Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:00
When I was in college, a scammer called
0:02
me up. He's like, look, I'm
0:04
not selling you anything or even telling you what to do. I
0:07
just have information about a stock and
0:09
I wanted to share it with someone. And you were just
0:12
like the lucky guy I found in the phone book. Listen,
0:14
stock Z is gonna go up next
0:16
week. That's all. I'll call
0:19
you back next week to prove it. I was like,
0:21
all right, that was a strange call. Whatever.
0:25
And yeah, he calls me back in a week.
0:27
And sure enough, the stock he told me about
0:29
went way up. He was spot on. He
0:32
was all excited about how much money he made. But
0:34
I told him, he just got lucky and he should
0:36
cash out and take a trip somewhere. He's like, no,
0:39
no, no, it's not luck. There's an
0:41
algorithm that can accurately predict this.
0:44
And he said he knew which stock was gonna go up next.
0:46
I was like, all right, so which one's gonna go up
0:48
next? And he tells me and says to keep an eye
0:50
on it and he's gonna call me back next week to
0:52
prove he was right. So yeah,
0:54
another week goes by and
0:56
the same guy calls me back and he's like,
0:58
boom, you see what I mean? And
1:00
he was all excited again. And I was like, I
1:03
don't see what you mean, but let me check the
1:05
price. And I checked the price and again,
1:07
he was right. And I was like, dang,
1:11
good job. But I think
1:13
you got lucky again. He said, no, he's been doing
1:15
this for a solid year now. And he's been
1:17
right every time. And he tells
1:19
me more about this algorithm and how he's
1:21
analyzing different indicators and watching the stock market
1:23
extremely close and just has everything dialed in.
1:26
And he tells me about another stock that
1:28
he says is surely going to go up.
1:31
And I'm like, okay, call
1:33
me back in a week. Let's see if you're right. And
1:35
sure enough, after a week I checked and he
1:37
was right again, three accurate stock price
1:39
predictions in a row. And
1:41
he called me back and he's like, dude. And
1:44
I'm like, dude. And he's like, you see
1:46
that? I said, I saw that. How are you
1:48
doing this? And he's like, I cracked the
1:50
code. But then like
1:52
the snake he was, he tried to strike at me. He
1:55
said, listen, the next one is
1:57
the craziest one I've ever seen.
2:00
There's this company whose stock price is gonna explode,
2:02
but the best part is they're in the
2:04
initial investor round. So you can get in
2:06
on the ground floor if you want. How
2:08
much do you wanna invest? 10 grand? You've
2:11
slept on three of these. You're not gonna wanna
2:13
miss another, right? And I'm
2:15
like, I'm
2:17
a college kid, dude. I've got 30 bucks
2:20
in the bank. I don't have 10 grand.
2:23
And he's like, ah, crap. He
2:26
hung up the phone. But
2:28
this fascinated me. Who was this guy
2:30
that was always getting the stocks right?
2:32
What was his algorithm? So I
2:34
looked into it. I met with a stock broker and
2:37
I asked him, how is this possible? And he's like,
2:39
ah, that guy was a scammer. And I'm like, duh,
2:41
I know. But how did he get the stocks right
2:43
every time? And this guy broke it down
2:45
for me. He said, okay. That guy called up
2:47
a whole bunch of people on week one, told half of
2:49
them the stock was gonna go up, I told the other
2:51
half the stock was gonna go down. Then
2:54
he called back the people who he was
2:56
right with. And he told half of
2:58
them about another stock that would go
3:00
up. And the other half, he would say, that stock's
3:02
gonna go down. And then he did
3:04
it a third time, calling back the people he
3:06
was right two times with, telling half of them
3:08
that the stock is gonna go up and the
3:11
other half saying it's gonna go down. So by
3:13
the time he did that three times, he had
3:15
this small pool of people who
3:17
he was right with every time. But
3:19
really, he was just playing a math game
3:21
with his victims. And
3:24
I think this is such a long but
3:26
brilliant scam. Seemingly, this guy
3:28
was golden, perfect, getting it right
3:30
every time. But what I didn't know
3:32
is that he was getting his
3:35
predictions wrong all over town. And I was
3:37
just one of the unlucky few that
3:39
saw him get it right every time. These
3:46
are true stories from the dark side of
3:48
the internet. I'm
3:53
Jack Resider. This
3:55
is Dark Knight Diaries. This
4:14
episode is brought to you by
4:16
Varonis. So many security incidents are
4:18
caused by attackers finding and exploiting
4:20
excessive permissions. All it takes is
4:22
one exposed folder, bucket, or API
4:24
to cause a data breach crisis.
4:27
The average organization has tens of
4:29
millions of unique permissions and sharing
4:31
links. Even if you could
4:34
visualize your cloud data exposure, it would
4:36
take an army of admins years to
4:38
right size privileges. With how
4:40
quickly data is created and shared, it's like
4:42
painting the Golden Gate Bridge. That's
4:44
why Varonis built Least Privilege
4:46
Automation. Varonis continuously eliminates
4:48
data exposure while you sleep by
4:51
making intelligent decisions about who needs
4:53
access to data and who doesn't.
4:56
Because Varonis knows who can and
4:58
who does access data, their automation
5:00
safely remediates risky permissions and links,
5:02
making your data more secure by
5:04
the minute. Even when
5:06
you're not logged in, Varonis is
5:08
classifying more data, revoking permissions, enforcing
5:10
policies, and triggering alerts to their
5:13
IR team to review on your
5:15
behalf. To see how Varonis can
5:17
reduce risk while removing work from
5:19
your plate, head on over to
5:21
varonis.com/darknet and start your free trial
5:23
today. That's
5:26
Varonis, spelled
5:29
V-A-R-O-N-I-S,.com/darknet. This
5:36
episode is sponsored by ThreatLocker. These
5:39
days, one wrong click of a button can
5:41
lead to a catastrophic cyber attack on your
5:43
organization and nobody has time to keep training
5:45
poor Doris in accounting on what not to
5:48
click. Cyber attacks are devastating
5:50
to businesses and without the correct solution in
5:52
place, your operation remains at risk.
5:55
Threatlocker has built an endpoint
5:57
protection platform that strengthens your
5:59
information. Structure from the ground up
6:01
with zero trust. Security posture step
6:04
protects business critical data for also
6:06
mitigating cyber attacks. Through. Lockers
6:08
allow listing ring fencing, swords control,
6:10
elevation control, and network control solutions
6:12
to name a few. give you
6:14
a more secure approach to blocking
6:16
the exploits of known and unknown
6:18
threats and application phone or billings
6:21
working together to deny applications by
6:23
default, lot in bow network traffic,
6:25
and ring fencing your applications. Threat:
6:27
Locker provides zero trust control at
6:29
the Colonel level. If you're
6:31
looking for a proactive solution
6:33
that will keep your business
6:36
better protected in the face
6:38
of cyberattacks, Outset Lockers Cyber
6:40
Heroes At W W W.threat
6:42
locker.com. That's
6:44
threats locker.com.
6:50
Gather. Around in this episode we're going
6:52
to hear stories from Rachel Tobacco and
6:54
she's one of the best social engineers
6:56
I've ever met. Let's start with
6:58
your origin story. As.
7:01
A kid. How did
7:03
you get interested in this type
7:05
of work? And.
7:07
Pay my origin story so. My.
7:11
First time that I ever saw
7:13
about being any sort of hacker
7:15
was when I realized that being
7:17
a spy. Is a job
7:20
that people deal and it's a
7:22
job that girls could do. And
7:24
I learned this. screw with the
7:26
movies Harriet the Spy She goes
7:28
around sneaking into people's houses, dying,
7:30
she takes her notebook everywhere. She sneaks
7:32
through the dumb later in this
7:34
rich woman's house and gets caught
7:36
and I just thought I had no
7:38
idea that a girl could be
7:40
a spy. So that basically became
7:42
my personality from my childhood. Did you
7:45
get into computers when you were older or
7:47
of instill in middle school? I suppose. i
7:49
did not get into computers i wanted
7:51
to get into computers i went to
7:53
my guidance counsellor and i think sixth
7:55
grade and and i said hey i
7:57
wanted he pees coding classes and my
8:00
guidance counselor, she said, you don't
8:02
want Rachel, you don't want to take those,
8:04
those coding classes. Those coding classes are
8:06
40 boys. You'd be the
8:08
only girl there. Just take home ec
8:10
instead. Oh, you serious? I know. And
8:12
me being a child, I was like,
8:15
Oh, good call. I mean,
8:17
yeah, I don't want to like blame her for
8:19
like me never learning to code. I mean, I
8:21
could have tried later in life, right? People try
8:23
later in life all the time. But no, I've
8:25
actually never written a single line of code. I
8:27
ended up getting my degree in neuroscience and behavioral
8:30
psychology. I was a teacher's assistant
8:32
for statistics. I never got into
8:34
code. neuroscience.
