
This Week on What the Hack: DEF CON 33 Unpacked

In this second installment of our DEF CON two-parter, we talked to SocialProof Security CEO Rachel Tobac about how and why people are often the weakest link in so many cybersecurity protocols and how making yourself a harder target will cause most threat actors to move on to an easier mark.

Episode 214

Ep. 214: “DEF CON Redux with Rachel Tobac!”

“What the Hack?” is DeleteMe’s true cybercrime podcast hosted by Beau Friedlander

Rachel Tobac: Let’s sit down somewhere.

Beau Friedlander: Yeah, where do you want to sit?

Beau Friedlander: Okay. Welcome back. This is the second of a two-parter from DEF CON 33. This week it’s a conversation recorded live at DEF CON, the largest hacking conference in the world. Four days in Las Vegas, where tens of thousands of hackers, cybersecurity professionals, and just plain curious people gather to see just how breakable everything really is. You’ll hear the crowd and background noise, but more than anything you’re probably gonna hear the punch-drunk energy that comes from being on your feet for 14 hours straight in a place where almost everyone you meet is at least in theory trying to hack you. And somehow that’s part of the fun. My partner in acapella, that’s Rachel Tobac, CEO of SocialProof Security, entrepreneur, social engineer, hacker, and all-around expert on the all-too-human aspects of cybersecurity. Okay, that was Rachel Tobac. Thank you so much everybody. We’re done. Alright. I’m Beau Friedlander and this is What the Hack, the podcast that asks, in a world where your data is everywhere, how do you stay safe online?

Beau Friedlander: Rachel, thank you. Ready?

Rachel Tobac: Yeah. Can we please sit down?

Beau Friedlander: We can.

Rachel Tobac: I’m so excited to be sitting. I haven’t sat down in 12 hours.

Beau Friedlander: Are we not the loopiest people on earth at this point?

Rachel Tobac: 12 hours, it’s been 12 hours. It’s 6:43. That’s when I stood.

Beau Friedlander: Yeah, same.

Rachel Tobac: Is this your first time sitting?

Beau Friedlander: No, I went back to the hotel and I sat down for a little bit.

Rachel Tobac: Cheater.

Beau Friedlander: So good. By the time we found a quiet enough corner to talk, quiet was a relative term. So, so tell me about… all right, before we even start the interview, did you start in with social engineering?

Rachel Tobac: Yes.

Beau Friedlander: Or were you working? You did. Okay. So tell me, how did you get started in social engineering?

Rachel Tobac: Yes. So the year is, let’s see, I know it’s DEF CON 23. It’s a long time ago, over a decade ago. My husband, who’s working in security, I’m still working in UX research at a tech company. Previous to that I was a teacher. He goes, “I think you should come to this conference. It’s called DEF CON. They put people in a glass booth. And they hack in front of a live audience. I think you would be good at this, Rach, because you called the cable company and you get the bill lowered every month. I think you would be good at hacking over the phone. Do you wanna do it?” And I said, “Yeah, I think that would be interesting. I have no idea if I’d be good at that, but let’s give it a shot.” So I go, I show up at DEF CON. A total noob. I don’t know anything. I don’t know anybody. I make a fake badge to try to get past the goons. I get caught immediately.

Beau Friedlander: You didn’t… you tried to hack them?

Rachel Tobac: I tried to hack. I got caught immediately. Then I got a real badge.

Beau Friedlander: Rachel Tobac is a three-time runner-up in one of DEF CON’s most popular events: the Social Engineering village, specifically the competition. It’s a capture the flag thing. We talked about it in the last episode. In simple terms, it’s a live competition where contestants sit in a soundproof booth and get on the phone with real companies, real people from real companies and try to talk those strangers into giving them useful information. There’s a list of things they have to get, and the more of them they get, the more effectively they get those pieces of information, the higher their likelihood of winning. There’s no hacking tools, no breaking the law, just voice, charm, and quick thinking. The goal is to collect, you know, these specific pieces of data or flags, if you prefer a CTF frame, that could be used in an attack while the crowd cheers. It’s quite a thing.

