Cyber Crime Junkies
Entertaining & Sarcastic Podcast about dramatic stories on cyber and AI, which actually help people and organizations protect themselves online and stop cybercrime.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube & Rumble @CyberCrimeJunkiesPodcast
Dive deeper with our newsletter on LinkedIn and Substack. THE CHAOS BRIEF.
TikTok New Terms You NEED To KNOW | Ret. FBI Agent Explains
China Government Turns APPS into SPY Tools | Ex FBI Agent Explains
🔥The Cybercrime Junkies show dives into China Government Surveillance and TikTok, national security and criminal psychology. Stay informed and protect yourself from cyber crime.
Chapters
00:00 Introduction to TikTok security risks and social engineering threats
08:15 How TikTok tracks military bases through location data collection
3:54 China's Unrestricted Warfare strategy and long-term information dominance
19:57 TikTok's ownership deal doesn't solve backdoor data access problems
24:32 Why Americans overshare personal information on social media platforms
28:08 SSO token theft and credential stuffing attacks explained
32:35 Ransomware impact on small businesses versus large corporations
36:25 AI lowers cost of entry for cybercriminals with subscription tools
40:00 Podcast equipment troubleshooting and audio quality challenges
42:57 Get Cyber Smart book overview for non-technical audiences
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
🔥New Exclusive Offers for our Listeners! 🔥
1. Remove Your Data Online Today! Try OPTERY Risk Free. Sign up here https://get.optery.com/DMauro-CyberCrimeJunkies
2. Or Turn it over to the Pros at DELETE ME and get 20% Off! Remove your data with 24/7 data broker monitoring. 🔥Sign up here and Get 20% off DELETE ME
3. 🔥Experience The Best AI Translation, Audio Reader & Voice Cloning! Try Eleven Labs Today risk free: https://try.elevenlabs.io/gla58o32c6hq
Dive Deeper:
🔗 Website: https://cybercrimejunkies.com
📰 Chaos Newsletter: https://open.substack.com/pub/chaosbrief
✅ LinkedIn: https://www.linkedin.com/in/daviddmauro/
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
===========================================================
China Government SPYING through your Phone | Ex FBI Exposes
Ever wonder why we hand over our entire digital life to a foreign government but freak out about giving our email to a random website?
The CCP isn't just collecting your dance videos—they're mapping military bases through soldier TikToks, tracking medical data, recording every keystroke even when the app is closed, and building psychological profiles on millions of Americans. All while we scroll past thinking "but the algorithm just GETS me."
And no, that ByteDance "sale" didn't fix anything. They still own the code, still lease the algorithm, and spoiler alert: your data's still flowing back to China's servers.
Stop treating enemy intelligence operations like entertainment apps. Your phone isn't just a camera—it's a surveillance device you willingly carry everywhere.
#CyberSecurity #TikTokBan #NationalSecurity #DataPrivacy #CCP
speaker-0 (00:07.186)
People who won't let their kids eat Halloween candy from strangers will hand over every keystroke, location ping, and even medical records to a foreign country on some phone app because we've become too lazy to read. And hey, the dance challenges are fun. Welcome back to Cybercrime Junkies. Today we've got former FBI agent Darren Mott, a former high school teacher turned cybersecurity educator and author,
joining us to talk about two massive security stories that should be keeping us all up at night. TikTok's sale to US buyers and the newly discovered evidence showing proof of how it doesn't solve the security problem at all. And the explosion of AI powered social engineering now undetectable by the human eye, basically leading the charge to become the poster child of business email compromise and romance scam factories running on autopilot.
We're even throwing in a rant about podcast equipment setups because apparently even former prosecutors and FBI agents want to throw technology through the walls on any given Saturday morning. So join us. This is Cybercrime Junkies, and now the show.
speaker-0 (01:38.67)
Well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro. And in the studio today is a friend of the show, a fellow podcaster, author of a fantastic book that business leaders should get called Get Cyber Smart, former FBI agent, former high school teacher and an all-around great guy. Darren Mott joins us. Sir, Mr. Mott, welcome to the studio.
Dave, thanks. It's always a pleasure to be here and talk to you because you always have good questions and good research. You're a research expert, so that's why I appreciate coming on in. I like having questions made to me as opposed to me having to come up with the questions and do all that kind of stuff.
Well, yeah, that would not be much of an interview if I was like, what do you want to talk about? Like, and you're like, well, how about this? Why don't you ask me this? Yeah, no. So, um, you've been on several times. We talked about a whole bunch of different things, but you know, a couple of things really, uh, caught us over the last couple of months. And one is the acquisition, the merger of, uh, the purchase from US entities allegedly about TikTok. Um,
And then some, you know, all of the developments in AI, because I don't think, I don't think you've been on since really AI has exploded into the mult book social network thing that we've had. So let's just, let's talk about the TikTok thing first. So when, when ByteDance, let's, let's back up for everybody. So a little refresh of some things that, that you taught me when ByteDance first
purchased or first launched TikTok for the US. What were the intelligence community's first concerns? Like, in your experience, what were some of the first things where you're like, this isn't right, this is a different type of social media?
speaker-1 (03:33.038)
Well, I think the problem is, and I will say, as you're aware of, this is my big hobby horse on LinkedIn. I have several things I talk about, on this and postmortems for data breaches would be great, but that's a different topic for a different conversation. But as far as TikTok goes, I think like all technology, it took a while for anyone to really recognize the nefariousness behind what they were doing.
