knows

something about cybersecurity, uh, and also backups, right?

Um, you know, our two sort of intersecting topics.

And so I thought, I thought that it'd be perfect for us to do a, a series

Yep.

based on things that we can learn from Mr. Robot episodes.

Now

so, so I think the

that

we should say is

is.

if you have not watched the show and you are interested in it,

you should pause this episode.

Go watch the first episode, which we're about to cover today, and

then come back and listen to it because there will be spoilers.

Yes, there will be spoilers.

Um, hint, um, Rammy.

Malick is not Mr. Robot.

Hmm.

That's a different guy.

Um, so the first episode we're going to talk about, and it's a nice tail

off of the pre, the last episode, which we talked about, insider threat.

So we're gonna talk about social engineering and insider threats.

From the, the perspective of episode one, which is called, uh, hello Friend Mov.

Um, and, um, you know, which is a, which is a, a bit of a spoiler in

terms of how things get introduced.

So, um, let me, uh, just give a, a summary of the episode.

Uh, you know, it's the pilot, so you know, you're introducing the

characters and you get Elliot, the cybersecurity professional.

So he works for All Safe, which is a cybersecurity company,

which is fascinating given what we're talking about.

I just wanted to say like the people who pick these names, they're geniuses

like of these companies, right?

It's

Yeah, yeah.

Yeah.

similar to Allstate, right?

Insurance and

Yeah.

Yeah.

And, and also we have Evil Corp, which is um, which is the big company

that they're gonna try to take down.

And they use the logo, they use basically Enron's logo.

That's, that's Evil Corp. And I love that they just, they call it Evil Corp in the

show, and no one, like does it, wink, wink, like it's literally just, that's

the name of this company called Evil Corp.

Uh, yeah.

So he works at, uh, the cybersecurity firm and then, uh, evil Corp is a, uh,

as a client of allsafe and they actually get hacked in the, uh, in the pilot.

And the, the, the, um.

All safe to text the hack.

They stop the hack.

Clearly.

Remy Malick is like sort of the, the star of everything, and

he's the one who figures it out.

Not only did that he, he's able to find something they keep

referring to as the dat file.

So he finds the IOC, right?

The indicator of compromise.

And, uh, inside that debt file, he finds some, what would you call those,

uh, breadcrumbs that leads him to Mr.

Robot.

And it turns out that this whole thing was a recruiting exercise

to see if he could find this.

And it's for this group called FSO Society, which is the group that

hacked Evil Corp. And, uh, he's then presented the choice of, um.

Of joining F Society to take down Evil Corp. They are a big bad bank,

and we're gonna take them down.

And literally what he wants to do is erase all of the, um, the, the debt, you know,

by, by basically erasing all the records.

And he's like, but wait, there's backups.

They have backups stored at Steel Mountain.

That's another one.

They have offsite backups.

Thank you.

Good job.

They have, you know, offsite air gapped backups stored at Steel

Mountain, but he says, aha.

There is a gas storage facil, a gas processing facility, I think

is what it is, right next to.

Bad desire there, right next to the, uh, steel mountain storage facility, and we're

gonna blow it up, thus blowing up Steel Mountain and all of their backups with it.

That's the plan.

What do you think?

Do you want to join?

Right.

And that's, and that is episode one.

What, you know, what's your thoughts on the, you know, just overall

Yeah.

No.

So loved episode one

mm-hmm.

It's one of those shows where you're like, oh, like especially being in

tech and movies, other than Mission Impossible, which you talked about,

most shows do an awful job of portraying or it's like, Hey, let me just type.

I think the best was, uh, example you have is like Alias, right?

Where it's like, oh no, they're in the network.

Let's just pull all the cables.

It's

Yeah.

Yeah, yeah, yeah.

The, the one, the one of the worst ones I can think of is like the net,

yeah.

Um, you know, it's just, yeah.

Sandra Bullock.

Yeah.

Yeah.

The tech is so bad.

This is, the tech is decent, right?

exactly.

And I think it's also interesting sort of that dilemma that Elliot

played by Remy Mallick faces, right?

Where it's like, do I want to help and defeat the evil corp, or

do I wanna keep my job and be a normal person and all the rest?

