From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.

Jeff: Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in our Palo Alto studios today. We got through March, this is some really crazy times, but we're taking advantage of the opportunity to reach out to some of the community leaders that we have in our community to get some good tips and tricks as to kind of how to deal with this current situation, all the working from home, school from home, and we're really excited to have one of the experts, one of my favorite CUBE guests. We haven't had her on since October 2017, which I find crazy, and would love to welcome into theCUBE via the remote dial-in Rachel Tobac. She is the CEO of Social Proof Security. Rachel, great to see you, and I cannot believe that we have not sat down since 2017.

Rachel: I know, I can't believe it. It's been so much time. Thanks for having me back.

Jeff: Absolutely, but we're good Twitter friends, so it's like exchanging stuff all the time. So first off, great to see you. Just as kind of an introduction, tell us a little bit about Social Proof Security and your very unique specialty.

Rachel: Yes, Social Proof Security is all about social engineering and protecting you from those types of attackers. So basically we help you understand how folks manipulate you and try and gain access to your information. I'm an attacker myself, so I basically go out, try it, learn what we can learn about how we do our attacks, and then go in and train you to protect your organization. So training and testing.

Jeff: All right, well, I'm gonna toot your horn a little bit louder than that, because I think it's amazing. I mean, I think you are basically 100% undefeated in hacking people during contests, at conventions, live. And it's fascinating to me, and why I think it's so important is it's not a technical hack at all. It's a human hack, and your success is amazing, and I've seen you do it.
There's tons of videos out there with you doing it. So what are kind of just the quick and dirty takeaways that people need to think about, knowing that there are social hackers, not necessarily machine hackers, out there trying to take advantage of them? What are some of our just inherent weaknesses that we just have built into the system?

Rachel: Yeah, thanks for your kind words, too. I appreciate that. The challenge with social engineering is that it leverages your principles of persuasion, the parts of you that you cannot switch off. And so I might pretend to be similar to you so that I can build rapport with you. And it's really hard for you to switch that off because you wanna be a kind person, you wanna be nice and trusting, but it's hard. It's a tough world out there, and unfortunately criminals will leverage elements of your personality and your preferences against you. So for instance, if I know you have a dog, then I might play a YouTube video of a dog barking and try and gain access to information about your systems or your data while pretending to be IT support, for example. And that's really tough because three minutes into the conversation, we're already talking about our dog breeds and now you wanna trust me more. But unfortunately, just because we have something in common, it doesn't mean that I am who I say I am. And so I always recommend people are politely paranoid. It just basically means that you use two methods of communication to confirm that people are who they say they are. And if they're trying to get you to divulge sensitive information or go through with a wire transfer, for instance, you wanna make sure that you check that first. We just saw an example of this with Barbara Corcoran, famously on Shark Tank, where she has many investments in real estate.
And unfortunately, a cyber criminal was able to take advantage and get almost, I think, $400,000 wired over to them, and they did lose that money because they were able to take advantage of the bookkeeper, the accountant, and the assistant. And folks just were not checking back and forth that people are who they say they were with multiple methods of communication.

Jeff: It's crazy. A friend of mine actually is in the real estate business, and we were talking earlier this year and he got a note from his banker. Looked like his banker's email. It was the guy's name that he works with all the time. He was talking about a transfer. It didn't have a bunch of weird misspellings and bad grammar and all kind of the old school things that kind of would expose it as a hack. And he picked up the phone and called the guy and said, we don't have a transaction happening right now. Why did you send this to me? So it gets really, really, really good. But let's dive into just a little vocabulary 101. When people talk about phishing and spear phishing, what does that exactly mean for people that aren't really familiar with those terms?

Rachel: Sure. But most likely you're going to see it happen for email. In fact, with COVID-19 right now, we've seen through Google's transparency report on phishing that there's been a 350% increase in phishing attacks, and I believe RiskIQ did research that said that there were 300,000 plus suspicious COVID-19 phishing websites that were just spun up in the past couple of weeks. It's pretty scary, but basically what they're trying to do is get you to input your credentials. They're trying to get access to your machine or your credentials so that they can use them on other high value sites, gain access to your information, your data, your points, your sensitive data basically, and use that against you. It's really tough. Unfortunately, criminals don't take a break even in crisis.

Jeff: Yeah, they're not self-isolating, unfortunately.
I guess they're sitting there with their computers. So that's interesting. So I was going to ask you kind of what is the change in the landscape now? So you answered it a little bit there, but then the other huge thing that's happening now is everybody's working from home. They're all on Zoom. They're all on Skype, WebEx. And you've actually had some really timely posts just recently about little things that people should think about in terms of just settings on Zoom to avoid some of the really unfortunate things that are popping in kind of randomly on Zoom meetings. So I wonder if you could share some of those tips and tricks with the audience.

Rachel: Yeah, absolutely. Some of the big issues that we're seeing recently is what people have coined as Zoom bombing. It's all over the news. So you've probably heard about it before, but in case you're wondering exactly what that is, it's whenever an attacker either guesses your Zoom ID code and you don't have a password on your Zoom call that you're in the middle of, or they might gain access to your Zoom ID code because maybe you took a screenshot of your Zoom and posted that to social media. And now if you don't have password protection or waiting rooms on, they can just join your call. And sometimes you might not notice that they're on the call, which could lead to a privacy issue, data breach for instance, or just a sensitive data leak. If they join via the phone, you might not even notice that they're on the call. And so it is really important to make sure that you have password protection on for your Zoom and you have waiting rooms enabled. And you don't wanna take pictures of your workstation. I know that's really tough for folks because they want to showcase how connected they are during these difficult times.
I do understand that, but realize that when you take those screenshots of your workstation, this is something that we just saw in the news with Boris Johnson just a few days ago, he posted an image of his Zoom call and it included some of the software that he used. And so you just mentioned spear phishing, right? I can look at some of that software, get an idea for maybe the version of his operating system, the version of some of the software he might be using on his machine, and craft a very specific spear phish just for him that I know will likely work on his machine with his software installed because I understand the version and the known vulnerabilities in that software. So there's a lot of problems with posting those types of pictures, and as a blanket rule, you're not gonna wanna take pictures of your workstation, especially not now.

