
July 17, 2025 34 mins

Modern cyberattacks aren’t just technical—they’re personal. And Rob Shapland knows how to exploit the human element better than anyone.

In this episode, Chris Massey sits down with Rob to unpack the wild world of social engineering—from sneaking into corporate offices disguised as a delivery driver to using AI voice clones to bypass MFA. With over 200 successful break-ins (all authorized, of course), Rob shares what IT leaders and MSPs are still getting wrong—and how to fix it.

They cover:

  • Why the human layer is still the biggest vulnerability in security
  • How attackers are already using AI for voice and video deepfakes
  • What companies can do today to strengthen their weakest links

If your clients think MFA alone is enough, this episode proves otherwise.

Let us help you unlock your business's full potential.

N-able Business Transformation is Expert led and Peer informed. These valuable executive programs are tailored to provide effective guidance and a faster path to a scalable and successful business.

Book a Call with Chris Massey now to learn what Business Transformation can do for you! 

'Now that's it: Stories of MSP Success,' dives into the journeys of some of the trailblazers in our industry to find out how they used their passion for technology to help turn Managed Services into the thriving sector it is today.

Every episode is packed with the valuable insights, practical strategies, and inspiring anecdotes that lead our guests to the transformative moment when they knew….. Now, that's it.

This podcast provides educational information about issues that may be relevant to information technology service providers.

Nothing in the podcast should be construed as any recommendation or endorsement by N-able, or as legal or any other advice.

The views expressed by guests are their own and their appearance on the podcast does not imply an endorsement of them or any entity they represent.

Views and opinions expressed by N-able employees are those of the employees and do not necessarily reflect the view of N-able or its officers and directors.

The podcast may also contain forward-looking statements regarding future product plans, functionality, or development efforts that should not be interpreted as a commitment from N-able related to any deliverables or timeframe.

All content is based on information available at the time of recording, and N-able has no obligation to update any forward-looking statements.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
One, two, three, four.
I delivered these flowers to this rather bemused woman.
Then I went into a meeting room and plugged a remote access device into the network and then used that to hack in afterwards.
I got a massive buzz afterwards when I finished and left the building. Massive adrenaline highs, like, okay, this is fun, this is really fun.
You've got this horrible nerves beforehand and this massive

(00:21):
elated feeling afterwards, so it's a real experience.

Speaker 2 (00:24):
But yeah, then it's like, okay, well, I've got a taste for this now. Welcome to Now That's It: Stories of MSP Success, where we dive into the journeys of some of the trailblazers in our industry to find out how they used their passion for technology to help turn managed services into the thriving sector it is today. Disguises, deepfakes, long lens

(00:46):
cameras.

Speaker 3 (00:47):
It's not the next FX series with Rami Malek.
It's the true life of Rob Shapland.
After years inside one of the UK's earliest pen testing firms, disguised as a cleaner, a delivery driver, even a fake employee, Rob has gained unauthorized access to more than 200 companies, military bases and government facilities.

(01:09):
Today, Rob runs his own cybersecurity firm focused on social engineering and awareness training.
I'm so excited to get into these stories and more.
Welcome to the Now That's It podcast, Rob.
Nice, Chris, it's great to be on. And just, I really appreciate you being here.
A little extra special, it's the end of event.

(01:29):
We're in an amazing event this week, N-able Empower.
It might start to get a little loud in the background because it's going to be social hour in a few minutes, and so thanks for taking a few minutes away from networking with all the amazing MSPs in the UK and Europe.

Speaker 1 (01:43):
Yeah, it's been a great event so far, so it's nice to have a little bit of quiet before the evening.

Speaker 3 (01:48):
It's calm before the storm.
That's right, all right.
So let's rewind a little bit.
Rob, you're in school, you make yourself an admin at the school's IT system, and what happened?
What did that experience unlock in you?

Speaker 1 (02:06):
Yeah, I think that was my first exposure to hacking as a thing.
It was quite early days and I was just messing around.
I didn't really know you could do hacking.
Um, yeah, hacked into school systems, left it all on, like, the admin screen of every single computer, and then kind of forgot about it, to be honest, because back then it was, I mean, it's already quite a niche career, but then it was even more niche.
It was hardly anyone doing it.
I didn't know it existed as a career.
So it took me a few years before I found out you can

(02:28):
actually do this as a job, and when I did find that, that was quite exciting. So at the moment, your teachers, your parents, your friends, they're probably not looking at this as a talent that you have? Probably not.
It's probably more of a negative thing.
At that point there's always a negative connotation or association with hacking, isn't there?
You're going to be a black hat, you're going to be going to prison, all that sort of stuff.