Yeah, there, there's a couple of side plots.

Uh, one of them is, uh, that there's this girl that he, he kind of, I don't know

if he, I think he has a crush on her, or she's just a friend, I'm not quite sure.

But she's, you know, she's this woman that, that works

and she's an account executive.

And the, um, in, uh, and then the, um.

The, that's one plot.

And then the other plot is that he's seeing a counselor.

Um, and he clearly has some issues with people and like, and he, he clearly in

his brain, like he hates everyone and he hates society and he hates like,

like, uh, you know, capitalism and, you know, so he's definitely, you know,

f Society again, great naming, right?

'cause it's like f the society, right?

I get it.

Um, and, and so it, it, it definitely, like on one hand he's like, I hate,

I hate the world, and this would be a great way to screw the world.

But he also does have some, um, yeah.

I think the one critique I'll make of the show, I think they did a phenomenal job.

I think that they played too much into the stereotype of a hacker

Mm-hmm.

with his character.

Right.

In the

In what way?

in the sense of right, a loner who has people issues, right?

Who is right.

Those sort of things

This is, this is wrong.

This is wrong.

How?

no, no, no.

But if you think about like your Edward Snowdens, right?

Your other folks, right?

They're just

Yeah.

They look and seem like normal people.

Right?

It's almost like portraying that, Hey, if you see someone who looks like

this, they may be a hacker, versus there are a bunch of people who seem

normal, who act normal, who have social skills, But who could be malicious?

Yeah, I, I think that's probably true of any.

Yeah.

Sort of fringe group, right?

Um, there are definitely, so yeah, hacker doesn't necessarily, you know, Rami Malick

has a very unique look to him, and I'm sure that's part of why he was hired.

Um, and, um, and the character definitely is a loner, right?

Um, but they paint a picture that he is an ethical hacker.

Yeah.

So, um, and what we're gonna talk about, one of the things in this, in this

episode is they, they do paint the picture that he does do some hacking, but his

hacking, like his first thing that we see in the episode is that he, the, he

uncovers a person who does child porn,

Yeah.

at least he, he has child porn.

Yeah.

um, he, um, 'cause the guy's like, I never hurt anyone.

Yeah.

Okay.

Dude, whatever.

Um, and, and he, and he turns in this person to the police.

Right.

Yeah.

Um, and then the other topic that we're gonna talk about in this, you know, in

this episode, um, he, you know, he paints a picture that he's an ethical hacker.

And so what these guys are suggesting is very much a

non-ethical thing, unless you really

Believe in

have some serious situational ethic situation.

Yeah, yeah.

Believe in the cause.

Yeah.

right.

Of FSO society.

Yeah.

Yeah.

Which is apparently, you know, erasing all debt.

but by the way, okay, so there are two things I think that were interesting

that are actually three incidences that happened in this episode, which

I think might be useful to talk about.

Right?

The first,

Okay.

The first that you alluded to was a cyber cafe owner.

Yeah.

And so what did he end up doing?

Or did they, uh, describe what he did in order to sort of infiltrate?

Or was it kind of like, Hey, I did something and,

think he, yeah, he, I, he, he did give a, he did give a, a summary.

I don't remember exactly what he, 'cause it was so early in the episode,

I wasn't, you know, quite, but he basically got into the guy's accounts.

He saw that he was doing, the guy was using, uh, security by obscurity.

Right in that he was hiding in plain sight in this, uh, cyber cafe.

Right.

He was using his business that otherwise would have, you know, um, but, but, um,

Elliot saw something that caused him to sort of look differently and he looked

and he saw all this stuff going on, right?

And he's like, look, I, I, I've, I've got your emails, I've got your, you

know, I've got, I've got all the stuff.

I've got, dude, I've got all the evidence.

And the guy's like, are you blackmailing me?

And, um, and he's saying, um, no, I've turned you into the cops.

And then the cops all show up.

Yeah.

So I don't, I don't, I don't have any good stuff from that one.

Do you, do you have any, um, yeah,

from that one.

Any good takeaways?

yeah.

But the, let's talk about the, the, the, i I, I want to call her the girlfriend.

The, the, the friend girl.

Yeah,

yeah.

the coworker who he may or may not have a crush on

Yeah.

