0:00:01 Max Havey: Hello and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today I'm also joined by my co-host Emily Wearmouth, because we are so excited about the guest we have today that we both had to be on. Without further ado, today we're digging into the world of social engineering and how it's evolved with our guest Jenny Radcliffe, the people hacker. Jenny has a storied career as a con artist, a burglar for hire, and now an ethical social engineering expert. So Jenny, welcome to the show. We're so happy to have you.
0:00:37 Jenny Radcliffe: Oh, it's nice to be here. Thank you. Thanks for having me.
0:00:41 Emily Wearmouth: Jenny. We played rock, paper, scissors three times and it was a fight. So we're both here. You get both of us.
0:00:50 Jenny Radcliffe: That's great.
0:00:51 Max Havey: So I mean to kick things off, Jenny, can you take us through just broadly, what is a "people hacker" and how did you get here? Take us through what that looks like.
0:01:01 Jenny Radcliffe: Well, "people hacker," I stole that because I was interviewed by a journalist years ago and I was explaining what I did and I said, look, I'm not a technical hacker at all. I said, I use psychology and cognitive biases and the way people think and all sorts of things. I trained a lot of people in corporate training, in negotiation and influence and all those things. And I said, so I use that and I guess we don't use tech, we use people. She said, oh, that makes you a people hacker. Now what it does in security is it makes you a social engineer. And now I see people in the industry who are social engineers and they've got technical skills, which is brilliant. Show me someone who's good with people and good with the tech and you've got a CEO on the way if they want to be, which maybe these days they don't. But anyway, and so that's really what it is. And I guess I started out and still really am known for physical infiltrations, because if you don't have the tech, I used to get in. I say used to because I don't really do it as much anymore because I'm getting older, and infiltration is a very physical job. That's what people don't know, who don't do it. You are running around, you are hiding in place. But mostly we did reconnaissance, organized a lot of scripts and things to get us into buildings. And then once I was in buildings, I was hired to steal things or leave things behind or do something that meant that the technical people that we work with, so my technical hacker colleagues, would have an easier time getting through, and that's really what it is. And then over the years it just became a handle and then I made it the title. I wrote a book and I made it the title of the book. So it's the brand now, I suppose, if we were going to be really corporate about it, which I'm so not, but there we are.
0:02:57 Emily Wearmouth: So is this pretty standard, that if you are the CEO, the CIO, CISO of a large organization, you will generally be finding someone to try and come in and infiltrate your organization? We know that that's done. Penetration testing is a really normal process in cyber, but in the physical world, is this normal, or are there particular types of organizations that are bringing you in?
0:03:20 Jenny Radcliffe: I think a lot of the time it's part of a compliance exercise and they just think we need to cover all our bases these days particularly. And if I get an inquiry like that, we tend to say no, but actually physical infiltration is still as important as it ever was for certain types of businesses, just because you're getting through those outer layers of security. And also it's not always the system that is necessarily the biggest threat, it's the people that are the threat. So we're often there to look for insider threats or just look for strange behavior, or very often we're asked to do it when they've already been breached and it's not public, and it takes them a minute usually, the clients, to tell me that that's what's happened. So I'll get a call completely out of the blue: we're prepared to pay you your fees for you and whatever team you find appropriate to try and breach this site and find this thing. And the next question for me is, what happened? And it nearly always was like, well, now you're asking me. Actually we did have an incident and someone walked. I mean, I had one where they were like, no, no, we just want to be really thorough and we want to make sure that we've covered everything. And I was like, so nobody broke into your facility then? Well, no. I said no. And they're like, well, you said break in. I mean, they didn't break in. I went, did they walk in? Kind of. So I'd say there are industries right now, the legal industry, legal professions and financial, that are by far our biggest clients, and also the security industry. Obviously I would not say who, but can you imagine if your whole product, your whole brand, your whole business is built on being secure and then someone breaks in. So it's like, I'll get Jen, please don't say anything, but can you please get past.
0:05:32 Max Havey: You're the expert for a reason. You know how to get in places where you're not supposed to get into.
0:05:37 Emily Wearmouth: Hold on, Max, you've just thrown that one in. You have just said you are the expert, you know how to, and I know a lot of our listeners are going to know Jenny and they might know this story, but I think it's worth pausing for a moment and saying, Jenny, how on earth do you become the expert in breaking into buildings? How do you know this stuff?
