Factually! with Adam Conover - Why You’re Not Safe from Hackers with Rachel Tobac

Episode Date: September 25, 2024

Last year alone, 880,000 people fell victim to cybercrime, losing a staggering $12.5 billion. While cybercrime might seem like an unstoppable epidemic, much of it is actually preventable. The problem isn't that computers or software are too weak; it's that people are too easily fooled. This week, Adam talks with Rachel Tobac, an ethical hacker and CEO of SocialProof Security, to debunk common myths about hacking and share simple steps people can take to minimize their risk of becoming targets.

SUPPORT THE SHOW ON PATREON: https://www.patreon.com/adamconover
SEE ADAM ON TOUR: https://www.adamconover.net/tourdates/
SUBSCRIBE to and RATE Factually! on:
» Apple Podcasts: https://podcasts.apple.com/us/podcast/factually-with-adam-conover/id1463460577
» Spotify: https://open.spotify.com/show/0fK8WJw4ffMc2NWydBlDyJ
About Headgum: Headgum is an LA & NY-based podcast network creating premium podcasts with the funniest, most engaging voices in comedy to achieve one goal: Making our audience and ourselves laugh. Listen to our shows at https://www.headgum.com.
» SUBSCRIBE to Headgum: https://www.youtube.com/c/HeadGum?sub_confirmation=1
» FOLLOW us on Twitter: http://twitter.com/headgum
» FOLLOW us on Instagram: https://instagram.com/headgum/
» FOLLOW us on TikTok: https://www.tiktok.com/@headgum
» Advertise on Factually! via Gumball.fm
See Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.

Transcript
Starting point is 00:00:00 This is a HeadGum Podcast. You know, folks, we're in the middle of election season, and if you're anything like me, you've likely been pulling your hair out and lamenting, why does it feel like American democracy is unraveling before my eyes? Well, the answer is that it's the fault of our electoral system and its winner-take-all ideology. But is that really the best we can do in 2024? Spoiler, it's not. For the answer on why,
Starting point is 00:00:26 I highly recommend The Future of Our Former Democracy, the new podcast from more equitable democracy and large media. Hosts George Chung and Colin Cole dive into the fascinating history of Northern Ireland, exploring how they reformed their political system to overcome deep divides and ensure more equitable representation.
Starting point is 00:00:45 Each episode takes a closer look at why the US could learn from Ireland's journey and how a system like theirs might help us break free from the chaos of our own elections. If you're curious about how another country's experience can offer fresh ideas for our political future, check out their debut episode. So don't miss out, follow the future
Starting point is 00:01:03 of our former democracy on Apple Podcasts, Spotify, or wherever you get your podcasts. And hey, tell 'em Adam sent ya. You know, listeners of Factually know that I take health seriously. When people ask me for advice on diet, exercise, or achieving a target body weight, my first recommendation is always to consult a doctor. And that is why I'm happy to recommend today's sponsor, Mochi Health. Mochi offers safe and affordable weight loss programs that also treat that process with intelligence, care, and respect.
Starting point is 00:01:32 And Mochi provides you that support by connecting you with real doctors who can offer you real medical advice and prescribe science-backed medications like GLP-1s if you and they decide that that is what is right for you. Plus you will work hand in hand with registered dieticians to achieve sustainable results.
Starting point is 00:01:50 Whether or not you have insurance, Mochi is affordable, accessible, and offers the peace of mind that comes with using FDA-approved, science-backed medications under the guidance of real doctors. So if you are ready for a sustainable, supportive weight loss journey, visit joinmochi.com and use code FACTUALLY
Starting point is 00:02:09 to receive 40% off. That's code FACTUALLY at joinmochi.com. I don't know the truth. I don't know the way. I don't know what to think. I don't know what to say. Yeah, but that's all right. I think I don't know what to say. Yeah, but that's all right.
Starting point is 00:02:28 That's okay. I don't know anything. Hello and welcome to Factually. I'm Adam Conover. Thank you so much for joining me on the show again. On the show this week, we're talking about hacking. You know, it's easy to imagine that hackers, real hackers, are doing something super high tech. And the movies of the 90s literally trained me to think this. You know,
Starting point is 00:02:50 hackers were people who looked like they were in the Matrix, who banged out code on their keyboard until the screen changed from red to green and went boop, boop, boop, boop, and then they said, we're in. Now, this is obviously not how hacking actually works. What hackers actually do is they find the weakest point in any system and exploit it. And the weakest point is probably not some snippet of code streaming down a screen in some 1997 hacker dungeon. The weakest point in a system is probably you,
Starting point is 00:03:20 or at the very least, another human, not a piece of technology. You know, there's a famous case that the tech reporter, Mat Honan, wrote about in Wired about a decade ago. Hackers fished partial credit card info from an Amazon tech support customer service representative. And then they used that information
Starting point is 00:03:37 to contact an Apple tech support representative, and that person gave them his iCloud account and the keys to the kingdom. It wasn't a matter of computer engineering that let them in, it was social engineering figuring out what to say to the actual humans who controlled his accounts. And that is bad news, because it means that you are vulnerable to being hacked. 880,000 people were the victims of cybercrime last year, to the tune of $12.5 billion. And that is not something you can fix
Starting point is 00:04:09 with just better encryption or yet another high-tech device. Those things can help, but the real problem is people. And there is no way to make people perfect, clearly. I mean, just look at us. So what do we do? Well, we have an incredible guest on the show to talk to you about that today. But before we get into it,
Starting point is 00:04:29 I wanna remind you that if you wanna support this show and all the conversations we bring you every week, you can do so on Patreon. Head to patreon.com slash Adam Conover to chip in and get every episode of this show ad free. And big reminder, my new standup special, Unmedicated, is out now on Dropout. Head to dropout.tv to subscribe and watch it. It's a brand new hour of standup comedy.
Starting point is 00:04:52 Some of the most personal comedy I've ever done. I would love for you to see it. Dropout.tv to watch. And if you want to see me do standup on the road, I got brand new material. I'm touring all around North America. Coming up soon, I'm heading to Baltimore, Maryland, Portland, Oregon, Seattle, Washington, Denver, Colorado,
Starting point is 00:05:09 Austin, Texas, Batavia, Illinois, San Francisco, California, Toronto, Ontario, Chicago, Illinois, Boston, Massachusetts, and Providence, Rhode Island. Please come see me, AdamConover.net, for tickets and tour dates. And now, let's talk about hacking. To talk about the threats that we all face and how to protect ourselves against them,
Starting point is 00:05:27 we have the perfect guest on the show today. Rachel Tobac is an ethical hacker and the CEO of SocialProof Security. She is an absolute expert in the field. I cannot wait for you to hear this conversation. Please welcome Rachel Tobac. Rachel, thank you so much for coming on the show and welcome.
Starting point is 00:05:45 I'm excited to be here, Adam. Okay, so let's say I'm a hacker. I'm looking at the big juicy accounts of semi-famous comedian, Adam Conover. I wanna post some spam. I wanna sell people some crypto. This guy's got a TikTok, he's got a YouTube, he's got a Twitter.
Starting point is 00:06:00 How do I hack him? Please give my listeners instructions on how to hack me. Okay, yeah, I got you covered. All right, so if you're a hacker and you're listening to this, you wanna hack Adam, here's what you're gonna do. Number one, you're gonna look up what Adam's contact details are. So the very first thing you're gonna do
Starting point is 00:06:15 is you're gonna go to a data brokerage site or Google, and you're gonna type in Adam's name, and then the words phone number or email address so that you figure out how you're gonna contact Adam in the first place. Because sure, you could DM Adam, right? But you may or may not answer those. So you're much more likely to answer an email, phone call, or a text message.
Starting point is 00:06:34 We know that in the hacking space. Right now, we're seeing a huge increase in phone calls and texts, by the way. So that's probably the most likely way to be successful. Then you're going to look up what Adam's interests or dislikes are. So what is Adam like? Adam, you like Diet Coke or do you like Dr. Pepper? Right, we gotta know.
Starting point is 00:06:52 I like Diet Dr. Pepper. That's what I like too. A lot of people are talking about how this is the best diet soda. I've had it recently on Labor Day weekend. I had some, it was good. And they could listen to this podcast. They know I like Diet Dr. Pepper.
Starting point is 00:07:04 And it's not an endorsement, but I have enjoyed it. I am also a Diet Dr. Pepper enjoyer myself. So I would probably pretend to be from the Diet Dr. Pepper overarching brand and knowing these details. I haven't done any research, right? This is just from hacking you in the last 30 seconds. I pretend to be from their brand.