Rachel Tobac: I got caught immediately. Then I got a real badge. Somebody loaned one to me. I went in, I watched my first call. They hit voicemail. They hit voicemail. I never got to see a real call. I then put in the world’s wackiest video application. It’s like Twin Peaks inspired. It’s truly…

Beau Friedlander: What are the high notes?

Rachel Tobac: Have you seen Fire Walk With Me?

Beau Friedlander: Yeah.

Rachel Tobac: Yeah, where Bob, the scary guy comes climbing over the couch? I do that.

Beau Friedlander: Nice.

Rachel Tobac: Yes. Very creepy. It’s like a face swap before deepfakes existed. I ended up getting selected, so I go and I’m gonna go compete. I talk with all of Evan’s friends from security, and I’m like, “How do I even do social engineering?” They stay up until three in the morning with me trying to teach me how to do it. I get in the booth, I get second place. I’m like, “Oh, maybe I have a knack for this.” I do it again the next year, I get second place. I do it a third year in a row, I get second place again. After each time, more and more companies come up to me and say, “Hey, can you train our team? Can you help us understand? Can you pen test us? Can you show us what you did in the booth to our company?” So I’m like, “Sure, I guess I need to LLC; I should probably start SocialProof Security.” So we started SocialProof Security in 2017 to meet the need of the companies in the audience at DEF CON. It was extremely organic.

Beau Friedlander: Now, social engineering is really about connecting.

Rachel Tobac: Yeah. Building rapport.

Beau Friedlander: It’s building rapport. But it’s also, I was really struck today by a vibe that happened in the room consistently when somebody decided to hang up, and the vibe was red balloon floating off into the sky. Now from the balloon’s point of view, that’s great. Safe. Didn’t do the wrong thing.

Rachel Tobac: Right.

Beau Friedlander: Now, from the room’s point of view, “Oh, what a drag.” You know, so tell me about that gamification of pen testing. So, we’re gamifying pen testing, which makes it an attractive thing to do, which makes people better at it.

Rachel Tobac: Correct. Yeah. It basically pressure tests and celebrates the people who do something that is interesting and fun, right? And because social engineering is such a personable thing to do and you’re building rapport very quickly over the phone, you’re essentially building like an Olympic spectator sport.

Beau Friedlander: A hundred percent.

Rachel Tobac: You know, something that people can participate in. The audience feels like they’re a contributing member of the team.

Beau Friedlander: Alright, so I had that experience and you’re about to hear it. As the competition unfolds, the audience becomes a sort of mob of DEF CON punch-drunk cliches of aspirational hacker-dom, and it’s a thing of beauty. Everybody in there by the end of this thing thinks they could probably hack their way into the NSA. In fact, learning how to hack a person really does emerge here though, as something different. Learning how to hack a person is the first step in becoming harder to hack. I think of this one where I’m not horrible at it, and I think, you know, there’s a point where I could go “ring, ring” and they go, “What?” And then I just can say, “Ah, oh, excuse me. Sorry, my cat just jumped at me.”

Rachel Tobac: Right.

Beau Friedlander: Everyone knows what that is, and all of a sudden you’re not just somebody being annoying. You’re somebody who just had an annoying experience and they might talk to you. How do you establish that connection fast? What is the trick there?

Rachel Tobac: Well, I think it’s something that you probably saw when we first walked up to one another is we’re building rapport with each other through comedy. It’s essentially like improv, like we’re “Yes, and’ing” each other. You “mahna mahna’d” me and I “buh-buh-duh-buh’d” you back, right?

Beau Friedlander: Alright. Social engineering is the art of human connection, of meaningful bonding, or a believable simulacrum of bonding anyway, with an ulterior motive. Definitely with that ulterior motive. But here’s the cool part: At DEF CON Social Engineering Community Village, the motive is not adding to the swamp of cyber insecurity we all live in, right? The goal is to make us more secure.