0:05:55 Jenny Radcliffe: Well, I can't say it was something I really wanted to be. I mean, I would naturally not want to be so public as I have become. I think it wasn't a strategy for me. I became good at this because I'd done it for years, I mean since I was a kid, and I've told the story lots of times, but everyone always asks. So before you do, basically I grew up in Liverpool and I had a few incidents when I was a kid that were quite worrying. So my mum and dad both were away. They worked shifts and things, and so you've got to understand, because you're so much younger than me, but we really did just used to be told to come in when it got dark and not to speak to any strange people and stuff like that. And I had a neighbor lock me in the house and not let me out. I mean, some of this is in the book, but there was that, and that was pretty worrying and nothing really happened, but it was quite traumatic for everyone because clearly there was mal intent. And then I went to the shop to buy sweets, candy for the American audience, and I got cornered in an alleyway by this gang of local bullies, all boys, kids, but they were in the habit of beating people up. And I had a can of pop, of soda, and I shook up the can and it exploded in the head bully's face, and then I crunched the can in half until it made a blade and then hit him over the head over and over again with this. So there's blood and red soda coming down his face, and I ran away. And after that my mom and dad were a bit worried about me being out on my own, just a bit. So they asked my cousins to look after me, and they basically were getting into buildings, what you'd call urban exploration, and we ended up sort of turning that into a business. So it's one of the reasons I kind of know so much about it, and I've done so many buildings and done so much of it, is because I started when I was like nine and it was always a side hustle. 
So I had a decent career, a proper respectable career in corporate for a long time and eventually into consultancy. But what the corporate career did was it enabled me to travel all over the world, and whenever I was traveling, I'd get a job as what we would now say would be a physical penetration tester in all sorts of places, Asia, all over Europe and sometimes the States, although I was very cautious in America, and in any country where security guards could be armed, because I tend to be on my own, I have to be careful. I'm still careful about that now. And it's not just abroad. There are places in the UK where people are heavily armed as well. But I ended up doing that on the side, and when I went into consultancy and I was training people in things like, I say, advanced negotiation techniques, sort of reading non-verbal communications, linguistic kind of patterns in language, people got curious: why and how do you have this skillset? And I'd tell stories, vaguely masking exactly what I did, because no one knew what that was. I mean, even now I have to explain it at quite some length what it is to a non-security audience. And in the end it became obvious to me that this was the thing that really I should do full time. It was paying well, people knew me, word of mouth had got out that we were good at this, I suppose. And so I just dumped everything else in the end. Well, not quite dumped everything else. I still do some sort of work on that with some organizations, but generally speaking that was how it happened.
0:09:57 Emily Wearmouth: It's officially the coolest side hustle we've ever had on the podcast.
0:10:03 Jenny Radcliffe: I feel like, as the fries on the side, people always think it's cool until they fall off a roof. And it was like, I want to do that job. And I'm like, do you want to be chased by guard dogs? I was cable tied to a gate by security. I mean, do you want that? Because you really think you do. Maybe you don't.
0:10:25 Emily Wearmouth: I want to hear about it, but I'm happy to not do it. And sorry to have interrupted Max, but that was worth it.
0:10:31 Max Havey: Oh no, that was absolutely worth it. And so Jenny, that's kind of an interesting thing. In an episode we did a couple months ago, we were talking about the movie Hackers and our guest brought up the idea that a character gets locked up on a roof at one point and can't get out. He's like, that's the least believable thing about this movie because as a hacker, he absolutely has a lock pick in his bag and is going to pick that lock immediately. The physical security side of all of this is a thing that I think a lot of folks don't necessarily think about when it comes to cybersecurity or being a hacker and things of that sort. And so I think that kind of brings us really, that brings us into sharp focus here.