Yeah,

may or may not have feelings for.

yeah, yeah.

So, um, the, um, uh, you want, you wanna talk about that.

So his coworker, whose name is Angela, right?

He sort of is looking out for whatever you want and he suspects the guy

and doesn't like the guy at all.

Going back to what Curtis was saying, he hates people,

Yeah,

He has people issues and so he

but he senses something.

Something is not right with this guy.

Yeah.

senses are going off.

So he decides, okay, let me take a look and do a deeper dive and dig

into what this guy's all about.

And so he actually sort of social engineers, the guy, right?

Yeah.

uh, do you wanna walk through like what he does?

Yeah, so he calls the guy pretending to be, I believe it's the bank, and

basically said, Hey, we're the bank.

We need to talk to you about your account, but before we do that, uh,

we need to authenticate you, uh, you know, what's your dog's name, what's

your, you know, blah, blah, blah.

And he asked a couple different security questions and the guy's

like, I don't remember these being security questions, but the guy totally

falls for the social engineering.

which is crazy considering he works for a cybersecurity company.

Right, right.

Maybe he's another, maybe he's an ae and he's not a, he's not

a cybersecurity professional, but it's still, he should know.

He should know better.

And then he uses the, the responses to then, um, seed a

password guessing, uh, algorithm.

Yeah.

And

And.

ends up breaking into the guy's account and he finds all sorts of evidence

that the guy is not who he seems to be.

Dun Dun.

Yes.

married and actually Dun, he, I think he has like multiple

girlfriends or something.

Yeah.

Yeah.

Not a good guy.

And then he, he blackmails something.

He's like, look, get out, get out of her life, or else.

Um, and then I,

the first one, we talked about him being like the ethical hacker.

yeah.

This one, do you think he's really the ethical hacker

just because it's self-motivated?

Does

It is, you know, he is an ethical hacker with an ulterior motive.

How's that, right?

I I, I, I'm one of these that believes that there's no

such thing as a selfless act.

Um, every selfless act that you do has a reason behind it.

This just may be a bigger reason.

Right.

Um, we could have that philosophical discussion, you

know, even like gifts to charity.

Right.

You know, you give it, I, I believe you, you know, you want that

feeling of, you know, whatever.

Right.

Anyway, in this case, he's trying to stop the,

Yeah,

you know.

the interesting thing, if we just look at this particular incident, right?

It's the fact the guy worked at a cybersecurity company, he didn't

like, someone calls you from the bank and starts asking you questions.

You should be like, Hey, I'll call you back, hang up, and then call the

number from the back of your bank card,

Yes.

Right.

whatever else to validate because then you know, okay, that is the actual number.

Well, you know, here's a, here's a real world, um, example of this.

I am an Airbnb host and I, and I'm on the Facebook groups and this person said.

Someone calling, claiming to be Airbnb.

Um, and I talked to them and uh, next thing you know, he's locked out

of his Airbnb account and they've changed the bank stuff to go and

he's trying to get into Airbnb to get to, to fix things, right?

Meanwhile, any payments that go through or going to this other entity and, um.

And I'm just like, guys, guys, you know, like what if, if any business

or government entity, you know, or personal entity calls you they

called you and then they want you to authenticate them yourself.

It's, it's a scam.

Yep.

And, and even if it's not a scam, if it's not a scam.

'cause what, well, what you should do regardless is what you just said.

Right.

Call them back at the published number.

Not a number that they give you the published customer service number.

Right.

And they're like, you know, they're like, no, that one, you gotta call

this special number to get into me.

You know?

No, no, no, no.

I'm gonna call the published number.

Yep.

And I, I, in my entire career, this has always been a thing in my entire career.

I've always.

Done this.

And I've had one company, and I remember that it was Union Bank, which it,

you know, this is like 20 years ago.

Union Bank would call me and say, we want to talk to you about your account,

but we need you authenticate first.

And I'm like.

You are bad, bad company.

And it was Union Bank, right?

They're like, we want to call you about your, your, um, you know,

these transactions, but we need you to authenticate yourself before you

can authenticate these transactions.

And I'm like, you called me.

What?

What?

exactly.

uh, yeah.

