Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to Tech Stuff, a production from iHeartRadio. This season of Smart Talks with IBM is all about new creators, the developers, data scientists, CTOs and other visionaries creatively applying technology in business to drive change. They use their knowledge and creativity to develop better ways
(00:26):
of working, no matter the industry. Join hosts from your favorite Pushkin Industries podcasts as they use their expertise to deepen these conversations, and of course Malcolm Gladwell will guide you through the season as your host and provide his thoughts and analysis along the way. Look out for new episodes of Smart Talks with IBM on the iHeartRadio app, Apple Podcasts, or wherever you get your podcasts,
(00:49):
and learn more at IBM dot com slash smart talks. Hello, hello, welcome to Smart Talks with IBM, a podcast from Pushkin Industries, iHeartRadio and IBM. I'm Malcolm Gladwell. This season, we're talking to new creators, the developers, data scientists,
(01:11):
CTOs and other visionaries who are creatively applying technology in business to drive change. Channeling their knowledge and expertise, they're developing more creative and effective solutions, no matter the industry. Our guest today is Stephanie "Snow" Carruthers. Snow is a hacker alias, and it's how we'll refer to Stephanie for the rest of this episode. Snow is the Chief People
(01:34):
Hacker for X-Force at IBM. She gets paid to hack into her clients' businesses before criminal hackers do, in order to test her clients' information security. In today's show, you'll hear some of the more creative ways Snow has persuaded people into sharing confidential information. She also talks about the state of cybersecurity and what businesses need to do
(01:57):
to keep their data protected. Snow spoke with economics journalist
Tim Harford, host of the Pushkin podcast Cautionary Tales and
a longtime columnist at the Financial Times, where he writes
The Undercover Economist. In addition to publishing several books on
the topic, Tim is also a BBC broadcaster with his
show More or Less. Okay, let's now get to the
(02:20):
interview with Tim and Chief People Hacker Snow. Before you tell me what a chief people hacker is, what is hacking to you? I think if you ask the average person to close their eyes and envision a hacker, they are going to think of someone in a dark room with
(02:42):
a black hoodie on and all the screen text behind them. Right. But to me, a hacker doesn't even have to be technical. It's someone who finds creative solutions or just different ways to break apart something to make it work a unique way that maybe it wasn't intended to do. Whether that's computers,
(03:04):
people, devices, it could be a number of things. Right. We see food hackers, we see life hackers. That's absolutely a type of hacker. Yeah. And my mother, I think, would have described herself as a hacker before she died. She loved to take apart computers. She loved to take apart software. She just wanted to know how everything worked, and when she put it back together again, it sometimes
(03:27):
worked how she wanted it to work, rather than how it was originally designed. But how was it that you originally became interested in this strange craft of hacking? I actually got involved and figured out I wanted to do this a little bit late in life. I was in my mid twenties and I went to the world's largest hacking conference, which takes place every year in Las Vegas,
(03:49):
and went with a group of friends and my husband, and I had honestly no interest at all. I wanted to go to Vegas and sip drinks by the pool. But they got me a pass to attend this really cool conference, and we sat in on the first talk and it was extremely technical. They were going through step by step how to reverse malware, and I fell asleep.