Yeah, you call yourself the town crier.
speaker-1 (03:57.26)
because it was kind of new and it took a while to really explode and it was really kids at first, right? It was focused on kids doing dance videos. I remember.
Challenge, all that when it first came out. I remember all that.
I remember the first time I ever saw it was had to be seven, eight years ago, even maybe longer. I was at my parents' house in upstate New York. It was a family reunion. And my niece and my nephew were out on the deck, dancing in front of the phone. I'm like, what are they doing? They're doing a TikTok dance. I go, what is a TikTok? Now I was in the FBI at the time. So I wasn't as social media conscious as I am today now being out of the FBI. So I didn't really pay much attention to it. And then it started to explode. I started paying attention to it.
And then it's then the national security industry, I guess, started looking at this as, this is a Chinese platform. What do we need to worry ourselves about? I think it took a while before anyone actually dove into the code and all the different trackers that when you download TikTok, you're not just downloading TikTok, you're downloading all sorts of trackers that go onto your phone that their user agreement you agree to allows them to take, you know, keyboard shots if they want and
And let's hone in on that just a second. So I want to show dance videos on my phone, right, and record them. What I don't realize and what most Americans didn't realize is even the initial terms and conditions that we accepted said all of your keystrokes on that phone, even in other apps when TikTok is closed, is recorded and sent to them and kept in Chinese servers.
speaker-0 (05:35.914)
Is that correct? Like that's
That is correct. Now, they will probably argue now that, well, it may have been that way at first, but we've changed the way we do it. I mean, I remember. Not trust the Chinese? Right. And that's the key thing. The first thing we need to, if nothing else, if no one gets anything else out of our conversation here, we cannot trust the Chinese.
Well, here, let's let's let's be clear. It's not the Chinese people. It's not Chinese. It's not China. It's not that it's the CCP like it's it's the Chinese Communist Party. That is what we're talking about. Right.
That's a great, that's a perfect point. I don't do a good job of explaining it that way because for me, for me, when I
Because I have Chinese friends and they're like, are you? Are you upset with us? I'm like, no, I like you. You moved here because of them. They're like, yeah, exactly. Then they're like, then say the CCP. And I'm like, all right.
speaker-1 (06:31.168)
Right. Well, for me, for like 25 years, that's when we refer to China, we're talking Chinese, we're talking China, the government of China, we're talking government of China. And so it's just it's muscle memory for me, right? Right. Yes. The government of China, we cannot trust. Right. Exactly. I mean, I remember at a cyber conference in 2015. Yeah. Yeah. 10, 11 years ago, there was a conversation with somebody from the administration saying, well, you know,
We don't have to worry about this threat as much anymore because President Xi promised President Obama they would not hack the US anymore and steal intellectual property. Everybody in the room, I don't know if we said, can I swear on this, can I curse on this podcast or no? It was said, that's bullshit.
speaker-1 (07:17.666)
Because, I mean, let's be honest, one of my other big statements is politicians all suck. So they're all idiots and they don't know any better because they don't want to know any better.
As demonstrated daily. Yeah, right. As we have living proof of daily on both sides.
But so now as we notice, as people dug into TikTok deeper, researchers dug into it, national security experts dug into it, said, hey, not only is it capturing your keystrokes, but it's capturing your location data.
Right. Medical data, medical data, like a lot of people have their health data like on their iPhone, right? It tracks all that. They all have that. Don't realize that.
Right. And the big problem from a national security perspective, there are several issues here that people don't realize. If people in the Army or the Navy or the Air Force or whatever have TikTok on their phone, because obviously there's a lot of young people in the military and they're walking around their bases, all that locational data is going back to China. They can then map out what does this base look like.
speaker-1 (08:15.436)
How do, what, you know, what are they? I can, I know where the barracks are because at 2 a.m. in the morning, this is where they are. So the barracks are here clearly, we can kind of draw that out and get satellite image. So it's an intelligence collection platform. Now look, if you're a bakery owner, and you're doing here's how to make my cupcakes on TikTok, your risk from any kind of, you're going
They're you in a different file. like, just in case we need to invade that street someday, they may want to know what your bakery looks like. But in general, you're not the target, right?
Right. That cupcake recipe looks great. Let's steal it now. But they're not doing that right away. But if, you know, your comes back and you're a military guy, they're going to pay attention to everything your phone does, which is why the government said you can't have TikTok on government devices anymore. Now, the problem is government devices. We all own personal devices. So you can't, you can't extrapolate an executive order down to personal devices, other than you can say you can't have personal devices in this facility, which certainly many organizations do. But how deeply is that
followed or carried away from. So and the other issue for me as I think about this.