So that's, that.

That's classic social engineering.

There are, there are lots of, go ahead.

there's also one more I wanted to talk about too from, from this incident.

A social engineering one.

yeah,

Okay.

What?

Go ahead.

So the other one to talk about is the security questions,

Yeah.

right?

So I know everyone likes to be like, Hey, what's your favorite, uh, fruit?

Or What's your favorite travel destination?

Or blah, blah, blah.

People don't realize, you don't have to answer those truthfully

Yeah.

is asking you, like, I remember we had Rose Rose

Yes.

podcast,

Yeah.

And one of her favorite things was when people ask me for those, she's

like, I just put random things because it doesn't matter what it is.

Yeah.

You just need to store.

Yeah.

As long as you can remember.

So what I do is I put the, the answers to those in the notes of my, of of Dashlane.

Right.

Um, and, uh, and that way I, I have it because some of them are like.

You know, some of them are case sensitive and you know, all stuff,

so you gotta make sure you store it as the way you put it in there.

But yeah, you could put, you know, you know, mother's maiden name,

Yeah.

like, it doesn't matter what you put as long as you could, as

long as you can put it back.

Yeah.

By the way, that is my mother's maiden name, but

So here's a question just now that you brought it up.

yeah.

think it would be better for you to store those answers to

security questions separately from your Dashlane password manager?

I don't think so.

Um, I, I know what you're thinking.

Single point of failure.

Here's the thing, if gasoline is hacked, I am.

Straight?

Yeah.

Yeah.

Um, and I, I put, um, you, you can make the argument.

I, I do use a different.

OTP, uh, program, right?

I don't, I don't use Dashlane supports.

OTP one time password.

Uh, I, I use a different one of those, but, but to me, it's a very secure

place to store this information.

Um, I see what I, I can see the argument that says if someone gets

my password, they would also have my, if someone gets into Dashlane,

they would also have the word the.

Arguments to my security questions.

Um, this is, this is where security versus no, um, uh,

security versus convenience, right?

We had a great conversation with Mike and I learned a lot on a few episodes

ago about where, where I was able to come up with a good security version.

Security versus convenience Workaround to his suggestions.

Like always do a, a separate browser for whenever you're doing anything that like

really matters, like great squad cast.

If some we're using squad cast to record this, if somebody hacks

squad cast, I couldn't care less.

I would lose like the last couple of recordings.

Right?

Yeah.

it wouldn't be the end of the world.

Right?

Uh, but my bank.

You know, QuickBooks, all these things, I, those need to work.

And so what I came up with was I use a separate browser, not the

one I, I live in Chrome, right?

I don't use Chrome now, based on his, uh, suggestion, I don't use Chrome anything

financial and anything where really important Prasannal information is stored.

Yeah.

So like, if my social security number is there, I'm, this is going.

And then what I did was, um, I, I installed a Chrome

plugin to block those sites.

So that's my, so I created the process.

The process is, um, you know, I'm gonna use this other browser for those.

And I needed to use another browser that was supported by Dashlane.

Yep.

And, um.

I then, uh, installed this plugin that basically if I go to.

Any of the sites that I, that I've need, by the way, it's, it's a lot of sites.

It's like, it's like 30 or 40 sites where I do this kind of stuff.

And, um, I, um, it, it comes up as being blocked.

Right?

So that's, um, and so that's the kind of thing that you can do.

Um.

But I, I can see, I can see a solid argument saying, okay,

if you have security questions, put it in this other thing.

Um,

I can't argue against it.

I can't argue against it.

but you also have to back it up.

You have to make

Yeah.

keeping copies everywhere, right?

You have to secure it, you have to encrypt it all the rest.

And like you

Well, I just download all my passwords and I put it as a,

as a Google spreadsheet, as a.

that's, that's I think the easiest.

Yeah.

Oh yeah, it's a text file.

Yeah.

a text file on my desktop.

Um, so yeah, so the, the social engineering thing is, you know, that

the only protection against social engineering is constant training

and vigilance to, to, to recognize.

For, for, you're right.

'cause that guy should have recognized what was happening.

He should have said, I'm sorry if you're really the bank, let me

call you back at the bank's number.

He should have done that.

