July 27, 2022 29 mins

The headlines tell us cyberattacks are a big, consistent threat to business data – and ours. In this episode of Smart Talks with IBM, Malcolm Gladwell takes on this topic with Tim Harford, host of Cautionary Tales, and Stephanie “Snow” Carruthers, Chief People Hacker for X-Force, IBM. Snow and her team are finding creative solutions to test their clients’ security, including hacking into their systems before criminal hackers do.

This is a paid advertisement from IBM.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Hey everyone, it's Robert and Joe here. Today we've got something a little bit different to share with you. It is a new edition of the Smart Talks podcast series, which is produced in partnership with IBM. This season of Smart Talks with IBM is all about new creators, the developers, data scientists, CTOs, and other visionaries creatively

(00:22):
applying technology and business to drive change. They use their knowledge and creativity to develop better ways of working, no matter the industry. Join hosts from your favorite Pushkin Industries podcasts as they use their expertise to deepen these conversations. Malcolm Gladwell will guide you through this season as your host to provide his thoughts and analysis along the way.

(00:45):
Look out for new episodes of Smart Talks with IBM every month on the iHeartRadio app, Apple Podcasts, or wherever you get your podcasts. And learn more at IBM.com/SmartTalks. Hello, hello, welcome to

(01:07):
Smart Talks with IBM, a podcast from Pushkin Industries, iHeartRadio and IBM. I'm Malcolm Gladwell. This season we're talking to new creators, the developers, data scientists, CTOs, and other visionaries who are creatively applying technology and business to drive change. Channeling their knowledge and expertise, they're developing

(01:29):
more creative and effective solutions, no matter the industry. Our guest today is Stephanie "Snow" Carruthers. Snow is a hacker alias, and it's how we'll refer to Stephanie for the rest of this episode. Snow is the Chief People Hacker for X-Force at IBM. She gets paid to hack into her clients' businesses before criminal hackers do, in order to

(01:51):
test her clients' information security. In today's show, you'll hear some of the more creative ways Snow has persuaded people into sharing confidential information. She also talks about the state of cybersecurity and what businesses need to do to keep their data protected. Snow spoke with economics journalist Tim Harford,

(02:11):
host of the Pushkin podcast Cautionary Tales and a longtime columnist at the Financial Times, where he writes The Undercover Economist, in addition to publishing several books on the topic. Tim is also a BBC broadcaster with his show More or Less. Okay, let's now get to the interview with Tim and Chief People Hacker Snow. Before you tell me

(02:37):
what a Chief People Hacker is, what is hacking to you? I think if you ask the average person to close their eyes and envision a hacker, they are going to think of someone in a dark room with a black hoodie on and all the screen text behind them. Right. Um, but to me, a hacker doesn't even have to be technical.

(03:00):
It's someone who finds creative solutions or just different ways to break apart something to make it work in a unique way that maybe it wasn't intended to do. Whether that's computers, people, devices, it could be a number of things. Right. We see food hackers, we see life hackers. That's absolutely

(03:21):
a type of hacker. Yeah. And my mother, I think, would have described herself as a hacker before she died. She loved to take apart computers. She loved to take apart software. She just wanted to know how everything worked, and when she put it back together again, it sometimes worked how she wanted it to work, rather than how it was originally designed. But how was it that you

(03:42):
originally became interested in this strange craft of hacking? I actually got involved and figured out I want to do this a little bit late in life. I was in my mid twenties and I went to the world's largest hacking conference, which takes place every year in Las Vegas, and went with a group of friends and my husband, and I had honestly no interest at all. I wanted

(04:05):
to go to Vegas and sip drinks by the pool. But they got me a pass to attend this really cool conference and we sat in on the first talk and it was extremely technical. They were going through step by step how to reverse malware, and I fell asleep. I completely just zoned out. It didn't make sense to me.

(04:26):
So I got up and I started wandering around this huge conference and I found what was called the Lock Picking Village. I was very confused by that, like, why do people want to pick locks? I mean, there was an obvious answer to that question, but okay, that's very true. So at that point in my life, it did not, like, click at all. And so I'm

(04:48):
walking and someone's like, hey, do you want to learn how to pick a lock? I said sure, and so they sat me down and taught me everything. And there's something magical that happens when someone picks a lock for the first time, like you can see it in their face where it's like, wow, that was really cool and easy, and then that, oh shit, I just picked a lock. And they're envisioning everything in their life that's protected by locks, right,

(05:12):
file cabinets, their door, things that protect their children, like all these things that you have locks to protect, and you just picked it in seconds. Um. So that was the most eye-opening moment for me that really launched me into this career and thinking that I could do it for a living. Well, there's, I mean, it feels

