She hacked a billionaire, a bank and you could be next. Do this now to protect yourself!

She has hacked a CNN reporter, a billionaire, a bank and many others. Rachel Tobac can hack just about anyone - including you. Learn how to protect yourself.
// MENU //
0:00 - Intro
00:58 - Rachel Tobac introduction
01:36 - Hacker vs Criminal
02:28 - SocialProof Security // Hacking sea shanty video
04:02 - Hacking CNN's Donie O'Sullivan
05:36 - Flaws in phone call authentication
08:01 - Finding passwords through data breach repositories
09:00 - Preventing hacks // YubiKey & MFA
16:38 - Flaws in SMS authentication
18:01 - Creating "uncrackable" passwords
19:56 - Recommended password managers
21:26 - "Politely Paranoid" // Be vigilant
23:17 - Phone call authentication is in the dark ages
24:59 - Tips to prevent being hacked
26:41 - MFA fatigue // How a teenager hacked Uber
29:05 - "Hacking isn't that complicated"
30:07 - Hacking Jeffrey Katzenberg // Learn from examples
33:06 - Delete the cookies // Have a different computer for work and home
34:22 - Scenario: preventing hacks as the president
45:59 - Effective preventions // Password managers & MFA
47:51 - Hacking into a bank
49:33 - "Infiltrating" a company
51:53 - Technical-based vs human-based
53:31 - Getting into Social Engineering at DefCon
55:39 - Tips for getting into Social Engineering
57:36 - Final words // Conclusion
// Rachel's SOCIAL //
Twitter: / racheltobac
Instagram: / racheltobac
Mastodon: infosec.exchange/@racheltobac
Website: www.socialproofsecurity.com/
// Videos Mentioned //
- It was easy to hack a billionaire: • It Was Easy to Hack a ...
- John Hammond // He tried to hack me: • He tried to hack me...
- Corridor Crew // Channel was terminated, we got hacked: • Channel was TERMINATED...
- We asked a hacker to try and steal a CNN Tech Reporter’s data. She got it in seconds: • We asked a hacker to t...
- Watch a CNN Reporter get hacked: • Watch a CNN reporter g...
- Watch How Easy It was to Hack this CNN Reporter: • 'Don't use the same pa...
- 16 Secs to Break Wifi Networks Owned! • 16 secs to break it! 😱...
- Modernize MFA with the Yubikey: • Modernize MFA with the...
- Inside the mind of an ethical hacker • Inside the mind of an ...
- My KZread channel being hacked • My KZread channel bei...
// Books //
The Social Engineer’s Playbook by Jeremiah Talamantes amzn.to/3BmU3pq
// David's Social //
Discord: / discord
Twitter: / davidbombal
Instagram: / davidbombal
LinkedIn: / davidbombal
Facebook: / davidbombal.co
TikTok: / davidbombal
KZread Main Channel: / davidbombal
KZread Tech Channel: / @davidbombaltech
KZread Clips Channel: / @davidbombalofficialclips
KZread Shorts Channel: / @davidbombalshorts
Apple Podcast: davidbombal.wiki/applepodcast
Spotify Podcast: open.spotify.com/show/3f6k6gE...
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
#cnn #billionaire #hacking

Comments: 402


  • @delightgodson8503

    @delightgodson8503

    1 year ago

    Good day Sir, your videos have been so great and I always download and study them. I'm working on an IoT project and I don't know if I'd be privileged to be assisted by you or whomsoever you know to be well informed in that area. The project is basically to simulate a botnet attack on a network of IoT devices. It's a senior year project. I just need assistance or guidance. I'm actually working towards going into IoT hacking so it's a great step but the issue is that my supervisor isn't convinced that the project is feasible though I do believe it is. But he's given me an opportunity to reconsider before he approves it within 2 days. I currently researched about a good simulator that could model the IoT network and also will be able to carry out the attack but I'm not convinced of the options that I came across. I do need assistance. I understand you're busy but if you can point me to a material or someone, I'd be forever grateful. But in case I don't get a reply, your videos are very knowledge and information driven and they've helped me. This year, I'd put in the right discipline into my cyber security career. Thanks in advance as I await your humble and helpful response. God bless you 🙏

  • @Frostyz266

    @Frostyz266

    1 year ago

    Yo, are you South African by any chance? Your accent is quite familiar

  • @avineeshgosain1858

    @avineeshgosain1858

    1 year ago

    Sir I forgot to note RFB PORT# in termux for kali hunter. What should I do now?