(02:48):
But the fact that you can do it now as a job and help people, it's really cool.

Speaker 3 (02:53):
It's awesome, but at the time it's, Rob's in trouble again.

Speaker 1 (02:57):
Yeah, that's it, yeah, yeah.

Speaker 3 (03:05):
It's how Rob goes to school and gets told off by the teacher again for hacking and messing around.
I've gotten to know you pretty well in the last couple of days and I just don't see that characteristic in you.
But if that was your past, that was your past.

Speaker 1 (03:13):
Indeed, I mean, I never got in proper trouble.
I never went to jail or got the authorities banging on the door or anything like that.

Speaker 3 (03:19):
So at university you chose software testing, right, a fairly safe tech career.
What drew you to that path?

Speaker 1 (03:26):
To be honest.
So I was always good with computers, right, and I was looking for a career that used that.
And my dad was very much like, you are not going to finish university and do nothing for a few months.
He's like circling jobs in a newspaper for me immediately, you know, this is early days before we did add all the online stuff.
So he threw a newspaper at me, went, what about that one about

(03:47):
software testing?
I have no idea what that is.
I have a look at it.
Uh, it sounded boring and it turned out to be just as boring as I thought it was going to be, not to offend any software testers out there, but it wasn't for me.
Um, and I did that for three, four years.
In the end, different companies, um, and found, you know, when you're searching for a new job and you just, I just typed in

(04:08):
testing online and it came up with penetration testing, which is the sort of alter ego of ethical hacking.
And, as you do at that age, I had a good laugh at the job title and looked into it and I'm like, hang on, that's hacking.
You can do that as a job.
That's amazing.
So I applied for it and they came back to me and said, right,

(04:29):
okay, you've not got any experience.
Write me 500 words on SQL injection. I've got to Google SQL injection to start with and find out what that is.
Wrote an article about it, used that to get the interview, did the interview and then got the job and that was my first kind of exposure into properly doing hacking.

Speaker 3 (04:47):
That's great.
Why do you think that first job was painfully dull, the software testing?

Speaker 1 (04:52):
Because it uses your brain a bit, but not as much as hacking does.
You're just checking stuff works, so there's not, like, a lot of lateral thinking to it, whereas hacking is very much thinking outside the box, especially when you throw in the social engineering elements.

Speaker 3 (05:10):
What did, uh, so you get the job at, UK is sort of one of the first pen testing firms there, right?
What did training look like, I mean?

Speaker 1 (05:13):
Training to start with was literally, you're going to make tea and watch us do stuff.
So the company was really small, like three or four people, and I was just learning, just shadowing, like old school, none of the nowadays where everyone expects to be thrown in and doing all the really exciting stuff.
Right at the start it was very much, okay, read this 400-page book on TCP/IP and then watch us do an infrastructure test and then do that for six months and then start getting involved in

(05:36):
the testing and then from there move into application testing, web apps, and then from there there's more and more stuff.
There's internal testing, there's mobile apps, all sorts of stuff.

Speaker 3 (05:49):
So there's lots on the technical side that you can do and I was doing at that stage.
Do you remember any of those, like, early assignments?
Just what it was like?
What was going through your mind, like, when did it sort of click that this might be a career for me?

Speaker 1 (05:59):
Yeah, I think it's when you start to do fun stuff, like when we got a TV shipped to us for minus one pence, so basically they paid us to send the TV because we just manipulated the price.
This was like a major website as well and you could just change the pricing on there.
I did that a few times.
Different companies got money paid into me and items sent,

(06:20):
which was really fun.
And then it was when I started going on site.
I would go to clients' offices and test their internal networks and, you know, when you could take control of the TVs in the atrium of this huge company and just say, like, hacked by Rob or whatever, in the middle of that, in front of hundreds of people.

Speaker 3 (06:36):
It's like, this is fun, like that felt like being in a movie, taking control of things in a building. It's right, and like, I think most of the MSP industry and the IT industry, they understand the idea of vulnerability, pen testing, right.
But this was a different level, like this was, you were breaking in.

Speaker 2 (06:57):
Yeah, yeah.

