Live from Orlando, Florida, it's theCUBE covering Grace Hopper Celebration of Women in Computing, brought to you by SiliconANGLE Media. Welcome back everybody, Jeff Frick here with theCUBE. We are winding down day three of the Grace Hopper Celebration of Women in Computing in Orlando. It's 18,000 mainly women, a couple of us men hanging out. It's been a phenomenal event. Again, it always amazes me to run into first timers that have never been to the Grace Hopper event. It's a must do if you're in this business and I strongly encourage you to sign up quickly because I think it sells out in about 15 minutes like a good rock concert. But we're excited to have our next guest. She's Rachel Tobac, UX Research at Course Hero. Rachel, great to see you. Thank you so much for having me on. Absolutely, so Course Hero, give people kind of an overview what Course Hero is all about. Yep, so we are an online learning platform and we help about 200 million students and educators master their classes every year. So we have all the notes. 200 million. Yes, 200 million. We have all the notes, study guides, resources, anything a student would need to succeed in their classes and then anything that an educator would need to prepare for their classes or connect with their students. And what ages of students, what kind of grades? They're usually in college, but sometimes we help high schoolers like AP students. Okay, but that's not why you're here. You want to talk about hacking. So you are what you call a white hat hacker. White hat. So for people that aren't familiar with the white hat, we all know about the Black Hat Conference. What is a white hat hacker? So a white hat hacker is somebody who's- So it's hard to say three times fast. I know, it's a tongue twister. A white hat hacker is somebody who is a hacker, but they're doing it to help people. They're trying to make sure that information is kept safer rather than kind of letting it all out on the internet.
Right, right, you're like the old secret shoppers that we used to have back in the pre-internet days. Exactly, exactly. So how did you get into that? It's a very non-linear story. Are you ready for it? Yeah. So I started my career as a special education teacher and I was working with students with special needs and I wanted to help more people. So I ended up joining Course Hero and I was able to help more people at scale, which was awesome, but I was interested in kind of more of the technical side, but I wasn't technical. So my husband went to DEF CON because he's a cybersecurity researcher and he calls me at DEF CON about three years ago and he's like, Rach, you have to get over here. I'm like, I'm not really technical. It's all going to go over my head. Why would I come? He's like, you know how you always call companies to try and get our bills lowered, like calling Comcast? He's like, well, they have this competition where they put people in a glass booth and they try and have them do that, but it's hacking companies. You have to get over here and try it. So I bought a ticket to Vegas that night and I ended up doing the white hat hacker competition called the Social Engineering Capture the Flag and I ended up winning second, twice in a row as a noob. So insane. So you're hacking, if I get this right, not via kind of hardcore command line assault, you're using other tools. So what are some of the tools that are vulnerabilities that people would never think about? So the biggest tool that I use is actually Instagram, which is really scary. 60% of the information that I need to hack a company, I find on Instagram via geolocation. So people are taking pictures of their computers, their workstations. I can get their browser, their version information and then I can help infiltrate that company by calling them over the phone. It's called phishing.
So I'll call them and try and get them to go to a malicious link over the phone and if I can do that, I can own their company by kind of presenting as an insider and getting in that way. It's terrifying. So you know phishing, right? I keep wanting to get the million dollars from the guy in Africa that keeps offering it to me and I don't know whether to bite on that or some other opportunity. Don't click the link. Don't click the link. But that's interesting. So people taking selfies in the office and you can just get a piece of the browser data in the background of that information and that gives you what you need to do. Yeah, so I'll find a phone number from somebody and maybe they take a picture of their business card, right? I'll call that number, test it to see if it works and then if it does, I'll call them in that glass booth in front of 400 people and attempt to get them to go to malicious links over the phone to own their company or I can try and get more information about their workstation. So we could, I mean, quote unquote, tailor an exploit for their software. We're not actually doing this, right? We're white hat hackers, but if we were the bad guys. We're trying to expose the vulnerability. The risk. And what is your best ruse to get them, I mean, who are you representing yourself as? Yeah, so the representation thing is called pretexting. It's who you're pretending to be. If you've ever watched, like, Catch Me If You Can. Right, right. Like Frank Abagnale Jr. So for me, the thing that works the best are low status pretexts. So as a woman, I will kind of use what we understand about society to kind of exploit that. So, you know, right now if I'm a woman and I call you and I'm like, I don't know how to troubleshoot your website. I'm so confused. I have to give a talk. It's in five minutes. Can you just try my link and see if it works on your end? You know, right?