Starting point is 00:07:27 I'd say, hey, we heard you on the last podcast. We're emailing you because we'd love to be a sponsor. Go ahead and click here to let us know your availability to chat. And that would be a hacking link. Well, so they would pretend to be Diet Dr. Pepper. Probably. Yeah. I mean, I just hacked you in the last 30 seconds by figuring out your interests. Right. Wait, you did? Oh, yeah. OK.
Starting point is 00:07:46 Don't check your email. Don't even pick up your phone. OK, OK. OK. So they're going to pretend to be diet Dr. Pepper and they're going to seduce me with money, which works. Yeah. They're going to say, hey, Adam, we'd love to give you X number of dollars to have you give another plug for diet Dr. Pepper during your next break. Maybe you lift one up. Maybe you're taking a sip or two during a funny chat that you have with somebody. And boom, there you go.
Starting point is 00:08:06 And so that's the way that we hack people. We figure out what do they like, what do they dislike, and we pretend to be those things to you. Ah, and that works really well if you're targeting a specific person, which like people with a lot of followers, such as myself, I'm not trying to brag, but it is the world that I live in,
Starting point is 00:08:27 we are used to being specifically targeted. Does the average person need to worry about that kind of attack that gets to know them very well? Yeah, so we call that your threat model. Your threat model is the likelihood of receiving an attack. And your threat model changes based on who you are and what you do. If you've got a lot of followers, let's say you're like Adam, you've got, you know, millions
Starting point is 00:08:47 of followers across platforms, your threat model is automatically high. If you are somebody who maybe has 40,000 followers for your dog's Instagram, your threat model is also high. People like to hack those and then of course push crypto scams. If you're a person who has a private Instagram, you've got no Twitch account, you don't have hundreds of thousands or millions of followers, and maybe you've got a couple of personal pictures,
Starting point is 00:09:11 you got a cat you post about your dinners, but it's private, it's less likely that you're gonna be on an attacker's radar. Unless you're up on Twitter or some other platform talking about your cryptocurrency, then an attacker is gonna be real curious about you, like, hmm, they're bragging about having a lot of money, or they're flashing their Rolex every day.
Starting point is 00:09:28 They wanna go after somebody they believe is going to be a juicy target. They're not just gonna go after random Joe Schmoes. So what do the attackers do after they trick me, they get me to click on the link to the Diet Dr. Pepper endorsement form? What's the next step? Yeah, they'd probably try to get you to download malware. So if you have some sort of vulnerability
Starting point is 00:09:48 on your machine, let's say it's been a while since you've updated your operating system or your version. A lot of people do that, right? You get that little thing that pops up in the upper right hand corner. Hey, we're going to reset you overnight. You're like, I don't have time for this right now. You push it off for a little bit later. Well, a little bit later is now two months ago. And now the attacker has kind of reversed those changes, knows what the vulnerabilities are, and they're able to craft malware for your machine. So if you're a normal human being, like most people,
Starting point is 00:10:14 you've put that off, you've gotten known vulnerabilities in your browser or your operating system. The problem is those update dialogs, it's that seductive little button that says not now. Who can resist not now? It's gonna happen later. But I wanna update now, not now, not now, later. When is it a good time?
Starting point is 00:10:33 It's never now. Always gonna be later, it's never gonna be now. I know, it's tough because we wanna give people options. We wanna give people an out. But of course, that means that people always take the out. Yeah, but that's like saying, you know, hey, we updated the locks on your front door or, you know, I mean, the thing that OS updates have most often
Starting point is 00:10:52 is security fixes almost. That's right. Yeah. And so a lot of times, if you look in your upper right-hand corner of your browser, it says you have to update that too. And people also not now that because they're like, I got 72 tabs open. I don't want to refresh all this stuff.
Starting point is 00:11:04 Now I got to re-log in. I got to get my credentials, et cetera. I don't want to deal with it. And so I just put it off till later. Well, unfortunately, if you have a high threat model because you're in the public eye, you're a celebrity, you're an activist, or you're being harassed by folks online, well, you have a likelihood that you're going to receive
Starting point is 00:11:21 some sort of attack, whether it's over text, email, phone call, in person, something like that. Now I can imagine that, you know, hey, I'm too smart to fall for a fake Dr. Pepper who tells me to, Dr. Pepper is telling me to download an application. I'm like, I don't think Dr. Pepper needs me to download software.
Starting point is 00:11:40 I do feel that I would be too intelligent for such a thing. Maybe some of our listeners do as well. Is that a dangerous way to think that you're too smart to get scammed? I think it is, unfortunately. Now the thing is you are smart, Adam. And so there is a likelihood. Thank you. You're welcome.
Starting point is 00:11:54 There is a likelihood that you would catch a lot of these attacks, but an attacker who is persistent, we call this an advanced persistent threat, APT, in case you want to drop that fun knowledge on someone some other time. Dr. Pepper, those types of attackers, they're going to try 10 times. You're going to catch them nine times. You're not going to catch them that one time. Right? And so they're going to also be smart because remember these criminals do this for a living. They know what they're doing. They know how to trick people. So they might pretend to be
Starting point is 00:12:23 Dr. Pepper. And they might say, hey, we want you to do the sponsorship deal. Go ahead and give us your availability. It looks like a link to sign up to give availability. And boom, you're hacked there. They're not going to ask you to download an app, because that's just too much work. So they want to make it easy for you.
Starting point is 00:12:41 Another thing they might do is they might give you a call, or they might call somebody that has your data. So like an agent, an assistant, something like that, and try to get to you from there. So yeah, all the people in the room with you right now should be sweating too. It's not just you, it's the people around you, right? And so a lot of times when I'm hacking an executive
Starting point is 00:13:01 or somebody with a really high threat model, I'm not actually targeting the executive directly, I'm targeting their executive assistant. I'm targeting the person who's setting up their calendar. Right, the person who is probably a little bit younger, probably not feeling that threatened themselves because they're a little bit more anonymous than maybe the person who's being hacked, right?
Starting point is 00:13:21 So maybe their guard is down a little bit, it's not their own information and they're used to fielding incoming and maybe they get yelled at if they let an opportunity go by like, what, you let Dr. Pepper go? And so they tend to be perhaps a little bit more easy entryway. That's exactly right.
Starting point is 00:13:37 And you have to really think about what is the relationship we have to the people that we work with. If we set up a relationship where people are like, oh, I'm really nervous if I don't get back to Dr. Pepper within 30 seconds, this person's going to be mad. Well, they are in an increased position
Starting point is 00:13:53 to get attacked and tricked because their guard is already very stressed out and they feel like they have to respond to things immediately. And those are the types of folks that are the easiest to hack, which just goes to show that under capitalism, a lot of people are going to get easily tricked because we have this pressure to respond immediately. So setting up natural opportunities for people to verify identity,
Starting point is 00:14:16 including you and your whole team makes the relationship safer for everybody and more comfortable. And I'm sure that that's what you do. I've also seen, I mean, hopefully I don't, I don't think I have anybody who I work with right now who's able to get scammed on my behalf. Hopefully I do have a good relationship with anybody in the future who normally
Starting point is 00:14:36 I'm the stupid person. I'm in charge of making my own mistakes. But I've also noticed that even just the garden variety spam emails that try to scam you have gotten a lot smarter. I remember the first time I got an email that told me we have successfully charged you for, you know, a year of Norton LifeLock or whatever. I don't know why it's Norton LifeLock. It's particular. It always is. And they said we charged you for this and it's $500.
Starting point is 00:15:04 And if the charge is erroneous, please call us. And I remember the first time I got one, I had never seen one like that before. And I believed it for a second. And then I looked a little closer and I was like, this is from a weird email address, et cetera. Like it had one of the normal tells. But I was like, this is very clever
Starting point is 00:15:20 because if you are frightened by that, it makes you, it like triggers your loss aversion. Oh no, I'm gonna lose money. And instead of being the recipient of the scam, you are gonna be then active and call the number and say, no, no, no, no, no. I'm gonna get to the bottom of this because you don't think you're getting scammed.
Starting point is 00:15:38 You think you are stopping a scam. You think a sleazy company billed you by accident and now you have to call and yell at them and it puts you in a completely different frame of mind. And I'm sure you tell me, but I'm sure as soon as you call this number, the first thing they say is, okay, just give me your credit card number
Starting point is 00:15:52 so I can refund the charges or whatever it is, right? That's exactly right. So when we're hacking, there are two scenarios that we tend to set up. They all boil down to these two. Either I'm helping you or you're helping me. That's it. I'm helping you or you're helping me.
