
The Good Hacker: Hacking Businesses before Criminals Do

2022/7/26

Smart Talks with IBM

People

Malcolm Gladwell
A Canadian author, journalist and podcast host known for his accessible writing style and his exploration of the social sciences.

Stephanie Snow Crothers
Topics
Malcolm Gladwell: Hackers are not just technical people; they are people who can find creative solutions, applying creative thinking to solve problems in unintended ways. This is not limited to computers but also includes people, devices and more. Stephanie Snow Crothers: Her interest in hacking began with a chance lock-picking experience that made her realize her talent for it. She considers social engineering the starting point of her career, and she is skilled at using interpersonal skills to obtain information. Her transition from hobbyist to professional hacker was quick; companies began paying her for information security testing. As a "people hacker", she uses social engineering techniques to induce users to disclose information. A Red Team simulates attacks to help clients test their information security, using many methods (including social engineering and technical means) to penetrate client systems. Even "ethical hackers" have limits, such as not targeting executives or specific systems. Social engineering is divided into remote and on-site: remote includes OSINT, vishing and phishing; on-site includes breaking in. Tailgating is one of the most common ways of getting into a building. Her previous experience as a makeup artist helps her change her appearance during on-site security assessments to avoid being recognized. She recounts a successful break-in that illustrates the importance of creativity and improvisation. She adjusts her approach to the target, and teamwork raises the success rate of hacking tests. Her work is varied, with no typical day. She has successfully broken into many buildings, with only one exception, because she stood out too much. Tim Harford: Mainly guides the conversation, asks questions, and summarizes and comments on Snow's answers.

Chapters
Snow defines hacking as finding creative solutions online or breaking apart something to make it work in a unique way, which could apply to computers, people, devices, and more.


Hello, hello. Welcome to Smart Talks with IBM, a podcast from Pushkin Industries, iHeartRadio, and IBM. I'm Malcolm Gladwell. This season, we're talking to new creators, the developers, data scientists, CTOs, and other visionaries who are creatively applying technology and business to drive change. Channeling their knowledge and expertise, they're developing more creative and effective solutions, no matter the industry.

Our guest today is Stephanie Snow Crothers. Snow is a hacker alias, and it's how we'll refer to Stephanie for the rest of this episode. Snow is the chief people hacker for X-Force at IBM. She gets paid to hack into her clients' businesses before criminal hackers do in order to test her clients' information security. In today's show, you'll hear some of the more creative ways Snow has persuaded people into sharing confidential information.

She also talks about the state of cybersecurity and what businesses need to do to keep their data protected. Snow spoke with economics journalist Tim Harford, host of the Pushkin podcast Cautionary Tales, and a longtime columnist at the Financial Times, where he writes The Undercover Economist.

In addition to publishing several books on the topic, Tim is also a BBC broadcaster with his show More or Less. Okay, let's now get to the interview with Tim and chief people hacker, Snow. Before you tell me what a chief people hacker is, what is hacking to you? I think if you ask the average person to close their eyes and envision a hacker, they are going to think of...

Someone in a dark room with a black hoodie on and all this green text behind them, right? But to me, a hacker doesn't even have to be technical. It's someone who finds creative solutions online, or just different ways to break apart something to make it work in a unique way that maybe it wasn't intended to do. Whether that's computers, people, devices, it could be a number of things, right? We see food hackers, we see life hackers, that's absolutely a type of hacker.

Yeah. My mother, I think, would have described herself as a hacker before she died. She loved to take apart computers. She loved to take apart software. She just wanted to know how everything worked. And when she put it back together again, it sometimes worked how she wanted it to work rather than how it was originally designed. But how was it that you originally became interested in this strange craft of hacking? I actually got involved and figured out I wanted to do this a little bit late in life.

I was in my mid-twenties and I went to the world's largest hacking conference, which takes place every year in Las Vegas, and went with a group of friends and my husband, and I had honestly no interest at all. I wanted to go to Vegas and sip drinks by the pool. But they got me a pass to attend this really cool conference and we sat in on the first talk and it was extremely technical. They were going through step by step about how to reverse malware and I fell asleep.

I completely just zoned out. It didn't make sense to me. So I got up and I started wandering around this huge conference and I found what was called the lock picking village. I was very confused by that. Like, why do people want to pick locks?

I mean, there is an obvious answer to that question, but okay. That's very true. So in that point in my life, it did not like click at all. And so I walk in and someone's like, hey, do you want to learn how to pick a lock? I said, sure. And so they sat me down and taught me everything.