8:37
Yeah. So my path to info
8:39
second hacking to the
8:41
untrained eye, it doesn't make any sense. It's almost
8:43
completely nonlinear to me looking back, it makes a
8:46
lot of sense. So I
8:48
got my degree in neuroscience and behavioral
8:50
psychology. I was doing
8:52
improv on the weekends. I was a teacher. I
8:55
then was like, Hey, I want to try and get into tech.
8:57
I moved to San Francisco. I
8:59
was a community manager at a tech company,
9:01
actually ended up leading a UX research team.
9:04
And then while I was at
9:06
that tech company, my husband was in
9:08
security the entire time I actually met my husband in
9:10
high school, I met him when I was 15 years
9:12
old. So my husband was
9:14
like, Hey, I heard about this
9:16
thing called Defcon, I think you would get a kick
9:18
out of it. And I was like, ah,
9:22
I pass. I think I'm not
9:25
going to do that. Okay, so
9:27
Defcon is the annual hacker conference in
9:29
Las Vegas is wild there. You'll see
9:31
people walking around with antennas sticking out
9:33
of the backpacks talks about how to
9:35
bypass just about anything on a computer
9:37
and tons of villages that focus on
9:39
specific areas of hacking. The social
9:41
engineering village is one of the more popular
9:43
ones. And when Rachel husband went into this
9:45
village and saw what they were doing, he
9:48
immediately called her up to tell her what he
9:50
was seeing. They do this thing where they put
9:52
you in a glass booth. It
9:54
soundproof in front of an audience of 500 people,
9:57
You call companies and. Read
10:00
the information out of them over the phone if
10:02
think the exact same skill that you use every
10:04
month to get the bill lowered when you call
10:06
these companies he built a poor are you get
10:08
a deep discount on things like the cable that
10:10
you'll love it. As he still like
10:12
now. I'll pass thinks he
10:14
called me back in his like I just
10:17
saw more of these calls. The Social engineering
10:19
course you have to com like I promise
10:21
you if you don't like it will just
10:23
go gambling. As a side and. Still,
10:26
Like, okay, fine, I packed my bags.
10:29
I get the first flight out Saturday
10:31
morning. As you know, if you're on
10:33
Saturday morning, it's like that sounds like
10:36
a third over at that point, if
10:38
not more social up. I see a
10:40
few calls. What? She's
10:42
watching was the Social Engineering contest.
10:45
There's fourteen contestants and a given
10:47
the task to basically good enough
10:49
information to hack into a company.
10:52
All through phone calls, See.
10:54
Have to prepare and figure out who would be
10:56
an easy target to get information from and
10:58
with cell phone number and you better have backup
11:01
numbers increased. The person who called doesn't answer
11:03
or hangs up on you. Once you do get
11:05
someone on the phone you get points for
11:07
every bit of security data. Using get off stamps
11:09
of you can get them to tell you what
11:11
operating system they use. He get a point
11:13
or a flag. And. Maybe from their,
11:16
you try to figure out what browser
11:18
they use information about their security guards
11:20
would janitor service to. Can't
11:22
just ask these questions directly. It
11:25
raises suspicions. See. That provide
11:27
a pretext or pretend to be
11:29
someone else. Maybe someone who
11:31
works in another departments or someone
11:33
brand new to the company who
11:35
doesn't know anything but urgently needs
11:37
to get a report done today.
11:40
It's tricky, it's it's heads is high
11:42
stakes because if you get caught on
11:44
the phone, your burns and now you
11:46
don't get any points. And
11:48
the best part is the audience
11:50
gets to watch all this lives
11:52
I see. A few calls it's like
11:54
on like this is me like I
11:56
can do this I was born for
11:58
that matter with mine. right? I told
12:00
you. So
12:03
she immediately is like, okay, how do
12:05
I compete and this and yeah, it's
12:07
a whole process. You need to submit
12:09
an application, create a video of yourself,
12:11
and stand out from the crowd because
12:13
only fourteen are chosen to compete out
12:15
of hundreds of people who try out
12:17
for it and. As like all
12:19
I got just the thing. I made
12:21
his Twin Peaks style video to convince
12:23
them to let me get in and
12:25
has somehow they agreed to let me
12:27
participate. Hundreds of people
12:30
fly and fourteen contestants are selected
12:32
Every. Single Year now. They actually give you
12:34
the target company that you have to attack ahead
12:36
of time so you can do your research on.
12:39
And a lot of research was because you want
12:41
to find as much information as you can about
12:43
this company, like going to google searches or just
12:45
looking at public places. Maybe you get a list
12:47
of people and phone numbers, the costs so that
12:50
when it's your turn to call, you know exactly
12:52
who to call and what questions to ask. and
12:54
that becomes quite a lot of work to prepare
12:56
for that moment. for. When you're gonna call someone,
12:59
you could spend a solid month learning everything you
13:01
can about your target company. So you
13:03
can sign when you're in the booth. It
13:05
was a major consulting firm is really all I
13:07
can say. How these companies don't
13:09
know they're about to get hacked
13:11
as really extraordinary into Was is
13:13
basically a life hack with an
13:15
unsuspecting target. So. She gathers as
13:18
much intel as accounts and heads to Def
13:20
Con to compete. I get an
13:22
eye glasses. Now. All eyes
13:24
and ears are on her. Not only does
13:26
he have to trick one person on the
13:28
phone to give her the information they shouldn't
13:30
be giving her personal to do in front
13:32
of an audience. But. She's done
13:35
improv before and was absolutely ready
13:37
for this eye. contact my target
13:39
company that i pretend to be and
13:41
employees is confused is just starting out
13:43
and i end up getting flag after
13:45
flag and to get out of the
13:47
booth and i'm like maybe i did
13:50
okay and then there's like a standing
13:52
ovation i'm like oh maybe i did
13:54
better than okay and i ended up
13:56
getting second place at first time ever
13:58
hacking anybody at first I remember hacking somebody
14:00
happen in a glass booth in front of 500 people.
14:04
Dang. Second place. Of
14:06
course, no, she's hooked. That was fun
14:08
as hell. The nerves, the adrenaline, hacking
14:10
and social engineering, all of this, she
14:12
was just craving more of. So she
14:14
applies to compete again the next year.
14:17
And then I ended up getting second place the second year
14:19
and I got second place the third year as
14:21
well. Competing
14:23
three years in a row in the social
14:26
engineering contest and getting second place all three
14:28
years, that's what started
14:30
her career in social engineering. After
14:33
folks started seeing me get second place at DEF
14:35
CON, you know, they'd see me on stage, they'd
14:37
be like, Hey, I want to chat with you.
14:40
Can you come speak at my company about how you
14:42
hack and how we can test you? And
14:44
I live in Silicon Valley. So I got
14:47
really lucky that people started
14:49
asking me to do things that like are
14:52
a job, right? Like I'm like, Oh,
14:54
I guess I need to make a company. So
14:56
I made social proof security in 2017. And
14:59
I mean, I live in Silicon Valley. I was
15:01
so lucky. Some of my first clients were
15:03
like Facebook, Snapchat, PayPal, Twitter. And
15:05
from there it was like US Air Force,
15:08
NATO, Uber, Google, Cisco. It's like, Oh my
15:10
gosh, you know, I feel like I just got
15:12
really lucky in this life. The
15:15
crazy thing is that I've heard this
15:18
story over and over. Someone who has
15:20
no interest in hacking goes to DEF
15:22
CON, sees the social engineering stuff going
15:24
on there, immediately wants to compete, does
15:26
pretty good in a competition, and then decides
15:28
to do that for a living and start
15:30
their own company. It's mind boggling.
15:33
How many lives have changed from
15:35
people attending DEF CON? Oh, it's
15:37
totally wild. I mean, if you would
15:39
have asked me decades ago, like, what did you think you were
15:41
going to get into? The word
15:43
hacker would have never even made the top
15:45
100 list because I didn't know it was
15:47
possible, didn't know it could be a job.
15:49
And I certainly didn't think I would be
15:52
good at it. I, when
15:54
I saw the concept of a hacker in
15:56
TV or movies, it was usually a guy
15:58
who wore a hoodie. in a
16:00
basement. And I mean,
16:02
I wear hoodies and basins are fine, but I didn't think
16:04
that I was going to be good enough. So yeah,
16:08
you just have to see yourself in the position.
16:10
And I've had multiple women come up to me
16:12
and say like, Hey, I saw you in that
16:14
competition, didn't realize it was possible for people like
16:16
me. And now I do this
16:18
for a living. Okay,
16:21
so she started a company called social proof
16:23
security, which is basically social engineering for hire.