Starting point is 00:16:10 So that scenario that you just mentioned of Norton, quote unquote, of course the attacker, saying, hey, we charge you 500 bucks. If this seems wrong, give us a call. They are helping you, right? They're trying to show that they are helping you and you're saying, nope, thank you for the support. Thank you for letting me know we got this wrong. Let's correct it immediately. And so oftentimes we'll pretend to be from your bank. So let's say you
Starting point is 00:16:35 use Wells Fargo or Chase. I don't actually know. I haven't hacked you. I'm not going to because you haven't given me your consent and I'm an ethical hacker. But let's say you use one of those. You would get a phone call and they would pick the I'm helping Adam scenario. They say, hey, we're with loss prevention. We see there's a charge in Illinois for 500 bucks at Best Buy. Is this you? And you say, no, that's not me. And they say, okay, well, to verify your identity, go ahead and read off that code that we just texted you. Well, what's happening there? What's happening is they already got your password that's reused from another data breach.
Starting point is 00:17:08 They're logging in as you. And that code that they just said to verify your identity to help you is to steal your multifactor authentication code. And this is one of the number one reasons why people lose access to their bank account and funds. And once it's gone, it's gone. They're logging in simultaneously
Starting point is 00:17:25 and the code was actually sent to your phone because it's a two factor authentication code and they're asking you to read it back. Which is why so many of those messages now come and say, no one will ask you for this code or whatever over the phone. I also have to say one of the reasons this is so successful is we do sometimes receive phone calls like this.
Starting point is 00:17:45 I remember just a couple years ago, I got a call from, hey, this is fraud prevention services. We detected a thing and yada yada. And I was like, well, how do I know you're actually from my bank? Because it was an incoming call. And they were like, well, we are from your bank, or we're not, we're Fraud Protection Services,
Starting point is 00:18:05 we're a different company. And I was like, well, can I call my bank back? And like, you know, can we hang up? Can I call the bank? And they said, no, because we're not actually the bank we're this different company. And it was legit, but I had already had my sort of,
Starting point is 00:18:18 you know, antenna up because I'd received an incoming call knowing that like that's a reason to be suspicious because I didn't initiate it myself. And so like how much are these you know are the companies that we're interacting with to blame for not having good security practices themselves? Yeah, this is really interesting. A lot of the times the reason why people are so easily hacked is because the real interactions they have with the real companies are so hackery. Yeah. You got a real call that sounded just like a scam.
Starting point is 00:18:52 How could this possibly be real? And then it ends up being real. I always just tell people call whoever it is back at the known trusted number. So for your bank, it'd be the number on the back of your credit card. That's what I tried to do, but it was a different, that's what I was saying.
Starting point is 00:19:05 It was like not- That's wild. Yeah, that's my memory. That's wild, but that's real. It was a couple of years ago, but that was my memory. Maybe that was me calling you, Adam. We don't know. Folks, our partner for this week's episode is Delete Me. It's a service I have been using for ages and I am so excited to tell you about it.
Starting point is 00:19:24 How much of your personal info do you think is floating around online? Maybe you've got a public social media profile or an email out there, but that's it, right? Wrong. There is actually a mountain of your personal data being bought, sold and traded by data brokers. Stuff you never meant to be public,
Starting point is 00:19:41 like your home address, phone number, and even the names of your relatives. Anyone with an internet connection and some bad intent can dig up everything they need to make your life miserable. Recently, we've seen an uptick in online harassment, identity theft, and even real life stalking, all because of this easily accessible information.
Starting point is 00:19:59 You know, a couple of years back, I became a target of harassment for people who found my details online. So I signed up for Delete Me, and honestly, it is one of the best choices I've ever made. Their team of experts works tirelessly to hunt down our information, remove it, and keep it gone. You, your family, and your loved ones
Starting point is 00:20:16 deserve to feel safe from this kind of invasion of privacy. So do yourself a favor, check out Delete Me, not just for your security, but for your friends and family too. And guess what? You can get 20% off your DeleteMe plan when you go to joindeleteme.com slash Adam and use promo code Adam at checkout. That's joindeleteme.com slash Adam, promo code Adam. So in video games, there's this thing called min-maxing. I'll spare you the technical definition, but it's all about putting your effort in the right place to get the optimal results.
Starting point is 00:20:46 Well, you know, I found that kind of thinking helpful in real life too. I used to think of shopping for groceries, picking up dog treats, researching products that are gluten-free for my partner, and being mindful of taking care of my health as separate, discrete tasks. But when I realized that I could get all of these done
Starting point is 00:21:01 just by shopping at Thrive Market, it felt like I'd found a way to game the system. Now I do all of my grocery essential shopping with Thrive Market. I get my Jovial gluten-free pasta for my partner, Shameless Pets dog treats for my dog, all the health conscious goodies I like to enjoy for myself, and I have them delivered straight to my doorstep.
Starting point is 00:21:19 And as a Thrive Market member, I save money on every single grocery order. On average, I save over 30% every time. They even have a deals page that changes daily and always has some of my favorite brands. Best of all, when you join Thrive Market, you are also helping a family in need with their one-for-one membership matching program. You join, they give. So join in on the savings with Thrive Market today and get 30% off your first order plus
Starting point is 00:21:44 a free $60 gift, go to thrivemarket.com slash factually for 30% off your first order plus a free $60 gift. That's T H R I V E market.com slash factually. Also in terms of these companies, like, how common is it for the customer service person to get socially engineered in this manner, you know, to get your information not from you, not from your assistant, but from the company itself? Yeah. So I think what you're referring to is the customer service agent picks up the phone,
Starting point is 00:22:18 right? And I say, hi, this is Adam. I need to change my email address and phone number on the account. I'm trying to take over your account by calling them, right? Well, it's so easy to do. I can very easily do what we call spoofing, make my caller ID look like it's calling from a number that it's not.
Starting point is 00:22:34 All I need is an app available on the app store. It costs less than a dollar per call. And I can go ahead and show your phone number, which again, I can find on Google or through a data brokerage site, which is why I recommend taking those details down. And I can pretend to be you, I can call them, and a lot of times, think about how they verify your identity. Think about the last time you called support, what did they ask you? Mother's maiden name, date of birth, address you grew up at,
Starting point is 00:23:00 last four digits of social. And unfortunately, a lot of that stuff is available on data brokerage sites, or it's available in a breach. And so I can verify through what we call knowledge-based authentication, KBA, the answers to questions like, mother's maiden name, last four digits of social, to get into your account. This is why I recommend that it's really important
Starting point is 00:23:20 that all the details that you can take down off the internet do so, because it makes it way more obnoxious for me to target you as an attacker. Yeah, I mean, when I see those questions on a site where it's, you know, it's some bit of personal information, they all seem totally flawed to me. Like, there's mother's maiden name, or address,
Starting point is 00:23:40 or first job you had, that could all be publicly available information. Then there's like childhood, there's like preference-based ones, like childhood best friend or what's your favorite brand of whatever, which could be available, but also it could change over time.
Starting point is 00:23:58 And then there's some just have like completely bizarre, I remember like, I remember, I believe it was united.com. I was creating an account there once and their questions were like, what is your favorite sea creature? And then it was multiple choice. And it was like, there were a hundred different sea creatures.
Starting point is 00:24:15 So it was like sea urchin, abalone, dolphin. And I ended up choosing like favorite sea creature, abalone. I would say it, I would say it. I don't give a shit about my United account, that's not my main airline, and I'm not gonna tell you which one is. But it was also like, who is your,
Starting point is 00:24:33 what is your favorite, oh no, I'm sorry, it was, what is your favorite thing to read? And then the choices were like books, newspapers, magazines, or websites. And I was like, how would I even remember what I put? Like websites is the weirdest answer to that, that oh, I enjoy reading websites. But that's a bizarre, like what security professional
Starting point is 00:24:54 designed this quiz? It was like a bad Buzzfeed quiz. I love a good website myself. I love reading websites, but I just don't think I would put that as one of the questions. Yeah, that's a problem, right? KBA, knowledge-based authentication, is just inherently easy to crack because there's a few options. You can sometimes guess them right, or you can figure that out. There's someone's Facebook, Instagram, LinkedIn. A lot of times people are putting quotes up on their Instagram and it's from a specific book. And of course, I know that's their favorite book,
Starting point is 00:25:23 and I can answer that security question, right? So it's just, it's one of those things where I recommend people move towards MFA, multi-factor authentication, like a code to your email or phone, rather than KBA, like mother's maiden name, email address, your most recent address that you lived at, which I can easily find for you online.