Rachel Tobac: That’s pretty much what social engineering is.

Beau Friedlander: I keep thinking about the teenage hackers we talked to in episode 213. They did a phenomenal job. The most striking thing for me was that they really understood the assignment so well that it didn’t matter that they really weren’t the best actors on earth. And no offense, guys, I thought you were awesome, but if you’re listening, here’s what they did really well. They understood who they were talking to. It’s not terribly different from any business transaction. Success is often a byproduct of just listening and responding to the needs that are being communicated to you. One of the things that I was struck by is because they’re younger, they haven’t developed completely, and in older people doing it, I noticed there was sometimes a compunction, like they were like, “Oh, this, I’m sort of doing something transactional here.” Where with the kids, it wasn’t there, and I’m wondering, you know, like, so it’s an ethical assignment. You’re not doing something mean.

Rachel Tobac: No.

Beau Friedlander: But there’s something slightly mean about it because you’re…

Rachel Tobac: Yeah. People can feel uncomfortable sometimes when they’re hacking because they know that potentially somebody in the room might be thinking, “Ah, this guy’s a sucker.” You know? And we have empathy. And so because of that, we watch this person getting hacked. Even though we don’t know them really by name, we hear them and we go, “Oh, that could be my aunt, that could be my cousin. That could be my friend.” And we feel bad for them. But I think the thing we have to remember is this is all anonymous. This is, you know, for the greater good. If you think about it from a utilitarian perspective, I think most people can understand that we’ve gotta learn so that we can keep everybody safe, and we can’t really learn until we do it, until we try.

Beau Friedlander: Yeah. And I don’t think anyone’s questioning that. And what we’re trying to do is actually make people harder to hit.

Rachel Tobac: Correct. That’s exactly right.

Beau Friedlander: And how does that work? Like you go in and pen test a company, what is the process of making them, hardening them as a target?

Rachel Tobac: You basically have to imitate what the criminals are doing in real life. So for instance, Scattered Spider. They love to attack over the phone. They call up your service desk, they say, “Hey, it’s Beau. I dropped my phone in the toilet. Nothing’s working. I need to reset my password and my multi-factor authentication.” The way that you’re looking at me right now makes me think you did drop your phone in the toilet and I’m actually hitting on something right now.

Beau Friedlander: I’m very sad. Keep going.

Rachel Tobac: So that’s essentially what they do. It’s so low-tech that literally anybody could do it. And companies, I think they’re very hardened against like email-based attacks.

Beau Friedlander: Yeah, a hundred percent.

Rachel Tobac: They’ve been trained on that. They understand it. They can’t quite make the link between, “I posted on social media that I started at this new job and I’m receiving a phone call now, and that person says they’re my boss and they need gift cards,” or “I’m receiving a text message.” They’re not making the link between what is publicly available and what somebody could do to harm you or your company with that information. So we kind of showcase that in social engineering community via phone attacks only.

Beau Friedlander: Well, I think because phone attacks are, you know, people know the minute…on the phone today you noticed over and over again, the minute they were like, “Can you go to this website?”

Rachel Tobac: They’re like, “I feel like I’m not supposed to do that.”

Beau Friedlander: They know.

Rachel Tobac: They know that. They don’t understand the rest, like the elicitation. They don’t understand, “Oh, I just gave away the information about who I work with for sanitation.”

Beau Friedlander: After the break: why knowing who takes out the garbage at your company might be an extinction-level event. We’ve been talking about how the smallest detail can give a threat actor a way into your company. You know, in the wrong hands, it doesn’t take much. That’s not just harmless trivia, right? It’s the first step to taking over your entire digital life or commandeering your company from a cyber point of view. So, back to DEF CON and back to Rachel Tobac. Now, for our listeners, explain why it would matter if you know who takes the garbage away.

