When you hear the word “hacker,” you envision someone breaking into a computer, but did you know that people can be hacked? The manipulation and persuasion of people can lead to someone gaining physical access to a location or even data being leaked.
Today’s guest is Jenny Radcliffe. Jenny is the founder and director of Human Factor Security and is commonly known as the People Hacker. She’s a world-renowned social engineer hired to bypass security systems through a no-tech mixture of psychology, con-artistry, cunning, and guile. Jenny is also a podcaster, keynote speaker, talk show host, and panel chair.
“You want them to be astounded that you got in.” - Jenny Radcliffe
Show Notes:
- [0:58] – Jenny explains social engineering as no-tech hacking and how she became known as the People Hacker.
- [2:32] – Chris shares how a pen tester recently made a mistake, and Jenny describes some of the mistakes she has made on the job.
- [3:56] – Laughing at previous mistakes, Jenny shares a memorable experience where she almost got caught in the act.
- [5:55] – In her experience, it is better to use psychology over breaking into a physical location.
- [7:01] – Jenny shares the story of breaking into a museum as the first time she felt drawn to this world; years later, it had become an industry she could work in.
- [10:30] – After a physical engagement and success in gathering the objects or data needed for the job, Jenny describes her adrenaline and celebration.
- [13:05] – Physical entry can seem very theatrical as we’ve all seen in action movies like James Bond. But ideally, Jenny says that evidence someone was there should not be left behind.
- [14:57] – Jenny sometimes leaves business cards in locations after she breaks into them and takes photos that she has saved.
- [16:50] – There is an element of social engineering with pen testing.
- [17:45] – Apparent authority is one of the top strategies used in social engineering. Jenny explains how Covid has made it even easier to dupe someone.
- [19:40] – Criminals and social engineers capitalize on fear, uncertainty, and doubt.
- [20:47] – During pen testing, a no-blame culture is crucial. Otherwise, people won’t report in times of actual penetration.
- [22:12] – Even if you don’t think you are being scammed, you should always tell someone the second you are told to keep quiet about something.
- [23:27] – Chris and Jenny discuss ransomware. In some cases, there is not an organization with a business model.
- [25:01] – There have recently been a lot of high-profile ransomware hacks.
- [26:17] – You have to try to remove the emotion from the victim's decision so that payment is not made. It's horrible, but if the money is paid, they'll come back.
- [28:55] – How are these large companies getting hacked? How are hackers getting through?
- [29:36] – Have all the tech security in place but be aware that one person could still make a mistake.
- [30:54] – The reason the cyber security industry is so huge is because, despite our best efforts, mistakes happen.
- [32:07] – You can’t guarantee avoidance as long as humans are involved. With proper training and the right amount of suspicion, all we can do is hope everyone will remember to report anything unusual.
- [34:18] – In a compliance-minded organization, people don't question something as simple as a sign telling them not to do something.
- [36:49] – Jenny shares a story of being seen during a job by someone who never said anything about it.
- [39:23] – “This is not my problem.” Chris and Jenny chat about Hitchhiker’s Guide to the Galaxy and how some of the scenes apply to her job.
- [41:39] – Cyber security is something that defines how good a business is these days.
- [42:27] – When asked about things that go wrong during physical pen tests, Jenny says there are so many experiences that she tries to give a different answer to everyone who asks.
- [45:19] – Jenny shares the most boring physical pen test she experienced.
- [48:11] – Usually something goes wrong, so when something goes absolutely to plan, it is surprising for Jenny.
- [49:12] – Jenny shares the 4 things to do to stay safe. What are her red flags?
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Human Factor Security Web Page
- People Hacker on Twitter
- Human Factor Security Podcast
- Human Factor Security on YouTube
Transcript:
Jenny, thank you so much for coming on the Easy Prey podcast today.
Thank you for having me. It's a pleasure to be here.
Thank you. Can you give me a little bit of background as to how you became known as The People Hacker?
Sure. Actually, I was being interviewed by a journalist a few years ago and I was explaining what I did. I'm a social engineer. What that means is no-tech hacking, whereas a normal hacker you might see in popular culture of the movie is usually a male in a hoodie behind a computer. I'm not that. I'm a people hacker.
What I do is I use psychology, persuasion, influence, and manipulation techniques to get past people, to break security in order to fix that, and to amend it in case the real bad guys do those things. It's an education piece, but I don't really use technology. I do two things: physical infiltration, which is also known as breaking, entering, or burglary, but ethically somehow, I either do it by the person I'm robbing; and psychology. People Hacker fits quite well because I work with people rather than the tech.
I have a question about the physical breaking and entering. I recently heard a story of someone who was hired as a physical pen tester. They went into the wrong branch of the bank. Has that ever happened to you?