You know, you believe that because there's things about our society that help you understand and believe what I'm trying to say, right? That's crazy. So do you make money white hat hacking for companies? Do they pay you to do this? Or is it like as part of a service? It didn't start that way. I started off just doing the Social Engineering Capture the Flag, the SECTF at DEF CON. I've done that two years in a row. But recently my husband Evan and I co-founded a company, Social Proof Security. So we work with companies to train them about how social media can impact them from a social engineering risk perspective. And so we can come in and help them and train them and understand, you know, if you have a webinar, 10 minute talk, or we can do a deep dive and have them actually step into the shoes of a hacker and try it out themselves. Well, I just thought the only danger was they know I'm here, so they're going to go, you know, steal my bike out of my house. On the West Coast. I'm just curious, and you may not have a perspective, because you have a niche that you execute. But between, say, you know, kind of what you're doing, social engineering, you know, front door, God, on the telephone, versus kind of more traditional phishing, you know, please click here. There's a million dollars if you'll click here. Versus, you know, what I would think is more hardcore command line, people really going in. I mean, do you have any sense for what kind of the distribution of that is in terms of what people are going after? Right, we don't know exactly, because usually that information's pretty confidential when a hack happens, but we guess that about 90% of infiltrations start with either a phishing email or a phishing call. So they're trying to gain information so they can tailor their exploits for your specific machine. And then they'll go in and they'll do that like actual, you know, technical hacking.
But I mean, if I'm phishing you right and I'm talking to you over the phone and I get you to go to a malicious link, I can just kind of bypass every security protocol you've set up. I don't even need a technical hacker, right? I just got into your computer because I'm in now, yeah. The other kind of low profile way I used to hear is that you go after the person that's doing the company picnic WordPress site, that's not thinking that that's an entry point in, kind of these less obvious access points. That's something that I talk about a lot actually is sometimes we go after mundane information, something like what pest service provider you use or what janitorial service you use. We're not even going to look for software on your machine. We might start with a softer target. So if I know what pest extermination service provider you use, I can look them up on LinkedIn, see if they've tagged themselves in pictures in your office. And now I can understand how do they work with you, what do their visitor badges look like and then emulate all of that for an on site attack, something like, you know, really soft, right? So you're sitting in the keynote, right? Fei-Fei Li is talking about computer visualization learning and, you know, Google running kajillions of pictures through an AI tool to be able to recognize the puppy from the blueberry muffin. I mean, that just represents ridiculous exploitation opportunity at scale that even, you know, you kind of hacking around the Instagram account can't even begin to touch. As you said, your other thing you did and then you did it at scale. Now, the same opportunity here, both for bad and for good. I'm sure AI is going to impact social engineering pretty extremely in the future here. Hopefully they're protecting that data.
Okay, so give a little plug so they'll look you up and get some more information, but what are just some of the really easy basic steps that you find people just miss that should just be, they should not be missing some of these basic things. The first thing is that if they want to take a picture at work like a hashtag TBT, right? It's their third year anniversary at their company. Step away from your workstation. You don't need to take that picture in front of your computer, because if you do, I'm going to see that little bottom line at the bottom and I'm going to see exactly what browser, version, OS and everything like that. Now I'm able to exploit you with that information. So step away when you take your pictures. And if you do happen to take a picture on your computer, I know you're looking at your computer nervously, right? I know, I'm like, don't turn my computer out of the cameras, you're scaring me, Rachel. If you do take a picture of that, then you don't want to let someone authenticate with that information. So let's say I'm calling you and I'm like, hey, I'm with Google Chrome. I know that you use Google Chrome for your service provider. Has your network been slow recently? Everyone's network's been slow recently, right? So of course you're going to say yes. Don't let someone authenticate with that info. Think to yourself, oh wait, I posted a picture of my workstation recently. I'm not going to let them authenticate and I'm going to hang up. Interesting. All right, Rachel. Well, I think the opportunity in learning is one thing. The opportunity in this other field is infinite. So thanks for sharing a couple of tips. Yes, thank you for having me. Hopefully we'll keep you on the good side. I won't let you go to the dark side. I won't, I promise. All right, Rachel Tobac. I'm Jeff Frick. You're watching theCUBE from Grace Hopper Celebration of Women in Computing. Thanks for watching.