16:25
And companies were starting to hire her to
16:27
see if they were vulnerable to social engineering
16:29
attacks, and what they can do to stop
16:31
them. And of course, I'm fascinated by these
16:33
social engineering stories. How do you hack into
16:36
a company with just your voice or
16:38
your term? So a bank
16:40
hired me to penetration test them, effectively,
16:42
they hired me to hack them. And
16:45
they told me that I could hack via phone
16:47
call, email or chat. And
16:50
my job was to take over multiple
16:52
accounts and steal access effectively steal the
16:54
money out of the accounts. You
16:56
want to steal money out of customers accounts?
16:59
Yes. And when we do
17:01
a penetration test, it's very particular, I
17:03
don't want to steal money from like
17:06
everyday people that would be horrible and
17:08
really scary for bank customers to just
17:10
randomly have money stolen because of a
17:12
pentest. So what we do is we
17:15
create fake bank accounts. We
17:18
work with the team on the back end,
17:20
so that the support organization for all intents
17:22
and purposes, sees a real
17:24
customer. But we've
17:26
created fake bank accounts for me
17:29
to steal. So I don't actually
17:31
harm real people. But the
17:33
support team doesn't know they're fake. Okay,
17:35
so this company is a bank. And
17:38
she's told that she can target customer
17:40
support to see if she can access
17:42
a customer's bank account. And
17:45
she's given the options to use a phone
17:47
call, email or chat to get
17:49
through. That's right. So I started
17:51
with the chat feature. And
17:54
I posed as a customer to see
17:56
if I could take over a customer account with
17:59
just chatting. So I told
18:01
the bank support people my sob story,
18:03
I lost access to my phone, my
18:05
email, my laptop. I got lost
18:08
and I had a night out and I'm traveling
18:10
abroad. I mean like the whole story, right? And
18:13
I really need access to my bank account because I'm stuck and I
18:15
don't have money. And
18:17
the first thing that I usually try when I'm
18:19
trying to do an account takeover is I try
18:21
to see if I can get them to change
18:24
the email address or the phone number on the
18:26
account. Because if I
18:28
can do that, then I can change
18:30
effectively the admin on the account. Just
18:33
by changing the email address, I can then
18:35
reset the password or reset to a phone
18:37
number that I control. There's some
18:39
swapping and all of that that could happen after that. But you
18:42
know, that's basically how it works. And
18:44
they're like, oh, well, we can't do
18:47
that because we need to only send the
18:49
password reset to the email address already on
18:51
your account. Good for them. That's
18:53
the protocol they're supposed to follow. That's exactly right. So
18:55
good job bank. That's horrible for me as a pen
18:58
tester. A lot of times I have to play both
19:00
sides of this game. I have
19:02
to train the company and update their protocols
19:04
to prevent people like me from getting in.
19:07
But when I'm first attacking them, it's so frustrating. So
19:10
I try chatting with multiple other support
19:12
people. I'm trying again and again. They
19:14
will not make any exceptions
19:16
for me. It doesn't matter my pretext. That's
19:19
who I'm pretending to be. It doesn't matter
19:21
how I contact them, what I say, my
19:23
story, nothing. So I decide
19:25
to switch to phone call based attacking
19:27
because I tend to be much more
19:29
successful. So
19:32
I switched to phone calls. It leaves less of a
19:34
paper trail. People tend to get
19:37
less suspicious because I can build rapport. They can hear
19:39
my voice. They can hear how trustworthy I sound. And
19:43
also when I'm calling, I
19:45
can spoof phone numbers. And
19:47
a lot of times that helps me gain access.
19:50
Spoofing phone numbers. How
19:52
is this still possible? You
19:55
can download an app from the mobile app store.
19:57
And within a few taps, you can change what
20:00
phone number you're calling from to have
20:02
any phone number you choose. So
20:05
you can make it look like where you're calling from is
20:07
not actually where you're calling from. Now,
20:10
when I was young, I used to do this
20:12
with emails. I would love to send emails to
20:14
my friends pretending to be from the FBI
20:16
or the president of the United States. And I'd
20:18
be like, Bill, you're in serious trouble. We're coming
20:21
to get you. Something
20:23
that my friend Bill would be like freaking
20:25
out and it was awesome fun. But
20:28
then the email protocol
20:30
got updated. They implemented SPF
20:32
records somewhere around 2006. And
20:35
this ensures that the place you sent the emails
20:38
from is where the emails are supposed to
20:40
come from. This effectively put an
20:42
end to email spoofing. Of
20:44
course, not all companies configure their SPF records
20:46
properly and you can still spoof it, but
20:48
at least the option is there if you
20:50
want to block someone from spoofing your email.
20:53
But for phones, which have been around a
20:56
lot longer than email, it's
20:58
an unpatched vulnerability, in my opinion,
21:01
you can still spoof phone numbers. Yeah,
21:03
it's kind of wild in the U.S.
21:06
Right now it's still possible because all of
21:08
the telcos have to make the same decisions
21:10
at the same time. And
21:12
unless all of the companies get together and make
21:14
the same choices, it's going to
21:16
be really hard to implement the right solution. So
21:19
at least in the U.S., spoofing is so really
21:21
possible for me. Now, since phone
21:23
companies refuse to fix this, their
21:26
solution was to help pass
21:28
a law making it illegal to spoof
21:30
phone numbers. So for now, it
21:32
just seems like telephone companies are just relying on
21:35
the police to help keep people from doing this.
21:37
But to me, this is an awful way to
21:39
secure things. Telephone companies can
21:41
fix this if they want. But
21:44
while I see this as a
21:46
vulnerability, telephone companies have historically said,
21:48
wait, why are you using telephone
21:50
numbers as identifiers? They were never
21:52
meant to be identifiers. And
21:54
they put the blame on us for doing that because
21:57
for a long time, our phones didn't have
21:59
screens. So we never knew who was calling until
22:01
you picked up the phone and said hello But
22:04
then telephone companies gave us caller ID where
22:07
our phones would show who's calling and so
22:09
I do blame telephone companies for making Us
22:11
think it is an identifier since they were
22:13
charging extra for that feature back in the
22:16
90s and mobile phones today all come with
22:18
This feature so I say phone companies turn
22:20
caller ID off if you don't want us
22:22
to use it as an identifier Otherwise
22:25
patch it so phone numbers can't be
22:27
spoofed anymore so
22:29
anyway Rachel
22:32
was trying to get into a
22:34
customer's account let's call the customer
22:36
Kelly and she figured out what
22:38
phone number Kelly had and Rachel
22:41
spoofs her number to look like
22:43
she's calling from Kelly's phone. I
22:45
spoof my phone number I make it
22:47
look like Kelly on the account and by the way on
22:50
data brokerage sites when we're doing OSINT
22:52
open source intelligence Typically we can find most
22:54
people's phone numbers within a minute or two
22:57
So when we're searching we can just know okay,
22:59
this is Kelly. This is Kelly's
23:01
phone number I'm gonna go ahead and spoof that I
23:03
set that up It usually cost me a dollar
23:05
or so on the tools that are available on the
23:07
app store These are not
23:10
like heavily regulated. You can just find them
23:12
on the app store and I
23:14
go ahead and I place that call Can
23:17
you give me an example of how you sound on these
23:19
calls I'm gonna
23:21
make me act. Yeah, okay.
23:24
Okay. Give me one second. I gotta get into character.
23:26
I mean, yeah I'm gonna change my clothes. I can get the
23:28
character. Here we go Okay,
23:30
here we go Ring ring ring.
23:32
Oh, wait, we both said ring. Okay Thank
23:34
you for calling the bank. How can I help you today? Hi,
23:38
I am so sorry. My name is
23:40
Kelly Smith So I'm
23:42
traveling right now and I just lost
23:44
my laptop. My phone's not working I
23:46
cannot get access to any of my
23:48
funds I'm super stressed out.
23:51
Can you please please help me? Hmm
23:56
That was good. I won't make you do more. Thank you
24:01
So yeah, I mean, they've got a script that
24:03
they go through where they're just like, okay, well,
24:05
you know, do you have the last four digits
24:07
of your phone number or whatever the case is
24:09
to verify you? Or is that how you're challenged
24:11
or what happened? No. So
24:14
this bank knew that KBA,
24:16
knowledge-based authentication, things like what's
24:18
your address? What's
24:21
the last four digits of your phone number? This
24:23
bank knows that that information is very
24:25
easily found online. So
24:27
they don't use KBA, knowledge-based authentication, to
24:29
verify your identity. They usually use MFA,
24:31
multi-factor authentication. Now this is great. This
24:34
is exactly what I recommend, you know,
24:36
send a code to the email address
24:38
on file and make them read it
24:40
out to you rather than going
24:43
through this process of verifying identity
24:45
with information that can be found by an
24:47
attacker in five minutes online. So
24:50
that's good. But as an
24:52
attacker, that's going to be a challenge because I don't
24:54
have access to that email address. And
24:57
when I'm spoofing a phone number, I
24:59
actually can't receive text messages. And
25:01
if they call back, I'm not going to be the
25:03
one that answers that phone call. I'm just spoofing. It
25:05
looks like I'm calling, but I don't actually have access.
