Hacked - The SIM Swap
Episode Date: February 25, 2020
Jordan Bloemen & Scott Francis Winder discuss SIM Swap attacks. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpo...dcast and show us some love.
Transcript
The following is based on a sworn affidavit, but it starts with some tweets.
Here are just a few.
Stole 24 million still a failure in the eyes of the world.
Stole 24 million can't stop stealing.
Stole 24 million but can't stay away from drugs.
Stole 24 million and still can't keep a friend.
We are in the AT&T flagship store in Times Square.
And two guys walk in. One younger, one older.
The first guy, Nick, the younger of the two, was maybe 20, short black hair, gaunt face, goes up to a clerk named Spencer.
Nick explains that there has been a mistake and he needs to add his name to an account.
He's got the info, the account number and the PIN, he shows his passport, and the employee Spencer goes to add Nick to the cell phone account.
But there's an outstanding bill and the employee says that
Nick has to pay it before he can add himself to the account.
Nick says forget it, and he and his friend walk out.
You see, the employee Spencer was this close to making just a huge mistake.
Because you see, if Spencer had let Nick add his name to that account,
well, let me take you through what would have happened.
First, Nick would have used his newfound presence on the phone account
to redirect all incoming traffic to the number to him.
This includes texts.
Then, he would have used that number to get past the two-factor authentication,
protecting the original number holder's cryptocurrency wallet.
The kind of thing where you're texted a pin when you try and log into an account.
Which is all to say that 20-year-old Nick would have pretty quickly had complete and total access
to an online wallet worth, and he would have stolen every cent.
Were it not for Spencer.
Which begs the question.
Who was the guy who walked in with him?
The other guy is Chris,
author of the affidavit on which this story is based.
Chris is a private jet rental salesman
who met Nick in the gym of a luxury apartment,
played video games with him,
became his friend,
partied with him,
figured out how Nick made all of his money,
got terrified,
started recording Nick,
and wrote that.
That story is based on his claims.
There hasn't been a trial.
We can't verify that.
It's speculation.
So what scam exactly, according to Chris, was this kid who wrote those tweets that opened the episode running?
How exactly does a 20-year-old steal $24 million?
This is the SIM Swap on this episode of Hacked.
We're still here.
We are?
We didn't go anywhere.
We didn't go anywhere.
We've still been sitting in these seats.
Waiting.
Waiting for a month to pass to release another episode.
Four weeks.
We can record the next of us.
That's how excited we've been.
Yeah.
No, it's been great.
I got to say that I've just been enamored by the great response to the podcast coming back,
all the support, especially the patrons.
And this episode shout out goes to Megan Star Trek.
Thanks for your support.
Thanks for being a $5 or higher donor, and we really appreciate it.
It means a whole heck of a lot to us.
And to everyone who's supporting us on Patreon, patreon.com slash hacked podcast, just about the best way you can support the show. It's been a lot of fun being back and getting to make this thing that has people who are actually enthusiastically listening to it. Every message we get, it's a treat. It's a treat every single time. It makes it exciting for us to come down and sit in here and record one of these things.
You make our day brighter, each and every one of you.
You're about to meet a man who lost a million dollars.
If you have a mobile phone, you are a potential target in the SIM swap scam.
The SIM is the small card that contains your phone number.
The hackers got Rob's carrier to swap his number off his SIM and put it on their phones.
AT&T said there had been a SIM swap request.
What is a SIM card?
A SIM card is a relatively recent addition to the cell phone.
It was only how when GSM rolled out, you might not be old enough to remember that, but I sure do.
Yeah, the, anyway, the SIM card is the subscriber identity module, which is, you know, a beautiful tech name for something so basic.
But essentially, it's a way that the cellular network identifies your device.
Kind of like a name tag.
Yeah, essentially.
Back in the day, there wasn't actually a card.
It was just hard-coded into the phone.
so you would literally go to a cell shop, get a phone,
and they would punch in your, like, subscriber ID right into your phone.
And then eventually when GSM came out, they said,
hey, you know, people are keeping their phone numbers
and are changing phones.
Wouldn't it be great if we put this onto a tiny little card
that they could slide in and out of different devices?
Right.
So the reason you want to have a little card
that can be taken out of the phone
is that so that people can easily swap phone numbers between phones
and phones between phone numbers.
Yeah, essentially.
It's probably where it came from.
Interesting. To promote the upgrade cycle of cell phones that we all now live and die in.