0:11:07 Jenny Radcliffe: Well, first of all, I've been trapped on tons of roofs. Second of all, lock picking is the lock pick thing. I mean, certain people, I was speaking to a guy who was an expert and can pick any lock and pick it very quickly, and I've got mates who are great lock pickers, but generally speaking that is not something that I would take on any job. If you are caught by a security guard and you have lock picks on you, that is hard to explain. And even if you can get them sort of disguised or have them in your boots or something, and I have other things down my boots that are also difficult to explain, but not that, but you wouldn't. The idea that you just lock pick your way out of it, to me, it takes time, it takes effort even if you're good at it. And so, for example, I always made sure, or tried to make sure, that any kit I had on me could be explained away or so well hidden that they probably wouldn't find it. By which I mean in things like a tampon tube, sorry Max, sorry to anyone who's offended by that, but it's very rare that anyone bothered looking in that. So we'd maybe put the odd thing in there. But for example, we used to carry around, giving away something now, which I've only really spoken about at BSides before, but we used to get these little black light torches and pens and use them to just scratch, so say there was five of us in a building, we'd have certain signs which are code for this has been done, or don't go down there, or we've already covered this bit, because you'd have radio silence a lot of the time, and everyone would have a little black light torch and we'd be able to just shine and we'd know whereabouts to put them, but that's hard to explain. So what we changed to, which has sort of been successful, and there's times it wasn't, we started to take, you know, extra strong mints, and I don't know if they've got them in the States so much, Max, but they're like a chalky, big mint that works like chalk. 
So it works like chalk, so we used that instead to just put these lines on the floor, on the walls, because we could explain that. You couldn't explain it if someone caught you making a sign on the floor with one, but if you were caught by a security guard, they didn't immediately think, oh, this is a black light and pen. So I'm very cautious about what I take on a job and I'm very careful that I can explain 99% of what I've got on me away quite easily. But yeah, I'm always, well, saying that though, when I started out, for a long time I really did just make it up as I went along. There wasn't really anything, and there still is a quite negligible amount of stuff, that you can study about social engineering that's any good or that's about the physical side. It's really a lot of it is tradecraft, which obviously by its nature is quite hidden or very expensive to get hold of if you're looking for white papers and books and things. And so I was kind of making it up a little bit as I went along, so I might just be incompetent, but I've been caught on many a roof and I don't think I've ever picked my way off a roof or almost anywhere, to be honest. I'm just trying. I think there was one time, not so much a lock pick, but cards, and there are tricks and there's stuff that you can use to open locks and things, and we've used them sometimes, but generally speaking I would disagree with that. I wouldn't do that much. But everyone has their own experience and their own expertise and their own way of doing it. I speak to people sometimes and I say, my con is not your con, right? You have to use who you are, what you have and what you know. So don't copy other people, because what might work perfectly for them, they might just know that they could do that.
0:15:10 Emily Wearmouth: Jenny, how much work do you do ahead of any of these sorts of jobs? If we are looking at a broad cyber and physical picture and physical access might be part of your way of gaining access to digital systems, how much work is being done at your desk ahead of time researching employees, finding ways to use their psychology to get into the organization?
0:15:34 Jenny Radcliffe: Well, a stupid amount really. I mean, because I'm only using my part of the operation before we hand it over, because social engineers are a blended attack. So the social engineering, whether that's phishing, whether it's vishing, whether it's physical entry, all of that really is to enable a handover a lot of the time to the cyber guys. So I can only speak to my part, but because I can't use any of that, my research was always very thorough, and I mean it was a funnel of research. So we would just study everything about that company, that target, that person, to a silly point really, because I wanted to be at the point where I knew as much as anyone who didn't actually work there in the day to day would. So we'd sometimes send in B teams, we'd go and do research on site, reconnaissance. So it was quite a lot. And honestly, depending on the job and how serious the client would be, and by that I mean how much they were willing to pay for that kind of reconnaissance. Sometimes the clients think it needs almost nothing, and we don't work like that. And sometimes they think it needs a lot, and you don't know until you look into it, right? But it would be a lot. I mean, at least two and a half times the amount of time it would take to do the actual infiltration, which we try and do in 90 minutes, but we'd have a week put aside looking for the right opportunity. So probably a couple of weeks really, depending on what we find, really in depth.
0:17:13 Emily Wearmouth: And I'm going to say the letters. Does AI help you with that research?
