1
00:00:00,000 --> 00:00:02,370
Eveline Oehrlich: Hello
everybody, this is Eveline Oehrlich,

2
00:00:02,400 --> 00:00:06,690
Chief Research Officer at the
DevOps Institute, on the Humans

3
00:00:06,690 --> 00:00:13,020
of DevOps podcast. And today we
have a fantastic guest, Rachel

4
00:00:13,050 --> 00:00:17,790
Tobac. She's actually my first
hacker I have met. But before we

5
00:00:17,790 --> 00:00:21,330
get there, let me quickly tell
you a little bit about Rachel.

6
00:00:21,600 --> 00:00:25,770
So Rachel is a hacker and CEO of
SocialProof Security, where she

7
00:00:25,770 --> 00:00:30,030
helps people and companies keep
the data safe by training and

8
00:00:30,030 --> 00:00:34,050
pentesting them on social
engineering risks. Rachel was a

9
00:00:34,050 --> 00:00:37,470
second place winner of DEF CON's
wild spectator sport, the Social

10
00:00:37,470 --> 00:00:40,620
Engineering Capture the Flag
contest, three years in a row.

11
00:00:40,620 --> 00:00:43,800
Congratulations. Rachel has
shared her real life social

12
00:00:43,800 --> 00:00:47,100
engineering stories with NPR,
Last Week Tonight, The New York

13
00:00:47,100 --> 00:00:53,490
Times, Business Insider, CNN, NBC
Nightly News, Forbes, and

14
00:00:53,490 --> 00:00:57,210
many, many more. And having her
here on our show, I am honored

15
00:00:57,240 --> 00:01:01,620
to be able to speak to you in
her remaining space. And that's

16
00:01:01,650 --> 00:01:04,770
really fantastic to also see
that Rachel is the chair of the

17
00:01:04,770 --> 00:01:08,550
board for the nonprofit Women in
Security and Privacy (WISP),

18
00:01:09,090 --> 00:01:12,750
where she works to advance women
to lead in the fields. Welcome,

19
00:01:12,750 --> 00:01:13,890
welcome, Rachel.

20
00:01:14,160 --> 00:01:16,080
Rachel Tobac: Thank you for
having me, Eveline.

21
00:01:16,860 --> 00:01:19,920
Eveline Oehrlich: I am excited.
Like I said, you are really my

22
00:01:19,920 --> 00:01:24,240
first white hat hacker. And I
was doing some reading on the

23
00:01:24,240 --> 00:01:30,240
colors of white hat and black
hat. And give us a little bit of

24
00:01:30,810 --> 00:01:34,740
an insight on white hat versus
black hat. And if there are any

25
00:01:34,740 --> 00:01:38,460
other colors of the hats, you
guys are or these folks are

26
00:01:38,460 --> 00:01:39,000
wearing.

27
00:01:39,690 --> 00:01:42,510
Rachel Tobac: A lot of people
use different hats to describe

28
00:01:42,510 --> 00:01:45,750
different work, I tend to stick
away actually from the hat

29
00:01:45,750 --> 00:01:48,180
description. But I'll give you a
high level definition of what

30
00:01:48,180 --> 00:01:51,030
people think of. People think of
a black hat hacker as a

31
00:01:51,030 --> 00:01:54,180
criminal, someone who's doing
fraud, crime, they don't have

32
00:01:54,180 --> 00:01:57,270
permission to do the hacking
that they're doing. And a white

33
00:01:57,270 --> 00:02:00,420
hat hacker is thought of as
somebody who does have

34
00:02:00,420 --> 00:02:04,950
permission first. So some might
call that an ethical hacker. I

35
00:02:04,950 --> 00:02:08,160
just use the word hacker to
describe that person. So we use

36
00:02:08,160 --> 00:02:11,610
the word hacker in the hacker
community to describe somebody

37
00:02:11,700 --> 00:02:14,100
who gets permission to do the
things that they're doing. And

38
00:02:14,100 --> 00:02:16,740
they're not trying to inflict
harm. They're trying to help

39
00:02:16,740 --> 00:02:20,280
people secure their machines and
their software. And they think

40
00:02:20,280 --> 00:02:24,300
of somebody who is not getting
permission as a criminal. So the

41
00:02:24,300 --> 00:02:27,060
words that we typically use in
the field are hacker and

42
00:02:27,060 --> 00:02:27,450
criminal.

43
00:02:27,870 --> 00:02:30,300
Eveline Oehrlich: Ah,
interesting. Now I was looking

44
00:02:30,300 --> 00:02:35,280
at your website, in the
SocialProof Security and watched

45
00:02:35,280 --> 00:02:39,060
the trailer of the training
video library. And there it says

46
00:02:39,060 --> 00:02:45,450
that you're you're doing musical
and spoken word content, all

47
00:02:45,450 --> 00:02:49,020
about the topics you need to
know to catch a cybercriminal in

48
00:02:49,020 --> 00:02:54,480
the act. And that's very, a very
different way of creating

49
00:02:54,480 --> 00:02:56,460
training where the DevOps
Institute, of course, our

50
00:02:56,460 --> 00:03:01,050
training institute, so explain
to our listeners, what does that

51
00:03:01,050 --> 00:03:05,340
mean, and even more. So how did
you get that idea? Which, by the

52
00:03:05,340 --> 00:03:06,450
way, I think is awesome.