Starting point is 00:25:42 And is multi-factor authentication really that powerfully secure? Because a lot of times, you know, it seems very rote. You hit the thing, it sends to your text. Like, at this point, Mac OS does it all for me. You know, it just automatically fills the thing in. Like, it sort of seems like the edges have been so smoothed off of that experience that, I don't know, it doesn't give me the same halo of security
Starting point is 00:26:07 that it used to. What do you think? Yes, so we know that SMS-based multifactor authentication, like that code that comes to your text message, we know that that prevents the majority of attacks. So unless you've got somebody who's really gunning for you and they wanna do what we call a SIM swap, where they contact your telco pretending to be you, gain
Starting point is 00:26:29 access to your phone number, and in turn gain access to those codes, it's going to be hard for that to be hacked. So about 75% of attacks are going to be blocked through your SMS two factor. That's pretty good. Now it's not the best of the best. I'll keep telling you more. The best of the best is going through like app-based multi-factor authentication or something like a FIDO2 solution. I'll get there in a second because it's a little technical. So something like your app-based solution will be like,
Starting point is 00:26:56 you've probably seen Duo or Google Authenticator or Microsoft Authenticator, where you go to an app and you get a code and you have to type that in. That's gonna be a little bit harder to hack because I can't just contact your telephone provider, pretend I'm you, and then siphon out all of those codes of my own. I actually have to trick you
Starting point is 00:27:14 into providing the codes for me, which is something that I can do, but it's a little more, it's a little harder to do because I have to actually trick a person like you who might be a little bit more savvy than somebody who doesn't exactly know what I'm trying to do with the sim swap. Then from there, I could go towards something like your FIDO2 solution, which is almost
Starting point is 00:27:36 impossible to hack. A FIDO2 solution is something like a hardware security key or a passkey. This is something that is really, really hard for me to steal. I have to be with you in person, basically stealing from you, robbing you. That's not how most cybercriminals are. They don't want to punch you in the face and steal your keys with a YubiKey on it. They want to hack from far away from another nation, or they want to be in Florida while you're in LA. They don't want to do that. They don't wanna do actual battery. So we have to recognize that that threat is way, way lower and in turn much safer if you use something
Starting point is 00:28:10 like a FIDO security key. What does FIDO stand for? I think it stands for Physical Identification Over Two Factor. Physical, well, it's an F. Let me actually get the, I'm gonna look it up for you because I don't actually know it and I don't wanna make something up. FIDO2 stands for what?
Starting point is 00:28:27 Here we go. Fast identity online. Oh, okay. That sucks. Okay. That's, I'm sorry. What? Fast identity online. Is it 1998?
Starting point is 00:28:39 Like, what is this? Maybe that's when it was created. Fast identity, oh wow, it's online. Wow, very, very high tech. Let's come up with something better. So FIDO stands for, now that I know it's fast identity online too. Well, here's my problem with these solutions though,
Starting point is 00:29:00 is like I use that form of two factor, the one time password that is made by an application that I have. I use 1Password. I've been using it for years. It's very effective, but it's difficult to get the one time password set up. Like I log into, I create an account on a new service and it says, OK, create a one time password. Open your Google Authenticator. They always tell me to use Google Authenticator.
Starting point is 00:29:26 I have never used Google Authenticator. I don't even know how to get Google Authenticator. I don't use Google products. So I have to know that when they say Google Authenticator, it means 1Password. And then it usually wants me to like scan a QR code, but not with my phone. It's like, I open 1Password and 1Password
Starting point is 00:29:44 can scan the QR code in a separate window and then it creates it and then it wants me to test it out. And this is something I can do because I've been, you know, using computers at a sort of high, relatively high level since I was like 15 years old. I would not, you know, ask my grandmother to do this, right? Or frankly, a lot of my friends. And so that's, there's a lot to ask of people
Starting point is 00:30:06 to get this, to get the best form of security, right? Let alone having a hardware key. Like I know that that is the best form of security. I haven't even looked into how to do that. Yeah, it does take a level of digital literacy to be able to accomplish, especially what you're doing where you don't use the standard kind of Google Authenticator, Microsoft or Duo, and you're moving towards something
Starting point is 00:30:24 in 1Password, where some people are like, I don't know how to get there because it's not the thing that the app is telling me to do. Yeah. So when you've got folks who don't feel comfortable with the digital tools that are being requested of them, I just recommend people use the tool that's gonna protect most people,
Starting point is 00:30:41 especially if their threat model isn't high. So if you've got a friend who's like, listen, I don't have time for any of that. I just want to try and be as secure as I can without extra work. SMS two factor for the majority of the population, your grandma, your friend who does van life and goes on the internet once a week,
Starting point is 00:30:56 when they get access in a coffee shop, they don't need to worry about all this. Just do SMS two factor. I am all about harm reduction. So making sure that people have access to the tools and digital literacy that matches their digital literacy, as opposed to telling everyone that a one size fits all solution makes sense. Cause it doesn't.
Starting point is 00:31:13 I would not recommend your grandma get a YubiKey. I don't. I recommend that most people who have high threat models do have a digital literacy to support it. But this is a problem though, because I've read that, you know, SMS two factor covers a lot of people, but it is not the most secure option, but there is this literacy problem. And so now there are other solutions as well for logging in,
Starting point is 00:31:35 which have made the entire logging in process feel more chaotic because now there's so many different ways to do it. There's logging in via like Apple ID kind of thing. Like you go and- Passkeys. Passkeys, okay. Oh, is that a form of passkey
Starting point is 00:31:49 when it says log in via your Apple ID? Well, so the thing is, I don't know exactly what it is you're seeing. So I don't wanna tell you it's a passkey when it's not. When it's not a passkey. Sometimes you're gonna see something that allows you to log in with another form of authentication.
Starting point is 00:32:04 And right now they are seeing that there's a big increase in passkeys being used on consumer grade sites. So I think what you're referring to is a passkey and that's great. That is a FIDO2 solution. It's much harder to hack. So that's great. But I don't know if that's what you're referring to. That could also be someone trying to steal your password and your Apple ID.
Starting point is 00:32:22 Oh, wait, hold on a second. I go to a website and it says create an account and it's like, you can either log, you can either create, you can put in a username or password or you can just click with your Apple ID. It'll do like, you know, you'll do Touch ID on your Mac or Face ID on your iPhone. That's a passkey. Okay. Okay.
Starting point is 00:32:43 We like that, Adam. Don't think you're getting hacked with that. Okay, good. Got it. Okay, that's good to know. So that is more effective than these other solutions, that form of login. It is. It's much harder to hack.
Starting point is 00:32:57 And so most people, if they have a long random unique password to secure their Apple ID and they've got multi-factor authentication on there and it's hard to gain access to that. It's going to be really cool because it ties it to your device, the device you already trust. It feels natural to show your face ID.
Starting point is 00:33:12 It's something you already understand and don't have to really think about. Right? So it's like a lot easier for people to get a higher standard of security without having to think about what are you talking about? What app I have to download? Where I have to scan? But it's still, okay, it still has this problem where we've created this immense usability and security problem for people, because I think about it going, all right,
Starting point is 00:33:36 if I log, I start logging in everything with my Apple ID. Well, that's fine. Now my Apple ID is the linchpin for all these other accounts. And so now that password becomes even more important. And so now I have to trust that Apple is going to do a good job, not allow their customer service to be socially engineered, not have a big data breach. And you know what?
Starting point is 00:33:56 Apple, I would say, I don't trust any company, but out of all of the companies, their privacy records a little, you know, it's better than fucking Google, right? Apple's pretty solid. I think you can definitely trust that, yeah. I mean, Apple is bigger than most countries. So like, if you're gonna trust somebody, you might as well trust Apple, except that it means that Apple is more and more
Starting point is 00:34:14 of an attack, whatever target. And then also it makes my Apple ID password all the more important to me, that I keep that safe. And so then I keep, I don't have that memorized because it's a random string of digits. I have that in my 1Password, which like I have to remember the password of that. And then I have the little printed out like emergency kit
Starting point is 00:34:37 that they tell you to print out. And I like keep it in a safe and secure place in my home. And so there's like these levels of password that are all stacked on top of each other. And like this is a huge amount to ask of people just for the privilege of interacting with the internet, which is something that we all have to do now. Like you cannot go through life
Starting point is 00:34:58 without having a couple dozen accounts in different places just to pay your fucking utility bill. So is this not like, you know, too much to ask of people in a way? I would say it's a lot to ask of people, which is why security is so challenging for your everyday person. They just feel like it's unfair.