  • @ikilledthemoon

    @ikilledthemoon

    1 year ago

    Is it a good thing that she's hacking people? Isn't that like...bad?

  • @hollyb5957

    @hollyb5957

    1 year ago

    Sent you a message on insta David please reply Ty.

  • @soll86
    @soll86 1 year ago

    addition to this video: Don't use LastPass as they got breached so many times. The most recent breach was a disaster and confirmed the company is not serious / to be trusted

  • @davidbombal

    @davidbombal

    1 year ago

    Agreed. This was recorded before all the details of what happened were made known.

  • @juang1one

    @juang1one

    1 year ago

    LastPass=fail.. at this point it is safer to save passwords on Post It Notes.

  • @SebastianPerezG

    @SebastianPerezG

    1 year ago

    @@juang1one And in Safe ...

  • @An.Individual

    @An.Individual

    1 year ago

    LostPass

  • @aktannoman2215

    @aktannoman2215

    1 year ago

    @@davidbombal What is your opinion on 1pass David?

  • @robroy289
    @robroy289 1 year ago

    Surprised any "cybersecurity expert" would say anything about getting on tiktok without mentioning their privacy issues. If people don't even try to protect their info, what's the point of being concerned about it?

  • @UGPVlogsLA

    @UGPVlogsLA

    1 year ago

    I know! That just doesn't make any sense to me.

  • @BobBob-qm2bm
    @BobBob-qm2bm 1 year ago

    WOW! You all packed a plethora of information into this conversation. Good job DB hosting industry professionals dropping real and relevant knowledge to educate the community. David B does it again!!👏

  • @mariembuenaventura1278
    @mariembuenaventura1278 1 year ago

    And she looks like a normal person not the typical hacker stereotypes.

  • @davidbombal

    @davidbombal

    1 year ago

    An important lesson right there.

  • @davidomar742

    @davidomar742

    1 year ago

    This is actually beneficial in the real world.

  • @myname-mz3lo

    @myname-mz3lo

    1 year ago

    nearly no hackers look like the stereotype

  • @Singlton

    @Singlton

    1 year ago

    Sssssnake

  • @sfurtado3

    @sfurtado3

    1 year ago

    You haven't met too many hackers obviously

  • @ThaKidd-RSI
    @ThaKidd-RSI 2 months ago

    Half way through this video...and I will say we absolutely need MFA for voting!

  • @t6hp
    @t6hp 1 year ago

    Man, I'm more into web dev and some low level tinkering from time to time, but I have to say I love your channel and how you always have fresh ideas for content with great professionals!

  • @millertime6
    @millertime6 1 year ago

    David allows interviewees to talk which is so rare on YT

  • @dragon4957007
    @dragon4957007 1 year ago

    David thank you for bringing such practical aspects and superb guest on show.

  • @stevenmaile6547
    @stevenmaile6547 1 year ago

    Another absolutely AWESOME interview!!! Notes were taken!

  • @GarageTroll22
    @GarageTroll22 1 year ago

    wow. one of the best interviews yet. thx for the content

  • @brianturney2124
    @brianturney2124 1 year ago

    One thing I have not heard mentioned but I highly recommend to everyone, is to have a fraud alert put on all three major credit reporting agencies and 2FA on all those accounts as well. Whether you have been the victim of fraud or identity theft or not. That forces any company extending you credit to call your phone, adding that second level of verification. Halts someone from getting credit accounts in your name when/if identity theft accompanies an account being hacked somewhere.

