>> Narrator: From theCUBE studios in Palo Alto and Boston connecting with thought leaders all around the world. This is theCUBE conversation. >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We are here in our Palo Alto studios today. We got through March, this is some really crazy time. So we're taking advantage of the opportunity to reach out to some of the community leaders that we have in our community to get some good tips and tricks as to know how to kind of deal with this current situation. All the working from home, school from home. And we're really excited to have one of the experts. One of my favorite CUBE guests. We haven't had her around since October 2017, which I find crazy. And we'd love to welcome into theCUBE via the remote dial-in, Rachel Tobac. She is the CEO of SocialProof Security. Rachel, great to see you and I cannot believe that we have not sat down since 2017. >> I know, I can't believe it, it's been so much time. Thanks for having me back. >> Absolutely, but we are good Twitter friends. >> Oh yeah >> Exchanging stuff all the time. So, first of, great to see you. Just a kind of of introduction, tell us a little bit about SocialProof Security and your very unique specialty. >> Yes. SocialProof Security is all about social engineering and protecting you from the those types of attackers. So, basically we help you understand how folks manipulate you and try and gain access to your information. I am an attacker myself so I basically go out, try it, learn what we can learn about how we do our attacks and then go on and train you to protect your organization. So, training and testing. >> Alright. Well, I am going to toot your horn a little bit louder than that because I think it's amazing. I think that you are basically 100% undefeated in hacking people during contests at conventions, live. And it's fascinating to me and why I think it's so important it's not a technical hack at all. It's a human hack, and your success is amazing. And I've seen you do it. There's tons of videos out there with you doing it. So, what are kind of just the quick and dirty takeaways that people need to think about knowing that there are social hackers, not necessarily machine hackers out there, trying to take advantage of them. What are some of these inherit weaknesses that we just have built into the system? >> Yeah, thanks for your kind words too, I appreciate that. The challenge with social engineering is that it leverages your principles of persuasion. The parts of you that you cannot switch off. And so, I might pretend to be similar to you so that I can build rapport with you. And it's really hard for you to switch that off because you want to be a kind person, you want to be nice and trusting. But it's hard, it's a tough world out there and unfortunately criminals will leverage elements of your personality and your preferences against you. So, for instance if I know you have a dog, then I might play a YouTube video of a dog barking and try and gain access to information about your systems and your data, while pretending to be IT support, for example. And that's really tough because, you know three minutes into the conversation we are already talking about our dog breeds and now you want to trust me more. But unfortunately just because we have something in common, it doesn't mean that I am who I say I am. And so, I always recommend people are politely paranoid. It just basically means that you use two methods of communication to confirm that people are who they say they are. And if they are trying to get you to divulge sensitive information or go through with a wire transfer, for instance, you want to make sure that you check that first. We just saw an example of this with Barbara Corcoran. Famously on Shark Tank. Where she has many investments in real estate. And unfortunately a cyber criminal was able to take advantage and get almost $400,000 wired over to them and they did lose that money because they were able to take advantage of the bookkeeper, the accountant and the assistant and folks just were not checking back and forth that people are who they say they were with multiple methods of communication. >> It's crazy. A friend of mine actually is in the real estate business. And we were talking earlier this year and he got a note from his banker. Looked like his banker's email. It was the guy's name that he works with all the time. Was talking about a transfer. It didn't have a bunch of weird misspelling and bad grammar. And all kind of the old school things that kind of would expose it as a hack. And he picked up the phone and called the guy, and said "we don't have a transaction happening right now. "Why did you send this to me?" So it gets really really really good. But lets dive into just a little vocabulary 101. When people talk about "fishing" and "spearphishing" what does that exactly mean for people that aren't really familiar with those terms? >> Sure. Most likely you are going to see it happen over email. In fact, with COVID-19 right now we've seen through Google's Transparency Report on fishing that there's been a 350% increase in fishing attacks. And I believe Brisk had this huge research that said that there were 300,000 plus suspicious COVID 19 fishing websites that were just spun up in the past couple of weeks. It's pretty scary but basically what they are trying to do is get you to input your credentials. They are trying to get access to your machine or your credentials so that they can use them on other high value sites, gain access to your information, your data, points, your sensitive data basically. And use that against you. It's really tough. Unfortunately, criminals don't take a break even in crisis. >> Yeah they are not self-isolating unfortunately, I guess they are sitting there with their computers. So that's interesting. So, I was going to ask you, kind of what is the change in the landscape now. So you answered a little bit there but then the other huge thing that's happening now is everybody is working from home. They are all on Zoom, they are all on Skype, WebEx. And you've actually had some really timely post just recently about little things that people should think about in terms on just settings on Zoom to avoid some of the really unfortunate things that are popping in kind of randomly on Zoom meetings. So, I wonder if you could share some of those tips and tricks with the audience. >> Yeah, absolutely. Some of the big issues that we are seeing recently is what people have coined as Zoombombing. It's all over the news. So you've probably heard about it before but in case you are wondering exactly what that is. It's whenever an attacker either guesses your Zoom ID code and you don't have a password on your Zoom call that you are in the middle of. Or they might gain access to your Zoom ID code because maybe your took a screenshot of your Zoom and posted that to social media. And now if you don't have password protection or your waiting room is on they can just join your call and sometimes you might not notice that they are on the call, which could lead to privacy issues, data breach for instance or just a sensitive data leak. If they join via the phone you might not even notice that they are on the call. And so it's really important to make sure that you have password protection on for your