I've never broken into the wrong branch of the bank or the wrong building. There have been lots of mistakes. I've left identifying items behind in very serious situations. One time in Asia, I left a little torch behind the hotel I was staying in. When we realized that it's a gangster's house I was being asked to break into, that probably was a bad thing to do. We've certainly made lots of mistakes. I've locked myself in rooms and I had to climb out of windows.
I don't think I've ever broken into the wrong building entirely. I think that would be a new level of error for me.
I heard that story. I was like, oh, that is utterly scary.
He didn't see it happening.
Not necessarily the wrong address, but if you think you're dealing with a representative for the agency and it turns out that they're not actually a representative for that entity.
I see. I had jobs in the past where I didn't ask enough questions as to who the client was. Because I knew them a bit, I assumed that they were legitimate and cannot be half of whoever's property I was getting into. In hindsight, I probably should've asked a few more questions. Maybe I wouldn't have ended up lying on the ground with armed guards looking for me, but you roll with the punches.
You have to tell that story. How did you end up?
I've told it so many times. Just to give you the umbrella of it, I was asked to check someone's address book on a desk to see if there was a name in it. If that name was in it, I have to leave a message. I have to leave a Post-it note.
When I got there, it was a private residence. It was a completely empty house. The person who gave me the job gave me lots of jobs and was a legitimate security broker who gave lots of contracts out. But this particular woman was never really sure whether he knew the individual, it was a joke, and that the individual said, “My house is pretty secure,” or something like that, but there was something very off about the whole thing.
Everything went well until I was instructed to leave and the private security or by some guards of whoever owns the premises. I pulled off in these huge 4x4s outside. I ran out, but I couldn't run past the vehicles because they were blocking the exits, the gate of the drive. I just pushed myself up against the wall and laid down flat, but I have very long hair and it got caught probably into the wheel of one of the cars.
I just remember thinking at the time, “This is so off. I don't have a get-out-of-jail-free or anything. In fact, if I'm caught, I'm probably on my own.” I was like, if they caught you, you're on your own. It was a higher-level job than usual. They're not usually like that, and people might have heard me say that before, so at least to say a different one. But yes, sometimes, you don't check or at least I didn't back in the day.
That is amazing. Let's talk about social engineering, the no-tech hack hopefully where you're not having to physically break and enter. How did you get involved in doing that aspect? What excited you about learning that?
Can I just say? I do say this is psychological and physical. It's always better to talk your way in than to break in. It's not plan A, but I landed on it when I was younger. Our family was in security and we're booked to urban exploration stuff around where I lived. They've taught me some of the tricks to get around alarm systems, lock picking, and things like that.
I suppose, gradually, that was all empty buildings and things when we started. Usually, you stop there. We got into the empty buildings within the neighborhood, but we started getting into places that weren't empty. Just to give a variety we were at a museum in Liverpool. It's got about four or five floors or something. I can't remember exactly.
We thought it'd be great to sleepover in the museum, to get in, to hide, and spend the night in the museum. I saw Night at the Museum the movie. I laughed my head off with the idea that everything came to life because when we did that, we got in. People always think that there are alarms and things. Nobody switches them on. If this is a security guard, the security guard tends to be walking around. They don't really put anything on. There were no alarms or anything. Nothing that was locked.
We went in the late afternoon. We hid out all on our own, so toilets and places. Nobody was caught. They locked the place off. The guy sat at his and started reading a newspaper and we just started going around this museum, which is still in Liverpool, my hometown in the Northwest of England, and still has most of the same exhibits that they had then.
But it's spooky as anything because there was an Egyptian mummy section, which is just at night. When you kill all the light, it's just terrifying. It was. There were insects and aquariums. I remember thinking that wasn't quite as scary as the mummies and things. We ended up going to the top, which was a planetarium, space, astronaut suits, and bits of rockets and things that Americans had sent to the moon. They have, for some reason, left those—some sort of NASA memorabilia.
In the end, we all congregated in the space part of the museum and spent the night up there—occasionally running away from the security guards that may be two patrols throughout the whole night—just because it was less frightening to be there than by the mummies, the Roman coins, and everything.
It didn't frighten me. It was exciting. You are up with a different thing than other people. It's this secret clandestine world and hobby that I was very drawn to. I was also drawn to the night. I like the nights of a city, the way cities move at night, and buildings move at night. I guess that was really very intriguing for me, so I absorbed as much as I could about doing that. Then, lo and behold (years later), it's an industry, and it's legit these days. I guess that's how it started.
That's amazing. Aside from the social, non-physical being plan A, do you like that more, or do you like the physical entry more?
I'm older now and I'm fatter. When I was younger, I was a bit slim and quite fit. It's a very physical job. It's a very demanding job physically. If you're doing it properly, you don't really spend a lot of time being still. If you do, it's inside a toilet cubicle, a cupboard, or something.