25:07
Now, of course, I could sin swap and many criminals
25:09
will do that. But for the purposes of
25:12
this pen test, that's not what I'm testing. So
25:16
they say, okay, we
25:18
have an edge case here. Let
25:20
me see if I can talk to
25:22
my manager and have you send in
25:24
a picture of your driver's license, your social
25:27
security card and a utility bill. And
25:30
instantly I'm like, okay, bingo. We're
25:32
in. The other half
25:34
of social security is my husband, Evan. He does all
25:36
the technical stuff. I do all the human hacking stuff.
25:38
This is great because I need a fake driver's license.
25:40
I can't wait to hear how you got a fake
25:42
driver's license. No. Okay. So
25:45
my husband, Evan, he gets to
25:47
work editing a driver's license, a social
25:49
security guard, and the utility bill to
25:51
the exact information that they're expecting for
25:53
this account, which again, we can
25:56
find through a data brokerage site. So
25:59
we're hoping. that this
26:01
company does not know the
26:04
actual driver's license number, the actual
26:06
social security number, and they're
26:08
just looking to ensure that the name and
26:10
address that are on the account match
26:13
those documents. You
26:15
can find those pieces of information through OSINT, and
26:17
a lot of times I've noticed that when they
26:19
ask for these types of documents, they don't know
26:21
the right info, they're just hoping that it matches,
26:23
and they stop there. So
26:26
you didn't need a real driver's license, social security
26:28
card. You just needed a JPEG, right? Correct.
26:31
And that's the trick there. Photoshop
26:34
was your friend. Photoshop,
26:36
yes. We spend all night
26:38
on these driver's license, social security cards,
26:40
and utility bills of the accounts we're trying
26:42
to hack. I
26:44
email the bank at 8
26:46
a.m. the next day. I
26:48
tell them my story. I tell them the edge
26:51
case that we have set up with support. I
26:53
send them the driver's license and social
26:55
security card and utility bill. By
26:58
9 a.m., I have full admin
27:00
access to the bank account. I
27:03
have changed it to be controlled
27:05
by my attacker-controlled email address, and I can
27:07
steal all of the money in the account. So
27:11
once I finally get in, I have
27:13
access to everything. I use the same method again
27:15
and again. I get access to two more accounts
27:17
throughout the day. I end up spreading out the
27:20
request so that we're not raising suspicion with the
27:22
same attack method over and over
27:24
again, back to back. In the end,
27:26
we took over each bank account that we
27:28
were asked to hack within
27:30
two days. Hmm. It's
27:33
truly astonishing the sheer force of
27:35
the human voice, its
27:38
ability to persuade, to move,
27:40
to manipulate all through a
27:42
simple phone call. It also
27:44
reminds me of how vulnerable customer support is
27:46
to this kind of exploitation.
27:49
When you're met with a soft voice telling
27:52
you a sad story, but wrapped
27:54
in kindness, it tugs at your
27:56
heartstrings. You find yourself
27:58
eager to assist. especially if you
28:00
just got off the phone with a real prick who
28:02
was yelling at you about overcharging him 10 cents. Contrast
28:06
that with a kind voice that's
28:08
truly asking for help. And
28:11
it really makes it hard to say no. I
28:13
know that in a lot of these organizations there are
28:15
edge cases. So I'm helping companies
28:19
say, okay, we
28:21
did this pen test. We figured out what the edge
28:23
case is. We figured out how we
28:25
got access. How do we make sure
28:27
we don't fall into this trap next time when the real
28:29
criminals get here? So I then
28:31
helped them with, okay, let's set up some
28:33
edge cases back to back so that we
28:36
have something like a
28:38
callback that would thwart spoofing. If
28:41
you don't want to use that, you can use
28:43
email verification one-time passwords, you know, sending a code
28:45
or just a word to the email on file
28:47
and having them read that out. SMS
28:50
verification. Okay, they claim
28:52
they're calling you from this phone number, but
28:55
maybe they're just spoofing it. See if they
28:57
can read out a text message, callbacks, sort
28:59
spoofing, service codes, pins
29:01
or verbal passwords. If
29:03
it's some sort of internal support
29:06
ticket, you can loop in a manager. There's
29:08
so many ways to do this right that
29:10
a huge part of the pen test is
29:12
not just hacking the company, but helping the
29:15
company figure out what is a real practical
29:17
way that we can solve these edge cases
29:19
in the future to verify
29:21
identity the right way and make it harder for you
29:23
to get in the next time. Because I'll go in,
29:25
I'll make it harder for me to get in as
29:27
an attacker. And then the next year, I'm like, Oh,
29:29
my, this is so hard for me to get in
29:32
until the point where I can't get in anymore. And
29:34
that's when I'm like, Okay, you've done the most that
29:36
you can do. It's time for a
29:38
sponsor break. But stay with us because Rachel has a few more
29:40
stories that she's going to share with us. This
29:45
episode is sponsored by Exonius.
29:47
Complexity is increasing and IT
29:50
and cybersecurity control it with
29:52
Exonius, the system of record
29:54
for all digital infrastructure. The
29:56
Exonius platform correlates asset data from
29:59
existing tools. to provide an
30:01
always up-to-date inventory, uncover security
30:03
gaps, and automate response actions.
30:05
Go to axonius.com/darknet to learn
30:07
more and get a demo.
30:09
That's axonius spelled A-X-O-N-I-U-S.
30:15
axonius.com/darknet.
30:21
On another engagement, Rachel was hired by
30:23
a company to help them sort out
30:25
an issue that they kept encountering. It
30:27
was a large technology company who would
30:29
sometimes buy or acquire smaller companies. Now,
30:32
when you're buying another company, you typically want
30:34
to keep it quiet until the official announcement.
30:36
It could affect share price or cause panic
30:39
in the company if things aren't communicated properly.
30:41
But for some reason, when this technology company
30:44
would do any merger or acquisition, it
30:46
would get scooped by some news agencies.
30:48
The announcement would show up on news
30:50
sites way before the company was ready
30:52
to tell the world. So this
30:54
company was like, Rachel,
30:57
maybe you can help us figure out how this
30:59
news keeps slipping out ahead of schedule. And
31:01
so they approached me about doing a
31:03
pen test to figure out how this
31:06
M&A info was getting leaked, where
31:08
they could possibly improve their training, their
31:10
messaging, their internal protocols to figure out
31:13
why is this happening? Why are folks
31:15
being incentivized to talk about this and what can we
31:17
do about it? When you hear this,
31:19
what's your mind first go into? Like,
31:21
you've got an insider threat somewhere. You've
31:24
got a breach, active breach. Yeah. So
31:26
insider threats happen. But
31:28
what is usually most
31:30
common is people
31:33
just make a mistake. I
31:35
kind of live in this world where I
31:37
assume that people are making mistakes and I
31:39
try and help them. So we came out
31:41
with a few different attack methods that might
31:43
work to uncover where this is happening. Number
31:46
one, I was going to attempt
31:48
to pose as a journalist and reach
31:51
out to various team members, asking
31:53
them via social media DMs,
31:56
email, text message, etc. about their
31:58
experience in tech and see if
32:00
I could siphon out M&A info and just see
32:02
where it goes. And number
32:04
two, I was going to
32:06
apply to their product manager role,
32:09
go through the entire hiring process
32:11
and see if I could extract
32:13
M&A related info during the question
32:16
portion of the hiring interview. I
32:18
did not know what was going to work and what wasn't,
32:21
but I just wanted to try both. All
32:26
right, so if you can oppose as either
32:28
one of these people, it sounds like you're
32:30
going to need a LinkedIn account or at
32:32
least some online presence. You can't just show
32:34
up as a nobody, right? Or at least
32:36
it helps establish your background and your pretext.
32:38
Definitely. Do you have any framework
32:42
or methodology for how you establish an
32:45
existing ghost in the world? Yeah.
32:48
So we call these ghosts,
32:50
we call them sock accounts. Sometimes
32:53
they'll be real people. And
32:55
so we'll fashion them pretending to be a
32:57
real person. Sometimes they'll be fake people. And
33:00
they'll just have this full life online. With
33:03
the fake journalist, I figured it was
33:05
going to be a lot easier to
33:07
pretend to be a real journalist and
33:09
just not actually be them, then create
33:11
an entire persona of a fake journalist
33:13
and populate real content. So
33:16
I built a fake journalist pretext,
33:18
email background and social media based
33:20
on a real journalist who I'm not
33:22
going to name of her. Interesting.