0:17:19 Jenny Radcliffe: So this is the thing, and this is why I didn't mention it then, I knew you were going to ask me. AI has cut that down. First of all, the internet cuts it down. So I started sort of pre-internet, really, or pre-good internet. And in the beginning, no internet, but I used to have to, and I always say this when I give keynotes, I used to have to hang out near the site and sit in whichever bar they all went to on a Friday night and listen, and listen out for things, and note activity, and one of the things we always saw was the way employees used the site and the way employees broke the rules and got around security. We just followed what the employees did. And then the internet came along and that cut everything down and OSINT became easier and we managed to do that. But now we have AI, and it makes that level of research quick. I mean really quick, reducing from days and days down to minutes or even seconds, not to get the same level of interpretation, but to get the amount of data. The difference between somebody who does social engineering and somebody who feels that they're a really good social engineer isn't even the quality of the data. It's learning to interpret and find the story that's going to be the hook that's going to get you in. But AI has enabled people to get 80% of the way there very quickly.
0:18:47 Max Havey: I am curious, in the AI world you talk about that sort of reducing time, reducing how things are happening here. How is that sort of changing things? We're seeing AI automating tasks that humans do. Is social engineering at all on your end sort of now doing social engineering on AI and finding ways to trick that AI to get you the information that you need? How is something like that becoming a part of your toolkit at this point, or is it becoming a part of your toolkit at this point?
0:19:13 Jenny Radcliffe: Well, it is, because AI is very, obviously it depends on what you want to think about AI. Either it's going to kill everyone.
0:19:24 Emily Wearmouth: That's the pessimistic view, Jenny,
0:19:29 Jenny Radcliffe: Mmhmm, it's probably true. No, it's probably true, but also it's very smart and it can do lots of things, but it's not as smart. In some ways it's smarter than humans and even a room or a stadium of humans, but in some ways it's not. So if you can imagine, if you can fool a human into telling you things, you can fool AI, and that's a bad thing because criminals know that and are using it that way. So you absolutely can socially engineer AI, or some AI for some things, right now by being very specific about what you ask, and by it not really being that good at detecting deception from a human yet, at least not the ones that I have seen.
0:20:21 Emily Wearmouth: So an organization's AI and particularly agentic AI can become one of the tools that you might use to get into the organization.
0:20:31 Jenny Radcliffe: I wouldn't necessarily rely on that, but it's just a tool, right? It's a technique, but you don't have to be a lifelong social engineer who's done this for years, and sort of feels like they can speak to people like you about it, to be almost as good. And that's the problem. You don't have to be brilliant at it. You just have to be good enough. And I think that's how it's being used, and how it's weaponizing human nature, which is something that I always did, was weaponize mistakes and psychology. I might be able to do that slightly better just because I'm a thinking, living human who's done this for a long time, but sometimes you don't need me, and this is why we turn jobs down sometimes. I say, well, you don't need that. What? You just need a really good red team with a couple of people who are quite good at social engineering. So you don't need someone whose whole expertise is this one particular thing, which is warping human psychology, but you don't always need that to get past. And we've seen that happen at scale. The difference is it's at scale. So whereas we are limited by just being physical humans and the size of the team and the workloads of what we do, AI is not limited by that at all. So there's this trade off between having someone who will get past and will keep trying as a human and will adapt, but only being able to do as much as we can physically take on, and a machine that doesn't get tired. It's sort of Terminator stuff, it doesn't get tired, it will absolutely not stop. And it will do that at like 60, 70% effective, but over and over again. So just statistically it's going to get through.
0:22:21 Emily Wearmouth: Can I ask you a question that flips to the other side of the AI thinking? If you are the people hacker and a big tool for you is taking advantage of human psychology, I'm wondering whether you are yet seeing, or anticipating seeing, any changes to human psychology that AI might bring. Or as we grow in our dependence and use of AI systems, does that change the way humans think and operate that you think might leave more doors open for you?
0:22:51 Jenny Radcliffe: Yes, because everyone's got lazier and therefore you're not as sharp. If you don't read the book, but you just read a summary of the book, then you haven't really absorbed the learning in the book. If you are asked to give, I don't know, a presentation and you don't write the presentation, then you don't really know as much about that presentation. And this has been a problem in security for a long time, that there are people in security who are there just purely for the showboating side of it and, whatever, make a living however you can. But this is security. If you give the wrong advice or if you don't know what you're talking about, that's dangerous stuff. And I don't just mean financially or reputationally, that's dangerous in lots of ways. That's a problem. It's made it easy for people to look as if they know what they're talking about and to get lazy, and as a social engineer, we can absolutely exploit the fact that you probably don't know what you're talking about, that certain people don't know what they're talking about, and if they're on the defensive side, we'll get past that easier than if they really knew about it. And that's on the security side, never mind just people who are not in security, not really thinking that defense is part of their job as just an employee who does something else well. So that is a problem. That's how humans are changing.