I think of the times I've been in a cupboard, crouched. It's your knees, your thighs, your hamstrings, your calf muscles hurt because you've been in these strange positions. It's fun, it's funny, and I've enjoyed doing it. I couldn't say I liked one more than the other, but that's definitely more of just the start.
With the physical stuff, there's a start, a middle, and an end. When you finish it—physical engagements—you leave a building, hopefully, you've done the job, you've managed to capture whatever it was that you're in there to take, you've taken the photographs, or you've downloaded the stuff. What we did was we celebrated.
I've always done it because the first couple of times I did it, the person I was with did it. We have a song selected. We pick a song, and it used to be on tapes or CDs, now I can just pick anything on Spotify. We used to have to preplan what song would work with a successful heist, but now I've seen we can pick anything.
I'd find it very, very calm until about 10 minutes afterward, then all the adrenaline loses. You feel like you're in a stroke, your legs go wobbly and stuff. We play a song and head-bang in the car. I usually have something sugary to eat just to reset everything chemically in the body. Obviously, if it's late, you’ll have a drink.
It's like a celebration to that, whereas with the psychological stuff, sometimes, when I'm waiting for someone to take the bait, to click on a phishing link, or if it's a colleague, I'm listening and we're waiting for him to give the last piece of information. That can be quite fun as well. I think the physical stuff is more theatrical and, I suppose, more dramatic. I'm very theatrical about it. I'm old-fashioned about it and it's more of a celebration.
It makes sense that there's a beginning, a middle, and an end for the physical stuff. Once you're waiting for someone to click on a phishing link, it's not like you're sitting at your computer for 18 hours—hopefully, you're not.
We can see them sometimes. You can see them open it and then the source of that. I think there's a picture on my Instagram, which is @realpeoplehacker. I'm sitting and waiting. We're waiting for them to take the bait because we can see it's being opened. My tech colleagues will be like, “They've opened it but now we wait for them to click.” I'm like, “God because that's our payday then.”
For the audience, I think physical entry, there are all sorts of intrigue. We've seen every James Bond movie, where it's all about the physical entry and all the Mission Impossible movies where they're climbing up the sides of the buildings.
There are a lot more explosions in the movies.
A lot more explosions.
Lots more destruction.
I think your goal is to never have any evidence that you were ever there.
Ideally, you don't really want them to know you've done it. You want them to be astounded. I leave it at lock deposits, business cards, and things after. You want them to be astounded that you got in there because that does a good job of convincing them what they need to do with their security. Yeah, I do leave even if they would've never been in.
I guess if you're leaving trinkets behind—I wonder if people are more astounded. We'll make up a TV show plot where they open up the safe in the morning and the little octopus is in the safe. They're like, “Oh my gosh, how did they get in? How did Jenny get in and do this?” That's a little more theatrical than someone logged into my computer and downloaded my files.
Exactly right. What I found, certainly in the last few years, is people definitely hiring physical pen tester or certainly hiring me and my team because we're a little bit more unusual and we do things slightly…. Just because I'm not technical—I’m not a particularly technical person—so we do have to do things slightly in a more binary way. Even there we went physically in the place.
I'll talk early days. Let's take a few photographs sitting in the CEO's chair and stuff. I just thought it was a bit egocentric, so I thought instead of being me, there'll be evidence that we've been there. It used to always be business cards. I've got thousands and thousands of photographs on a drive that's locked away and hidden where those cards are. I don't even remember where some of them were taken…it will be a picture of a desk, a pipe, a roof, or a coffee pot with business cards in it. That goes in the report.
I'd number them sometimes. It might have 25 business cards with numbers on and a number saying, “If you ever find this, call the number.” I still, at odd hours, get a ring and say, “You told me to call this.” “That was from a pen test from 2007 and you found number 21.” “Hello, I found a business card number 21. I'm supposed to ring this number.”
That's got to be interesting. That person was probably not even there when the pen test happened.
I don't even remember which business it was or which test it was because we would put codes on it. I only started doing that latterly because of exactly that problem. People will say and go, “I found number 16. I've been told to ring and say I found number 16.” I'd be like, “That sounds really amateur to me.” He's going, “What company was that again, because there are quite a lot of this?” There are quite a lot of my business cards lying in offices all over Britain and the world, but particularly in the U.K. You could literally be anyone.
I'm going to start looking for business cards for when I travel, just see if I can find random things laying behind. Or maybe I should leave them around.
I've said it on your show and others. I’ve said it in public more than once that anyone could just be framing me.
That's a good answer. Even in the physical entry, there is a certain amount of social engineering involved in that as well. In one company I worked for, we were renting an office. The property management sent out a letter to all the tenants basically saying, “Watch out for people coming into your office carrying clipboards or briefcases.” They would walk into the office, head towards the conference room, not even talk to anybody, just with that air of authority of, “I'm supposed to go to that conference room.”