And there's something magical that happens when someone picks a lock for the first time. Like you can see it in their face where it's like, wow, that was really cool and easy. And then the, oh shit, I just picked a lock, and they're envisioning everything in their life that's protected by locks, right? File cabinets, their door, things that protect their children, like all these things that you have locks to protect and you just picked it in seconds. So that was the most eye-opening moment for me that really launched me into this career and thinking that I could do it for a living.

Well, it feels like a long gap between that, or a big gap at least, maybe not a long one, between that initial spark of, wow, I can pick a lock, this matters, to realizing there's a career in this and I might actually be good at this career. So how did you figure out there's a job being a hacker and how did you figure out that you actually might be good at doing that job?

So once I was at that conference, I had met so many different people who explained what they do for a living. And again, at that point in my life, it felt like that shouldn't be possible, right? People are getting paid money to break into clients' networks and into their computers and all these things. And it still didn't add up. But what for me really stood out was another village at the same conference, DEF CON, called the social engineering village.

And when I walked in, they were actually placing live phone calls to people to try to elicit information. And so I'm sitting there in the audience listening to how these people were doing it. I'm like, wow, like I'm a people person. I've done sales. I can absolutely do this. So from there, I talked to a bunch of people that I just met, like my goal is just to meet people and ask questions at that point, and found every book I could on the subject matter, went home and practiced and taught myself and actually went back and competed in that same competition three years in a row. And I won on my third year, which was huge. But that really was able to propel me into this career, and where a company actually saw me placing these calls and asked me like, "Hey, do you want a job?" And that was my first job. It was super exciting.

In three years, Snow went from amateur hacking enthusiast to hacking professional. Companies started to pay her real money to test their information security. But remember, Snow's line of work isn't just limited to email servers and data networks. She's a people hacker.

Instead of trying to bypass a firewall or cracking a password, she uses what's called social engineering to trick users into letting her into systems where she doesn't belong.

In her work on what's called a Red Team, Snow explains how hacking the technical and the human come together.

So a Red Team is a group of offensive security or hackers. So IBM on our X-Force team, we have a whole team dedicated to our, we call it adversary simulation, but our Red Team. And how it works is a client comes in and says, these are our crown jewels. We want to make sure you cannot access them. We spend months trying to access them. And along the way, we have tons of meetings with our clients and giving them status updates and where we are. But it's a very long engagement to try to get access to the most sensitive things that our clients have. So how do they brief you? I mean, how do they brief you in such a way as to not give away information that they're trying to not give away, if that makes any sense. Yeah, so they stay as high level as possible. They might say, let's use IP, for example, right? They have this, their secret sauce that if their competitors get or anyone else gets, they can pretty much copy their business. And so that information probably lives on something that's very secure in a couple of documents that hopefully limited people have access to. Yeah. So a certain soft drink's secret recipe, for example, mentioning no particular brand names. Yes, exactly.

So they might say, okay, we have this secret recipe and we want to see if you can get it. They won't give us any details to where it's stored or any other information, but they'll just say go. They might have a couple things that are off limits, but in general, it's can we get this by any means possible? So a lot of social engineering is used, whether it's phone calls or emails, sometimes on site.

And a good amount of technical hacking, right? If we get into one person's computer, can we move into another's? And then can we move into a server? And it's a lot of moving around and digging. But at the end of the day, we're pretty successful with these types of engagements. And you mentioned certain things being off limits. Presumably the hackers, the bad hackers don't care what's off limits and what is not.

So what are the kinds of things that people, that clients are saying, no, you're not allowed to do that. That's cheating. Yeah. So what we will see a good handful of times is, do not mess with our executives. Like don't send our CEO an email, which again, bad guys do not have limits and they will absolutely continue to do that. But we have to respect those, unfortunately. But we will every once in a while run into a good handful of things. Or maybe they have another system that, I don't know, runs something sensitive, right? Maybe it's a medical device company. They're like, okay, do not access this system because, you know, people's lives could be on the line. So we won't even touch those types of systems. It really depends at the end of the day what they don't want us to have access to. Well, you're a people hacker, so you're doing it with people.