(05:32):
like a long gap between that, or a big gap at least, maybe not a long one, between that initial spark of wow, I can pick a lock, this matters, to realizing there's a career in this and I might actually be good at this career. So how did you figure out there's a job being a hacker, and how did you figure out that you actually might be

(05:53):
good at doing that job? So once I was at that conference, I had met so many different people who explained what they do for a living, and again, at that point in my life, it felt like that shouldn't be possible. Right, people are getting paid money to break into clients' networks, into their computers and all these things, and it still didn't add up. But what for

(06:14):
me really stood out was another village at the same conference, DEF CON, called the Social Engineering Village. And when I walked in, they were actually placing live phone calls to people to try to elicit information. And so I'm sitting there in the audience listening to how these people were doing it. I'm like, wow, like, I'm a people person,

(06:36):
I've done sales, I could absolutely do this. Um. So from there, I talked to a bunch of people that I just met, like my goal was just to meet people and ask questions at that point, and found every book I could on the subject matter, went home and practiced and taught myself, and actually went back and competed in that same competition three years in a row, and

(06:58):
I won on my third year, which was huge, but that really was able to propel me into this career. And a company actually saw me placing these calls and asked me like, hey, do you want a job? And that was my first job. It was super exciting. In three years, Snow went from amateur hacking enthusiast to hacking professional. Companies started to pay her real money to

(07:20):
test their information security. But remember, Snow's line of work isn't just limited to email servers and data networks. She's a people hacker. Instead of trying to bypass a firewall or cracking a password, she uses what's called social engineering to trick users into letting her into systems where she doesn't belong. In her work on what's called a red team,

(07:44):
Snow explains how hacking, the technical and the human, come together. So a red team is a group of offensive security folks, or hackers. So at IBM, on our X-Force team, we have a whole team dedicated to what we call adversary simulation, but our red team, and how it works is a client comes in and says, these are our crown jewels,

(08:05):
we want to make sure you cannot access them. We spend months trying to access them, and along the way we have tons of meetings with our clients, giving them status updates and where we are. Um, but it's a very long engagement to try to get access to the most sensitive things that our clients have. So

(08:26):
how do they brief you? I mean, how do they brief you in such a way as to not give away the stuff that they're trying to not give away, if that makes any sense? Yeah. So they stay as high level as possible. They might say, um, let's use IP, for example. Right, they have this, their secret sauce, that if their competitors get, or anyone

(08:46):
else gets, they can pretty much copy their business. And so that information probably lives on something that's very secure, in a couple of documents that hopefully limited people have access to. So a certain soft drink's secret recipe, for example, mentioning no particular brand names. Yes, exactly.

(09:07):
So they might say, okay, we have this secret recipe and we want to see if you can get it. They won't give us any details as to where it's stored or any other information, but they'll just say go. They might have a couple of things that are off limits, but in general it's, can we get this by any means possible. So a lot of social engineering is used,

(09:27):
whether it's phone calls or emails, sometimes on site, and a good amount of technical hacking. Right, if we get into one person's computer, can we move into another's? And then can we move into a server? And it's a lot of moving around and digging. But, um, at the end of the day, we're pretty successful with these types of engagements. And you mentioned certain things being off limits, because really

(09:50):
the bad hackers don't care what's off limits and what is not. So what are the kinds of things that the clients are saying, no, you're not allowed to do that, that's cheating? Yeah. So what we will see a good handful of times is, do not mess with our executives, like, don't send our CEO an email, which again, bad guys do not have limits,

(10:11):
and they will absolutely continue to do that. Um, but we have to respect those, unfortunately. But we will every once in a while run into a good handful of things, or maybe they have another system that, I don't know, runs something sensitive, right, maybe it's a medical device company. They're like, okay, do not access this system because, you know, people's lives could be on the line. So we won't

(10:33):
even touch those types of systems. It really depends, at the end of the day, on what they don't want us to have access to. You're a people hacker, you're doing it with people. So, I mean, what does that look like? I mean, is it literally phoning people up and persuading them to give you passwords, or is it a bit more complicated than that these days? So I break down social engineering in

(10:54):
two ways. You either have remote or on site. When you look at the remote, you're looking at a couple of different things. So the first one is what we call OSINT, which stands for open source intelligence, and that's actually not actively hacking a person, but it's looking at their online accounts. Are they revealing information that they shouldn't be, that an attacker could leverage? So that's