  • @dabela2279
    @dabela2279 8 months ago

    David, thank you, thank you, thank you. You and your amazing guests are bringing so much Awareness. I run a Cyber Security company and your insight is superb

  • @Counterhackingsafe
    @Counterhackingsafe 1 year ago

    Excellent video thanks, David! I wish she also had a youtube channel; the way she explains it is straightforward to understand too! Thanks again.

  • @waylonbraswell8445
    @waylonbraswell8445 1 year ago

    Was the Musk comment necessary.. especially seeing how there’s a ton of corruption being highlighted currently. Other than that, amazing content.

  • @--Morpheus--

    @--Morpheus--

    1 year ago

    Easy way to show which way she leans at the voting booth. Which is not reassuring..

  • @EschinTenebrous
    @EschinTenebrous 1 year ago

    Check out the recent Security Now(s) with Steve Gibson on the LastPass breach. Lot of folks are finding their vaults were still encrypted with "circa 2007" encryption standards.... And their vaults are trivial to crack with today's 'rigs', around 60 seconds or less. LastPass seems to be losing a tremendous amount of rep since their breach, and it's beginning to show just how negligent they were with a sizable amount of their customers' vaults. Ironically, it seems the longer you were a lastpass customer, the more vulnerable your vault is... They never upgraded user vaults to keep up with changing standards. From what I'm hearing, LastPass simply isn't "credible" anymore, and they may go under from this breach and its fallout.

  • @cyberdevil657
    @cyberdevil657 1 year ago

    Great work David :D And Rachel seems awesome too, would love to work at her company one day

  • @claytonbich
    @claytonbich 1 year ago

    From a desktop support tech at a computer repair shop 2FA is a pain in the ass, I loathe having to contact customers when trying to troubleshoot issues with computers.

  • @Maleko48
    @Maleko48 1 year ago

    can we talk about how many websites don't support sufficiently complex and long passwords in the first place? 🙃

  • @sk3ffingtonai
    @sk3ffingtonai 1 year ago

    As a cybersecurity IT expert for many decades, considering postmodern bank security policies and methods, this hardly seems like earth-shattering news or a herculean accomplishment.

  • @faizanalam1244

    @faizanalam1244

    1 year ago

    Can u please elaborate sir

  • @WilliamWatrous

    @WilliamWatrous

    1 year ago

    It's not to us in IT, but you'd be surprised how little the average user knows or understands. This surface level knowledge would prevent so many attacks

  • @weniweedeewiki.6237

    @weniweedeewiki.6237

    1 year ago

    you don't give your special sauce to everyone bro

  • @juang1one

    @juang1one

    1 year ago

    ...because they still run Win95?

  • @rationalistfaith

    @rationalistfaith

    1 year ago

    But women…. And simps 🤡

  • @kaoh1778
    @kaoh1778 1 year ago

    New year, new intro. Love it!!!

  • @akhund
    @akhund 1 year ago

    Hats off wonderful discussion many thanks from Pakistan Did try all these stuff on my own Thanks

  • @LexiLominite
    @LexiLominite 1 year ago

    Since technology is growing at fast rate in terms of "security based on its technology" the only thing that's left for hackers is "Human based security" which is why Social Engineering is the key piece in the moment..

  • @samshingler8186
    @samshingler8186 1 year ago

    Another fantastic video! Great content and really good interviewing around such important topics and areas. A lot of people take these things for granted, it will always be this way which gives us more scope for white hats to make more money but does always amaze me how little people care about their own data until they then get hacked, after that, they can't get enough of it haha

  • @gilgreenwood6354
    @gilgreenwood6354 1 year ago

    This is a GREAT video. Thanks for sharing and helping us stay safe.

  • @karlstenator
    @karlstenator 1 year ago

    Excellent talk, thank you!

  • @IBM_Museum
    @IBM_Museum 1 year ago

    @5:48 - I had to contact a bank (no account and previous transaction history) when someone was attempting to fraudulently open an account in my name. The representative said she would send me a "verification text" and then asked me what number I wanted it sent to! When I incredulously responded how that would "verify" me, she said that the bank "had a way to check the number" and that it was a process that they used all the time.