Speaker 1 (06:57):
And there's a big disconnect between seeing a vulnerability on a screen, whether it's Qualys or Nessus, whatever is reporting, and relating that to, actually that can be used to do this.
I think you can just see it as, oh, it's a red, I've got 500 reds or 10,000 reds or whatever, but actually some of those can just be exploited in one click and away you go.
So being able to go into a network, find a vulnerability,

(07:19):
then exploit it, then use that to access other areas of the network, move around laterally and then download actual important information.
It's fun to take it all the way, like that, that's cool.

Speaker 3 (07:30):
All right, we're going to dig more into that here in a minute, but there's probably listeners saying this is kind of some crazy stuff here, and I heard a rumor that you're a bit of an extreme sport guy, right, sort of an ultra race guy.
Tell us more about what Spartan races are all about.

Speaker 1 (07:49):
Yeah, yeah.
So my, outside of my hacking life, my other life is obstacle racing, so Tough Mudder, Spartan Race.
But there's also some more specific, very technical races that take place in Spain and all over Europe and I got involved in that seven or eight years ago.
I just went on a fun run like Tough Mudder, like a lot of people do, and then I realized there's a bit of a competitive

(08:10):
scene to it and I can't help myself getting involved in the competitive scene of pretty much everything that I've ever done.
So when I realized I could do that, I started training a bit more, running a bit more and eventually qualified for the UK national team.
So doing that in June for the first time, um, so that's gonna be really fun.
I'll be out in Portugal and then world championships in Sweden in October.
Uh, yeah, it's just fun swinging around from monkey bars,

(08:34):
jumping over things, picking things up and running with them.
It was just, yeah. And you were not.

Speaker 3 (08:38):
Not ex-military, no.
So this is what's fascinating about this is, um, you've got this interesting brain.
Obviously there's a physical side of it.
You're in great shape.
You're looking at this for energy, exercise and competitiveness, but the obstacles that you're going through, they're pretty extreme, right, and so you've got to have

(09:00):
a.
It's a mind game as well as much as it is a physical game.

Speaker 1 (09:04):
Oh yeah, it is.
When you're running between the obstacles you're running as fast as you can, like, imagine you're doing a 10k race or whatever and you're going flat out and then you get to something and now you've got to pick up a 50 kilogram ball and go with that and you've got to put that down and then you've got to swing from these little attachments and nunchucks and things that hanging from monkey bars and then drop off that and then get going again.
It is hard, it's punishing and it's.

(09:24):
You get into that mental place where it gets a bit dark for a while and then you come out the other side and actually I enjoyed that.

Speaker 3 (09:30):
That was good. There's something about you.
You know that.
I've listened, as I listen, you tell stories.
You've not come out and said this, but you have this personality where, I can prove you wrong, like I can do this, I can get in there.
Do you agree with that?
Do you have that sort of, yeah, yeah.

Speaker 1 (09:45):
I would much rather someone said to me, like, if I'm breaking into a building, don't think you can get in there.
Yeah, try your best.
What I hate is when people say, oh, that'll be easy.
Because then it's like, oh, there's the expectation that you're going to get in, so, on the off chance that you failed, it would feel really awful.
But I much prefer the challenge of, you know, you'll never get in here, you know.
Okay, give me enough time, give me enough budget to do it

(10:06):
properly.
I mean, yeah, if you give me two hours to do it, that's probably not going to work, but if you tell me I can have a few weeks, then yeah, let's see what we can do.

Speaker 3 (10:13):
That's great, rob.
All right, let's talk a.
So you started to develop this niche.
What does, you know?
You call it social engineering,right?
So what does that mean?
How does that resonate to you?
Where did it come from?
What happened?

Speaker 1 (10:32):
Yeah, so to me, social engineering was always associated with physically breaking into a company's offices.
As a term, it encompasses more than that.
It's really anything where you're influencing or manipulating people in some form, whether it be phishing or phone calls or whatever.
But to me it was always the physical side and that's how I started, and my boss at the first company was the one that

(10:53):
did it there and he decided he had enough of it.
He wanted to hand it over to someone.
He said to me, all right, why don't you have a go?
And he set me a target of a client in London and the task was to get in and get hold of the Wi-Fi password they used and that was used amongst all their different offices. Um, first one,

(11:14):
so nervous, absolutely bricking it.
To be honest, like, it was so scary.
I must have walked past that office 10 times before I went in and I had a fake badge that I'd taken from a social media post that the company had done.
They put someone with their badge and I was like, okay, make a copy of that.
Um, and then I had an iPad with some, like, Wi-Fi signal strength apps on it and I thought, okay, I'll go in, pretend to be an IT