33:25
Rachel tried to be another
33:27
journalist that actually exists, maybe
33:30
by doing something like using a similar email address
33:32
or social media accounts. But the question
33:35
is, how do you know
33:37
who to ask in a company to
33:40
get information about upcoming mergers and acquisitions?
33:43
These are typically closely guarded secrets. But
33:47
there is a website that's
33:49
extremely helpful to social engineers.
33:53
There's a website that lists pretty much every
33:55
company and most of the employees that
33:57
work there and it tells you their job title.
34:00
role, what duties they have, and
34:02
full name. The
34:04
website is LinkedIn. And
34:06
personally, I feel like LinkedIn is a
34:09
security risk to most companies on there.
34:11
It makes it really easy for someone like
34:14
Rachel to go down the list of people
34:16
who work at a company and pinpoint the
34:18
exact person to target. Once
34:20
you have their name, it's probably
34:22
easy to get their email address.
34:25
It's usually first.lastname at companyname.com. I
34:28
mean, not only is there a list of people
34:30
who work at most companies on LinkedIn, but
34:32
they like to list their skills too. And
34:35
if someone says they've worked for a company
34:37
for 10 years as a database admin, and
34:40
specifically they say they're excellent at
34:42
Microsoft SQL Server, now
34:44
you can guess with high confidence
34:47
this company runs Microsoft SQL Server
34:49
internally, and this person probably
34:51
has the admin password for it. And
34:54
we all know how susceptible people are to phishing
34:56
emails. I mean, my
34:58
opinion is if you list and stuff like that, you're
35:00
just putting like a big old beacon over your head
35:02
saying, hey, I'm the person you're going to want to
35:04
hack. If you want to get in the database of
35:06
this company, come at me. Essentially,
35:10
the private information that should just
35:12
be kept inside the company is
35:15
posted publicly for anyone to see on LinkedIn.
35:18
And I mean, here's a story where the company
35:20
is wondering, hey, how come the public knows about
35:22
one of our internal memos? I
35:25
say start by auditing what your employees are
35:27
posting to LinkedIn. If
35:30
the company is totally cool with all this internal
35:32
stuff getting posted publicly, then
35:34
maybe that's perpetuating a
35:36
culture that's okay to blab
35:38
about exciting news to whoever asks. I
35:43
had someone message me on LinkedIn the other day asking me, hey, how
35:45
can I get my data taken off the internet? Like,
35:49
is this your photo? Is this where you work?
35:51
Is this where you went to school? Is
35:53
that your actual name? And you
35:56
posted all this to LinkedIn and you're wondering,
35:58
how come the internet knows? is all
36:00
this stuff about you? Because
36:03
the thing is, a lot of what data
36:05
brokers know about us is from the stuff
36:07
we post publicly. Data brokers are scouring our
36:09
social media profiles, our blog posts, and any
36:11
mentions of us on the internet. And
36:13
then data brokers store all that information
36:15
about you that you posted. It's frightening.
36:18
And I mean, the reality of the
36:20
situation is that anybody can do
36:22
a full background search in less
36:24
than five minutes on most people in the US.
36:26
And people don't realize that this information is out
36:29
there about them. They have no idea that it's
36:31
being sold. They just don't Google themselves. I
36:33
say we should take our own
36:36
privacy seriously. Because the more we
36:38
don't care about our privacy, the
36:40
more companies won't care about your privacy.
36:44
Anyway, as you can imagine, Rachel had
36:46
this target company and was able to
36:48
quickly guess at who might know about
36:50
upcoming mergers and acquisitions and started hyper-targeting
36:53
them, doing full background
36:55
searches on them, gathering up their details,
36:57
and just started reaching out, acting
36:59
like a journalist, emailing them, wanting to see
37:01
if she can easily get this information from
37:04
people. Exactly. Or we can reach out
37:06
over social media at DM. DM
37:08
on LinkedIn or Twitter or Instagram. And
37:10
I mean, that's the thing. Journalists really
37:12
do reach out using all of those
37:14
methods. So it's hard to know what's
37:16
real and what's fake sometimes. But
37:19
it didn't work. No matter who
37:21
she reached out to or how convincing
37:23
her backstory was, people weren't freely giving
37:25
her information about upcoming mergers and acquisitions.
37:28
This method wasn't working. They
37:30
let me know some minor details about excitement
37:33
about potential M&A, but they're not going to
37:35
confirm any juicy details. And I
37:37
try to get people on the phone
37:39
to talk with me, but I think
37:41
there's just this inherent distrust of this
37:43
particular pretext. So I'm like, OK, I got
37:46
to really go for the big guns here. I
37:48
want to attack via the hiring process. Attack
37:52
via the hiring process? What an
37:54
interesting sentence to say. I
37:56
don't think that idea crosses many people's minds. That
37:59
people. applying for jobs might
38:02
have malicious intent. I've
38:04
heard of the evil maid attack, but
38:06
what's this called? The phantom
38:08
applicant attack? There's
38:11
a lot of information that you can get
38:13
just from reading a job posting. Like when
38:15
a company lists the job duties, it might
38:17
tip their hand into what endeavors the company
38:19
is going to do next or expose what
38:21
technology they have in the company. And
38:24
these things can be used against the company
38:26
in social engineering attacks. I think
38:28
if you read enough job listings, you could
38:30
probably develop a map of the data center.
38:33
Packing into the company through the employment
38:35
process is actually a decent
38:37
attack vector. I don't think many companies
38:39
would expect you to come in through that door. Anyway,
38:42
what Rachel was going to do was
38:44
pose as a job candidate and try
38:46
to get an interview. And in the
38:48
interview, she was going to see if
38:51
she could get some insider information about
38:53
upcoming mergers and acquisitions. Something
38:55
to understand is as an attacker,
38:57
this is not easy to do. I've
38:59
never been a PM. So to apply
39:02
for a PM role takes a lot
39:04
of background research. I
39:07
mean, I led a UX research team at a
39:09
tech company. So I do have a sense of
39:11
what a PM, a product manager does, but I
39:13
am in no way prepared for a PM interview.
39:15
So I have to study for three full weeks
39:17
for this role. I'm watching
39:19
YouTube videos. I'm doing interview prep quizzes
39:21
online. I'm taking free online courses like,
39:24
so you want to be a PM,
39:26
like the whole nine yards. So
39:28
I'm building a full persona, a
39:31
resume, a Twitter, LinkedIn, Facebook, all
39:33
of these stock accounts have photos,
39:35
thousands of friends, reviews of my
39:37
work from networking groups on LinkedIn.
39:40
People I've never met that like
39:42
you give them a review and they give you a
39:44
review. All of this stuff is so gameable.
39:48
I suppose this is stuff you do at
39:50
social proof. Like there's
39:52
just like one person sitting over there like,
39:54
just keep making stock accounts all day. I'm
39:56
going to burn through them so fast. Unfortunately.
39:59
Yes, we do change the names
40:02
of many SOC accounts, but then you have to populate a
40:04
lot of new information. It
40:06
ultimately takes me about three weeks
40:09
to build a believable social media
40:11
account and enough examples of previous
40:13
PM work to get anywhere near-convincible
40:16
during the interview process. Did you
40:18
get help at getting your resume to the
40:20
top of the pile? No, I just had
40:22
to apply. That's not easy, you know.
40:24
There's a lot of people who don't get callbacks. Well,
40:28
during this period of time, the
40:31
tech hiring process wasn't as bad as it is
40:33
in this current year. So,
40:36
I apply for the role. I
40:38
get a phone screen. I am sweating
40:41
bullets. Because if
40:43
I don't get through this phone screen, I will
40:45
not move on to a full interview process. I'm going to have
40:47
to do a bunch of work to change my SOC accounts on
40:50
social media to match a new persona. It's going to be a
40:52
lot more work for me. Luckily,
40:54
it took like 45 minutes. I
40:58
passed. I get moved on to
41:00
the next round. The
41:02
next round has six different
41:04
interviewers. So, it's just... No,
41:06
this is in person? No, virtual, thank
41:08
goodness. Did
41:10
you try to gain any information on the first round?
41:14
No, not during the phone screen. I wanted
41:16
to get... Because you were like, I'm going to wait for the right time.
41:19
Yeah, I was terrified that they were going to be like,
41:21
this person's a weirdo, like, I just not moved them forward.
41:24
So, I waited until the
41:26
actual official interviewers.
