September 28, 2022
Episode 89 of the Humans of DevOps Podcast features Rachel Tobac. Rachel is a hacker and the CEO of SocialProof Security where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was also 2nd place winner of DEF CON's wild spectator sport, the Social Engineering Capture the Flag contest, 3 years in a row. Rachel has shared her real life social engineering stories with NPR, Last Week Tonight with John Oliver, The New York Times, Business Insider, CNN, NBC Nightly News with Lester Holt, Forbes and many more. In her remaining spare time, Rachel is the Chair of the Board for the nonprofit Women in Security and Privacy (WISP) where she works to advance women to lead in the fields.
Special thanks to our sponsor Range!
(lightly edited for spelling and to correct the robots).
Eveline Oehrlich 0:00
Hello everybody, this is Eveline Oehrlich, Chief Research Officer at the DevOps Institute, on the Humans of DevOps podcast. And today we have a fantastic guest, Rachel Tobac. She's actually my first hacker I have met. But before we get there, let me quickly tell you a little bit about Rachel. So Rachel is a hacker and CEO of SocialProof Security, where she helps people and companies keep their data safe by training and pentesting them on social engineering risks. Rachel was a place winner of DEF CON's wild spectator sport, the Social Engineering Capture the Flag contest, three years in a row. Congratulations. Rachel has shared her real life social engineering stories with NPR, Last Week Tonight, The New York Times, Business Insider, CNN, NBC Nightly News, and Forbes and many, many more. And having her here on our show, I am honored to be able to speak to you in her remaining space. And that's really fantastic to also see that Rachel is the chair of the board for the nonprofit Women in Security and Privacy (WISP), where she works to advance women to lead in the fields. Welcome, welcome, Rachel.
Rachel Tobac 1:14
Thank you for having me, Evelyn.
Eveline Oehrlich 1:16
I am excited. Like I said, you are really my first white hat hacker. And I was doing some reading on the colors of white hat and black hat. And give us a little bit of an insight on white hat versus black hat. And if there are any other colors of the hats, you guys are or these folks are wearing.
Rachel Tobac 1:39
A lot of people use different hats to describe different work, I tend to stick away actually from the hat description. But I’ll give you a high level definition of what people think of. People think of a black hat hacker as a criminal, someone who’s doing fraud, crime, they don’t have permission to do the hacking that they’re doing. And a white hat hacker is thought of as somebody who does have permission first. So some might call that an ethical hacker. I just use the word hacker to describe that person. So we use the word hacker in the hacker community to describe somebody who gets permission to do the things that they’re doing. And they’re not trying to inflict harm. They’re trying to help people secure their machines and their software. And they think of somebody who is not getting permission as a criminal. So the words that we typically use in the field are hacker and criminal.
Eveline Oehrlich 2:27
Ah, interesting. Now I was looking at your website, SocialProof Security, and watched the trailer of the training video library. And there it says that you're doing musical and spoken word content, all about the topics you need to know to catch a cybercriminal in the act. And that's a very different way of creating training, where the DevOps Institute, of course, is our training institute. So explain to our listeners, what does that mean, and even more so, how did you get that idea? Which, by the way, I think is awesome.
Rachel Tobac 3:06
Yes, of course. So I'll tell you a little story to give you some background on this. I've been doing SocialProof Security since 2017. So at that point, after I got my start in the DEFCON hacking competitions, I did the social engineering one for three years and got second place three years in a row. Companies started asking me, Hey, Rachel, can you come to our organization and talk about how you hack? We want to hear about the human element of security, how we can avoid becoming one of your targets, etc. So I did that. We then built out a whole line of services for things like talks, workshops and training. Then those clients were like, Hey, Rachel, we just did this live event with you three months ago, eight months ago. Do you have any videos? We want to use other types of content, not just live events, because you know, we have new people starting every day. And so I said sure. So I kind of started with like a little experiment with the community. We saw that on TikTok, the sea shanty genre was trending like crazy in 2021. And I was like, Okay, well, maybe I should make a TikTok about password management and multi-factor authentication and how to stay safe online. So I did that because I like to meet people where they're at, you know, if people are on TikTok, and they're using sea shanties to communicate information, then I'll do that too. And it was surprisingly successful. We had over 400,000 views on that, like immediately, and companies started reaching out to me. I had over 100 companies say, hey, that InfoSec sea shanty about multi-factor authentication and password managers, I don't know why, but for some reason that worked, and people are now asking me, How can I get MFA on my personal device? How do I get a password manager? How do I avoid reusing my passwords? How do I report a phishing email? Things that they would not normally ask me. Can you make more songs? And I have a background in neuroscience, musical theater, improv.
