When Rachel Tobac was a student studying applied behavioral analysis and neuroscience at Allegheny College, she trained a rat in a lab to press a lever when it heard the rapper T-Pain, but not the rapper Ludacris. It was this experience, among other things, she says, that helped her become a winner of DEFCON’s Social Engineering Capture the Flag competition (SECTF) in 2016 and 2017.
“The things I was doing to train the rat are exactly the same things that I do on the phone when I’m vishing,” she says, referring to the social engineering practice of voice phishing, which participants are asked to do in front of a live audience during the DEFCON competition. “When the person on the other line is telling me something I need to infiltrate their company, my tone will be positive and I’ll reinforce them. If I’m not getting information that will help me hack them, I’ll use the strategy of extinction — I won’t give them positive acknowledgment for information that I already know, or information that won’t get me closer to hacking their company.”
Tobac also has a background in improv comedy, another skillset she says helped launch her cybersecurity career. “One of the biggest tools I use for hacking into a company is reciprocation, and a huge part of of comedy is reciprocation,” she explains. “We want to commiserate with people, we want to laugh with people, and you’re less threatening when you can do those things.”
Last week, Rachel and I had a call in which she made me laugh several times but did not try to social engineer me (to my knowledge). She did, however, answer questions about how becoming a white hat hacking superstar has changed her cybersecurity habits, and she shared a few common misperceptions about hacking that could help make you safer. Our edited conversation is below.
Since you won the DEFCON SECTF competition, you’ve become a highly in-demand speaker — at conferences and companies across the country. Why do you think people have been so drawn to your story — that of a special education teacher turned white hat hacker, with no prior technical experience?
Most people are not white hat hackers, so when they hear someone fell into that without experience, they can imagine themselves doing something similar. Then, when they hear about the way I do the white hat hacking — that also makes it very accessible. What I do doesn’t require learning how to write code. All of my hacking can happen through social media, phone, and email, which introduces cybersecurity issues people might not think about . For example, if I post something about going for a run with Fred every week on my Instagram, a hacker can find those posts, call me up and say, “I know Fred and run with him too” to earn my trust. Many people never imagine that that could be a way someone could hack them. It’s very eye-opening.
What are some of the reactions that you get?
There’s not one typical reaction. Sometimes a more technical hacker is usually excited that I’m talking about something that’s accessible or relatable to people, because they often express frustration that people haven’t taken their recommendations to heart, or people have called them paranoid. And then there are people who aren’t involved in the information security community. When they hear I came in as a noob and infiltrated these companies in 20 minutes in front of 400 people at DEFCON, the question I often get is: How do I have you come to my company and tell this story?
Have you been going to a lot of companies to do that?
I’ve gone to a fair share of companies so far.
Do they ask you to hack them, or show them where their vulnerabilities are?
My husband Evan and I co-founded a company — SocialProof Security. It’s doing exactly that. Sometimes a company wants to know: if you were to hack us, how would you do it? They want us to find all we can find on social media, and write up the phone scripts for how we would hack employees. We’re assessing how social media would open them up to social engineering risk with OSINT Security Assessments.
I’m finding information that anyone could find if they put in enough time. At some companies, I tell my story as a white hacker, and then I’ll break a group out into teams, identify a target, and have them do the hacking themselves in what’s called an OSINT CTF (Open Source Intelligence Capture the Flag), a competition in which groups race against the clock to find as many information “flags” as they can. The “flags” are pieces of information that a social engineer could find via open source channels like Reddit or Instagram — like, “what antivirus software are they running?” or “what operating system do they use?” Each flag is worth a certain number of points and the winning team earns a prize. Playing CTF really solidifies the threat for people because it makes it memorable. Now the next time they get on social media and use the geolocation feature on Instagram with an address, they’ll think oh wait a minute, I know exactly what someone would do with this information.
What would someone do with that?
If I’m looking to infiltrate a company, I’m going to start on Instagram or Twitter. I use geolocation to go and look through addresses tagged to that company. If you’re looking at a large company, you can find all of the pictures tagged to the geolocation tag of its headquarters. I’ll scour through every photo and comment and eventually I will find information that will help me — like work station photos. Someone is posing with their three-year work anniversary balloons and their laptop is behind them. I can see what browser they use, their OS, what version they’re on and what mail client they use. If I were one of those bad guys, I would use that to tailor an exploit to the machine, get them to click on a link over the phone, or send them an email or text phishing link and gain access to their computer. If you have a picture on your desk of your dog, I’m going to play a sound clip of a dog barking behind me when I call you, and we’re going to build a rapport. These seemingly innocuous pieces of information are so compromising for a company.
What are common misperceptions about what social engineering is, and what it’s not?
That a social engineer looks really creepy. That they’ll be lurking in the shadows. In reality, they will be right up in front of you, hiding in plain site. In a lot of scenarios they will walk right through the door and they’ll look really happy and smiley and you’ll hold the door for them. It’s not always going to be some creepy sounding person in a basement trying to hack. That’s a common misconception.
How has your experience social engineering changed the way you think about cybersecurity and your own social media habits?
Most people who work in infosec are at least slightly paranoid. I still use Twitter, but I think the big thing for me is understanding what to let someone authenticate with me on. If I post something to Twitter — “so happy to be at the Grace Hopper Conference,” and someone calls my phone number, and says they work at Grace Hopper, and they need to authenticate my badge number, so please click on this link, I would hang up. Sometimes that means I hang up on real people, but I think I’m helping myself not get vished.
Does that really happen?
It happens all the time, actually. I trash a lot of emails that are probably real. I have people everyday who say, if you want to schedule a call click on this link and I say nope, we’re going to do that manually. If people ask me to do surveys for them, I’ll ask to have a call instead.
What does everyone need to understand about the intersection of human psychology and cybersecurity?
When people hear about Robert Cialdini’s six principles of persuasion, they can see how easy it would be for someone to influence their employees [through tactics like reciprocation — the idea that we are more likely to offer up information about ourselves if our conversation partner shares first]. The more we talk about how human brains operate and how people are persuaded, the less we will victim blame. That’s something we hear a lot in the media — some big hack will happen, and someone will blame it on an individual, or the user. We will never get the phishing click through rate to zero percent. That’s not human nature, and it’s not the user’s fault. We need to own that this is how human beings act, that these hackers prey and understand how to persuade human beings, that any one of us could fall for a social engineering attack. That it’s the company’s responsibility to keep their employees in the know and their client’s information safe by baking security into their culture and products.
If we can get to a point where we’re security-conscious and empathetic, and clear with whose responsibility security is, that’s going to help people a lot. In other words, we won’t be trying to persuade people based on fear, but based on education — giving them the tools and examples they need to protect themselves.