53
00:03:06,000 --> 00:03:10,470
Rachel Tobac: Yes, of course. So
I'll tell you a little story to

54
00:03:10,470 --> 00:03:14,310
give you some background on
this. I've been I've been doing

55
00:03:14,310 --> 00:03:19,200
SocialProof Security since 2017.
So at that point, after I got my

56
00:03:19,200 --> 00:03:23,340
start in the DEF CON hacking
competitions, I did the social

57
00:03:23,340 --> 00:03:25,980
engineering one for three years
and got second place three years

58
00:03:25,980 --> 00:03:29,220
in a row. Companies started
asking me Hey, Rachel, can you

59
00:03:29,220 --> 00:03:33,510
come to our organization and
talk about how you hack, we want

60
00:03:33,510 --> 00:03:36,450
to hear about the human element
of security, how we can avoid

61
00:03:36,450 --> 00:03:40,260
becoming one of your targets,
etc. So I did that. We then

62
00:03:40,260 --> 00:03:42,870
built out a whole line of
services for things like talks,

63
00:03:42,870 --> 00:03:46,680
workshops and training. Then
those clients were like, Hey,

64
00:03:46,680 --> 00:03:49,890
Rachel, we just did this live
event with you three months ago,

65
00:03:49,890 --> 00:03:53,490
eight months ago. Do you have
any videos we want to use other

66
00:03:53,700 --> 00:03:56,490
types of content, not just live
events, because you know, we

67
00:03:56,490 --> 00:04:00,690
have new people starting every
day? And so I said sure. So I

68
00:04:00,720 --> 00:04:03,600
kind of started with like a
little experiment with the

69
00:04:03,600 --> 00:04:09,990
community. We saw that on
TikTok. The sea shanty genre was

70
00:04:09,990 --> 00:04:14,970
trending like crazy in 2021. And
I was like, Okay, well, maybe I

71
00:04:14,970 --> 00:04:18,540
should make a TikTok about
password management and multi

72
00:04:18,540 --> 00:04:22,590
factor authentication and how to
stay safe online. So I did that

73
00:04:22,590 --> 00:04:24,750
because I like to meet people
where they're at, you know, if

74
00:04:24,750 --> 00:04:27,090
people are on TikTok, and
they're using sea shanties to

75
00:04:27,090 --> 00:04:31,050
communicate information that
I'll do that too. And it was

76
00:04:31,050 --> 00:04:35,610
surprisingly successful. We had
over 400,000 views on that, like

77
00:04:35,640 --> 00:04:39,000
immediately, and companies
started reaching out to me, I

78
00:04:39,000 --> 00:04:43,530
had over 100 companies say, hey,
that InfoSec sea shanty about

79
00:04:43,980 --> 00:04:47,670
multi factor authentication and
password managers. I don't know

80
00:04:47,670 --> 00:04:51,180
why, but for some reason that
worked and people are now asking

81
00:04:51,180 --> 00:04:56,160
me, How can I get MFA on my
personal device? How do I get a

82
00:04:56,160 --> 00:04:59,280
password manager? How do I avoid
reusing my passwords? How do I

83
00:04:59,280 --> 00:05:02,880
report a phishing email, things
that they would not normally ask

84
00:05:02,880 --> 00:05:07,200
me, Can you make more songs, and
I have a background in

85
00:05:07,200 --> 00:05:12,360
neuroscience, musical theater,
improv. Not a classically

86
00:05:12,360 --> 00:05:15,780
trained singer. But I sing. And
in fact, even I met my husband

87
00:05:15,780 --> 00:05:19,650
and my business partner. Both my
husband and my business partner,

88
00:05:19,680 --> 00:05:24,420
that's the same person have been
great at an open mic night, when

89
00:05:24,420 --> 00:05:27,390
we were teenagers. So that's
actually a huge part of my story

90
00:05:27,390 --> 00:05:31,170
and background. And I was like,
you know, I am uniquely

91
00:05:31,170 --> 00:05:33,630
positioned to try something
really different here and make

92
00:05:33,630 --> 00:05:37,050
music and help people understand
how to stay safe on the

93
00:05:37,050 --> 00:05:40,260
internet. So we did it. We were
like, the sea shanty worked,

94
00:05:40,260 --> 00:05:44,670
let's let's do a beta launch. So
we recorded spoken word videos,

95
00:05:44,730 --> 00:05:49,560
and music based songs, all about
things like malware, phishing,

96
00:05:49,560 --> 00:05:53,580
passwords, ransomware, social
media safety, patching,

97
00:05:53,580 --> 00:05:57,270
reporting, social engineering,
multifactor authentication, and

98
00:05:57,270 --> 00:06:00,570
we'll like, we'll just test it,
we'll see how people feel, you

99
00:06:00,570 --> 00:06:02,880
know, what do they like about
it. And in our research, we

100
00:06:02,880 --> 00:06:06,540
found that about 80% of the
people loved the music based

101
00:06:06,540 --> 00:06:09,480
training, and about 20% of
people were like, I learned

102
00:06:09,480 --> 00:06:13,590
better with spoken training. I
like to learn from people who

103
00:06:13,590 --> 00:06:16,860
are speaking. And I like to see
the hacking demonstrations that

104
00:06:16,860 --> 00:06:20,640
way. So we built both equally,
so that everyone gets a chance

105
00:06:20,640 --> 00:06:27,060
to try the genre that works best
for them. And it's worked. I

106
00:06:27,060 --> 00:06:30,660
mean, it's it's really shocking
me, we had over 160 companies

107
00:06:30,660 --> 00:06:34,830
reach out in the first three
weeks asking for demos, and

108
00:06:34,920 --> 00:06:37,260
people are using it, and they're
trying it and giving us

109
00:06:37,260 --> 00:06:39,540
feedback. It's it's literally
blowing my mind.

110
00:06:39,690 --> 00:06:42,480
Eveline Oehrlich: Wow, that is
fantastic. So I could just

111
00:06:42,480 --> 00:06:48,060
imagine having a song or rhythm,
something in my head, which I

112
00:06:48,090 --> 00:06:51,150
can repeat over and over again
to make sure that I do certain

113
00:06:51,150 --> 00:06:54,720
things. So that's pretty much
what you guys are doing. That is

114
00:06:55,080 --> 00:06:58,830
That is fantastic. When AB told
me, Hey, I have Rachel Tobac.

