144: Rachel

Darknet Diaries

Primary Topic

This episode delves into the fascinating world of social engineering, highlighted through personal anecdotes and a detailed analysis of a social engineering contest.

Episode Summary

In "Episode 144: Rachel," Jack Rhysider of "Darknet Diaries" explores the intriguing realm of social engineering through the experiences of Rachel Tobac, a renowned figure in the field. The episode provides a vivid recount of how Rachel, initially intrigued by hacking through social interactions, ended up making a career out of it after participating in the social engineering contest at Defcon. It illustrates her journey from a neuroscience and psychology student to a leading social engineering expert, highlighting her strategies and techniques, such as phone call manipulations and the art of pretexting in hacking endeavors. Through Rachel's narrative, the episode also sheds light on the psychological and technical aspects of social engineering, emphasizing its implications and the preventive measures businesses can adopt.

Main Takeaways

  1. Social engineering relies heavily on psychological manipulation, often using pretexting to gain trust.
  2. Competitions like the Defcon social engineering contest can be gateways for amateurs into professional cybersecurity roles.
  3. Effective social engineering defense requires robust training and awareness programs within organizations.
  4. Rachel's success underscores the importance of understanding human behavior in securing information systems.
  5. The episode highlights the evolving landscape of cybersecurity, where human factors play a pivotal role.

Episode Chapters

1. Introduction

Jack Rhysider introduces the episode and sets the stage for a deep dive into social engineering, using Rachel Tobac's story as a case study. Jack Rhysider: "Welcome to Darknet Diaries, a show featuring true stories from the dark side of the Internet."

2. Rachel's Background

Discusses Rachel's early interest in hacking and her academic background, which indirectly led her to cybersecurity. Rachel Tobac: "I never planned to get into social engineering; it was a mix of curiosity and circumstance that pulled me in."

3. The Defcon Experience

Covers Rachel's first experience at Defcon, where she participated in the social engineering contest and secured second place. Rachel Tobac: "Defcon opened my eyes to the real-world impact of social engineering."

4. Professional Growth

Explores how Rachel leveraged her skills to build a career, including founding her own security firm. Rachel Tobac: "After Defcon, I knew I had found my calling."

5. Techniques and Tactics

Details specific social engineering techniques Rachel uses, such as pretexting and psychological manipulation, to achieve her goals. Rachel Tobac: "It's about understanding the person on the other end of the line."

Actionable Advice

  1. Educate Employees: Regular training on social engineering tactics can enhance defensive measures.
  2. Implement Strict Protocols: Use multi-factor authentication and strict verification processes to reduce risks.
  3. Promote Security Awareness: Encourage a culture of security awareness that makes employees think critically about unusual requests.
  4. Conduct Regular Audits: Frequent security audits help identify and mitigate vulnerabilities.
  5. Simulate Attacks: Regularly simulate phishing attacks to test employee readiness and improve defenses.

About This Episode

Rachel Tobac is a social engineer. In this episode we hear how she got started doing this and a few stories of how she hacked people and places using her voice and charm.

Learn more about Rachel by following her on Twitter https://twitter.com/RachelTobac or by visiting https://www.socialproofsecurity.com/

Daniel Miessler also chimes in to talk about AI. Find out more about him at https://danielmiessler.com/.

Sponsors

Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from ThreatLocker®. ThreatLocker® is a Zero Trust Endpoint Protection Platform that strengthens your infrastructure from the ground up. With ThreatLocker® Allowlisting and Ringfencing™, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker® provides Zero Trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware! Learn more at www.threatlocker.com.

Learn more about your ad choices. Visit podcastchoices.com/adchoices

People

Rachel Tobac

Companies

Leave blank.

Books

Leave blank.

Guest Name(s):

Leave blank

Content Warnings:

None

Transcript

Jack Rhysider

When I was in college, a scammer called me up. He's like, look, I'm not selling you anything or even telling you what to do. I just have information about a stock and I wanted to share it with someone. And you were just like the lucky guy I found in the phone book. Listen, stock Z is gonna go up next week.

That's all. I'll call you back next week to prove it. I was like, alright, that was a strange call, whatever. And yeah, he calls me back in a week and sure enough, the stock he told me about went way up. He was spot on.

He was all excited about how much money he made. But I told him he just got lucky and he should cash out and take a trip somewhere. He's like, no, no, no, it's not luck. There's an algorithm that can accurately predict this. And he said he knew which stock was gonna go up next.

I was like, all right, so which one's gonna go up next? And he tells me and says to keep an eye on it and he's gonna call me back next week to prove he was right. So yeah, another week goes by and the same guy calls me back and he's like, boom, you see what I mean? And he was all excited again and I was like, I don't see what you mean, but let me check the price. And I checked the price and again he was right.

And I was like, dang, good job, but I think you got lucky again. He said, no, he's been doing this for a solid year now and he's been right every time. And he tells me more about this algorithm and how he's analyzing different indicators and watching the stock market extremely close and just has everything dialed in. And he tells me about another stock that he says is surely going to go up and I'm like, okay, call me back in a week, let's see if you're right. And sure enough, after a week I checked and he was right again.

Three accurate stock price predictions in a row. And he called me back and he's like, dude. And I'm like dude? And he's like, you see that? I said, I saw that.

How are you doing this? And he's like, I cracked the code. But then like the snake he was, he tried to strike at me. He said, listen, the next one is the craziest one I've ever seen. There's this company whose stock price is gonna explode, but the best part is they're in the initial investor round, so you can get in on the ground floor if you want.

How much do you wanna invest? Ten grand. You've slept on three of these, you're not gonna wanna miss another, right? And I'm like, I'm a college kid, dude. I've got $30 in the bank.

I don't have ten grand. And he's like, ah, crap. He hung up the phone. But this fascinated me. Who was this guy that was always getting the stocks right?

What was his algorithm? So I looked into it. I met with a stock broker and I asked him, how is this possible? And he's like, oh, that guy was a scammer. And I'm like, duh, I know, but how did he get the stocks right every time?

And this guy broke it down for me. He said, okay, that guy called up a whole bunch of people on week one, told half of them the stock was gonna go up, told the other half the stock was gonna go down. Then he called back the people who he was right with and he told half of them about another stock that would go up. And the other half he would say that stock's going to go down. And then he did it a third time, calling back the people he was right two times with, telling half of them that the stock is going to go up and the other half saying it's going to go down.

So by the time he did that three times, he had this small pool of people who he was right with every time. But really he was just playing a math game with his victims. And I think this is such a long but brilliant scam. Seemingly, this guy was golden, perfect, getting it right every time. But what I didn't know is that he was getting his predictions wrong all over town.

And I was just one of the unlucky few that saw him get it right every time.

These are true stories from the dark side of the Internet.

I'm Jack Reseider. This is Darknet Diaries.