Zoom and you have waiting rooms enabled. And you don't want to take pictures of your workstation. I know that's really tough for folks. because they want to showcase how connected they are during these difficult times I do understand that. But realize that when you take those screenshots of your workstation, this is something that we just saw in the news with Boris Johnson just a few days ago. He posted an image of his zoom call and it included some of the software they used. And so, you just mentioned spearphishing, right? I can look at some of that software get an idea for maybe the version of his operating system the version of some of the software he may be using on his machine and craft a very specific spearfish just for him that I know will likely work on his machine, with his software installed because I understand the version and the known vulnerabilities in that software. So, there's a lot of problems with posting those types of pictures. As a blanket rule you are not going to want to take pictures of your workstation. Especially not now. >> Okay, so, I remember that lesson that you taught me when we're in Houston at Grace Hopper. Do not take selfies in front of your pics, in front of your work laptop. 'Cause as you said, you can identify all types of OS information. Information that gives you incredible advantage when you are trying to hack into my machine. >> Yeah, that's true. And I think a lot of people don't realize they are like, "everybody uses the browser, everybody uses Power Point", for example. But sometimes, the icons and logos that you have on your machine, really give me good information about the exact version and potentially the versions that might be out of data in your machine. When I can look up those non-vulnerabilities pretty easily that's a pretty big risk. The other things that we see is people take screenshots and I can see their desktop and when I can see your desktop, I might know the naming convention that you use for your files which I can name drop with you or talk about on the phone or over email to convince you that I really do have access to your machine like I am IT support or something. >> Yeah, it's great stuff. So for people who want more of this great stuff go to Rachel's Twitter handle. I'm sure we have it here on the lower third. You've got the great piece with. Last week with John Oliver hacking the voting machines like a week before the elections last year which was phenomenal. Now I just saw your in this new HBO piece where you actually just sit down at the desk with the guy running the show and hacker disciplines systems. Really good stuff. Really simple stuff. Let's shift gears one more time, really in terms of what you are doing now. You said you are doing some help in the community to directly help those in need as we go through this crisis. People are trying to find a way to help. Tell us a little bit more about what you are doing. >> Yeah, as soon as I started noticing how intense COVID-19 was wreaking havoc on the hospital and healthcare systems in the world I decided to just make my services available for free. And so I put out a call on my social medias and let folks know "Hey if you need training ,if you need support if you just want to walk through some of your protocols and how I might gain access to your systems or your sensitive data through those protocols, let me know and I'll chat with you" And, I've had an amazing response. Being able to work with hospitals all over the world for free to make sure that they have the support that they need during COVID-19 it really does mean a lot to me because it's tough I feel kind of powerless in this situation there's not a lot that I can personally do there are many brave folks who are out there risking it all every single day to be able to do the work to keep folks safe. So, just trying to do something to help support the healthcare industry as they save lives. >> Well, that's great. I mean, it is great 'cause if you are helping the people that are helping ,you know, you are helping maybe not directly with patients but that's really important work and there's a lot of stuff now that's coming out in terms of, kind of of this tunnel vision on COVID-19 and letting everything else kind of fall by the wayside including other medical procedures and there is going to be a lot of collateral damage that we don't necessarily see because the COVID situation has kind of displaced everything out and kind of blown it out. Anything that you can do to help people get more out of the resources, protect their vulnerability is nothing but goodness. So, thank you for doing that. So, I will give you a last word. What's your favorite, kind of closing line when you are at Black Hat or RSA to these people to give them the last little bit "Come on, don't do stupid things. There is some simple steps you can take to be a little bit less vulnerable" >> Yeah, I think something that we hear a lot is that people kind of give a blanket piece of advice. Like, don't click links. And, that's not really actionable advice. Because a lot of times you are required to click links or download that PDF attachment from HR. And, many times it is legitimate for work. And so, that type of advice isn't really the type of advice I like to give. Instead, I like to say just be politely paranoid and use two methods of communication to confirm if it is legitimate before you go ahead and do that. And, it will take a little bit of time I'm not going to lie it'll take you an extra 30 seconds to 60 seconds to just chat somebody and say "Hey quick question about that thing you sent over" But it can start to change the security consciousness of your culture. And maybe they'll put out a chat while they send out an email from HR to let you know that it is legitimate and then you are kind of starting this cycle at the beginning. Not every single person has to ask individually you can start getting that security consciousness going where people are politely paranoid and they know that you are going to be too so they are going to preempt it and make sure that you understand something is legitimate with a second form of communication. >> Great tip, I am a little taken aback, everybody now wants to get their score so high their customer satisfaction score so after like every transaction you get this silly surveys "How was your time at SafeWay? "Or Bank of America?" All these things Survey Monkey. I don't really know how those businesses stay in anymore. I am not clicking on any Bank of America customer satisfaction or Safeway customer satisfaction link. But I will be politely paranoid and look for the right ones to click on. (giggle) >> That's good and use two methods of communication to confirm they are real. >> That's right,two-factor authentication. Alright,well Rachel, thank you for taking a few minutes of your time. Thank you for your good work with hospitals in the community and really enjoyed catching up. As always, love your work and I'm sure we'll be talking you more on Twitter. >> Thanks for having me on again and I'll see you on the Internet. >> All right, be safe. >> Rachel: Thank you >> All right, that was Rachel. I am Jeff. You are watching theCUBE. We are coming to you from our Palo Alto Studios. Thanks for watching. Stay safe and we'll see you next time. (instrumental music)