Easy Prey

Exploiting Trust (Part 1)

Most security failures don't start with a dramatic breach or a mysterious hacker sitting in a dark room. They usually start quietly. Someone assumes a system is locked down. Someone trusts that a door shouldn't open, or that a machine "just works," or that no one would ever think to look there. Over time, those small assumptions stack up, and that's where things tend to go wrong. Today's guest is FC Barker, a renowned ethical hacker, social engineer, and global keynote speaker with more than three decades of experience legally breaking into organizations to expose their blind spots. Formerly the head of offensive cybersecurity research at Raytheon and now co-founder of cybersecurity firm Cygenta, FC is also the author of How I Robbed Banks, a book packed with true stories from the field. In this conversation, FC shares what he's learned from decades of breaking into places he was hired to protect. The stories range from funny to unsettling, but they all point to the same pattern: technology usually isn't the weakest link. People are. From outdated systems that can't be replaced to everyday workplace habits that quietly invite risk, this episode offers a grounded look at how intrusions really happen and what actually makes environments safer. Show Notes: * [03:06] FC grew up before cybersecurity existed and learned computers when manuals were thicker than the machines themselves. * [05:27] How early internet culture shifted from curiosity-driven exploration to the rise of malicious actors. * [07:15] Why inviting external testers to break into your systems was once an unthinkable idea and how that changed. * [09:35] The danger of internal blind spots and why external validation is often more valuable than internal confidence. * [10:46] Unexpected discoveries during penetration tests, including systems no one remembered were even running. * [12:23] Choosing unusual, esoteric security projects and why unconventional systems often hide the biggest risks. * [12:50] A real-world operation that involved reverse-engineering hardware to shut down power infrastructure in seconds. * [16:29] One of the easiest break-ins ever happens accidentally, proving how fragile some systems really are. * [17:21] The most common technical failure seen across organizations: poor network segmentation. * [18:36] How a routine internal scan accidentally knocked an entire country's banking connection offline. * [20:04] A bank unknowingly runs its internal network on an IP range owned by the U.S. Department of Defense. * [21:43] A mysterious daily network outage turns out to be caused by a single employee's music collection. * [23:07] Plugging into a forgotten network switch triggers a fire during a government penetration test. * [25:15] Why penetration testers are often blamed first even when nothing has been touched yet. * [26:25] Discovering malicious insider code planted by coordinated nation-state actors. * [29:41] Why some outdated systems must remain untouched and why "just update everything" isn't realistic. * [33:15] Implanting covert hardware inside everyday office devices to gain persistent network access. * [35:01] How avoiding people altogether is often the most effective form of social engineering. * [37:10] Why attackers move from the top floors down and how authority bias works without a single word spoken. * [38:35] Clothing, context, and small visual cues that instantly make people assume you belong. * [42:26] A penetration test derailed by an unexpected office costume day—and why randomness can be a defense. * [44:33] A simple exercise anyone can use to start thinking like an attacker by examining their own home. Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes [https://podcasts.apple.com/us/podcast/easy-prey/id1488678905] and leave a nice review. Links and Resources: * Podcast Web Page [https://www.easyprey.com/] * Facebook Page [https://www.facebook.com/EasyPreyPodcast] * whatismyipaddress.com [https://whatismyipaddress.com/] * Easy Prey on Instagram [https://www.instagram.com/easypreypodcast/] * Easy Prey on Twitter [https://twitter.com/easypreypodcast] * Easy Prey on LinkedIn [https://www.linkedin.com/company/easy-prey-podcast/] * Easy Prey on YouTube [https://www.youtube.com/channel/UCCgy_xKrjiXghSgGFEAFdTQ] * Easy Prey on Pinterest [https://www.pinterest.com/easypreypodcast/] * Cygenta [https://www.cygenta.co.uk/] * Dr. Jessica Barker [https://www.drjessicabarker.com/] * FC aka Freakyclown - LinkedIn [https://www.linkedin.com/in/freakyclown/] * How I Rob Banks: And Other Such Places [https://www.amazon.com/How-Rob-Banks-Other-Places-ebook/dp/B0C3WSZSXM/]