115
00:06:58,830 --> 00:07:04,350
She does this musical hacking. I
was like, oh, I need to talk to

116
00:07:04,350 --> 00:07:08,160
her. We need to bring this out.
This is fantastic. So So you

117
00:07:08,160 --> 00:07:10,470
actually have a background, you
said in behavioral analysis,

118
00:07:10,470 --> 00:07:13,920
right? So some of that, I'm
sure. And by the way, my

119
00:07:13,920 --> 00:07:16,740
daughter was actually a
psychologist behavioral analysis

120
00:07:16,770 --> 00:07:21,210
also in Kansas City. She and I
have sometimes conversations on

121
00:07:21,240 --> 00:07:26,310
things like in why we in
technology are so sometimes

122
00:07:26,310 --> 00:07:30,390
boring and don't grasp onto
things. So so the behavioral

123
00:07:30,600 --> 00:07:34,500
analysis aspect that must have
helped you right to think

124
00:07:34,500 --> 00:07:37,200
through in terms of what this
does to the individuals?

125
00:07:37,710 --> 00:07:41,070
Rachel Tobac: Absolutely, yeah.
So my degree is in neuroscience

126
00:07:41,070 --> 00:07:45,750
and behaviorism. I also studied
cognitive behavioral psychology

127
00:07:45,750 --> 00:07:49,350
just as like an additional
element for my neuroscience

128
00:07:49,350 --> 00:07:54,270
background. It helps give me
context about the why behind the

129
00:07:54,270 --> 00:07:59,820
hard science. So I have both.
And I found that I can

130
00:07:59,880 --> 00:08:04,320
understand better things like UX
research, when I have a

131
00:08:04,320 --> 00:08:08,040
background in something like
neuroscience, why people make

132
00:08:08,040 --> 00:08:11,400
the decisions that they do. And
so I figured back in the day

133
00:08:11,400 --> 00:08:14,640
when I decided to study that,
that I could apply that to a

134
00:08:14,640 --> 00:08:18,030
wide range of different types of
roles. I had no idea what I was

135
00:08:18,030 --> 00:08:21,270
going to become when I was in
school. When I was in school a

136
00:08:21,270 --> 00:08:25,350
long time ago, I was working in
a rat lab, I was trying to study

137
00:08:25,350 --> 00:08:29,430
the effects of things like music
on humans and rats, I even did a

138
00:08:29,430 --> 00:08:33,540
rat study in our rat lab,
helping a rat distinguish

139
00:08:33,540 --> 00:08:36,480
between different types of music
and seeing if that was useful

140
00:08:36,480 --> 00:08:40,170
within their neural pathways. So
there's a lot of different

141
00:08:40,170 --> 00:08:43,440
research that I did, that ended
up helping me later in life, I

142
00:08:43,440 --> 00:08:45,810
thought I was going to become a
teacher. And I did, I taught for

143
00:08:45,810 --> 00:08:49,950
six years. But after that, it
helped me build my UX research

144
00:08:49,950 --> 00:08:53,520
career and my hacking career. So
it's wild how you can take such

145
00:08:53,520 --> 00:08:56,760
a nonlinear path. And I'm sure
the folks listening to this

146
00:08:56,850 --> 00:09:00,450
probably have unique pathways to
the jobs that they have today.

147
00:09:00,720 --> 00:09:03,540
And I think it's really cool
because not everybody needs to

148
00:09:03,540 --> 00:09:06,330
go to school for their specific
area of study, they can apply

149
00:09:06,330 --> 00:09:07,650
something that they learned
earlier.

150
00:09:07,860 --> 00:09:10,050
Eveline Oehrlich: Yeah, very,
very encouraging. Because

151
00:09:10,080 --> 00:09:13,110
skilling and re-skilling and
upskilling is a big challenge

152
00:09:13,110 --> 00:09:16,800
right now there is of course in
technology a large amount of

153
00:09:17,850 --> 00:09:22,650
skillful people needed. But do
they all need to be IT engineers,

154
00:09:22,680 --> 00:09:25,290
study computer science and
things like that? We just did

155
00:09:25,290 --> 00:09:27,630
some research on that. So that's
interesting. You mentioned that

156
00:09:27,660 --> 00:09:30,960
now, you said social
engineering, I just want to make

157
00:09:30,960 --> 00:09:33,810
sure I had to look it up. I
thought I knew what it was, but

158
00:09:33,810 --> 00:09:37,770
I had to look it up. But for our
listeners, tell us what that is.

159
00:09:37,800 --> 00:09:39,240
What is social engineering?

160
00:09:39,270 --> 00:09:42,480
Rachel Tobac: Sure. Social
engineering is the human element

161
00:09:42,540 --> 00:09:45,390
of hacking and security. So you
can think of any way that a

162
00:09:45,390 --> 00:09:48,810
person would be persuaded to do
something that they wouldn't

163
00:09:48,810 --> 00:09:51,870
normally do. So maybe for
instance, Eveline, let's say I'm

164
00:09:51,870 --> 00:09:53,970
going to hack you. I'm not going
to but let's say for the

165
00:09:53,970 --> 00:09:58,620
purposes of this example I where
I would need to come up with a

166
00:09:58,650 --> 00:10:02,340
pretext, who I'm pretending to be,
to convince you to do something

167
00:10:02,340 --> 00:10:05,790
that you wouldn't normally do,
like, click a link, download

168
00:10:05,790 --> 00:10:09,030
something malicious, tell me
something sensitive, send me

169
00:10:09,030 --> 00:10:11,670
money when I shouldn't actually
be receiving that money from