Rachel Tobac: Right. Now, it matters about who takes the garbage away because then I can pretend to be that garbage company to the individual that works there and say, “Hey, I need to collect at a different time. I need you to grant me access to the building,” and you can go in and gain access to the organization, stealing IP, leaving malicious USB sticks around, right? Once you grant access to somebody physically, like a sanitation company, there can be really big physical consequences.

Beau Friedlander: “Rachel, I am really sorry about this, but we lost all of our payment information. Can you? I’m sorry. You know, but we can’t even actually collect the garbage until you re-up.”

Rachel Tobac: That’s another really good point is…

Beau Friedlander: “And we need your ABA routing. This can’t be a credit card.”

Rachel Tobac: Right, “We need all the new banking information. Can you go ahead and give us those details right now?”

Beau Friedlander: And it is striking that vishing still works and I wonder if you have any thoughts as to why? Because I think it goes beyond… people know that there are vishers. People know about romance scams. People know that they may get a phone call or some kind of communication that leads to a phone call.

Rachel Tobac: I think one of the common misconceptions for people is that they think when they get this phone call, the person is going to be mean, rude, demanding. They don’t expect that this person is going to be kind and helpful. And we kind of break up these attacks into two main categories. Either “I’m helping you” or “you are helping me.” That’s pretty much it. So examples of “I’m helping you” are, “I’m calling you and I’m IT, I need to remote into your computer so that it works while you’re traveling.” And then “you are helping me.” That’s like what we see in the social engineering community village, which is, “I can’t get access to my computer. Can you help me with X, Y, Z?” Or “I need to do this audit,” or “My boss is gonna be screaming at me later. Can you help me understand who does your sanitation?” etc., etc.

Beau Friedlander: “I have these things I need to know, or my boss is going to kill me.”

Rachel Tobac: Exactly. So you’re displacing the blame.

Beau Friedlander: Yeah. Now, what can somebody do if they know what biometric tool you use to log into your computer? Why would anyone wanna know that?

Rachel Tobac: Yeah. Because it just makes it easier to create a believable phish, right? If I know that you use “insert tool here,” and I could say, “Hey, I’m ‘insert tool here.’ Your payment didn’t go through. Click here.”

Beau Friedlander: Okay, I’m back to the teenage hackers. I mean, listen to this. Now I can tell you when we were in the audience and that guy said he hadn’t checked his email for a year, the whole room cringed. What went through your mind when he said that?

Seth: I think I sort of in that competitor mindset of just go with whatever happens. I have these objectives I know I need to get, and we are on a time limit here, so I can’t let that little thing catch me off guard and I need to keep moving.

Beau Friedlander: Let me put you in the room since I couldn’t record. By the way, I couldn’t record because it’s illegal. There are laws, specifically federal wiretapping laws that force me to paraphrase here. But there were two young men in a soundproof booth, and they were trying to get information out of various targets and they finally got this guy on the phone and he really had not paid attention or maybe taken the security trainings that had been provided to him by the company he was from. He was in sales. That’s all I’m gonna say about that. But the more they dug, the more they found out sort of really ludicrous things, one of them being that he hadn’t checked his email for over a year, but there were others and he was an open book and it was a huge problem. Huge.

Brian: I mean, when he said his email in a year, I just thought that was hilarious. I was just laughing. I was laughing with the audience.

Beau Friedlander: So anyway, so they had this guy on the phone and he’s just like, “We wanna know.” “Okay, sure. Yeah. Oh, what my social security number? Yep.” And he’s just going off, and at one point he said, “Well, do you know, we could actually just use email for this.” And the guy goes, “Oh, I haven’t checked my email in a year.”

Rachel Tobac: Right. Yeah.

Beau Friedlander: And that’s the guy. So you get that guy on the phone and you’re like, “Oh my God, are you from Indiana?” And they’ll be like, “No.” “You sound like my cousin from Indiana.” “No, I’m not. I’m from Florida.” “Oh my God, I know someone from Florida.”

Rachel Tobac: You can build rapport with anybody. If you can just turn on a time…

Beau Friedlander: And then boom, and then you’re like, “Actually, I’m gonna get killed. Can you tell me what your password is? Because I have to log in as you to prove that I talked to you.”