Jeff: Okay, so I remember that lesson that you taught me when we were in Houston at Grace Hopper. Do not take selfies in front of your work laptop because, as you said, you can identify all types of OS information and app information that gives you an incredible advantage when you're trying to hack into my machine.

Rachel: Yeah, that's true. And I think a lot of people don't realize, you know, they're like, well, everybody uses a browser, everybody uses PowerPoint, for example, but sometimes the icons and logos that you have on your machine really give me good information about the exact version and potentially the versions that might be out of date on your machine. When I can look up those known vulnerabilities pretty easily, that's a pretty big risk. The other thing that we see is people will take screenshots and I can see their desktop. And when I can see your desktop, I might know the naming convention that you use for your files, which I can name drop with you or talk about on the phone or over email to convince you that I really do have access to your machine, like I am IT support or something.

Jeff: Yeah, it's great stuff.
So for people who want more of this great stuff, go to Rachel's Twitter handle. I'm sure we have it here on the lower third. You've got the great piece with John Oliver last week with hacking the voting machines, like a week before the elections last year, which was phenomenal. And now I just saw you're in this new HBO piece where you actually just sit down at the desk with the guy running the show and hack the system. So really good stuff, really simple stuff. Let's shift gears one more time, really in terms of what you're doing now. You said you're doing some help in the community to directly help those in need as we go through this crisis and people are trying to find a way to help. Tell us a little bit more about what you're doing.

Rachel: Yeah, as soon as I started noticing how intensely COVID-19 was wreaking havoc on the hospital and healthcare systems in the world, I decided to just make my services available for free. And so I kind of put out a call on all my social medias and let folks know, hey, if you need training, if you need support, if you just want to walk through some of your protocols and how I might gain access to your systems or your sensitive data through those protocols, let me know and I'll chat with you. And I've had an amazing response, being able to work with hospitals all over the world for free to make sure that they have the support that they need during COVID-19. It really does mean a lot to me because it's tough. I feel kind of powerless in the situation. There's not a lot that I can personally do. There are many, many brave folks who are out there risking it all every single day to be able to do the work to keep folks safe. So just trying to do something to help support the healthcare industry as they save lives.

Jeff: Well, that's great. I mean, and it is great because if you're helping the people that are helping, you know, you are helping maybe not directly with patients, but that's really important work.
And, you know, there's a lot of stuff now that's coming out in terms of, you know, kind of this tunnel vision on COVID-19 and letting everything else kind of fall by the wayside, including other medical procedures and, you know, that there's going to be a lot of collateral damage that we don't necessarily see because the COVID situation has kind of displaced everything out and kind of blown it out. So, you know, anything that you can do to help people get more out of their resources, protect their vulnerabilities, is nothing but goodness. So thank you, thank you for doing that. So I'll give you the last word. What's your favorite, your favorite kind of closing line when you're at Black Hat or RSA to these people to give them the last little bit, you know, come on, don't do stupid things. There are some simple steps you can take to be a little bit less vulnerable.

Rachel: Yeah, I think something that we hear a lot is that people kind of give a blanket piece of advice, like don't click links. And that's not really actionable advice because a lot of times you are required to click links or download that PDF attachment from HR. And many times it is legitimate for work. And so that type of advice isn't really the type of advice I like to give. Instead, I like to say just be politely paranoid and use two methods of communication to confirm it is legitimate before you go ahead and do that. And it'll take a little bit of time. I'm not gonna lie, it'll take you an extra 30 seconds to 60 seconds to just chat somebody and say, hey, quick question about that thing you sent over. But you can start to change the security consciousness of your culture, and maybe they'll put out a chat while they send out an email from HR to let you know that it is legitimate. And then you're kind of starting the cycle at the beginning, and people don't have to, not every single person has to ask individually.
You can start getting that security consciousness going where people are politely paranoid and they know that you're going to be too. So they're going to preempt it and make sure you understand something's legitimate with the second form of communication.

Jeff: Great tip. I'm a little taken aback. Everybody now wants to get their scores so high, their customer satisfaction score. So like after every transaction you get these silly surveys, you know, how was your time at Safeway, your Bank of America, all these things. SurveyMonkey, I don't even know how those businesses stay in anymore. I'm not clicking on any Bank of America customer satisfaction or Safeway customer satisfaction link. But I will be politely paranoid and look for the right ones to click on.

Rachel: That's good, that's good. And use two methods of communication to confirm they're real.

Jeff: That's right, two-factor authentication. All right, well, Rachel, thank you for taking a few minutes of your time. Thank you for your good work with the hospitals and the community, and I really enjoy catching up as always, love your work. And I'm sure we'll be talking to you more on Twitter.

Rachel: Thanks for having me on again and I'll see you on the internet.

Jeff: All right, be safe.

Rachel: Thank you.

Jeff: All right, that was Rachel. I'm Jeff, you're watching theCUBE. We're coming to you from our Palo Alto studios. Thanks for watching. Stay safe and we'll see you next time.