So there are family members too, right? Sure. They'll know, like when we think of insider threat and we think of people, you know, we recently did an episode on Robert Hanssen, the FBI guy who was a huge spy. Of course. You were there when he was. To my college. I was like, what? I'm like, holy cow, I'm proud of where I went. Not that year, but the other years. But really, really the point is this.
speaker-1 (09:37.846)
I was there when he was arrested.
speaker-0 (09:50.626)
they are still gathering up information on relatives of people that are involved in the military or law enforcement and things like
So because it's all targeting, right? It's all targeting because if they want, if they know that Johnny is in the Air Force and Johnny works on some top secret projects, somebody in
somebody in the family is going for cancer treatment and stuff like that, they could mention, like, there's, they want to find somebody that's vulnerable, and all of that stuff, I guarantee, people don't realize is sitting on China's servers being indexed, being searched, etc.
Right. And now remember a couple of years ago, three years ago when the CEO of ByteDance or TikTok, I think he was CEO of TikTok, not ByteDance, but he was in front of Congress saying, Project Texas is going to solve all these problems because all the infrastructure will be in Texas. The question he would not answer was, well,
Is that information then flowing back to China in some way, or form? He would never answer it. Plus, but we have insiders who have said, yeah, all this stuff goes back to China. And the other thing that people don't realize, and I've said this many times, you've heard me say it, is that there is a law, the 2017 China National Security Law that says any company within China has to turn over any data in its possession to Chinese officials at any time asked.
speaker-0 (11:09.422)
Exactly. Upon request, if we ask for it, you have to by law give it to us.
Right. And so let's say, let's say 10 years ago, there's now a CIA officer who works for the CIA who 10 years ago had TikTok and was doing dance videos when they were 15. They're now 25. They're a covert officer. They're burned, because China knows what they look like, knows who they are, knows what they sound like, can very easily do facial recognition. So that those people can no longer work in that capacity in those particular countries. And that is, that is an issue that is never talked about. And so
Exactly right.
And most of it, honestly, most of these risks are never talked about. I've talked to my, to my brother a while ago. I go, you shouldn't be on TikTok. He goes, why? I don't care. Okay. I mean, he's a soccer coach at a college. Really, again, he's going in the file with the bakery. Right. But, but still.
Yeah, but again...
speaker-0 (12:02.018)
He's a relative of former law enforcement. And you know what I mean? Like it's he's still indexed. He's going to be a little bit more. He's going to probably go in a different file than the bakery owner.
A little bit, yeah. He's got two brothers that work for the government.
file.
Exactly. Two. Okay. Yeah, that's not good.
Yeah, my other brother works for the Department of Transportation, so a little lower risk, but still.
speaker-0 (12:24.536)
Well, infrastructure. Infrastructure. we both said the same thing. Yep.
And he specifically works for the railways in the department. yeah. That's key infrastructure area that you don't think about a lot of risk for, but how much stuff still travels by train.
No, a lot of it does. Yeah, exactly. So when we think of ByteDance, the corporate structure of ByteDance, right? There are people that are part of the CCP. And by the way, the CCP, for those that may know, let's do a quick history lesson. Like the CCP defined in, was it 97, 98? They redefined the definition of war, right? And they said war is
information gathering. It's all mediums. It is, it is, I forget the exact phrase. I used to have it on a PowerPoint slide when I was trying to explain this. And it was, it's, it's, it's an information war. It's data point data gathering. And you know, you can see how TikTok plays right into that. Like it's, it's a social engineering of the American public that we voluntarily drink the, drink the Kool-Aid.
Well, 1999, two Chinese generals wrote a book called Unrestricted Warfare that was published worldwide. I mean, if you don't want to read it, go to ChatGPT and say, summarize this book for me. It'll give you all the points. It uses both. They recognize hard power is going to be hard for them, right? Actually, kinetically going after the United States, who's the world hegemonic leader, is very difficult because they just don't have the capacity. But from a soft power perspective, that's what they're... Right. TikTok is a soft power play. In other words, it's not
speaker-0 (13:54.827)
now.
speaker-1 (13:59.262)
know, tremendously damaging, but it takes a long, a long time. And they're, they're in it for the long haul. They don't, they know, they're not worried about the election every two years. That's not their concern. You know, they look at five, 10 year, 15 year plans and adjust accordingly as they go because they're looking further.
It's a long war. It's exactly right. Because it's all about an ultimate goal for global power. I mean, that's what...
And TikTok is just one part of that, right? TikTok is the more publicly facing piece that a lot of the... Right. And certainly our politicians spend a lot of time on it, thinking about it and trying to get it to forcing this divestiture and all this other stuff. And we certainly talk about the complexities of that and how the government screwed that up three ways to Sunday.
that everybody can relate to. Because we all, because people have it on their phone.
speaker-1 (14:46.45)
But it allows their nation state cyber actors to work a lot quieter because everybody's focused on this big TikTok is a big problem. Let's deal with this problem. But what about Mustang Panda? What about pick your advanced persistent threat of choice that's being run by the Ministry of State Security or the People's Liberation Army that have tens of thousands of actors that are actively infiltrating company networks today?
