Hey everyone, it's Robert and Joe here. Today we've got something a little bit different to share with you. It is a new edition of the Smart Talks podcast series, which is produced in partnership with IBM. This season of Smart Talks with IBM is all about new creators: the developers, data scientists, CTOs, and other visionaries creatively applying technology and business to drive change. They use their knowledge and creativity to develop better ways of working, no matter the industry. Join hosts from your favorite Pushkin Industries podcast as they use their expertise to deepen these conversations. Malcolm Gladwell will guide you through this season as your host to provide his thoughts and analysis along the way. Look out for new episodes of Smart Talks with IBM every month on the iHeartRadio app, Apple Podcasts, or wherever you get your podcasts. And learn more at IBM.com/SmartTalks. Hello, hello, welcome to Smart Talks with IBM, a podcast from Pushkin Industries, iHeartRadio and IBM. I'm Malcolm Gladwell. This season we're talking to new creators: the developers, data scientists, CTOs, and other visionaries who are creatively applying technology and business to drive change. Channeling their knowledge and expertise, they're developing more creative and effective solutions no matter the industry. Our
guest today is Stephanie "Snow" Carruthers. Snow is a hacker alias, and it's how we'll refer to Stephanie for the rest of this episode. Snow is the Chief People Hacker for X-Force at IBM. She gets paid to hack into her clients' businesses before criminal hackers do, in order to test her clients' information security. In today's show, you'll hear some of the more creative ways Snow has persuaded people into sharing confidential information. She also talks about the state of cybersecurity and what businesses need to do to keep their data protected. Snow spoke with economics journalist Tim Harford, host of the Pushkin podcast Cautionary Tales and a longtime columnist at the Financial Times, where he writes The Undercover Economist, in addition to publishing several books on the topic. Tim is also a BBC broadcaster with his show More or Less. Okay, let's now get to the interview with Tim and Chief People Hacker Snow. Before you tell me what a chief people hacker is, what is hacking to you? I think if you ask the average person to close their eyes and envision a hacker, they are going to think of someone in a dark room with a black hoodie on and all the screen text behind them. Right. But to me, a hacker doesn't even have to be technical. It's someone who finds creative solutions or just different ways to break apart something to make it work in a
unique way that maybe it wasn't intended to. Whether that's computers, people, devices, it could be a number of things. Right. We see food hackers, we see life hackers. That's absolutely a type of hacker. Yeah. And my mother, I think, would have described herself as a hacker before she died. She loved to take apart computers. She loved to take apart software. She just wanted to know how everything worked, and when she put it back together again, it sometimes worked how she wanted it to work, rather than how it was originally designed. But how was it that you originally became interested in this strange craft of hacking? I actually got involved and figured out I wanted to do this a little bit late in life. I was in my mid twenties and I went to the world's largest hacking conference, which takes place every year in Las Vegas. I went with a group of friends and my husband, and I had honestly no interest at all. I wanted to go to Vegas and sip drinks by the pool. But they got me a pass to attend this really cool conference and we sat in on the first talk
and it was extremely technical. They were going through step by step how to reverse malware, and I fell asleep. I completely just zoned out. It didn't make sense to me. So I got up and I started wandering around this huge conference and I found what was called the Lockpicking Village. I was very confused by that, like, why do people want to pick locks? I mean, there was an obvious answer to that question, but okay, that's very true. So at that point in my life, it did not click at all. And so I'm walking and someone's like, hey, do you want to learn how to pick a lock? I said sure, and so they sat me down and taught me everything. And there's something magical that happens when someone picks a lock for the first time. You can see it in their face, where it's like, wow, that was really cool and easy, and then that oh shit, I just picked a lock. And they're envisioning everything in their life that's protected by locks, right: file cabinets, their door, things that protect their children, all these things that you have locks to protect, and you just picked it in seconds. So that was the most eye-opening moment for me. That really launched me into this career and thinking that I could do it for a living. Well, I mean, it feels like a long gap between that, or a big gap at least, maybe not a long one, between that initial spark of wow, I can pick a lock, this matters, to realizing there's a career in this and I might actually be good at this career. So how did you figure out there's a job being a hacker, and how did you figure out that you actually might be
