Eveline Oehrlich: Hello everybody, this is Eveline Oehrlich,
Chief Research Officer at the DevOps Institute, on the Humans
of DevOps podcast. And today we have a fantastic guest, Rachel
Tobac. She's actually the first hacker I have met. But before we
get there, let me quickly tell you a little bit about Rachel.
So Rachel is a hacker and CEO of SocialProof Security, where she
helps people and companies keep their data safe by training and
pentesting them on social engineering risks. Rachel was a
second-place winner of DEF CON's wild spectator sport, the social
engineering Capture the Flag contest, three years in a row.
Congratulations. Rachel has shared her real-life social
engineering stories with NPR, Last Week Tonight, the New York
Times, Business Insider, CNN, NBC Nightly News, Forbes and
many, many more. And having her here on our show, I am honored
to be able to speak to her. And it's
really fantastic to also see that Rachel is the chair of the
board for the nonprofit Women in Security and Privacy (WISP),
where she works to advance women to lead in the field. Welcome,
welcome, Rachel.
Rachel Tobac: Thank you for having me, Eveline.
Eveline Oehrlich: I am excited. Like I said, you are really my
first white hat hacker. And I was doing some reading on the
colors of hats, white hat and black hat. Give us a little bit of
insight on white hat versus black hat, and whether there are any
other colors of hats that you guys, or these folks, are
wearing.
Rachel Tobac: A lot of people use different hats to describe
different work. I actually tend to stay away from the hat
description. But I'll give you a high-level definition of what
people think of. People think of a black hat hacker as a
criminal, someone who's doing fraud, crime; they don't have
permission to do the hacking that they're doing. And a white
hat hacker is thought of as somebody who does have
permission first. So some might call that an ethical hacker. I
just use the word hacker to describe that person. So we use
the word hacker in the hacker community to describe somebody
who gets permission to do the things that they're doing, and
they're not trying to inflict harm. They're trying to help
people secure their machines and their software. And they think
of somebody who is not getting permission as a criminal. So the
words that we typically use in the field are hacker and
criminal.
Eveline Oehrlich: Ah, interesting. Now, I was looking
at your website, the SocialProof Security site, and watched
the trailer of the training video library. And there it says
that you're doing musical and spoken word content, all
about the topics you need to know to catch a cybercriminal in
the act. And that's a very different way of creating
training. The DevOps Institute is, of course, a
training institute, so explain to our listeners, what does that
mean? And even more so, how did you get that idea? Which, by the
way, I think is awesome.
Rachel Tobac: Yes, of course. So I'll tell you a little story to
give you some background on this. I've been doing
SocialProof Security since 2017. So at that point, after I got my
start in the DEF CON hacking competitions (I did the social
engineering one for three years and got second place three years
in a row), companies started asking me, "Hey, Rachel, can you
come to our organization and talk about how you hack? We want
to hear about the human element of security, how we can avoid
becoming one of your targets," etc. So I did that. We then
built out a whole line of services for things like talks,
workshops and training. Then those clients were like, "Hey,
Rachel, we just did this live event with you three months ago,
eight months ago. Do you have any videos? We want to use other
types of content, not just live events, because, you know, we
have new people starting every day." And so I said sure. So I
kind of started with a little experiment with the
community. We saw that on TikTok the sea shanty genre was
trending like crazy in 2021. And I was like, okay, well, maybe I
should make a TikTok about password management and multi-factor
authentication and how to stay safe online. So I did that,
because I like to meet people where they're at. You know, if
people are on TikTok, and they're using sea shanties to
communicate information, then I'll do that too. And it was
surprisingly successful. We had over 400,000 views on that, like,
immediately, and companies started reaching out to me. I
had over 100 companies say, "Hey, that InfoSec sea shanty about
multi-factor authentication and password managers, I don't know
why, but for some reason that worked, and people are now asking
me, 'How can I get MFA on my personal device? How do I get a
password manager? How do I avoid reusing my passwords? How do I
report a phishing email?', things that they would not normally ask
me. Can you make more songs?" And I have a background in
neuroscience, musical theater, improv. Not a classically
trained singer, but I sing. And in fact, I even met my husband
and my business partner, and both my husband and my business partner,
that's the same person, at an open mic night when
we were teenagers. So that's actually a huge part of my story
and background. And I was like, you know, I am uniquely
positioned to try something really different here and make
music and help people understand how to stay safe on the
internet. So we did it. We were like, the sea shanty worked,
let's do a beta launch. So we recorded spoken word videos
and music-based songs, all about things like malware, phishing,
passwords, ransomware, social media safety, patching,
reporting, social engineering, multi-factor authentication, and
we were like, we'll just test it, we'll see how people feel, you
know, what do they like about it. And in our research, we
found that about 80% of the people loved the music-based
training, and about 20% of people were like, "I learn
better with spoken training. I like to learn from people who
are speaking, and I like to see the hacking demonstrations that
way." So we built both equally, so that everyone gets a chance
to try the genre that works best for them. And it's worked. I
mean, it's really shocking me. We had over 160 companies
reach out in the first three weeks asking for demos, and
people are using it, and they're trying it and giving us
feedback. It's literally blowing my mind.