As they would walk by some woman's desk, they would just grab a purse and then walk out the other exit door. No one would even think to stop them, ask who they are, and what they're doing because they had that air of authority of intentionality.
It's one of Cialdini's talks: six influences, strategies, and authority. It's a cliche but it works. It's working now with the COVID thing. I used a pen test a couple of weeks ago. “COVID inspector, wait there.” And they all just waited.
Genuinely, we'd advise anyone here who's in charge of security, who's got anything to do with security, listen to this. We're recording it just as a lot of countries in the West at least are starting to hopefully tentatively go back to something like an on-prem working model.
Just know that people do not know which ways. If someone says, “COVID, wait,” they will wait. “Write down your email on the pads for the COVID check”—I just thought I'll try it—“and your password underneath. Do it now, thank you. It's a pain, I know. I had to do it as well, putting in your password. Stop.” Because nobody knows what the rules are anymore these days.
That even makes more sense. My wife's company—for her department during COVID, while everyone was remote—hired multiple people. They now are starting to do the hybrid and coming back into the office. There are people who've worked for the company for a year who have never set foot in the office. They don't know what the procedures are. If somebody came up to them and told them do this, do that—I don't know if you're the help desk guy.
Social engineers basically capitalize on fear, uncertainty, and doubt. What we've got, we have fear and doubt rampant in 2020. Now, we’re starting to go back to some uncertainty because nobody really knows what's going on. When I was in London doing the pen test, I did a few of the events and things.
This is London at mid-morning, empty tube stations, empty subway stations. It felt like a movie, some sort of post-apocalyptic drama that we're all living in. All of that stuff just adds to that, all the wilderness that criminals will capitalize on.
That's the whole reason why I do the podcast is because criminals are always exploiting this stuff. Especially when you have so much fear and uncertainty like, “What am I supposed to do? I don't know. If I do the wrong thing, I'm going to get fired, I’m going to get sick, I'm going to get my family sick.”
Exactly. That's why we always say when we're talking to people and doing tests, no one can be fired as a result of what we do because we will con them. We’re professional con artists, we will con you. Someone in that company's going to fall for something. We want to make sure that they don't fire them. But a no-blame culture is very important, and no one's going to say it outright that they're going to blame people for falling, but it's what's done clandestinely.
Underneath what the company's corporate policy is, is there really a blame culture going on? Because if there is, people just won't report when they think that they've been fooled or when they think something's in progress. Criminals, 100%, sins like the dark, crying likes the dark. It likes to be hidden. Truth likes the light, so what you've got to do is bring it all into the light.
It's like you tell kids. I've been on a few shows in the UK about children and protecting kids online. They say one piece of advice is if someone tells you to keep something secret, it's conned. Tell your kids it's conned, to come and tell you straight away. That's conned. It's a password, tell me straight away. That's almost the same thing we need to do with staff. We need to say, “If something feels wrong, you feel like you've done something wrong and this, call and tell the security team straight away and then the security team genuinely has to be sympathetic.”
That was one of my triggers in telling people. Even if you don't think you're being scammed by someone, as soon as they tell you not to talk to somebody or they start coaching you on what to say, that's huge.
The quicker you can do it the best. It’s like […] scams. The minute that you get that nagging doubt, get it out there right away because it's like a bully. It's like, you give the bully your lunch money. They say, “Just give me your lunch money today and I promise you I'll leave you alone.” Then Tuesday comes and then again, they've got your lunch money, and your bus fare, and everything else. You just have to kill it. As soon as you identify it, it just has to be out in the open and it will end. What you get is the beginning of the end of whatever it is, however bad that is.
There was always my fear of blackmail or ransomware. I've gotten a few, “Hey, we're gonna launch a seven-day 500 megabit denial service attack on your website if you don't send us two Bitcoins,” or whatever it was. The first thing that always goes through my mind is, “OK, you're dishonorable enough to steal from me, but you're honorable enough not to steal from me twice.”
It depends on the ransomware or with that whole model. In some ways, you always want to be dealing with an organized gang because they have a proper business model, which means they will do the best to honor what they say in as much as from a reputation point of view, they won’t make any money. They can only do it for so long. If you never get anything back and everything's destroyed, they scam you again, there are just no arguments. You don't pay because you know you're not going to get your data back.
It's a bit of a false argument, I sometimes think, to say, “There's no guarantee you get it back.” Well, I know that. There are ways that we can negotiate for proof of life and we can negotiate that we can decrypt, and we can get sent things back. They are not the only people who do. I'm not saying they're good people at best. I'm just saying that they have a business model, which kind of feeds into a victim pays and so you get it back because then they get a reputation for giving it back.
That's the best thing for their illegitimate business.