(11:36):
employee, ask them if they've got any problems with their Wi-Fi, because everyone always has problems with Wi-Fi, and then maybe that can get me the password.
So I finally brought up the courage to walk into this building, said I was there from IT.
They said, okay, you need to sign in downstairs.
So I went down there and said, have you got any problems with Wi-Fi?
And they said, oh yeah, it's terrible.
Especially down here, it doesn't work at all.
I was like, okay, I'm going to need to log on if you've got the

(11:58):
password.

Speaker 2 (11:59):
He said oh, yeah, here you go.

Speaker 1 (11:59):
Just gave me a little paper with this 30-character password on it.
I was like, well, that's really secure unless you give me that thing on a piece of paper.
So I typed it all in, the same shared Wi-Fi network, and take anything I want, because now I'm authenticated to corporate resources and things as well.
So I got a massive buzz afterwards when I finished and

(12:22):
left the building. Massive adrenaline highs. Okay, this is fun, this is really fun.
You've got this horrible nerves beforehand and this massive elated feeling afterwards.
So it's a real experience.
But yeah, then it's like, okay, well, I've got a taste for this, now I'll take it over.

Speaker 3 (12:36):
So cool, so obviously attacks have become more sophisticated.
Essentially, users have, right.
MFA has become a thing that people are saying you've got to have, you've got to have, and AI has become this exciting new thing that companies are using to become more efficient.

(12:57):
I heard you tell a story about AI and MFA.
Do you mind sharing?
Obviously leave names out to keep the innocent.

Speaker 1 (13:06):
Yeah, absolutely, yeah.
So to give an example, let's say I wanted to hack into an email account.
So to get into someone's email you need their email address, their password and they're probably, to get past their multi-factor authentication.
So the company that I was targeting for this example, they

(13:28):
wanted me to get into one of their senior leaders' email accounts.
I didn't mind which one, just get into someone senior's email account and see what you can see inside there, and so I thought, okay, email address.
Often for senior people you can find that online fairly easily.
A bit of Googling, maybe on the website, if not.
Pretty much everyone's email address is available through LinkedIn.
Although LinkedIn doesn't show me directly what your email

(13:50):
address is.
If I've got the name of the person that's working there and the company they work for, it's not going to take a genius to work out what their work email address is, right.
So that's the first part, but that's obviously the easiest bit.
Second part is the password. Now for this company, how I got that was through a data breach.
So there's, I'm sure most people are aware, there's massive databases full of breached credentials out there that have already been stolen from other websites, and one of their

(14:12):
senior leaders was in this breach database.
He'd had his email address and password stolen eight separate times from eight completely unrelated websites and he'd been using his work email address to register for everything, including all his personal websites.
Now, in each of those eight different examples his password was the same.
So I've kind of figured, well, if he's using it for eight completely unrelated

(14:33):
websites, it's probably fair to surmise that password is one he uses absolutely everywhere.
A lot of people do that, reuse passwords in places.
Not a lot of people reuse the same one absolutely everywhere, as this person seemed to be doing.
But I thought, okay, I can probably guess that that's going to be the password he's going to be using for his email account as well.
Now there are other ways to get a password.
One of the other ways I've used is simply to sit next to

(14:59):
someone on a train and watch them type the password into their laptop, which is very simple.
Maybe you can't follow it in real time, but I've got a pair of glasses I use to record stuff when I'm doing social engineering.
You can look at the keyboard and then reverse the footage, slow it down and work out what they've typed.
So there's lots of different ways of getting a password.
It doesn't necessarily involve brute forcing or guessing or different combinations.
So, anyway, I thought that was probably the password he was using.
But then I thought, okay, this is quite a well-defended company.
They're almost certain to have MFA.
But before I log in as this person and trigger any alerts on

(15:24):
his phone, can I confirm, yes or no, whether they've got MFA in some way?
So I went on to LinkedIn, searched for the company and started looking at their IT employees.
They had 10 or 20 IT employees in the company. Pressed on their profiles and some people on LinkedIn will just list all the places they've worked.
You know, I was here five years, here three years, here two years, but some will break down within those job roles what they

(15:46):
did.
And one of their IT employees had listed every project he'd worked on since he started at the company and one of those was implemented Microsoft Authenticator MFA.
I was like, okay, great.
So now I know the company's using Microsoft MFA, so I can probably guess it's going to be the system where a number comes up on the screen and then that prompts a thing on their phone

(16:07):
and they have to type in that number and match it.
Now how do you get around that MFA, because that's the bit that's supposed to protect you, right?
Okay, password is as well, but if you can get hold of someone's password, great, but you can't log in because of the MFA.
It's the whole point of having MFA.
So best way to get around is social engineering, normally through a phone call.
So perhaps I phone you up and I pretend to be from IT.