(04:12):
I completely just zoned out. It didn't make sense to me. So I got up and I started wandering around this huge conference and I found what was called the Lock Picking Village. I was very confused by that, like, why do people want to pick locks? I mean, there was an obvious answer to that question, but okay, that's very true. So at that point in my life,
(04:35):
it did not, like, click at all. And so I'm walking and someone's like, hey, do you want to learn how to pick a lock? I said sure, and so they sat me down and taught me everything. And there's something magical that happens when someone picks a lock for the first time. Like, you can see it in their face where it's like, wow, that was really cool and easy, and then the oh shit, I just picked a lock,
(04:58):
and they're envisioning everything in their life that's protected by locks. Right, file cabinets, their door, things that protect their children, like all these things that you have locks to protect, and you just picked it in seconds. So that was the most eye-opening moment for me that really launched me into this career and thinking that
(05:19):
I could do it for a living. Well, I mean, it feels like a long gap between that, or a big gap at least, maybe not a long one, between that initial spark of wow, I can pick a lock, this matters, to realizing there's a career in this and I might actually be good at this career. So how did you figure out there's a job
(05:40):
being a hacker, and how did you figure out that you actually might be good at doing that job? So once I was at that conference, I had met so many different people who explained what they do for a living, and again, at that point in my life, it felt like that shouldn't be possible, right, people are getting paid money to break into clients' networks, into their computers and
(06:01):
all these things, and it still didn't add up. But what for me really stood out was another village at the same conference, DEF CON, called the Social Engineering Village. And when I walked in they were actually placing live phone calls to people to try to elicit information. And so I'm sitting there in the audience listening to how
(06:22):
these people were doing it. I'm like, wow, like, I'm a people person, I've done sales. I could absolutely do this. So from there, I talked to a bunch of people that I just met, like my goal was just to meet people and ask questions at that point, and found every book I could on the subject matter, went home and practiced and taught myself, and actually went back and
(06:45):
competed in that same competition three years in a row, and I won on my third year, which was huge, but that really was able to propel me into this career, where a company actually saw me placing these calls and asked me like, hey, do you want a job? And that was my first job. It was super exciting. In three years, Snow went from amateur hacking enthusiast to
(07:07):
hacking professional. Companies started to pay her real money to test their information security. But remember, Snow's line of work isn't just limited to email servers and data networks. She's a people hacker. Instead of trying to bypass a firewall or crack a password, she uses what's called social engineering
(07:27):
to trick users into letting her into systems where she doesn't belong. In her work on what's called a red team, Snow explains how hacking, the technical and the human, come together. So a red team is a group of offensive security folks, or hackers. So at IBM on our X-Force team, we have a whole team dedicated to what we call adversary simulation.
(07:50):
But our red team and how it works: a client comes in and says, these are our crown jewels. We want to make sure you cannot access them. We spend trying to access them, and along the way, we have tons of meetings with our clients, giving them status updates and where we are. But it's
(08:10):
a very long engagement to try to get access to the most sensitive things that our clients have. So how do they brief you, I mean, and how do they brief you in such a way as to not give away the stuff that they're trying to not give away? If that makes any sense. Yeah. So they stay as high level as possible. They might say, let's
(08:30):
use IP for example. Right, they have their secret sauce that if their competitors get, or anyone else gets, they can pretty much copy their business. And so that information probably lives on something that's very secure, in a couple of documents that hopefully limited people have access to. Yeah, so a certain soft drink's
(08:52):
secret recipe for example, mentioning no particular brand names. Yes, exactly.
So they might say, Okay, we have this secret recipe
and we want to see if you can get it.
They won't give us any details to where it's stored
or any other information, but they'll just say go. They
might have a couple of things that are off limits,
but in general it's can we get this by any
(09:14):
means possible. So a lot of social engineering is used, whether it's phone calls or emails, sometimes on site, and a good amount of technical hacking. Right, if we get into one person's computer, can we move into another's? And then can we move into a server? And it's a lot of moving around and digging, but at the end of the day, we're pretty successful with these types
(09:35):
of engagements. And you mentioned certain things being off limits, because really the bad hackers don't care what's off limits and what is not. So what are the kinds of things that the clients are saying that you're not allowed to do, that that's cheating? Yeah. So what we will see a good handful of times is: do not mess with our executives, like don't send
(09:58):
our CEO an email, which, again, bad guys do not have limits and they will absolutely continue to do that. But we have to respect those, unfortunately. But we will every once in a while run into a good handful of things. Or maybe they have another system that, I don't know, runs something sensitive, right, maybe it's a medical device company. They're like, okay, do not access this system
(10:20):
because, you know, people's lives could be on the line. So we won't even touch those types of systems. It really depends, at the end of the day, on what they don't want us to have access to. Well, you're people hackers, so you're doing it with people. So I mean, what does that look like? I mean, is it literally phoning people up and persuading them to give you passwords, or is it a bit more complicated than that these days? So I
(10:42):