Starting point is 00:35:17 They feel confused. They don't have an IT person in their house. Most people don't to say, here's how to do it. Here's how to set up your password manager. They don't even know what a password manager is. So the fact that you have a password manager, you understand MFA, you're already in that huge digital literacy position.
Starting point is 00:35:34 And a lot of people just don't have access to that knowledge. So yeah, I think we're gonna need some pretty intense PSAs, which is something cool that I think CISA is doing. CISA is- SZA the R&B singer? No. She killed her boyfriend in a song.
Starting point is 00:35:49 That was, she's not a very secure individual, frankly. SZA is not, she was talking about killing people. She's not the person who is in charge of talking about password manager PSAs. Okay. I'm talking about CISA, C-I-S-A, like the Department of Homeland Security. Okay, okay, okay, got it.
Starting point is 00:36:07 So I didn't know that they were making music, but that's fine, go on, please. It's so funny that you say that because they actually have been making music videos. I'm not joking. You can enter that in right here and it'll be a very good not joking. Okay, well, SZA and CISA should do like a collab. They should like guest on each other's tracks
Starting point is 00:36:23 or something like that, you know? That's genius. It'll help people pronounce CISA correctly too. But I mean, PSAs are like, that's, I don't know, isn't that kind of a half ass thing you do when you've already made something that's too difficult to use? You know what I mean? Like that's how you cover your ass after you've already created a problem, you know?
Starting point is 00:36:48 It's one of those things that we can't blame the problem on any one entity. Basically, the internet was started. Everybody was using AOL. It was kind of non-complex at that time, right? We all understood it was a series of tubes. We understood that. That's how the internet worked. Then from there, it was in your pocket with your iPhone, and now you have apps,
Starting point is 00:37:05 and you have the ability to log in with your face, and it's just kind of gotten bloated over time. So we can't blame any one organization, entity, company. It's just expanded with the way that the internet expanded. So we have to try and address it as best we can. And unfortunately, as human beings, the best we can is PSAs. Well, it's also created a,
Starting point is 00:37:25 we rely on our accounts and on the internet and on our devices to do so much now. Like, you know, half the time that I pay for something, I'm doing it with my phone. I was at the airport and there's a trial program to put your ID on your phone, your California state driver's license. And I can imagine a world where, you know,
Starting point is 00:37:46 10 years from now, the majority of business travelers, like, I don't even bring my wallet. I just like, you know, do my ID. That's how I get through the TSA checkpoint is, you know, I do it using Apple Pay, right? And so we're loading more and more of our lives into these devices, which makes them bigger and bigger targets,
Starting point is 00:38:06 and they get more and more complex as you say. I think honestly what that tends towards is it makes the large players even more powerful. Like Apple's whole emphasis, if you look at them over the last five, 10 years, their emphasis has been on privacy and security. They're the private option. You can debate to what extent they are,
Starting point is 00:38:26 but they've clearly taken that approach because they are responsible for so much. They're like, okay, we need to like lock it all down. You know, like that is our new approaches. Everything is locked down. Even if the feds get your iPhone, they're not gonna be able to read what's on it. That's how much we're encrypting everything.
Starting point is 00:38:43 Which is okay, that's good as a solution to this immediate problem, but then the overall result is that this one company ends up massively powerful, right? I am so locked into the Apple ecosystem to keep all of my important shit safe that now I'm sort of stuck with them, right? Like the openness of the internet starts to break down
Starting point is 00:39:04 in the face of the security threats, you know? Does that trajectory track to you? I feel like a lot of people feel the same way. You know, they feel locked into specific providers, they feel locked in with specific tool sets or something like Apple or a specific telco provider who has a lot of control over our digital identity and preventing fraud.
Starting point is 00:39:22 So yeah, I don't blame you. I think that's a very normal feeling. In terms of how much data the average person has out there, I just saw some report that like a couple billion records were leaked from a, what was it? It was a major organization that had like tons of people's social security numbers and et cetera. You know the story I'm talking about?
Starting point is 00:39:43 Can you tell me the details because I'm misremembering them? Yeah, no worries. We actually don't know a lot of the details. So a lot of it is. Yeah, a lot of it is questioned on the internet because there's so many billion lines of data that were leaked.
Starting point is 00:39:58 People are like, are these the social security numbers of dead people? What's happening here? Are you breaking out address into a separate line? And that's why there's like 10 records per alive person. I don't think we know every single thing about this breach yet, but we do know that the social security numbers of many Americans, if not most, were unfortunately found online. So it's scary, right? The tools that we use to verify identity really shouldn't be used like that anymore. That's why I recommend even something like your last four digits of your social
Starting point is 00:40:27 or even your full social really shouldn't be used to verify identity. It should be something like multifactor authentication instead. Anything that you know is essentially KBA, knowledge-based authentication, and easily hacked. Yeah, it seems like we are living in a world now where so much data is just loose out there. Is it even worth worrying about the data? I mean, if everyone's social security number
Starting point is 00:40:49 is already on the internet, right? That's like, was 15 years ago, that was like the one piece of data you didn't want out there. Your social security number, oh, that's very, very frightening. But like, now if someone asks me for my social security number,
Starting point is 00:41:02 should I just be like, you know it already. Like, whatever scammer, go get it yourself. Why are you even asking me? Yeah, there is some barrier to entry where it can be hard to find some of these data breaches. And to be clear, the dark web isn't super easy to search. It's not like the regular clear net internet where you can go on Google
Starting point is 00:41:20 and find somebody's email address or phone number, right? It can be really cumbersome to try and find. And also, this stuff gets taken down, it gets moved, the feds try and take it down. So it's tough to find, it is out there. It doesn't mean that we should be nihilistic about it, though, so I wouldn't go around anybody who's asking you for your social security number,
Starting point is 00:41:40 handing it to them on a piece of paper. But it sort of goes to show that at this point, there's so much data that people have out there that anybody can be a target of this kind of attack. Like a dedicated person can find you and find your information. Yeah, I would say that with the right timing and the right pretext,
Starting point is 00:41:59 which is who we're pretending to be, anyone could be tricked, including a security professional. So it's one of those things where we just have to layer a lot of different steps together to stay safe. I'm sure we'll get into all of my takeaways, but I'm not gonna get into them yet. Have you ever been tricked?
Starting point is 00:42:12 People try, they try all the time. They try to convince me over email, they try to trick me over the phone. I got a text the other day that was so annoying. I mean, yeah, I mean, everybody gets those types of phishing messages. What's the most you've ever been tricked or what's the most interesting trick
Starting point is 00:42:27 someone tried to pull on you? People are always trying to get my address. They're trying to figure out what my email address is. They'll send me an email and it has like 45 different email addresses in the send bar because they're typing in every single email address they think could potentially be my email address. I'm like, just relax, just DM me on Twitter,
Starting point is 00:42:44 I'll answer you. In terms of the industry of hacking, right? Like who is doing this and why? I'm sure there's a lot of different reasons, but like, you know, how large is this problem
Starting point is 00:43:02 and who's doing it? There are so many different types of cyber criminals, but the one that I find the most interesting, and it's actually the most common right now that we see in the news, is a lone wolf young person. We're talking 17-year-old from Florida, 16-year-old from the UK. The Twitter hacker, the Uber hacker was,
Starting point is 00:43:21 I think both were 17-year-old boys. So we've got a lot of minors who are out there thinking, hey, I'm not 18 yet, it's not gonna be that big of a deal, it's not gonna stand on my permanent record, I'll go ahead and try and hack a company for clout. And it's interesting because a lot of the times these, people we think of nation state actors, right? We're like, oh, was this North Korea doing this?
Starting point is 00:43:41 No, it was a 17-year-old in Florida who was bored. They wanted to feel cool. They wanted to talk to their friends on Telegram or on a forum and say, I did it. It's really that simple. Honestly, sometimes we're lucky that it's those people who are actually the ones that are successful and that are in the news. Because if it was not a 17-year-old from Florida trying to gain access to the DMs of former president Barack Obama, we'd probably have bigger problems on our hands. But it's just a 17-year-old who's bored, wants clout,
Starting point is 00:44:10 and tries to push a crypto scam and makes $150,000 and then goes to jail for the rest of his life. I mean, I don't know what to tell you. It's the same thing over and over again. Wow. I mean, I understand when you're that age, it's like that, you know, any lock looks like it would be interesting to pick.