Yeah, because otherwise, just you don't get it back anyway. The insurance company wouldn't tell them to pay whatever. They're not the only people who do it that are—what would you call them—lone cowboys or whatever. Sometimes I don’t think they know what they’re doing and that you don't get it back. That's why we always say never pay.
The trouble is, we're coming on the back of an awful lot of very high-profile ransomware attacks. The Colonial Pipeline was very recent, the Irish Health Service. AXA over in Asia was just hacked. We had Moss Bros, we had Toyota. There are all these companies these last couple of weeks being hacked. The problem with it is of course you shouldn't pay. You could be funding terrorists and probably is.
You're asking people with a gun to the head to see the bigger picture. What you’re saying to people at that moment is there’s either a 100% chance that you'll get nothing back. Whatever they're threatening you with, with all the data leaks, GDPR over here, all of that, that's definitely going to happen if you don't pay. Or your insurance company might well give you some parts of what they're asking for, and you might get back most of what you potentially have lost.
You're looking at a business and an event for a lot of businesses. That's why it's not straight that you saw very well for us in the industry to say you shouldn't pay. Well, of course, you shouldn't pay. That's the case of somebody whose pet was stolen. This was quite a while ago, and I'm not laughing because it's not funny. Just to say, the pet was fine.
It was a high-net-worth individual whose pet was stolen. They were going to kill the pet. Of course, you shouldn’t pay. They went on and did it again, and it's terrible. I’m sure there was a pet that died. We have to try and remove the emotion from the victim, see if we can negotiate it for them. Because at that point, they’ll pay anything because they don't want to see a video of their dog being shot, basically.
I think that's one of the challenges behind that. If you have a small business, it's ransomware. The business owner’s in the position of, “I pay a set amount of money, which either I can or I can't afford.” Let's assume they can afford it, somehow.
They will be able to afford it because what the ransomware gangs will do is that when they take—when they get onto their network, they look at things like the insurance policy. They look at the finances, and they will look and say, “What’s the downtime cost, what's an insurance policy covering?” They'll make sure that it's affordable. I mean, I would if I was them. I don’t think like a criminal.
The business person is put in the position of, “OK, I can afford to do this. But if I don't do this, then all the people that work for me, I can't pay them, they can't support their families.” Especially if it's going to put them out of business type of event.
It's definitely dumb.
There's so much emotion behind the decision.
It's not simple. You've got to think who's in that room. You’ve probably got the lawyer in the room, you've got the insurance company in the room. Depending on the size and impact, maybe law enforcement's in the room. Don't be a business case to pay it sometimes. That's why it's carrying on. If it was just as simple as just never pay, they wouldn't do it. We just need to get to a point where enough businesses prevent enough of it for it not to be profitable anymore. But I can't see that happening anytime soon, unfortunately, because it's despicable to attack a health service—it’s obviously despicable.
I don't want to excuse mom-and-pop organizations for not having best practices in place, but what's happening with these entities—Colonial Pipeline? They're big enough that they should have people on staff to be able to potentially address these types of situations. What's happening that they're not?
You could say the same thing about phishing. You can say 75% of organizations worldwide […] start in 2020. I've said that they had some sort of phishing attack—27% of them, I think, was via phish. Why are they getting through? The reason it's the most popular pastime for hackers is because it works.
Why does it work? Well, because you will only need to go through once. We social engineer, we only need one person to do it once. I only need one person to let me through a door and I’m in, it's breached. It's the same with tech. You need the technology and technical digital solutions to do the heavy lifting in terms of defense.
Have everything in place, have the antivirus, all of that in place. The minute that some employee is working from home, is very tired, an email comes through, and there’s a network from them, BYOD, shadow IT, on the go it once and that’s it. How long does it take to detect? Look at SolarWinds.
Yes.
Admittedly, that was quite a busy high-emotion time for everybody that lasted for six months or so for 2020. For all sorts of reasons we needn’t go into here, things went a bit mad. But they know that they were on those networks for months and months and months, and how did they get on there? Probably malware is delivered via email?
What you're saying is not necessarily that it's an issue of, “Well, as long as you have good network security, as long as you have real-time offline backups.”
You might be able to slow it down. You might be able to detect it quickly to slow it down if it gets there. You might be less likely to be hit. You might be able to filter a lot of things. At the end of the day, these things are such a problem in our industry. The cybersecurity industry is so huge because, despite our best efforts, mistakes happen.
If you talk about 95% roundabout, the stat that everyone's quoting of breaches. It sounds like human error or manipulation. As long as there’s a human in somewhere that's exploitable, that's what social engineers do, and it's what hackers do, it’s what criminals do. We will try and we block more than get through, but sometimes, something will get through.
Do you see the point where there is enough training to prevent spear phishing, that prevents social engineering? Is there even enough training that could ever happen?