Surviving a Ransomware Attack

A ransomware attack doesn't always announce itself with flashing warnings and locked screens. Sometimes it starts with a quiet system outage, a few unavailable servers, and a sinking realization days later that the threat actors were already inside. This conversation pulls back the curtain on what really happens when an organization believes it's dealing with routine failures only to discover it's facing a full-scale cyber extortion event. My guest today is Zachary Lewis, CIO and CISO for a Midwest university, a 40 Under 40 Business Leader, and a former Nonprofit CISO of the Year. Zachary shares the inside story of a LockBit ransomware attack that unfolded while his team was still building foundational security controls, forcing real-time decisions about recovery, disclosure, negotiations, and whether paying a ransom was even an option. We talk about the shame that keeps many cyber incidents hidden, the emotional weight leaders carry during these moments, and the practical realities that don't show up in tabletop exercises from buying bitcoin to restoring systems when password managers are encrypted. It's an honest, grounded discussion about resilience, preparedness, and why sharing these stories openly may be one of the most important defenses organizations have. Show Notes: * [04:05] Zachary Lewis explains why the absence of an immediate ransom note delayed suspicion of an attack. * [06:00] The first technical indicators suggest something more serious is unfolding. * [07:45] Discovering encrypted hypervisors and realizing recovery won't be straightforward. * [09:30] Zachary outlines when data exfiltration became a real concern. * [11:05] Receiving the LockBit ransomware note confirms the organization has been compromised. * [12:55] The 4:30 a.m. phone call pushes leadership into full crisis mode. * [14:40] Zachary reflects on managing fear, responsibility, and decision fatigue mid-incident. * [16:20] Executive expectations collide with technical realities during the breach. * [18:05] Why "doing most things right" still doesn't guarantee protection. * [19:55] Cyber insurance begins shaping early response decisions. * [21:35] Bringing in incident response teams and legal counsel under tight timelines. * [23:20] Zachary describes working with the FBI and understanding jurisdictional limits. * [25:10] What law enforcement can and cannot realistically provide during ransomware events. * [26:50] Opening communication channels with the threat actors. * [28:35] The psychological pressure behind ransomware negotiations. * [30:10] Attacker-imposed timelines force rapid, high-stakes decisions. * [31:55] Zachary walks through the practical challenges of acquiring cryptocurrency. * [33:40] Why encrypted password managers created unexpected recovery barriers. * [35:15] Determining which systems could be restored first—and which could not. * [37:00] Lessons learned about backup integrity and offline recovery. * [38:45] The importance of clear internal communication during uncertainty. * [40:25] Balancing transparency with legal and reputational concerns. * [42:10] How staff reactions differed from executive responses. * [43:55] Zachary discusses the stigma that keeps many ransomware incidents quiet. * [45:40] Why sharing breach stories can strengthen collective defenses. * [47:20] MFA gaps and configuration issues exposed by the attack. * [49:05] Why tabletop exercises fall short of real-world incidents. * [50:50] Long-term security changes made after recovery. * [52:30] Zachary offers advice for CISOs facing their first major incident. * [54:10] What preparedness really means beyond compliance checklists. * [56:00] Why resilience and recovery deserve equal priority. * [58:30] Final reflections on leadership, accountability, and learning in public. Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes [https://podcasts.apple.com/us/podcast/easy-prey/id1488678905] and leave a nice review. Links and Resources: * Podcast Web Page [https://www.easyprey.com/] * Facebook Page [https://www.facebook.com/EasyPreyPodcast] * whatismyipaddress.com [https://whatismyipaddress.com/] * Easy Prey on Instagram [https://www.instagram.com/easypreypodcast/] * Easy Prey on Twitter [https://twitter.com/easypreypodcast] * Easy Prey on LinkedIn [https://www.linkedin.com/company/easy-prey-podcast/] * Easy Prey on YouTube [https://www.youtube.com/channel/UCCgy_xKrjiXghSgGFEAFdTQ] * Easy Prey on Pinterest [https://www.pinterest.com/easypreypodcast/] * Zachary Lewis - The Homesteading CISO [https://homesteadingciso.com/] * Zach Lewis - LinkedIn [https://www.linkedin.com/in/zacharylewis1/]

