
On this episode of Security Visionaries, hosts Max Havey and Emily Wearmouth are joined by renowned social engineering expert Jenny Radcliffe, “The People Hacker,” for a deep dive into the world of physical and psychological hacking. Jenny shares the unconventional path of her storied career and explores the role of physical infiltration in security. She also digs into how the rise of AI is changing the reconnaissance process and creating new vulnerabilities, her thoughts on the 2025 Louvre heist, and the simple value of shutting up. This one is not to be missed!

                                Watch

                                Timestamps

00:01 – Intro.
00:57 – What is a "people hacker"?
03:03 – What does physical infiltration look like?
05:37 – How Jenny became an expert at breaking into buildings.
10:36 – Why lock-picking is not a key tool for her.
15:16 – Extensive reconnaissance and research before a job.
17:18 – How AI has changed the speed of research for social engineers.
18:52 – The ability to socially engineer AI systems.
22:26 – Changes in human psychology due to AI dependence.
27:31 – Jenny’s success rate and strategy for handling failure.
30:09 – Jenny’s thoughts on the 2025 Louvre heist.
33:33 – Arrogant culture as a weak link.
37:58 – Asking the right questions as a social engineer.
42:04 – The value of shutting up.
43:30 – Conclusion.


                                Listen

                                Timestamps

00:01 – Intro.
00:51 – What is a "people hacker"?
02:57 – What does physical infiltration look like?
05:32 – How Jenny became an expert at breaking into buildings.
10:31 – Why lock-picking is not a key tool for her.
15:10 – Extensive reconnaissance and research before a job.
17:13 – How AI has changed the speed of research for social engineers.
18:47 – The ability to socially engineer AI systems.
22:21 – Changes in human psychology due to AI dependence.
27:24 – Jenny’s success rate and strategy for handling failure.
30:03 – Jenny’s thoughts on the 2025 Louvre heist.
33:28 – Arrogant culture as a weak link.
37:53 – Asking the right questions as a social engineer.
41:48 – The value of shutting up.
43:30 – Conclusion.


                                On this episode

                                Jenny Radcliffe
                                Social Engineer and Security Expert


Jenny Radcliffe is a social engineer and security expert. She focuses on the human elements that are so often exploited by those seeking to gain unauthorised access online and in the real world. Branded a “people hacker,” she can bypass the strictest security, defuse a crisis and spot a lie in seconds.


                                Max Havey
                                Content Specialist at Netskope


Max Havey is a Content Specialist for Netskope’s corporate communications team. He is a graduate of the University of Missouri’s School of Journalism with both a Bachelor’s and a Master’s in Magazine Journalism. Max has worked as a content writer for startups in the software and life insurance industries, and has edited ghostwriting from across multiple industries.


                                Emily Wearmouth
                                Director of International Communications and Content at Netskope


                                Emily Wearmouth is a technology communicator who helps engineers, specialists and tech organisations to communicate more effectively. At Netskope, Emily runs the company’s international communications and content programmes, working with teams across EMEA, LATAM, and APJ. She spends her days unearthing stories and telling them in a way that helps a wide range of audiences to better understand technology options and benefits.


                                Episode transcript


0:00:01 Max Havey: Hello and welcome to another edition of Security Visionaries, a podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today I'm also joined by my co-host Emily Wearmouth, because we are so excited about the guest we have today. So we both had to be on. Without further ado, today we're digging into the world of social engineering and how it's evolved with our guest Jenny Radcliffe, the people hacker. Jenny has a storied career as a con artist, a burglar for hire, and now an ethical social engineering expert. So Jenny, welcome to the show. We're so happy to have you.

                                0:00:37 Jenny Radcliffe: Oh, it's nice to be here. Thank you. Thanks for having me.

0:00:41 Emily Wearmouth: Jenny, we played rock, paper, scissors three times and it was a fight. So we're both here. You get both of us.

                                0:00:50 Jenny Radcliffe: That's great.

                                0:00:51 Max Havey: So I mean to kick things off, Jenny, can you take us through just broadly, what is a "people hacker" and how did you get here? Take us through what that looks like.

0:01:01 Jenny Radcliffe: Well, "people hacker," I stole that because I was interviewed by a journalist years ago and I was explaining what I did and I said, look, I'm not a technical hacker at all. I said, I use psychology and cognitive biases and the way people think and all sorts of things. I trained a lot of people in corporate training, in negotiation and influence and all those things. And I said, so I use that and I guess we don't use tech, we use people. She said, oh, that makes you a people hacker. Now what it does in security is it makes you a social engineer. And now I see people in the industry who are social engineers and they've got technical skills, which is brilliant. Show me someone who's good with people and good with the tech and you've got a CEO on the way if they want to be, which maybe these days they don't. But anyway, and so that's really what it is. And I guess I started out and still really am known for physical infiltrations because if you don't have the tech, I used to get in. I say used to because I don't really do it as much anymore because I'm getting older and it's very physical. Infiltration is a very physical job. That's what people don't know, who don't do it. You are running around, you are hiding in place. But mostly we did reconnaissance, organized a lot of scripts and things to get us into buildings. And then once I was in buildings, I was hired to steal things or leave things behind or do something that meant that the technical people that we work with, my technical hacker colleagues, would have an easier time getting through, and that's really what it is. And then over the years it just became a handle and then I made it the title, I wrote a book and I made it the title of the book. So it's the brand now, I suppose, if we were going to be really corporate about it, which I'm so not, but there we are.