Right? And doing simple things, not even making it complicated. They're calling the front desk and saying, I need to reset my password, or claiming to be the front desk and calling someone and saying, hey, you need to reset your password. We're going to walk you through this. And then they steal your single sign-on token and have all those things. But we don't, we never hear that anymore. I mean, if you watch cyber news, if you go to cybernews.com or Bleeping Computer, you have a cyber news feed. You'll see some of those things. What does it change? It doesn't, nobody's reacting to it. It seems like, in an appropriate way.
No, because it seems like the attention spans have gone down to that of a goldfish. And so people just hang on something that they're familiar with, like TikTok.
or you know, I mean, I'm sorry, I'm sorry what happened to Samantha Guthrie's mother, right? But I've been on the news five times in the last two days talking about this case. And there's really not a lot of information about it. But the whole world is focused on it. While China and Russia and North Korea keep going on our infrastructure, right?
Exactly. Yeah, which are doing crime at scale. They're doing damage and crime at scale.
speaker-1 (16:11.98)
Yeah.
And not only that, they're combining the criminal aspects with the nation state aspects now. Those two things are blending together and working off of each other and benefiting from each other. I actually put in a presentation request to a cybersecurity summit in Dubai to kind of talk about exactly this. I didn't see any presentation that had to do with like actual crime and stuff. I figured I'd throw a presentation, see if they'll take it. And if they do, I'll go to Dubai and I'll give the...
I'll give a presentation about this. I mean, I've seen this going back to my early days in the FBI, watching how cyber has evolved from like even with piracy, like internet piracy, piracy is what my first big case was. And at the time, it was the warez scene. And I always think we've talked about that before. But now it's all monetized.
Before it wasn't monetized, now it's monetized, it uses phone farms and all sorts of stuff, and every corner of the world is doing some kind of internet piracy, but still causing billions and billions of dollars of loss to legitimate content holders. They're also coming up with ways to modify intellectual property like changing the speed of a song and then monetizing off of it and then doing it at scale. It's a huge problem for platform holders.
Absolutely. Yep. Yeah.
speaker-1 (17:24.446)
A lot of that coming from China. or China Direct.
Soft. They're all, it's all soft power. Just different ways to, to weaken America, like different ways to weaken those content creators that are building things genuinely. Yep. Absolutely. So let's talk a little bit about like what TikTok gathers. So everyone's worried about data collection, but TikTok's gathering somewhat the same stuff, is because I always hear this. But, but Zuckerberg.
Right. But like I know you guys say TikTok's dangerous, but isn't Instagram and Meta, right? Instagram and Facebook, which is Meta, which is like started by and or owned now by Zuckerberg and friends. Isn't that, you know, the same thing that TikTok's doing? It is, but it isn't, right?
Right, their purpose is advertising, they're looking to advertise off your information. That's all that, that's kind of all they're doing. Plus, if they misuse your data, if they lose your data, let's say there's a data breach and all of your PII and all your other information that really wasn't available, they can be sued for that, right? You can sue them for that, you get a class action lawsuit. Same thing happens in China. Nothing you can do. Nothing you can do. No recourse, and then again, they're used.
And Instagram and Facebook aren't generally trying to take down the United States per se. People would argue that one way or another, but still not the same way that the CCP.
speaker-0 (18:54.432)
No, I think they're just probably just trying to monetize.
of every aspect of
Yeah, exactly. Because if the app is free, you are the target or you are the product. Right. Yeah. And so the data collection, though, is uniquely dangerous when it comes to TikTok. Right. Like the new update right around the new year, everybody got kind of got updated terms and conditions on TikTok and everybody just, you know, the vast majority, everybody just said yes. And they downloaded it. But this went really far, didn't it?
So didn't it go farther than even TikTok had been doing in the first place?
Sure, why wouldn't they do it? Because like you said, no one's gonna read it. How much more can they grab? Because no one's gonna complain. Clearly the authors of the bill that required the divestiture of TikTok didn't look into it because I didn't hear anything saying, hey, hey, hey, this is why we need to do this. And I certainly didn't hear the administration saying, well, this is unacceptable. We're gonna make you sell it all as opposed to just only sell 80.1% of it.
speaker-0 (19:57.558)
Yeah. So let's talk about the deal. So TikTok has acquired like it's solved now. We solve the problem. America owns TikTok now. Not really true, is it?
They own ownership in it, but they have basically leased the algorithm. They have not purchased the algorithm. They are not getting full access to be able to modify it. They are leasing it for their own, the franchise model, honestly. And but ByteDance still owns 19.9% of it, and they still own the algorithm. They still are able to move information back to China if they want. Now people will argue, well, now part of the deal says it all has got to stay in the United States. All right, who's policing that?
Right? Tell me how you, I've seen nothing that says here's how we're going to police it. Other than they said, this is what we're going to do. Okay, who's watching that? Because who's going to engineer it? Who's engineering this whole thing? It's going to be people from TikTok and ByteDance in China that will maybe get, you know, get the golden visa and come over here and be able to work for the China and TikTok locally here in the US.