At what point did a SIM card go from being a way to tie a phone number to a phone and become a tool for security?
Well, that's a, I don't think it ever has. I think a bunch of companies have made it that way.
You know, phones have never been identification documents. It's not my passport, you know. It's not something that I like, have to go to the government and get issued to me.
It's just a phone number.
And the fact that we've all become so addicted to our cell phones and they never leave our side, they've started using them as such.
I actually spent, you know, five minutes before we shot this episode and rolled through my cell phone or through my text messages to see what recent services had used my phone as such a thing.
And the list was ridiculously long.
And it was all major companies too.
It was like my bank.
It was Facebook.
It was Google.
It was PayPal.
And it was like my internet provider at home.
They all had texted me codes kind of as a two-factor authentication or like a cheap form of a two-factor authentication.
Your bank texting you a pin code that you then type into their website, how does that turn your phone into an identification document?
What is that trying to achieve?
They're just essentially saying, hey, you have the password or, you know, you are trying to reset a password sometimes.
they just want to verify that the person making that request is the person who should be,
and they're cheating the system by using your cell number essentially as a form of identification.
When you say cheating, how's that a cheat?
It's a cheat in the sense that it's not truly something that defines who you are and is part of your identity.
It's just your phone number.
You know?
Right. It's not blood. It's not a fingerprint.
It's not a photo.
No.
It's just literally a text message.
So the whole big idea behind this is, I'm Google, I'm Facebook, I'm your bank.
Someone has tried to log into your Scott Winder's account.
And the bank has gone, okay, they had all the information that we would normally expect for them, right?
They have your username and they have your password.
But we want to take this one last step.
We want to someone else might have those things.
We just want to confirm that this is actually you.
And one other thing we know about you is that you have this phone, this physical device that this hacker
probably doesn't have. So we're going to text that number. And if you get that code, you can
confirm that you got texted. That's the basic kind of mechanism behind this, right? Yeah. Yeah. The beauty of
it is that it is actually better than not doing it. But the catch is that some services, especially
the cryptocurrency brokerage that was in the intro story, was using the cell number as like true
second validation of identity. So like instead of just being like, I'm logging in, here's my
username and password, it was more like, I've lost my password, I need to reset it. And they would say,
okay, we'll send you a link to your text message. You know, same as when we talked about emails
in a previous episode. It becomes a bit of the keychain. So if you can get access to someone's
emails, you can get access to resetting their passwords. This is what the intro story was about,
was the fact that now, you know, some services are using text messages like that. So now getting access
to the text message gets you access to reset their password.
It's the service trusting that the phone number that they have on file is going to the person
they think it is so thoroughly that they let you use that number as kind of a side door
to allow a person to get into their account even if they forgot their password.
Yeah. So imagine, you know, to go back to email, all of us have lost a password to a service
at some point and had to hit the forgot password button and it sends you a nice email with a little
link that when you click on allows you to set a new password. The difference is, is that there's
really no easy way to redirect email. You know, it requires, you know, MX DNS records and all
kinds of, you know, complicated infrastructure that most people would need to, you know, spend lots of
time attaining access to versus a SIM or a cell phone, which you can easily kind of get access to.
I want to dwell on that. You can easily.
get access to someone else's incoming SMS traffic?
Like you can get the texts that are being sent to them sent to you.
Yeah, there's a number of ways to do that.
You know, one is just, you know, I've personally lost a phone.
My phone is very locked down.
Like I have an iPhone.
I probably shouldn't tell everybody that in the world, but I have an iPhone.
Anyway, it's very encrypted.
You know, there's a huge digit combo to get into it.
Losing the device and somebody getting access to the device
is really tough, but I can pop the SIM out of a device and slide it into another device.
And most people don't have passcodes on their SIMs, so it immediately accesses the network
as me and my text message traffic begins. So that's one way, is just simply having the physical
copy of my SIM card. But that's, like you said, that's physical. You have to actually get
access to that physical SIM card, which, if I'm Google, your bank or Facebook, seems like
pretty good security, right? We can trust that as long as someone hasn't physically taken that
SIM card, that it's still locked down. Are there ways for someone who wants access to that
text message traffic to get access to it without physically having the SIM card?