This episode is brought to you by Varonis. So many security incidents are caused by attackers finding and exploiting excessive permissions. All it takes is one exposed folder bucket or API to cause a data breach crisis. The average organization has tens of millions of unique permissions and sharing links. Even if you could visualize your cloud data exposure, it would take an army of admins years to right size privileges with how quickly data is created and shared.

It's like painting the Golden Gate Bridge. That's why Varonis built least privilege automation. Varonis continuously eliminates data exposure while you sleep by making intelligent decisions about who needs access to data and who doesn't. Because Varonis knows who can and who does access data, their automation safely remediates risky permissions and links, making your data more secure by the minute. Even when you're not logged in, Varonis is classifying more data, revoking permissions, enforcing policies, and triggering alerts to their IR team to review on your behalf.

To see how Varonis can reduce risk while removing work from your plate, head on over to varronis.com darknet and start your free trial today. That's Varonis spelled varonis.com darknet.

This episode is sponsored by Threat Locker. These days, one wrong click of a button can lead to a catastrophic cyberattack on your organization, and nobody has time to keep training poor Doris in accounting on what not to click. Cyberattacks are devastating to businesses, and without the correct solution in place, your operation remains at risk. Threat Locker has built an endpoint protection platform that strengthens your infrastructure from the ground up, with zero trust security posture that protects business critical data while also mitigating cyber attacks. Threat lockers allow listing, ring fencing, storage control, elevation control, and network control solutions, to name a few, give you a more secure approach to blocking the exploits of known and unknown threats and application vulnerabilities.

Working together to deny applications by default, block inbound network traffic and ring fencing your applications. Threat Locker provides zero trust control at the kernel level. If you're looking for a proactive solution that will keep your business better protected in the face of cyberattacks, check out threat Locker's cyberheroes at www.threatlocker.com. That's threatlocker.com.

Gather around. In this episode, we're going to hear stories from Rachel Toback. And she's one of the best social engineers I've ever met. Let's start with your origin story. As a kid, how did you get interested in this type of work?

Rachel Tobac

Okay, my origin story. So my first time that I ever thought about being any sort of hacker was when I realized that being a spy is a job that people do, and it's a job that girls could do. And I learned this through the movie Harriet the spy. She goes around sneaking into people's houses, spying. She takes her notebook everywhere.

She sneaks through the dumbwaiter in this rich woman's house and gets caught. And I just thought, oh, my. I had no idea that a girl could be a spy. So that basically became my personality from my childhood. Did you get into computers when you were older or still in middle school?

I suppose I did not get into computers. I wanted to get into computers. I went to my guidance counselor and I think 6th grade, and I said, hey, I want to take these coding classes. And my guidance counselor, she said, you don't want. Rachel, you don't want to take those coding classes.

Those coding classes are 40 boys. You'd be the only girl there. Just take homex instead. Are you serious? I know.

And me being a child, I was like, oh, good call. I mean, yeah, I don't want to blame her for me never learning to code. I mean, I could have tried later in life, right? People try later in life all the time. But no, I've actually never written a single line of code.

I ended up getting my degree in neuroscience and behavioral psychology. I was a teacher's assistant for statistics. I never got into code. Neuroscience? Yeah.

So my path to infosec and hacking, to the untrained eye, it doesn't make any sense. It's almost completely nonlinear to me. Looking back, it makes a lot of sense. So I got my degree in neuroscience and behavioral psychology. I was doing improv on the weekends.

I was a teacher. I then was like, hey, I want to try and get into tech. I moved to San Francisco. I was a community manager at a tech company. I actually ended up leading a UX research team.

And then while I was at that tech company, my husband was in security the entire time. I actually met my husband in high school. I met him when I was 15 years old. So my husband was like, hey, I heard about this thing called Defcon. I think you would get a kick out of it.

And I was like, pass. I think I'm not gonna do that. Okay, so Defcon is the annual hacker conference in Las Vegas. It's wild there. You'll see people walking around with antennas sticking out of their backpacks, talks about how to bypass just about anything on a computer, and tons of villages that focus on specific areas of hacking.

Jack Rhysider

The social engineering village is one of the more popular ones. And when Rachel's husband went into this village and saw what they were doing, he immediately called her up to tell her what he was seeing. They do this thing where they put you in a glass booth. It's soundproof in front of an audience of 500 people. You call companies, and you try and solicit information out of them over the phone.

Rachel Tobac

It's the exact same skill that you use every month to get the bill lowered. When you call these companies, you build rapport. You get a deep discount on things like the cable bill. You'll love it. And she's still like, no, I'll pass, thanks.

He called me back, and he's like, I just saw more of these calls, these social engineering calls. You have to come. I promise you, if you don't like it, we'll just go gambling. As an aside, I love gambling. So I was like, okay, fine.

I pack my bags. I get the first flight out Saturday morning. And as you know, if you're at Defcon Saturday morning, like, Defcon's like a third over at that point, if not more. So I show up, I see a few calls. What she's watching was the social engineering contest.

Jack Rhysider

There's 14 contestants, and they're given the task to basically get enough information to hack into a company all through phone calls. So you have to prepare and figure out who would be an easy target to get information from and what's their phone number. And you better have backup numbers in case the person you call doesn't answer or hangs up on you. Once you do get someone on the phone, you get points for every bit of security data you can get off them. So if you can get them to tell you what operating system they use, you get a point or a flag.

And maybe from there, you try to figure out what browser they use, information about their security guards, what janitor service they use. You can't just ask these questions directly. It raises suspicion. So you gotta provide a pretext or pretend to be someone else, maybe someone who works in another department or someone brand new to the company who doesn't know anything but urgently needs to get a report done today. It's tricky.

It's intense, it's high stakes, because if you get caught on the phone, you're burned, and now you don't get any points. And the best part is the audience gets to watch all this live. I see a few calls and I'm like, oh, my, this is me. Like, I can do this. I was born for this.

Rachel Tobac

And my husband was like, I know, right? I told you. So. She immediately is like, okay, how do I compete in this? And, yeah, it's a whole process.

Jack Rhysider

You need to submit an application, create a video of yourself, and stand out from the crowd, because only 14 are chosen to compete out of hundreds of people who try out for it. And I was like, oh, I got just the thing. I made this twin peak style video to convince them to let me get in, and somehow they agreed to let me participate. Hundreds of people apply, and 14 contestants are selected every single year. Now, they actually give you the target company that you have to attack ahead of time so you can do your research on it, a lot of research, if you want, because you want to find as much information as you can about this company, like going through Google searches or just looking at public places.

Maybe you get a list of people and phone numbers to call so that when it's your turn to call, you know exactly who to call and what questions to ask. In fact, it becomes quite a lot of work to prepare for that moment for when youre going to call someone. You could spend a solid month learning everything you can about your target company so you can shine when youre in the booth. It was a major consulting firm, is really all I can say now these. Companies dont know theyre about to get hacked.