Eveline Oehrlich: Wow, that is fantastic. So I can just
imagine having a song or rhythm, something in my head, which I
can repeat over and over again to make sure that I do certain
things. So that's pretty much what you guys are doing. That is
fantastic. When AB told me, "Hey, I have Rachel Tobac.
She does this musical hacking," I was like, oh, I need to talk to
her. We need to bring this out. This is fantastic. So you
actually have a background, you said, in behavioral analysis,
right? So some of that, I'm sure, helped. And by the way, my
daughter was actually a psychologist in behavioral analysis,
also in Kansas City. She and I sometimes have conversations on
things like why we in technology are sometimes so
boring and don't grasp onto things. So the behavioral
analysis aspect, that must have helped you, right, to think
through what this does to the individuals?
Rachel Tobac: Absolutely, yeah. So my degree is in neuroscience
and behaviorism. I also studied cognitive behavioral psychology,
just as an additional element for my neuroscience
background. It helps give me context about the why behind the
hard science. So I have both. And I found that I can
understand things like UX research better when I have a
background in something like neuroscience, why people make
the decisions that they do. And so I figured, back in the day
when I decided to study that, that I could apply that to a
wide range of different types of roles. I had no idea what I was
going to become when I was in school. When I was in school, a
long time ago, I was working in a rat lab. I was trying to study
the effects of things like music on humans and rats. I even did a
rat study in our rat lab, helping a rat distinguish
between different types of music and seeing if that was useful
within their neural pathways. So there's a lot of different
research that I did that ended up helping me later in life. I
thought I was going to become a teacher, and I did, I taught for
six years. But after that, it helped me build my UX research
career and my hacking career. So it's wild how you can take such
a nonlinear path. And I'm sure the folks listening to this
probably have unique pathways to the jobs that they have today.
And I think it's really cool, because not everybody needs to
go to school for their specific area of study; they can apply
something that they learned earlier.
Eveline Oehrlich: Yeah, very, very encouraging. Because
skilling and re-skilling and upskilling is a big challenge
right now. There is, of course, in technology a large number of
skillful people needed. But do they all need to be IT engineers,
study computer science and things like that? We just did
some research on that. So that's interesting. You mentioned
social engineering. Now, I just want to make
sure, I had to look it up. I thought I knew what it was, but
I had to look it up. But for our listeners, tell us what that is.
What is social engineering?
Rachel Tobac: Sure. Social engineering is the human element
of hacking and security. So you can think of any way that a
person would be persuaded to do something that they wouldn't
normally do. So maybe, for instance, Eveline, let's say I'm
going to hack you. I'm not going to, but let's say for the
purposes of this example. I would need to come up with a
pretext, who I'm pretending to be, to convince you to do something
that you wouldn't normally do, like click a link, download
something malicious, tell me something sensitive, send me
money when I shouldn't actually be receiving that money from
you. And so I need to come up with all of the science, the
reasoning for why you should be doing those things. And
sometimes it's as easy as just sending somebody a link. But for
folks that know better and know to avoid those types of things,
we have to get pretty serious with our pretexting, or who
we're pretending to be. And it's more than just acting; we
have to understand the full backstory of who we're
impersonating, and who we're pretending to be when we're
talking to the target, the victim. And so there's
a lot that goes into social engineering. And it's been
one of the most fun fields to be able to transition into. And it
really does serve a lot of the interests that I had from
neuroscience and behaviorism.