41:30
And it's going to be a packed day of
41:32
interviews. I have six interviews back to back all
41:34
day. These interviews are conducted
41:37
over Zoom. I get all dressed
41:39
up in my interview clothes that I
41:41
haven't worn in years. I'm pressed with
41:43
all my anecdotes, my strengths and weaknesses,
41:45
my KPIs and success stories. And
41:48
a lot of these examples I'm using are heavily
41:50
focused on UX research because if you remember, that's
41:52
something I used to do. And
41:54
many PMs do have advanced UX research skills.
41:56
So, I'm just like hoping that they don't
41:58
think that's weird. So
42:01
I get to the first interviewer and the
42:03
interviewer is like, okay, asking me all these questions.
42:05
I seem a little nervous, but they're like, oh,
42:07
you know, don't worry about it. It's going to
42:09
be fine. We go through all
42:12
the PM related questions. This person's nervous
42:14
for all the wrong reasons. That's what's funny
42:16
here. I know, but I
42:18
have to pass. Yeah. So I'm going through this. I
42:20
mean, they're used to people being nervous and so that
42:22
I could see them saying, oh, it's fine. You're
42:25
doing great. Don't worry about it. And
42:27
you go, thanks. Because I'm trying to pack you.
42:29
And the only thing is when you're hacking people, a lot
42:31
of times it makes sense for your pretext to match how
42:33
you're actually going to feel when you're hacking. And
42:37
a lot of times you are nervous
42:39
when you're calling support because you can't
42:41
gain access to your bank account. You
42:43
are uncomfortable during an interview. These are
42:45
normal human emotions. And so it's okay
42:47
to not be way too overconfident. Sometimes
42:49
that can even read as strange. So
42:52
yeah, I mean, I'm sweating bullets. It's
42:55
clear. I'm, I'm nervous. We
42:58
finally get to the end and the
43:01
interviewer says, so do you have any questions for
43:03
me about the role? I
43:05
have never been sweater in my life. This is it.
43:08
And if they get suspicious during this
43:10
moment, all of my work is for nothing. So I
43:13
say, I
43:15
am so excited about this company. I hear
43:17
there's a lot of opportunity for growth. I
43:19
did a bunch of research. I did find
43:21
a few news stories that mentioned XYZ potential
43:23
merger. I know you can't
43:26
confirm anything, but I just want to
43:28
understand what an integration process
43:30
looks like at your company during
43:32
an M&A. I know
43:34
you can't confirm anything again, but I just want
43:36
to understand how my role could potentially change over
43:39
time. The interviewer
43:41
takes a beat and
43:43
says, you're right. I can't confirm
43:45
anything. And
43:47
my heart sinks. I'm like, no,
43:49
this person's trained. And
43:51
then they go, but just
43:53
because I can't confirm doesn't mean I
43:55
can't talk in generalities. And
43:58
winks. Actually, winks. like,
44:00
oh, this is going to be so good. So
44:03
there's a lot of hand waving and you
44:05
know, I can't confirm, but throughout the rest
44:07
of these interviews, but it
44:09
seems that everyone at this company knows you're
44:11
not allowed to say information in plain language
44:13
about M&A's, but that doesn't mean that I
44:16
can't glean pretty serious details about
44:18
the upcoming acquisition plans that have
44:20
been clearly discussed internally. By
44:23
the end of this day, I
44:25
got M&A info out of
44:28
three of the six interviewers. So
44:30
50%. What kind of info
44:32
are we taking? Yeah. So they
44:35
wouldn't tell me the names of
44:37
the companies that were potentially going
44:39
to be acquired. But I
44:41
would say things like, I saw a
44:43
rumor about XYZ
44:45
company. Is this the type of company
44:48
that you would be excited about? And
44:51
then the wink, wink hand waving process
44:53
starts of, you know, I can't confirm
44:55
it, but we
44:57
are interested in integrating things
44:59
like XYZ. So
45:01
I was able to glean information such that
45:03
when I reported it back to the team,
45:05
they were like, I mean,
45:08
yeah, you,
45:10
you, you got the right information. And
45:12
nobody said anything in plain language, but
45:14
you can get people to say things
45:17
kind of beating around the bush. So in
45:19
the end, I got M&A info out of 50% of
45:22
the interviewers, three out of six. I
45:24
debrief with the security team. I
45:26
asked them when they want to discuss the
45:29
results with the organization. They say, well, let's
45:31
just wait up and just finish the hiring
45:33
process so that it's not a distraction to
45:35
them. And in the
45:38
meantime, the next day, I actually get an email
45:40
that I used to apply for this role, that
45:43
I was being moved to the next stage of the interview
45:45
process to get an offer. So
45:48
not only did I siphon out the info I
45:50
needed during the interview pent-up, I
45:52
also got the job, I guess. Well, congratulations.
45:54
I hope that goes on your resume. No,
45:57
I should put PM on there. So she meets
45:59
with the security team. and explains to them how she
46:01
found out about all this upcoming mergers and acquisitions.
46:04
And together they had a chat about whether
46:06
this was just an obscure edge case or
46:08
a bigger problem. They realized that
46:10
when they explained to people that
46:13
they were not allowed to say
46:15
the words of the
46:17
acquisition, they realized that they needed to
46:19
be clearer in their communication. That
46:23
no, just because you're not
46:25
saying we are acquiring XYZ
46:27
company, it doesn't
46:29
mean that friends, family, on social
46:32
media, people can't glean information to
46:34
understand, oh, they're interested
46:36
in AI. This person is talking about how their
46:38
role is going to change. They're
46:40
talking about how much they love this
46:42
specific technology and they're tagging certain companies
46:44
on Instagram or Twitter. They
46:47
realized that they needed to be much
46:50
more specific in their protocols and language,
46:52
saying, when we're planning an acquisition,
46:55
once we talk about it internally, please
46:58
do not talk about it even in a
47:00
hand waving fashion with friends or family or
47:02
on social media. Don't talk about how
47:04
your role is going to change on LinkedIn. Don't
47:06
talk about what you're excited about upcoming on Instagram. They
47:08
had to be really clear about that. And
47:11
once they did that, those leaks stopped because
47:13
it wasn't an insider threat. It was just
47:15
people not 100% getting
47:17
what an attacker is interested in and how
47:19
they could find that info. Oh,
47:21
so it did solve the problem. It did. Yeah,
47:24
it doesn't necessarily mean that it's coming
47:26
through the interview process. Now, maybe it
47:29
was, but it's probably just
47:31
that people in general at the company
47:33
didn't understand that when talking in generalities,
47:35
that can be used by attackers too.
47:38
Yeah. And then you probably had recordings to
47:40
show concrete proof of, when you say this,
47:42
I'm hearing this.
47:45
Exactly. And they were like, oh, I get it.
47:47
So I can't say that we're
47:49
talking about this technology and how
47:51
it's going to change my role as a
47:53
product manager, because that tips off people to
47:55
understand that we're going to be acquiring XYZ
47:58
company in the next six months. That's where
48:00
these leaks are coming from. So
48:04
you know, you came on my
48:07
radar because you sometimes just create
48:09
these crazy viral
48:11
instances online where
48:13
I've seen you hack a... Who's
48:17
Donnie from? Donio Sullivan from CNN.
48:21
From CNN. So I've seen you
48:23
hack a CNN correspondent. I've seen you
48:25
hack voting machines before. I've
48:27
seen you do all kinds of crazy things that suddenly
48:29
you've got like a million views on this thing.
48:31
And I'm just like, well, there she is again.
48:34
Rachel's out there going, doing things. But
48:37
one thing was interesting was when you went on
48:40
60 Minutes. Yeah, it's
48:42
last year or so I started talking more
48:44
on Twitter about how I'm seeing AI get
48:47
used by criminals to trick people. So
48:49
I'm talking about this scammers are tricking
48:52
grandparents out of 1500 bucks posing as
48:54
their grandson, spoofing the grandson's phone number,
48:56
voice cloning, or just like modulating the
48:59
pitch to sound like the grandson and saying they
49:01
need money for bail. Just talking about these examples,
49:03
60 Minutes sees this. They
49:06
email me, they reach out, they say, hey, we
49:09
want you to do a hack live. It's
49:12
actually got to trick somebody. Can
49:14
you do that with us? And
49:16
I'm like, I mean, yeah,
49:19
I can do that, but it's complicated. I've done a
49:21
lot of these live hacks over the years for large
49:23
media pieces. I
49:26
need consent. Before I
49:28
do any sort of hacking, I get
49:30
consent. Like when I hacked CNN's, Stonio
49:32
Sullivan, I hacked him through his
49:35
service providers, and I also hacked him through his leaked
49:37
passwords. And I had his
49:39
consent with a lengthy contracting process and
49:41
scope discussion before I was able to
49:44
contact his service providers pretending to be
49:46
him. Before I was able
49:48
to log into his LinkedIn using his breached
49:50
passwords and the things that I found online.