Its really extraordinary to watch. Its basically a live hack with an unsuspecting target. So she gathers as much intel as she can and heads to Defcon to compete. I get in that glass booth now. All eyes and ears are on her.

Not only does she have to trick one person on the phone to give her the information they shouldn't be giving her, but she needs to do it in front of an audience. But she's done improv before and was absolutely ready for this. I contact my target company, I pretend to be an employee who's confused, who's just starting out, and I end up getting flag after flag. And I get out of the booth and I'm like, maybe I did okay. And then there's like a standing ovation.

Rachel Tobac

I'm like, oh, maybe I did better than okay. And I ended up getting second place that first time ever hacking anybody. That first time ever hacking somebody happened in a glass booth in front of 500 people. Dang. Second place.

Jack Rhysider

Of course, now she's hooked. That was fun as hell. The nerves, the adrenaline, hacking and social engineering. All of this she was just craving more of. So she applies to compete again the.

Rachel Tobac

Next year, and then I ended up getting second place the second year, and I got second place the third year. As well, competing three years in a row in the social engineering contest and getting second place all three years. That's what started her career in social engineering. After folks started seeing me get second place at Defcon, they'd see me on stage, they'd be like, hey, I wanna chat with you. Can you come speak at my company about how you hack and how we can catch you?

And I live in Silicon Valley, so I got really lucky that people started asking me to do things that, like, are a job, right? Like, I'm like, oh, I guess I need to make a company. So I made social proof security in 2017. And, I mean, I live in Silicon Valley. I was so lucky.

Some of my first clients were, like, Facebook, Snapchat, PayPal, Twitter. And from there, it was like, us. Air Force, NATO, Uber, Google, Cisco. It's like, oh, my gosh, you know, I feel like I just got really lucky in this life. The crazy thing is that I've heard this story over and over.

Jack Rhysider

Someone who has no interest in hacking goes to Defcon, sees the social engineering stuff going on there, immediately wants to compete, does pretty good in the competition, and then decides to do that for a living and start their own company. It's mind boggling how many lives have changed from people attending DefcoN. Oh, it's totally wild. I mean, if you would have asked me decades ago, like, what did you think you were going to get into? The word hacker?

Rachel Tobac

Would have never even made the top 100 list, because I didn't know it was possible, didn't know it could be a job, and I certainly didn't think I would be good at it. I. When I saw the concept of a hacker in tv or movies, it was usually a guy who wore a hoodie in a basement. And, I mean, I wear hoodies and basements are fine, but I didn't think that I was going to be good enough. So, yeah, you just have to see yourself in the position.

And I've had multiple women come up to me and say, like, hey, I saw you in that competition. Didn't realize it was possible for people like me, and now I do this for a living. Okay. So she started a company called social proof Security, which is basically social engineering for hire. And companies were starting to hire her to see if they were vulnerable to social engineering attacks and what they can do to stop them.

Jack Rhysider

And, of course, I'm fascinated by these social engineering stories. How do you hack into a company with just your voice or your term? So, a bank hired me to penetration test them effectively. They hired me to hack them, and they told me that I could hack via phone call, email, or chat. And my job was to take over multiple accounts and steal access, effectively steal the money out of the accounts.

You want to steal money out of out of customers accounts? Yes. And when we do a penetration test, it's very particular. I don't want to steal money from, like, everyday people. That would be horrible and really scary for bank customers to just randomly have money stolen because of a pen test.

Rachel Tobac

So what we do is we create fake bank accounts. We work with the team on the back end so that the support organization for all intents and purposes sees a real customer. But we've created fake bank accounts for me to steal so I don't actually harm real people. But the support team doesn't know they're fake. Okay, so this company is a bank and she's told that she can target customer support to see if she can access a customer's bank account.

Jack Rhysider

And she's given the options to use a phone call, email, or chat to get through. That's right. I started with the chat feature and I posed as a customer to see if I could take over a customer account with just chatting. So I told the bank support people my sob story. I lost access to my phone, my email, my laptop.

Rachel Tobac

I got lost and I had a night out and I'm traveling abroad. I mean, like the whole story, right? And I really need access to my bank account because I'm stuck and I don't have money. The first thing that I usually try when I'm trying to do an account takeover is I try to see if I can get them to change the email address or the phone number on the account. Because if I can do that, then I can change effectively the admin on the account just by changing the email address.

I can then reset the password or reset to a phone number that I control. There's Sim swapping and all of that. That could happen after that, but you know, that's basically how it works. And they're like, oh, well, we can't do that because we need to only send the password reset to the email address already on your account. Good for them.

Jack Rhysider

That's the protocol they're supposed to follow. That's exactly right. So good job, bank. Horrible for me as the pen tester. A lot of times I have to play both sides of this game.

Rachel Tobac

I have to train the company and update their protocols to prevent people like me from getting in. But when I'm first attacking them, it's so frustrating. So I try chatting with multiple other support people. I'm trying again and again. They will not make any exceptions for me.

It doesn't matter. My pretext, that's who I'm pretending to be. It doesn't matter how I contact them, what I say, my story, nothing. So I decide to switch to phone call based attacking because I tend to be much more successful. So I switch to phone calls.

It leaves less of a paper trailer. People tend to get less suspicious because I can build rapport. They can hear my voice, they can hear how trustworthy I sound. And also when I'm calling I can spoof phone numbers, and a lot of times that helps me gain access. Spoofing phone numbers.

Jack Rhysider

How is this still possible? You can download an app from the mobile App Store, and within a few taps, you can change what phone number you're calling from to have any phone number you choose. So you can make it look like where you're calling from is not actually where you're calling from. Now, when I was young, I used to do this with emails. I would love to send emails to my friends pretending to be from the FBI or the president of the United States.

And I'd be like, Bill, you're in serious trouble. We're coming to get you or something. And then my friend Bill would be like freaking out. And it was awesome fun. But then the email protocol got updated.

They implemented SPF records somewhere around 2006, and this ensures that the place you sent the emails from is where the emails are supposed to come from. This effectively put an end to email spoofing. Of course, not all companies configure their SPF records properly, and you can still spoof it, but at least the option is there if you want to block someone from spoofing your email. But for phones which have been around a lot longer than email, it's an unpatched vulnerability, in my opinion. You can still spoof phone numbers.

Rachel Tobac

Yeah, it's kind of wild in the US right now. It's still possible because all of the telcos have to make the same decisions at the same time. And unless all of the companies get together and make the same choices, it's going to be really hard to implement the right solution. So at least in the US, spoofing is still really possible for me. Now, since phone companies refused to fix this, their solution was to help pass a law making it illegal to spoof phone numbers.

Jack Rhysider

So for now, it just seems like telephone companies are just relying on the police to help keep people from doing this. But to me, this is an awful way to secure things. Telephone companies can fix this if they want. But while I see this as a vulnerability, telephone companies have historically said, wait, why are you using telephone numbers as identifiers? They were never meant to be identifiers.