Eveline Oehrlich: So besides being on these
broadcasts, being a sought-after speaker, joining us on the
podcast, and I'm sure you're traveling as well to other
places, when you go to your clients, what does that
look like? How can I understand what you do with
them, for them, in an engagement? Let's say I am the Jack in the Box
around the block, and I'd like you to help us because we have
issues. What does it look like?
Rachel Tobac: Sure, there's a variety of different ways that I
help our clients. So first and foremost, training. A lot of
times people need to train all of the folks at their
organization, or maybe one subset of individuals, for
instance the client-facing folks at their organization.
They might be concerned that the account managers and the
helpdesk and the customer service team keep getting
requests to change email addresses on accounts, which can
lead to account takeover and admin access that shouldn't be
granted. And so I can come in there and help them understand:
what do those protocols look like that you're using for
identity verification? What does it look like when you're
authenticating a person as someone? How do we know that
they are who they say they are? And that helps folks think
through their protocols and update them to avoid getting socially
engineered, or at least mitigate a lot of those risks. And so
training is a huge part of it. Another thing that we do is we
actually get hired to hack companies. So for instance, a
bank might say, "Hey, we want to know, can you steal money from
our clients' accounts?" And so we set up test accounts, and the
customer support teams do not know they are our test accounts, so that
we don't steal anybody's actual money. And then we go in there,
and we actually try account takeover: can I steal money? In
fact, we just had an engagement like this recently,
and we were able to steal money from two out of three of the
accounts. And so that helps them understand the vulnerabilities.
What does it look like? How can they prevent it? And what can we
do to overhaul this process so this doesn't happen when a
criminal tries next?
Eveline Oehrlich: Right. So you develop an actionable
plan for them to say, "Hey, you have to have different scripts,
different conversations, process adjustments," et cetera, et
cetera, which they can then follow. And then are there
follow-ups to do with them to ensure, I'm assuming you will,
right? Because, yeah.
Rachel Tobac: Yeah, it's really important to follow up and make
sure that everybody understands the why behind these changes. So
yeah, a big part of my job is the training, the protocol
adjustments (we call that a protocol workshop), and then
going in there and doing those keynotes or talks to talk
through what did we learn, what can we do about it, and what are
the recommendations and changes. And now, of course, we have the
videos too, so that if you're looking for something that you
can use for onboarding or monthly training or something
like that, we have that, and you don't need to have a live event
to do it.
Eveline Oehrlich: Yep. So what would you say the biggest
vulnerabilities are, in terms of what you're seeing in your
career and your journeys across the enterprise and the globe
today?
Rachel Tobac: One of the biggest things that I've seen, if you've
seen my Donie hack video, where I take over a CNN correspondent's
accounts, and I steal points, I gain access to his accounts. Let
me take a step back. Actually, I want to make sure that I
communicate to everybody that there are two
different ways that I hack. Either I hack you by contacting
you directly, or I hack you through the service providers
that you trust.
Eveline Oehrlich: Ah, yes. And I think that's the one I
saw. Yeah, yeah.
Rachel Tobac: So in this Donie hacking video, I contacted the
services that Donie trusts with his data to get access to his
accounts. I didn't contact Donie directly. So just to give that
context. So I contacted those organizations via phone and I
said, "Hey, I'm Donie." I'm spoofing his number, and the
caller ID looks like it's calling from him. I updated the
pitch of my voice to match, you know, what they might expect for
someone like Donie O'Sullivan, so that they don't question me. And
then from there we continue down the path of trying to gain
access to Donie's accounts. And for a lot of these
organizations, the questions that they ask an individual to
verify that person is who they say they are, are what we call
knowledge-based authentication questions, KBA. And these types
of questions are things like: what street did you grow up on?
Where do you live now, your current address, your date of
birth, last four digits of your credit card, your email address
or phone number. Just calling in and spoofing from that phone
number is sometimes enough to verify that specific question.
And so I'm able to get access to his airline accounts, hotel
points, his coffee card; the list goes on and on and on, and
steal all of those points, all that information, do full
account takeover very quickly. And so one thing that I try and
help organizations understand is, if you have folks at your
company who pick up the phone, that's a major vulnerability in
and of itself. And those protocols in many cases need to
be overhauled to verify that I am who I say I am when I'm
calling in to help you, or calling in to ask you for help.