170
00:10:11,670 --> 00:10:16,290
you. And so I need to come up
with all of the science, the

171
00:10:16,290 --> 00:10:19,920
reasoning for why you should be
doing those things. And it's

172
00:10:19,920 --> 00:10:22,830
sometimes it's as easy as just
sending somebody a link. But for

173
00:10:22,830 --> 00:10:26,430
folks that know better and know,
to avoid those types of things,

174
00:10:26,520 --> 00:10:30,180
we have to get pretty serious
with our pretexting, or who

175
00:10:30,180 --> 00:10:33,630
we're pretending to be. And it's
more than just acting, but we

176
00:10:33,630 --> 00:10:36,510
have to understand the full
backstory of who we're

177
00:10:36,510 --> 00:10:39,810
impersonating. And who we're
pretending to be when we're

178
00:10:39,810 --> 00:10:44,550
impersonating to the target, the
victim. And so there's, there's

179
00:10:44,550 --> 00:10:47,100
a lot that goes into social
engineering. And it's it's been

180
00:10:47,100 --> 00:10:50,610
one of the most fun fields to be
able to transition into. And it

181
00:10:50,850 --> 00:10:54,450
really does serve a lot of the
interests that I had from

182
00:10:54,450 --> 00:10:56,220
neuroscience and behaviorism.

183
00:10:56,250 --> 00:10:59,970
Eveline Oehrlich: So when you go
to your besides being on these

184
00:11:00,300 --> 00:11:04,680
broadcasts being a sought after
speaker joining us on the

185
00:11:04,680 --> 00:11:07,830
podcast, and I'm sure you're
traveling as well, to other

186
00:11:07,830 --> 00:11:11,400
places, when you go to your
clients, what what does that

187
00:11:11,400 --> 00:11:15,000
look like? How can I? How can I
understand what do you do with

188
00:11:15,000 --> 00:11:20,460
them for them? In an engagement,
let's say I am Jack in the Box

189
00:11:20,460 --> 00:11:24,570
around the block. And I'd like
you to help us because we have

190
00:11:24,570 --> 00:11:26,610
issues what what does it look
like?

191
00:11:26,940 --> 00:11:28,980
Rachel Tobac: Sure, there's a
variety of different ways that I

192
00:11:28,980 --> 00:11:33,900
help our clients. So first and
foremost, training, a lot of

193
00:11:33,900 --> 00:11:36,930
times people need to train all
of the folks at their

194
00:11:36,930 --> 00:11:41,040
organization, or maybe one
subset of individuals, for

195
00:11:41,040 --> 00:11:44,250
instance, the client facing
folks at their organization,

196
00:11:44,640 --> 00:11:48,210
they might be concerned that the
account managers and the

197
00:11:48,210 --> 00:11:51,720
helpdesk, and the customer
service team keeps getting

198
00:11:51,720 --> 00:11:55,860
requests to change email
addresses on accounts, which can

199
00:11:55,860 --> 00:11:58,710
lead to account takeover and
admin access that shouldn't be

200
00:11:58,710 --> 00:12:02,490
granted. And so I can come in
there and help them understand

201
00:12:02,640 --> 00:12:05,340
what do those protocols look
like that you're using for

202
00:12:05,340 --> 00:12:08,100
identity verification? What does
it look like when you're

203
00:12:08,100 --> 00:12:11,400
authenticating a person as
someone? How do we know that

204
00:12:11,400 --> 00:12:14,550
they are who they say they are.
And that helps folks think

205
00:12:14,550 --> 00:12:17,580
through their protocols, update
them to avoid getting social

206
00:12:17,580 --> 00:12:21,060
engineered, or at least mitigate
a lot of those risks. And so

207
00:12:21,060 --> 00:12:24,660
training is a huge part of it.
Another thing that we do is we

208
00:12:24,660 --> 00:12:27,990
actually get hired to hack
companies. So for instance, a

209
00:12:27,990 --> 00:12:31,590
bank might say, hey, we want to
know, can you steal money from

210
00:12:31,590 --> 00:12:36,000
our clients' accounts. And so we
set up test accounts, that

211
00:12:36,030 --> 00:12:39,210
customer support teams do not
know our test accounts so that

212
00:12:39,210 --> 00:12:42,000
we don't steal anybody's actual
money. And then we go in there,

213
00:12:42,000 --> 00:12:46,110
and we actually try account
takeover, can I steal money that

214
00:12:46,110 --> 00:12:49,470
we in fact, we just had an
engagement like this recently,

215
00:12:49,470 --> 00:12:52,260
and we were able to steal money
from two out of three of the

216
00:12:52,260 --> 00:12:55,650
accounts. And so that helps them
understand the vulnerabilities.

217
00:12:55,800 --> 00:12:59,010
What does it look like? How can
they prevent it? And what can we

218
00:12:59,010 --> 00:13:01,710
do to overhaul this process? So
this doesn't happen when a

219
00:13:01,710 --> 00:13:03,090
criminal tries next.

220
00:13:03,270 --> 00:13:06,000
Eveline Oehrlich: Right. So you
so you develop an actionable

221
00:13:06,000 --> 00:13:09,480
plan for them to say, hey, you
have to have different scripts,

222
00:13:09,750 --> 00:13:13,650
different conversations, process
adjustments, et cetera, et

223
00:13:13,650 --> 00:13:17,250
cetera, which they can then
follow. And then is there is

224
00:13:17,250 --> 00:13:21,150
there follow ups to do with them
to ensure I'm assuming you will,

225
00:13:21,150 --> 00:13:22,500
right, because, yeah.