(16:27):
I'm doing some maintenance on your account.
I've logged in as you, I've got your password, so it must be IT, and I just need you to authenticate me through the MFA.
So that's the rough idea of how I was going to do it.
But I always get a bit carried away and I want to go to the next level and see how far I can take it.
So what I decided to do was, can I clone the voice of one of their IT employees?
It was probably far more than I needed, to be honest, because

(16:49):
the chances of them actually recognizing the IT person's voice is fairly slim.
But I thought, okay, it'd be fun to try and maybe it's the thing that is the convincer.
So best way to find a voice, YouTube normally.
I mean, you could clone my voice easily.
There's enough YouTube videos and stuff out there of me.
So I started looking for all the different IT employees on YouTube to see if they were on there and one of them had done a

(17:12):
conference bit, like we're at now, and he did an hour talk and it was all recorded on YouTube and it was really high quality.
I was like, okay, that's perfect, because that's an hour recording.
Now for voice cloning through the AI systems, you don't need an hour.
Two minutes, roughly speaking, is enough to create a passable copy.
It's not going to be perfect, but it's enough on a phone call that it will probably work.

(17:33):
So I cloned his voice and then with the software you can do a couple of things.
So you can either do what's called text to speech, where I type in exactly what I want to say and it will read it out, which is great if you've only got one thing, because if they respond something different, you're suddenly typing.
There's going to be a really awkward pause.
The other thing you can do is you can hook it up to ChatGPT or Gemini or whatever AI system you want.
Give it a prompt, just like you would in ChatGPT.

(17:56):
You are an IT employee, you are trying to get this person to give you an MFA code or type in a number onto the screen and it will do that.
You have to engineer the prompt in a certain way.
It doesn't like you trying to get passwords and things from it, but it will work.
So I thought, okay, so I'll clone his voice and then I'll

(18:16):
get it to say something and then, if it goes off piste, I'll let the ChatGPT kind of try and get the password for me effectively, sorry, the MFA code for me.
So all the parts are in place, I think anyway.
So I logged in as this person.
The password worked exactly.
It was the one from the data breach, exactly how I hoped.
So now it prompts on his phone an MFA prompt from Microsoft

(18:38):
Authenticator.
So now I phone him.
Now his phone number's on the website.
So I made it very easy to do that, phoned him up and then essentially played the voice recording saying, hi, it's Steve here from IT.
We're just doing some maintenance on your account at the moment.
You might have seen a Microsoft Authenticator prompt pop up on your phone.
Would you mind just entering the number 23 for me please?
And he went, oh, hi, Steve.
Yeah, no problem.
Actually I've had a few problems with my laptop recently

(18:59):
, um, so that's great, you're on the line.
I'll do that for you now.
So click pause, types in the number and I'm in, so straight into the email.
Um, we end the phone call and now I'm inside one of the most senior executives' email now.
You imagine he'd been there for 15 years, never deleted an email in his life, so there's so much information within there.

(19:22):
But also, one of the powerful things you could then do is send email as that person.
So authorizing money transfers, for example, would be a great thing to do.
So the simple bit of social engineering, voice cloning tool.
It sounds, well, that's quite technical.
It's not.
Honestly, it's about five dollars a month for the voice cloning tool.
It's so easy to use as well.
Honestly.
You just upload a voice recording.
It creates the thing, you type out what you want to say, happy

(19:43):
days and it works.
Um, so I'm not saying it's incredibly difficult to do that, um, but that system works and I've tried that against a few companies and this is very successful. So for anybody that's listening, Rob is actually here, by the way.