Starting point is 00:44:25 So a lot of them are just doing it for fun? Or how much are we, how do we tell the difference between somebody's doing it for fun and an actual online crime ring of some sort? Because that must exist as well. Oh, 100%. I mean, you've got your ransomware gangs, essentially. You think about how crime works on the street, right?
Starting point is 00:44:45 You've got gangs, then you got lone wolves who just wanna punch you in the face to take your phone. There's all different types of criminals and that exists online as well. So yeah, your ransomware gangs, oftentimes they're funded by nation states and they're very capable. And you don't know that they're in there
Starting point is 00:44:59 until they brag about it and tell you, that's the thing. Ransomware gangs funded by nation states. Nation states such as, are there examples of this? Because you hear about it, but it often seems a little bit difficult to trace back to the source, right? Yeah, attribution's really hard, but sometimes they'll brag and say, we're from Russia or we're from North Korea.
Starting point is 00:45:18 So we sometimes take them at face value. But I remember, okay, this was like 10 years ago now, but the Sony hack, where Sony Pictures was hacked by a group that claimed to be associated with North Korea and they were mad about the Seth Rogen movie about Kim Jong-un, right? But at the time, I saw a lot of skepticism about whether this was actually North Korea
Starting point is 00:45:42 because they were writing a lot of like, you know, we revere the great leader in like English, you know, in a way that like you would think an American would maybe like, you know, just like pretend to be a North Korean. And then also they were like releasing all of Sony executive Amy Pascal's emails with George Clooney, which like,
Starting point is 00:46:00 if you're North Korea, why do you give a shit? You know, like it was, it seems to be taken at face value that yes, of course, North Korea hacked Sony because they were mad about a movie. Until you thought about it, you're like, wait, is that what happened or was somebody using that as a cover to have fun or what? I don't even remember how that story ended,
Starting point is 00:46:19 but it's like to the point that attribution is difficult, right? Attribution is one of the hardest problems we have in cybersecurity. We can do our very best guess. We can do as much forensics as we can. And we, a lot of times get really close
Starting point is 00:46:31 to being a hundred percent sure, but still, I mean, plausible deniability exists. Someone pretending to be from North Korea is possible, but yeah, it's a really hard problem to solve. Or North Korea paying some group of people who are then, you know, but they're not North Koreans. They're maybe they're freelancing a little bit. Like it can be murky, like what actually happened. That happens all the time.
Starting point is 00:46:54 I mean, we just have a new story that's going live this past week about Russia paying some influencers in the U.S. I think it was with Tenet Media and they were paying them hundreds of thousands or millions of dollars to kind of push specific talking points. So yeah, sometimes it's very hard to follow the money, and people claim they didn't even know
Starting point is 00:47:10 that they were a part of this specific propaganda campaign. Now, whether or not they knew or didn't know, that's not for me to answer, but I guess the feds will find out. Yeah, very fascinating. And you know, by the way, we just did an episode a couple of weeks ago about foreign influence
Starting point is 00:47:25 on American government and how big of an industry that is. So of course you can imagine some of it's clandestine. And then that's not even to talk about the stuff that is actually happening secretly like the espionage side of it, which is probably even deeper. Like I can only imagine what like, I don't know, the CIA and the NSA are doing to their counterparts
Starting point is 00:47:44 and vice versa to try to like, you know, the real deep, like actual spy shit. But this also happens on a more trivial level, right? Like you always read about hospitals being held ransom, which is, you know, probably, not a lot of people would think that, you know, a local school district would need to be worried about,
Starting point is 00:48:03 you know, a ransomware attack, or would need to have really high security, but those become targets as well, yes? Yeah, absolutely. Unfortunately, attackers have learned that those targets are softer, so they go after a hospital or a school district or a therapist's office and threaten to release notes based on those therapy clients. They go after the places that they believe don't have enough security to secure their actual infrastructure and have such sensitive data,
Starting point is 00:48:29 whether it's about students, their health, their learning, or patients that they think that the ransom will be paid. And oftentimes, even when you pay the ransom, they still release the data anyway. That's a thing. You don't have any sort of guarantee. It's kind of like negotiating with a terrorist.
Starting point is 00:48:46 That's really wild. Is this something that they have gotten any better at recently? Or, I mean, have we succeeded in, you know, making these places harder targets at all? I wish I could say yes. I mean, I'm an optimist at heart, but I want to be honest with you. No, we see ransomware increase year after year, typically.
Starting point is 00:49:06 So these attackers, they recognize that they have some soft targets. They try to go after them. There's millions upon millions of these soft targets. And so they don't really need to change their playbook until people wise up and change their infrastructure. So no, I mean, they're still quite successful quite frequently.
Starting point is 00:49:22 [♪ upbeat music playing ♪] Folks, today's episode is brought to you by Alma. Look, life is full of challenges. Even the best of us can feel bogged down by anxiety, relationship issues, or the weight of major life transitions. And going it alone is not really a great strategy. I cannot recommend it as someone who's tried a little bit too much to do so. What I can recommend is finding someone who truly understands what you're going through
Starting point is 00:49:48 to help you through your tough times. And if you're thinking about getting some licensed expert help to navigate your own challenges, I really recommend giving Alma a try. Therapy can be an incredibly effective tool to help you get through your day to day. But you know what? I know from personal experience that it is so much more effective when you find someone who feels like they are truly hearing and understanding you.
Starting point is 00:50:10 Getting help is not just about having any therapist. It's about finding the right therapist for you. And that is exactly what Alma helps you do. You can easily browse their directory and filter to find a caring person who fits your needs with preferences like gender, sexuality, faith, and more. Alma is also designed to help you find a therapist
Starting point is 00:50:29 who accepts your insurance. Over 95% of therapists at Alma take insurance, including Aetna, Cigna, UnitedHealthcare, and others. People who find in-network care through Alma save an average of 77% on the cost of therapy. And getting started is effortless because you can browse the directory without having to create an account
Starting point is 00:50:49 or share any payment information. Plus, you can book a free 15 minute consultation call with any therapist you're interested in. It's a perfect way to see if they're the right fit for you so you can find someone you really click with. Alma can help you find the right therapist for you, not just anyone. So if you want to get started on your therapy journey,
Starting point is 00:51:08 visit helloalma.com slash factually to get started and schedule a free consultation today. That's helloalma.com slash factually. Did you know that learning actually makes a sound? It's true, listen. That's the sound of you mastering a new language with Babbel. Learning a new language can be one of the toughest
Starting point is 00:51:29 yet most rewarding challenges out there. So if you're ready to dive in, make sure you're using the right tools to get the job done. From minute one, Babbel is concerned with helping you get out there and put a new language into practice in the real world. I mean, I've lived in LA for years and a great deal of the population here speaks Spanish.
Starting point is 00:51:47 So starting Spanish with Babbel has been rewarding to me in ways I didn't even anticipate. I'm excited to learn more to see what else it opens up for me, and that is just my experience. But studies from Yale, Michigan State University, and others have shown that Babbel is effective. One study even found that using Babbel for 15 hours is equivalent to a full semester of a college language course. And guess what? Here's a special, limited time deal for Factually listeners. Right now you can get up to 60% off your Babbel subscription,
Starting point is 00:52:16 but only for our listeners at babbel.com slash factually. Get up to 60% off at babbel.com slash factually. That's spelled B-A-B-B-E-L dot com slash factually. Rules and restrictions may apply. When we're talking about social engineering, something that strikes me is that, you know, I'm very critical of AI technology on this show and the way that it's been marketed.
Starting point is 00:52:41 One of the things that it can do is, you know, give people the ability to mimic a particular piece of content, whether an image or a sound, pretty effectively. If you look at, you know, the software that now allows people to do vocal mimicry, things like that, it makes me wonder how effective, you know, that will be at scams in the future. I remember a couple of years ago,
Starting point is 00:53:04 my grandmother who has now passed away, so I won't embarrass her by telling this story, but she was called by a scammer who pretended to be me, said that I had gotten in an accident and needed her to wire me some money and had some details about me. And look, she was in her late 80s, early 90s at this point. I'm sure they didn't need anything high tech.
Starting point is 00:53:25 They just sort of made their voice sound a little weird because they were crying and had a detail or two that helped. And she drove to a Western Union and wired them money. And that, and you know, it was horrible. It was very distressing to find out about. She did it out of love for me, right? She was embarrassed. It luckily wasn't a life-changing amount of money.