226
00:13:22,890 --> 00:13:24,810
Rachel Tobac: Yeah, it's really
important to follow up and make

227
00:13:24,810 --> 00:13:28,320
sure that everybody understands
the why behind these changes. So

228
00:13:28,380 --> 00:13:31,350
yeah, a big part of my job is
the training, the protocol

229
00:13:31,350 --> 00:13:34,200
adjustments, we call that a
protocol workshop. And then

230
00:13:34,200 --> 00:13:36,690
going in there and doing those
keynotes or talks to talk

231
00:13:36,690 --> 00:13:39,060
through what did we learn? What
can we do about it? And what are

232
00:13:39,060 --> 00:13:41,730
the recommendations and changes?
And now of course, we have the

233
00:13:41,730 --> 00:13:44,670
videos too, so that if you're
looking for something that you

234
00:13:44,670 --> 00:13:47,280
can use for onboarding or
monthly training or something

235
00:13:47,280 --> 00:13:49,530
like that, we have that and you
don't need to have a live event

236
00:13:49,530 --> 00:13:49,950
to do it.

237
00:13:50,280 --> 00:13:52,290
Eveline Oehrlich: Yep. So what
would you say the biggest

238
00:13:52,290 --> 00:13:56,730
vulnerabilities are in terms of
what you're seeing in your

239
00:13:56,760 --> 00:14:00,180
career and your journeys across
the enterprise and the globe,

240
00:14:01,500 --> 00:14:02,160
today.

241
00:14:03,180 --> 00:14:04,830
Rachel Tobac: One of the biggest
things that I've seen if you've

242
00:14:04,830 --> 00:14:10,140
seen my Donie hack video, where I
take over a CNN correspondent's

243
00:14:10,170 --> 00:14:15,240
accounts, and I steal points, I
gain access to his accounts. Let

244
00:14:15,240 --> 00:14:17,370
me take a step back. Actually, I
want to make sure that I

245
00:14:17,370 --> 00:14:19,800
understood I communicate to
everybody that there's two

246
00:14:19,800 --> 00:14:22,920
different ways that I hack.
Either I hack you by contacting

247
00:14:22,920 --> 00:14:26,160
you directly, or I hack you
through the service providers

248
00:14:26,160 --> 00:14:27,000
that you trust.

249
00:14:27,060 --> 00:14:29,340
Eveline Oehrlich: Ah, yes. And I
think that's, that's the one I

250
00:14:29,340 --> 00:14:30,690
saw. Yeah, yeah.

251
00:14:31,860 --> 00:14:34,980
Rachel Tobac: So in this Donie
hacking video, I contacted the

252
00:14:34,980 --> 00:14:38,730
services that Donie trusts with
his data to get access to his

253
00:14:38,730 --> 00:14:41,400
accounts, I didn't contact Donie
directly. So just to give that

254
00:14:41,400 --> 00:14:46,800
context. So I contacted those
organizations via phone and I

255
00:14:46,800 --> 00:14:50,010
said, Hey, I'm Donie. I'm
spoofing his number and this

256
00:14:50,010 --> 00:14:52,920
caller ID looks like it's
calling from him. I updated the

257
00:14:52,920 --> 00:14:55,860
pitch of my voice to match you
know, what they might expect for

258
00:14:55,860 --> 00:14:59,160
something Donie O'Sullivan so
that they don't question me. And

259
00:14:59,160 --> 00:15:03,210
then from there we continue down
the path of trying to gain

260
00:15:03,210 --> 00:15:05,910
access to Donie's accounts. And
for a lot of these

261
00:15:05,910 --> 00:15:11,310
organizations, the questions
that they ask an individual to

262
00:15:11,310 --> 00:15:15,030
verify that person is who they
say they are, are what we call

263
00:15:15,060 --> 00:15:19,410
knowledge based authentication
questions, KBA. And these types

264
00:15:19,410 --> 00:15:22,770
of questions are things like,
what street did you grow up on?

265
00:15:23,250 --> 00:15:25,830
Where do you live now, your
current address, your date of

266
00:15:25,830 --> 00:15:29,220
birth, last four digits of your
credit card, your email address

267
00:15:29,220 --> 00:15:32,100
or phone number, just calling in
and spoofing from that phone

268
00:15:32,100 --> 00:15:35,160
number is sometimes enough to
verify that specific question.

269
00:15:35,640 --> 00:15:39,000
And so I'm able to get access to
his airline accounts, hotel

270
00:15:39,000 --> 00:15:44,400
points, his coffee card, it the
list goes on and on and on, and

271
00:15:44,400 --> 00:15:47,160
steal all of those points, all
that information, do full

272
00:15:47,160 --> 00:15:51,180
account takeover very quickly.
And so one thing that I try and

273
00:15:51,180 --> 00:15:55,110
help organizations understand
is, if you have folks at your

274
00:15:55,110 --> 00:15:58,530
company who pick up the phone,
that's a major vulnerability in

275
00:15:58,530 --> 00:16:02,310
and of itself. And those
protocols in many cases need to

276
00:16:02,310 --> 00:16:06,810
be overhauled to verify that I
am who I say I am, when I'm

277
00:16:06,810 --> 00:16:09,600
calling in to help you or
calling in to ask you for help.

278
00:16:10,440 --> 00:16:14,280
And we also need to verify the
internal folks like the folks

279
00:16:14,280 --> 00:16:18,000
that we rely on to do our job,
IT support, things like that,

280
00:16:18,090 --> 00:16:20,940
that those individuals are who
they say they are, because we're

281
00:16:20,940 --> 00:16:24,930
seeing a lot of organizations
get hacked, because somebody

282
00:16:25,140 --> 00:16:28,650
gives a customer support person
a call, and either pretends to

283
00:16:28,650 --> 00:16:31,680
be IT support from the company
to gain access to internal

284
00:16:31,680 --> 00:16:35,520
accounts. That's what happened
in the Twitter hack of 2020. Or

285
00:16:35,730 --> 00:16:38,640
they're calling in and saying,
Hey, I'm Eveline, I need access

286
00:16:38,640 --> 00:16:40,950
to my account. I just lost my
phone, can you go ahead and

287
00:16:40,950 --> 00:16:44,190
change the phone number on my
account? Okay, great. Hang up,

288
00:16:44,190 --> 00:16:46,470
call back. Can I change the
email address on my account?