(11:16):
one type of assessment. We have the vishing, or voice phishing, so that's placing those phone calls to get information or maybe get them to do a task over the phone. And then phishing, and that's by far the most common social engineering type of assessment. That's the malicious email with a link or an attachment or even a conversation. And then we move into the on-site stuff, and

(11:38):
this is my favorite. It's the most tangible, but it's actually breaking and entering, so it's trying to get access to clients' sensitive locations and sensitive data. So those are the two, um, types of social engineering. Give me a little bit of advice, then, if you're trying to find a weakness, if you're trying to persuade somebody

(11:58):
to do something they shouldn't be doing, what are the kind of things that you're doing? So let's just take the physical part, for an example, it's tailgating. Right? That sounds so easy and so obvious, but it's the number one way that we break into buildings. It's just following someone who badges in, who unlocks the door, who has that access. We just follow them, and people are trained

(12:22):
all the time, don't let anyone follow you, check the badge behind you, make sure people badge in. All of these policies, but when it comes down to it, people are a little bit scared to ask to see the badge, to question them. It's rude for somebody. Yes, it's human nature to want to help, so that goes against everything

(12:43):
that people are used to doing. So that's by far the number one way that we get into buildings. Now, I understand that before you got into this game, you were a makeup artist for independent films. Is there a connection between, it seems like a stretch, but between being a makeup artist and being a people hacker? Yeah, you

(13:03):
would think those things absolutely don't go together at all. However, I've been pretty lucky where I've been able to leverage a little bit of the makeup art and special effects when we do the physical security assessments. So maybe we get caught on the first day, or maybe someone's suspicious, so we don't want to go back and blow our cover, so we'll change our appearance as much as possible when

(13:25):
we go back the next day. So absolutely something that I leverage all the time. And it's a lot of fun too. It just adds a little bit more to the job. It sounds like it's more creative than I would have expected a cybersecurity job to be. Oh, absolutely. When you think of cybersecurity, you just think of someone sitting at a computer typing all day. That is not my job at all. Um. It's pretty amazing

(13:47):
how much I could leverage creativity in what I do day to day. Can you give me an example? So I actually have a story, um, if you're ready for a breaking story. It's one of the ones that slowly went wrong. Our client was based out of the US and they had just opened their European branch, their headquarters

(14:07):
in Amsterdam, and so they wanted us to test the building's physical security to see if it's protecting their people and their data, and so some of the goals were to see if we can get inside past all the badged areas where we shouldn't have access, and see if we see anything that's out of place, or maybe red flags, or something that they should fix. So we

(14:29):
always start with our OSINT, our open source intelligence, where we're going online investigating the location. We're looking at Google Maps as much as we can. However, this building was so new that they weren't even on Google Maps yet, so we had a really hard time finding all of this information. We decided we just had to show up on site to see what we can do. So

(14:52):
I walk into the building and walk into the lobby. The second I walk in, the lady pretty much kicked me out. I didn't even get to open my mouth or explain why I was there, right out of the gate, just get out. And so for doing this type of an assessment, that was horrible. This client paid all this money to get me out there to

(15:13):
test their physical security, and here I am getting kicked out within the first five minutes. So that was awful. Physical security is pretty good. Yeah, yeah, no, their receptionist was on her game. Um. So I went back to my hotel room and, like, was banging my head against the wall, like, how do I get in? I can't find information online. They're kicking me out before

(15:36):
I'm even trying. Like, I was just wanting to go in and see what it looked like because I had no idea what I was walking into. So I went back online, like, okay, I have to figure this out. And finally, out of nowhere, it popped into my head. Okay, it has to be someone that's not local, because I'm not from Amsterdam, and I have to leverage some type of position of authority, some reason

(15:58):
why I'm supposed to be there. And so I thought, investor relations. I am going to pretend to be an investor relations manager from the US, and I'm going to their new site meeting with some potential investors. And so I called the receptionist. I spoofed my number, so I made it look like I was calling from the US location,

(16:19):
and, um, changed my voice a little bit and said that we have someone that's going to be coming on site tomorrow. Please give them whatever they need. They're going to be meeting with all these high-end clients potentially, um, so just make sure they're comfortable. The next day, I walk in, and again, I had to change my appearance a bit because she saw me and she didn't, and she welcomed me, she got me coffee, she

(16:41):
set me up in an office where they had my name on the front door, and I was like, how can we help? So from there I was able to go through and complete my objectives. But it's kind of amazing how much you have to leverage creativity and even kind of the on-the-spot improv sometimes, too, to actually complete these objectives. Yeah, improv was the word

