@@carsnanime4719 what’s the name of the forensic tool you are talking about? Just curious so I can study. Anything important is encrypted, but I would love to get my hands on a device that just automatically copies password-protected computers and phones. I want to know how it works 🤓
@@WebSurfer447 There are a bunch, but here are some open-source ones: The Sleuth Kit (TSK), Autopsy, and the Digital Forensics Framework (DFF). Should be plenty of guides on YouTube for how to use them!
@@carsnanime4719 which encryption service do you use for your PC? I know how to encrypt stuff, but only after I’ve already passed logging in the regular way (although I do use 2FA and a super long and mixed password, so at the least it should take way longer if someone wants into my PC). Or only using something like Tails every time you use your PC? That’s the only way I would know how to do it (I’m very relatively new to hacking & security, if that wasn’t already obvious lol)
One very important thing regarding the YubiKeys that I think has not been mentioned in the video (I am not sure - maybe I simply missed the part - but if so, it would probably be because it is something more than obvious for the two of you, though maybe not for some viewers). This is that if you ever lose one of the keys, as soon as you realize that you don't have it, you have to quickly remove it from all services it was associated with; otherwise, if it got stolen instead of simply lost, the thief could already have your credentials, and now with the key they would have full access to those services. This also means making sure on a regular basis that the backup keys are where they are supposed to be (and if you are a super-high-profile target, it would not be a bad idea to have some CCTV to make sure that nobody is picking-using-returning them). I also have to disagree with the part where it is said that PMaaS (Password Managers as a Service) are okay enough. The multiple database breaches have proven that they are not. I don't know if these services force you to use a strong master password, but if not I'd bet that many users will use an easy-to-remember-for-the-human password (while the encrypted credentials may contain long random ones because they don't have to be remembered). Such "weak" vaults could really be broken without quantum computers but simply by brute force using modern GPUs, and imho, if this ever happens, it would be more the service provider's responsibility rather than the user's fault. And as for being fully up-to-date, my younger me would fully agree... My current me, older and wiser (more older than wiser though), agrees but with caution, especially for those super-high-profile targets... I would say that the most secure approach - assuming that it is not an open-source software update - is checking the change log of each update/patch. If the patch contains fixes for bugs that are considered low-risk - or no risk at all - AND includes new functionalities, then I would say "be careful, check that update in an isolated sandbox first and do thorough testing, because new functionalities are the ones that come with new vulnerabilities." Though one could think otherwise, I really enjoyed the video, a lot in fact... so much that only now I realize it is almost 1 hour long - it was so interesting and dynamic that it only felt like ~30 minutes to me.
PS: When she was explaining the bank story, I could not avoid the "Sneakers" opening scene coming to my mind. 😂
PS2: Could it be that YouTube has recently introduced a script injection vulnerability (e.g. in the comments section) that would allow cross-site cookie stealing that someone is exploiting???? Just in case I'm gonna start logging off + deleting the session cookie every day or two (not joking, I've already heard about too many accounts reporting the same - or a very similar - thing in a short time).
THIS is the side of CS I want to get into. What's the way to get started with this type of social engineering/cybersecurity? EDIT: ok, the tips at the end are great!
I'm just going to assume that this was done before the extra information came out of the LastPass breach. Only passwords were encrypted, and sometimes it was rather weak encryption.
Another fantastic video! Great content and really good interviewing around such important topics and areas. A lot of people take these things for granted, and it will always be this way, which gives us white hats more scope to make more money, but it does always amaze me how little people care about their own data until they get hacked; after that, they can't get enough of it haha
Not really understanding why she downplayed the vulnerability with SMS as an MFA. I get something is better than nothing, but SMS as a 2FA is demonized for justifiable reasons.
At 18:25 that was a very nervous laugh when she said "for example if someone had a Grateful Dead lyric as their password'. Was that a quiet nod to you David?
So does anybody know the implication of using an MFA app that doubles as a password manager? Do they all do this, Microsoft Authenticator does this. Is this a bad or good idea? Does it leave people more or less vulnerable?
I only recommend using a password manager that you 100 percent control. If the MFA app stores your data some place else other than your own computer, then you do not 100 percent control it.
I got videos which make you think 'oh, I didn't click this'. Would this be a good firewall? Say a hacker gets to somewhere and in response they get my video streamed...
LastPass and others leave decrypted passwords in memory. Then with Chrome extensions you don’t even need to be an admin on the machine. Non-technical people should use a One Time Pad algorithm from a book or something.
I'm curious what kind of software she was using to spoof the caller's number and mimic a different voice at the same time. Does anybody know where to look for this information? Educational purposes only.
I get what Mrs. Tobac is saying, but I recently watched a RUclips video where a person using a Python script hacked into an OFF-LINE password system. MAN, NOTHING IS SAFE❗
Maybe it would make sense to differentiate hackers from scammers? I mean, if someone calls a vendor and impersonates another person to get access to an account through the vendor's support - isn’t it just a plain old scam scheme? Why do we call it hacking?
@David Bombal I'd be really keen to hear your thoughts on Deviceless MFA. How much extra defence does this give a company, especially with the rise in popularity of reverse proxy tools?
Interesting how you say MFA, MFA, but not explain what that means. The Factors of MFA are 1: what you know; DOB, address, mother's maiden name, etc. 2: what you have; Yubi key, cell phone, etc. And 3: What you are; biometrics such as fingerprints. Using two or all three would be proper MFA. Your password examples are easier to crack than using a mix of upper case, lower case, numbers and special characters. Great example for social engineering to gain access. I have a couple elderly clients who for the life of them are paranoid about using tech like password managers. The important key is not to use the same password for every login, as she says.
Password managers can be compromised too, use prefixes and/or suffixes to add to passwords they generate for added security in case of breaches
From now on I use a password manager for a password manager to another password manager to gain access to any site. All with 24-bit encryption & passwords too. I'm not paranoid.... I'm just secure....😌😅
I was told by a former police officer that a random password, made by a password manager generator, really isn't that strong. He said: - Make up a ridiculous sentence, something one would never say, for example: JesusThrewiPhonesOnTheGirl. Something like that, that doesn't make any sense 🤔 Is this right, or is it not...??? - Stay Blessed - - Peace - 🙏❤✌ P.S. Love your channel David ❤
Yeah, cause that would be very strong against bruteforce with dictionary. Seriously, NO. Not that sentence at least... )) Computerphile did a few videos on passwords. Give it a try.
First of all, that former police officer is an idiot. Don't trust anything he says concerning security matters. That kind of password he recommends isn't secure. Take that password and change it to include numbers and other characters such as $!%#&*()/\ and so forth. Even better, don't use words as a part of your password at all. Let the password manager create a long, complicated password for you that is truly random. I generally use around 40 characters and have gone as high as 60 characters. The reason for that was in response to having my accounts broken into. All of my accounts now use truly random passwords that are long and complicated. Each account has a unique password as well. The number of break-ins has gone down as a result. I also now use unique user names as well. So if someone does break into one of my accounts, they are not going to be able to use that info to break into my other accounts. Also, don't use a password manager that stores in the cloud. Only use one that stores on your computer only. Use one that also uses a keyfile. Make and use backups of the password manager's database and keyfile using methods that you 100 percent control. In other words, no cloud backups.
What site is she using to see the hash or even plaintext password from just an email address? Because haveibeenpwned will not give the results, just the companies.
After listening to this, I started wondering about the use of management software that promotes a single-pane-of-glass view - located in the cloud. Should I avoid those cloud-based products and use on-premise dedicated devices instead?
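The disagreement in the replies above (a sentence-style password versus a long random one) comes down to which guessing model an attacker gets to use: per character, or per dictionary word. The following is an added example, not code from the video, from Rachel Tobac, or from any commenter. It assumes a 20,000-word attacker dictionary and a rate of 10^10 offline guesses per second; both are constructed parameters for the estimate, not figures from the page. It reports the per-character estimate, the per-word estimate where the string is a CamelCase sentence, and takes the lower of the two as the number a defender should plan around.

```python
import math
import re
import secrets
import string

# Assumed attacker parameters (constructed for this estimate, not from the video):
# a dictionary of ~20,000 words and an offline guessing rate of 1e10 guesses/s.
ASSUMED_DICTIONARY_SIZE = 20_000
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def charset_entropy_bits(password: str) -> float:
    """Strength under the 'mix of upper, lower, digits, symbols' model:
    every character is treated as a uniform draw from the classes used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def split_camel_words(passphrase: str) -> list[str]:
    """Split a CamelCase sentence into word-like tokens. A run of lower-case
    letters with no capital counts as a single token (the conservative choice)."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+", passphrase)


def word_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Strength if the attacker guesses whole dictionary words, not characters."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole space at the assumed rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def strength_estimate(password: str, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> dict:
    """Report both models and plan around the lower (attacker-favourable) one."""
    charset_bits = charset_entropy_bits(password)
    words = split_camel_words(password)
    word_bits = None
    # The word model applies only to a letters-only string that splits cleanly into tokens.
    if password.isalpha() and words and "".join(words) == password:
        word_bits = word_entropy_bits(len(words), dictionary_size)
    conservative = min(b for b in (charset_bits, word_bits) if b is not None)
    return {
        "charset_bits": round(charset_bits, 1),
        "word_bits": None if word_bits is None else round(word_bits, 1),
        "conservative_bits": round(conservative, 1),
        "years_to_exhaust": years_to_exhaust(conservative),
    }


def generate_random_password(length: int = 40) -> str:
    """Manager-style password: each character chosen with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed inputs: the sentence quoted in the thread and a generated 40-char password.
    for pw in ("JesusThrewiPhonesOnTheGirl", generate_random_password()):
        print(pw, strength_estimate(pw))
```

For the quoted sentence, the per-character model reports about 148 bits while the per-word model reports about 86 bits; the gap is why "long sentence" advice looks stronger than it is once the attacker knows the construction. A 40-character manager-generated password stays well above 200 bits under either model, which is the point the reply is making.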
She has hacked a CNN reporter, a billionaire, a bank and many others. Rachel Tobac can hack just about anyone - including you. Learn how to protect yourself.
// MENU //
0:00 - Intro
00:58 - Rachel Tobac introduction
01:36 - Hacker vs Criminal
02:28 - SocialProof Security // Hacking sea shanty video
04:02 - Hacking CNN's Donie O'Sullivan
05:36 - Flaws in phone call authentication
08:01 - Finding passwords through data breach repositories
09:00 - Preventing hacks // YubiKey & MFA
16:38 - Flaws in SMS authentication
18:01 - Creating "uncrackable" passwords
19:56 - Recommended password managers
21:26 - "Politely Paranoid" // Be vigilant
23:17 - Phone call authentication is in the dark ages
24:59 - Tips to prevent being hacked
26:41 - MFA fatigue // How a teenager hacked Uber
29:05 - "Hacking isn't that complicated"
30:07 - Hacking Jeffrey Katzenberg // Learn from examples
33:06 - Delete the cookies // Have a different computer for work and home
34:22 - Scenario: preventing hacks as the president
45:59 - Effective preventions // Password managers & MFA
47:51 - Hacking into a bank
49:33 - "Infiltrating" a company
51:53 - Technical-based vs human-based
53:31 - Getting into Social Engineering at DefCon
55:39 - Tips for getting into Social Engineering
57:36 - Final words // Conclusion
// Rachel's SOCIAL //
Twitter: twitter.com/racheltobac
Instagram: instagram.com/racheltobac
Mastodon: infosec.exchange/@racheltobac
Website: www.socialproofsecurity.com/
// Videos Mentioned //
- It was easy to hack a billionaire: ruclips.net/video/7-lDRgxbU1Y/видео.html
- John Hammond // He tried to hack me: ruclips.net/video/y1WgyR4c-4A/видео.html
- Corridor Crew // Channel was terminated, we got hacked: ruclips.net/video/KdELfn1WK0Q/видео.html
- We asked a hacker to try and steal a CNN Tech Reporter’s data. She got it in seconds: ruclips.net/video/LYilP-1TwMg/видео.html
- Watch a CCN Reporter get hacked: ruclips.net/video/yIG4kTJTZuY/видео.html
- Watch How Easy It was to Hack this CNN Reporter: ruclips.net/video/Wb4-4PN8u4w/видео.html
- 16 Secs to Break Wifi Networks Owned! ruclips.net/video/ZTIB9Ki9VtY/видео.html
- Modernize MFA with the Yubikey: ruclips.net/video/YRQAJzOuo10/видео.html
- Inside the mind of an ethical hacker: ruclips.net/video/UwPK_ietuxg/видео.html
- My RUclips channel being hacked ruclips.net/video/gii-IMlv6_Q/видео.html
// Books //
The Social Engineer’s Playbook by Jeremiah Talamantes amzn.to/3BmU3pq
// David's Social //
Discord: discord.gg/davidbombal
Twitter: twitter.com/davidbombal
Instagram: instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
RUclips Main Channel: ruclips.net/user/davidbombal
RUclips Tech Channel: ruclips.net/channel/UCZTIRrENWr_rjVoA7BcUE_A
RUclips Clips Channel: ruclips.net/channel/UCbY5wGxQgIiAeMdNkW5wM6Q
RUclips Shorts Channel: ruclips.net/channel/UCEyCubIF0e8MYi1jkgVepKg
Apple Podcast: davidbombal.wiki/applepodcast
Spotify Podcast: open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
// MY STUFF //
www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
Good day Sir, your videos have been so great and I always download and study them. I'm working on an IoT project and I don't know if I'd be privileged to be assisted by you or whomsoever you know to be well informed in that area. The project is basically to simulate a botnet attack on a network of IoT devices. It's a senior year project. I just need assistance or guidance. I'm actually working towards going into IoT hacking, so it's a great step, but the issue is that my supervisor isn't convinced that the project is feasible, though I do believe it is. But he's given me an opportunity to reconsider before he approves it within 2 days. I currently researched a good simulator that could model the IoT network and also be able to carry out the attack, but I'm not convinced of the options that I came across. I do need assistance. I understand you're busy, but if you can point me to some material or someone, I'd be forever grateful. But in case I don't get a reply, your videos are very knowledge- and information-driven and they've helped me. This year, I'll put the right discipline into my cyber security career.
Thanks in advance as I await your humble and helpful response. God bless you 🙏
Yo, are you South African by any chance? Your accent is quite familiar
Sir, I forgot to note the RFB PORT# in Termux for Kali Hunter. What should I do now?
Is it a good thing that she's hacking people? Isn't that like...bad?
Sent you a message on Insta, David, please reply. Ty.
addition to this video:
Don't use LastPass as they got breached so many times. The most recent breach was a disaster and confirmed the company is not serious / to be trusted
Agreed. This was recorded before all the details of what happened was made known.
LastPass = fail. At this point it is safer to save passwords on Post-it Notes.
@@juang1one And in a safe ...
LostPass
@@davidbombal What is your opinion on 1pass David?
WOW! You all packed a plethora of information into this conversation. Good job DB hosting industry professionals dropping real and relevant knowledge to educate the community. David B does it again!!👏
David allows interviewees to talk which is so rare on YT
Surprised any "cybersecurity expert" would say anything about getting on tiktok without mentioning their privacy issues. If people don't even try to protect their info, what's the point of being concerned about it?
I know! That just doesn't make any sense to me.
One thing I have not heard mentioned but I highly recommend to everyone, is to have a fraud alert put on all three major credit reporting agencies and 2FA on all those accounts as well. Whether you have been the victim of fraud or identity theft or not. That forces any company extending you credit to call your phone, adding that second level of verification. halts someone from getting credit accounts in your name when/if identity theft accompanies an account being hacked somewhere.
Man, I'm more into web dev and some low level tinkering from time to time, but I have to say I love your channel and how you always have fresh ideas for content with great professionals!
David, thank you, thank you, thank you. You and your amazing guests are bringing so much Awareness. I run a Cyber Security company and your insight is superb
Half way through this video...and I will say we absolutely need MFA for voting!
Another absolutely AWESOME interview!!! Notes were taken!
wow. one of the best interviews yet. thx for the content
From a desktop support tech at a computer repair shop: 2FA is a pain in the ass. I loathe having to contact customers when trying to troubleshoot issues with computers.
Excellent video thanks, David! I wish she also had a youtube channel; the way she explains it is straightforward to understand too! Thanks again.
Check out the recent Security Now(s) with Steve Gibson on the LastPass breach. Lots of folks are finding their vaults were still encrypted with "circa 2007" encryption standards.... And their vaults are trivial to crack with today's 'rigs', around 60 seconds or less.
LastPass seems to be losing a tremendous amount of rep since their breach, and it's beginning to show just how negligent they were with a sizable amount of their customers' vaults. Ironically, it seems the longer you were a LastPass customer, the more vulnerable your vault is... They never upgraded user vaults to keep up with changing standards.
From what I'm hearing, LastPass simply isn't "credible" anymore, and they may go under from this breach and its fallout.
As a cybersecurity IT expert for many decades, considering postmodern bank security policies and methods, this hardly seems like earth-shattering news or a herculean accomplishment.
Can u please elaborate sir
It's not to us in IT, but you'd be surprised how little the average user knows or understands. This surface level knowledge would prevent so many attacks
you don't give your special sauce to everyone bro
...because they still run Win95?
But women…. And simps 🤡
And she looks like a normal person not the typical hacker stereotypes.
An important lesson right there.
This is actually beneficial in the real world.
nearly no hackers look like the stereotype
Sssssnake
You haven't met too many hackers, obviously
As someone starting to get into the world of CyberSec, this was a really interesting listen. Great interview! 👌
Glad you enjoyed it Jacob!
You ask really good questions David.
David thank you for bringing such practical aspects and superb guest on show.
Since technology is growing at a fast rate in terms of "security based on its technology", the only thing that's left for hackers is "human-based security", which is why social engineering is the key piece at the moment..
David, I just discovered your channel and it is on 🔥 fire.
A very cool video. We owe David for interviewing this super smart lady. Thanks a lot, David!
can we talk about how many websites don't support sufficiently complex and long passwords in the first place? 🙃
Great work David :D
And Rachel seems awesome too, would love to work at her company one day
How could an Android phone ever be a secure way of doing banking? iPhones, yes, I get it. But not Android; they don't even give more than 3 years of security updates..... You're a 5-star content provider. And you really try to help people who might not have the financial resources. Thank you for being a genuine person, and trying to help. Good info all around.
The only channel that I enjoy watching a 50+ min video cuz it's helpful
Very happy to hear that!
I did the same: I couldn’t sleep, so I loaded an interview and laid it down on the pillow beside me. For 55 mins I was glued to the interview and listened to every word.
@@davidbombal Sir, how can I start learning all these things?
New year, new intro. Love it!!!
@5:48 - I had to contact a bank (no account and previous transaction history) when someone was attempting to fraudulently open an account in my name. The representative said she would send me a "verification text" and then asked me what number I wanted it sent to! When I incredulously responded how that would "verify" me, she said that the bank "had a way to check the number" and that it was a process that they used all the time.
Just watched this! Wow! David, I would be interested in a show (if it doesn’t exist on your platform already) about hacking prevention on CCTV and Access Control systems.
Hats off wonderful discussion many thanks from Pakistan
Did try all this stuff on my own
Thanks
What the heck is a hacker of her caliber engaging on TikTok for? 😳
She said she wasn't lol
Was the Musk comment necessary.. especially seeing how there’s a ton of corruption being highlighted currently.
Other than that, amazing content.
Easy way to show which way she leans at the voting booth. Which is not reassuring..
Thank you David, your channel always amazes me! Keep it up!
Great content. I liked how you both highlighted the simple things are some of the most neglected in security.
Get Steve Gibson on the show sometime. When Yubico was a startup with very humble beginnings, NO ONE would even listen to Stina. Steve did and immediately recognized the power in this tech. He encouraged Yubico to hang in there. Now they are a powerhouse in the space. Very interesting story.
Thank you Chad! Great suggestion!
About 2 years ago I called a hospital and my doctor and requested my own medical record.
I got it fairly easily.
woow thx Mr Bombal very educational videos
Thank you Majid!
Only the best hackers and cyber security professionals on this channel
Thanks for the good video David 👏
A Yubikey would not work for some individuals at work because of policies in place that do not permit ANY unauthorized USB devices being plugged into the network.
Fantastic 😍!! David does she teach about cyber security? "Like ethical hacking"....
“In the short run, the market is a voting machine. In the long run, it is a weighing machine.”
Benjamin Graham
That was a great video, I learned a lot. She is amazing.
Excellent talk, thank you!
great video, didn't know about YubiKey pretty cool.
Glad you liked it!
Is there a term to describe actual hacking vs just social engineering? Social engineering definitely takes skill, but it feels very different than someone finding a bounds checking issue/writing shellcode and getting in without any social contact. Folks running metasploit and running through password lists used to be called “script kiddies”, but even that term has disappeared.
Exactly I feel this lady is more a social engineer than a hacker. Other videos from David show the technicality and examples
“The intelligent investor is a realist who sells to optimists and buys from pessimists.”
Benjamin Graham
David, you are right in the middle of high Threat model.
Before watching the video: you are the best
Thank you very much!
This woman is a boss!! How do I get into this and become a hacker??
great video David and Rachel, lots of great info
I would never ask a hacker for tips; just look how big her smile gets when you ask her @ 19:58. The fact that she said LastPass is what makes me question her.
David, great video 👍👍
Great video. The only problem with using yubikey is only some websites support them. I am trying to use it on all my accounts, but unfortunately, my bank, for example, does not support yubikey for some reason.
I'd like to see a video on what happens to a Mac, Linux and Windows PC put on the net, no firewall, no antivirus, just bare bones, and see what happens to it. Show what happens to the PC, what gets installed, what is sent to it, what gets taken or explored on the PC from the outside world.
This is a GREAT video. Thanks for sharing and helping us stay safe.
Nice to see Rachel Tobac!
Fingerprint passwords make it so police can get into your computer, taking your fingerprint is what they do first thing you get arrested. If you want the police out of your pc keep this in mind!
Not that big of a deal when they can literally copy everything on your phone/computer in a few hours with forensic tools. Encryption is what ya need.
@carsnanime4719 What's the name of the forensic tool you are talking about? Just curious so I can study. Anything important is encrypted, but I would love to get my hands on a device that just automatically copies password-protected computers and phones. I want to know how it works 🤓
@WebSurfer447 There are a bunch, but here are some open-source ones: The Sleuth Kit (TSK), Autopsy, and the Digital Forensics Framework (DFF). Should be plenty of guides on YouTube for how to use 'em!
@carsnanime4719 Which encryption service do you use for your PC? I know how to encrypt stuff, but only after I've already passed logging in the regular way (although I do use 2FA and a super long and mixed password, so at the least it should take way longer if someone wants in my PC). Or only using something like Tails every time you use your PC? That's the only way I would know how to do it (I'm very relatively new to hacking & security, if that wasn't already obvious lol)
@carsnanime4719 & thanks a ton for the recommendations!!!!
this video should be as a tutorial for cybersecurity people
This is one of my favorite
what a great video. Rachel is amazing.
Astounding.
A script kiddy is today considered a 'hacker'.
Mind bending.
Amazing podcast ❤
God bless you David
One very important thing regarding the YubiKeys that I think has not been mentioned in the video (I am not sure - maybe I simply missed the part - but if so, it would probably be because it is something more than obvious for the two of you, though maybe not for some viewers). This is that if you ever lose one of the keys, as soon as you realize that you don't have it, you have to quickly remove it from all services it was associated to; otherwise, if it got stolen instead of simply lost, the thief could already have your credentials, and now with the key they would have full access to those services. This also means making sure on a regular basis that the backup keys are where they are supposed to be (and if you are a super-high-profile target, it would not be a bad idea to have some CCTV to make sure that nobody is picking-using-returning them).
I also have to disagree with the part where it is said that PMaaS (Password Managers as a Service) are okay enough. The multiple database breaches have proven that they are not. I don't know if these services force users to use a strong master password, but if not I'd bet that many users will use an easy-to-remember-for-the-human password (while the encrypted credentials may contain long random ones because they don't have to be remembered). Such "weak" vaults could really be broken without quantum computers but simply by brute force using modern GPUs, and imho, if this ever happens, it would be more the service provider's responsibility rather than the user's fault.
And as for being fully up-to-date, my younger me would fully agree... My current me, older and wiser (more older than wiser though), agrees but with caution, especially for those super-high-profile targets... I would say that the most secure approach - assuming that it is not an open-source software update - is checking the change log of each update/patch. If the patch contains fixes for bugs that are considered low-risk - or no risk at all - AND includes new functionalities, then I would say "be careful, check that update in an isolated sandbox first and do thorough testing, because new functionalities are the ones that come with new vulnerabilities".
Though one could think otherwise, I really enjoyed the video, a lot in fact... so much that only now I realize it is almost 1 hour long - it was so interesting and dynamic that it only looked ~30 minutes to me.
PS: When she was explaining the bank story, I could not avoid the "Sneakers" opening scene coming to my mind. 😂
PS2: Could it be that YouTube has recently introduced a script injection vulnerability (e.g. in the comments section) that would allow cross-site cookie stealing that someone is exploiting???? Just in case I'm gonna start logging off + deleting the session cookie every day or two (not joking, I've already heard about too many accounts reporting the same - or a very similar - thing in a short time)
THIS is the side of CS I want to get into. What's the way to get started with this type of social engineering/cybersecurity? EDIT: ok, the tips at the end are great!
David, I love your channel
I'm just going to assume that this was done before the extra information came out of the LastPass breach. Only passwords were encrypted, and sometimes it was rather weak encryption.
Love this!! She’s good
Very informative David. Thanks so much. Is it a risk to use a password manager?
Use a password manager that you 100 percent control. In other words a password manager that doesn't store your data in the cloud.
Another fantastic video! Great content and really good interviewing around such important topics and areas. A lot of people take these things for granted; it will always be this way, which gives us more scope for white hats to make more money, but it does always amaze me how little people care about their own data until they then get hacked. After that, they can't get enough of it haha
Rachel! 🎉🎉🎉
Love this interview
David today I'm the first man to see your video
Rachel is amazing!!!
Why didn't she sing a 2nd time? That was nice.
Thx for the video... Nice story :)
Not really understanding why she downplayed the vulnerability with SMS as an MFA. I get something is better than nothing, but SMS as a 2FA is demonized with justifiable reasons.
Rachel is just amazing, the Infosec world needs 1000 more people like her 👍
At 18:25 that was a very nervous laugh when she said "for example if someone had a Grateful Dead lyric as their password'. Was that a quiet nod to you David?
So does anybody know the implication of using an MFA app that doubles as a password manager? Do they all do this, Microsoft Authenticator does this. Is this a bad or good idea? Does it leave people more or less vulnerable?
I only recommend using a password manager that you 100 percent control. If the MFA app stores your data some place else other than your own computer, then you do not 100 percent control it.
I got videos which make you think "oh, I didn't click this". Would this be a good firewall? Say a hacker gets to somewhere and in response they get my video streamed...
Add random number combinations to the end of your security question answers so they are more difficult to guess.
LastPass and others leave decrypted passwords in memory. Then with Chrome extensions you don't even need to be an admin on the machine. Non-technical people should use a one-time pad algorithm from a book or something.
I'm curious what kind of software she was using to spoof the caller's number and mimic a different voice at the same time. Anybody know where to look for this information? Educational purposes only.
Yea same. I'd also like to know as well
Build one
She was probably using a speech to text app that in turn was going to a natural robotic voice app.
Great video, very informative interview.
I get what Mrs. Tobac is saying, but I recently watched a RUclips video where a person using a Python script hacked into an OFF-LINE password system. MAN, NOTHING IS SAFE❗
thank you for sharing this
Loved "I hacked into a bank". Live action, maybe one day you can show this sorcery.
What is the website to check data breach David ?
Maybe it would make sense to differentiate hackers from scammers? I mean, if someone calls a vendor and impersonates another person to get access to an account through the vendor's support - isn't it just a plain old scam scheme? Why do we call it hacking?
@David Bombal I'd be really keen to hear your thoughts on Deviceless MFA. How much extra defence does this give a company, especially with the rise in popularity of reverse proxy tools?
Can anyone recommend a good and reliable password manager? No names of password managers were mentioned in the vid. Thanks
I love your content, thank you so much😍😘😍😀
Just to let you know you can track people's ip when they sign into your account
Interesting how you say MFA, MFA, but don't explain what that means. The factors of MFA are
1: what you know; DOB, address, mother's maiden name, etc.
2: what you have; Yubi key, cell phone, etc. And
3: What you are; biometrics such as fingerprints.
Using two or all three would be proper MFA.
Your password examples are easier to crack than using a mix of upper case, lower case, numbers and special characters.
Great example for social engineering to gain access.
I have a couple elderly clients who for the life of them are paranoid about using tech like password managers. The important key is not to use the same password for every login, as she says.
Password managers can be compromised too, use prefixes and/or suffixes to add to passwords they generate for added security in case of breaches
From now on I use a password manager for a password manager to another password manager to gain access for any site.
All with 24-bit encryption & passwords too.
I'm not paranoid.... I'm just secure....😌😅
I was told by a former police officer that a random password, made by a password manager generator, really isn't that strong. He said:
- Make up a ridiculous sentence, something one would never say, for example:
JesusThrewiPhonesOnTheGirl
Something like that, that doesn't make any sense 🤔
Is this right, or is it not...???
- Stay Blessed -
- Peace -
🙏❤✌
PS: Love your channel David ❤
Yeah, cause that would be very strong against bruteforce with dictionary.
Seriously, NO. Not that sentence at least... ))
Computerphile did a few videos on passwords. Give it a try.
First of all, that former police officer is an idiot. Don't trust anything he says concerning security matters. The kind of password he recommends isn't secure. Take that password and change it to include numbers and other characters such as $!%#&*()/\ and so forth. Even better, don't use words as a part of your password at all. Let the password manager create a long, complicated password for you that is truly random. I generally use around 40 characters and have gone as high as 60 characters. The reason for that was in response to having my accounts broken into. All of my accounts now use truly random passwords that are long and complicated. Each account has a unique password as well. The number of break-ins has gone down as a result. I also now use unique user names as well, so if someone does break into one of my accounts, they are not going to be able to use that info to break into my other accounts. Also don't use a password manager that stores in the cloud. Only use one that stores on your computer only. Use one that also uses a keyfile. Make and use backups of the password manager's database and keyfile using methods that you 100 percent control. In other words, no cloud backups.
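As an added illustration of what the passphrase question above and this reply are arguing over, here is a small Python example that is not from the video or from either commenter. It generates passwords the way a manager's generator does (from the OS CSPRNG) and puts a number on the strength of each scheme: entropy only comes from the randomness of the *process* that produced the secret, which is why a sentence a human made up cannot be scored the way a generator's output can. The 7776-word list size is that of the EFF long wordlist; the 20,000-word dictionary and the 10^9 guesses-per-second attacker rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character set a typical password-manager generator draws from:
# 26 + 26 + 10 + 32 = 94 symbols.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

# Size of the EFF long wordlist (known value, used only as a number here).
EFF_LONG_WORDLIST_SIZE = 7776

# Constructed stand-in wordlist so the example runs offline; a real
# passphrase generator would load the full EFF list instead.
DEMO_WORDLIST = ["acorn", "basalt", "cobalt", "dune", "ember", "falcon",
                 "granite", "harbor", "iris", "juniper", "kelp", "lantern"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose every symbol is drawn uniformly at random.

    Valid only for generator output; a human-chosen sentence is not uniform,
    so this formula would overstate its strength.
    """
    return length * math.log2(alphabet_size)


def random_password(length: int = 40, charset: str = FULL_CHARSET) -> str:
    """Generator-style password; secrets uses the OS CSPRNG, random.choice would not be safe."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(wordlist, words: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def dictionary_model_bits(word_count: int, dictionary_size: int) -> float:
    """Upper bound an attacker's dictionary model gives a word-built password.

    Assumes (generously) that all words were picked uniformly from the
    dictionary; a sentence a person made up will be weaker than this bound.
    """
    return entropy_bits(dictionary_size, word_count)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess: on average half the keyspace is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def compare_schemes(guesses_per_second: float = 1e9) -> dict:
    """Return entropy and expected crack time for each scheme, in bits/seconds."""
    schemes = {
        "generator_40_chars": entropy_bits(len(FULL_CHARSET), 40),
        "generator_60_chars": entropy_bits(len(FULL_CHARSET), 60),
        "eff_6_word_passphrase": entropy_bits(EFF_LONG_WORDLIST_SIZE, 6),
        # The sentence-style example from the thread has 6 word-like tokens;
        # 20,000-word dictionary is an assumed attacker model, and this is
        # only an upper bound because the sentence was not chosen at random.
        "made_up_6_word_sentence_upper_bound": dictionary_model_bits(6, 20_000),
    }
    return {name: {"bits": bits,
                   "seconds": expected_crack_seconds(bits, guesses_per_second)}
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("sample generator password :", random_password(40))
    print("sample demo passphrase    :", random_passphrase(DEMO_WORDLIST))
    for name, r in compare_schemes().items():
        years = r["seconds"] / (365.25 * 24 * 3600)
        print(f"{name:38s} {r['bits']:7.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
```

The numbers make the thread's disagreement concrete: a 40-character generator password carries about 262 bits, a six-word EFF passphrase about 78 bits, and the made-up sentence at most about 86 bits under a generous model and far less in practice, because attackers search likely sentences first rather than the whole dictionary space. Per-site uniqueness, which this reply also insists on, is what keeps one breach from turning into many regardless of the scheme chosen.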
Our government should just pay people, for letting them, live as they do
thanks for sharing such knowledge
What site is she using to see the hash or even plaintext password from just an email address? haveibeenpwned will not give the results, just the companies.
After listening to this, I started wondering about the use of management software that promotes a single-pane-of-glass view located in the cloud. Should I avoid those cloud-based products and use on-premise dedicated devices instead?