Why You Fall For Scams

Why do smart, capable people fall for scams even when the warning signs seem obvious in hindsight? In this episode, Dan Ariely joins us to examine how intuition often leads us in the wrong direction, especially under stress, uncertainty, or emotional pressure. A renowned behavioral economist, longtime professor of psychology and behavioral economics at Duke University, and bestselling author of Predictably Irrational, The Upside of Irrationality, Misbehaving, and Misbelief, Dan has spent decades studying why rational people consistently make choices that don't serve them. We talk about the deeply human forces that shape how we decide who to trust, and how easily those instincts can be exploited in high-stakes situations involving fraud, financial loss, and digital deception. Dan shares a deeply personal story about surviving severe burns and the long process of self-acceptance that followed, using his own experience to show how hiding, blending in, and social pressure quietly influence behavior in ways most of us never stop to question. We also explore why stress pushes people to search for patterns, stories, and a sense of control, even when those explanations aren't accurate. Dan explains how our minds operate like a "vintage Swiss Army knife," well suited for small, predictable communities but poorly equipped for modern risks like scams, cybersecurity threats, and low-probability, high-impact events. Topics include why near-misses teach the wrong lessons, why authority and urgency are so effective in manipulation, and why expecting people to be perfectly rational is a losing strategy. We also discuss practical ways to slow decisions down and bring in outside perspectives to help design safeguards that work with human nature. Show Notes: * [01:52] Dan Ariely joins the episode to examine how human decision-making actually works under pressure. * [03:41] How intuition can point us in the wrong direction during moments of stress and uncertainty. * [05:26] Trust, authority, and urgency as core levers used in fraud and manipulation. * [07:12] When decisions feel overwhelming, the brain's tendency to rely on shortcuts. * [08:58] Dan explains why rational thinking often breaks down faster than we expect. * [10:34] Near-misses and how they quietly reinforce false confidence instead of caution. * [12:09] Why repeated exposure to risk doesn't necessarily make people better decision-makers. * [13:55] Stress-driven pattern seeking and the human need for explanation and control. * [15:32] Superstition, conspiracy thinking, and what they reveal about uncertainty tolerance. * [17:18] Why modern threats like scams and cybercrime confuse brains built for simpler environments. * [18:56] The "vintage Swiss Army knife" analogy and what it says about human cognition. * [20:41] Authority cues and why skepticism often disappears in the presence of perceived expertise. * [22:27] Slowing decisions down as one of the most reliable defenses against manipulation. * [24:13] Dan reflects on how behavioral economics challenged traditional models of rational choice. * [25:59] A personal story about surviving severe burns and the long path to self-acceptance. * [27:44] How hiding and blending in can quietly shape behavior and self-perception. * [29:31] Social pressure and its role in everyday compliance and risk-taking. * [31:16] Why vulnerability doesn't look the way people expect it to. * [33:02] Expecting perfect rationality and why that assumption consistently fails. * [34:47] Designing systems that account for human limits instead of ignoring them. * [36:33] The value of outside perspective when decisions carry real consequences. * [38:19] Practical ways individuals can reduce risk by changing how they decide. * [40:05] When slowing down matters more than having more information. * [41:52] Applying behavioral insights to fraud prevention and digital safety. * [43:38] Why better tools help, but mindset still plays a critical role. * [45:24] Final thoughts on working with human nature rather than fighting it. * [48:02] What listeners can take away about decision-making, risk, and self-awareness. Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes [https://podcasts.apple.com/us/podcast/easy-prey/id1488678905] and leave a nice review. Links and Resources: * Podcast Web Page [https://www.easyprey.com/] * Facebook Page [https://www.facebook.com/EasyPreyPodcast] * whatismyipaddress.com [https://whatismyipaddress.com/] * Easy Prey on Instagram [https://www.instagram.com/easypreypodcast/] * Easy Prey on Twitter [https://twitter.com/easypreypodcast] * Easy Prey on LinkedIn [https://www.linkedin.com/company/easy-prey-podcast/] * Easy Prey on YouTube [https://www.youtube.com/channel/UCCgy_xKrjiXghSgGFEAFdTQ] * Easy Prey on Pinterest [https://www.pinterest.com/easypreypodcast/] * Dan Ariely [https://danariely.com/all-about-dan/] * Dan Ariely - LinkedIn [https://www.linkedin.com/in/danariely/] * Books by Dan Ariely [https://www.amazon.com/s?k=dan+ariely&adgrpid=192132124771&hvadid=779576127358&hvdev=c&hvexpln=0&hvlocphy=1014424&hvnetw=g&hvocijid=3861454944472323533--&hvqmt=e&hvrand=3861454944472323533&hvtargid=kwd-5568692795&hydadcr=22529_13730677_8633&mcid=526858b62a573b9498b156bfa3d7202f&tag=googhydr-20&ref=pd_sl_4pid177tql_e] * Dan Ariely - YouTube [https://www.youtube.com/user/danariely]