And they put the blame on us for doing that, because for a long time, our phones didn't have screens, so we never knew who was calling until you picked up the phone and said hello. But then telephone companies gave us caller id where our phones would show who's calling. And so I do blame telephone companies for making us think it is an identifier. Since they were charging extra for that feature back in the nineties. And mobile phones today all come with this feature.

So I say phone companies turn caller ID off if you don't want us to use it as an identifier. Otherwise, patch it so phone numbers can't be spoofed anymore. So anyway, Rachel was trying to get into a customer's account. Let's call the customer, Kelly. And she figured out what phone number Kelly had, and Rachel spoofs her number to look like she's calling from Kelly's phone.

Rachel Tobac

I spoof my phone number. I make it look like Kelly on the account. And by the way, on data brokerage sites when we're doing osint, open source intelligence, typically we can find most people's phone numbers within a minute or two. So when we're searching, we can just know, okay, this is Kelly. This is Kelly's phone number.

I'm going to go ahead and spoof that. I set that up. It usually costs me a dollar or so on the tools that are available on the App Store. These are not, like, heavily regulated. You can just find them on the App Store, and I go ahead and I place that call.

Jack Rhysider

Can you give me an example of how you sound on these calls? Gonna make me act? Yeah. Okay. Okay.

Rachel Tobac

Give me 1 second. I gotta get into character. I'm gonna change my clothes so I can get into character. Here we go. Okay, here we go.

Jack Rhysider

Ring, ring, ring, ring, ring. Oh, wait, we both said ring. Okay. Thank you for calling the bank. How can I help you today?

Rachel Tobac

Hi, I am so sorry. My name is Kelly Smith. So I'm traveling right now, and I just lost my laptop. My phone's not working. I cannot get access to any of my funds.

I'm super stressed out. Can you please, please help me?

Jack Rhysider

That was good. I won't make you do more. Thank you. So, yeah, I mean, they've got a script that they go through where they're just like, okay, well, you know, do you have the last four digits of your phone number or whatever the case is to verify you? Is that how your challenge or what happened?

Rachel Tobac

No. So is this bank knew that KBA knowledge based authentication, things like what's your address? What's the last four digits of your phone number? This bank knows that that information is very easily found online. So they don't use KBA knowledge based authentication to verify your identity.

They usually use MFA multi factor authentication. Now, this is great. This is exactly what I recommend, you know, send a code to the email address on file and make them read it out to you. Rather than going through this process of verifying identity with information that can be found by an attacker in five minutes online. So that's good.

But as an attacker, that's going to be a challenge, because I don't have access to that email address. And when I'm spoofing a phone number, I actually can't receive text messages. And if they call back, I'm not going to be the one that answers that phone call. I'm just spoofing. It looks like I'm calling, but I don't actually have access.

Now, of course, I could sim swap, and many criminals will do that, but for the purposes of this pen test, that's not what I'm testing. So they say, okay, we have an edge case here. Let me see if I can talk to my manager and have you send in a picture of your driver's license, your Social Security card, and a utility bill. And instantly I'm like, okay, bingo, we're in. The other half of social proof security is my husband, Evan.

He does all the technical stuff. I do all the human hacking stuff. This is great, because I need a fake driver's license. So I can't wait to hear how you got a fake driver's license. No.

Okay. So my husband, Evan, he gets to work editing a driver's license, a Social Security guard, and the utility bill to the exact information that they're expecting for this account, which, again, we can find through a data brokerage site. So we're hoping that this company does not know the actual driver's license number, the actual Social Security number, and they're just looking to ensure that the name and address that are on the account match those documents. I can find those pieces of information through Osint, and a lot of times, I've noticed that when they ask for these types of documents, they don't know the right info. They're just hoping that it matches, and they stop there.

Jack Rhysider

So you didn't need a real driver's license, Social Security card, you just needed a JPEG, right? Correct. And that's the trick there. So we spent Photoshop. Was your friend Photoshop?

Rachel Tobac

Yes. We spend all night on these driver's license, Social Security cards, and utility bills of the accounts we're trying to hack. I email the bank at 08:00 a.m. The next day. I tell them my story.

I tell them the edge case that we have set up with support. I send them the driver's license and Social Security card and utility bill by 09:00 a.m.. I have full admin access to the bank account. I have changed it to be controlled by my attacker controlled email address, and I can steal all of the money in the account. So once I finally get in, I have access to everything.

I use the same method again and again. I get access to two more accounts throughout the day. I end up spreading out the request so that we're not raising suspicion with the same attack method over and over again, back to back. And in the end, we took over each bank account that we were asked to to hack within two days. Hmm.

Jack Rhysider

It's truly astonishing, the sheer force of the human voice, its ability to persuade, to move, to manipulate, all through a simple phone call. It also reminds me of how vulnerable customer support is to this kind of exploitation. When you're met with a soft voice telling you a sad story, but wrapped in kindness, it tugs at your heartstrings. You find yourself eager to assist, especially if you just got off the phone with a real prick who was yelling at you about overcharging him $0.10. Contrast that with a kind voice that's truly asking for help, and it really makes it hard to say no.

Rachel Tobac

I know that in a lot of these organizations there are edge cases, so I'm helping companies say, okay, we did this pen test. We figured out what the edge case is. We figured out how we got access. How do we make sure we don't fall into this trap next time when the real criminals get here? So I then help them with, okay, let's set up some edge cases back to back so that we have something like a callback that would thwart spoofing.

If you don't want to use that, you can use email verification one time passwords, you know, sending a code or just a word to the email on file and having them read that out. SMS verification. Okay, they claim they're calling you from this phone number, but maybe they're just spoofing it. See if they can read out a text message. Callbacks towards spoofing service codes, pins, or verbal passwords.

If it's some sort of internal support ticket, you can loop in a manager. There's so many ways to do this right, that a huge part of the pen test is not just hacking the company, but helping the company figure out what is a real practical way that we can solve these edge cases in the future to verify identity the right way and make it harder for you to get in the next time. Because I'll go in, I'll make it harder for me to get in as an attacker. And then the next year I'm like, oh my, this is so hard for me to get in until the, to the point where I can't get in anymore. And that's when I'm like, okay, you've done the most that you can it do.

Jack Rhysider

It's time for a sponsor break, but stay with us because Rachel has a few more stories that she's going to share with us.

This episode is sponsored by Exonius. Complexity is increasing in it and cybersecurity control it with Exonius, the system of record for all digital infrastructure. The Exonius platform correlates asset data from existing tools to provide an always up to date inventory, uncover security gaps, and automate response actions. Go to Exonius.com Darknet to learn more and get a demo that's exonious, spelled Axonius Exonious.com darknet.