0:02:57 Emily Wearmouth: So is this pretty standard, that if you are the CEO, the CIO, CISO of a large organization, you will generally be finding someone to try and come in and infiltrate your organization? We know that that's done. Penetration testing is a really normal process in cyber, but in the physical world, is this normal, or are there particular types of organizations that are bringing you in?

                                0:03:20 Jenny Radcliffe: I think a lot of the time it's part of a compliance exercise and they just think we need to cover all our bases these days particularly. And if I get an inquiry like that, we tend to say no, but actually physical infiltration is still as important as it ever was for certain types of businesses just because you're getting through those outer layers of security. And also it's not always the system that is necessarily the biggest threat, it's the people that are the threat. So we're often there to look for insider threats or just look for strange behavior or very often we're asked to do it when they've already been breached and it's not public and they're like, it takes them a minute usually the clients to tell me that that's what's happened. So I'll get a call completely out of the blue, we're prepared to pay you your fees for you and whatever team you find appropriate to try and breach this site and find this thing. And the next question for me is what happened? And it nearly was like, well now you're set. Now you are asking me. Actually we did have an incident and someone walked. I mean I had one where they were like, no, no, we just want to be really thorough and we want to make sure that we've covered everything. And I was like, so nobody broke into your facility then? Well no. I said no. And they're like, well, you said break in. I mean they didn't break in. I went, did they walk in? I'm like, kind of. So I'd say there are industries right now, the legal industry, legal professions and financial are by far our biggest clients and also the security industry, obviously I would not say who, but can you imagine if your whole product, your whole brand, your whole business is built on being secure and then someone breaks in. So it's like, I'll get Jen, please don't say anything, but can you please get past.

                                0:05:32 Max Havey: You're the expert for a reason. You know how to get in places where you're not supposed to get into.

                                0:05:37 Emily Wearmouth: Hold on, max, you've just thrown that one in. You have just said you are the, you know how to, and I know a lot of our listeners are going to know Jenny and they might know this story, but I think it's worth pausing for a moment and saying, Jenny, how on earth do you become the expert in breaking into buildings? How do you know this stuff?

0:05:55 Jenny Radcliffe: Well, I can't say it was something I really wanted to be. I mean, I would naturally not want to be so public as I have become. I think it wasn't a strategy for me. I became good at this because I'd done it for years. I mean since I was a kid and I've told the story lots of times, but everyone always asks. So before you do, basically I grew up in Liverpool and I had a few incidents when I was a kid that were quite worrying. So my mum and dad both were away. They worked shifts and things, and so you've got to understand, because you're so much younger than me, but we really did just used to be told to come in when it got dark and not to speak to any strange people and stuff like that. And I had a neighbor lock me in the house and not let me out. I mean some of this is in the book, but there was that and that was pretty worrying and nothing really happened, but it was quite traumatic for everyone because clearly there was mal intent. And then I went to the shop to buy sweets, candy for the American audience, and I got cornered in an alleyway by this gang of local bullies, all boys, kids, but they were in the habit of beating people up. And I had a can of pop, of soda, and I shook up the can and it exploded in the head bully's face and then I crunched the can in half until it made a blade and then hit him over the head over and over again with this. So there's blood and red soda coming down his face and I ran away. And after that my mom and dad were a bit worried about me being out on my own, just a bit. So they asked my cousins to look after me and they basically were getting into buildings, what you'd call urban exploration, and we ended up sort of turning that into a business. So it's one of the reasons I kind of know so much about it and I've done so many buildings and done so much of it is because I started when I was like nine and it was always a side hustle.
So I had a decent career, a proper respectable career in corporate for a long time and eventually into consultancy. But what the corporate career did was it enabled me to travel all over the world and whenever I was traveling, I'd get a job as what we would now say would be a physical penetration tester in all sorts of places, Asia, all over Europe and sometimes the States, although I was very cautious in America, and in any country where security guards could be armed, because I tend to be on my own, I have to be careful, I'm still careful about that now. And it's not just abroad. There are places in the UK where people are heavily armed as well. But I ended up doing that on the side, and when I went into consultancy and I was training people in things like, I say, advanced negotiation techniques, sort of reading non-verbal communications, linguistic kind of patterns in language, people got curious: why and how do you have this skillset? And I'd tell stories, vaguely masking exactly what I did, because no one knew what that was. I mean even now I have to explain it at quite some length what it is to a non-security audience. And in the end it became obvious to me that this was the thing that really I should do full time. It was paying well, people knew me, word of mouth had got out that we were good at this, I suppose. And so I just dumped everything else in the end. Well, not quite dumped everything else. I still do some sort of work on that with some organizations, but generally speaking that was how it happened.

                                0:09:57 Emily Wearmouth: It's officially the coolest side hustle we've ever had on the podcast.