Not a classically trained singer. But I sing. And in fact, I even met my husband and my business partner. Both my husband and my business partner, that's the same person, at an open mic night, when we were teenagers. So that's actually a huge part of my story and background. And I was like, you know, I am uniquely positioned to try something really different here and make music and help people understand how to stay safe on the internet. So we did it. We were like, the sea shanty worked, let's do a beta launch. So we recorded spoken word videos, and music based songs, all about things like malware, phishing, passwords, ransomware, social media safety, patching, reporting, social engineering, multi-factor authentication, and we're like, we'll just test it, we'll see how people feel, you know, what do they like about it. And in our research, we found that about 80% of the people loved the music based training, and about 20% of people were like, I learn better with spoken training. I like to learn from people who are speaking. And I like to see the hacking demonstrations that way. So we built both equally, so that everyone gets a chance to try the genre that works best for them. And it's worked. I mean, it's really shocking me, we had over 160 companies reach out in the first three weeks asking for demos, and people are using it, and they're trying it and giving us feedback. It's literally blowing my mind.
Eveline Oehrlich 6:39
Wow, that is fantastic. So I could just imagine having a song or rhythm, something in my head, which I can repeat over and over again to make sure that I do certain things. So that's pretty much what you guys are doing. That is fantastic. When AB told me, Hey, I have Rachel Tobac. She does this musical hacking. I was like, oh, I need to talk to her. We need to bring this out. This is fantastic. So you actually have a background, you said, in behavioral analysis, right? So some of that, I'm sure. And by the way, my daughter was actually a psychologist, behavioral analysis also, in Kansas City. She and I sometimes have conversations on things like why we in technology are sometimes so boring and don't grasp onto things. So the behavioral analysis aspect, that must have helped you, right, to think through in terms of what this does to the individuals?
Rachel Tobac 7:37
Absolutely, yeah. So my degree is in neuroscience and behaviorism. I also studied cognitive behavioral psychology just as like an additional element for my neuroscience background. It helps give me context about the why behind the hard science. So I have both. And I found that I can understand better things like UX research, when I have a background in something like neuroscience, why people make the decisions that they do. And so I figured back in the day when I decided to study that, that I could apply that to a wide range of different types of roles. I had no idea what I was going to become when I was in school. When I was in school a long time ago, I was working in a rat lab, I was trying to study the effects of things like music on humans and rats. I even did a rat study in our rat lab, helping a rat distinguish between different types of music and seeing if that was useful within their neural pathways. So there's a lot of different research that I did that ended up helping me later in life. I thought I was going to become a teacher. And I did, I taught for six years. But after that, it helped me build my UX research career and my hacking career. So it's wild how you can take such a nonlinear path. And I'm sure the folks listening to this probably have unique pathways to the jobs that they have today. And I think it's really cool because not everybody needs to go to school for their specific area of study, they can apply something that they learned earlier.
Eveline Oehrlich 9:07
Yeah, very, very encouraging. Because skilling and re-skilling and upskilling is a big challenge right now. There is, of course, in technology a large amount of skillful people needed. But do they all need to be IT engineers, study computer science and things like that? We just did some research on that. So that's interesting that you mentioned that. Now, you said social engineering. I just want to make sure, I had to look it up. I thought I knew what it was, but I had to look it up. But for our listeners, tell us what that is. What is social engineering?
Rachel Tobac 9:39
Sure. Social engineering is the human element of hacking and security. So you can think of any way that a person would be persuaded to do something that they wouldn't normally do. So maybe for instance, Evelyn, let's say I'm going to hack you. I'm not going to, but let's say for the purposes of this example, I would need to come up with a pretext, who I'm pretending to be, to convince you to do something that you wouldn't normally do, like click a link, download something malicious, tell me something sensitive, send me money when I shouldn't actually be receiving that money from you. And so I need to come up with all of the science, the reasoning for why you should be doing those things. And sometimes it's as easy as just sending somebody a link. But for folks that know better and know to avoid those types of things, we have to get pretty serious with our pretexting, or who we're pretending to be. And it's more than just acting, but we have to understand the full backstory of who we're impersonating, and who we're pretending to be when we're impersonating to the target, the victim. And so there's a lot that goes into social engineering. And it's been one of the most fun fields to be able to transition into. And it really does serve a lot of the interests that I had from neuroscience and behaviorism.