0:24:22 Emily Wearmouth: I'm utterly fascinated to see, I've got a number of teenagers within my household and I'm fascinated to see the way their brains interact with the world in different ways to how mine did at that age, because of their expectation of what's going to be done for them by systems. And we didn't have that. And so I think that psychology change is going to be fascinating in the next few years, and yet it potentially exposes new risks for organizations.
0:24:50 Jenny Radcliffe: But I think as well there is some merit, I agree with you, but I think that there is some merit in the fact that younger people, teenagers and even kids have been born into a world where this is normal and where this is usual, which means as humans, I have faith in humans mostly, most humans most of the time, to kind of adapt to that and understand the risks, just instinctively see the risk in it. And that's a strange thing to say, because people often ask me when I'm consulting and stuff, how worried are you about kids online and all that kind of the dark side of the internet and all the exploitation and everything. And of course it's a massive worry, because younger kids and youngsters might not see what we see, the potential of the evil of the bad things that's out there. But the flip side of that is that they're so used to it, they've been warned about it and seen it from when they were very young, that in a way this is their world now. And they will, I hope and I think that they will, adapt better than we will. We are more kind of fearful of it, I think. And in some ways that's great, we should be, because we're there to guide the next generation as to what could be so bad out there. But I'm always heartened by the fact that kids kind of take it all with a bit of a pinch of salt as well. That's also kind of heartening for me. It's like, well, it was bound to happen. There's something nice about that nonchalance. I think the charm of teenage nonchalance.
0:26:27 Max Havey: Yeah, the power of being sort of a digital native.
0:26:30 Jenny Radcliffe: Yeah, no, but Max, you're right though. It's that, it's the fact that there are positives that come with that. They expect it.
0:26:40 Max Havey: No, 100%. And I think that's kind of the interesting thing, taking it all in, the notion of convenience as a risk factor and the idea of people who have lived in this world, who understand sort of the risks, they sort of see some of the signs whether they realize it or not. I feel like that's the way. Growing up on the internet, that was often my case, where I developed a real detector. I'm like, that seems fake. Anything that seems too good to be true, that's probably somebody who wants something from me, whether it's my information or for me to sign up for some sketchy credit card.
0:27:14 Jenny Radcliffe: There's a cynicism, which is kind of awful, but also has got a positive, perhaps.
0:27:22 Max Havey: The silver lining of cynicism.
0:20:04 Emily Wearmouth: That sounds like your book title. Can I ask a question about failure? Firstly, I was intrigued to know, Jenny, people are paying you to get into their organizations. What is your success rate? And then for whatever the percentage is where you can't get in, how long do you keep trying? What parameters do you put around that?
0:27:45 Jenny Radcliffe: Same question, honestly, because the truth is we keep going until we do get in, so the success rate is a hundred percent, and everyone says, oh, no, no, no, you must have been, no, we've been stopped lots and lots of times with various exciting consequences. But if we are stopped, we'll go back, even to the point where it costs me money to put the team in again, because I had a reputation. My ego couldn't have handled it. I had a reputation to maintain. But I suppose it sort of depends. I've seen places that would be extremely difficult to get past. I've not been tasked with getting in, but I've seen how difficult it would be. And for something like that, it's a longer burn, and often that is not commercially viable. They can't say we would let you do it. But there's ones where, essentially, if we are stopped to the point where we have to abort or we're turned away, which is rare, so the amount of times that happens is less than 10%, but of that 10% we have always gone back, and then we'll hit them again and again and again, as many times as I need to hit them, so that in the end I can go to that client in whatever coffee shop or conference room and present them a win, that we did it, because otherwise, why would you hire me? I mean, there's times when I've looked at, say I've had a client that's given me four sites and said, we want you to break into this one or this one, and I've gone, of the four sites that you've given me, that one's the hardest one. So I can rank them just from reconnaissance. I can rank them and say, that's going to be the hardest one. So that's going to cost you more for us to do it. It's going to take us longer. I'm going to need more people. Am I going to need kit? And that kit might be expensive. Do you still want me to do it? And they say yes sometimes and they'll pay for that. But generally speaking, I mean, there's times I can look at a site and go, you won't do that on social engineering alone, high security stuff. So
0:30:03 Emily Wearmouth: At that point you might need a crane and a power tool for instance.