Yeah, there's a whole history of that in hacking. Like one of the most famous hackers in the
world, Kevin Mitnick, used to famously clone cis numbers inside of old cell phones so that he could
location stumble and they could never triangulate where he was. So he was on the run for years and he
would access the cell networks by essentially cloning other devices. You know, and that was in the
90s, like 80s, 90s, you know, and that kind of progresses right up to the intro story that we just
heard, which is me getting access to your account, accessing the account on the cell network
provider, convincing them to put that number onto a different SIM card.
And then I take that SIM card and put it into a new device or a different device that I own.
And now I'm you.
Okay, so I want to be you in that metaphor that we're talking about here.
And right now, all of the traffic that goes to your phone number is being sent to the
SIM card that's physically in your phone.
So what you're talking about is I just have to convince the phone carrier to redirect that
traffic to this SIM card that I have over here.
Correct.
All the stuff from Scott's number to this new SIM card that I have.
Totally.
How?
Yeah, it's definitely not the easiest thing, but it's not the hardest thing.
Like social engineering is probably the easiest way to attain all that information,
and that's just literally like manipulation.
And, you know, that's been going on for thousands of years.
And, you know, some people are really good at it.
And, you know, the gentleman from the intro story,
had essentially done that. He'd socially manipulated or socially engineered somebody into giving him all the information that allowed him to access his account.
And to think that like he stopped short because of like a little unpaid bill is wild.
So really just comes down to can the person do a reasonable impression of you?
Yeah.
Over the phone.
Yeah. Like my mother's maiden name is something that you probably know because we've worked together for a few years.
And that is such a, you know, an institutional stalwart of security.
And that is barely confidential information, if at all, could be considered confidential information.
So I've decided on a person whose SIM I want to clone, basically.
Sure.
Me, hopefully.
It's you.
Oh.
I started doing my research.
I start thinking, I start figuring out all the stuff about you that a person might ask me to confirm that I am you.
Well, better than that, you probably have an account with a cell company.
You could pretty easily figure out what questions they're going to ask.
Right. You call them up and say that you need to do this for your own account.
You figure out all the questions they're going to ask you.
Now you have basically a laundry list.
This is the information about this person that I have to go get in order to be able to pull off this hack.
Yeah, correct.
Huh.
That seems like a giant vulnerability.
It's like the oldest vulnerability, and it continues to pay out.
Okay, so I've decided I want to go after your SIM card.
I do my research.
I figure out what I need to figure out about you.
And then I just go hunting.
And let's say I stitch together all of this information.
What's the next step?
Where does it go from there?
Once you have all of my details and you just literally can walk into a cell phone shop
for the company that I'm with and verify your identity,
say that you forgot you have your ID.
In some of these higher level cases,
they often have what you call like, you know, an inside person who,
who works at the cell company
who can provide you with some of the details
and bypass some of the security restrictions for you,
which facilitates your access.
So that is some cases where there are multiple people,
but in other cases,
I don't know the last time you made serious changes
to an account like this,
but it's not a very rigorous verification process.
So one thing I'm noticing here is like
when we talk about a lot of these hacks,
they feel like they're a shotgun approach.
One's literally called phishing.
And it's like you're putting out
all of these things into the world.
and you're seeing what comes back.
This feels different than that.
This feels like the amount of work necessary
to get one person's traffic sent to this one device.
Like there's research involved.
You have to impersonate the person.
There's real vulnerabilities in this process.
Why would I want to put in all that work?
Yeah, quality over quantity.
You know, to go back to like online street crime
in some of the previous episodes,
you know, ransomware is a quantity business
where this is a selective, this is a real hack.
This is like, you know, Jordan is a Bitcoin trader,
and I know that the brokerage he uses SMS to do password resets.
I think he has $20 million in his Bitcoin account.
Hypothetically.
That makes you a great target.
You know, we're talking about essentially a quote-unquote untraceable currency
that I'm going to potentially take from you.
with a little bit of social engineering
and a little bit of like cell phone cloning.
And the other thing is,
is like maybe the first cell shop I go to,
they want to see my physical ID,
and I haven't faked that yet.
But, you know, there's probably 300 other cell stores,
and eventually I'm going to get a lazy person
who's just going to let me have the information
and make the changes for me.
So you get that information.
You make that change.
All of my texts are going to you.
I steal your Bitcoin.
and I leave the country.
Thanks, Jordan.