Rachel Tobac: Right, and the thing is that people don’t think that that kind of attack will happen over the phone, especially to somebody that sounds kind. They’re just not trained.

Beau Friedlander: Or they just became a best friend.

Rachel Tobac: Correct. You build that rapport and why would you not?

Beau Friedlander: So, okay, so here’s the part where I feel like The Talented Mr. Ripley, and I’m sure other people who do this, you know, pen testing for a living do too. Yeah. I mean, if I show up at a door, physical pen testing, it’s the old trick that Deviant Ollam talks about, which is you go to the door and you just, you bobble whatever’s in your hand as someone’s walking in…

Rachel Tobac: Oh, you drop something? Yeah.

Beau Friedlander: …and you walk in with them after they pick your shit up.

Rachel Tobac: Right. It’s that level of empathy. It really is built quite quickly within one interaction.

Beau Friedlander: “I’m so stupid. Oh, thank you.” Now, because that’s what we’re doing, how… like are the people who are, and this is tough ’cause I’m good at it, you’re good at it. But my most self-critical self is like, “You know why you’re good at it, Beau? ‘Cause you’re a sociopath. That’s why you’re good at it.”

Rachel Tobac: You’re not a sociopath.

Beau Friedlander: No, but you know what I mean? What do you think about the conflict? Is there one ever or is this like we’re doing it for the greater good?

Rachel Tobac: I think everybody who does pen testing feels conflicted about it.

Beau Friedlander: Okay.

Rachel Tobac: I don’t think there’s anybody that would say, “Oh no, this is 100% completely positive at all times.” I actually turn down the majority of pen tests that are requested of me.

Beau Friedlander: Why is that?

Rachel Tobac: The reason why is because most organizations aren’t ready for a pen test. I don’t wanna go in there and hack them within 30 seconds. That’s demoralizing, and they’re not gonna learn anything because they’re gonna be on the defensive and feeling uncomfortable.

Beau Friedlander: And then they’re never gonna be comfortable.

Rachel Tobac: Right, because it hurts morale. So most of the time, organizations need to update their protocols to verify identity. And it’s much easier to do that when you can talk about it without feeling defensive. And so most of the times, you know, when people talk about, “Oh, we wanna pen test, we wanna do this, we wanna do that, we wanna see what you’re gonna get,” it’s like, “Well, how do you verify identity at the service desk level? If I call in and say, ‘I’m Beau,’ how do you check that I’m Beau? Okay, well here’s how I would thwart that. And here’s how you can change your protocols.”

Beau Friedlander: So you’re hardening them for a while before you get to the pen testing?

Rachel Tobac: Usually for at least a year. Yeah.

Beau Friedlander: Oh, that’s great.

Rachel Tobac: Yeah. And then by the time I get in there, it’s really obnoxious and I’m like, “Why did I do this?”

Beau Friedlander: But are you doing that with, do you have written… do you have a curricula or is this all training?

Rachel Tobac: So we do a workshop to actually update their protocols. I call it a protocol update workshop.

Beau Friedlander: Okay.

Rachel Tobac: So the team makes the decision from the ground up. It’s not just the execs saying, “Hey, this is your new protocol.” It’s me talking with the team and saying, “Alright, tier one support, let’s say I call, how do you verify identity now?” Here’s how I would thwart it. Here’s a menu of options to choose from. What do you think makes the most sense for your SLA? What would make the most sense for you personally? What do you feel most comfortable doing? And then whatever they feel most comfortable doing, what makes the most sense for their SLA, what the executives like and what they like, that’s probably what they’re gonna choose. And that’s typically what happens.

Beau Friedlander: Now, I worked for years with Adam Levin at CyberScout and that’s where I learned this stuff. Adam was a big fan of saying that cybersecurity isn’t secure unless it’s from the mailroom to the boardroom.

Rachel Tobac: Yeah, that’s true.