0:30:10 Jenny Radcliffe: You very well... no, because that wasn't that particularly difficult.
0:30:14 Emily Wearmouth: So I'm referring to the Louvre heist for anyone unsure of the methodology that was used in Paris last autumn, but do you have thoughts on that one, Jenny?
0:30:26 Jenny Radcliffe: As you know, Emily, I do. So the day that happened, or the day after, I got so many emails and calls wanting me to comment, and I wouldn't comment specifically on all of my theories on the Louvre. But what I'll say is that there's a lot of lessons here for security. And it's not that whatever the password was, Louvre or whatever it was. It's that when these things happen, the lesson is that you have to look at any breach holistically and you have to ask the question. Everyone was asking how: how did they get past security, why was security terrible, all of this type of thing. But the real question is not ever that. You always have to ask why. And I know that one of the problems, and I speak to very senior people sometimes, they say, well, it's financial. It's always financial. It's never, ever, no matter what it is, it's never just financial. You have to look at the secondary motive and then the motive under that and then the people that you're dealing with. And for the Louvre you have to think about what was taken and when was it taken. And I've heard good people, good security people say, well, they did it in broad daylight so that people weren't as suspicious. I mean, you wouldn't rob someone in broad daylight. So people were less suspicious. And that's true, but it's also so that people can see that something has been done. It's what we call a vanity heist. You are showing people what you've done, and specifically the people who want that loot. And for me, that tells you everything about who's behind it, who funded it, why it was done at that time. And you have to look at the bigger picture in the world. And that's what people never do. Incidents are seen as far too isolated, right? It was an attack on us, on this business. But when you look at the TTPs of things, when you look at the patterns, it'll give you a lot more information as to who's behind these things and why. 
And if you take money, almost take money out of it and look at everything else. The money side of it, we deal with in the incident and the aftermath of the incident and how we all cope with that and get all our systems back online. But the real question is, things are connected. And this is where I revive my podcast series of the Tinfoil Hat Club from lockdown. But you really do need to think that these things are connected, and they're connected to a wider network than what is immediately obvious. And as soon as you start looking at things like that, you see things differently. And that's what helped us, me and my team, with a lot of investigations and things that we've done in the past, is to take, if we take the money out of this, what's going on?
0:33:28 Emily Wearmouth: And is that in particular when it's very public? Because some of these things are never public and they're kept very quiet, and so the motivations are different. Is this principally for when it's done deliberately to be visible? Some of the big hacks that we saw in the UK last year, they were designed to be very visible. Are those the sorts of ones where we should be looking at a slightly different non-financial motive?
0:33:50 Jenny Radcliffe: No, I think that's a good question. And it's not an assumption, but I don't think it's true. It's not how many people see it, it's who sees it. So it doesn't have to be public to be nefarious in that respect. But I can tell you a funny thing. I won't say who it was, but one of those big cyber attacks last year didn't surprise me at all, because I was working on a social engineering job with a colleague. We were in a hotel and we were only going to start the job the following evening. So I broke my rule and we were having a glass of wine or two, chatting, and it was summer and we were on the hotel terrace, in the gardens, and it was lovely. And behind us there was a group of executives, all men, being loud and very unpleasant to the staff, which is one of the things I hate most. I hate people who keep snapping their fingers at waiters and things like that, and you can't ignore them. So we could hear what they were saying, and we found out they were from the security team, the cybersecurity team of a big company. So we decided to see what we could get out of them for fun, just for a laugh.
0:35:20 Emily Wearmouth: Jogos de bar.