Speaker 3 (19:57):
I just want to validate that for everybody.
This is not a clone, an AI clone of Rob.
He's actually here.
It sounds very sort of nefarious, very devious what you're doing, but companies are hiring you to do this, right, like this is part of what you've been tasked with, and so just talk a little bit about how does an engagement like this start,

(20:18):
right, like we just told the story of.
This is what happened.
But today, Rob, if you're doing this, if somebody is interested, what sort of size does a company typically get to, or what are the characteristics of why a company, a business, would hire you?
And then, probably most importantly, what are the outcomes?

(20:38):
What do you do with this exercise?

Speaker 1 (20:40):
Yeah, okay, great question.
So for me, I like to work with clients that really care about their security.
So some firms, they just want to say security's a box I need to tick.
Yes, I've done my training.
Yes, I've done my pen testing, yes, I've done my vulnerability scanning and that's all.
They need to get their insurance or whatever.
And that's the limit of what they want to do.
But other firms actually care about it.

(21:01):
It's like, well, how good is the training I'm doing?
Is doing just me learning good enough, or could I do something better?
And that's where I tend to step in, because I will do these engagements where I break into the email or break physically into the office, record it all and then show it in training for those clients, and then that's a really powerful message.
So, rather than just doing a 10 minute video and doing a quiz

(21:23):
or something like that, failing the quiz because they're doing something else at the same time, then doing it again and finally passing it. Instead they're in a room with me, I'm scaring them, I'm showing them videos of me actually breaking into their office, of cloning their CFO's voice and asking for a money transfer and things.
So what I want to do with that is enhance the company's security properly in a way that's memorable but also helps

(21:45):
them at home as well.
So a lot of what I do talk about in training is to do with their home life as much as their work life.
So I really like to work with clients that don't have to be any particular size. Like, generally speaking, they tend to be medium-sized businesses, maybe a bit larger, just because otherwise they're so focused on the really basics of cybersecurity, not really thinking about employing someone

(22:05):
to go and break into their building or other bits and pieces.
But the interesting thing about that story I told you with the MFA bypass is that didn't touch any security systems, if you think about it.
So you could have your EDR in place, your MDR, your email quarantining, everything.
All of it got bypassed by that, never touched anything.
The only thing it touched.

(22:25):
The only layer it touched is the human layer.
It's the person at the end of that call who gave me the code or typed in the code for me.
Now if he'd been trained correctly and had been engaged in the training and listening, it had gone well.
There's no reason I ever should be typing in a number that I haven't logged in myself, or I didn't want to log in myself and I didn't initiate that call, that came from someone else.

(22:46):
I don't know who that person is, just because it's got a random mobile number.
I don't know.
That's one of my IT people.
It could be anyone.
So by doing the training in such a way that it's engaging and interesting, you actually make that human layer really, really effective, and most hacks now come through that human layer.
So why would you, why would you just have the easiest option with your training?

(23:07):
Why would you not go to that, that next level?
Wow.

Speaker 3 (23:10):
It's.
It's very scary as a business owner, as a human, right, the fact that, you know, I have a podcast.
I have hours and hours and hours of my voice out there.
You just gave a couple of sort of pieces of advice there, but what's something that maybe businesses can just do better with to protect themselves from some of these social engineering

(23:34):
type attacks?

Speaker 1 (23:35):
Yeah, I mean.
So the voice cloning stuff is interesting because once your voice is out there, it's available to be cloned.
You're not going to strip yourself off the internet and all your podcasts, remove them all just on the off chance that you get cloned, right.
So that's not going to happen.
So you have to educate people on how to defend against it.
And the main thing is, what are you being asked to do?

(23:57):
So?
If you've received a phone call from someone, what is that person asking you to do?
Now, you know the voice kind of technology is out there and a lot of people don't know that.
So, again, that's an education piece and a training piece.
If they phone you, what are they asking you to do?
So?
Are they asking you to do something a bit unusual: share a

(24:20):
password, authenticate through MFA, do a money transfer, and they give you the bank account details on the call, that sort of stuff.
And have you initiated any part of this yourself, or is it all inbound to you?
Is it all calls, emails, messages, whatever that's come to you?
And that's the point where you're being asked to do something weird.
The way that you can defend against it is to stop the call, the video, whatever it is, because it could be a deepfake video as well, and initiate back on a number or an address or whatever that you know is definitely that person, because that kills the attack dead, because now you

(24:42):
know you're speaking to the right person, you can check.
Well, did you just phone me and ask me for my password? And they'll go, well, no, because we shouldn't ever do that.
And then you've stopped it.
So it's little bits like that.
It's thinking about the underlying reason and being the one in charge of the situation.
That tends to be the thing that defends companies.