On another engagement, Rachel was hired by a company to help them sort out an issue that they kept encountering. It was a large technology company who would sometimes buy or acquire smaller companies. Now, when you're buying another company, you typically want to keep it quiet until the official announcement. It could affect share price or cause panic in the company if things aren't communicated properly. But for some reason, when this technology company would do any merger or acquisition, it would get scooped by some news agencies.

The announcement would show up on news sites way before the company was ready to tell the world. So this company was like, Rachel, maybe you can help us figure out how this news keeps slipping out ahead of schedule. And so they approached me about doing a pen test to figure out how this m and a info was getting leaked, where they could possibly improve their training, their messaging, their internal protocols to figure out why is this happening? Why are folks being incentivized to talk about this? And what can we do about it?

When you hear this, what's your mind? First, go into like, you've got an insider threat somewhere. You've got a breach, an active breach. Yeah. So insider threats happen.

Rachel Tobac

But what is usually most common is people just make a mistake. I kind of live in this world where I assume that people are making mistakes and I try and help them. So we came out with a few different attack methods that might work to uncover where this is happening. Number one, I was going to attempt to pose as a journalist and reach out to various team members, asking them, via social media, DM's email, text message, et cetera, about their experience in tech and see if I could siphon out m and a info and just see where it goes. And number two, I was going to apply to their product manager role, go through the entire hiring process and see if I could extract m and a related info during the question portion of the hiring interview.

I did not know what was going to work and what wasn't, but I just wanted to try both.

Jack Rhysider

All right, so if you're going to pose as either one of these people, it sounds like you're going to need a LinkedIn account or at least some online presence. You can't just show up as a nobody, right? Or I mean, at least it helps establish your background and your pretext. Definitely. Do you have any framework or methodology for how you establish an existing ghost in the world?

Rachel Tobac

Yeah, so we call these ghosts. We call them sock accounts. Sometimes they'll be real people, and so we'll fashion them pretending to be a real person. Sometimes they'll be fake people and they'll just have this full life online with the fake journalist, I figured it was going to be a lot easier to pretend to be a real journalist and just not actually be them, then create an entire Persona of a fake journalist and populate real content. So I built a fake journalist pretext, email background, and social media based on a real journalist, who I'm not going to name, of course.

Jack Rhysider

Interesting. Rachel tried to be another journalist that actually exists, maybe by doing something like using a similar email address or social media accounts. But the question is, how do you know who to ask in a company to get information about upcoming mergers and acquisitions? These are typically closely guarded secrets. But there is a website that's extremely helpful to social engineers.

There's a website that lists pretty much every company and most of the employees that work there. And it tells you their job title, role, what duties they have, and full name. The website is LinkedIn. And personally, I feel like LinkedIn is a security risk to most companies on there. It makes it really easy for someone like Rachel to go down the list of people who work at a company and pinpoint the exact person to target.

Once you have their name, it's probably easy to guess their email address. It's usually first Dot, last nameanyname.com. I mean, not only is there a list of people who work at most companies on LinkedIn, but they like to list their skills, too. And if someone says they've worked for a company for ten years as a database admin, and specifically they say they're excellent at Microsoft SQL Server. Now, you can guess with high confidence.

This company runs Microsoft SQL Server internally, and this person probably has the admin password for it. And we all know how susceptible people are to phishing emails. I mean my opinion is if you listen stuff like that, you just put in like a big old beacon over your head saying, hey, I'm the person you're going to want to hack. If you want to get in the database of this company, come at me. Essentially, the private information that should just be kept inside the company is posted publicly for anyone to see on LinkedIn.

And I mean here's a story where the company is wondering, hey, how come the public knows about one of our internal memos? I say start by auditing what your employees are posting to LinkedIn. If the company is totally cool with all this internal stuff getting posted publicly, then maybe that's perpetuating a culture that's okay to blab about exciting news to whoever asks. I had someone message me on LinkedIn the other day asking me, hey, how can I get my data taken off the Internet? Like is this your photo?

Is this where you work? Is this where you went to school? Is that your actual name? And you posted all this to LinkedIn. And you're wondering how come the Internet knows all this stuff about you?

Because the thing is, a lot of what data brokers know about us is from the stuff we post publicly. Data brokers are scouring our social media profiles, our blog posts, and any mentions of us on the Internet. And then data brokers store all that information about you that you posted. It's frightening. And I mean the reality of the situation is that anybody can do a full background search in less than five minutes on most people in the US, and people dont realize that this informations out there about them, they have no idea that its being sold, they just dont Google themselves.

I say we should take our own privacy seriously because the more we dont care about our privacy, the more companies wont care about your privacy. Anyway. As you can imagine, Rachel had this target company and was able to quickly guess at who might know about upcoming mergers and acquisitions and started hyper targeting them, doing full background searches on them, gathering up their details and just started reaching out, acting like a journalist, emailing them, wanting to see if she can easily get this information from people. Exactly. Or we can reach out over social media, DM, you know, DM on LinkedIn or Twitter or Instagram.

Rachel Tobac

And I mean that's the thing, journalists really do reach out using all of those methods. So it's hard to know what's real and what's fake sometimes. But it didn't work. No matter who she reached out to or how convincing her backstory was, people weren't freely giving her information about upcoming mergers and acquisitions. This method wasn't working.

They let me know some minor details about excitement, about potential m and A, but they're not going to confirm any juicy details. And I try to get people on the phone to talk with me, but I think there's just like this inherent distrust of this particular pretext. So I'm like, okay, I gotta, I gotta really go for the big guns here. I want to attack via the hiring process. Attack via the hiring process.

Jack Rhysider

What an interesting sentence to say. I don't think that idea crosses many people's minds that people applying for jobs might have malicious intent. I've heard of the evil maid attack, but what's this called? The phantom applicant attack? Theres a lot of information that you can get just from reading a job posting.

Like when a company lists the job duties, it might tip their hand into what endeavors the company is going to do next, or expose what technology they have in the company. And these things can be used against the company in social engineering attacks. I think if you read enough job listings, you could probably develop a map of the data center. Hacking into the company through the employment process is actually a decent attack vector. I don't think many companies would expect you to come in through that door.

Anyway, what Rachel was going to do was pose as a job candidate and try to get an interview. And in the interview she was going to see if she could get some insider information about upcoming mergers and acquisitions. Something to understand is as an attacker, this is not easy to do. I've never been a PM. So to apply for a PM role takes a lot of background research.

Rachel Tobac

I mean I led a UX research team at a tech company, so I do have a sense of what a PM, a product manager does. But I am in no way prepared for a PM interview. So I have to study for three full weeks for this role. I'm watching YouTube videos, I'm doing interview prep quizzes online. I'm taking free online courses.

Like, so you want to be a PM? Like the whole nine yards. So I'm building a full Persona, a resume, a Twitter, LinkedIn, Facebook. All of these stock accounts have photos, thousands of friends, reviews of my work from networking groups on LinkedIn. People I've never met that like you give them a review and they give you a review.