They're going to put backdoors in and ship that stuff overseas. Whether you believe or you cannot believe me, but I almost guarantee you that in three years from now, there'll be a whistleblower that said, hey, yeah, Oracle owns 80% of this, but this data is still flowing back to China. This and this is how it's happening. It's gonna happen.
there.
speaker-0 (21:13.87)
Because at the end of the day, ByteDance still has ownership. They own the algorithm and the code. They own the code. So the ability to put backdoors in, rest with them in a private room, right? And it's theirs and they are owned by, in part, members of the CCP.
Right. I'll give you an, I'll, I'll give you, here's an analogy. In 2005 or so Lenovo purchased the laptop creation part of Microsoft, right? The Microsoft computers was purchased by Lenovo, a Chinese company, because I know this because they had their main manufacturing plant or headquarters was in Raleigh, North Carolina. I was a Charlotte field office agent. We went and said, you shouldn't make this deal. This was a bad, bad plan.
the connection.
speaker-1 (22:02.998)
But they said, we're going to, you know, this area of manufacturing will not be accessible by Chinese engineers. It's only U.S. people that are cleared in here. All this kind of stuff, like, okay, great. Well, what happened four years later? The U.S. government said we will no longer purchase Lenovo laptops. Why is that? Because certainly there's a threat and a risk there that was identified. And to this day, I would not buy a Lenovo computer.
So even then we saw a demonstration of how it's done through backdoors. And then wasn't there a recent finding and report on Meta and how Meta had an internal kind of fraud department, not necessarily fraud department, but
but organizations that were running fraudulent ads that would socially engineer people, take people's life savings, all of this, but they were paying ad revenue and they had a watchdog internal arm. but it was, it started and it was becoming effective over the last couple of years, but it was hurting ad revenue and there was a meeting and they kind of dismantled that because the ad revenue was so strong.
Are you familiar
I'm not I'm sorry. I'm not familiar. I'm afraid I'm not familiar with that one. Apologies. Okay, so know
speaker-0 (23:20.118)
That's OK. That's OK. I'm diving deep into that because I want to kind of really understand that because that to me is like, I mean, I guess it's a business decision, but like making that much money off of things that are demonstrated to hurt, you know, your users and your customer base is pretty reckless and bordering.
Well, it's interesting because like Meta bought WhatsApp, right? And so they own WhatsApp now and now there's all sorts of WhatsApp issues where there are certain settings you have to turn off. Otherwise a remote user could completely take over your
your profile. exactly. Unbelievable.
Certainly security is not a big thing within many businesses as we're aware.
Yes. Well, and in social media, it just seems like it's being weaponized, right? Because it is, it is, you know, especially Americans, but we are, you know, not very astute to, I still see it everywhere. Like people are still taking pictures of their kids' faces online and posting it. They're still taking pictures with their backgrounds showing where they live, where they're at at the moment. Like they're, still taking vacations with
speaker-0 (24:32.45)
pictures right there and then almost real time or they're live streaming from it, meaning you're not at home right now. Like they're sharing so much information that it's really dangerous. And I don't know if everyone is super naive or super narcissistic and they just want everybody to see them or what the issue is. But it's like,
It's just.
combination of those things, because I think humans by nature are generally trusting or want to be. Right. Most people want to be trusting. And so online, you can be more trusting because there's not that immediate feedback that you shouldn't do this. It's hey, this is working. And then there's the dopamine where people are liking this picture, I need to post more pictures, because people are liking this picture. And a lot of people just don't suffer the bad actions that happened from that for a while. And so they figure, and I've had this even with businesses, they are the same way, where I've been to many
companies where, well, we never had a cyber incident. Why should we, why do we need to worry about that? It's kind of like saying, well, I've never had a heart attack. So why should I get my heart checked out? I don't go see the doctor, and I had a heart attack.
Exactly. Yeah, I'm going to keep smoking and eating cheeseburgers three times a day because I haven't had a heart attack yet. Okay, but statistically you're heading for one. you know, pushing 400 pounds doing that, like I'm thinking statistically it's not going to last long, right?
speaker-1 (25:51.562)
No. Well, it's like with, like, especially with, with parents, like the more information you put about your kids, the worse it is, because there are bad people looking and saying, okay, that kid, where's his profile, I can now find that because they're linked to the mother, and the parents haven't taken the methodologies to restrict that or watch it and such, then you have kids targeted. I mean, it's a whole different threat that we're not talking about here. But certainly an issue, and you know, sexting and sextortion, I'm sure you've had podcasts on this, is a huge problem. Six kids killed themselves because of sexting
issues in the last five years and that number is just going to go up because it's very hard to police.
Right. And it happens quickly. Like the kids that do it with sextortion, sometimes it happens within a day or two. Right. Yeah. And it's brutal. And the advancements with AI and AI deepfake, right? I've seen examples on Telegram and things where, you know, a middle-aged man is posing as...
Yeah, because the messages now come at scale.
speaker-0 (26:49.998)
you know, this younger girl and befriends them does this and they do a psychological ploy, right? Where they love bomb them and then they cut it off and the person's like, what's going on? What's going on? And, and, then they're like, okay, but to come back, you have to do something for me. And they convince them to do something. Now they've got the blackmail over them and they force them to do that saying they're going to embarrass them, et cetera. And these kids are like literally committing suicide or harming themselves, et cetera. And it's, it's just, it's
It's just brutal.