Speaker 3 (24:59):
That's great, great advice, Rob.
I appreciate you sharing that with the listeners.
You spent over a decade at a company that felt like home, and
now you're starting your own thing.
What changed?

Speaker 1 (25:10):
Yeah, I mean we just so.
When I started we were four people.
It was a proper, proper, family-run business and I know
that sounds, oh yeah, it's not really a family, is it?
It's just work.
But it genuinely was, because we got on so well we're all
still friends now and we built that up to, you know, not big, 20,
25 people and then the owner sold the business to a slightly

(25:31):
larger business and that was okay, it was good.
And then it got bought by an even larger business and you
know, things change right.
There's nothing wrong with that larger business, it's just it
wasn't really a fit between the two of us.
So I'd been thinking in the back of my mind for ages like I
should set up on my own, and people had always been telling
me that we don't understand why you work for someone else.

(25:51):
Like you, come in and do the training, you do the social
engineering, it's all you there.
We don't care who you work for.
So you know, let us know if you ever set up on your own.
So I thought, well, I've got some friendly clients waiting in
the wings potentially, and you know that's what you want when
you start a business.
I couldn't be doing cold calls and LinkedIn messages and all
that sort of stuff.
Um, so, when the kind of time was right, I thought, okay,

(26:12):
let's do it, let's do it, let's set up and let's go for it and
let's see how it goes.
And it's been hard work.
Anyone that's listening to this, that's owned a business or at any
point owns one now knows what it's like and it's very personal.
You take everything personally, whether it's a job well done or
a job rejected or whatever.
But yeah, I'm really enjoying it so far.

(26:33):
It's nice to be in control and do everything the way that I
think it should be done.

Speaker 3 (26:38):
That's great.
Talk a little bit about how you anticipate the future of sort
of social engineering attacks, and I mean, how quickly do you
think things are going to evolve?
What do you think, what do you expect?

Speaker 1 (26:52):
I think the voice clone and the deepfake video is
going to be the big thing.
I mean, it already is big, but it's going to be huge over the
next couple of years.
It's going to be to the point where anything inbound to you
you're basically not going to be able to trust because you just
don't know who you're talking to anymore.
Yeah, it's already a case of that at a basic level.

(27:12):
Phone numbers can be spoofed, right? So your bank phones you.
You don't know it's your bank, but the vast majority of the
public don't know that.
They trust the fact that it says their bank's name on the
screen.
They answer the phone expecting it to be the bank and now
someone defrauds them of money.
Um, combine that with a clone of a voice and a video of someone.
It becomes incredibly difficult and the technology is advancing

(27:33):
so fast.
You know, now you can create a deepfake video, real time over
Microsoft Teams using a single image of someone's face, and
it's pretty good.
To be honest, it doesn't.
It's not those days of needing thousands of images and stills
from videos and all sorts of stuff.
You now can do it with a single image, so you know if your
image is out there, which almost everyone's is, from social
media or on the company website, I can now create a clone of

(27:55):
that.
Call you, video call you, whatever I'm going to do, and
potentially trick you into doing something.
And the rate that technology is advancing is going to mean
that in a couple of years it's going to be so hard to spot.
So that's what I foresee being the big problem and again that
is going to come down to training on little techniques
of how you defend against that. Little silly things like if

(28:17):
you're on a video call with somebody you're not quite sure
if it's them, ask them to pass their hand in front of their
face because it breaks the mask that the deepfake video uses.
Stuff like that you would never know unless you played around
with it yourself.
It's going to take that sort of level of training to help
people protect against it.

Speaker 3 (28:34):
Can you imagine pairing that with?
We're in an age where, you know, our devices, like they see
what we're searching for, they see what we're looking for out
on Amazon or whatever.
And then someone calls you and says, hey, I got a deal on this.
And you're like, oh, I was just looking at that.
I mean, it's that knowledge that the hackers, the bad guys,

(28:55):
have about you.
You built that trust, you know, and what's going on?

Speaker 1 (29:01):
Scary, scary stuff, yeah, and kind of related to
that.
We're going to move more into biometrics, right, as a system to
authenticate us, because passwords are a bit out of date now.

Speaker 2 (29:11):
I'm just waiting for the sorry.