289
00:16:46,710 --> 00:16:50,400
Right now? I can verify right?
And so we have all these issues

290
00:16:50,400 --> 00:16:53,790
with account takeover and phone
based authentication protocols.

291
00:16:53,790 --> 00:16:56,010
And that's one of the big things
that I like to support on.

292
00:16:56,370 --> 00:16:59,190
Eveline Oehrlich: Yeah, I was
listening to one where you were,

293
00:16:59,460 --> 00:17:04,530
I think it was a delivery of a
furniture or something. And the

294
00:17:04,560 --> 00:17:08,190
the service person was actually
quoted or telling you the the

295
00:17:08,190 --> 00:17:12,270
address to confirm you to
confirm with you that that was

296
00:17:12,270 --> 00:17:16,290
the reason address. So that's an
excellent example of where the

297
00:17:16,290 --> 00:17:19,740
front end, whoever service
individual needed to think

298
00:17:19,740 --> 00:17:23,220
through and the protocol needed
to be changed. That's an

299
00:17:23,220 --> 00:17:24,570
excellent example. Yeah,

300
00:17:24,600 --> 00:17:26,850
Rachel Tobac: I really like how
when you just said that you were

301
00:17:26,850 --> 00:17:29,250
like the frontline person has to
think through and it's like,

302
00:17:29,250 --> 00:17:32,040
wait, no, they don't even think
about it. Their team needs to

303
00:17:32,040 --> 00:17:36,240
change the protocol that you
use, because we have to take the

304
00:17:36,360 --> 00:17:40,260
pressure off of individuals to
try and do something that their

305
00:17:40,260 --> 00:17:43,830
organization isn't telling them
to do. Right. We can't expect

306
00:17:44,040 --> 00:17:46,920
the person whose job it is to
help you get access to your

307
00:17:46,920 --> 00:17:50,640
account to on the fly come up
with the verification protocols.

308
00:17:50,670 --> 00:17:55,290
Yes. Fair, right. Yeah.
Excellent. Yeah, we can't blame

309
00:17:55,320 --> 00:17:59,700
people, we have to put the
responsibility on companies to

310
00:17:59,700 --> 00:18:01,890
update their protocols. I love
that distinction you just made

311
00:18:01,890 --> 00:18:02,400
on the fly.

312
00:18:02,690 --> 00:18:07,190
Eveline Oehrlich: Yeah, that
great, great correction of me,

313
00:18:07,190 --> 00:18:11,960
of course, right? Because that
has significant impact. The

314
00:18:11,960 --> 00:18:15,530
companies need to do what they
need to do. So you made some

315
00:18:15,530 --> 00:18:18,680
points on what companies can do.
Tell me about individuals all of

316
00:18:18,680 --> 00:18:22,670
us are out there, you know, we
get I mean, what should we watch

317
00:18:22,670 --> 00:18:28,430
out for? And can we actually
become something like, tell

318
00:18:28,430 --> 00:18:31,640
them? Hey, you guys, you just
said something, you need to

319
00:18:31,640 --> 00:18:35,570
update your can we become
Rachel, maybe two questions. One

320
00:18:35,570 --> 00:18:38,450
question is, how should
individuals protect themselves

321
00:18:38,450 --> 00:18:41,300
for not getting hacked? Right?
Let's go there first, I think,

322
00:18:42,050 --> 00:18:45,950
Rachel Tobac: Sure. So
individuals, let's just say you

323
00:18:45,950 --> 00:18:49,460
can't control the services you
trust with your data, right? We

324
00:18:49,460 --> 00:18:54,830
can't hope and pray that they
don't allow other people to call

325
00:18:54,830 --> 00:18:57,710
in as us and get access to our
data. So let's only talk about

326
00:18:57,710 --> 00:19:02,150
what we can focus on as
individuals. The first thing is

327
00:19:02,150 --> 00:19:06,320
password reuse. Because we know
that about 52% of people just

328
00:19:06,320 --> 00:19:10,280
admit reusing their passwords
across multiple sites, including

329
00:19:10,280 --> 00:19:13,460
the types of individuals who
listen to this podcast, and even

330
00:19:13,460 --> 00:19:17,300
hackers. And so we need to make
sure that we don't reuse our

331
00:19:17,300 --> 00:19:20,120
passwords, because that's one of
the easiest ways for me to hack

332
00:19:20,120 --> 00:19:24,320
you, I can just log into my
password dump repository that I

333
00:19:24,320 --> 00:19:28,370
have access to. It's all up
there, it's on the internet.

334
00:19:28,370 --> 00:19:31,370
It's not the dark web, it's just
the clear internet. And I can go

335
00:19:31,370 --> 00:19:33,800
ahead and get access to your
password and just log in as you.

336
00:19:34,040 --> 00:19:36,620
So we need to make sure that we
don't reuse our passwords

337
00:19:36,620 --> 00:19:39,440
because if they ended a breach,
end up in a breach with which

338
00:19:39,440 --> 00:19:41,840
they're probably going to at
some point, I'm going to use it

339
00:19:41,840 --> 00:19:44,570
against you to steal your money
or gain access to your email,

340
00:19:44,600 --> 00:19:49,430
etc, etc. Use a password manager
to store those long, random and

341
00:19:49,430 --> 00:19:52,940
unique passwords and always use
multi factor authentication to

342
00:19:52,940 --> 00:19:56,270
back them up. We know a lot of
people, even folks in the

343
00:19:56,270 --> 00:20:00,650
developer community know the
importance of multi factor

344
00:20:00,650 --> 00:20:05,330
authentication, because if your
tools that you've worked on

345
00:20:05,330 --> 00:20:08,660
maybe an open source tool,
somebody gains access to that.