0:35:23 Jenny Radcliffe: Nós iniciamos uma espécie de conversa, o que foi fácil de fazer. Como eu disse, eles eram barulhentos e desagradáveis. Já estava ficando muito tarde e eles também estavam bêbados, mas nós não estávamos. Tínhamos bebido vinho, mas não estávamos bêbados. E eu disse: "Olá, então você trabalha na segurança." Isso significa que vocês vão impedir os hackers? E eles respondem: "Sim". E eu perguntei: o que é um hacker? São pessoas que querem sua senha? E eles disseram, ah, bem, sim. E foi tipo, ah, bem, mocinha. Sim. E eu disse, ah, eu disse, então se a minha senha for 1, 2, 3, isso é ruim? Eles ficam tipo, sim, isso é ruim. E eu disse: "Ah". Eu perguntei: então, que tipo de coisas vocês fazem a respeito disso? E eu os incluí nessa conversa, e se eles não tivessem sido tão horríveis e condescendentes, eu teria parado por aí, mas não parei. E eles acabaram nos contando muita informação de um jeito meio... enfim. E aí eles disseram tipo, ok, boa sorte. Tchau. E quando saímos, simplesmente coloquei uma das minhas cartas, que é uma ficha de pôquer, no bolso de um deles. E então isso aconteceu alguns anos antes de tudo isso ocorrer no ano passado. E eu sempre penso que aquele cara, se algum dia tivesse pesquisado sobre mim, teria pensado: "Meu Deus, eu fui manipulada socialmente". Mas, apesar de todas as explicações que ouvi na imprensa e em todos os outros lugares, isso não me surpreende. Não me surpreendeu nem um pouco que eles tenham sido hackeados, porque o que eles fazem é fisicamente no mundo físico, eles estão vazando tudo. O sistema deles poderia ter sido perfeito. E eu já sabia muito, não apenas informações detalhadas — e quero dizer informações detalhadas mesmo — sobre quais sistemas eles usavam e coisas do tipo. Poderíamos perguntar a eles de uma forma que nos fizesse explicar como se estivéssemos falando com uma criança, mas nós não somos crianças. Temos colegas que poderiam explicar até para mim o que perguntar. 
Mas também a arrogância dessa cultura, e essa arrogância é uma das coisas que, como engenheiro social, eu vou focar e destruir completamente, porque se uma empresa acha que nunca será pega ou que é tão boa que pode falar sobre isso sem que ninguém se importe, então melhor que seja eu do que um dos "verdadeiros vilões". Eu tinha informações que, se tivesse optado por vender a pessoas nefastas, valeriam uma fortuna. Mas o que importava era o tempo até que fossem hackeados.
0:37:53 Max Havey: Acho muito interessante você estar contando todas essas histórias e experiências da sua carreira, e perceber que grande parte da sua abordagem à engenharia social, pelo menos no sentido psicológico, consiste em fazer as perguntas certas e saber que tipo de coisa perguntar às pessoas, independentemente de elas perceberem ou não que estão sendo alvo de engenharia social. E isso é o mais interessante para pessoas como eu e a Emily, cujo trabalho é fazer perguntas às pessoas para contextualizar as coisas. É muito interessante ouvir como você está usando isso para outros fins aqui. Isso é fascinante.
0:38:29 Emily Wearmouth: Eu quero ser sua estagiária, Jenny.
0:38:32 Jenny Radcliffe: Até você cair de um telhado, eu já te disse, ou terá que fazer 10 mergulhos em contêineres de lixo. Mas acho que uma das coisas que você disse, Max, é tão interessante porque se trata de fazer as perguntas certas, de ser capaz de ler as pessoas, e isso significa ser capaz de ler sua fisicalidade. Portanto, compreender a psicofisiologia é, até certo ponto, ser capaz de compreender a linguística. Então, estou limitado fora do meu próprio idioma porque existem nuances na maneira como as pessoas falam, mas também é uma questão de ponto de vista social, observando a forma como os grupos interagem e a identidade das pessoas dentro de um grupo, e depois a identidade que elas projetam em público, e sendo capaz, e isso é tão cruel, mas sendo capaz de ver o que poderia destruir isso. Então, a arte de um pescador de arpão realmente afiado é ser capaz de atingir o âmago da questão, porque aí a pessoa começa a questionar a si mesma. E se eles questionarem a si mesmos, você estará introduzindo a dúvida. E é essa dúvida que alimentamos, e isso é maldade nas mãos erradas. Mas para isso, você precisa estudar bastante além da sua área de atuação. E acho que esse é um dos pontos, voltando à sua pergunta, Emily, sobre IA. Uma das coisas que precisamos ter cuidado para não perder é a construção de conhecimento e experiência interdisciplinares. Porque sem isso, você não consegue ser tão bom no meu tipo de engenharia social. Não dá para simplesmente chegar lá e achar que saber cinco coisas que influenciam as pessoas vai te levar longe e que isso será ótimo. Você pode até construir uma carreira nisso, mas se quiser se tornar realmente bom e desenvolver um estilo próprio de engenharia social, e existem características marcantes nos meus ataques que, se você me conhece e conhece o setor, saberá que fui eu. Se você quer chegar a esse nível, então acho que você precisa estudar fora da sua área de formação. Mas quem sabe se isso ainda é tão necessário assim? 