  • @francisreidjr3788
    @francisreidjr3788 1 year ago

    great video David and Rachel, lots of great info

  • @jameswatkinsiii7834
    @jameswatkinsiii7834 9 months ago

    How could an Android phone ever be a secure way of doing banking. I-phones yes I get it. But not Android, They don't even give more than 3 years of Security updates..... You're a 5 star content provider. And you really try to help people who might not have the financial resources. Thank you for being a genuine person, and trying to help. Good info all around.

  • @figgiefigueroa7372
    @figgiefigueroa7372 1 year ago

    David I just discovered your channel and is on 🔥 fire.

  • @nomad5375
    @nomad5375 1 year ago

    That was a great video, I learned a lot. She is amazing.

  • @pataHAX
    @pataHAX 1 year ago

    Pretty much everything she said is common sense. Lucky she is pretty otherwise she wouldn't be where she is today. Look at this comment section... Simps are crazy man...

  • @kerhabplays
    @kerhabplays 1 year ago

    The only channel that I enjoy watching a 50+ min video cuz it's helpful

  • @davidbombal

    @davidbombal

    1 year ago

    Very happy to hear that!

  • @jamesfinlay1364

    @jamesfinlay1364

    1 year ago

    I did the same I couldn’t sleep so I loaded an interview and lay it down on the pillow beside me for 55mins I was glued to the interview and listened to every word.

  • @ANAS-ty6rn

    @ANAS-ty6rn

    1 year ago

    @@davidbombal sir how can i start learning all these things?

  • @tigere01
    @tigere01 5 months ago

    You ask really good questions David.

  • @trigmegistos
    @trigmegistos 1 year ago

    Thank you David your channel is always amazing me! Keep it up!

  • @alongia
    @alongia 1 year ago

    what a great video. Rachel is amazing.

  • @puckfutin2022
    @puckfutin2022 1 year ago

    Great video. The only problem with using yubikey is only some websites support them. I am trying to use it on all my accounts, but unfortunately, my bank, for example, does not support yubikey for some reason.

  • @UGPVlogsLA
    @UGPVlogsLA 1 year ago

    What the heck is a hacker of her caliber engaging on TikTok for? 😳

  • @The_One_0_0

    @The_One_0_0

    3 months ago

    She said she wasn't lol

  • @emmetgwilliam6527
    @emmetgwilliam6527 1 year ago

    Thanks for the good video David 👏

  • @Ayoosi
    @Ayoosi 1 year ago

    THIS is the side of CS I want to get into. What's the way to get started with this type of social engineering/cybersecurity? EDIT: ok, the tips at the end are great!

  • @chuckjamm
    @chuckjamm 1 year ago

    After listening to this, I started wondering about the use of management software that promote a single pane of glass view - located in the cloud. Should I avoid those cloud based products and use on premise dedicated devices instead?

  • @majiddehbi9186
    @majiddehbi9186 1 year ago

    woow thx Mr Bombal very educational videos

  • @davidbombal

    @davidbombal

    1 year ago

    Thank you Majid!

  • @MantraWeasel
    @MantraWeasel 1 year ago

    As someone starting to get into the world of CyberSec, this was a really interesting listen. Great interview! 👌

  • @davidbombal

    @davidbombal

    1 year ago

    Glad you enjoyed it Jacob!

  • @p.treyben5567
    @p.treyben5567 4 months ago

    Just watched this! Wow! David, I would be interested in a show (if it doesn’t exist on your platform already) about hacking prevention on CCTV and Access Control systems.

  • @BenjaminSweetnam
    @BenjaminSweetnam 1 year ago

    I'm just going to assume that this was done before the extra information came out of the lastpass breach. Only passwords were encrypted and sometimes it was rather weak encryption.

  • @balloney2175
    @balloney2175 1 year ago

    A very cool video. We owe David for interviewing this super smart lady. Thanks a lot, David!

  • @lucianjohr5569
    @lucianjohr5569 1 year ago

    Very informative David. Thanks so much. Is it a risk to use a password manager?

  • @emuhill

    @emuhill

    5 months ago

    Use a password manager that you 100 percent control. In other words a password manager that doesn't store your data in the cloud.