346
00:20:08,690 --> 00:20:11,300
Now we have a huge supply chain
issue. This is something that

347
00:20:11,300 --> 00:20:14,450
we're seeing over and over
again, in the news. And so the

348
00:20:14,450 --> 00:20:17,630
importance of multi factor
authentication, and making sure

349
00:20:17,780 --> 00:20:22,370
we don't just use a password to
secure those important updates

350
00:20:22,400 --> 00:20:27,230
that we push, it's essential.
And so those are the main things

351
00:20:27,230 --> 00:20:29,330
that I would say you have
control over and can make a

352
00:20:29,330 --> 00:20:33,290
change today, you can prioritize
updating 10 of your passwords,

353
00:20:33,290 --> 00:20:34,310
like this weekend.

354
00:20:36,170 --> 00:20:39,020
Eveline Oehrlich: Listen, listen
up. I'm going to do that exactly

355
00:20:39,020 --> 00:20:43,250
after this call. Because I am
one of those who even so I mean

356
00:20:43,250 --> 00:20:48,020
it and but yes, we're guilty of
lots of that. Great. So you

357
00:20:48,020 --> 00:20:50,420
mentioned a few things on
companies, but they could do of

358
00:20:50,420 --> 00:20:55,160
course, go get some training,
start singing songs, learning

359
00:20:55,160 --> 00:20:59,180
songs, right. Anything else on
the company side they could do,

360
00:20:59,240 --> 00:21:02,660
which you think is absolutely
high priority for those who are

361
00:21:02,660 --> 00:21:03,830
listening in today?

362
00:21:04,340 --> 00:21:06,350
Rachel Tobac: Sure. Well, we
need to make sure that the

363
00:21:06,350 --> 00:21:09,770
companies protect us using two
methods of communication to

364
00:21:09,770 --> 00:21:13,670
confirm we are who we say we are
when we call in, chat, and/or

365
00:21:13,670 --> 00:21:17,000
email in to get help. And so if
I call into a company, and I

366
00:21:17,000 --> 00:21:19,880
say, Hi, I'm Evelyn, I need to
change the email address on my

367
00:21:19,880 --> 00:21:22,430
account, they should say
something like, Sure, Evelyn, I

368
00:21:22,430 --> 00:21:25,880
just shot a word or code to your
phone, go ahead and read that

369
00:21:25,880 --> 00:21:29,270
out to me. Now, that's going to
stop me as a hacker because I'm

370
00:21:29,270 --> 00:21:31,880
spoofing your phone number, I
can't gain access to your text

371
00:21:31,880 --> 00:21:34,940
messages, of course without
doing a sim swap. But a lot of

372
00:21:34,940 --> 00:21:37,940
times, this is just low hanging
fruit, and we need to avoid

373
00:21:37,940 --> 00:21:41,390
those types of issues, then, we
need to make sure that

374
00:21:41,870 --> 00:21:45,410
individuals at companies
understand the likelihood of

375
00:21:45,410 --> 00:21:49,850
them receiving a phishing email,
a vishing call SMS Testament

376
00:21:49,880 --> 00:21:52,640
text messages pretending to be
something like Okta, which we're

377
00:21:52,640 --> 00:21:58,400
seeing over and over again,
right now. And what we can do to

378
00:21:58,400 --> 00:22:01,550
spot those and report them
quickly. A lot of times people

379
00:22:01,550 --> 00:22:03,830
be like, Oh, that seems spammy,
I'm just gonna delete it, or I'm

380
00:22:03,830 --> 00:22:08,300
gonna ignore it. But we can
actually save our coworkers who

381
00:22:08,300 --> 00:22:11,150
are likely to fall for that
stuff. If we report quickly. And

382
00:22:11,150 --> 00:22:13,670
then the end, the institution
can say, we've got a big

383
00:22:13,670 --> 00:22:16,850
problem, we got to shut this
down and let people know. And

384
00:22:16,850 --> 00:22:19,790
then from there, of course,
multi factor authentication that

385
00:22:19,790 --> 00:22:23,480
matches the company's threat
model. For instance, this is a

386
00:22:23,480 --> 00:22:26,840
really famous case with the
Twitter hack of 2020. In that

387
00:22:26,840 --> 00:22:30,590
case, an attacker called up
customer support, pretending to

388
00:22:30,590 --> 00:22:34,130
be IT support, got access to
that password was able to log

389
00:22:34,130 --> 00:22:37,340
into the admin portal, and send
out all those spammy tweets

390
00:22:37,340 --> 00:22:40,550
with, you know, from like Elon
Musk, former President Barack

391
00:22:40,550 --> 00:22:45,110
Obama, Kanye West, the list goes
on. And they are able to do that

392
00:22:45,110 --> 00:22:47,690
because there wasn't multi
factor authentication on that.

393
00:22:47,990 --> 00:22:51,140
On that account, the individual
didn't use a second method of

394
00:22:51,140 --> 00:22:55,850
communication to confirm the
caller was truly IT support. And

395
00:22:55,940 --> 00:23:00,350
their MFA model didn't match
their threat model. And so they

396
00:23:00,350 --> 00:23:04,670
used app-based MFA when a YubiKey,
a security key, would have been a

397
00:23:04,670 --> 00:23:08,960
great match for them, because
it's not phishable. And so they

398
00:23:08,960 --> 00:23:12,350
ended up making that change to
security keys, and since then,

399
00:23:12,350 --> 00:23:15,140
have not seen issues and they
posted all about this on their

400
00:23:15,140 --> 00:23:17,030
blog. They've been really,
really forthcoming about how

401
00:23:17,030 --> 00:23:19,970
that works. So a lot of great
success stories with security

402
00:23:19,970 --> 00:23:23,000
keys for folks who have an
elevated threat model. Wow.