So, I mean, what does that look like? I mean, is it literally phoning people up and persuading them to give you passwords? Or is it a bit more complicated than that these days? So I break down social engineering in two ways. You either have remote or on-site. When you look at the remote, you're looking at a couple of different things. So the first one is what we call OSINT, which stands for open source intelligence. And that's actually not actively hacking a person, but it's looking at people, their online accounts. Are they revealing information that they shouldn't be that an attacker could leverage? So that's one type of assessment. We have the vishing or voice phishing. So that's placing those phone calls to get information or maybe get them to do a task over the phone. And then phishing, and that's by far the most common social engineering type of assessment. That's the malicious email with a link or an attachment or even a conversation. And then we move into the on-site stuff, and this is my favorite. It's the most tangible, but it's actually breaking and entering. So it's trying to get access to clients' sensitive locations and sensitive data. So those are the two types of social engineering. Give me a little bit of advice then. If you're trying to find a weakness, if you're trying to persuade somebody to do something they shouldn't be doing, what are the kind of things that you're doing?

So let's just take the physical part for an example is tailgating, right? That sounds so easy and so obvious, but it's the number one way that we break into buildings. It's just following someone who badges in, who unlocks a door, who has that access. We just follow them. And people are trained all the time. Don't let anyone follow you. Check the badge behind you. Make sure people badge in. All of these policies. But when it comes down to it, people are a little bit scared to ask to see the badge or to question them. It's rude. You're supposed to hold the door open for somebody. Yes. It's human nature to want to help. So that goes against everything that people are used to doing. So that's by far the number one way that we get into buildings. Now, I understand that before you got into this game, you were a makeup artist for independent films. Is there a connection between, it seems like a stretch, but between being a makeup artist and being a people hacker? Yeah, you would think those things absolutely don't go together at all. However, I've been pretty lucky where I've been able to leverage a little bit of the makeup art and special effects too when we do the physical security assessments. So maybe we get caught on the first day or maybe someone's suspicious. So we don't want to go back and blow our cover. So we'll change our appearance as much as possible when we go back the next day. So absolutely something that I leverage all the time and it's a lot of fun too. It just adds a little bit more to the job. It sounds like it's more creative than I would have expected a cybersecurity job to be. Oh, absolutely. When you think of cybersecurity, you just think of someone sitting at a computer typing all day. That is not my job at all. It's pretty amazing how much I can leverage creativity in what I do day to day. Can you give me an example?

So I actually have a story, if you're ready for a break-in story. It's one of the ones that absolutely went wrong. Our client was based out of the US and they had just opened their European branch, so their headquarters in Amsterdam. And so they wanted us to test the building's physical security to see if it's protecting their people and their data.

And so some of the goals were to see if we can get inside past all the badged areas where we shouldn't have access and see if we see anything that's out of place or maybe red flags or something that they should fix.

So, we always start with our OSINT, our open source intelligence, where we're going online, investigating the location, we're looking at Google Maps, as much as we can. However, this building was so new that they weren't even on Google Maps yet, so we had a really hard time finding all of this information. We decided we just had to show up on site to see what we can do.

So I walk, I walk into the building and walk into the lobby. The second I walk in, the lady pretty much kicked me out. I didn't even get to open my mouth or explain why I was there. Right out of the gate, just get out. And so for doing this type of an assessment, that was horrible. This client paid all this money to get me out there to test their physical security. And here I am getting kicked out within the first five minutes. So that was awful. Although it sounds like their physical security is pretty good. Yeah. Yeah. No, their receptionist was on her game. So I went back to my hotel room and like was banging my head against the wall. Like, how do I get in? I can't find information online. They're kicking me out before I'm even trying. Like I was just wanting to go in and see what it looked like because I had no idea what I was walking into. So I went back online like, okay, I have to, I have to figure this out. And finally, out of nowhere, it popped into my head. Okay, it has to be someone that's not local because I'm not from Amsterdam. And I have to leverage some type of position of authority, some reason why I'm supposed to be there.

And so I thought investor relations. I am going to pretend to be an investor relations manager from the U.S. and I'm going to their new site meeting with some potential investors. And so I called the receptionist. I spoofed my number. So I made it look like I was calling from the U.S. location and changed my voice a little bit and said that we have someone that's going to be coming on site tomorrow. Please give them whatever they need. They're going to be meeting with all these high end clients potentially. So just make sure they're comfortable. The next day I walk in and again, I had to change my appearance a bit because she saw me, and she didn't bat an eye. She welcomed me. She got me coffee. She sent me up to the office where they had my name on the front door and was like, how can we help?