He should have recognized this as a po potential social engineering, uh, effort.

exactly.

then, and then immediately shut it down and, and, and called him back.

And the only way, this is where the human is the worst, uh.

It's the weakest link.

You are the weakest link.

So the only protection is you.

yep.

And so you, this is why you need to constantly train, remind

yourself of, of the newest things.

By the way, the latest thing has to do with ai.

You want to talk about that.

Yeah.

So as, yeah, unless you've been living in a rock somewhere, or

a deserted island, one of the things that is happening, right?

AI is everywhere, right?

Everyone uses chat.

GPT, Claude, take your pick, right?

But now.

Huh?

I.

yes.

This podcast is not being generated by ai.

Don't worry.

Um, but one of the things now is before it just used to be like generating

text, but now it's gotten really good with like generating video and audio.

And so it's actually able to replicate people's voices.

So you might get a call, Curtis being like, Hey, it's uh, my

granddaughter that needs help at

Yeah.

and she's been kidnapped, and please pay X amount of dollars in

ransom, otherwise you won't get

Yeah.

or

Yeah.

it is.

Or they went to jail and they need to be bailed out.

Please call this number.

And very, very convincing about the voices because people's voices are out

there, like our voices are out there.

Right, right.

this podcast, on YouTube, et cetera.

Yeah.

Yeah.

people can build a pretty good AI model just based on a short amount of audio.

so that's where if you do get a call sounding like someone, make

sure you have a way to verify that.

Yeah, if they're calling, I mean, my granddaughter calls me and

just wants to chat, talk about the latest episode of Bluey.

Um, but if she calls me and says, I need you to wire this money.

I'm gonna do a little extra authentication.

And the way to do that, by the way, is to discuss something that only

the two of you would actually know,

Yep.

Where did, where did we go?

You know what?

Where did we go for dinner last week?

What did we have?

Something like that

yes, and the key is only the two of you would know.

So if you post on Instagram what you ate to last week,

that would.

that's probably not a good thing to use for verification.

Yeah, you wanna, you wanna, you know what, you know what,

what, what did we talk about?

What did we talk about while we were at dinner?

Right.

Um, you know, I, I, you know, originally I was thinking that you should

have a shared secret, but thi this, this is, this is what you need as a

shared secret if you really are my granddaughter, um, you know this thing.

Right?

Um, what was the last topic that we talked about When we spoke, right?

And in

Yeah.

think that having a last topic or something like that, like more contextual

makes sense because who's gonna remember a password that you agreed upon like

six years ago or 10 years ago, right?

one's gonna

Yeah.

versus like, Hey, we just had this conversation.

What did we talk about?

You know, we used to, we used to have a DT.

Right?

Um, and there was a password that you could call.

and

Um, yeah, you know what, you know what ours was?

It was, it was lumpia.

Oh

Um, anyway.

Yeah.

So, uh, and by the way, use the same uh, thing we just said.

You, if, if it really is your granddaughter, call them back on

your granddaughter's phone right now.

There's still a possibility that still might not be your granddaughter, right?

Because of.

Things Right.

But the, the chances are, again, good, better, best.

Right.

Yeah.

then, so call 'em back on the number and then, and if they don't answer Hmm.

Right.

Um, and then have that conversation, uh, of, you know, some shared secret

that only the two of you would know.

Yeah.

Um, in my case, it, yeah, go ahead.

yeah.

And it is interesting because I don't think people realize the amount of

information they post online about

Yeah.

Yeah.

Yeah.

right.

Well, that, that's another,

against you.

that's another thing that happens here.

Uh, what, what is it called?

Um, yeah.

So that's a great, uh, um, segue into another topic to talk about, which

is, uh, osint, O-S-I-N-T, which is short for open source intelligence.

And, um, Elliot does that when he, when he, once he hacks the guy, that's

how he figures out all the stuff.

Like he's looking at a, he's looking at all his Facebook profiles and stuff.

Yeah.

Yeah.

And sometimes people will be like, Hey, where did this thing come from?

Um, as an example, Hey, here's a license plate.

Can you help me figure out what it is?

Or here's like a random broken taillight of a car that did a hit and run,

Yeah.

of scour the internet looking for things, right?