Eveline Oehrlich 10:56
So when you go to your, besides being on these broadcasts, being a sought after speaker, joining us on the podcast, and I'm sure you're traveling as well to other places, when you go to your clients, what does that look like? How can I understand what you do with them, for them? In an engagement, let's say I am Jack in the Box around the block, and I'd like you to help us because we have issues. What does it look like?
Rachel Tobac 11:26
Sure, there's a variety of different ways that I help our clients. So first and foremost, training. A lot of times people need to train all of the folks at their organization, or maybe one subset of individuals, for instance, the client facing folks at their organization. They might be concerned that the account managers and the helpdesk and the customer service team keep getting requests to change email addresses on accounts, which can lead to account takeover and admin access that shouldn't be granted. And so I can come in there and help them understand, what do those protocols look like that you're using for identity verification? What does it look like when you're authenticating a person as someone? How do we know that they are who they say they are? And that helps folks think through their protocols, update them to avoid getting social engineered, or at least mitigate a lot of those risks. And so training is a huge part of it. Another thing that we do is we actually get hired to hack companies. So for instance, a bank might say, hey, we want to know, can you steal money from our clients' accounts? And so we set up test accounts, that customer support teams do not know are test accounts, so that we don't steal anybody's actual money. And then we go in there, and we actually try account takeover, can I steal money? In fact, we just had an engagement like this recently, and we were able to steal money from two out of three of the accounts. And so that helps them understand the vulnerabilities. What does it look like? How can they prevent it? And what can we do to overhaul this process, so this doesn't happen when a criminal tries next?
Eveline Oehrlich 13:03
Right. So you develop an actionable plan for them to say, hey, you have to have different scripts, different conversations, process adjustments, et cetera, et cetera, which they can then follow. And then are there follow-ups to do with them to ensure, I'm assuming you will, right, because, yeah.
Rachel Tobac 13:22
Yeah, it’s really important to follow up and make sure that everybody understands the why behind these changes. So yeah, a big part of my job is the training, the protocol adjustments, we call that a protocol workshop. And then going in there and doing those keynotes or talks to talk through what did we learn? What can we do about it? And what are the recommendations and changes? And now of course, we have the videos too, so that if you’re looking for something that you can use for onboarding or monthly training or something like that, we have that and you don’t need to have a live event to do it.
Eveline Oehrlich 13:50
Yep. So what would you say the biggest vulnerabilities are, in terms of what you're seeing in your career and your journeys across the enterprise and the globe today?
Rachel Tobac 14:03
One of the biggest things that I've seen, if you've seen my Donie hack video, where I take over a CNN correspondent's accounts, and I steal points, I gain access to his accounts. Let me take a step back. Actually, I want to make sure that I communicate to everybody that there's two different ways that I hack. Either I hack you by contacting you directly, or I hack you through the service providers that you trust.
Eveline Oehrlich 14:27
Ah, yes. And I think that’s, that’s the one I saw. Yeah, yeah.
Rachel Tobac 14:31
So in this Donie hacking video, I contacted the services that Donie trusts with his data to get access to his accounts. I didn't contact Donie directly. So just to give that context. So I contacted those organizations via phone and I said, Hey, I'm Donie. I'm spoofing his number, and this caller ID looks like it's calling from him. I updated the pitch of my voice to match, you know, what they might expect for someone like Donie O'Sullivan, so that they don't question me. And then from there we continue down the path of trying to gain access to Donie's accounts. And for a lot of these organizations, the questions that they ask an individual to verify that person is who they say they are, are what we call knowledge based authentication questions, KBA. And these types of questions are things like, what street did you grow up on? Where do you live now, your current address, your date of birth, last four digits of your credit card, your email address or phone number. Just calling in and spoofing from that phone number is sometimes enough to verify that specific question. And so I'm able to get access to his airline accounts, hotel points, his coffee card, the list goes on and on and on, and steal all of those points, all that information, do full account takeover very quickly. And so one thing that I try and help organizations understand is, if you have folks at your company who pick up the phone, that's a major vulnerability in and of itself. And those protocols in many cases need to be overhauled to verify that I am who I say I am, when I'm calling in to help you or calling in to ask you for help. And we also need to verify the internal folks, like the folks that we rely on to do our job, IT support, things like that, that those individuals are who they say they are, because we're seeing a lot of organizations get hacked because somebody gives a customer support person a call, and either pretends to be IT support from the company to gain access to internal accounts.