É uma profissão de nicho, e na verdade só existem alguns profissionais por ano, porque acho que a maioria das empresas não precisa pagar por isso ou ter esse nível de conhecimento psicológico envolvido. Como eu disse, é mais uma questão de astúcia do que qualquer outra coisa, eu acho que você pode chamar assim.
0:41:01 Emily Wearmouth: I have to say, I don't know about you, Max. I feel very vulnerable. I have the strong impression that I'm being watched and read the whole time in this conversation. At the start I didn't feel it, but now I feel vulnerable.
0:41:12 Jenny Radcliffe: People always say that to me, and I always answer: are you paying me to do this? And if you're not paying me to do it, I won't do it to you. The fear is real. People say, "Oh, you're doing it now." You're doing it now. If you've robbed me. I said: are you paying me to rob you? No. Then I won't rob you.
0:41:28 Emily Wearmouth: But the motivations aren't always money, I've realized in this conversation.
0:41:32 Jenny Radcliffe: No, that's also true. That's also true. And if I don't like you, I can do it too. There are people I don't like that I'd do for free.
0:41:42 Max Havey: That's a good reason for us to stay on Jenny's good side.
0:41:45 Jenny Radcliffe: Well, it's been said.
0:41:48 Max Havey: Well, Jenny, we've already talked a bit about this, but based on your years of experience as a social engineer, what's the main tip you'd like to leave people with, whether in physical security, cybersecurity or any area of security?
0:42:04 Jenny Radcliffe: People need to shut up, honestly. Stop talking about yourself, what you like, what you don't like, what scares you. Keep your privacy. Be more private, right? In the corporate world too. Be more private. Think about who's listening. Think about what someone could do in person with that information, even if it's online. Stop it. Stop it. Privacy used to be a valuable currency. It's such an elegant quality that it's worth protecting. And yet I see security professionals broadcasting details about their personal lives and other things like that all over the place. And you think, "I understand that that shouldn't cause problems." It isn't, is it? It isn't. So we still have more or less freedom of speech here, and you can choose what you want to do, but please make a conscious choice and don't get carried away with the idea that you can say anything and nothing will happen. It will. I don't need much to win you over. I don't need much to understand how your brain works and what you feel about yourself. So the more you expose, the more vulnerable you become. So why do it? I wrote a whole book, a complete autobiography, and I still meet people who say:
I really don't know much about you, and you really don't.
0:43:25 Emily Wearmouth: I overshare, so I'll take that tip on board.
0:43:30 Max Havey: Well, wonderful, Jenny, thank you so much for taking the time here. This conversation was very interesting. I imagine our listeners and viewers will think the same. Thank you so much for joining us. This was great.
0:43:43 Jenny Radcliffe: Oh, no, it was a huge pleasure. It was a pleasure talking to you both.
0:43:47 Emily Wearmouth: And Jenny, can I make a request for your next book? Because you know there are lots of books about who Jack the Ripper was. I have the impression there's a book waiting to be written, "Jenny's Theory of the Louvre Heist", and you can tell us exactly who you think it is. I didn't dig too deeply into the questions. I couldn't tell whether you wanted to tell us, but I feel it would make a book.
0:44:06 Jenny Radcliffe: No, well, no. The next book isn't that one.
0:44:10 Max Havey: Well. With that, you've just listened to the Security Visionaries podcast. I've been your host, Max Havey, and if you enjoyed this episode, share it with a friend and subscribe to Security Visionaries on your favorite podcast platform. You can listen to our back catalog of episodes and keep an eye out for new episodes, which come out every two weeks. Also, if you've enjoyed our episodes, don't forget to rate, review and subscribe. It helps us a lot, and we want to keep making cool episodes like this one. So please do that. You'll find episodes hosted by me, by my co-host Emily, or by our other co-host, Bailey Pop. And with that, we'll see you on the next episode.