All of this stuff is so gameable. I suppose this is stuff you do at social. Proof. There's just one person sitting over there like, hey, just keep making sock accounts all day, every day because I'm going to burn through them so fast. Unfortunately, yes, we do change the names of many Soc accounts, but then you have to populate a lot of new information.

It ultimately takes me about three weeks to build a believable social media account and enough examples of previous PM work to get anywhere near convincible during the interview process. Did you get help at getting your resume to the top of the pile? No, I just had to apply. That's not easy. You know, there's a lot of people don't get callbacks.

Well, during this period of time there, the tech hiring process wasn't as bad as it is in this current year. So I apply for the role. I get a phone screen. I am sweating bullets because if I don't get through this phone screen, I will not move on to a full interview process. I'm going to have to do a bunch of work to change my sock accounts on social media to match a new Persona.

It's going to be a lot more work for me. Luckily, it took like 45 minutes. I passed. I get moved on to the next round. The next round has six different interviewers.

Jack Rhysider

So is this in person? No, virtual, thank goodness. Did you try to gain any information on the first round? No, not during the phone screen. I wanted to.

You were like, I'm gonna wait for the right time. Yeah. I was terrified that they were gonna be like, this person's a weirdo. Like, let's not move them forward. So I waited until the actual official interviewers, and it's gonna be a packed day of interviews.

Rachel Tobac

I have six interviews back to back all day. These interviews are conducted over Zoom. I get all dressed up in my interview clothes that I haven't worn in years. I'm prepped with all my anecdotes, my strengths and weaknesses, my KPI's and success stories. And a lot of these examples I'm using are heavily focused on UX research because if you remember, that's something I used to do.

And many PM's do have advanced UX research skills. So I'm just like hoping that they don't think that's weird. So I get to the first interviewer and the interviewer is like, okay, asking me all these questions. I seem a little nervous, but they're like, oh, you know, don't worry about it. It's gonna be fine.

We go through all the PM related questions. This person's, you're nervous for all the wrong reasons. That's what's funny here. I know, but I have to pass. Yeah.

So I'm going through this. I mean, they're used to people being nervous, and so I could see them saying, oh, it's fine. You're doing great. Don't worry about it. And you're like, oh, thanks.

Jack Rhysider

Cause I'm trying to hack you. No, see, the funny thing is, when you're hacking people, a lot of times it makes sense for your pretext to match how you're actually gonna feel when you're hacking. Yeah. And a lot of times you are nervous when you're calling support because you can't gain access to your bank account. You are uncomfortable during an interview.

Rachel Tobac

These are normal human emotions, and so it's okay to not be way too overconfident. Sometimes that can even read as strange. So, yeah, I mean, I'm sweating bullets. It's clear I'm nervous. We finally get to the end, and the interviewer says, so, do you have any questions for me about the role?

I have never been sweatier in my life. This is it. If they get suspicious during this moment, all of my work is for nothing. So I say, I am so excited about this company. I hear there's a lot of opportunity for growth.

I did a bunch of research. I did find a few news stories that mentioned XYZ potential merger. I know you can't confirm anything, but I just want to understand what an integration process looks like at your company during an M and A. I know you can't confirm anything again, but I just want to understand how my role could potentially change over time. The interviewer takes a beat and says, you're right.

I can't confirm anything. And my heart sinks. I'm like, no, this person's trained. And then they go, but just because I can't confirm doesn't mean I can't talk in generalities, right? And winks.

Actually winks. I'm like, oh, this is going to be so good. So there's a lot of hand waving, and, you know, I can't confirm, but throughout the rest of these interviews, but it seems that everyone at this company knows you're not allowed to say information in plain language about M and A's. But that doesn't mean that I can't glean pretty serious details about the upcoming acquisition plans that have been clearly discussed internally. By the end of this day, I got M and a info out of three of the six interviewers.

So, 50%? What kind of info are we talking? Yeah, so they wouldn't tell me the names of the companies that were potentially going to be acquired. But I would say things like, I saw a rumor about XYZ company. Is this the type of company that you would be excited about?

And then the wink wink, hand waving process starts of, you know, I can't confirm it, but we are interested in integrating things like XYZ. So I was able to glean information such that when I reported it back to the team, they were like, I mean, yeah, you got the right information. Nobody said anything in plain language, but you can get people to say things kind of beating around the bush. So in the end, I got M and a info out of 50% of the interviewers, three out of six. I debrief with the security team.

I ask them when they want to discuss the results with the organization. They say, well, let's just wait up and just finish the hiring process so that it's not a distraction to them. And in the meantime, the next day, I actually get an email that I used to apply for this role, that I was being moved to the next stage of the interview process to get an offer. So not only did I siphon out the info I needed during the interview pen test, I also got the job, I guess. Well, congratulations.

Jack Rhysider

I hope that goes on your resume. I know I should put PM on there. So she meets with the security team and explains to them how she found out about all this upcoming mergers and acquisitions. And together they had a chat about whether this was just an obscure edge case or a bigger problem. They realized that when they explained to people that they were not allowed to say the words of the acquisition, they realized that they needed to be clearer in their communication.

Rachel Tobac

That, no, just because you're not saying we are acquiring XYZ company, it doesn't mean that friends, family, on social media, people can't glean information to understand, oh, they're interested in AI. This person's talking about how their role's going to change. They're talking about how much they love this specific technology, and they're tagging certain companies on Instagram or Twitter. They realized that they needed to be much more specific in their protocols and language, saying, when we're planning an acquisition, once we talk about it internally, please do not talk about it, even in a hand waving fashion with friends or family or on social media. Don't talk about how your role is going to change on LinkedIn.

Don't talk about what you're excited about upcoming on Instagram. They had to be really clear about that. And once they did that, those leaks stopped because it wasn't an insider threat. It was just people not 100% getting what an attacker is interested in and how they could find that info. Oh, so it did solve the problem.

It did, yeah. It doesn't necessarily mean that it's coming through the interview process now. Maybe it was, but it's probably just that people in general at the company didn't understand that when talking in generalities that can be used by attackers, too. Yeah. And then you probably had recordings to show concrete proof of.

Jack Rhysider

Here's. If you. When you say this, I'm hearing this. Exactly. And they were like, oh, I get it.

Rachel Tobac

So I can't say that we're talking about this technology and how it's going to change my role as a product manager, because that tips off people to understand that we're going to be acquiring XYZ company in the next six months. That's where these leaks are coming from.

Jack Rhysider

So, you know, you came on my radar because you saw sometimes just create these crazy viral instances online where I've seen you hack a. Who's Donnie from? Doni O'Sullivan from CNN. From CNN. So I've seen you hacked a CNN correspondent.