That's what happened in the Twitter hack of 2020. Or they're calling in and saying, Hey, I'm Evelyn, I need access to my account. I just lost my phone, can you go ahead and change the phone number on my account? Okay, great. Hang up, call back. Can I change the email address on my account? Right now I can verify, right? And so we have all these issues with account takeover and phone based authentication protocols. And that's one of the big things that I like to support on.
Eveline Oehrlich 16:56
Yeah, I was listening to one where you were, I think it was a delivery of a furniture or something. And the service person was actually quoting or telling you the address, to confirm with you that that was the address. So that's an excellent example of where the front end, whoever the service individual is, needed to think through, and the protocol needed to be changed. That's an excellent example. Yeah,
Rachel Tobac 17:24
I really like how when you just said that you were like the frontline person has to think through and it’s like, wait, no, they don’t even think about it. Their team needs to change the protocol that you use, because we have to take the pressure off of individuals to try and do something that their organization isn’t telling them to do. Right. We can’t expect the person whose job it is to help you get access to your account to on the fly come up with the verification protocols. Yes. Fair, right. Yeah. Excellent. Yeah, we can’t blame people, we have to put the responsibility on companies to update their protocols. I love that distinction you just made on the fly?
Eveline Oehrlich 18:02
Yeah, that great, great correction of me, of course, right? Because that has significant impact. The companies need to do what they need to do. So you made some points on what companies can do. Tell me about individuals all of us are out there, you know, we get I mean, what should we watch out for? And can we actually become something like, tell them? Hey, you guys, you just said something, you need to update your can we become Rachel, maybe two questions. One question is, how should individuals protect themselves for not getting hacked? Right? Let’s go there first, I think,
Rachel Tobac 18:42
Sure. So individuals, let's just say you can't control the services you trust with your data, right? We can't hope and pray that they don't allow other people to call in as us and get access to our data. So let's only talk about what we can focus on as individuals. The first thing is password reuse. Because we know that about 52% of people just admit reusing their passwords across multiple sites, including the types of individuals who listen to this podcast, and even hackers. And so we need to make sure that we don't reuse our passwords, because that's one of the easiest ways for me to hack you. I can just log into my password dump repository that I have access to. It's all up there, it's on the internet. It's not the dark web, it's just the clear internet. And I can go ahead and get access to your password and just log in as you. So we need to make sure that we don't reuse our passwords, because if they end up in a breach, which they're probably going to at some point, I'm going to use it against you to steal your money or gain access to your email, etc, etc. Use a password manager to store those long, random and unique passwords and always use multi-factor authentication to back them up. We know a lot of people, even folks in the developer community, know the importance of multi-factor authentication, because if your tools that you've worked on, maybe an open source tool, somebody gains access to that, now we have a huge supply chain issue. This is something that we're seeing over and over again in the news. And so the importance of multi-factor authentication, and making sure we don't just use a password to secure those important updates that we push, it's essential. And so those are the main things that I would say you have control over and can make a change today. You can prioritize updating 10 of your passwords, like this weekend.
Eveline Oehrlich 20:36
Listen, listen up. I’m going to do that exactly after this call. Because I am one of those who even so I mean it and but yes, we’re guilty of lots of that. Great. So you mentioned a few things on companies, but they could do of course, go get some training, start singing songs, learning songs, right. Anything else on the company side they could do, which you think is absolutely high priority for those who are listening in today?
