Rachel Tobac, a white hat hacker and the CEO of SocialProof Security, tells us just how paranoid we need to be online.
Rachel Tobac is a hacker—not a Mr. Robot-type who steals your information for nefarious purposes while donning sunglasses and a hoodie (that’s what she’d call a “criminal”). Instead, she helps people and businesses protect themselves against cyberattacks for a living as a type of hacker called a “white hat.”
Tobac didn’t set out to be a hacker; her foray into the world of tech was an unexpected intersection of other passions: she has a background in behavioral science, neuroscience, improv, and musical theater. And while those may not immediately seem related to the world of cybersecurity, there is a method to the madness. Tobac became interested in a form of hacking called social engineering—where a hacker assumes someone’s identity in order to manipulate a target into exposing their information—at a DEF CON convention in Las Vegas. Fascinated by the live-hacking challenges at the event, she spent a year studying, only to return to the next convention, participate in a hacking competition in front of an audience of 500 people, and win second place on her first try. She cites the energy of the crowd as a partial reason for her triumph.
Tobac later founded SocialProof Security with her husband, a security researcher, where they help both companies and individuals (like politicians and celebrities) protect their data. We asked Tobac about the ins and outs of her work as a hacker and how she uses her powers for good.
Tobac’s work at SocialProof Security involves training companies and individuals on how to be aware of and put an end to social engineering attacks through demonstrations. How does she do it?
“Social engineering over the phone is called ‘vishing’—voice elicitation. It’s a known vector for social engineering, and a really, really strong vector at that. It uses tools like impersonation and pretexting (when you pretend to be someone else). We can spoof a phone number and make it appear differently on a Caller ID, and we can make the voice on the other end of the line sound like someone it’s not.” (You can see Tobac use this technique here as she steals hotel points from a CNN tech reporter.)
“I’m assuming someone else’s identity completely when I’m hacking over the phone. Let’s say I was trying to hack into your account. I would ask myself a couple of questions: What level of access do you have? How sensitive is that access? And who do you have to trust to get your job done? The people that you trust to get your job done are the people that I’m going to pretend to be when I’m hacking you.”
“I can find about 60% of that information I need to hack a person on Instagram alone. This includes posts, geolocation tagging, comments, and simple tagging. Twitter and Facebook are also very useful. I’ll use advanced searches for both of those.
“I’ll also use Google dorking, which is when we use special search operators on a search engine to uncover things that people believe to be private but aren’t. A special search operator might uncover a PDF that’s only meant for internal use, or is confidential, but I’m able to uncover it because someone [often unknowingly] leaked it in a PowerPoint one day, and now that PowerPoint is up publicly online.”
“One of my biggest jobs is helping people become Politely Paranoid™. How much in the public eye are you? Are you a politician? Are you the president? Are you in the senate? Those who are in the public eye—celebrities for instance—need to be extremely politely paranoid about what they do or don’t post. For a person who is not in the public eye, posting a picture of yourself drinking a mojito on the beach is completely fine. I would just [suggest] they don’t tag the hotel they’re staying at. If they don’t tag the hotel, then I don’t know who to place the call to, pretend to be them, and gain access to where they’re staying and what room number they are in.
“Disinformation, as we’ve all encountered, is on the rise on social media. As technology advances and DeepFakes become stronger and more believable, we’re going to need to be able to programmatically find, detect, label and remove that type of content, because it can really impact public discourse.”
“Hackers and criminals are working in lockstep. For example, I’ll try a brand-new hacking methodology, and then two weeks later I’ll hear that a criminal tried the exact same thing that I just did, in some data dump. With the speed that we are trying to manipulate and gain access to new tools, or trying account takeover methods, it’s neck and neck, and it will probably be like that for a while.”
“The most essential tools an organization can deploy for all their users are MFA (multifactor authentication) and a password manager. Both of those are essential for each employee; without a password manager we’ll see loads of password reuse, and without MFA it will be easier for an attacker to take over an account.
“MFA should be mandatory, and if you have users, find a way to encourage them positively to turn on their MFA. The more you can move towards hardware-like MFA the better. We want to move away from SMS, though SMS is better than nothing in many cases. As you move toward being more well-known or more available online, you’re going to want to move towards Google Authenticator, or Duo, or some sort of tokenized MFA like a YubiKey or a Google Titan Key. That’s something that should be deployed at the business level.
“Tools to help people remove and manage their identity online are really important. A tool I really like is Abine’s DeleteMe. It’s a service that deletes your information from data brokerage sites. I recommend that companies provide that for their employees if possible.”
“The most common mistakes people make are reusing passwords and not keeping machines or browsers up to date. It’s so important to not reuse passwords, and we know that 52% of people do because of Google’s online security survey from 2019. [Editor’s note: This is just one of many reported statistics, some of which indicate that as many as 72% of individuals reuse passwords.] Those are just the people who admit to reusing their passwords. We know it’s probably much larger than that.
“Another common mistake has to do with keeping machines and software up to date. With software updates, companies are closing known vulnerabilities. One of the easiest things for me to do is to look up a known vulnerability for your machine, solicit that information out of you, and then tailor my malware for your machine.”
“A lot of times people tell me, ‘Rachel I’m way too paranoid to use a password manager, it feels like putting all my eggs in one basket,’ so I’ll tell them: using a password manager is better than reusing your passwords, and if you need an extra special trick to be convinced a password manager is safe then I recommend people ‘salt’ their passwords. This means that you still store passwords in a password manager, but you also have a special little code that only you know that’s not stored in your password manager.
“You enter this code manually for your password [after it’s autofilled by your password manager]. Now, an attacker would have to miraculously break encryption (which isn’t computationally possible right now), crack your master password, break your multifactor authentication for your password manager, and if they pulled off all of these feats—which again isn’t possible because of encryption, but let’s humor the hypothetical—then they still wouldn’t be able to use the passwords in your password manager because you have a special code you add to those passwords that the attacker doesn’t know about.”
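As an added illustration of the “salt” trick Tobac describes (example code written for this page, not from the interview or from Dashlane): the password manager stores a random password, the website stores only a salted hash, and the short memorised suffix exists nowhere but in the user’s head, so the vault contents alone do not log in. Function names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed simulation of the technique above. Note the two different
# "salts": the site keeps a per-user random salt next to its hash (standard
# practice), while the user's memorised suffix is what Tobac calls a "salt"
# and is never written into the password manager.

def pbkdf2_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def site_register(password: str) -> dict:
    """What the website stores: a random per-user salt and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": pbkdf2_hash(password, salt)}

def site_verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison of the attempted password against the record."""
    return hmac.compare_digest(record["hash"], pbkdf2_hash(attempt, record["salt"]))

def manager_generate() -> str:
    """Random password the manager stores and autofills (constructed value)."""
    return secrets.token_urlsafe(24)

def effective_password(stored: str, memorised_suffix: str) -> str:
    """The credential actually sent to the site: autofilled value + typed suffix."""
    return stored + memorised_suffix

def demo(memorised_suffix: str = "!k9") -> dict:
    """Register with the combined credential, then test three login attempts."""
    stored = manager_generate()
    record = site_register(effective_password(stored, memorised_suffix))
    return {
        # An attacker holding only the vault entry cannot log in.
        "vault_only": site_verify(record, stored),
        # The legitimate user types the suffix after autofill.
        "with_suffix": site_verify(record, effective_password(stored, memorised_suffix)),
        # A guessed suffix fails as well.
        "wrong_suffix": site_verify(record, effective_password(stored, "???")),
    }

if __name__ == "__main__":
    print(demo())
```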
Want more Rachel? View our Happy Hour with a Hacker!
Hear more from Rachel Tobac and get the inside scoop on cybersecurity from an expert who’s literally been there, hacked that. Join Rachel and Dashlane’s Diva Hurtado for a conversation and Q&A we called Happy Hour with a Hacker. View the recording here.