Beau Friedlander: Now, can you talk a little bit about how you handle an organization? Like when you come in, where are you starting? Is it all hands or is it…how do you start at a company?

Rachel Tobac: Yeah. Typically an organization is gonna hire me first to train at the all-hands level. So we’ll do like one 60-minute all-hands-style.

Beau Friedlander: It’s like a lunch and learn or a fireside?

Rachel Tobac: Yeah, it’s like a fireside chat or a lunch and learn. Then after that, the most common thing that they do is they bring me in to train their client-facing teams, so that’ll be your service desk, customer support, finance, HR.

Beau Friedlander: People who can give away the farm.

Rachel Tobac: The people who can give away the keys to the castle.

Beau Friedlander: You say castle, I say farm. Now and then when you get in, at that point are you heading into pen testing or no?

Rachel Tobac: Mm-mm. That’s when they want to head into pen testing and I say we’re not ready for that yet.

Beau Friedlander: That’s great. Where do you see this business going in the next five years?

Rachel Tobac: I think everything is gonna change.

Beau Friedlander: Coming up. Why the next big cyber threat might not be some super hack, but a clumsy email you send (I send?) on a busy day. We’ll talk about AI mistakes, voice clones, and the surprising reason even your dog’s Instagram could make you a target. Pen testing, short for penetration testing, is like hiring a burglar to break into your house to show you how easy it is to do, but legally. Companies do it to find weak spots before criminals do. It’s hacking for good at DEF CON. Right? It’s ethical hacking. I was asking Rachel Tobac where she thought pen testing and this kind of hands-on security training was headed. Where do you think pen testing and this form of active cybersecurity training is going to go in the next five years? I’m sure you’re gonna tell me something about AI agents.

Rachel Tobac: That’s exactly right.

Beau Friedlander: Let me give you a good prompt. So when I met you, I was so busy that I sent you, I had written an email to you that was perfectly fine, and I looked at it and I was like, “That’s a bit clipped for someone I’ve never met.” And so I put it into AI and I said, “Gemini AI, it seems a little clipped.” And Gemini AI, as you saw, said, “This is friendly enough, but it’s not quite businesslike enough.” And it rewrote it. And I was like, “Well, that’s good enough.” I took the whole thing, so I was busy and I sent you the entire prompt to which my colleague said, “Oh dear. Did you just send Rachel the whole prompt?” And that was how you knew…

Rachel Tobac: Yeah.

Beau Friedlander: That I was friend or foe.

Rachel Tobac: Right.

Beau Friedlander: Because I wrote back to you and said, “Well, that happened.”

Rachel Tobac: Yep. And do you remember my reaction?

Beau Friedlander: Yes.

Rachel Tobac: I went, “LOL, did you just include the prompt? That’s actually hilarious. We should talk about that in the pen test.”

Beau Friedlander: And here we are.

Rachel Tobac: And here we are. Because I think AI is gonna radically change the way that everybody does work from, you know, you using AI to write an email to me and accidentally including the prompt. Can you imagine if you included sensitive information related to the prompt?

Beau Friedlander: Totally can happen.

Rachel Tobac: It totally could happen. We’re gonna see stuff like that because most attacks are not actual attacks. They’re just human error. Just someone messes up and happens to give away something they shouldn’t. And you just happen to not include super sensitive information…

Beau Friedlander: Oh shut up.

Rachel Tobac: …in that prompt. But I think in all seriousness, we’re gonna see these attackers use voice clones more. Right? We’re already seeing that where they pretend to be the executive to the EA and they clone the executive’s voice. They spoof the executive’s phone number. It looks like it’s them on the caller ID. They pick it up. It sounds like it’s the executive. They’re asking for a wire transfer. Why would I not? Until they update their protocols, they’ll fall for this.

Beau Friedlander: And that means that there has to be another multiple in the authentication process.

Rachel Tobac: Correct. Human-based MFA. Another method of communication.