Mobile Device Threats

In a world where we're told to carry our entire lives in our pockets, we've reached a strange tipping point where the very devices meant to connect us have become windows into our private lives for those who wish us harm. It's no longer a matter of looking for the "shady" corners of the internet; today, the threats come from nation-state actors, advanced AI, and even the people we think we're hiring. We are living in an era where the most sophisticated hackers aren't just trying to break into your phone, they're trying to move into your business by pretending to be your best employee. Joining the conversation today is Jared Shepard, an innovative industry leader and the CEO of Hypori. A U.S. Army veteran with over 20 years of experience, Jared's journey is far from typical; he went from being a high school dropout to serving as a sniper and eventually becoming the lead technical planner for the Army's Third Corps. He is also the founder of Intelligent Waves and the chair of the nonprofit Warriors Ethos, bringing a perspective shaped by years of advising technologists in active war zones. We're going to dive deep into why Jared believes everything you own should be considered already compromised and why that realization is the first step toward true security. From the terrifying reality of his own 401k being stolen via identity theft to the future of "dumb terminals" that protect your privacy by storing nothing at all, this discussion challenges the status quo. We'll explore how to navigate a future where AI can fake your identity in real-time and why the ultimate battle in cybersecurity isn't against a specific country, but against our own human tendency toward laziness. Show Notes: * [[02:12] Jared Shepard of Hypori is here to discuss how modern cyber threats actually play out in real life. * [04:48] How modern attacks unfold slowly instead of triggering obvious alarms. * [05:55] Why many victims don't realize anything is wrong until secondary systems start failing. * [07:56] What identity theft looks like when accounts are targeted methodically over time. * [08:48] How attackers prioritize persistence and access over immediate financial gain. * [10:32] A real attempt to take over long-term financial accounts and how it surfaced. * [13:07] Why financial institutions often respond late even when fraud is already underway. * [15:44] The limits of traditional identity verification in an AI-driven threat environment. * [16:52] Why layered authentication still fails when underlying identity data is compromised. * [18:21] Deepfakes, voice cloning, and why video calls no longer prove much. * [20:57] How laptop farms are used to bypass hiring controls and internal access checks. * [22:18] Why insider-style access is increasingly coming from outside the organization. * [23:33] Why some companies are quietly bringing back in-person steps for sensitive roles. * [26:09] SIM farms, mobile identity abuse, and how scale changes detection. * [28:47] The growing tension between personal privacy and corporate device control. * [31:22] Why assuming device compromise changes everything downstream. * [33:58] Isolating data from endpoints instead of trying to secure the device itself. * [35:12] How moving compute and data off the endpoint reduces exposure without requiring device monitoring. * [36:35] How pixel-only access limits data exposure even on compromised hardware. * [39:11] Why AI training data introduces new security and poisoning risks. * [41:46] Why recovery planning is often overlooked until it's too late. * [44:18] The problem with victim-blaming and how it distorts security responses. * [46:52] Why layered defenses matter more than any single tool or platform. * [47:58] What practical preparation looks like for individuals, not just enterprises. * [49:12] Rethinking privacy as controlled access rather than total lock-down. Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes [https://podcasts.apple.com/us/podcast/easy-prey/id1488678905] and leave a nice review. Links and Resources: * Podcast Web Page [https://www.easyprey.com/] * Facebook Page [https://www.facebook.com/EasyPreyPodcast] * whatismyipaddress.com [https://whatismyipaddress.com/] * Easy Prey on Instagram [https://www.instagram.com/easypreypodcast/] * Easy Prey on Twitter [https://twitter.com/easypreypodcast] * Easy Prey on LinkedIn [https://www.linkedin.com/company/easy-prey-podcast/] * Easy Prey on YouTube [https://www.youtube.com/channel/UCCgy_xKrjiXghSgGFEAFdTQ] * Easy Prey on Pinterest [https://www.pinterest.com/easypreypodcast/] * Jared Shepard - Hypori [https://www.hypori.com/leadership-and-board] * Jared Shepard - LinkedIn [https://www.linkedin.com/in/shepardj/] * Warriors Ethos - Jared Shepard [https://www.warriorsethos.org/jared-shepard/]