Speaker 1 (29:12):
I'm just waiting for the big first biometric hack
where someone steals all the fingerprints or iris scans and
I'm so worried about that because you can't change that
stuff.
At least with a password you can change it.
Right.
If you take one of my iris scans, that's it.
You can authenticate to everything and I can't change my
eyes.
So yeah, I think that's another future thing to worry about.

Speaker 3 (29:33):
Very good, so you've spoken to hundreds of companies,
educated them on risk.
You've spoken at tons of conferences.
What's something that still surprises you today?
That you hear from companies.

Speaker 1 (29:49):
To be honest, it's that they still get the very
basics wrong.
You know, you still get companies that don't have MFA
everywhere.
You still get people clicking on stuff and you look at it and
you go how, like I know to most people IT isn't their thing.
Right, when you work in security or IT in general, you
can look at things and go.

(30:09):
You know, how does anyone ever fall for that?
But you know, most people, it's not their job.
They don't know the difference between a dash and a dot in an
email address and why would they?
But some of them are really obvious and you think, oh god,
that whole company was hacked because someone got an email
from the CEO, just some random Gmail address that had
nothing to do with the company.
So I think it's that that still surprises me that, as a criminal

(30:29):
, you know I talk about sophisticated methods, voice
cloning, all that sort of stuff.
Honestly, most of the time you don't need any of that stuff.
I probably could have just phoned up and said, hi, it's
Bob from IT, can I have your password, and you might have got
it.
Um, so it's that it's simple.
That's, that's the thing.
I think it's the simple techniques that normally work
and most companies that are hacked.
It is those, those simple things, a patch that they didn't

(30:50):
bother to apply because they're on a four-week patching cycle
for some unknown reason, or they just don't want to patch
that system that's 10 years out of date, or they can't patch it.
And it's just simple things and that always surprises me.

Speaker 3 (31:03):
So my last question, I like to ask this to every one
of my guests.
We call this the Now That's It podcast.
Rob, when did you know?
Now that's it?

Speaker 1 (31:12):
I think it was one of the first building intrusions I
did when I got in.
I got in dressed as a flower delivery man, so I came in with
a bunch of flowers and I picked someone to give them to.
Just randomly off of LinkedIn.

(31:33):
I picked this woman to give them to and I went into the
building and said I want to deliver these by hand, is that
okay?
And I delivered these flowers to this rather bemused
woman who took them, and then I went off to use the toilet.
I say that in inverted commas, because then I went into a
meeting room and plugged the remote access device into the network

(31:54):
and then used that to hack in afterwards and I thought, this is
cool, this is really exciting.
I left the building and I was actually coming back the next
day to do an internal pen test, so I'm allowed in the building.
They know I'm there now, the social engineering part's done,
and I came in and she was.
I thought she was happy to start with about the flowers.

(32:14):
Turns out she wasn't.
Um, she'd actually broken up with someone not very long ago.
I thought the flowers were like a reconciliation thing.
So I felt quite awful after that.
But, but I mean, that sounds awful.
Now I'm saying that's when I like, when I upset someone.
That's not really it, but it's the thrill of the different
things that you can try and that you can make work.

(32:37):
You know, you can get delivered inside a very large Amazon
parcel, which I've done.
It's just really fun stuff.
And each time you get in it's more and more fun.
And from there it just snowballed and I thought, yeah,
this is what I want to do.
This is fun.
I'm not waking up on a Monday morning going, oh, I've got a
week of work.

Speaker 2 (32:56):
I'm waking up on a Monday morning going.

Speaker 1 (32:57):
What fun am I having this week, which is so different

Speaker 3 (33:04):
to the first couple of jobs I had.
So cool, Rob. Every one of our guests on
Now That's It, our amazing guests have interesting lives, but you have
one of the most unique ones and most fun. Scary but fun.
I really appreciate you being part of this.
For those listening that want to get a hold of you, what's the
easiest way?

Speaker 1 (33:22):
It's probably find me on LinkedIn.
So, Rob Shapland, on LinkedIn. My company is called Psionic, so
you can drop me an email, but it's quite a long email address,
so probably easy just to find me on LinkedIn and then we can
hook up from there.

Speaker 3 (33:34):
That's great, and now we'll make sure we get your URL and
LinkedIn details in the pod as well.
Thank you so much, Rob.
Really been a pleasure to get to know you, hear you tell your
stories.
You're a great storyteller and I think you do something really
great for companies: help them figure out what's broken and how
to prepare for risk.
So thank you so much.

(33:55):
Thanks for having me on.