Starting point is 00:53:43 It was a small time scam. But, you know, that sort of thing, I would imagine could be done even more effectively now if you look at how much of my voice is available out there, right? Yeah. That someone could do a voice print on if they wanted to. So how much is that an issue of concern?
Starting point is 00:54:02 It is an issue of concern. First of all, I'm sorry that you dealt with that because that sucks. I was on 60 Minutes talking about that specific attack last year and I did a voice clone demo using an AI tool and hacked Sharon Alfonsi through her assistant by pretending to be Sharon. So all I need is about 1.5 to two minutes of your voice
Starting point is 00:54:22 and you've got hours upon hours out there to create a good vocal clone. So unfortunately we are seeing scammers get a little more savvy with their AI tools. They are uploading people's voices, they're sounding quite distressed in your actual cadence, tone, timbre, as opposed to before just sounding hysterical.
Starting point is 00:54:41 Somebody's calling on your behalf and it's a little harder to see if it's really that person. Now, there's a lot of my voice out there, but it's all me doing my podcast voice, which is very shouty. I really project. And so I think if they tried to use this on any of my relatives now, they'd be like,
Starting point is 00:54:55 the call would be like, Mom, I need you to wire $500. They'd be like, why is Adam sounding so up? Like, he's really, he has a lot of energy when he's upset. What's your normal voice sound like? I'm not gonna do that. I'm not gonna do that. It is very much sort of the thing from Sneakers, right? My passport, my voice, my passport. I mean, that was
Starting point is 00:55:24 one of the better hacking movies ever made. But yeah, I mean, in terms of like deep fakes, you often hear people talk about them and, oh, Trump uploaded a deep fake of Kamala or whatever. Right. I don't know. That is what it is like. Whether or not that's a big issue in the election,
Starting point is 00:55:44 that seems to me to be a smaller issue than the pettier use of this kind of technology. Is that, do you feel that way? I think it's both, unfortunately. We have a lot of folks who struggle with their digital literacy around AI deepfakes on social media. So we're seeing deepfake pictures, videos, audio
Starting point is 00:56:03 that is trying to influence the election, such as a robocall that sounds like it's coming from a candidate telling you that your election or polling location has changed and to not vote that day, to vote a different day. Those types of attacks are unfortunately quite effective because it really sounds like it's coming from that candidate. People don't know better. Maybe they're older. Maybe they're not familiar with these types of attacks and they believe it and they don't exercise their right to vote. Or they hear a candidate's video talking about
Starting point is 00:56:30 something that they've never said before, and they think, well, I don't agree with that, I'm not voting for them. When in reality, that's fake, it's not real. So the concept of fake news isn't new, but it has evolved and become more believable, and unfortunately people are falling for it. Now it's less likely that you or I would,
Starting point is 00:56:47 folks in our age range and group aren't falling for it as much, but folks that are older than us, we're definitely seeing fall for these deep fakes. Yeah. And I can imagine that would be even more effective if it's a targeted thing on a particular person, trying to like exploit information about that person
Starting point is 00:57:03 in order to get them to do a very specific thing in order to drain their bank account. 100%. I'm a pen tester, I'm a hacker. So ethically I get asked to do this all the time and I only do it when I sign a contract too, not for any other reason, but I have hacked many everyday regular people
Starting point is 00:57:23 as a part of their job, pretending to be from finance, asking for wire transfers, asking for, asking somebody in HR to change billing details, stealing money. It's easy to do, unfortunately, in both people's personal life and their professional life. Tell me more about that as an ethical hacker.
Starting point is 00:57:40 How did you get into that and what does that work like? Yeah, I got started at DEF CON, the world's largest hacker conference. So about 30 to 40,000 hackers descend on Vegas every August or July. We go there, we'd learn the latest attack techniques and I got started, I think like 10 years ago at this point, where they put me in a glass booth
Starting point is 00:57:58 in front of an audience of 500 hackers. And I had to hack a real company target live in front of that audience within 20 minutes. Wow. I ended up getting second place in that competition three years in a row, which kind of jumpstarted my career as a hacker. And then organizations like the large tech companies, large law firms started contacting me.
Starting point is 00:58:17 US Air Force asked me to hack them. And from there, it's a little bit of social proof, which is why I named my company that, where they kind of target, they want to talk about how safe they are. They want to talk about the fact that they've actually pressure tested their systems and they do that and it kind of just spreads from there. I wish we had opened with that anecdote.
Starting point is 00:58:35 That's really cool. What did you find from that corporation in 20 minutes? Like what does hacking entail and what is the audience looking at? They're looking at, I assume, a screen share of some kind on a monitor. Yeah. So everything we try to not go too deep and actually touch infrastructure. So what we do during the competition is demonstrate how elicitation works.
Starting point is 00:58:55 We've been joking and I've been doing elicitation with you all day. The Dr. Pepper thing was part of it. Me saying, what does your normal voice sound like? And is an example, right? Obviously, you're not going to fall for it. You're extremely savvy. But we try to... I like being asked questions about myself,
Starting point is 00:59:09 and I feel like I fall for it very easily. But it's just because I know you're a hacker. And the average guest could get any kind of info out of me. But please go on. So we try to get people to tell us information that would be useful. So for instance, it's useful for me to know which password manager you use, which multifactor
Starting point is 00:59:26 authentication tool you use, which websites you like to go to. If I know those specific sites, I can craft my phishing attacks or my malware to work on your specific machine. So getting people to say, oh, I use the Apple ecosystem. Well, now I know I have to use Mac based exploits. I'm not going to be able to attack you on a Google based device or Android phone, right? So it's helpful for me to understand what type of operating systems, versions, tool sets you use.
Starting point is 00:59:52 And that's what we really seek during the social engineering competitions at DEF CON. We're trying to demonstrate how we would gather that information to then trick somebody using a phishing attack or malware. This is a social engineering competition. So you were getting information from people that you- Yeah, just human hacking.
Starting point is 01:00:10 So I didn't actually touch their systems with any code or malware, but demonstrating how I would. Human hacking is a really good way to put it. Human hacking, like is frankly a better phrase than social engineering because it really makes it clear how vulnerable humans are. Because let me tell you something, our operating system never gets updated. I'm exactly as stupid today as I was a year ago
Starting point is 01:00:33 and I'll be even stupider in a couple of years. Don't tell me that, Adam. You're gonna give me heart palpitations over here. I'm gonna stay on after, I'm gonna get your systems up to date. I mean, for real, like, you know, one of the things about people that I think about all the time is, you know,
Starting point is 01:00:49 every problem in the world was caused by people and people, you know, we don't change that much. Like, you know, culture changes, civilization changes, but you know, people are greedy, they are careless, they are inattentive. They are, you know. Tired. Tired, yeah, absolutely. And they always will be.
Starting point is 01:01:08 And you know, they'll never stop being that way because they are human beings. They're flesh and blood, you know. And we will never be able to perfect ourselves. And we'll always be the weakest link in the system, right? I unfortunately always say that I have job security. I wish that that wasn't the case. I wish that we could get humans perfect. But humans aren't robots. We are fallible. We will
Starting point is 01:01:29 always make mistakes. I don't use the phrase weakest link in security. I twist it a little bit and say, you're the first line of defense. You're the first thing that could catch me. You're the first thing that will report me. And I do get caught all the time. So once people know what to look for, they understand how my persuasion techniques work, how do I build rapport, how we make jokes, how we talk, you know, all the ways we've been talking today, they go, oh, I didn't realize that that rapport building is actually soliciting information.
Starting point is 01:01:57 I'm giving the info that the attacker needs. I didn't recognize that in the moment. And then they're able to catch it later. So yeah, I get caught all the time. It's kind of empowering actually, it's exciting. Well, this brings us to my final two questions. The first one is, I just want to talk again about, what blame the companies whose systems we interact with
Starting point is 01:02:18 have for this problem? Because, we're fallible humans, we will never not be fallible. Yeah. And yet we are forced to interact with these extremely complex systems. And, you know, the burden is on us to freeze our credit file, to have, pick a good password, to use a password manager,
Starting point is 01:02:39 blah, blah, blah, blah, blah, blah. We didn't ask to be working with all these insecure systems, right? And half the time, you know, I just went and re-froze my credit files the other day, but half of these companies have had their own data breaches. Like the credit bureaus themselves have had data breaches. The customer service people at these companies are hackable,
Starting point is 01:03:02 et cetera, et cetera. And so, I mean, how much is this a problem where humans need to do better about being secure on our hands, but how much is it the companies themselves that need to be held responsible for creating, A, systems that require such great security, and B, for creating security holes that are constantly being exploited. They're never punished when they, you know, when they leak all of our private data, are they? Well, they get fines,
Starting point is 01:03:31 which are essentially a slap on the wrist. But you know, I would say that you're right, that we have to hold the companies that we trust with our data to a higher standard. And there are a lot of things that companies can do better. So if a company is not using multifactor authentication internally that matches their threat model, that's not good.