That's all open source intelligence.

Yeah.

That they're using

Yeah.

this.

It might be Wikipedia, it might be Google, it might be looking at

Google Maps to figure out like, okay, where did the sunlight hit

in this certain point of time?

And let me figure out where exactly

There's a guy, have you seen the guy?

There's a guy that you could send him a picture and within five minutes he will

tell you where that picture was taken.

It's really kind of freaky.

There's a YouTube channel.

Um, and, and he does it really, really quickly.

Um, the, um.

I saw Kevin Mitnick, uh, speak once, uh, which is, you know, at one time

he's a, he was an ethical hacker.

He is no longer with us.

Um, and again, every time I mention his name, I gotta say,

not everybody is a fan of Kevin.

There's some stuff there, but I did see this, um.

This presentation where he talked about using, again, this is

again, a combination of social engineering and, uh, OSINT, right?

So he finds, he, he, he wants to target a person.

He finds their, their LinkedIn profile, and then he sends them an

invitation to be a speaker at his event, which he has created a, um.

Uh, you know, a webpage, four and everything, right?

And, um, and he sends him a Zoom and, and he, he goes, we want to do a, um,

intro

an interview of you prior to the thing.

We just want, we just wanna close the deal.

And he sends him a, a link, supposedly to a Zoom invite.

The link is actually a, uh, a thing that downloads.

Malware and then opens up zoom, right?

So unless you're really paying close attention, you don't notice that you

just downloaded this, this malware, and, um, and basically you then just gave

them your keys to the kingdom, right?

Um, and that's where again, that's, um, that's another topic that we'll cover in

a later episode about the phishing, right?

But, but osint is a big thing.

Um, and of course, um.

Social engineering.

And then, um, let's also talk about just the fact we talk about it a lot.

Uh, the concept of an insider threat

Mm-hmm.

Elliot is going to be, you know, a really big insider threat.

Oh yeah.

in cybersecurity for the client, right?

Who you are thinking about now attacking

Yes.

know,

Yeah.

you know all their weaknesses, you know all their infrastructure,

you know, all the personnel.

Yeah, and you, you know, a pretty good story about, uh, an

insider threat situation from a cybersecurity firm as well.

Yeah, there was recently, a, probably a couple weeks ago, uh, an article came

out where the DOJ was investigating an employee of a cybersecurity company

who basically was supposed to be ne.

Helping, uh, victims negotiate with ransomware companies and

Yeah.

up and running, and literally what the person did instead was he would negotiate

for lower rates with the ransomware companies and then take the difference and

Take a, yeah, take a cut.

Yeah.

Yeah.

And, um, yeah, not good.

Not good.

exactly.

The person

Um,

trust, it's like your doctor who's like, oh, by the way, when

I'm doing surgery, I'm gonna like take out part of your kidney.

Or take out your kidney at the same time.

Right?

You

And yeah.

do what they're trained to do, right.

Yeah, and I, and I, without going into detail, I had an incident like this, not,

not in cybersecurity, but I had this, I had an incident in my business life where

I had a person that I had entrusted a lot of stuff and I did not verify, and

honestly, it ruined my life for a while.

And so

Yeah.

you, you, um.

The, this is where we want to talk about the concept of trust, but verify, right.

The, the great, so two things, trust, but verify.

And then also, um, the concept of, uh, least privilege and, you know,

bumpers and all of, all of the things that the, the more that a person

is entrusted with, the more they should be monitored by someone else,

yeah,

right?

Yeah.

yeah.

Because otherwise you don't know what they're doing.

But here's the challenge though, Curtis, right?

So as an example, you hired the doctor

Yeah,

a surgery.

not an expert in that.

You don't know what's gonna be happening, right?

And you

is, this is, this is why you get a second opinion, right?

Yeah.

Yeah.

Um, I, I think, I think, um.

The, I I, I'm not sure if that's a good analogy for this world, but

I mean, you should, you should.

But in the case of like, it's just a matter of like, have other things, other

people that can verify, you know, again, the more you, the more you entrust a,

a group, a company, a person with, the more you need to at least occasionally be

looking around to see what they're up to.

Yeah, I agree with that.