  • @vic9577
    @vic9577 1 year ago

    David, do you know of any up and coming defcon / infosec equivalents in the UK this year?

  • @lijoplalu9264
    @lijoplalu9264 1 year ago

    Hey David. I am learning cybersecurity, but the AI has been on the hype for a while. Can an AI replace a cybersecurity professional or how important cybersecurity is for AI. Should I keep my hopes high and continue learning cybersecurity or should I switch to AI/ML/DS. Will really appreciate your time.

  • @MohammadArifRahim
    @MohammadArifRahim 1 year ago

    David, you are right in the middle of high Threat model.

  • @ChrisDeger
    @ChrisDeger 1 year ago

    Yubikey runs NFC, right? Is that not a massive security flaw in itself? I'm just learning this side of the world, but it seems easy enough to clone the key? Or am I wrong on that

  • @nateryan7041
    @nateryan7041 1 year ago

    This woman is a boss !! How do I get into this and become a hacker ??

  • @attribute-4677
    @attribute-4677 1 year ago

    Is there a term to describe actual hacking vs just social engineering? Social engineering definitely takes skill, but it feels very different than someone finding a bounds checking issue/writing shellcode and getting in without any social contact. Folks running metasploit and running through password lists used to be called “script kiddies”, but even that term has disappeared.

  • @badassdahn654

    @badassdahn654

    1 year ago

    Exactly I feel this lady is more a social engineer than a hacker. Other videos from David show the technicality and examples

  • @MFoster392
    @MFoster392 1 year ago

    Only the best hackers and cyber security professionals on this channel

  • @ThunderAppeal
    @ThunderAppeal 1 year ago

    Astounding. A script kiddy is today considered a 'hacker'. Mind bending.

  • @mckeanethomas3830
    @mckeanethomas3830 1 year ago

    David, I love your channel

  • @jase9389
    @jase9389 1 year ago

    Great video, very informative interview.

  • @micah6465
    @micah6465 1 year ago

    Love this interview

  • @MoempfLP
    @MoempfLP 1 year ago

    About 2 years ago I called a hospital and my doctor and requested my own medical record. I got it fairly easily.

  • @CCasyno
    @CCasyno 1 year ago

    Love this!! She’s good

  • @Zenfix1
    @Zenfix1 1 year ago

    “In the short run, the market is a voting machine. In the long run, it is a weighing machine.” Benjamin Graham

  • @jcbenge08
    @jcbenge08 1 year ago

    Rachel is amazing!!!

  • @gweepgweep8729
    @gweepgweep8729 1 year ago

    Why she didn't sing a 2nd time? That was nice. Thx for the Video ... Nice story :)

  • @Zenfix1
    @Zenfix1 1 year ago

    “The intelligent investor is a realist who sells to optimists and buys from pessimists.” Benjamin Graham

  • @THETRUTHZ
    @THETRUTHZ 1 year ago

    I would never ask a hacker for tips just look how big her smile gets when you ask her @ 19:58 the fact that she said lastpass is what makes me question her

  • @hackerone8180
    @hackerone8180 1 year ago

    Before show the video, you are the best

  • @davidbombal

    @davidbombal

    1 year ago

    Thank you very much!

  • @dibentoone4242
    @dibentoone4242 1 year ago

    thanks for sharing such knowledge

  • @real_rivolta
    @real_rivolta 1 year ago

    Nice to see Rachel Tobac!

  • @loneranger5928
    @loneranger5928 1 year ago

    David, great video 👍👍

  • @Xanos1
    @Xanos1 8 months ago

    This is one of my favorite

  • @wspence05
    @wspence05 1 year ago

    @David Bombal I'd be really keen to hear your thoughts on Deviceless MFA. How much extra defence does this give a company, especially with the rise in popularity of reverse proxy tools?

  • @DCDLaserCNC
    @DCDLaserCNC 1 year ago

    A Yubikey would not work for some individuals at work because of policies in place that do not permit ANY unauthorized USB devices being plugged into the network.

  • @userct
    @userct 1 year ago

    What app does she use to spoof calls?