And we also need to verify the internal folks, like the folks
that we rely on to do our job, IT support, things like that,
that those individuals are who they say they are, because we're
seeing a lot of organizations get hacked because somebody
gives a customer support person a call and either pretends to
be IT support from the company to gain access to internal
accounts (that's what happened in the Twitter hack of 2020), or
they're calling in and saying, "Hey, I'm Eveline, I need access
to my account. I just lost my phone. Can you go ahead and
change the phone number on my account? Okay, great." Hang up,
call back. "Can I change the email address on my account
right now? I can verify, right?" And so we have all these issues
with account takeover and phone-based authentication protocols.
And that's one of the big things that I like to support on.
Eveline Oehrlich: Yeah, I was listening to one where you were,
I think it was a delivery of furniture or something, and the
service person was actually quoting, telling you the
address, to confirm with you that that was
the right address. So that's an excellent example of where the
front end, whichever service individual, needed to think it
through, and the protocol needed to be changed. That's an
excellent example. Yeah.
Rachel Tobac: I really like how, when you just said that, you were
like, "the frontline person has to think it through," and it's like,
wait, no, they don't even think about it. Their team needs to
change the protocol that you use, because we have to take the
pressure off of individuals to try and do something that their
organization isn't telling them to do. Right? We can't expect
the person whose job it is to help you get access to your
account to come up with the verification protocols on the fly.
Yes. Fair, right. Yeah. Excellent. Yeah, we can't blame
people; we have to put the responsibility on companies to
update their protocols. I love that distinction you just made
on the fly.
Eveline Oehrlich: Yeah, that's a great, great correction of me,
of course, right? Because that has significant impact. The
companies need to do what they need to do. So you made some
points on what companies can do. Tell me about individuals. All of
us are out there, you know, what should we watch
out for? And can we actually become something like, tell
them, "Hey, you guys, you just said something, you need to
update your protocol"? Can we become Rachel? Maybe two questions. One
question is, how should individuals protect themselves
from getting hacked? Right? Let's go there first, I think.
Rachel Tobac: Sure. So, individuals. Let's just say you
can't control the services you trust with your data, right? We
can't hope and pray that they don't allow other people to call
in as us and get access to our data. So let's only talk about
what we can focus on as individuals. The first thing is
password reuse. Because we know that about 52% of people just
admit to reusing their passwords across multiple sites, including
the types of individuals who listen to this podcast, and even
hackers. And so we need to make sure that we don't reuse our
passwords, because that's one of the easiest ways for me to hack
you. I can just log into my password dump repository that I
have access to. It's all up there, it's on the internet.
It's not the dark web, it's just the clear internet. And I can go
ahead and get access to your password and just log in as you.
So we need to make sure that we don't reuse our passwords,
because if they end up in a breach, which
they're probably going to at some point, I'm going to use it
against you to steal your money or gain access to your email,
etc., etc. Use a password manager to store those long, random and
unique passwords, and always use multi-factor authentication to
back them up. We know a lot of people, even folks in the
developer community, know the importance of multi-factor
authentication, because if your tools that you've worked on,
maybe an open source tool, somebody gains access to that,
now we have a huge supply chain issue. This is something that
we're seeing over and over again in the news. And so the
importance of multi-factor authentication, and making sure
we don't just use a password to secure those important updates
that we push, is essential. And so those are the main things
that I would say you have control over and can make a
change on today. You can prioritize updating 10 of your passwords,
like, this weekend.
Eveline Oehrlich: Listen, listen up. I'm going to do exactly that
after this call. Because I am one of those who, even so, I mean
it, but yes, we're guilty of lots of that. Great. So you
mentioned a few things that companies could do, of
course: go get some training, start singing songs, learning
songs, right. Anything else on the company side they could do
which you think is absolutely high priority for those who are
listening in today?