How do SIMs actually work? Yeah. So consider them to essentially be a small
computer sitting inside of your phone. They have their own programs, they have their own data
reserves, they have all this other functionality, which can be communicated to you wirelessly,
but we'll get into that later. When your phone tries to log on to the cell network,
there's really two big pieces of information that are critical to that process. The IMSI number,
which is the International Mobile Subscriber Identity Number, and then the KI, which is the
key identification. So,
consider these kind of like the username and password.
And they're often, you know, kind of coded into the SIM card.
So these username and password kind of have an encryption algorithm that they kind of vibe
with the network and that grants your phone access to the network.
So that's kind of how they work.
We could get into the encryption side of it but probably don't need to.
There's different versions of SIM cards over the last, you know, 20 years.
And the first ones were very easily clonable.
The encryption algorithm was really basic.
and you could actually brute force kind of figure out what the key identification or the KI number was.
That's been mostly fixed in the newer ones.
So in like the version two and version three of the like SIM standards, it's much different.
So they're much more secure than they used to be.
Sure.
So there's really no reason for a hacker to try and figure out what that IMSI and that KI number are
because it's just going to be too difficult.
You need to just get the traffic redirected to a whole new SIM card with a whole new IMSI and KI number.
That's going to be simpler than trying to work through.
these impossible numbers. Yeah, often. To go back to the, you know, quote unquote inside person,
if you have true access into the cell network information, you can actually grab data tables
of all of this information and just kind of make your own SIMs. So that's a different way to
solve this problem. So instead of trying to trick someone to redirect the traffic, you just get
access to the tool for redirection basically and redirect it yourself? Yeah, essentially, you could
just code your own SIMs.
That seems like you would
That's like God mode
It seems like you get some insane damage
If you got into that back end
You get a special badge
For that one
Yeah and then actually in
There's a rumor in 2010
That Gemalto
One of the major sim manufacturers
Was actually hacked
By the NSA
And I
It's kind of a complicated story
But you know
They never proved it was the NSA
The NSA never took credit for it
But essentially
It looks like they hacked Gemalto to verify whether the entire global cell network was at risk, because Gemalto had most of this information.
So kind of accessing the ultimate God mode, where you're not just in the cell network, but you're actually at the highest level getting like 7.2 billion SIM cards worth of data.
And theoretically, if you were in there, you could redirect the traffic from any of them?
Well, you'd have enough data.
you would have enough data that you could really cause a havoc.
You wouldn't be able to redirect the traffic
as much as you would be able to start making your own SIM cards.
So you'd be making clones of the username and password
to log on to any cell network you wanted to.
There's definitely like a certain kind of elegance to this,
the whole solution that makes a lot of sense to me.
In spite of that kind of human vulnerability we've been talking about,
is there a version of this that removes that?
Is there a version of this that works better?
Yeah, well, it's actually coming.
So, like, I have an Apple watch on, which, again, I probably shouldn't tell people.
But that watch has what's called an eSIM.
So they've essentially gotten rid of the physical devices.
So a lot of new phones now, you don't actually slide a SIM card into.
They have a, you know, virtual SIM.
So there's a separate security profile on my phone that downloads from the Cell Network.
my SIM card, but then it can also be taken off of my watch. And the same thing will happen.
So they've definitely made large strides to solve this problem, and I think it's going to go away.
So we're going to go less from, you know, we started where we used to code in our IP addresses.
You know, we would tell our phone what our SIMs were, what our subscriber ID was.
And then we went to this chip that kind of told the phone what our subscriber ID was, and now we're going to go
back, but it's going to be prescriptive. So the cell network will prescribe our device,
a subscriber ID, and then it will be able to recall and control that.
I might be misunderstanding this, though. If the cell phone carrier has the ability to recall
that profile and move that profile to say, oh, I got a new iPhone, and this whole hack is based
on tricking the cell phone provider into thinking that you're someone, you're not,
haven't we just ended up right where we started?
Humans are always the vulnerable link, Jordan.
I guess I'm curious, like, is there a way to do this without tricking people?
Like, I like that this feels like a real hack, right?
Like, it feels like an actual, like, it feels like heisty, right?
Yeah, this is a real heist.
There's a grift.
Like, you got to trick people.
You got to have an inside man.
It's really cool.
But I feel like there is someone out there who at once wants access to one of these accounts
but doesn't have the ability or the desire to go about it in that kind of social
engineering, grifty way.
Is there like a hard way through?
Is there a way to get this traffic?
Is there a way to clone someone's SIM without tricking a cell phone company?
Is there a way to math your way through this thing?