403
00:23:23,030 --> 00:23:25,610
Eveline Oehrlich: Wow. Wow. Wow.
Wow, lots, lots of great advice.

404
00:23:25,850 --> 00:23:28,130
I want to go back, we have a few
minutes left, I'm gonna go back

405
00:23:28,130 --> 00:23:32,210
to where we started out with
which is to kill your, your job.

406
00:23:32,450 --> 00:23:35,690
What do you do during the day?
Sounds fantastic, doesn't get

407
00:23:35,690 --> 00:23:40,340
boring, is very exciting and
right, right up in the digital

408
00:23:40,370 --> 00:23:45,620
age, right. It's key and
essential. So, so wanted to see

409
00:23:45,680 --> 00:23:50,750
any career advice. For listeners
here, you already said don't

410
00:23:50,750 --> 00:23:55,280
have to necessarily get a degree
in security to be a white hat

411
00:23:55,280 --> 00:23:59,750
hacker. Any, anything else?

412
00:23:59,870 --> 00:24:02,180
Rachel Tobac: Sure, I recommend if
you're excited about hacking,

413
00:24:02,180 --> 00:24:06,260
and you want to try some ethical
hacking, go to DEFCON, happens

414
00:24:06,260 --> 00:24:09,830
every year in Las Vegas in July
or August. It's an amazing

415
00:24:09,830 --> 00:24:14,750
conference for 30,000-plus
hackers descending upon one area

416
00:24:14,840 --> 00:24:18,770
practicing learning and
tinkering together. And so I

417
00:24:18,770 --> 00:24:21,710
highly recommend starting with
some talks maybe that you find

418
00:24:21,710 --> 00:24:24,650
online from DEFCON and then from
there seeing what your interests

419
00:24:24,740 --> 00:24:27,530
look like. If you would like to
join women in security and

420
00:24:27,530 --> 00:24:30,170
privacy all are welcome. You're
welcome to join us for our

421
00:24:30,170 --> 00:24:34,250
workshops where we get to tinker
and try different tools and see,

422
00:24:34,280 --> 00:24:38,180
you know, where do our interests
lie within hacking and privacy?

423
00:24:38,810 --> 00:24:42,290
And then from there, try it.
There's a lot of really cool

424
00:24:42,290 --> 00:24:46,070
ethical hacking skills that you
can try at DEFCON with your

425
00:24:46,070 --> 00:24:48,710
peers so I highly recommend
getting in there and just

426
00:24:48,740 --> 00:24:51,350
jumping in. A lot of people are
first timers every year.

427
00:24:51,350 --> 00:24:54,080
Eveline Oehrlich: When is
the next DEFCON coming up?

428
00:24:55,160 --> 00:24:57,890
Rachel Tobac: Let's see. DEFCON
2023

429
00:24:58,490 --> 00:25:00,350
Eveline Oehrlich: Sorry to put
you on the spot but I want to

430
00:25:00,350 --> 00:25:02,600
make sure that everybody knows
when it's happening.

431
00:25:02,810 --> 00:25:05,630
Rachel Tobac: August 10th through
the 13th, 2023.

432
00:25:05,810 --> 00:25:07,970
Eveline Oehrlich: All right,
everybody has enough time to buy

433
00:25:07,970 --> 00:25:11,630
themselves a ticket Las Vegas is
has a lot to offer besides

434
00:25:11,630 --> 00:25:14,570
DEFCON as well. All right,
super. Rachel, thank you so

435
00:25:14,570 --> 00:25:17,990
much. I'm gonna call you a
guardian angel. I think I read

436
00:25:17,990 --> 00:25:21,260
that somewhere else, you are
making the world a better place

437
00:25:21,800 --> 00:25:27,290
with your work. If people wanted
to learn more about you and the

438
00:25:27,290 --> 00:25:31,370
organization, where should they
go?

439
00:25:31,000 --> 00:25:34,300
Rachel Tobac: Of course, yeah, LinkedIn
is fine. Rachel Tobac there, and then my

440
00:25:34,300 --> 00:25:39,430
Twitter handle is just my name,
R-A-C-H-E-L T-O-B-A-C. Or

441
00:25:39,430 --> 00:25:41,290
you can go to my website
socialproofsecurity.com.

442
00:25:42,250 --> 00:25:44,770
Eveline Oehrlich: Fantastic.
Rachel, this has been really,

443
00:25:44,770 --> 00:25:48,100
really, really, really good.
Very good, very great. You have

444
00:25:48,100 --> 00:25:50,590
a lot of energy and you have
great job. I'm very envious of

445
00:25:50,590 --> 00:25:54,310
your job. Maybe I should try
that. As an analyst. I get to do

446
00:25:54,310 --> 00:25:57,490
a lot of fun things. But yours
sounds a lot more fun than mine.

447
00:25:57,790 --> 00:25:59,410
Rachel Tobac: Well, you can hack
a bank with me next time,

448
00:25:59,410 --> 00:25:59,740
Evelyn.

449
00:26:00,010 --> 00:26:02,680
Eveline Oehrlich: There we go.
That sounds great. Appreciate

450
00:26:02,680 --> 00:26:06,700
your time. Have a great rest of
the day. And thanks to everybody

451
00:26:06,700 --> 00:26:09,910
listening in to the humans of
DevOps with Evelyn Oehrlich and

452
00:26:09,910 --> 00:26:13,930
today with our guest Rachel
Tobac. Take care. Thank you. Bye.