Past, Present, and Future of AI agents

The intersection of AI and cybersecurity is changing faster than anyone expected, and that pace is creating both incredible innovation and brand-new risks we're only beginning to understand. From deepfake ads that fool even seasoned security professionals to autonomous agents capable of acting on our behalf, the threat landscape looks very different than it did even a year ago. To explore what this evolution means for everyday people and for enterprises trying to keep up, I'm joined by Chris Kirschke, Field CISO at Tuskira and a security leader with more than two decades of experience navigating complex cyber environments. Chris talks about his unconventional path into the industry, how much harder it is for new professionals to enter cybersecurity today, and the surprising story of how he recently fell for a fake Facebook ad that showcased just how convincing AI-powered scams have become. He breaks down the four major waves of InfoSec from the rise of the web, through mobile and cloud, to the sudden, uncontrollable arrival of generative AI. He then explains why this fourth wave caught companies completely off guard. GenAI wasn't something organizations adopted thoughtfully; it appeared overnight, with thousands of employees using it long before security teams understood its impact. That forced long-ignored issues like data classification, permissions cleanup, and internal hygiene to the forefront. We also dive into the world of agentic AI which is AI that doesn't just analyze but actually acts and the incredible opportunities and dangers that come with it. Chris shares how low-code orchestration, continuous penetration testing, context engineering, and security "mesh" architectures are reshaping modern InfoSec. Chris spends a lot of time talking about the human side of all this and why guardrails matter, how easy it is to over-automate, and the simple truth that AI still struggles with the soft skills security teams rely on every day. He also shares what companies should think about before diving into AI, starting with understanding their data, looping in legal and privacy teams early, and giving themselves room to experiment without turning everything over to an agent on day one. Show Notes: * [00:00] Chris Kirschke, Field CISO at Tuskira, is here to explore how AI is reshaping cybersecurity and why modern threats look so different today. * [03:05] Chris shares his unexpected path from bartending into IT in the late '90s, reflecting on how difficult it has become for newcomers to enter cybersecurity today. * [06:18] A convincing Facebook scam slips past his defenses, illustrating how AI-enhanced fraud makes traditional red flags far harder to spot. * [09:32] GenAI's sudden arrival in the workplace creates chaos as employees adopt tools faster than security teams can assess risk. * [12:08] The conversation shifts to AI-driven penetration testing and how continuous, automated testing is replacing traditional annual reports. * [15:23] Agentic AI enters the picture as Chris explains how low-code orchestration and autonomous agents are transforming security workflows. * [18:24] He discusses when consumers can safely rely on AI agents and why human-in-the-loop oversight remains essential for anything involving transactions or access. * [21:48] AI's dependence on context becomes clear as organizations move toward context lakes to support more intelligent, adaptive security models. * [25:46] He highlights early experiments where AI agents automatically fix vulnerabilities in code, along with the dangers of developers becoming over-reliant on automation. * [29:50] AI emerges as a support tool rather than a replacement, with Chris emphasizing that communication, trust, and human judgment remain central to the security profession. * [33:35] A mock deposition experience reveals how AI might help individuals prepare for high-stress legal or compliance scenarios. * [37:13] Chris outlines practical guardrails for adopting AI—starting with data understanding, legal partnerships, and clear architectural patterns. * [40:21] Chatbot failures remind everyone that AI can invent policies or explanations when it lacks guidance, underscoring the need for strong oversight. * [41:32] Closing thoughts include where to find more of Chris's work and continue learning about Tuskira's approach to AI security. Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes [https://podcasts.apple.com/us/podcast/easy-prey/id1488678905] and leave a nice review. Links and Resources: * Podcast Web Page [https://www.easyprey.com/] * Facebook Page [https://www.facebook.com/EasyPreyPodcast] * whatismyipaddress.com [https://whatismyipaddress.com/] * Easy Prey on Instagram [https://www.instagram.com/easypreypodcast/] * Easy Prey on Twitter [https://twitter.com/easypreypodcast] * Easy Prey on LinkedIn [https://www.linkedin.com/company/easy-prey-podcast/] * Easy Prey on YouTube [https://www.youtube.com/channel/UCCgy_xKrjiXghSgGFEAFdTQ] * Easy Prey on Pinterest [https://www.pinterest.com/easypreypodcast/] * Tuskira [https://www.tuskira.ai/] * Chris Kirschke -LinkedIn [https://www.linkedin.com/in/kirschke/]