I've seen you hack voting machines before. I've seen you do all kinds of crazy things that suddenly you've got, like, a million views on this thing. And I'm just like, well, there she is again. Rachel's out there doing things. But one thing was interesting was when you went on 60 Minutes.

Rachel Tobac

Yeah. Last year or so, I started talking more on Twitter about how I'm seeing AI get used by criminals to trick people. So I'm talking about this. Scammers are tricking grandparents out of $1,500, posing as their grandson, spoofing the grandson's phone number, voice cloning, or just, like, modulating the pitch to sound like the grandson and saying they need money for Bailey. Just talking about these examples.

60 minutes sees this, they email me, they reach out, they say, hey, we want you to do a hack live. It's actually got to trick somebody. Can you do that with us? And I'm like, I mean, yeah, I can do that, but it's complicated. I've done a lot of these live hacks over the years for large media pieces.

I need consent before I do any sort of hacking. I get consent. Like when I hacked CNN's Tony Osullivan. I hacked him through his service providers, and I also hacked him through his leak passwords, and I had his consent with a lengthy contracting process and scope discussion before I was able to contact his service providers pretending to be him, before I was able to log into his LinkedIn using his breached passwords and the things that I found online. So I started explaining to them how much consent I'm going to need.

And they're like, I mean, we'll try. We'll just try and see what happens.

So I start to talk to them about who my target is going to be. They want my target to be Sharon Alphonse. She's an awesome correspondent for 60 minutes. Rachel Toback is what's called an ethical hacker. She studies how these criminals operate.

So ethical hackers, we step in and show you how it works. So the mission was to use AI to somehow trick and scam the host of 60 minutes while on the show. But the problem is the host needs to consent to being targeted, which if she knows she's going to be scammed while on her show, it'll really put her guard up, right. So this was going to be tricky. How do you trick someone who's asking you to trick them?

She's got a lot of information about her online. So I do my osint. Because the host of 60 minutes has been on tv for years, Rachel realized there is a lot of audio of Sharon talking, and this might be useful. Maybe she can somehow use Sharons voice to do something. I determined through OSINT open source intelligence that the best way to do this hack was to trick her coworker while pretending to be Sharon.

Because sometimes our coworkers have just as much info and access on us as we do about ourselves. So I needed to get consent from the coworker. And here's the massive challenge. I needed to get her coworker's consent because she was a major part of the hack. This coworker is named Elizabeth.

I contacted her, I was like, hey, this is what we're going to do. We're going to do this hack. You need to consent to essentially being part of the hack, but you don't know when, where, or how it's going to happen. You don't know who I'm going to pretend to be. You're not going to know the method of the attack, whether it's going to be a phone call, email, text, contacting your service providers, pretending to be you.

Elizabeth is awesome. She's like, that's fine. That's like completely fine. I'm really excited, and I'm like, okay, let's do this. So I decided that I wanted to do a phone call because I wanted to call, clone Sharon's voice, and spoof Sharon's phone number to Elizabeth and trick her during a phone call to reveal some sort of personal information to me.

Now, Sharon is a famous reporter, so her voice is everywhere. I grabbed about five minutes worth of samples of her voice just from YouTube videos, from 60 minutes. I put her voice into my voice cloning tool. I start tweaking the tool. There's voice clone settings for things like clarity, voice stability, style, exaggeration.

And I finally get the settings tweaked to a point where I feel like it's going to be credible at all during a phone call, but it's not 100% perfect. And I do my open source intelligence to find the right phone numbers to spoof and the right phone numbers to call. Like I said, data brokerage sites have personal contact details for almost everyone, and I need to find the right details to use during the hack, like upcoming travel, the right information to try and siphon out for the demo. You can find most of the stuff through social media when people talk about their lives. The only issue now, I'm gonna have to somehow get Elizabeth to participate in this hack without her realizing it's the hack itself going down.

How am I gonna do that? She's already consented to this, and she knows it's coming. So I figure the only way that this is going to work is if it feels natural within the filming day. Otherwise, how is the film team going to catch the hack live so that anyone in the audience can watch it? Yeah.

Jack Rhysider

So when you, so they've got the cameras on you, they've got you in the studio, they've got Sharon there? Not yet. Let me tell you these details. So I get my hair and makeup done for 60 minutes, right? I'm doing my vocal warm ups.

Rachel Tobac

I'm like, la, la, la. I'm getting ready for recording. Sharon's still in her room prepping for the day. The light and the sound crew are getting the gear ready for the shoot. Elizabeth shows up.

She's getting ready. I pull aside the head of the sound and lighting crew, and I let them know that I think the only way they're going to be able to catch this hack on camera live is I'm going to go out into the hallway with my computer and phone. You. The camera crew cannot follow me because it'll be way too obvious to Elizabeth if you follow me. And it really shouldn't matter anyway, because it will be me on the other end of the phone call.

So you should catch the interaction from her end. Anyway, so you, the crew, must ask Elizabeth to stand in for Sharon so you can get lighting, sound, everything prepped so that when Sharon finally comes down, she can just slide into the shot, and we can get started. That way, when I start the hack, you'll be able to actually see and hear Elizabeth and be able to catch the attack in motion. Wow. The crew is like, what did we sign up for?

Ridiculous. I am so nauseated by this plan. Like, I'm so freaked out by this, because if this doesn't work and Elizabeth is like, sure, crew, I'll stand in for Sharon and immediately realizes what is happening. Then this entire shoot, all 15 members of the 60 minutes team, the lighting crew, sound, hair, makeup, everybody's here for nothing. And I will just have to basically demonstrate what I would have done.

That's not going to be fun for anyone. And now, mind you, it's like 07:00 a.m. So this feels like the crack of dawn for all of us. People haven't even. They have not even had a cup of coffee yet.

So people are like, okay, rachel, uh, sure, we'll do that. So I walk over to my hacker laptop. I announce to the room that I need to go help my team with something back home. So before we get started for the day, everyone get your coffee, whatever set up. They say, no worries.

I step out into the hallway. I've got my laptop and phone. I can't hear anything that's happening in the ballroom now where we're filming. I just have to hope that the sound and lighting crew have successfully gotten Elizabeth into the, quote, stand in position with the sound and lighting on, because otherwise, they're not going to catch this, and I'm not going to fake it for them later. It needs to be real.

So I'm just praying that this works. So I open up my voice cloning tool in the hallway. I type in my opening line into the voice cloning tool. And to be clear, this voice cloning tool, I cloned Sharon's voice. I can then type in any words, and it will spit out those words spoken in Sharon's voice.

So I type in my opening line. My opening line is, Elizabeth, sorry, need my passport number because Ukraine trip is on. Can you read that out to me? It has to be short and sweet, direct and to the point without requiring a lot of follow up, because the issue with these tools is there's a delay in me typing it into the voice cloning tool. And when it spits out the words in Sharon's voice.