Rachel Tobac 21:04
Sure. Well, we need to make sure that the companies protect us using two methods of communication to confirm we are who we say we are when we call in, chat in, and/or email in to get help. And so if I call into a company, and I say, Hi, I'm Evelyn, I need to change the email address on my account, they should say something like, Sure, Evelyn, I just shot a word or code to your phone, go ahead and read that out to me. Now, that's going to stop me as a hacker, because I'm spoofing your phone number, I can't gain access to your text messages, of course, without doing a SIM swap. But a lot of times, this is just low hanging fruit, and we need to avoid those types of issues. Then, we need to make sure that individuals at companies understand the likelihood of them receiving a phishing email, a vishing call, SMS text messages pretending to be something like Okta, which we're seeing over and over again right now, and what we can do to spot those and report them quickly. A lot of times people will be like, Oh, that seems spammy, I'm just gonna delete it, or I'm gonna ignore it. But we can actually save our coworkers, who are likely to fall for that stuff, if we report quickly. And then in the end, the institution can say, we've got a big problem, we got to shut this down and let people know. And then from there, of course, multi-factor authentication that matches the company's threat model. For instance, this is a really famous case with the Twitter hack of 2020. In that case, an attacker called up customer support, pretending to be IT support, got access to that password, was able to log into the admin portal, and send out all those spammy tweets from, you know, like Elon Musk, former President Barack Obama, Kanye West, the list goes on. And they were able to do that because there wasn't multi-factor authentication on that account. The individual didn't use a second method of communication to confirm the caller was truly IT support.
And their MFA model didn't match their threat model. And so they used app based MFA when a YubiKey, a security key, would have been a great match for them, because it's not phishable. And so they ended up making that change to security keys, and since then have not seen issues, and they posted all about this on their blog. They've been really, really forthcoming about how that works. So a lot of great success stories with security keys for folks who have an elevated threat model. Wow.
Eveline Oehrlich 23:23
Wow. Wow. Wow. Wow, lots, lots of great advice. I want to go back, we have a few minutes left, I'm gonna go back to where we started out with, which is your job. What do you do during the day? Sounds fantastic, doesn't get boring, is very exciting and right up in the digital age, right. It's key and essential. So, I wanted to see any career advice for listeners here. You already said you don't have to necessarily get a degree in security to be a white hat hacker. Anything else? Sure,
Rachel Tobac 23:59
I recommend, if you're excited about hacking, and you want to try some ethical hacking, go to DEFCON. It happens every year in Las Vegas in July or August. It's an amazing conference for 30,000-plus hackers descending upon one area, practicing, learning and tinkering together. And so I highly recommend starting with some talks, maybe, that you find online from DEFCON, and then from there seeing what your interests look like. If you would like to join Women in Security and Privacy, all are welcome. You're welcome to join us for our workshops where we get to tinker and try different tools and see, you know, where do our interests lie within hacking and privacy? And then from there, try it. There's a lot of really cool ethical hacking skills that you can try at DEFCON with your peers, so I highly recommend getting in there and just jumping in. A lot of people are first timers every year.
Eveline Oehrlich 24:51
When is the next DEFCON coming up?
Rachel Tobac 24:55
Let’s see. DEFCON 2023
Eveline Oehrlich 24:58
Sorry to put you on the spot but I want to make sure that everybody knows when it’s happening.
Rachel Tobac 25:02
August 10 through the 13th, 2023.
Eveline Oehrlich 25:05
All right, everybody has enough time to buy themselves a ticket. Las Vegas has a lot to offer besides DEFCON as well. All right, super. Rachel, thank you so much. I'm gonna call you a guardian angel. I think I read that somewhere else, you are making the world a better place with your work. If people wanted to learn more about you and the organization, where should they go? Of course, yeah,
Rachel Tobac 25:31
LinkedIn is fine, Rachel Tobac there, and then my Twitter handle is just my name, R-A-C-H-E-L T-O-B-A-C. Or you can go to my website, socialproofsecurity.com.
Eveline Oehrlich 25:42
Fantastic. Rachel, this has been really, really, really, really good. Very good, very great. You have a lot of energy and you have a great job. I'm very envious of your job. Maybe I should try that. As an analyst, I get to do a lot of fun things. But yours sounds a lot more fun than mine.
Rachel Tobac 25:57
Well, you can hack a bank with me next time, Evelyn.
Eveline Oehrlich 26:00
There we go. That sounds great. Appreciate your time. Have a great rest of the day. And thanks to everybody listening in to the Humans of DevOps with Eveline Oehrlich and today with our guest Rachel Tobac. Take care. Thank you. Bye.