So from there I was able to go through and complete my objectives, but it's kind of amazing how much you have to leverage creativity and even kind of the on-the-spot improv sometimes too to actually complete these objectives. Yeah, improv was the word that springs to mind hearing that story. I would imagine there must be some playbook, that there's a bunch of things you try and then you have to improvise if the playbook isn't working. Is that playbook always changing? Is it this constant arms race?

Constantly. It also depends on who my target is, right? I will change the way I ask questions, the way I set things up, just completely everything depending on if I'm talking to someone younger or older or male or female. Like there's a lot of things that absolutely adapt to whoever I'm speaking to at the end of the day because people are different. And I want to try to make sure whoever I'm talking to is comfortable and I can get them to trust me. And is it a collaborative process, this kind of ethical hacking, or is it very much a lone wolf?

It's really both. It just depends on what the type of assessment is. And there's a lot of variables. I prefer a team, right? Working with as many people as possible because I might be looking at a problem from, you know, my perspective. But if I have two or three other people with completely different backgrounds and sets of experience, they're thinking of it from another perspective. So the more we collaborate and work together, typically the more successful we can be as well.

I'm curious about a day in the life of Snow. On a completely typical day, what is it that you're doing?

So that's what I love about my job is I don't have a typical day. I could be one day waking up in Manhattan, breaking into the building. And the next day I could be in my home office writing a report. Like it's all over the place. And that's what makes it super exciting that it's not mundane. It's constantly changing. I love that. It's like, yeah, one day I'm writing a report. The other day I'm breaking into a building in Manhattan. It's perfect. Yes.

One description I've seen is that you're like a secret shopper, except instead of being a secret shopper for a restaurant or a chain store, you're a secret shopper for breaking in and stealing passwords. Is that accurate? I would say that's accurate. And if people are hiring you to probe their security and to find the weaknesses, have you ever come back and said, nope, it's perfect. I got nothing. Couldn't get in.

So I have broken into over 130 unique buildings. I've only had one of those buildings I was not able to break into. And that is because it was a small company in the middle of nowhere where everyone knew each other. It's not necessarily because they had all these, you know, expensive security controls that they had in place. It was just, I stuck out like a sore thumb and no matter what I said, they knew I wasn't supposed to be there. But it's kind of scary. Some of the very large organizations in these famous skyscrapers that I've broken into where they've invested hundreds of thousands, if not millions of dollars into their physical security, but I'm able to get in, right? That's kind of terrifying if you think about it.

Whether it's brick and mortar hacking or using something much more high-tech, it's all founded on the same principle, using deception to get what you want.

To round out their conversation, Tim and Snow talk about the state of the global cybersecurity industry, where the art of the con is headed, and how prepared companies are for any of it. Let's zoom back a bit now and take in the state of the global hacking industry, if that's a phrase, or the global security industry. What has changed in security and cybersecurity over the last few years? What are the new trends?

So what's changed? I would say more of our lives are online. And that's kind of scary. Everything from your IoT light bulb to your oven to... IoT being the Internet of Things, right? Just basically everything has a web address now. Exactly. And so there's so much more of that now. It's just it surrounds us. Our lives are online now.

And with that much being online, that's just more that we have to protect or more that we have to worry about, unfortunately. So that clearly raises the stakes. I would have hoped there's also more awareness. People don't fall for the most obvious scams and tricks anymore. And do you think companies put enough emphasis on security? Is it a high enough priority at the C-suite level?

I wish I could say yes. However, it's all over the board. I've worked with clients who they put everything they have into stopping attackers and to securing their environment. I've seen some clients in the past who just want to get the check in the box that they did their assessments and they want to move on to something else. So unfortunately, it's a pretty big range of types of people who really have that security mindset. And I'm always reading stories in the news about breaches and these security breaches. Sometimes they sound very sensational. Sometimes they sound incredibly banal. Like, oh yeah, somebody just stuck all the passwords online in plain text. Oops. I mean, is there a standard procedure for the bad actors? Is there a way that 90% of breaches happen like this?

Not these days, just because there's so many different ways they get in. I mean, most of them are financially motivated. So at the end of the day, once they get in, they're going to see if they can get money somehow, whether it's ransomware or they're looking for credentials to high-end executives. It kind of depends on their end goal, but really it's how they're getting in is pretty tricky. Again, social engineering is one of the number one ways to get in, typically through phishing, sending some type of malicious payload. And if their target does open it, that gets them into their environment and then they kind of pivot from there and see what they could get access to. And how much does it cost when security is breached?