49:53
So I started explaining to them how much consent
49:55
I'm going to need. And they're like, I
49:57
mean, we'll just try and see what happens.
50:02
So I start to
50:04
talk to them about who my target is going to be.
50:07
They want my target to be
50:09
Sharon Alfonsi. She's an
50:12
awesome correspondent for 60 Minutes. Rachel
50:14
Toback is what's called an ethical hacker.
50:17
She studies how these criminals operate. So
50:19
ethical hackers, we step in and show
50:21
you how it works. So
50:24
the mission was to use AI to
50:27
somehow trick and scam the host of
50:29
60 Minutes while on the show. But
50:32
the problem is the host needs to consent
50:34
to being targeted, which if she
50:36
knows she's going to be scammed while on
50:38
her show, it'll really put her guard up,
50:40
right? So this was going to
50:43
be tricky. How do you trick someone who's asking
50:45
you to trick them? She's got a lot
50:47
of information about her online, so I do my own
50:49
thing. Since the host of
50:51
60 Minutes has been on TV for years, Rachel
50:53
realized there is a lot of audio of
50:56
Sharon talking. This might be
50:58
useful. Maybe she can somehow
51:00
use Sharon's voice to do something. I
51:02
determined through OSINT, open source intelligence,
51:04
that the best way to do this
51:07
hack was to
51:09
trick her coworker while
51:11
pretending to be Sharon. Because
51:14
sometimes our coworkers have just as
51:16
much info and access on us
51:18
as we do about ourselves. So
51:21
I needed to get consent from
51:23
the coworker. And here's
51:25
the massive challenge. I
51:27
needed to get her coworkers consent because she
51:30
was a major part of the hack. This
51:33
coworker is named Elizabeth. I contacted
51:35
her like, hey, this is what we're going to do. We're
51:37
going to do this hack. You
51:40
need to consent to essentially being part of
51:42
the hack, but you don't know when, where,
51:45
or how it's going to happen. You don't know
51:47
who I'm going to pretend to be. You're not
51:49
going to know the method of the attack, whether it's going
51:51
to be a phone call, email, text, contacting your
51:53
service providers, pretending to be you. Elizabeth
51:56
is awesome. She's like, that's
51:59
fine. That's like completely fine. I'm
52:01
really excited and I'm like, okay, let's
52:04
do this So I
52:06
decided that I wanted to do a phone
52:09
call because I wanted
52:11
to clone Sharon's voice and
52:13
spoof Sharon's phone number to Elizabeth and
52:16
Trick her during a phone call to reveal
52:19
some sort of personal information to me now
52:22
Sharon is a famous reporter. So her voice
52:25
is everywhere I grabbed about
52:27
five minutes worth of samples of her
52:29
voice just from YouTube videos from 60
52:31
minutes I put her voice into my voice
52:33
cloning tool. I start tweaking the tool There's
52:36
voice clone settings for things like
52:38
clarity voice stability style exaggeration And I
52:40
finally get the settings tweaked to a
52:43
point where I feel like it's gonna
52:45
be Credible at all during a
52:47
phone call, but it's not a hundred percent
52:49
perfect and I do my
52:51
open source intelligence to find the right phone
52:53
numbers to spoof and The
52:56
great phone numbers to call like I
52:58
said data brokerage sites have personal contact
53:00
details for almost everyone And I
53:02
need to find the right details to you during the
53:05
hack like upcoming travel the right information
53:07
to try and siphon out For the demo
53:09
you can find most of the stuff through social
53:11
media when people talk about their lives The
53:15
only issue No, I'm
53:19
gonna have to somehow get Elizabeth
53:21
to participate in this hack without
53:23
her realizing It's the hack itself
53:25
going down. How am I gonna do
53:27
that? She's already consented to this and she
53:29
knows it's coming So I
53:32
figure the only way that this is gonna work is
53:35
if it feels natural within the filming day Otherwise,
53:37
how is the film team going to
53:39
catch the hack live so that anyone
53:41
in the audience can watch it? So
53:43
when you so they've got
53:46
the cameras on you, they've got you
53:48
in the studio. They've got Sharon there
53:51
Not yet. Let me tell you these details So
53:56
I get my hair and makeup done for 60
53:58
minutes, right I'm doing my vocal warm-ups I'm like,
54:00
la, la, la, la, la, la, la, la, I'm getting ready
54:02
for recording. Sharon's still in
54:04
her room, prepping for the day. The
54:06
light and the sound crew are getting the gear
54:08
ready for the shoot. Elizabeth
54:11
shows up, she's getting ready. I
54:13
pull aside the head of the sound and lighting crew,
54:16
and I let them know that I think the only
54:18
way they're gonna be able to catch this hack on
54:20
camera live is this, I'm
54:22
gonna go out into the hallway with my computer and
54:24
phone. You, the camera crew,
54:26
cannot follow me because it'll be way
54:28
too obvious to Elizabeth if you follow
54:31
me, and it really shouldn't
54:33
matter anyway because it will be me on the other
54:35
end of the phone call, so you should catch the
54:37
interaction from her end anyway. So
54:39
you, the crew, must ask Elizabeth to
54:41
stand in for Sharon so you can get
54:44
lighting, sound, everything prepped so that when Sharon
54:46
finally comes down, she can just slide into
54:48
the shot and we can get started. That
54:51
way, when I start the hack, you'll be able to actually
54:53
see and hear Elizabeth and be able to catch the
54:55
attack in motion. Wow.
54:58
The crew is like, what
55:00
did we sign up for? This
55:02
is ridiculous. I am so
55:04
nauseated by this plan. Like, I'm so freaked out
55:07
by this because if this
55:09
doesn't work and Elizabeth is like,
55:11
sure, crew, I'll stand in for
55:13
Sharon and immediately realizes what is
55:15
happening, then this entire shoot, all
55:17
15 members of the
55:19
60 Minutes team, the lighting crew, sound, hair, and
55:21
makeup, everybody's here for nothing, and I will just
55:23
have to basically demonstrate what I would have done.
55:27
That's not gonna be fun for anyone. And now, mind you, it's
55:29
like 7 a.m. So
55:31
this feels like the crack of dawn for all of us. People
55:33
have not even had a cup of coffee yet. So
55:36
people are like, okay, Rachel, sure, we'll do that.
55:41
So I walk over to my hacker laptop. I
55:44
announce to the room that I need to go help my
55:46
team with something back home. So before we get started for
55:49
the day, everyone get your coffee,
55:51
whatever, set up. They say, no worries. I
55:53
step out into the hallway. I
55:56
can't hear anything that's happening in the ballroom now where
55:58
we're filming. I just have
56:01
to hope that the sound and lighting
56:03
crew have successfully gotten Elizabeth into the
56:05
quote stand-in position with the sound and
56:07
lighting on because otherwise they're not going
56:09
to catch this and like I'm not
56:11
going to fake it for them later. It needs to be real. So
56:14
I'm just like praying this works. So
56:16
I open up my voice cloning tool
56:18
in the hallway. I type
56:20
in my opening line into the voice cloning tool
56:23
and to be clear this voice this voice cloning
56:25
tool. I cloned Sharon's
56:27
voice. I can then type in
56:29
any words and it will spit out those
56:31
words spoken in Sharon's voice. So
56:34
I type in my opening line. My opening line is
56:37
Elizabeth sorry need my passport number because Ukraine
56:39
trip is on can you read that out
56:42
to me. It has to
56:44
be short and sweet direct into the point
56:46
without requiring a lot of follow-up
56:48
because the issue with these tools
56:51
is there's a delay in me
56:53
typing it into the voice cloning tool and
56:55
when it spits out the words in Sharon's
56:57
voice. I'm also holding my phone up
56:59
to the computer so there's like kind
57:02
of a strange audio vibe going on with this phone call
57:04
and I just want to minimize it and make it happen
57:06
as fast as possible. So
57:09
I open up my spoofing tool on
57:12
my phone. I type in Sharon's number
57:14
to spoof. I type in Elizabeth's phone number to
57:16
call. I hit go. It
57:18
is 100% silent. I
57:21
hear Elizabeth's phone. It's
57:23
audibly ringing inside of the ballroom and I'm
57:25
just hoping she like goes over and picks
57:27
it up right. My stomachs and knots. I
57:30
am sweating profusely and then I hear her go. Hello
57:32
Sharon. Like I hear it through my phone and I
57:34
can also hear it in the ballroom and I'm like
57:36
oh my gosh you can like hear out here. So
57:39
I hit my voice cloning play
57:42
button. It starts playing
57:44
Sharon's voice asking for the passport number. Elizabeth
57:46
sorry need my passport number because the Ukraine trip is
57:48
on. Can you read that out to me? And
57:52
then silence. For
57:55
what feels like hours I am sick
57:58
to my stomach. My hands are shaking. this
58:01
forever silence that I was experiencing
58:03
with Elizabeth holding her phone in
58:05
her hand, looking at
58:07
the caller ID during the call to
58:09
ensure it really does say Sharon, because
58:11
the voice sounds weird. I mean,
58:13
I'm voice cloning plus spoofing.