(17:05):
that springs to mind hearing that story. I would imagine that there must be some playbook, that there's a bunch of things you try, but then you have to improvise if the playbook isn't working. Is that playbook always changing? Is it this constant arms race? Constantly. It also depends on who my target is. Right, I will

(17:27):
change the way I ask questions, the way I set things up, just completely everything, depending on if I'm talking to someone younger or older, or male or female. Like, there's a lot of things that absolutely adapt to whoever I'm speaking to at the end of the day, because people are different and I want to try to make

(17:48):
sure whoever I'm talking to is comfortable and I can get them to trust me. And is there a collaborative process, this kind of ethical hacking, or is it very much a lone wolf? It's really both. It just depends on what the type of assessment is, and there's a lot of variables. I prefer a team, right, working with

(18:09):
as many people as possible, because I might be looking at a problem from, you know, my perspective, but if I have two or three other people with completely different backgrounds and sets of experience, they're thinking about it from another perspective. So the more we collaborate and work together, typically the more successful we can be as well. I'm curious about

(18:31):
a day in the life of Snow. I mean, on a completely typical day, what is it that you're doing? So that's what I love about my job, is I don't have a typical day. I could be one day waking up in Manhattan breaking into a building, and the next day I could be in my home office writing

(18:51):
a report, like it's all over the place, and that's what makes it super exciting, that it's not mundane. It's constantly changing and I love that. It's like, yeah, one day I'm writing a report, the other day I'm breaking into a building in Manhattan. It's perfectly, one description I've seen is that you're like a secret shopper, except instead

(19:12):
of being a secret shopper for a restaurateur or a chain store, you're a secret shopper for breaking in and stealing passwords. Is that accurate? I would say that's accurate. And if people are hiring you to probe their security and to find the weaknesses, have you ever come back and said, no, it's perfect, I got nothing, couldn't get in? So I have broken into

(19:35):
over a hundred and thirty unique buildings. I've only had one of those buildings I was not able to break into, and that is because it was a small company in the middle of nowhere where everyone knew each other. It's not necessarily because they had all these, you know, expensive security controls that they had in place. It was just

(19:56):
I stuck out like a sore thumb, and no matter what I said, they knew I wasn't supposed to be there. But it's kind of scary, some of the very large organizations in these famous skyscrapers that I've broken into, where they've invested hundreds of thousands, if not millions, of dollars into their physical security, but I'm able to get in, right.

(20:16):
That's kind of terrifying if you think about it. Whether it's brick-and-mortar hacking or using something much more high tech, it's all founded on the same principle: using deception to get what you want. To round out their conversation, Tim and Snow talk about the state of the global cybersecurity industry, where the art of the con is headed,

(20:38):
and how prepared companies are for any of it. Let's zoom back a bit now and take in, you know, the state of the global hacking industry, if that's a phrase, or the global security industry, and what has changed in security and cybersecurity over the last few years. What are the new trends? So what's changed? I would

(21:01):
say more of our lives are online, and that's kind of scary. Everything from your IoT lightbulb to your oven. IoT being the Internet of Things. So basically everything has a web address now. Exactly, and so there's so much more of that now. It just surrounds us. Our lives

(21:23):
are online, and with that much being online, that's just more that we have to protect, or more that we have to worry about. Unfortunately, that clearly raises the stakes. I would have hoped there's also more awareness. People don't fall for the most obvious scams and tricks anymore. And

(21:45):
do you think companies put enough emphasis on security? Is it a high enough priority at the C-suite level? I wish I could say yes. However, it's all over the board. I've worked with clients who put everything they have into stopping attackers, into securing their environment. I've seen some clients in the past who just want to get the check in the box that they did

(22:06):
their assessments, and they want to move on to something else. So, unfortunately, it's a pretty big range of types of people who really have that security mindset. And I'm always reading stories in the news about breaches, these security breaches, and sometimes they sound very sensational. Sometimes they sound

(22:29):
incredibly banal, like, oh yeah, somebody just stuck all the passwords online in plain text. I mean, is there a standard procedure for the bad actors? Is there a way that breaches happen, like this? Not these days, just because there's so many different ways they get in. I mean,

(22:51):
most of them are financially motivated. So at the end of the day, once they get in there, they're going to see if they can get money somehow, whether it's ransomware or they're looking for credentials to high-end executives. Right, it kind of depends on their angle, but really how they're getting in is, it's pretty tricky. Again, social engineering is one of the number

(23:14):
one ways to get in, typically through phishing, um, sending some type of malicious payload, and if their target does open it, that gets them into their environment, and then they kind of pivot from there and see what they could get access to. And how much does it cost when security is breached? So IBM did a report, the