break down social engineering in two ways. You either have remote or on site. When you look at the remote, you're looking at a couple of different things. So the first one is what we call OSINT, which stands for Open Source Intelligence, and that's actually not actively hacking a person, but it's looking at their online accounts. Are they revealing
(11:03):
information that they shouldn't be that an attacker could leverage? So that's one type of assessment. We have vishing, or voice phishing, so that's placing those phone calls to get information or maybe get them to do a task over the phone. And then phishing, and that's by far the most common social engineering type of assessment. That's the malicious email with a link or an attachment or
(11:24):
even a conversation. And then we move into the on-site stuff, and this is my favorite. It's the most tangible, but it's actually breaking and entering, so it's trying to get access to clients' sensitive locations and sensitive data. So those are the two types of social engineering. Give me a little bit of advice, then, if
(11:45):
you're trying to find a weakness, if you're trying to persuade somebody to do something they shouldn't be doing, what are the kind of things that you're doing? So let's just take the physical part for an example: it's tailgating, right? That sounds so easy and so obvious, but it's the number one way that we break into buildings. It's just following someone who badges in, who unlocks the door, who
(12:08):
has that access. We just follow them, and people are trained all the time, don't let anyone follow you, check the badge behind you, make sure people badge in, all of these policies, but when it comes down to it, people are a little bit scared to ask to see the badge, to question them. It's rude for somebody. Yes,
(12:30):
it's human nature to want to help, so that goes against everything that people are used to doing. So that's by far the number one way that we get into buildings. Now I understand that before you got into this game, you were a makeup artist for independent films. Is there a connection between, it seems like a stretch,
(12:51):
but between being a makeup artist and being a people hacker? Yeah, you would think those things absolutely don't go together at all. However, I've been pretty lucky, or I've been able to leverage a little bit of the makeup art and special effects when we do the physical security assessments. So maybe we get caught on the first day, or maybe someone's suspicious, so we don't want to go back
(13:11):
and blow our cover, so we'll change our appearance as much as possible when we go back the next day. So absolutely something that I leverage all the time. And it's a lot of fun too. It just adds a little bit more to the job. It sounds like it's more creative than I would have expected a cybersecurity job to be. Oh, absolutely. When you think of cybersecurity,
(13:31):
you just think of someone sitting at a computer typing all day. That is not my job at all. It's pretty amazing how much I could leverage creativity in what I do day to day. Can you give me an example? So I actually have a story, if you're ready for a break-in story. It's one of the ones that absolutely went wrong. Our client was
(13:53):
based out of the US and they had just opened their European branch to their headquarters in Amsterdam, and so they wanted us to test the building's physical security to see if it's protecting their people and their data. And so some of the goals were to see if we can get inside past all the badged areas where we shouldn't have access and see if we see anything that's
(14:15):
out of place, or maybe red flags, or something that they should fix. So we always start with our OSINT, or open source intelligence, where we're going online investigating the location. We're looking at Google Maps as much as we can. However, this building was so new that they weren't even on Google Maps yet, so we had a really hard time finding all of this information.
(14:38):
We decided we just had to show up on site to see what we could do. So I walk into the building and walk into the lobby. The second I walk in, the lady pretty much kicked me out. I didn't even get to open my mouth or explain why I was there; right out of the gate, just get out. And so for doing this type of an assessment, that was horrible. This client paid all this
(15:02):
money to get me out there to test their physical security, and here I am getting kicked out within the first five minutes. So that was awful. Security is pretty good. Yeah, yeah, no, their receptionist was on her game. So I went back to my hotel room and, like, was banging my head against the wall, like, how do I
(15:22):
get in? I can't find information online. They're kicking me out before I'm even trying. Like, I was just wanting to go in and see what it looked like because I had no idea what I was walking into. So I went back online, like, okay, I have to figure this out. And finally, out of nowhere, it popped into my head. Okay, it has to be someone that's not local, because I'm not from Amsterdam, and
(15:45):
I have to leverage some type of position of authority, some reason why I'm supposed to be there. And so I thought, investor relations. I am going to pretend to be an investor relations manager from the US, and I'm going to the new site meeting with some potential investors. And so I called the receptionist. I spoofed my number,
(16:06):
so I made it look like I was calling from the US location, and changed my voice a little bit and said that we have someone that's going to be coming on site tomorrow. Please give them whatever they need. They're going to be meeting with all these high-end clients potentially, so just make sure they're comfortable. The next day, I walk in, and again I had to change my appearance a bit because she saw me, and
(16:26):
she didn't notice that, and she welcomed me, she got me coffee, she sent me up to the office where they had my name on the front door, and I was like, how can we help? So from there I was able to go through and complete my objectives. But it's kind of amazing how much you have to leverage creativity and even kind of the on-the-
(16:48):
spot improv sometimes to actually complete these objectives. Yeah, improv was the word that springs to mind hearing that story. I would imagine that there must be some playbook, that there's a bunch of things you try and then you have to improvise if the playbook isn't working. Is that
(17:09):
playbook always changing? Is it? Is it this constant arms race? Constantly?