Mm-hmm.
Anyway, so let's talk about ways that people in organizations, especially in the small midsize organizations, the ones that don't have internal cybersecurity leaders telling them this all the time, you have published some information on like SSO tokens and the risks there. And I want to explore that. So let's first explain to people what an SSO token is. Can you do that?
I think I could try. I'm not sure how technical I'm going to get here, but I'll do my best. So if you have a single sign-on setup, when you log into your system at work, it creates a token on your computer that basically, when you go to an application, the token signs in for you. So you don't have to sign in every single time; you have to
speaker-0 (27:51.694)
to people that aren't technical.
speaker-1 (28:08.546)
do it one time. Hopefully you have multi-factor authentication too, but certainly we know many companies still don't do that. But you sign in with your login and password, hopefully your multi-factor authentication, and it creates a token. So when you go to your next app, it automatically logs in for you, so you don't have to keep logging in. That token stays resident on your computer as long as you're logged in.
And a lot of people will see this. It'll either say SSO right on there, it'll pop up, or there'll be the "remember me." It'll say "remember me." It's convenient on this side, right? Like, here you go, it'll save you time. But basically they hold your credentials in a temporary state, right? And it sits there in this token. And that's where it sits.
And honestly, your browser does that by default if you don't turn it off.
Right. Exactly. And the issue is, how do people that have bad intent capture those from us? I think the same way they do everything else, right? Like social engineering, clicking on malicious ads on social media, going to sites that are not secure even though they look like legitimate sites, clicking on links in phishing emails, things like that. Right.
Yeah, it's all those things. Yeah, it's getting access to the device that has the token on it. Right. So from a browser perspective, if I'm sitting in a coffee shop, log into my network, and I click the wrong link or I open an attachment, and a hacker gets in and now has backdoor access to my computer, if my browser has all my single sign-ons on or my "remember me" on,
speaker-1 (29:44.206)
I can pull up a browser in the back end and all those logins will now work. That's one way. The other way is what Mustang Panda, the Chinese APT, does: they pretend to be IT and say, hey, we need to change your password. So they're credential stuffing. They're getting you to change your password; you think they're IT, you don't question it, you think that they're doing the right thing for you. They'll get you to change the password. So now they have the password. Then they say, okay, I need you to do one more thing, I need you to confirm your MFA. So they'll send you an MFA link, you confirm it, and it confirms it for them because they're in the middle of this process.
So now they have your token on their device. They now have single sign on access to all of your stuff.
Exactly. And with that, they now can log in as you. Yes. And that is really what we've been seeing a massive growth in, statistically, talking like over the last year and a half, two years. I mean, they're not hacking in as much as they're logging in, because logging in is so much more effective. Right. And it's interesting because the FBI has issued public alerts on this. They've said stop using "remember me" without phishing-resistant multifactor authentication, right? Like they keep warning about this, but I don't think that message is getting through.
Well, like you said, with small and medium-sized businesses, they have nobody to read that stuff and push it out. So they don't have that leader, that strategic leadership that says we need to do these things, this is what we need to pay attention to. Right. So I think your company does fractional CISO, right? So do we. But again, you get into these companies: I've never had a problem. Why do I need that particular functionality? That makes no sense. Because
speaker-1 (31:19.038)
I think they see that as going to be an impediment to doing stuff, because too many people, too many companies, too many businesses, too many owners value, and I'm stealing this comment from a friend of mine, they value convenience over security.
Right. But what they don't realize is it's going to become extremely inconvenient. Right. Yes. It will, at the time that you least expect. Right. Because all you have to do is talk to colleagues that have gone through it. You know, like I talk to people all the time that have experienced LockBit and Akira ransomware attacks and things like that. And they will all tell you, without any prodding from me, I never want to go through that again. Like it dismantles their organization. It affects productivity. It affects morale. It affects client trust. All of that for years to come. Like it's a real thing. It's really bad.
Especially small and medium; large corporations are able to kind of get around it.
They might have a bad quarter, right? They might have a bad quarter, but they'll bounce back because they're too big to die. Right. But small and mid-sized businesses aren't too big to die.
speaker-1 (32:35.404)
On that note, have you read Chase Cunningham's By the Breach?
I have not.
You need to have him come on and talk about that. He has done a survey, he has done a research project that basically, and this only works for large publicly traded companies, but a company gets hacked tomorrow, wait three days for the stock to dip, buy it, and within a year you'll be above where they started, each time. So I don't have the sense or wherewithal to be able to do my own personal stock trading, but if you knew how to do it, you can make money if you follow that. But just small and medium-sized businesses, right? They're going to go out of business. I mean, I'm an expert witness on 25 data breach cases because they are constantly occurring. And these are all companies that lost PII or PHI as a result of either a LockBit or a BlackCat or whoever. Right. And then, some of these groups are not even doing the ransomware piece anymore. They're just taking the data and saying, here's your data.
What?
speaker-0 (33:32.547)
Yep.