  • @AndreuPinel
    @AndreuPinel 1 year ago

    One very important thing regarding the yubikeys that I think it has not been mentioned in the video (I am not sure - maybe I simply missed the part - but if so, it would probably be because it is something more than obvious for the two of you, though maybe not for some viewers). This is that if you ever lose one of the keys, as soon as you realize that you don't have it, you have to quickly remove it from all services it was associated to; otherwise, if it got stolen instead of simply lost, the thief could already have your credentials, and now with the key they would have full access to those services. This also means making sure on a regular basis that the backup keys are where they are supposed to be (and if you are a super-high profile target, it would not be a bad idea to have some CCTV to make sure that nobody is picking-using-returning them). I also have to disagree with the part where it is said that PMaaS (Password Managers as a Service) are okay enough. The multiple database breaches have proven that they are not. I don't know if these services force to use a strong master password, but if not I'd bet that many users will use an easy-to-remember-for-the-human password (while the encrypted credentials may contain long-random ones because they don't have to be remembered). Such "weak" vaults could really be broken without quantum computers but simply by brute force using modern GPUs, and imho, if this ever happens, it would be more the service provider's responsibility rather than the user's fault. And for the being fully up-to-date, my younger me would fully agree... My current me, older and wiser (more older than wiser though), agrees but with caution, especially for those super-high profile targets... I would say that the most secure approach - assuming that it is not an open-source software update, is checking the change log of each update/patch.
If the patch contains fixes for bugs that are considered low-risk - or not risk at all - AND includes new functionalities, then I would say "be careful, check that update in an isolated sandbox first and make a thorough testing, because new functionalities are the ones that come with new vulnerabilities" Though one could think otherwise, I really enjoyed the video, a lot in fact... so much that only now I realize it is almost 1 hour long - it was so interesting and dynamic that it only looked ~30 minutes to me. PS: When she was explaining the bank story, I could not avoid the "the sneakers" opening scene coming to my mind. 😂 PS2: Could it be that youtube has recently introduced a script injection vulnerability (e.g. in the comments' section) that would allow cross-site cookies stealing that someone is exploiting???? Just in case I'm gonna start logging off + deleting the session cookie every day or two (not joking, I've already heard about too many accounts reporting the same - or a very similar - thing in a short time)

  • @franksamdaniel1227
    @franksamdaniel1227 1 year ago

    Fantastic 😍!! David does she teach about cyber security? "Like ethical hacking"....

  • @azhrafahmett
    @azhrafahmett 1 year ago

    Amazing podcast ❤

  • @saberrasoul5875
    @saberrasoul5875 1 year ago

    Can anyone recommend a good and reliable password manager? no names of "password manager" was mentioned in the vid. thanks

  • @purplemonkeydishwasher5269
    @purplemonkeydishwasher5269 1 year ago

    At 18:25 that was a very nervous laugh when she said "for example if someone had a Grateful Dead lyric as their password'. Was that a quiet nod to you David?

  • @aaronag7876
    @aaronag7876 1 year ago

    I'd like to see a video on what happens to a Mac, Linux and Windows PC put on the net, no firewall, no antivirus, just bare bones and see what happens to it. Show what happens to the PC, what gets installed, what is sent to it, what gets taken or explored on the PC from the outside world.

  • 1 year ago

    From now on i use password manager for a password manager to another password manager to gain access for any site. All with 24bit inscription & passwords too. I'm not paranoid.... I'm just secure....😌😅

  • @BlackenedGold
    @BlackenedGold 1 year ago

    thank you for sharing this

  • @gonzpalacios7290
    @gonzpalacios7290 1 year ago

    loved>>"I hacked into a bank" live action maybe one day can show this sorcery

  • @testingme7936
    @testingme7936 1 year ago

    this video should be as a tutorial for cybersecurity people

  • @johnk.asenso9936
    @johnk.asenso9936 1 year ago

    She mentioned Swiss Cheese model. I think she meant the lasagna model Layers of security. 🤔

  • @RealCyberCrime
    @RealCyberCrime 1 year ago

    I was literally planning a video on this same story...back to the drawing board I guess haha

  • @WebSurfer447
    @WebSurfer447 1 year ago

    Fingerprint passwords make it so police can get into your computer, taking your fingerprint is what they do first thing you get arrested. If you want the police out of your pc keep this in mind!