It also depends on who my target is, right, I
will change the way I ask questions, the way I
set things up, just completely everything depending on if I'm
talking to someone younger or older, or male or female. Like,
there's a lot of things that absolutely adapt to whoever
(17:33):
I'm speaking to at the end of the day, because
people are different and I want to try to make
sure whoever I'm talking to is comfortable and I can
get them to trust me. And is there a collaborative
process this kind of ethical hacking or is it very
much a lone wolf. It's really both. It just depends
on what the type of assessment is and there's a
(17:56):
lot of variables. I prefer a team, right, working with as many people as possible, because I might be looking at a problem from, you know, my perspective, but if I have two or three other people with completely different backgrounds and sets of experience, they're thinking about it from another perspective. So the more we collaborate and work together, typically the
(18:16):
more successful we can be as well. I'm curious about
a day in the life of Snow. I mean, on
a completely typical day, what is it that you're doing.
So that's what I love about my job is I
don't have a typical day. I could be one day
waking up in Manhattan breaking into the building, and the
(18:39):
next day I could be in my home office writing a report. Like, it's all over the place, and that's what makes it super exciting, that it's not mundane. It's constantly changing, and I love that. It's like, yeah, one day I'm writing a report, the other day I'm breaking into a building in Manhattan. It's perfect. Absolutely. One description I've seen is that you're like a secret shopper, except
(19:02):
instead of being a secret shopper for a restaurateur or a chain store, you're a secret shopper for breaking in and stealing passwords. Is that accurate? I would say that's accurate. And if people are hiring you to probe their security and to find the weaknesses, have you ever come back and said, no, it's perfect, I got nothing, I couldn't get in? So I have
(19:25):
broken into over a hundred and thirty unique buildings. I've only had one of those buildings I was not able to break into, and that is because it was a small company in the middle of nowhere where everyone knew each other. It's not necessarily because they had all these, you know, expensive security controls that they had in place.
(19:46):
It was just I stuck out like a sore thumb,
and no matter what I said, they knew I wasn't
supposed to be there. But it's kind of scary some
of the very large organizations in these famous skyscrapers that
I've broken into, where they've invested hundreds of thousands, if
not millions of dollars into their physical security, but I'm
able to get in right. That's kind of terrifying if
(20:09):
you think about it. Whether it's brick-and-mortar hacking or using something much more high tech, it's all founded on the same principle: using deception to get what you want. To round out their conversation, Tim and Snow talk about the state of the global cybersecurity industry, where the art of the con is headed, and how prepared companies are
(20:30):
for any of it. Let's zoom back a bit now and take in, what, you know, is the state of the global hacking industry, if that's a phrase, or the global security industry, and what has changed in security and cybersecurity over the last few years? What are the new trends? So what's changed? I would say more of our lives
(20:54):
are online, and that's kind of scary. Everything from your IoT lightbulb to your oven. IoT being the Internet of Things, so just basically everything has a web address now. Exactly, and so there's so much more of that now. It just surrounds us, our lives are online, and with that
(21:16):
much being online, that's just more that we have to
protect or more that we have to worry about. Unfortunately,
that clearly raises the stakes. I would have hoped there's
also more awareness. People don't fall for the most obvious
scams and tricks anymore. And do you think companies put
(21:37):
enough emphasis on security? Is it a high enough priority at the C-suite level? I wish I could say yes. However, it's all over the board. I've worked with clients who put everything they have into stopping attackers, into securing their environment. I've seen some clients in the past who just want to get the check in the box that they did their assessments, and they want to move
(21:58):
on to something else. So unfortunately, it's a pretty big range of types of people who really have that security mindset. And I'm always reading stories in the news about breaches, these security breaches, and sometimes they sound very sensational. Sometimes they sound incredibly banal, like, oh yeah,
(22:22):
somebody just stuck all the passwords online in plain text. Oops. I mean, is there a standard procedure for the bad actors? Is there a way that breaches happen, like, this? Not these days, just because there's so many different ways they get in. I mean, most of them are financially motivated.