I mean, the Clop site on the dark web is a fascinating watch.
Oh yeah, well, Clop is a Russian ransomware gang and they drove the MOVEit breach. It operated almost like DocuSign in a sense, right? It was transferring data, but they got in. And I think the important thing here, from a high level, from a non-technical sense, is if they can get tokens like this, right, because Mrs. Buttermaker is not trained. She's clicking. She's got 27 browser tabs open and she's clicking on links like it's an Olympic sport. You know, like, if that happens, right, there's no alarms that go off when they're able to log in as her. They can access everything she can, if not more. And it's not going to set anything off. Your MSP is not going to know about it. Nobody in charge is going to realize this because it's authenticated. It's a legitimate use.
Right. And you don't have a SOC or anybody looking at it saying, why is this login coming from India? Big companies can see that and they can block it, but again, you're small.
speaker-0 (34:40.555)
Exactly.
speaker-0 (34:45.038)
They're looking at behavior. They're looking for those behavior anomalies. Sure. That's exactly right. Which is why, you know, when we think of how AI has sped everything up, you know, AI is fantastic. We use it every day. You do as well. But to me, it's really increased the attack surface, meaning the ways that people with bad intent can attack small and mid-sized organizations have increased because of AI, for sure. The speed of it has. But it's not so much that the AI itself is going to cause the breach; it makes the fundamentals all the more valuable. Right? Like if you don't have the ability to stop somebody from uploading all your intellectual property, and you're just staying out of the AI game and you don't have an AI policy at your organization, you don't know that they're doing it.
Like, there was a recent report that came out that said upwards of 70% of U.S. employees are using shadow AI now. Like they are using AI without their leadership authorizing it, controlling it, being aware of it. And that's a huge issue. That is something new. That is a new frontier of risk that I'm not even sure a lot of leaders appreciate that they are taking by staying out of AI. Right.
by not kind of getting in and providing governance.
Right, and from the criminal side, the cost of entry to become a criminal is much lower now. For the cost of a Netflix subscription you can get access to all sorts of tools to do all sorts of bad things that are all AI-created.
speaker-0 (36:25.642)
Absolutely. Absolutely. It's unbelievable. So what is on your horizon? What do you have going? What do you have coming up?
Well, I'm starting a new podcast, so I will say that my podcast career has been adventurous, to be kind. I think I've started and stopped five different podcasts for a variety of reasons. I'm bad at marketing it, right? I don't have the big Cyber Crime Junkies backbone to market my stuff and get people.
We've got Kylie and a couple other people.
It was more than I got. I got Darren. I got Darren in his desk. So like the Cyber Guy podcast kind of comes and goes periodically. And then the Cyber News one I did for a year and a half, but it never really moved anywhere. I had people who liked it, but it wasn't, it turned out to be, I just didn't have the time. Especially when I left my other job to become an entrepreneur, solopreneur, whatever, things got a little busier. I did a podcast with a partner of mine for a while, but then he had to
take another job and he didn't have the time, and we weren't getting any traction on that one. And, whatever. So I'm starting a new podcast, hopefully in the next couple of weeks, with Scott Augenbaum, based on his book, The Secret to Cybersecurity. So we're going to basically break down his book. The four truths, well, the four truths is part of his book. His book is The Secret to Cybersecurity and the four truths are within there. So we're going to break this book down into sections, and it may include, like, in this section we're talking about
speaker-0 (37:36.108)
the four truths.
speaker-0 (37:47.936)
That's good.
You know, what's the story that led to this discussion? Talk about a case that was related to it. Maybe bring someone on to talk about it. It's going to be a host of different things. I actually purchased a new podcasting platform for myself and I'm giving him my old one. I have a Rodecaster; I'm giving him my old one. He's not very technically oriented. So as long as he can plug in a microphone, he should be
That's all he needs. I used my Rodecaster Pro II, yep, it kept dying on me. It was latching and stuff. So I got the Duo, okay, because I had replaced it like twice, and I took it to my wife, I'm like, this thing's for getting, can we, I'm gonna try the Duo, because I don't need eight tracks, I don't have like 15 people in here. I'll just get the Duo. And the Duo has worked great, everything that the other one does. I love it.
So I did get-
speaker-1 (38:39.126)
I did purchase these little wireless things, because when I do these, I do a bunch of news hits for Fox. I did Fox News this morning and Newsmax. Some of them don't like the big microphone in my face. I got the little Wireless Pro with the lavalier. But it doesn't sound good. It doesn't sound like the sound. Do you like the sound?
Yeah.
speaker-0 (38:56.986)
There is a way. This is great. This is more of a behind the scenes, but I will tell you, I have been trying. There is a way, at least on the Rode site, it says you can have the APHEX software on this, like on your phone. If you do it on your phone, I can't figure out how to do it, because then you can have Big Bottom and the other audio aspects on it. And it's supposed to be really good.
I have been trying to figure it out. It sounds okay. It amplifies it. But it doesn't have the...
For me, there's an echo with, there's a little bit of a background noise echo. Not that I don't get from this mic. This mic is great, but anyway.