I'm also holding my phone up to the computer, so there's, like, kind of a strange audio vibe going on with this phone call, and I just want to minimize it and make it happen as fast as possible. So I open up my spoofing tool on my phone. I type in Sharon's number to spoof. I type in Elizabeth's phone number to call. I hit go.

It is 100% silent. I hear Elizabeth's phone. It's audibly ringing inside of the ballroom. And I'm just hoping she, like, goes over and picks it up, right? My stomach's in knots.

I am sweating profusely. And then I hear her go, hello, sharon. Like, I hear it through my phone, and I can also hear it in the ballroom, and I'm like, oh, my God, she can hear out here. So I hit my voice cloning play button. It starts playing Sharons voice, asking for the passport number.

Elizabeth. Sorry, need my passport number because the Ukraine trip is on. Can you read that out to me? And then silence for what feels like hours. I am sick to my stomach.

My hands are shaking. This forever silence that I was experiencing was Elizabeth holding her phone in her hand, looking at the caller id during the call to ensure it really does say Sharon, because the voice sounds weird. I mean, I'm voice cloning plus spoofing so it looks like it's calling from Sharon, but it sounds kind of far away because I'm holding my phone up to the computer. Elizabeth finally responds, oh, yes, yes, yes, I do have it. Okay, ready?

It's. And then she reads out the passport number I just asked for. I'm like, let's just get off this call as soon as possible. So I say, thank you. She starts asking me questions, you know, when am I going to be down for the shoot?

Do I need anything else? And I have to. I have to deal with this delay back and forth, typing in my replies. So I'm just thrilled that by this point, I, like, siphoned out information. And I just wanted to get off this call as fast as I possibly could.

So I said, oh, I'm just coming down. And I end the call. I walk into the ballroom. Elizabeth is sitting under the lights with the mic pinned on her, and I'm like, oh, my God, it worked. All I have to do now is do the interview with Sharon and explain the mechanics of the hack to her live and make sure that Elizabeth knows that anyone would fall for this style of hack, because most people don't realize it's possible yet I wanted to make sure she didn't feel like horrible about it.

Jack Rhysider

And yeah, she did the interview and explained what just happened, how she tricked Elizabeth into giving Sharons passport number. But after listening to this story, I got really curious about this voice cloning tool and wanted to try it myself. So to clone someone's voice, you give it a bunch of audio of them talking and using some advanced AI, it will get to know that voice and whatever you type, it'll say it in their voice. I spent a few hours playing around in this tool and I cloned my voice. I think its really interesting.

Okay, I want to show you, im going to play two clips for you. I want you to listen and try to figure out which one is AI generated. Ready? Heres clip one. Hey, this is Jack Resider.

This morning I had a peanut butter and chocolate smoothie for breakfast. Okay, heres clip two. Hey, this is Jack Resider. This morning I had a peanut butter and chocolate smoothie for breakfast. Okay, punch in your votes.

Ready for me to tell you. Both clips were AI generated. In fact, what youre hearing right now is AI generated, too. I switched to having AI talk for me a few minutes back. I just type whatever I want and itll narrate it for me.

Its really wild. It even adds in breaths like this. Listen. And sometimes itll even add plosives like how the p sounds in. Nope.

Its crazy how good this sounds, huh? Okay. Okay, I'll switch back to my normal voice now. There, I'm using my real voice now. Okay.

The future is going to be weird, isn't it? Okay, so I just saw this article the other day on CNN's website, and it said there was this guy working for a company in Hong Kong who controlled the finances for that company. And he got invited to a video call with a CEO and a few other colleagues that he recognized. And he saw them on the screen, he heard their voices, and he was positive it was the CEO and his colleagues. And they were telling him there's this new deal that just finished up and they wanted him to send $25 million to another company.

So he did. But the problem was the video and the voices were all AI clones. Scammers tricked him into thinking he was on a video call with the CEO. And our future is almost surely not going to be what we think it's going to be. I have a feeling we're going to have a hard time knowing what's reality and what's fiction.

Daniel Meisler

Yeah, it's a good point. Jack, can I jump in here? Yeah. Who's this? This is Daniel Meisler.

Jack Rhysider

Oh, hey, Daniel. Yeah. What do you have to say about this? Yeah. So what I find fascinating about this whole story is that there's a very early concept in security about how do I know it's you?

Daniel Meisler

Right. And we normally don't have to worry about this with video because seeing has always been believing. And the same with hearing for audio. But now with deepfakes for both video and audio, we need a whole nother layer. So what I actually expect to see here is products coming out that are basically, like, how do I establish, like, early trust?

Like, as soon as you join a company, you'll probably establish, like, keys across, like, all of slack or across, like, all of Microsoft Teams or something. And that's like, your predetermined channel. Hmm. I think this is a good idea. If you can cryptographically sign something, then that'll prove the message or video came from you.

Jack Rhysider

So I imagine this could cut down on people falling for fakes. If it's not actually signed by the person who sent it, don't trust it initially. Getting your key would be interesting, though. You still have to prove who you are at the beginning. Right.

And one way to do that is to verify who you are in the meat space, the real world, when you're face to face and in person. And it's still a valid verification technique that you are you. But with everyone having their own cryptographic keys to prove someone is real, the threat then moves to securing the key. If someone else grabbed a key, they could make it look like you sent something when really you didn't. They just signed it using your key.

Daniel Meisler

Yeah, yeah, absolutely. We're gonna need something like that for all remote calls, essentially. Cause it's like, first of all, the AI can copy both of our voices because we have our voice out there, and that's easy to copy. But very soon, I won't know. Honestly, if this is you right now.

Jack Rhysider

On this call, I just imagine making a whole captcha network for everyone I know, right? So my dad calls me on the phone, and it says, before you can connect to this party, please solve this caPtcha. Exactly. Exactly. There's going to be some sort of challenge or predetermined key exchange.

Daniel Meisler

Yeah. Oh, my gosh. I personally am excited about our future. We are smarter than ever and more advanced than ever. And it feels like the human race is going through a cambrian explosion of sorts, with all new technologies and advancements popping off almost daily.

Jack Rhysider

We're living in the exponential era. Time will move faster from here on out and we get to witness it. We have tickets to watch the birth of Human 2.0. How special is that? Whatever comes next will surely be exciting.

A big thank you to Rachel Toback for coming on the show and sharing these stories stories with us. She wrote a free ebook on social engineering and you can find a link to it in the show notes. Besides doing social engineering for companies, she also does security awareness training and in fact she started a whole video production company where she creates fun and entertaining training videos. You can learn more about what she's doing by visiting socialproofsecurity.com. Also, thanks to Dan Meisler for giving us some insights into AI.

This episode was created by me, the Backseat rider Jack. Our editor is the gourmet sorbet Tristan Ledger mixing done by proximity sound and our intro music is by the mysterious brickmaster cylinder. How does a computer get drunk? It takes screenshots. This is Darknet diaries.