We’ll always beat humans. People forget and they get tired. Sometimes something will get through that just resonates. It could be the most obvious 419 scams, but it really resonates with that person. Something's happened that day where it rings true. You'll always get something to get through. But the role of training and awareness is always huge because the more suspicious people are—and I hate saying this because people don't want to be suspicious—they don't want to be part of it.
We’re in security so we are anyway we can't cure it. The pandemic hit, we all had our survival plans, or at least friends that did. But your normal person, you just have to keep repeating it because it’s not their biggest problem or priority, so you just have to keep repeating it, and we hope. I guess we just hope that on the day that mail hits them they remember. But you can't bulletproof everything. You can’t guarantee; otherwise, I wouldn't have a job.
Let’s talk about stories. There’s a story where the guy had said to me, “You'll never get in. We’ve spent £2 million on the perimeter.” He said, “There are fences, locks, cameras, infrared, and guards. The only way you'll get onto our site is if someone leaves the door open for you.” I got a piece of paper and I wrote on it, “Please do not (underscored not) close this door,” and signed it like HR. Just pinned it, taped it up to the door, and I just sat and waited.
Someone opened it and I followed. Got a bit of card, like an Amazon box, and just wedged the door open. Then I just stood there: “See, this is fish in a bottle.” Then everyone's going backward and forwards through the door, no one’s closing it. But why? Because it's got written on it, “Please do not close this door.” They just walked in, just did the job and minced them completely. If it had been criminals, they would have been absolutely compromised: data stations, personal data, the works.
I just said that seems very easy—it’s not. It's simple, but it's not easy. I have to know the way that business works. I have to know that they obeyed rules and it was hierarchical. You have to observe to know those things, and to know that that would work, because it takes a lot of cheek to try that one. But it worked like a charm. Yes, you have to know.
I'm just laughing as you're telling me. I need to understand the corporate mindset. I'm thinking, “Well, that wouldn't work in a company where everybody hates HR and does everything they can despite HR.” HR puts a sign on the door that says, “Huh, I'm going to close it just to make HR mad.”
In that case, you'd work with that the opposite way.
This door must always be closed.
Well, I've got a post, again, on Instagram. I've got a photograph. I couldn't resist. It's a window and it says, “It cannot be opened,” and it's already just open. It was a place I was staying in. Yes, it can. People will joke just to sort of stick it to the man, type of thing. If you've identified that in a culture, that's very powerful, actually, but it's less reliable than compliance, I think. It depends on what people think.
That's really interesting, that in a really compliant-minded organization, something seemingly as simple as “Don't close this door” gets “OK, then I shouldn't close it.”
Honestly, even if they’re suspicious of it. I did a talk called “The Seven People You Meet in a Pen Test.” One of the people that you meet in a pen test—and anyone who does physicals on pen tests will tell you—you’ll meet someone who absolutely makes sure they know that you shouldn't be there. They look and think that’s suspicious. You see them do it, and then they decide, for whatever reason, not to pursue it. They're looking in and they go, “I'm on to you,” and then they didn’t do anything about it.
There was one job in particular where it was me and my accomplice. We were definitely caught. We were sitting drinking coffee and pretending to work in a quiet part. This guy went past us. I always remember—I’m not going to say how, but he had a big identifier. Let’s say it was a great big beard, but it wasn't, but let’s say it was that. You couldn't miss him, absolutely couldn't miss him.
He went past and he gave a look, and gave a look. I made eye contact, and then my accomplice made eye contact and just held it for too long. He kept on going. He knows, that guy knows. We got on and we went out. We walked to the smoking shelter outside the place we were in, just to kill time, just to not be on the inside. This guy, so now he's come out, and he didn't come over to the smoking shelter. He just did a circuit of the building, looked at us again, and did another circuit of the building.
I said to him—to the guy who was there—“That would be the third time. Security will be looking for us at any moment,” but no. Finished the whole thing, left. Only later went, but where was the beard guy? What did he do? Nothing. Then we go present the findings, and then part of the follow-up to that was they asked me to do an all-hands keynote using footage from the bloody break-in. “This is a story, this is in your toilet. This is my friend climbing on the roof for absolutely no reason, just because he likes to do certain things.”
I could see the beard guy in the audience and I said, not to him directly, but to the clients, “That guy with the beard, I'm sure he saw us.” He told us later that he did. “Why didn’t you do anything?” They just have no answer as to why he didn't do anything. He thought it was some sort of test.
It was a test.
It was a test and he failed it. How strange is that? But I see that almost all the time. People say that they knew you were fake, or actually clearly did, and genuinely you were busted. Because it’s not their problem, it’s not their business, it’s adding hassle to a day that they don’t need. They don’t need to know this, they don't need to get involved. Especially in Britain: I just do not want to get involved.