Yep. Yeah, that's the challenge I have. Like I'm not able to get it to do the things that my Rodecaster does. And that's what I want to do. Even if I have to connect it to a laptop or something, I want it to be able to
So yours doesn't connect to your Duo?
speaker-1 (40:00.6)
Does it? It will.
It will. Yeah, it will. I guess I could do that. I was just trying to connect it to an iPhone and do things elsewhere, right, away from the Duo. This will work with the Duo. No problem. I've done that. And then you control the sound through the Duo.
I should
speaker-1 (40:19.818)
It still doesn't sound good for me though. It still doesn't. I still like the sound. It still sounds too echoish for me. Okay. But I'm very picky from a sound perspective. I used to be a radio DJ, so sound is, I'm very particular about that.
Absolutely, absolutely. But I'm trying to get this to work with an iPhone and have some of the effects from the Duo. And if I can do that, I will send it to you. That's what I'm trying to figure out. It says it's supposed to do it. And I'm like, OK, I'm doing what you're saying. But... And I'm about to throw the thing through the wall, because I'm like, it's Saturday and I've spent five hours on this thing. And I'm like, can you please work?
Yeah, if you find that out, that'd be great.
speaker-1 (40:51.054)
Yeah, because I got the,
speaker-0 (40:59.734)
And I'm going through, like, what step am I missing? So anyway, if Rode is listening, like, please reach out to us. Like, we obviously like your products. Yeah, please do that. We're really trying to get this going. So that's great, man. And let's end with talking about your book. So walk us through who the book is for. I read it, and I first got it when you and I met a couple of times ago.
sponsor the Cyber Crime Junkies podcast.
speaker-0 (41:28.792)
I told you I liked it because it was very practical. It was very understandable. It was written almost for non-technical people. It really explains browser extensions. What are the risks there with, you know, everybody just using Chrome? Like, what are the concerns? It really was good.
Thank you. And it is designed for people who are not technical. If you're a cybersecurity person, this is not the book for you. Now, don't buy it. Buy it for your mother and for your brother who is not a cyber person who has a teenager, because there's a section in there on protecting teens and seniors. And it's designed for people who just don't know what to do, how to get from point. And again, it's the teacher in me. Like, how do I teach this to people and make it sensible? Kind of every chapter starts with an FBI story, of some way or form, to kind of drive why I'm talking about this particular section. And I self-published it. I mean, there's spelling errors and there's all that kind of stuff, but it doesn't change the point at all. Right, exactly. And so, yeah. And so it's...
This was done in pre-AI, I will say. It was done with...
No, it was done at the beginning of the AI. I actually went through a course that helps you use AI to develop some stuff. Most, I mean, it's all my own thoughts and all that kind of stuff. Some of it might be structured from AI from that perspective. In other words, like I may say, here's two paragraphs, you create me some more, commit me a couple extra sentences on this. So there's some of that in there, to be honest. I still edit it. I didn't just dump it and say good to go.
speaker-0 (42:57.286)
Right, exactly.
And that particular course had some interesting AI modules, like, who's the story for, who's in it? What's the point? What'd you learn? And it created the story with some of that. And then I would go
modules.
speaker-0 (43:10.424)
So that's good. Well, that might be why it reads well, because it does. It flows very well.
And I would say if I had Claude today versus ChatGPT, it would probably be better.
You'd be better. Like that's what you and I were talking about before we went on air. And Claude, I use it the same way you do. I use ChatGPT for deep research to really understand the problem, have all the references and the resources. But Claude's writing. And part of it is because when you train Claude on samples of your human writing and the cadence, like when people say it sounds like AI, I'm not just talking about the red flags like
"in this digital age" or "the uncomfortable truth" or "here's the kicker." Whenever I see that on LinkedIn or wherever, I'm like, stop using it.
Like, is, that yeah,
speaker-0 (44:00.874)
dash, right? Like, yeah, we know that's AI. But what I mean by it being less AI, why Claude is so good, is the structure of the paragraphs. Like humans write with different length sentences, some short, some long; it flows at different cuts and paces and it builds drama and all of that. And AI doesn't. AI is like, here's the data, here you go. And it's all even sentences and like that. You're like, that's AI. That's AI writing.
Right. But Claude does it. Like Claude, as long as you prompt it correctly and you train it on your voice and your samples and everything else, then it'll give you an initial draft that at least gets us 80% of the way there. Like I still always have a human in the loop and go through it, but it's really good. So.
I will say one place I don't use AI: I have a newsletter on LinkedIn. So I've made a conscious effort, I'm not using AI for this. I may use it to say, find me some stories, but I do not put AI sentences in my newsletter. That's the one thing I'm focused on. And that's why it's usually short. Cause I'm like, again, no one wants me to write these. I look at newsletters and if they're real long, like, is there a way for this?
I keep mine very short and I just make them very relevant to what's in the news or what stories are going on and just give a different take. Mine is usually sarcastic. Yeah, I just want sarcasm and humor.
That's me too.
speaker-1 (45:28.568)
Can I rant? Is there something I can rant on?
Exactly. That's how I, because that's what we really want to hear. Right. Like, I'm like, this is kind of, this is.