Beau Friedlander: And so, so there’s phone and then there would have to be email, something. You have something, you know, something you are…

Rachel Tobac: I would probably say something like if you get a call, Signal message, Slack, email, any other method of communication…

Beau Friedlander: It can even be a safe word if you think about it. You can change it every day.

Rachel Tobac: There can be. However, I will say I’ve siphoned out safe words in the past.

Beau Friedlander: Really?

Rachel Tobac: Yes.

Beau Friedlander: And so people do try that strategy and it is fallible.

Rachel Tobac: It’s fallible. Well, here’s the thing, nothing is unhackable. Anyone who tells you otherwise doesn’t know what they’re talking about. So safe phrases that you use with a colleague are hackable. Any machine is hackable, software is hackable, all of it. Humans are hackable. Everything is…

Beau Friedlander: No. And a hundred percent. And so like the big organizations that are dealing with things that really matter, like money, like finance, FinTech, they will have a protocol where they’re backing up and air-gapping every hour at an offsite. Now, most companies are not doing that, and so the stakes there are very lax because nobody thinks it matters.

Rachel Tobac: Oh, absolutely. Most people say, “Well, I have nothing to hide.” I say, “Well, what about all the stuff that you’d like to protect?” It’s not about just hiding. You have your family, you have your friends, your pets, your livelihood, your money that you’re saving, your Instagram account for your dog with 40,000 followers. You’re not trying to hide that. You’re trying to protect it. You wanna keep it.

Beau Friedlander: So in the future we’re gonna be seeing more human-based exploits that use AI to further obfuscate the truth from, you know, make believe.

Rachel Tobac: Yes.

Beau Friedlander: And it is make-believe, right? ‘Cause you’re like, actually, imperative, make believe. Let’s make that person believe.

Rachel Tobac: Yeah, that’s accurate. I would say it doesn’t change the attack in any way. It makes it more believable and it makes it more scalable. Because now it’s not just me using like a voice modulator that changes the pitch of my voice, like when I did that Donie attack for CNN, I had to change the pitch of my voice to sound more like Donie, and then I put on a really bad Irish accent.

CNN Clip: I am here in Las Vegas for two of the world’s biggest hacking conferences, and for some reason I have agreed to be hacked. I’m meeting Rachel Tobac, who specializes in a special form of hacking called social engineering, and I’m very nervous.

Rachel Tobac: I feel like I know pretty much everything about you.

CNN Clip: I instantly don’t trust you.

Rachel Tobac: So I’m gonna be doing these phone calls. I’m gonna be actually live hacking, so when I call, your phone number is gonna display on their caller ID.

CNN Clip: This is Donie O’Sullivan.

CNN Clip: Who are you really?

CNN Clip: No, this is Donie O’Sullivan. I can tell you my address, phone number, date of birth, whatever you need to know to verify that that’s really me.

CNN Clip: That’s wild.

Rachel Tobac: We don’t have to do that anymore. I can just use an AI agent, and I don’t even need to be the one that places the call. The AI agent does everything. I just sit back.

Beau Friedlander: And are you getting enough nuance on that?

Rachel Tobac: Yeah. Yes.

Beau Friedlander: So that is terrifying.

Rachel Tobac: You’re gonna see it all tomorrow.

Beau Friedlander: We’ve done episodes in the past about AI voice cloning, and the truth is it feels like it’s getting better every single day, especially when you’re hearing it over a bad connection or a glitchy Zoom call. Those little gateways that used to tip you off just aren’t there anymore. Which means the old mental checklist—voice sounds right, number looks right—it doesn’t save you anymore. Trust is easy to hack, and once that happens at scale, it’s not just banks and big companies that need to worry. It’s anyone with anything worth taking, which when you think about it, is all of us. And that’s sort of the point of DEF CON. Alright, so anything I’ve left out that you think we should be talking about here?