Rachel Tobac: Sure. Well, we need to make sure that the
companies protect us, using two methods of communication to
confirm we are who we say we are when we call in, chat in, or
email in to get help. And so if I call into a company and I
say, "Hi, I'm Eveline, I need to change the email address on my
account," they should say something like, "Sure, Eveline, I
just shot a word or code to your phone. Go ahead and read that
out to me." Now, that's going to stop me as a hacker, because I'm
spoofing your phone number; I can't gain access to your text
messages, of course, without doing a SIM swap. But a lot of
times this is just low-hanging fruit, and we need to avoid
those types of issues. Then, we need to make sure that
individuals at companies understand the likelihood of
them receiving a phishing email, a vishing call, or SMS
text messages pretending to be something like Okta, which we're
seeing over and over again right now, and what we can do to
spot those and report them quickly. A lot of times people
will be like, "Oh, that seems spammy, I'm just gonna delete it," or "I'm
gonna ignore it." But we can actually save our coworkers who
are likely to fall for that stuff if we report quickly. And
then, in the end, the institution can say, "We've got a big
problem, we've got to shut this down and let people know." And
then from there, of course, multi-factor authentication that
matches the company's threat model. For instance, there is a
really famous case with the Twitter hack of 2020. In that
case, an attacker called up customer support pretending to
be IT support, got access to that password, was able to log
into the admin portal, and sent out all those spammy tweets,
you know, from the likes of Elon Musk, former President Barack
Obama, Kanye West; the list goes on. And they were able to do that
because there wasn't multi-factor authentication on that
account; the individual didn't use a second method of
communication to confirm the caller was truly IT support; and
their MFA model didn't match their threat model. And so they
used app-based MFA when a YubiKey, a security key, would have been a
great match for them, because it's not phishable. And so they
ended up making that change to security keys, and since then
have not seen issues, and they posted all about this on their
blog. They've been really, really forthcoming about how
that works. So a lot of great success stories with security
keys for folks who have an elevated threat model.
Eveline Oehrlich: Wow. Wow. Wow. Wow, lots, lots of great advice.
I want to go back, we have a few minutes left, I'm gonna go back
to where we started out, which is your job.
What you do during the day sounds fantastic. It doesn't get
boring, it's very exciting, and it's right up there in the digital
age, right. It's key and essential. So I wanted to see if you have
any career advice for listeners here. You already said you don't
have to necessarily get a degree in security to be a white hat
hacker. Anything else?
Rachel Tobac: Sure. I recommend, if you're excited about hacking
and you want to try some ethical hacking, go to DEF CON. It happens
every year in Las Vegas in July or August. It's an amazing
conference, 30,000-plus hackers descending upon one area,
practicing, learning and tinkering together. And so I
highly recommend starting with some talks, maybe that you find
online from DEF CON, and then from there seeing what your interests
look like. If you would like to join Women in Security and
Privacy, all are welcome. You're welcome to join us for our
workshops, where we get to tinker and try different tools and see,
you know, where do our interests lie within hacking and privacy?
And then from there, try it. There are a lot of really cool
ethical hacking skills that you can try at DEF CON with your
peers, so I highly recommend getting in there and just
jumping in. A lot of people are first-timers every year.
Eveline Oehrlich: When is the next DEF CON coming up?
Rachel Tobac: Let's see. DEF CON 2023...
Eveline Oehrlich: Sorry to put you on the spot, but I want to
make sure that everybody knows when it's happening.
Rachel Tobac: August 10 through the 13th, 2023.
Eveline Oehrlich: All right, everybody has enough time to buy
themselves a ticket. Las Vegas has a lot to offer besides
DEF CON as well. All right, super. Rachel, thank you so
much. I'm gonna call you a guardian angel. I think I read
that somewhere else. You are making the world a better place
with your work. If people want to learn more about you and the
organization, where should they go?
Rachel Tobac: Of course, yeah. LinkedIn is fine, Rachel Tobac there, and then my
Twitter handle is just my name, R-A-C-H-E-L T-O-B-A-C. Or
you can go to my website, socialproofsecurity.com.
Eveline Oehrlich: Fantastic. Rachel, this has been really,
really, really, really good. Very good, very great. You have
a lot of energy and you have a great job. I'm very envious of
your job. Maybe I should try that. As an analyst, I get to do
a lot of fun things. But yours sounds a lot more fun than mine.
Rachel Tobac: Well, you can hack a bank with me next time,
Eveline.
Eveline Oehrlich: There we go. That sounds great. Appreciate
your time. Have a great rest of the day. And thanks to everybody
listening in to the Humans of DevOps with Eveline Oehrlich and
today with our guest Rachel Tobac. Take care. Thank you. Bye.