Rachel Tobac

And then the next year, I'm like, oh my, this is so hard for me to get in until the point where I can't get in anymore. And that's when I'm like, okay, you've done the most that you can do.

And then the next year, I'm like, oh my, this is so hard for me to get in until the point where I can't get in anymore. And that's when I'm like, okay, you've done the most that you can do.

And so they approached me about doing a pen test to figure out how this M&A info was getting leaked. where they could possibly improve their training, their messaging, their internal protocols to figure out why is this happening? Why are folks being incentivized to talk about this and what can we do about it?

And so they approached me about doing a pen test to figure out how this M&A info was getting leaked. where they could possibly improve their training, their messaging, their internal protocols to figure out why is this happening? Why are folks being incentivized to talk about this and what can we do about it?

Yeah, so insider threats happen. But what is usually most common is people just make a mistake. I kind of live in this world where I assume that people are making mistakes and I try and help them. So we came out with a few different attack methods that might work to uncover where this is happening.

Yeah, so insider threats happen. But what is usually most common is people just make a mistake. I kind of live in this world where I assume that people are making mistakes and I try and help them. So we came out with a few different attack methods that might work to uncover where this is happening.

Number one, I was going to attempt to pose as a journalist and reach out to various team members, asking them via social media DMs, email, text message, et cetera, about their experience in tech and see if I could siphon out M&A info and just see where it goes.

Number one, I was going to attempt to pose as a journalist and reach out to various team members, asking them via social media DMs, email, text message, et cetera, about their experience in tech and see if I could siphon out M&A info and just see where it goes.

And number two, I was going to apply to their product manager role, go through the entire hiring process and see if I could extract M&A related info during the question portion of the hiring interview. I did not know what was gonna work and what wasn't, but I just wanted to try both.

And number two, I was going to apply to their product manager role, go through the entire hiring process and see if I could extract M&A related info during the question portion of the hiring interview. I did not know what was gonna work and what wasn't, but I just wanted to try both.

So we call these ghosts, we call them SOC accounts. Sometimes they'll be real people, and so we'll fashion them pretending to be a real person. Sometimes they'll be fake people, and they'll just have this full life online.

So we call these ghosts, we call them SOC accounts. Sometimes they'll be real people, and so we'll fashion them pretending to be a real person. Sometimes they'll be fake people, and they'll just have this full life online.

With the fake journalist, I figured it was going to be a lot easier to pretend to be a real journalist and just not actually be them than create an entire persona of a fake journalist and populate real content. So I built a fake journalist pretext, email, background, and social media based on a real journalist who I'm not going to name, of course.

With the fake journalist, I figured it was going to be a lot easier to pretend to be a real journalist and just not actually be them than create an entire persona of a fake journalist and populate real content. So I built a fake journalist pretext, email, background, and social media based on a real journalist who I'm not going to name, of course.

It's frightening. And I mean, the reality of the situation is that... Anybody can do a full background search in less than five minutes on most people in the U.S. And people don't realize that this information is out there about them. They have no idea that it's being sold. They just don't Google themselves.

It's frightening. And I mean, the reality of the situation is that... Anybody can do a full background search in less than five minutes on most people in the U.S. And people don't realize that this information is out there about them. They have no idea that it's being sold. They just don't Google themselves.

Exactly. Or we can reach out over social media DM, you know, DM on LinkedIn or Twitter or Instagram. And I mean, that's the thing. Journalists really do reach out using all of those methods. So it's hard to know what's real and what's fake sometimes.

Exactly. Or we can reach out over social media DM, you know, DM on LinkedIn or Twitter or Instagram. And I mean, that's the thing. Journalists really do reach out using all of those methods. So it's hard to know what's real and what's fake sometimes.

They let me know some minor details about excitement about potential M&A, but they're not going to confirm any juicy details. And I try to get people on the phone to talk with me, but I think there's just like this inherent distrust of this particular pretext. So I'm like, okay, I got to really go for the big guns here. I want to attack via the hiring process.

They let me know some minor details about excitement about potential M&A, but they're not going to confirm any juicy details. And I try to get people on the phone to talk with me, but I think there's just like this inherent distrust of this particular pretext. So I'm like, okay, I got to really go for the big guns here. I want to attack via the hiring process.