58:15
So it looks like it's calling from Sharon, but it sounds
58:17
kind of far away because I'm holding my phone up to
58:20
the computer. Elizabeth finally
58:22
responds. Oh, yes, yes, yes, I
58:24
do have it. Okay,
58:27
ready? And then she reads out the
58:29
passport number I just asked her. I'm like,
58:31
let's just get off this call as soon as possible.
58:33
So I say thank you. She starts
58:35
asking me questions. You know, when am I going
58:38
to be down for the shoot? Do I need anything else? And
58:40
I have to do I have to deal with this
58:43
delay back and forth typing in my replies. So I'm
58:46
just thrilled that by this point, I like
58:48
siphoned out information. And I just wanted
58:50
to get off this call as fast as I possibly could. So
58:52
I said, I'm just coming down. And I
58:54
am in the call. I
58:57
walk into the ballroom. Elizabeth is
58:59
sitting under the lights with the mic pinned
59:01
on her. And I'm like, it worked. All
59:04
I have to do now is do the interview
59:07
with Sharon and explain the mechanics of the hack
59:09
to her live and make sure
59:11
that Elizabeth knows that anyone would fall for
59:13
this style of hack because most people don't
59:15
realize it's possible yet. I wanted to make
59:17
sure she didn't feel like horrible about it.
59:20
And yeah, she did the interview
59:22
and explained what just happened, how
59:24
she tricked Elizabeth into giving Sharon's
59:26
passport number. But after
59:29
listening to this story, I got
59:31
really curious about this voice cloning tool
59:33
and wanted to try it myself. So
59:38
to clone someone's voice, you give it
59:40
a bunch of audio of them talking
59:42
and using some advanced AI, it will
59:44
get to know that voice. And
59:46
whatever you type, it'll say it in their voice.
59:49
I spent a few hours playing around in
59:51
this tool. And I cloned my voice. I
59:54
think it's really interesting. Okay,
59:56
I want to show you, I'm going to play two clips
59:58
for you. I want you to listen and
1:00:00
try to figure out which one is
1:00:02
AI generated. Ready? Here's
1:00:04
clip one. Hey this is Jack
1:00:06
Resider. This morning I had a peanut butter
1:00:09
and chocolate smoothie for breakfast. Okay
1:00:11
here's clip two. Hey this is
1:00:13
Jack Resider. This morning I had a
1:00:15
peanut butter and chocolate smoothie for breakfast. Okay
1:00:18
punch in your votes. Ready for
1:00:20
me to tell you? Both clips were
1:00:23
AI generated. In fact what
1:00:25
you're hearing right now is AI generated
1:00:27
too. I switched to having
1:00:29
AI talk for me a few minutes back.
1:00:31
I just type whatever I want and
1:00:34
it'll narrate it for me. It's really
1:00:36
wild. It even adds in breaths like
1:00:38
this. Listen and sometimes it'll
1:00:40
even add plosives like how the P sounds
1:00:42
and nope. It's crazy how good
1:00:44
this sounds. Huh
1:00:47
okay okay I'll switch back to my normal voice
1:00:49
now. There is I'm using my
1:00:51
real voice now okay. The
1:00:54
future is going to be weird isn't it? Okay
1:00:56
so I just saw this article the other day
1:00:58
on CNN's website and it said there was this
1:01:00
guy working for a company in Hong Kong who
1:01:03
controlled the finances for that company and
1:01:05
he got invited to a video call with a
1:01:07
CEO and a few other colleagues that he recognized
1:01:09
and he saw them on the screen. He heard
1:01:12
their voices and he was positive. It was the
1:01:14
CEO and his colleagues and they
1:01:16
were telling him there's this new deal that just finished up
1:01:18
and they wanted him to send 25 million
1:01:20
dollars to another company. So
1:01:22
he did but the problem
1:01:24
was the video and the voices
1:01:26
were all AI clones. Scammers
1:01:29
tricked him into thinking he was on a
1:01:31
video call with the CEO and our
1:01:34
future is almost surely not going to be what we
1:01:36
think it's going to be. I have
1:01:38
a feeling we're going to have a
1:01:40
hard time knowing what's reality and what's
1:01:42
fiction. Yeah it's a good
1:01:44
point. Hey Jack can I jump in here? Yeah
1:01:47
who's this? This is Daniel Meisler.
1:01:50
Oh hey Daniel. Yeah what do you have to
1:01:52
say about this? Yeah so what I
1:01:54
find fascinating about this whole story is that
1:01:57
there's a very early concept in security about
1:02:00
How do I know it's you, right? And
1:02:02
we normally don't have to worry about this
1:02:05
with video because seeing has always been believing.
1:02:08
And the same with hearing for audio. But
1:02:11
now with deepfakes, for both video
1:02:13
and audio, we need a whole nother layer.
1:02:16
So what I actually expect to see here is products coming
1:02:20
out that are basically like, how
1:02:22
do I establish like early trust?
1:02:24
Like as soon as you join a company, you'll
1:02:27
probably establish like keys across like
1:02:29
all of Slack or across like
1:02:32
all of Microsoft Teams or something. And
1:02:34
that's like your predetermined channel. I
1:02:37
think this is a good idea. If you
1:02:40
can cryptographically sign something, then that'll prove the
1:02:42
message or video came from you. So I
1:02:44
imagine this could cut down on people falling
1:02:46
for fakes. If it's not actually signed
1:02:48
by the person who sent it, don't trust it. Initially
1:02:51
getting your key would be interesting though. You
1:02:53
still have to prove who you are at
1:02:56
the beginning, right? And one way
1:02:58
to do that is to verify who you
1:03:00
are in the meet space, the real world.
1:03:02
When you're face to face and in person,
1:03:05
it's still a valid verification technique that you
1:03:07
are you. But with
1:03:09
everyone having their own cryptographic keys to
1:03:11
prove someone is real, the
1:03:14
threat then moves to securing the
1:03:16
key. If someone else grabbed
1:03:18
the key, they could make it look like
1:03:20
you sent something when really you didn't. They
1:03:22
just signed it using your key. Yeah,
1:03:25
yeah, absolutely. We're gonna need something like
1:03:27
that for all remote calls essentially. Cause
1:03:29
it's like, first of all, the AI
1:03:31
can copy both of our voices because we have our
1:03:33
voice out there and that's
1:03:36
easy to copy. But very soon, like I
1:03:38
won't know honestly if this is you right
1:03:40
now on this call. I
1:03:42
just imagine like making a whole caption network for
1:03:44
everyone I know, right? So my dad calls me
1:03:46
on the phone and it says, before you can
1:03:48
connect to this party, please solve this caption. Exactly,
1:03:51
exactly. There's still gonna be some sort
1:03:53
of challenge or like predetermined
1:03:56
like key exchange, yeah. Oh
1:03:58
my gosh. I personally, I'm
1:04:00
excited about our future. We
1:04:02
are smarter than ever and more
1:04:04
advanced than ever, and it feels
1:04:06
like the human race is going
1:04:08
through a Cambrian explosion of sorts,
1:04:10
with all new technologies and advancements
1:04:12
popping off almost daily. We're
1:04:15
living in the exponential era.
1:04:18
Time will move faster from here
1:04:20
on out, and we get
1:04:22
to witness it. We have
1:04:24
tickets to watch the birth of
1:04:27
human 2.0. 2.0, how special is that?
1:04:32
Whatever comes next will
1:04:34
surely be exciting. A
1:04:46
big thank you to Rachel Toback for coming
1:04:48
on the show and sharing these stories with
1:04:50
us. She wrote a free ebook on social
1:04:52
engineering, and you can find a link to
1:04:55
it in the show notes. Besides doing social
1:04:57
engineering for companies, she also does security awareness
1:04:59
training. And in fact, she started a whole
1:05:01
video production company where she creates fun and
1:05:03
entertaining training videos. You can learn more about
1:05:05
what she's doing by visiting socialproofsecurity.com. Also
1:05:08
thanks to Dan Miesler for giving us some insights
1:05:10
into AI. This episode was
1:05:12
created by me, the backseat writer,
1:05:14
Jack Recider. Our editor is the
1:05:16
gourmet sorbet, Tristan Ledger. Mixing done by
1:05:19
Proximity Sound, and our intro music is by
1:05:21
the mysterious Brickmaster Cylinder. How
1:05:23
does a computer...
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More