(22:44):
So at the end of the day, once they get in, they're going to see if they can get money somehow, whether it's ransomware or they're looking for credentials to high-end executives. Right, it kind of depends on their angle. But really, how they're getting in, it's pretty tricky. Again, social engineering is one of the number one ways to get in, typically
(23:07):
through phishing, sending some type of malicious payload, and if their target does open it, that gets them into their environment, and then they kind of pivot from there and see what they could get access to. And how much does it cost when security is breached? So IBM did a report, and the cost
(23:27):
of an average data breach was over four million dollars, which is insane to think about. It kind of makes you wonder why they don't put more emphasis on their security and security awareness training and updating their machines and things like that. When you think about how big that number is, why? There's tons of reasons. They could
(23:48):
have fines that they have to pay out. Depending on what industry they're in, they have to pay out for things like credit monitoring for whoever is affected, legal fees, like there's tons and tons of things that are involved when the company actually gets breached. There's a couple of things they could do to try to prevent them, and the first one is to hire
(24:09):
folks like myself to come in and test their environments to see where those vulnerabilities are so they can patch them. To do ongoing training for their internal team to make sure they're up to date, they know how to stop these types of attacks, and really just caring about security in general goes a long way. No, I mean, in
(24:32):
some ways, what you're describing is tremendously varied, lots of creativity, lots of improvisation, lots of variety. In other ways, it seems kind of simple. You're trying to break into places. So what's the state of the art, and how do you advance the state of the art in people hacking? Unfortunately, social engineering is kind of stagnant. I mean, if you get that unfortunate, it
(24:54):
feels kind of like it might be good news. For me, it's unfortunate. Okay, I'm looking from the attacker point of view, so that's very correct. But if you go back to the Middle Ages, there were cons that people were doing back then. There's tons of cons from the early nineteen hundreds, and still we're taking some of those kinds of cons and just
(25:15):
adapting them to today's digital world, which, there's improvements there, but in general, social engineering, there's not much that's changing. So that's actually one of the things that I have put a lot of emphasis on the last year, especially with my team, is once we go in and we complete an assessment, we spend the last trying something new,
(25:38):
trying something novel. Can this technique work? Maybe it's walking into a building saying, hey, I shouldn't be here. Will someone stop us? Right? Any little thing like that. What can we actually get away with? And that's something that I've enjoyed doing and pushing my team to see what we can learn and where those boundaries are. Can you give me an example of a medieval con? Very curious. Yes? Okay,
(26:02):
so in the Middle Ages, there is, have you ever heard the term "pig in a poke"? Uh, yeah, I've heard the term. I always wondered where it came from. Yeah. So "pig in a poke" came from vendors at the time, or people who worked on the street and sold different various goods and foods. They would put a suckling pig
(26:22):
inside of what they called a poke, which is a burlap sack, and sew it shut, and that's what they would sell, and people would buy it and then eat that for dinner. However, at the time, there was no shortage of small dogs and cats. So what some creative folks would do is put those types of animals inside of the sack and sew it shut, and make a lot of money, and
(26:44):
then move on to the next city and continue that con. So again, cons have been around for the longest time. I suppose the fact that cons themselves haven't changed that much, I mean, you know, it seems to make life easy, right, that nothing changes. But in another way, that
(27:04):
just goes to show that we all have the same vulnerabilities over and over again, and people have been exploiting them for centuries. Exactly, if it's not broke, why fix it? Yes. Or if it's broken in a way that will enable you to take it. I really enjoyed this conversation. Thank you so much, and goodbye. Absolutely, thank you so much
(27:25):
for having me. Snow mentioned something that's really hard to forget. She's tried to break into over a hundred and thirty unique buildings, and out of those, she's had only one that she wasn't able to break into. That's bananas. What Snow taught us is that we have to think of information security in a much more holistic way. It has
(27:48):
to involve networks and computers, but also employees and office buildings.
Of course, no defense is ever perfect, and that's why
it's important for companies to have people like Snow on
their side, because in a world where business is bound
to be hacked, the real question is is there a
good hacker hacking for you. On the next episode of
(28:12):
Smart Talks with IBM, the Mayflower Autonomous Ship: how IBM's artificial intelligence is powering the world's very first autonomous vessel. We talked with Brett Phaneuf and Don Scott about how they're using IBM tech to revolutionize oceanography. Smart Talks with IBM is produced by Molly Socha, David Jha, Royston Reserve,
(28:35):
and Edith Russolo with Jacob Goldstein, and edited by Jen Guerra. Our engineers are Jason Gambrell, Sarah Bruguiere and Ben Tolliday. Theme song by Gramoscope. Special thanks to Carly Migliori, Andy Kelly, Kathy Callaghan and the 8 Bar and IBM teams, as well as the Pushkin marketing team. Smart Talks with IBM
(28:58):
is a production of Pushkin Industries and iHeartMedia. To find more Pushkin podcasts, listen on the iHeartRadio app, Apple Podcasts, or wherever you listen to podcasts. I'm Malcolm Gladwell. This is a paid advertisement from IBM.