English people, British people tend to be like, “I’m not seeing you.” They’re completely nosy, like everyone is slowing down for the car accident. It’s called rubbernecking over here; I don’t know what it’s called in the States. Slowing down to look at the car crash, or just completely nothing to see. I’m just blind to everything that isn’t to do with my job, my coffee, my lunch. If someone were to spontaneously combust in the corner of the dining area, they're just not going to say anything. They're just going to carry on drinking tea and getting on with their day, because it's like quarter to five on a Friday and nobody wants the hassle of that. You can rely on that as well.
I'm going to date myself. You're in England, so hopefully… Did you ever read Hitchhiker's Guide to the Galaxy or any of that series?
Of course. Douglas Adams is amazing.
Amazing. There was invisibility on a ship. When the ship would land, nobody would see it. It wasn't really that nobody would see it. Everybody would see it, but it was somebody else's problem.
I have a slide in my keynote that says this: This is NOT my problem. Do you know what the other thing is? You probably would have heard it, but if you haven't, people will love it. The other thing, for die-hard Douglas Adams fans, is the bit where they say they're going to wipe out the earth. They say, “Stop complaining, you've been told.” You were issued with the notice, and the notice is in the basement behind a lot of cupboards with a jacket, guards in it.
That's what security used to be like, and some security still hides away in little tiny cupboards at the end of a corridor with all the curtains and doors closed, so that you can't even find them. That's what it used to be like.
One of the problems in the industry was we kind of liked the invisibility of the whole function, the complexity of the function, and now we're being brought into the light a bit more and asked to comment on things. Some people in the industry love being around shows. This little mayhem, millions of shares all time. I am never tired of talking about social engineering, because I always think we always need to remind people and talk to people about it.
But I've got friends and colleagues who are just embarrassed and mortified at the thought of having to talk about what they do. They want to keep it in the basement. “For goodness sake, do I have to say what I do?” “Yeah, unfortunately.” Cyber is a business differentiator now. Cybersecurity is differentiated. It is business against business. That is something that defines how good a business is. That does mean that a lot of us have to come out of the basement and start really saying what we think, which people seem to be just one or the other about. They either can’t shut up or they don't want to at all.
We have to take off the hoodie, get out from the dark corner, turn on the lights.
Who wants to do that, right? Nobody. Nobody wants to do that.
You are a great storyteller. I appreciate you telling these stories because I think it helps to lighten the topic. It could be a very tense topic.
It can be. The ones that tend to do better are the things that go wrong, and they're the ones that certainly the industry wants me to tell. Nobody wants to hear, “Well, we prepared really well, we went into an office, we got everything we needed, and we left without incident.” That's not the best story in the world. It's still great, but it's not the best story.
Everybody wants to know the stories where something unusual happened or something went wrong. I've been asked over these things like, “What's the strangest thing that ever happens on a physical pen test?” I try to give different answers every time. Unfortunately, there's a bank—things go wrong a lot, or the unexpected happens a lot. The one thing that I tell all the time is I did a thing where I was there. It was late at night, and I'd made up my mind not to leave until the morning. I was going to stay—just bunk down, really, and just stay there.
I am in a building, a huge place, on my own, only me and a couple of security guards. They weren’t even in the building. It was a huge facility and they were right on the other side. One of them knew I was on site, just for safety reasons; the other one didn't. If the other one had seen me, that would have been interesting, and it would have gotten me out of jail free. I don’t know if I’ve told this exact one.
There was a room; it was quite comfortable. There was a sofa and it was dark. There was no way anyone was coming anywhere near me. I thought, “I'm just going to sit for the night.” I had a little backpack, I had a drink. I'd been to the bathroom, had a few snacks. I was, in a way, peaceful. The job’s done. I’ll wait for everything to sort of die down. Security guards do their change of shift at about 6:00 AM. I'll set the alarm on my phone for like half five, and I'll just kind of settle down here. It must have been about 1:00 AM by then. I'll just chill.
Great Wi-Fi, which I'm on, so I thought I'll just watch a bit of Netflix. I’m just watching a horror film about human organ harvesting, of all things, on Netflix, and then got incredibly spooked by the fact that I'm on my own in this building, until I ring someone. I kind of hear something, just ridiculous really. I’ve probably been to 500 or 600 different buildings in my time and I still managed to freak myself out when everything was fine. It was fine.
Why didn’t I just read a nice calm book, or watch Grace and Frankie, or something that's very chill and funny, and just not worry about it? Why did I have to do that? Those are the same things I'm always asked. What was the funniest thing, or what was the most unusual thing? It was things like that, and it's nearly always, inevitably, my own fault. I know what I should be doing. I know exactly what the rules are. I set them out, I train people, people know exactly. But I was bored, wasn’t I? I was to waste, the job’s done, nobody’s there. I’ll just watch this horrible film and then frighten myself to death.