So IBM did a report, the one from 2021, the cost of an average data breach was over $4 million, which is insane to think about. It kind of makes you wonder why they don't put more emphasis on their security and security awareness training and updating their machines and things like that when you think about how big that number is. Why is it so big?

There's tons of reasons. They could have fines that they have to pay out depending on what industry they're in. They have to pay out for things like credit monitoring for whoever is affected, legal fees. Like there's tons and tons of things that are involved when a company actually gets breached.

There's a couple things they could do to try to prevent them. And the first one is hire folks like myself to come in and test their environments to see where those vulnerabilities are so they can patch them. To do ongoing training for their internal team to make sure they're up to date, they know how to stop these type of attacks. And really just caring about security in general goes a long way.

Now, I mean, in some ways what you're describing is tremendously varied, lots of creativity, lots of improvisation, lots of variety. In other ways, it seems kind of simple. You're trying to break into places. So what's the state of the art and how do you advance the state of the art in people hacking?

Unfortunately, social engineering is kind of stagnant. I mean, if you go back... Is that unfortunate? It feels kind of like it might be good news. For me, it's unfortunate. Okay, got it. Okay, I'm looking from the attacker point of view, so that's very correct. But if you go back to the Middle Ages, there were cons that people were doing back then.

There's tons of cons from the early 1900s. And still, we're taking some of those kinds of cons and just adapting it to today's digital world, which there's improvements there. But in general, social engineering, there's not much that's changing. So that's actually one of the things that I have put a lot of emphasis on the last year, especially with my team, is once we go in and we complete an assessment, we spend the last 20% trying something new, trying something novel. Can this technique work? Maybe it's walking into a building saying, hey, I shouldn't be here. Will someone stop us? Right. Any little thing like that. What can we actually get away with? And that's something that I've enjoyed doing and pushing my team to see what we can learn and where those boundaries are.

Can you give me an example of a medieval con? I'm very curious. Yes. Okay. So in the Middle Ages, there is, have you ever heard the term pig in a poke? Yeah, I've heard the term. I always wondered where it came from.

Yeah. So pig in a poke came from vendors at the times or people who worked on the street and sold different various goods and foods. They would put a suckling pig inside of what they called a poke, which is a burlap sack and sewed it shut. And that's what they would sell. And people would buy that and eat that for dinner.

However, at the time, there were no shortage of small dogs and cats. So what some creative folks would do is put those types of animals inside of the sack and sew it shut and make a lot of money and then move on to the next city and continue that con. So again, cons have been around for the longest time.

I suppose the fact that cons themselves haven't changed that much. In a way, it seems to make life easy, right? Nothing changes. But in another way, that just goes to show that we just all have the same vulnerabilities over and over again, and people have been exploiting them for centuries. Exactly. If it's not broke, why fix it? Yes. Or if it's broken in a way that will enable you to take it. Really enjoyed this conversation. Thank you so much and goodbye. Absolutely. Thank you so much for having me.

Snow mentioned something that's really hard to forget. She's tried to break into over 130 unique buildings. And out of those, she's had only one, one that she wasn't able to break into. That's bananas.

What Snow's taught us is that we have to think of information security in a much more holistic way. It has to involve networks and computers, but also employees and office buildings. Of course, no defense is ever perfect. And that's why it's important for companies to have people like Snow on their side. Because in a world where business is bound to be hacked, the real question is, is there a good hacker hacking for you?

On the next episode of Smart Talks with IBM, the Mayflower Autonomous Ship, how IBM's artificial intelligence is powering the world's very first autonomous vessel. We talk with Brett Vanoff and Don Scott about how they're using IBM tech to revolutionize oceanography. Smart Talks with IBM is produced by Molly Socha, David Jha, Royston Preserve, and Edith Rusillo with Jacob Goldstein.

We're edited by Jen Guerra. Our engineers are Jason Gambrell, Sarah Bruguere, and Ben Tolliday. Theme song by Gramascope. Special thanks to Carly Migliore, Andy Kelly, Kathy Callahan, and the 8 Bar and IBM teams, as well as the Pushkin marketing team.

Smart Talks with IBM is a production of Pushkin Industries and iHeartMedia. To find more Pushkin podcasts, listen on the iHeartRadio app, Apple Podcasts, or wherever you listen to podcasts. I'm Malcolm Gladwell. This is a paid advertisement from IBM.