  • @carsnanime4719

    @carsnanime4719

    1 year ago

    Not that big of a deal when they can literally copy everything on your phone/computer in a few hours with forensic tools. Encryption is what ya need.

  • @WebSurfer447

    @WebSurfer447

    1 year ago

    @@carsnanime4719 what’s the name of the forensic tool you are talking about? Just curious so I can study. Anything important is encrypted but i would love to get my hands on a device that just automatically copies password protected computers and phones. I want to know how it works 🤓

  • @carsnanime4719

    @carsnanime4719

    1 year ago

    @@WebSurfer447 There are a bunch but here are some Open-Source ones, The Sleuth Kit (TSK), Autopsy, and the Digital Forensics Framework (DFF). Should be plenty of guides on youtube for how to use em!

  • @WebSurfer447

    @WebSurfer447

    1 year ago

    @@carsnanime4719 which encryption service do you use for your pc? I know how to encrypt stuff but only after I’ve already passed logging in the regular way (altho i do use 2FA and a super long and mixed password so at the least it should take way longer if someone want in my pc). Or only using something like tails every time you use your pc? That’s the only way I would know how to do it (I’m very relatively new to hacking & security if that wasn’t already obvious lol)

  • @WebSurfer447

    @WebSurfer447

    1 year ago

    @@carsnanime4719 & thanks a ton for the recommendations!!!!

  • @jackieboy6188
    @jackieboy6188 1 year ago

    i love it your content thank you so much😍😘😍😀

  • @SuperCyberD
    @SuperCyberD 1 year ago

    lastpass and others leave decrypted passwords in memory. Then with chrome extensions you don’t even need to be an admin on the machine. Non technical people should use One Time Pad Algorithm from a book or something.

  • @gabethedog4043
    @gabethedog4043 1 year ago

    what site is she using to see the hash or even plaintext password from just email address because haveibeenpwned will not give the results but just the companies

  • @EyeCanShootFL
    @EyeCanShootFL 1 year ago

    Stunning, smart, always keep you on your feet. Seems legit. Hehe Great video.

  • @gordisforever
    @gordisforever 1 year ago

    Hello David. Great video. Thank you and Rachel for the amazing content. Maybe I missed it, but why wasn't recommended the use of incognito or in-private browser sessions to prevent browsing history, cookies, or information entered from being saved on the device?

  • @tyrojames9937
    @tyrojames9937 1 year ago

    I get what Mrs. Tobac is saying, but I recently watched a KZread video, where a person using a Python script Hacked into an OFF-LINE Password system. MAN, NOTHING IS SAFE❗

  • @JRuckHax
    @JRuckHax 1 year ago

    Rachel looks like she is a relative of Anna Kendrick. haha.

  • @RandyHanley
    @RandyHanley 1 year ago

    Great video!

  • @jonomozzy2169
    @jonomozzy2169 1 year ago

    David, great episode, you sound South African.. if so, do you know if we can get these usb auth dongles down here ? cheers

  • @edwardfletcher7790
    @edwardfletcher7790 1 year ago

    Rachel is just amazing, the Infosec world needs 1000 more people like her 👍

  • @erixp4717
    @erixp4717 1 year ago

    great video, didn't know about YubiKey pretty cool.

  • @davidbombal

    @davidbombal

    1 year ago

    Glad you liked it!

  • @dj_chateau
    @dj_chateau 1 year ago

    Not really understanding why she downplayed the vulnerability with SMS as an MFA. I get something is better than nothing, but SMS as a 2FA is demonized with justifiable reasons.

  • @_mythospheric7684
    @_mythospheric7684 5 months ago

    God bless you David

  • @MakeStely18
    @MakeStely18 1 year ago

    anyone knows realtime voice changing app that she used? or something else?