good at doing that job? So once I was at that conference, I had met so many different people who explained what they do for a living, and again, at that point in my life, it felt like that shouldn't be possible. Right, people are getting paid money to break into clients' networks, into their computers and all these things, and it still didn't add up. But what really stood out for me was another village at the same conference, DEF CON, called the Social Engineering Village, and when I walked in, they were actually placing live phone calls to people to try to elicit information. And so I'm sitting there in the audience listening to how these people were doing it. I'm like, wow, I'm a people person, I've done sales, I could absolutely do this. So from there, I talked to a bunch of people that I had just met, like my goal was just to meet people and ask questions at that point, and found every book I could on the subject matter, went home and practiced and taught myself, and actually went back and competed in that same competition three years in a row, and I won in my third year, which was huge, but that really was able to propel me into this career. And a company actually saw me placing these calls and asked me, like, hey, do you want a job? And that was my first job. It was super exciting. In three years, Snow went from amateur hacking enthusiast to hacking professional. Companies started to pay her real money to test their information security. But remember, Snow's line of work isn't just limited to email servers and data networks. She's
a people hacker. Instead of trying to bypass a firewall or cracking a password, she uses what's called social engineering to trick users into letting her into systems where she doesn't belong. In her work on what's called a red team, Snow explains how hacking, the technical and the human, come together. So a red team is a group of offensive security people, or hackers. So at IBM, on our X-Force team, we have a whole team dedicated to what we call adversary simulation, but it's our red team, and how it works is a client comes in and says, these are our crown jewels, we want to make sure you cannot access them. We spend months trying to access them, and along the way we have tons of meetings with our clients giving them status updates on where we are. But it's a very long engagement to try to get access to the most sensitive things that our clients have. So how do they brief you, and how do they brief you in such a way as to not give away the stuff that they're trying not to give away, if that makes any sense? Yeah. So they stay as high level as possible. They might say, let's use IP for example. Right, they have their secret sauce that, if their competitors get it or anyone else gets it, they can pretty much copy their business. And so that information probably lives on something that's very secure, in a couple of documents that hopefully limited people have access to. So a certain soft drink's secret recipe, for example, mentioning no particular brand names. Yes, exactly. So they might say, okay, we have this secret recipe and we want to see if you can get it. They won't give us any details as to where it's stored or any other information, but they'll just say go. They might have a couple of things that are off limits, but in general it's, can we get this by any means possible? So a lot of social engineering is used, whether it's phone calls or emails, sometimes on site, and a good amount of technical hacking. Right, if we get into one person's computer, can we move into another's? And then can we move into a server? It's a lot of moving around and digging. But at the end
of the day, we're pretty successful with these types of engagements. And you mentioned certain things being off limits, because really the bad hackers don't care what's off limits and what is not. So what are the kinds of things that the clients are saying, no, you're not allowed to do that, that's cheating? Yeah. So what we will see a good handful of times is, do not mess with our executives, like don't send our CEO an email, which again, bad guys do not have limits, and they will absolutely continue to do that. But we have to expect those, unfortunately. And we will every once in a while run into a good handful of things, or maybe they have another system that, I don't know, runs something sensitive, right, maybe it's a medical device company. They're like, okay, do not access this system because, you know, people's lives could be on the line. So we won't even touch those types of systems. It really depends, at the end of the day, on what they don't want us to have access to. You're a people hacker, you're doing it with people, so I mean, what does that look like? Is it literally phoning people up and persuading them to give you passwords, or is it a bit more complicated than that these days? So I break down social engineering in two ways. You either have remote or on site. When you look at the remote, you're looking at a couple of different things. So the first one is what we call OSINT, which stands for open source intelligence, and that's actually not actively hacking a person, but it's looking at their online accounts. Are they revealing information that they shouldn't be, that an attacker could leverage? So that's one type of assessment. We have the vishing, or voice phishing, so that's placing those phone calls to get information or maybe get them to do a task over