(23:34):
one from one, the cost of an average data breach was over four million dollars, which is insane to think about. It kind of makes you wonder why they don't put more emphasis on their security and security awareness training and updating their machines and things like that. When you think about how big that number is, why? There's tons

(23:57):
of reasons. They could have fines that they have to pay out depending on what industry they're in, they have to pay out for things like credit monitoring for whoever is affected, um, legal fees, like there's tons and tons of things that are involved when a company actually gets breached. There's a couple of things they could do to try to prevent them, um. And the first

(24:18):
one is hire folks like myself to come in and test their environments to see where those vulnerabilities are so they can patch them. Um, to do ongoing training for their internal team to make sure they're up to date, they know how to stop these types of attacks, and really just caring about security in general goes a long way. No,

(24:41):
I mean, in some ways what you're describing is tremendously varied, lots of creativity, lots of improvisation, lots of variety. In other ways, it seems kind of simple. You're trying to break into places. So what's the state of the art, and how do you advance the state of the art in people hacking? Unfortunately, social engineering is kind of stagnant. I mean, if you go

(25:03):
it feels kind of like it might be good news for me. It's unfortunate. Okay, I'm looking from the attacker point of view, so that's very correct. Um, but if you go back to the Middle Ages, there were cons that people were doing back then. Um, there's tons of cons from the early nineteen hundreds, and still we're taking some of those kinds of cons and just

(25:24):
adapting it to today's digital world, which, there's improvements there, but in general social engineering, there's not much that's changing. So that's actually one of the things that I have put a lot of emphasis on the last year, especially with my team, is once we go in and we complete an assessment, we spend the last trying something new,

(25:48):
trying something novel. Can this technique work? Maybe it's walking into a building saying, hey, I shouldn't be here, will someone stop us? Right? Any little thing like that. What can we actually get away with? And that's something that I've enjoyed doing and pushing my team to see what we can learn and where those boundaries are. Can you give me an example of a medieval con? Very curious. Yes, okay,

(26:11):
So in the Middle Ages there is, have you ever heard the term pig in a poke? Uh, yeah, I've heard the term. I always wondered where it came from. Yeah. So pig in a poke came from vendors at the time, or people who worked on the street and sold various goods and foods. They would put a suckling pig

(26:32):
inside of what they called a poke, which is a burlap sack, and sew it shut, and that's what they would sell, and people would then eat that for dinner. However, at the time, there were no shortage of small dogs and cats. So what some creative folks would do is put those types of animals inside of the sack and sew it shut, and make a lot of money and

(26:53):
then move on to the next city and continue that con. So again, cons have been around for the longest time. I suppose the fact that cons themselves haven't changed that much, in a way, it seems to make life easy, right, then nothing changes. But in another way, that just goes to show that we all

(27:16):
have the same vulnerabilities over and over again, and people have been exploiting them for centuries. Exactly. If it's not broke, why fix it? Yes, or if it's broken in a way that will enable you to take it. I really enjoyed this conversation. Thank you so much, and goodbye. Absolutely, thank you so much for having me. Snow mentioned something that's really hard

(27:39):
to forget. She's tried to break into over a hundred and thirty unique buildings, and out of those, she's had only one that she wasn't able to break into. That's bananas. What Snow taught us is that we have to think of information security in a much more holistic way. It has to involve networks and computers, but also employees

(28:01):
and office buildings. Of course, no defense is ever perfect, and that's why it's important for companies to have people like Snow on their side, because in a world where business is bound to be hacked, the real question is, is there a good hacker hacking for you? On the next episode of Smart Talks with IBM: the Mayflower Autonomous Ship,

(28:25):
how IBM's artificial intelligence is powering the world's very first autonomous vessel. We talked with Brett Phaneuf and Don Scott about how they're using IBM tech to revolutionize oceanography. Smart Talks with IBM is produced by Molly Socha, David Jha, Royston Beserve and Edith Russolo, with Jacob Goldstein. We're edited

(28:48):
by Jen Guerra. Our engineers are Jason Gambrell, Sarah Bruguiere and Ben Tolliday. Theme song by Gramoscope. Special thanks to Carly Migliori, Andy Kelly, the Callaghan and the 8 Bar and IBM teams, as well as the Pushkin marketing team. Smart Talks with IBM is a production of Pushkin Industries

(29:09):
and iHeartMedia. To find more Pushkin podcasts, listen on the iHeartRadio app, Apple Podcasts, or wherever you listen to podcasts. I'm Malcolm Gladwell. This is a paid advertisement from IBM.