Yes.
It's much harder now.
I touched on it a bit ago that they've modified the SIM algorithms, so the encryption
algorithms.
So the first version of it, yes, used to be able to properly, easily clone people's
SIM cards.
Now it's tougher.
Even getting access to the actual physical card,
you can't really easily scan off the IMSI and KI number.
So it's much more complicated.
Getting raw access to the cell records inside the cell provider
would probably be your easiest way.
You can program your own SIMs.
They are little microchips with computers and data.
You can write stuff into that data.
but you still need these pieces of critical information.
And unless you can get those critical pieces of information,
it's much more complicated.
It's much easier to have the cell network do it for you
than to try and do it yourself.
We've been talking about the value of that cell phone traffic
in the context of two-factor authentication.
I get texted this pin, great.
I can now log into this account
and I can wreak all kinds of havoc.
Does the information that's getting piped into your SIM card
have any other value?
Yeah, of course, you know, when we talk about social engineering and social manipulation, if I have access to all of your private data, I'm going to know a lot more about you and a lot more about what makes you tick. I'm going to know about, you know, social vulnerabilities you have. You know, if you've been texting or DMing somebody that you shouldn't be. You know, any of that information is, you know, very valuable if I'm going to try and manipulate you. So it depends on what your end goal of this
hack is. You know, the intro story was, hey, I want to steal your Bitcoin. And that's a great thing.
But maybe it's not. Maybe it's a different actor trying to get access to your work environment.
And maybe they clone your SIM and they have been reading your text messages between you and somebody
you shouldn't be texting. And they're going to hold that over you unless you put this USB key
into a computer at work. You know, so you never really know what the outcome is going to be or
what the goal of the people doing the hack is, but any kind of valuable social information
is always going to pay out if you're kind of involved in a larger scale hack.
It kind of paints this picture of a person who gets robbed through one of these hacks
and then can't do anything or say anything about it because the person knows all this stuff
about them.
Yeah, right.
It's like the classic movie scene of, you know, the person who doesn't report the crime
and is now a part of it.
Looking at this hack from, you know, 10,000 feet up, what does the bleeding,
leading edge of this look like? Does it kind of live and die by social engineering or is your phone
vulnerable in some entirely different way? No, I think your phone's eternally vulnerable. You know,
they've done a really good job encrypting the local files and things like that. So they've done a
pretty secure job. They've been big fights with the FBI and the NSA about, you know, kind of
preventing them from having a backdoor into it. But there actually was, um,
recently, some interesting news that had come out. I think it was at the end of last year,
you know, September, October. There's kind of a control protocol. So your phone's SIM card
being kind of like a little microchip and kind of having its own programs needs to be communicated
to via the cell network occasionally. And it turns out that that's as simple as sending,
you know, binary encoded text messages to your phone. They'll never pop up on your phone. You'll
never know that it's happening, but it's happening in the background. It turns out that, you know,
between, well, known between 2015 and 2019, this was pretty common. So the security company was
analyzing traffic and SMS data going across many networks, but often some Mexican telcos. And it
turns out that some third-party actor was essentially pinging cell phones, getting location data
via the chip.
So the chip or the SIM card will return its cell ID and kind of its home tower and the tower
that it's currently on.
And they can use that to essentially kind of pinpoint where the phone is within a relative
proximity.
It kind of went on for years and it still could be going on.
There were some emergency kind of security protocols released in 2019 to kind of tell cell
companies to make some security mods to their platforms to prevent it from happening.
but who knows if those have actually been done.
You're saying that cell phone carriers have the ability to, on the platform that text messages get sent on.
SMS.
Send some piece of information to your phone that tells your phone to ping back with some piece of information about it,
who you are and where your phone is kind of thing.
Well, that is a few of the commands.
It can actually send a plethora of commands as far as like open browser and download this.
Yeah, exactly.
Jordan's face you can't see right now, but it's exceptional.
How the heck did someone figure out how to do that?
It's all public API docs.
You can literally pull up the technical docs to talk about it.
It's very technical and you need to be very competent to do it,
which is probably the best security that it has now
is that you require a proper real IT tech hacker to do it,
but it's very viable.
That's the version of this we were talking about
that sits somewhere outside of either physically getting the SIM card
or tricking a person.
So there is a way.
There's this sort of math.
You can math your way through this thing.
You can program your way through it for sure.
It's not going to be easy.