You commonly get asked what was the craziest thing. What's the most boring, uneventful thing—the quickest physical pen test?
I could tell you. I know exactly this one. We got this job. I got a job, for me personally, but there was a team. I thought we need a few, just looking at it. It was a mall—a big shopping center. We call it a shopping centre, a great big shopping centre in London, a mall. Huge, vast place. There's an admin office. That's where all the health and safety is, and that's where all the security—the maintenance guys—and everyone goes. It's an office that manages the building, the site.
We spent a couple of weeks doing surveillance, looking at it, in and out of it. At different times—day and night, weekends, evenings, everything. Did […]. This is the guy who runs it, this is the woman who's in charge of the staff. Maybe you can try pretext X, A, B, C, D, E. I don't always do that. This is the shop, and we've got good visibility there, and we've got good visibility there. My team: there’s a guy waiting with a car in the car park in case we have to run.
I had somebody watching for me; it’s another person in this big, complicated pretext. It was about a temporary cleaning contract thing, uniform and everything ready in the bag. I remember we decided to do that on a Tuesday morning at about half-eight, so it’s just waking up, but people are kind of settling in.
Literally, I just walked off, it was wide open, just walked in, did the thing I needed to do, took a photograph of what I needed to take. It took about 25 seconds. Nothing that we’d done was required: no sense, no intelligence, no reconnaissance, no surveillance, nothing, no uniforms. I literally could have walked in there in a pair of pajamas, done the job, and walked out. There was just nothing. You just think, “OK. Are you pleased?” “Well, yeah, but I mean.”
Yes, I put all this work into it and I didn't have to use all my work.
Even ready, if anything went wrong. Did anything go wrong? No, nothing, there was nobody there. Literally, nobody was there. An open door, an open office—there was nothing to do. You do get quite a few standard ones. Again, ask any physical pen tester: you are always surprised if nothing goes to plan, because generally there’s something that doesn't. I also think that's the worst thing to happen to a newbie.
If you take someone on their very first pen test and just nothing ever happens, the confidence it gives them is so misplaced. Because the next time there's going to be tasers, dogs, alarms, police, and fires. I remember I've said to people, “It doesn't always go that smoothly.” In fact, almost never.
I had to ask the question that no one ever asks you: What’s the most boring uneventful thing that's ever happened?
It was very uneventful that Tuesday. It was great.
That is awesome. Jenny, thank you so much for coming on the Easy Prey Podcast. I don't know that we told anybody what they need to do to keep themselves safe.
No, we didn’t. I’d tell you that in just four things. Look out for four things: if someone rushes you, if someone asks you about money, if someone asks you to do something that's outside what you normally do, and if they throw in urgency. Do this quickly, if you feel emotional, if they mention money, and a call to action of some kind—click on something, open something, send something. They’re red flags. They’re my four red flags.
If any of those happen—and certainly if more than one of them happens—stop, don't do it. Other than that, in terms of security, it’s basic cyber-hygiene; all the things that I’m sure the guests have said. Don't reuse passwords, update all your apps. Don't do a Zoom call with your bank statements and your passport pinned to the notice board behind you. It sounds obvious, but it happened a lot in lockdown—our first lockdown. It’s the basics that let people through.
I forget where I saw it. It was a still frame of a video of a journalist who was working from home during the lockdown. They had their camera showing them working at their desk, and on their monitor they had Post-its with usernames and passwords. This was a live broadcast of their usernames and passwords.
For the love of cyber, take it out. Don't use passwords “I love you” or “1234567.”
12345678 is OK?
Yeah.
Or 9.
If people want to find you online, how can they find you? Facebook, Instagram, Twitter, website, or LinkedIn?
Ironically, I'm crazy-easy to find online, obviously. My handle tends to be The People Hacker. You’ll find The People Hacker. You’ll find that on Twitter I’m @jenny_radcliffe, I’m easy to find on there. LinkedIn as well. The website and the business is humanfactorsecurity.co.uk. But most people find me online. Instagram is @realpeoplehacker, but really Twitter’s the one where people DM me and ask me questions.
The other thing, Chris, is I have my own podcast, Human Factor Security Podcast. Because that podcast began a long time ago, people have been very generous coming on and being guests. I almost always say yes to an interview. If people want to hear me talk, if they just put in anything—YouTube link, anything, Jenny Radcliffe—you will find enough to bore you to death about me talking about my job and what I do.
The reason I do it is because people talk to me about it. It matters that the word gets out there about this stuff, because it's too easy sometimes. The bad guys do it and it's devastating when it happens to you, which is why I will always—even if I annoy everyone—never should have […] people about social engineering. That's partly why as well.
I think that's a great philosophy to have. Again, thank you for coming on the podcast.
It's been amazing. Thanks for having me.