the phone. And then phishing, and that's by far the most common social engineering type of assessment. That's the malicious email with a link or an attachment or even a conversation. And then we move into the on-site stuff, and this is my favorite. It's the most tangible, but it's actually breaking and entering, so it's trying to get access to clients' sensitive locations and sensitive data. So those are the two types of social engineering. Give me a little bit of advice then. If you're trying to find a weakness, if you're trying to persuade somebody to do something they shouldn't be doing, what are the kinds of things that you're doing? So let's just take the physical part for an example. It's tailgating, right? That sounds so easy and so obvious, but it's the number one way that we break into buildings. It's just following someone who badges in, who unlocks the door, who has that access. We just follow them, and people are trained all the time: don't let anyone follow you, check the badge behind you, make sure people badge in. All of these policies, but when it comes down to it, people are a little bit scared to ask to see the badge, to question them. It's rude, somehow. Yes, it's human nature to want to help, so that goes against everything that people are used to doing. So that's by far the number one way that we get into buildings. Now, I understand that before you got into this game, you were a makeup artist for independent films. Is there a connection between, it seems like a stretch, but between being a makeup artist and being a people hacker? Yeah, you would think those things absolutely don't go together at all. However, I've been pretty lucky where I've been able to leverage a little bit of the makeup art and special effects
when we do the physical security assessments. So maybe we get caught on the first day, or maybe someone's suspicious, so we don't want to go back and blow our cover, so we'll change our appearance as much as possible when we go back the next day. So it's absolutely something that I leverage all the time. And it's a lot of fun too. It just adds a little bit more to the job. It sounds like it's more creative than I would have expected a cybersecurity job to be. Oh, absolutely. When you think of cybersecurity, you just think of someone sitting at a computer typing all day. That is not my job at all. It's pretty amazing how much I can leverage creativity in what I do day to day. Can you give me an example? So I actually have a story, if you're ready for a breaking story. It's one of the ones that slowly went wrong. Our client was based out of the US and they had just opened their European branch, their headquarters in Amsterdam, and so they wanted us to test the building's physical security to see if it's protecting their people and their data. So some of the goals were to see if we can get inside past all the badged areas where we shouldn't have access, and see if we see anything that's out of place, or maybe red flags or something that they should fix. So we always start with our OSINT, our open source intelligence, where we're going online investigating the location. We're looking at Google Maps as much as we can. However, this building was so new that they weren't even on Google Maps yet, so we had a really hard time finding all of this information. We decided we just had to show up on site to see what we can do. So I walk into the building and walk into the lobby. The second I walk in, the lady pretty much kicked me out. I didn't even get to open my mouth or explain why I was there. Right out of the gate, just get out. And so for doing this type of an assessment, that was horrible. This client paid all this money to get me out there to test their physical security, and here I am getting kicked out within the first five minutes. So that was awful. Physical security is pretty good. Yeah, yeah, no, their
receptionist was on her game. So I went back to my hotel room and was banging my head against the wall, like, how do I get in? I can't find information online. They're kicking me out before I'm even trying. I was just wanting to go in and see what it looked like, because I had no idea what I was walking into. So I went back online, like, okay, I have to figure this out. And finally, out of nowhere, it popped into my head. Okay, it has to be someone that's not local, because I'm not from Amsterdam, and I have to leverage some type of position of authority, some reason why I'm supposed to be there. And so I thought, investor relations. I am going to pretend to be an investor relations manager from the US, and I'm going to their new site meeting with some potential investors. And so I called the receptionist. I spoofed my number, so I made it look like I was calling from the US location, and changed my voice a little bit and said that we have someone that's going to be coming on site tomorrow. Please give them whatever they need. They're going to be meeting with all these potentially high-end clients, so just make sure they're comfortable. The next day, I walk in, and again I had to change my appearance a bit because she had seen me and she didn't like that, and she welcomed me, she got me coffee, she set me up in an office where they had my name on the front door, and I was like, how can we help? So from there I was able to go through and complete my objectives. But it's kind of amazing how much you have to leverage creativity, and even kind of the on-the-spot improv sometimes too, to actually complete these objectives. Yeah, improv was the word that sprang to mind hearing that story. I would imagine that there must be some playbook, that there's a bunch of things you try, but then you have to improvise if the playbook isn't working. Is that playbook always changing? Is it this constant arms race? Constantly. It