It's going to be very hard, very complicated, but they suspect there's not a lot of public discussion about it
because it is such a global security problem.
So it's probably very locked down.
But there's been rumors and discussion about it being as vulnerable as they can tell your phone
to download a Trojan horse or download a virus.
and your phone will go do it.
So there's not a lot that verifies that.
There's a few like DefCon articles and DefCon presentations about it.
And it's not like the SMS networks in this kind of SIM Toolkit SDK commands.
It's kind of the thing that I'm talking about.
It's not like there aren't security protocols.
It's just that when lots of these cell companies set them up, they didn't turn them on.
So they don't require authentication.
They don't require anything.
The phones receive, you know, this kind of encoded message,
and the phones execute the instructions in that message.
You know, so many vulnerabilities that exist in the world today
are because of improper setup.
Whether it's someone figuring out that if they impersonate you,
they might be able to get traffic redirected to a new SIM,
whether it's someone figuring out how to send these weird phantom text messages
that make your phone do stuff,
the vulnerability on the cell phone carrier side, do you think that's born of ignorance or apathy?
Do they know that this is a vulnerability, but they think no one's ever going to figure it out?
Or do they not know about it until somebody exploits it?
Yeah, I think that's the case.
I don't think anybody is willfully negligent.
I think that many of these hacks of opportunity that come up and like lots of the, if you go to like the CVID,
like the security logs of, you know, insecurity
that are found in the resolutions, you know, they're all kind of just accidental, whether they're
set up, whether it's a user case that's no one programmed for, so you reach an exception
that doesn't have a catch. It's things like that that cause these problems. It's not, you know,
somebody willfully being negligent. You kind of come back to that thing we've talked about this before,
but it's this idea of like, you can point all this money and all this time and all this energy and all
these resources and the smartest people you can conceivably hire for the most money at solving a problem,
but you're never going to be able to outsmart just the hive mind, basically.
Well, and the reality is to that is that usually the problem you've tasked these people with isn't
security. You're saying, hey, let's build this application that does this. Security is the afterthought.
So, you know, all these smart people put their heads down and they build you this great piece of
software, this huge cell network, all of these
wonderful things that we use, but security is still the afterthought. They haven't spent
all that time focused just on how do we make this the most secure platform ever. And that's
where the securities come in and where a lot of today's Infosec kind of companies and service
providers, what they do.
Last question. Thinking about these systems, the ones that, you know,
they've been improved and reiterated on, but were at their core invented decades ago,
when the people who were designing those systems were designing them, were they thinking about security or were they just trying to make it work?
I think like this is, you know, just my personal track record, but I think of the last 25 years, a lot more people think about it.
You know, especially when you've got technology is gone from being, you know, something that we use, you know, a computer on a desk not connected to a network, to being, you know, a
small computer that's driving my Tesla. And, you know, when we talk about security or the impact of
insecurity, that's a huge difference. You know, I'm not going to lose my word document with my
resume in it. I'm going to lose my life.
Welcome to the Hacked after episode question hour,
Hacked After Dark, where we answer listener questions from previous episodes or just about anything
about life and love and finding your way in this crazy world.
Our question this week is from our last episode, DDoS for Hire and they wanted, Scott, they wanted you to dig a little deeper into how a DDoS attack actually takes a network down, the mechanic by which they take down a network.
Yes.
Thanks, Jordan,
and I apologize.
So a DDoS attack taking down a network.
So let's go back to one of the ways, data pipe.
So say we have X bandwidth.
Let's say that X bandwidth is 15 megabits per second.
If enough people are attacking me sending data traffic packets of data into my pipe,
the pipe eventually fills up.
And that means no other data can get into it.
So if I'm trying to go to Google,
there's no traffic inside of that pipe left to let me out to get to Google.
So that's one way that it knocks you down.
That's the most common recreational way that it knocks you down.
The major other way is that when you overload a network so much with so much traffic
that it'll actually overheat and shut down the physical electronic boxes that move packets around networks.
So if you're sending so much traffic through that the capacity on all
of the network routers and switches is capped out. Eventually they might overheat, shut down, melt.
So those are the two probably main ways that DDoS attacks affect and disconnect things from the
internet. I have nothing to say to that. You can melt someone's computer. Oh, you wouldn't
melt the computer. You'd melt their like, you know, modem or router. But it wouldn't actually
melt. It could, if it overheats enough, it could fry the chips. That's like a real thing.