And it might be as simple as logging reviewing the logs to make sure,

okay, what actually did happen?

Does it align with what they said they're doing?

Or hey, setting alarms for things they shouldn't be doing.

Right, right.

Yeah.

Honey pots,

Yeah.

uh, you wanna talk about what a honey pot is?

Yeah, so honeypot is basically, you can think of it as physical world.

You have honey in a pot and it's supposed to attract bees,

Mm-hmm.

And so a honey, a pot is basically you put out something that looks like

a normal device, but you're putting additional logging and monitoring.

And the goal is to have bad actors target that.

So you can detect when someone is in your network, in your infrastructure, or

doing something they shouldn't be doing.

Yeah.

And, and a really important element of a honeypot, uh, is

that it has no other purpose.

No one should ever be logging into it.

If anyone ever logs into it, it should set off the CLS on alert

Yep.

uh, it's time to look.

I first learned about honeypots reading the Cuckoo's Egg, which we've talked

about before, but if you've never read The Cuckoo's Egg, go read it.

It's a short read, right?

It's a pretty, pretty short read.

And it's a true story back from the early days of, of, uh, you know, computing

where, um, a guy uncovers a. Like a couple of, like a 3 cent accounting error.

Right.

Yep.

And he ends up uncovering, you know, a cybersecurity ring and, and it's

fascinating the way, so, you know, the cis admin is the hero in the story.

Uh, cliff Sto is the guy's name and, uh, it's a great, it's a great book.

And, and then he has honeypots.

That's where I first learned about honeypots.

Yeah.

Um, and then finally our, our favorite topic.

Backups.

So I was so excited to see that, that they discussed that, that

they were using Steel Mountain.

I mean, this is where I was like, okay, alright.

Iron Mountain facilities are generally like, the more branding you see of

Iron Mountain, the less it has anything to do with storing anybody's media.

Like one of the things I learned was when you see Iron Mountain trucks,

those do not have backups in them.

Those have paper.

Shredding,

Yeah.

Yeah.

The shredding services.

Yeah.

Yeah.

Um, and, um, because they, they, they know this problem, right?

There is, there is some element, or there is some value in

security by obscurity, right.

Um, not publishing what's, I mean, maybe you can figure it out, but I'm thinking

that I, that Iron Mountain probably and other media storage facilities.

Probably use lots of LLCs and things like that to, to rent

buildings so that they can have that stuff, um, easily not detected.

Uh, and then the vehicles that are going to and from of them, you know,

I'm wondering if you're a determined hacker really wanting to target

Iron Mountain or something like it.

Maybe you could eventually figure it out.

But again, it's um, you know, you follow the, you follow the guy, right?

Where's, where's the guy going?

Right.

sign up for an Iron Mountain account and ship a tape and just put an air tag in it.

Just saying

That's just so wrong that it's so easy to do that.

Right.

saying that's

You're just saying.

But yeah, that is, that would definitely find a Iron Mountain

storage facility and might not find the one you're trying to target.

But, um, yeah, again, I'd go back to Alias.

I remember when she needed to pass a message, she would, um.

Like have a thing and she would like ball up a thing and put it in the trash can.

And then that was how they passed messages.

Yeah.

Anyway.

Um, so enough for, uh, Mr. Robot episode one.

Go watch.

You know, go watch episode two.

Go Refresh.

It's a decent show.

It's a solid show.

It really put, uh, Remy Meek on, on the map and he of course ends up

playing Freddie Mercury in the movie.

Uh, Bohemian Rhapsody an amazing job, uh, doing, uh, Freddie Mercury.

So, um, yeah, go watch it.

And, you know, and, and you, you'll see the same things we

stuff where they get it wrong.

I, you know, but, but by and large, the show does a pretty good

job of, of getting this stuff.

So go watch it.

It's good, you know, and, um, you know, and then we'll talk, we'll talk next week.

Sound good?

sounds

Thanks.

Yeah.

All right.

, Thanks folks for listening.

And uh, that is a wrap.

The backup wrap up is written, recorded, and produced by me w Curtis Preston.

If you need backup or Dr. Consulting content generation or expert witness

work, check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that

you hear are those of the speaker and not necessarily an employer.

Thanks for listening.