Rachel Tobac: Yeah, I mean if you wanna make sure that your information is harder for me to find when I’m trying to choose who I’m targeting, you have to take your information off the internet. I don’t wanna be able to find your phone number. I don’t wanna be able to find your email address. I want it to be annoying to me, which is why I recommend tools like DeleteMe to people, without even…you guys don’t pay me to say that. I just genuinely think it’s a really good idea.

Beau Friedlander: No, it’s a phenomenally good idea. It’s important because at the end of the day, most scammers, the real deal, they have the same reaction to failure as people here in the community, which is, “Oh, they hung up on me. Next.”

Rachel Tobac: Right.

Beau Friedlander: And so if your stuff’s not online, they’re not gonna go looking for it.

Rachel Tobac: For most people’s threat model, no.

Beau Friedlander: Unless you’re Jeff Bezos or something. But if you’re not, then…

Rachel Tobac: If your threat model’s not super high, you removing your contact details from the internet makes it much more annoying for attackers to even think about you in any way. They’ll just move on to someone else.

Beau Friedlander: A hundred percent. Rachel Tobac, thank you so much for joining me.

Rachel Tobac: Thanks so much for having me, Beau.

Beau Friedlander: Now mahna, mahna. Okay, it is time for the Tinfoil Swan, our paranoid takeaway to keep you safe on and offline. This week I want to talk about how to make yourself as annoying as possible to potential hackers and scammers and attackers in the world of social engineering. These people (I use that term loosely) are looking for the path of least resistance. Right? We just heard that from Rachel. They wanna find your information pretty easily. If they can’t, they’re gonna move on. This is a job. They don’t have time to mess around. And it’s great news for you because it means you don’t need to be perfectly secure. You don’t need to be Fort Knox. You don’t need to be, well, I don’t know. I can’t think of a good example ’cause we’re all really vulnerable. You just need to make yourself harder to attack than the next person. So how can you do that? It’s all about reducing your digital footprint and taking control of the information that is publicly available. Alright, here’s a big one. Just clean up your digital clues. Clean up your act. So, and I’m really not one to talk, but anyway, social engineers and scammers are masters at using small pieces of public information to build a believable story, and they’re gonna look for everything from your email address and phone number to where you went to school, where you’ve worked, name of your dog. They’re gonna look at social media for sure. Think of everything that you do online as an open-door policy for your personal data, and then consider whether or not you want to have that door open. Data brokers and people search sites, like Whitepages, Spokeo and others. There’s a lot. There’s a lot of ’em. They can legally collect and sell your personal data. They’ve privatized privacy, right? Anyway, trying to contact each one and request a removal is yeah, also not fun. A bit like whack-a-mole. It’s because, you know, even if you get it to go away, they might get it somewhere else and put it up again. 
So a very good practice here is to use a data broker removal service. I call it a personal information removal service. It’s a service like DeleteMe, which makes this podcast possible, and it’s a human-assisted solution to the problem, which will make finding and requesting the removal of your personal information a thing that you no longer need to worry about. By proactively doing these things to remove your information from the internet, you’re closing doors. They say that locks are for honest people, right? Because if a criminal wants to get into your house, they don’t care if there’s a lock on the door. They’re gonna go through the window. They’re gonna break through the wall, cut through the wall with a Sawzall. Sheetrock and all. Did I just say that out loud? Anyway, yeah. They’re gonna get in. Locks are for honest people and for lazy hackers. So put a lock on the door, do the easy stuff. Get rid of the low-hanging fruit. In the woods, if you’re being chased by a bear, you don’t need to outrun the bear. You just need to outrun the person who posts a lot on social media and has their information everywhere online. That’s it. Did that make any sense? Stay safe out there and see you next week. What the Hack is brought to you by DeleteMe. DeleteMe makes it quick and easy and safe to remove your personal data online, and was recently named the number one pick by New York Times’ Wirecutter for personal information removal. You can learn more if you go to joindeleteme.com/wth. By the way, if you do use that URL, joindeleteme.com/wth, you’re gonna get a 20% discount on DeleteMe’s product, so check it out and again, stay safe out there.