Starting point is 01:03:49 They need to do that because they're protecting our data. We have to protect our data with MFA, and they have to protect our data with MFA for their internal credentials too. If they're not using password managers, and most enterprises aren't fully using password managers across the board yet, they have to make sure that they're doing that.
Starting point is 01:04:05 They've got to make sure that they get their employees' information off the internet. They've got to remove their personal details, otherwise they're just going to get hacked personally, which will probably affect their work life as well because they're reusing passwords. And so there's so many things that organizations have to do that mimic what we have to do in our personal lives that we need to hold our organizations to a higher standard for. So I think you're exactly right. People have to take all of these actions and the workplaces that we are entrusting with
Starting point is 01:04:35 our data essentially have to do this as well. I have a bunch of takeaways that are specific to organizations like making sure that your customer service team knows how to verify identity appropriately and has updated those protocols and doesn't just ask, hey, what address did you live on? What's your date of birth? Because that's not sufficient
Starting point is 01:04:52 to protect your privacy or your security. I mean, how are we supposed to even be able to tell which companies take our security seriously and which ones don't? Like again, I'm a little bit more tech savvy than most people, so I can look at one company and say, all right, this one has better practices. But I look at something like, if the average person
Starting point is 01:05:10 is trying to decide whether to use Signal or Telegram, right, both of which claim to be encrypted services, but it has come out recently, my understanding is, that Signal is, as far as I know, quite well encrypted. Telegram never had encryption on by default. Most communications were not encrypted, and in fact, it was harboring so much cybercrime on their service that I believe the vice president
Starting point is 01:05:34 of the company or an extremely high-placed executive, was the CEO, excuse me, the CEO was just arrested. And this is one of the largest messaging apps in the world. More people use Telegram than use Signal, I believe. So how is the average person supposed to know, hey, this one is safe, whereas this one is a privacy and security nightmare. They both claim that they're doing a good job,
Starting point is 01:05:57 only one of them is. If you're looking for really good security information, I recommend, and I know this is something people disagree about, I recommend you follow security people on Twitter. We have been talking about the fact that Signal is end-to-end encrypted and Telegram is not end-to-end encrypted for like four, five years at this point. If you can follow those folks where they talk about it all the time that are actually providing
Starting point is 01:06:19 that analysis, I think it'll really help people. We try to get this information out and I think I talked to the Washington Post or something about this specific issue recently, but it's not something like you mentioned that the average consumer understands. And the average consumer isn't going to go into the T&Cs to see, wait, is it actually end-to-end encrypted or do I have to enable that? Is it end-to-end encrypted just naturally? Yeah. People don't understand that. They don't understand opt-in versus opt-out. So yeah, you want to use a tool that's end-to-end encrypted. You want to have good safe practices
Starting point is 01:06:50 and you want it to be something on a default. Signal has that. Yeah. And it, you know, it'll auto delete your messages if you turn that on, which is really good. If you're texting a drug dealer, I don't know, whatever you might want. There's a lot of, a legal one in California.
Starting point is 01:07:06 I don't know, whatever, cut that out or leave it in. I don't give a shit. We're at the end of the podcast and I'm getting loopy. What are your, so for the average person though, we talked about how we're all a part of this giant security capitalism nightmare where our security is always compromised and yet we must interact with it.
Starting point is 01:07:27 So what are the best practices that we can take to protect ourselves? Give us a couple of concrete tips that people can use here at the end of the podcast. Absolutely. Number one, use long, random, unique passwords stored in a password manager. There are a million good password managers out there.
Starting point is 01:07:44 Adam, you've talked about 1Password. Bitwarden happens to be free if you wanna get a free option. That I highly recommend, good encrypted options. And then you wanna make sure that you have multi-factor authentication on. That second step when you log in for every account. You might think,
Starting point is 01:08:00 oh, I don't care if I lose my Instagram or not. Well, your followers do. Because if you lose your Instagram, they're going to push crypto scams. They're going to try and scam your family and friends. You're going to try and scam the people around you. So it does matter. Make sure you have a long, random unique password. Multi-factor authentication is on.
Starting point is 01:08:15 Number three, I call this being politely paranoid. This means verifying that people are who they say they are before taking a sensitive action. Somebody says, hey, I got into a car accident. I need you to send bail money to this location. Say, no problem, I'm here to help you. I messaged you. I sent you a text. I sent you an email.
Starting point is 01:08:37 I sent you a Facebook DM. I sent you a WhatsApp message, whatever, any other method of communication. Go ahead and read that word out to me. If they can't do that, you've gotta be able to verify identity before sending passwords, sensitive access,
Starting point is 01:08:50 wiring money, et cetera. And number one. That's a really great tip. Also, a lot of these password managers now will let you, if you ever wanna send a password, they will let you send it in a secure way using the password, rather than just pasting it into your text app or whatever,
Starting point is 01:09:06 which I also think is helpful. But verifying is really, really useful. Or your Signal. That's another reason why you might use Signal if you don't have that password manager yet, but you're trying to send secure end-to-end encrypted data. And then the last one is, take your sensitive details off the internet.
Starting point is 01:09:21 I call this delisting yourself. A lot of people use that phrase. Delisting yourself means taking your sensitive details, like your address, your phone number, your email address, off of the internet. For most people, I can find multiple email addresses. And when I type them into these data breach repository sites, I'm able to find 13 to 14 breach passwords
Starting point is 01:09:42 that people reuse across their sites. I don't even need to contact you to hack you. I just find out what email address you use and then I log in as you with a breach password. And I recommend doing this. You can pay to do it or you can do it for free. If you do it for free, you just click the three dots on the side of Google
Starting point is 01:09:57 or send a fax to the data brokerage site. Most require a fax, which is really annoying. Or you could pay a service. DeleteMe by a company called Abine is one that I have used before, so highly recommend that too. Yeah, DeleteMe has sponsored this show. As people who listen to the show know,
Starting point is 01:10:11 I've used them for many years. Excellent service, and they just automatically send opt-outs to all the different data brokers to get your data taken off as many as possible. Works great. Those are all really good tips. And now you said that people should follow security professionals on what we now call x.com
Starting point is 01:10:31 or other services. You'll never call it x. You'll never call it, I finally started typing in x. Because the auto complete just stopped working on Twitter entirely, because they started referring us directly to x. So where can people find you, I'm sorry Rachel, on X or other platforms?
Starting point is 01:10:48 Are you on Threads or are you on Bluesky? Are you on Mastodon perhaps? I'm on everything with the same handle, at Rachel Tobac, no space. Well isn't that a security hole if you're using the same handle on every single one? Now people find a one handle, they know all of them Rachel. Well not if I've got a good long random unique password
Starting point is 01:11:03 stored on a password manager with multifactor authentication and I use DeleteMe. Oh, good. So now you just have to spend one week a year updating all your fucking passwords and doing all your security hygiene. I know I'm still frustrated we have to do it, but I'm really glad that you came on to tell us about how.
Starting point is 01:11:22 Rachel, thank you so much for coming on the show. Thank you. It was a pleasure having you. It was so good to be here. Thanks for chatting with me, Adam. Well, thank you once again to Rachel Tobac for coming on the show. If you want to support the show,
Starting point is 01:11:32 head once again to patreon.com slash Adam Conover. Five bucks a month gets you every episode of the show ad free. For 15 bucks a month, I will read your name in the credits of the show and put it in the credits of every single one of my video monologues to thank you for helping support what I do. This week I wanna thank Cam, Darren Kay,
Starting point is 01:11:50 Steven Volcano, Angelina Montoya, Matthew Reimer, Ethan Barak Pelled, Gabriel Guerra, and Kerry Hill. Thank you so much to all of you for supporting the show, patreon.com slash Adam Conover, if you'd like to join them. Once again, I am taking my new standup out on the road. Head to adamconover.net for tickets and tour dates. If you want to watch my brand new special, unmedicated, dropout.tv, I hope you watch it.
Starting point is 01:12:14 I am so proud of it, dropout.tv, to watch it. I want to thank my producers, Sam Rodman and Tony Wilson, everybody here at HeadGum for making the show possible. Thank you so much for watching and we'll see you next time on Factually. That was a HeadGum podcast.