also depends on who my target is. Right, I will change the way I ask questions, the way I set things up, just completely everything, depending on if I'm talking to someone younger or older, or male or female. There's a lot of things that I absolutely adapt to whoever I'm speaking to at the end of the day, because people are different and I want to try to make sure whoever I'm talking to is comfortable and I can get them to trust me. And is there a collaborative process, this kind of ethical hacking, or is it very much a lone wolf? It's really both. It just depends on what the type of assessment is. And there's a lot of variables. I prefer a team, right, working with as many people as possible, because I might be looking at a problem from, you know, my perspective, but if I have two or three other people with completely different backgrounds and sets of experience, they're thinking about it from another perspective. So the more we collaborate and work together, typically the more successful we can be as well. I'm curious about a day in the life of Snow. I mean, on a completely typical day, what is it that you're doing? So that's what I love about my job, is I don't have a typical day. One day I could be waking up in Manhattan breaking into a building, and the next day I could be in my home office writing a report. It's all over the place, and that's what makes it super exciting, that it's not mundane. It's constantly changing and I love that. It's like, yeah, one day I'm writing a report, the other day I'm breaking into a building in Manhattan. It's perfect. One description I've seen is that you're like a secret shopper, except instead of being a secret shopper for a restaurateur or a chain store, you're a secret shopper for breaking in and stealing passwords. Is that accurate? I would say that's accurate. And if people are hiring you to probe their security and to find the weaknesses, have you ever come back and said, no, it's perfect, I got nothing, couldn't get in? So I have broken into
over a hundred and thirty unique buildings. There's only been one of those buildings I was not able to break into, and that is because it was a small company in the middle of nowhere where everyone knew each other. It's not necessarily because they had all these, you know, expensive security controls in place. It was just that I stuck out like a sore thumb, and no matter what I said, they knew I wasn't supposed to be there. But it's kind of scary, some of the very large organizations in these famous skyscrapers that I've broken into, where they've invested hundreds of thousands, if not millions, of dollars into their physical security, but I'm able to get in, right. That's kind of terrifying if you think about it. Whether it's brick-and-mortar hacking or using something much more high tech, it's all founded on the same principle: using deception to get what you want. To round out their conversation, Tim and Snow talk about the state of the global cybersecurity industry, where the art of the con is headed, and how prepared companies are for any of it. Let's zoom back a bit now and take in, you know, the state of the global hacking industry, if that's a phrase, or the global security industry, and what has changed in security and cybersecurity over the last few years. What are the new trends? So what's changed? I would say more of our lives are online, and that's kind of scary. Everything from your IoT lightbulb to your oven. IoT being the Internet of Things. So basically everything has a web address now. Exactly, and so there's so much more of that now. It just surrounds us, our lives are online, and with that much being online, that's just more that we have to protect, or more that we
have to worry about. Unfortunately, that clearly raises the stakes. I would have hoped there's also more awareness. People don't fall for the most obvious scams and tricks anymore. And do you think companies put enough emphasis on security? Is it a high enough priority at the C-suite level? I wish I could say yes. However, it's all over the board. I've worked with clients who put everything they have into stopping attackers, into securing their environment. I've seen some clients in the past who just want to get the check in the box that they did their assessments, and they want to move on to something else. So, unfortunately, it's a pretty big range of types of people who really have that security mindset. And I'm always reading stories in the news about breaches, these security breaches, and sometimes they sound very sensational. Sometimes they sound incredibly banal, like, oh yeah, somebody just stuck all the passwords online in plain text. I mean, is there a standard procedure for the bad actors? Is there a way that breaches happen, like this? Not these days, just because there's so many different ways they get in. I mean, most of them are financially motivated. So at the end of the day, once they get in there, they're going to see if they can get money somehow, whether it's ransomware or they're looking for credentials to high-end executives. Right, it kind of depends on their angle, but really, how they're getting in is pretty tricky. Again, social engineering is one of the number one ways to get in, typically through phishing, sending some type of malicious payload, and if their target does open it, that gets them into their environment, and then they kind of pivot from there and see what they could get access to. And how much does it cost when security is breached? So IBM did a report, the one from one, and the cost of an average data breach was over four million dollars, which is insane to think about. It kind of makes you wonder why they don't put more emphasis on their security and security awareness training, and
updating their machines and things like that. When you think about how big that number is, why, there's tons of reasons. They could have fines that they have to pay out, depending on what industry they're in; they have to pay out for things like credit monitoring for whoever is affected; legal fees; there's tons and tons of things that are involved when a company actually gets breached. There's a couple of things they could do to try to prevent them. And the first one is hire folks like myself to come in and test their environments to see where those vulnerabilities are so they can patch them, to do ongoing training for their internal team to make sure they're up to date and they know how to stop these types of attacks, and really just caring about security in general goes a long way. Now, I mean, in some ways what you're describing is tremendously varied: lots of creativity, lots of improvisation, lots of variety. In other ways, it seems kind of simple. You're trying to break into places. So what's the state of the art, and how do you advance the state of the art in people hacking? Unfortunately, social engineering is kind of stagnant. I mean, if you go... it feels kind of like it might be good news for me. It's unfortunate. Okay, I'm looking at it from the attacker point of view, so that's very correct. But if you go back to the Middle Ages, there were cons that people were doing back then. There's tons of cons from the early nineteen hundreds, and still we're taking some of those kinds of cons and just adapting them to today's digital world, which, there's improvements there, but in general, in social engineering, there's not much that's changing. So that's actually one of the things that I have put a lot of emphasis on the last year, especially with my team, is once we go in and we complete an assessment, we spend the last trying something new, trying something novel. Can this technique work? Maybe it's walking into a building saying, hey, I shouldn't be here, will someone stop us? Right? Any little thing like that. What
can we actually get away with? And that's something that I've enjoyed doing and pushing my team to see what we can learn and where those boundaries are. Can you give me an example of a medieval con? Very curious. Yes, okay. So in the Middle Ages there is... have you ever heard the term pig in a poke? Uh, yeah, I've heard the term. I always wondered where it came from. Yeah. So pig in a poke came from vendors at the time, or people who worked on the street and sold various goods and foods. They would put a suckling pig inside of what they called a poke, which is a burlap sack, and sew it shut, and that's what they would sell, and people would buy it and then eat that for dinner. However, at the time, there was no shortage of small dogs and cats, so what some creative folks would do is put those types of animals inside of the sack and sew it shut, and make a lot of money and then move on to the next city and continue that con. So again, cons have been around for the longest time. I suppose the fact that cons themselves haven't changed that much, in a way, seems to make life easy, right, then nothing changes. But in another way, that just goes to show that we all have the same vulnerabilities over and over again, and people have been exploiting them for centuries. Exactly, if it's not broke, why fix it? Yes, or it's broken in a way that will enable you to take it. I really enjoyed this conversation. Thank you so much and goodbye. Absolutely, thank you so much for having me. Snow mentioned something that's really hard
to forget. She's tried to break into over a hundred and thirty unique buildings, and out of those, there's been only one, one that she wasn't able to break into. That's bananas. What Snow taught us is that we have to think of information security in a much more holistic way. It has to involve networks and computers, but also employees and office buildings. Of course, no defense is ever perfect, and that's why it's important for companies to have people like Snow on their side, because in a world where business is bound to be hacked, the real question is, is there a good hacker hacking for you? On the next episode of Smart Talks with IBM: the Mayflower Autonomous Ship, how IBM's artificial intelligence is powering the world's very first autonomous vessel. We talk with Brett Phaneuf and Don Scott about how they're using IBM tech to revolutionize oceanography. Smart Talks with IBM is produced by Mollie Socha, David Jha, Royston Beserve and Edith Rousselo with Jacob Goldstein. We're edited by Jen Guerra. Our engineers are Jason Gambrell, Sarah Bruguiere and Ben Tolliday. Theme song by Gramoscope. Special thanks to Carly Migliori, Andy Kelly, Kathy Callaghan and the 8 Bar and IBM teams, as well as the Pushkin marketing team. Smart Talks with IBM is a production of Pushkin Industries and iHeartMedia. To find more Pushkin podcasts, listen on the iHeartRadio app, Apple Podcasts, or wherever you listen to podcasts. I'm Malcolm Gladwell. This is a paid advertisement from IBM.