0:10:03 Jenny Radcliffe: I feel like that's the fries on the side. People always think it's cool until they fall off a roof. And it was like, I want to do that job. And I'm like, do you want to be chased by guard dogs? I was cable tied to a gate by security. I mean, do you want that? Because you really think you do, maybe you don't.

                                0:10:25 Emily Wearmouth: I want to hear about it, but I'm happy to not do it. And sorry to have interrupted Max, but that was worth it.

                                0:10:31 Max Havey: Oh no, that was absolutely worth it. And so Jenny, that's kind of an interesting thing. In an episode we did a couple months ago, we were talking about the movie Hackers and our guest brought up the idea that a character gets locked up on a roof at one point and can't get out. He's like, that's the least believable thing about this movie because as a hacker, he absolutely has a lock pick in his bag and is going to pick that lock immediately. The physical security side of all of this is a thing that I think a lot of folks don't necessarily think about when it comes to cybersecurity or being a hacker and things of that sort. And so I think that kind of brings us really, that brings us into sharp focus here.

0:11:07 Jenny Radcliffe: Well first of all, I've been trapped on tons of roofs. Second of all, lock picking is the lock pick thing. I mean certain people, I was speaking to a guy who was an expert and can pick any lock and pick it very quickly, and I've got mates who are great lock pickers, but generally speaking that is not something that I would take on any job. If you are caught by a security guard and you have lock picks on you, that is hard to explain. And even if you can get them sort of disguised or have them in your boots or something, and I have other things down my boots that are also difficult to explain, but not that, but you wouldn't, the idea that you just lock pick your way out of it to me is, it takes time, it takes effort even if you're good at it. And so for example, I always made sure or tried to make sure that any kit I had on me could be explained away or so well hidden that they probably wouldn't find it. By which I mean in things like a tampon tube, sorry Max, sorry to anyone who's offended by that, but it's very rare that anyone bothered looking in that. So we've maybe put the odd thing in there. But for example, we used to carry around, giving away something now, which I've only really spoken about at BSides before, but we used to get these little black light torches and pens and use them to just scratch whether, so say there was five of us in a building, we'd have certain signs which are code for this has been done or don't go down there or we've already covered this bit, because you'd have radio silence a lot of the time, and everyone would have a little black light torch and we'd be able to just shine and we'd know whereabouts to put them, but that's hard to explain. So what we changed to, which has sort of been successful and there's times it wasn't, we started to take extra strong mints, and I dunno if they've got them in the States so much, Max, but they're like a chalky, big mint that works like chalk.
So it works like chalk to reduce that, instead to just put these lines on the floor, on the walls, because we could explain that. You couldn't explain if someone caught you making a sign on the floor with one, but if you were caught by a security guard, they didn't immediately think, oh this is a black light and pen. So I'm very cautious about what I take on a job and I'm very careful that I can explain 99% of what I've got on me away quite easily. But yeah, I'm always well saying that though, when I started out for a long time I really did just make it up as I went along. There wasn't really anything, and there still is a quite negligible amount of stuff, that you can study about social engineering that's any good or that's about the physical side. It's really a lot of it is trade craft, which obviously by its nature is quite hidden or very expensive to get hold of if you're looking for white papers and books and things. And so I was kind of making it up a little bit as I went along, so I might just be incompetent, but I've been caught on many a roof and I don't think I've ever picked my way off a roof or almost anywhere, to be honest. I'm just trying. I think there was one time, not so much a lock pick, but cards, and there are tricks and there's stuff that you can use to open locks and things and we've used them sometimes, but generally speaking I would disagree with that. I wouldn't do that much. But everyone has their own experience and their own expertise and their own way of doing it. I speak to people sometimes and I say my con is not your con, right? You have to use who you are, what you have and what you know. So don't copy other people, because what might work perfectly for them, they might just know that they could do that.

                                0:15:10 Emily Wearmouth: Jenny, how much work do you do ahead of any of these sorts of jobs? If we are looking at a broad cyber and physical picture and physical access might be part of your way of gaining access to digital systems, how much work is being done at your desk ahead of time researching employees, finding ways to use their psychology to get into the organization?

0:15:34 Jenny Radcliffe: Well, a stupid amount really. I mean because I'm only using my part of the operation before we hand it over, because social engineers are a blended attack. So the social engineering, whether that's phishing, whether it's vishing, whether it's physical entry, all of that really is to enable a handover a lot of the time to the cyber guys. So I can only speak to my part, but because I can't use any of that, my research was always very thorough, and I mean it was a funnel of research. So we'd just study everything about that company, that target, that person, to a silly point of view really, because I wanted to be at the point where I knew as much as anyone who didn't actually work in the day to day would be. So we'd sometimes send in B teams, we'd go and do research, on-site reconnaissance. So it was quite a lot. And honestly depending on the job and how serious the client would be, and by that I mean how much they were willing to pay for that kind of reconnaissance. Sometimes the clients think it needs almost nothing and we don't work like that. And sometimes they think it needs a lot and you don't know until you look into it, right? But it would be a lot, I mean at least two and a half times the amount of time it would take to do the actual infiltration, which we try and do in 90 minutes, but we'd have a week put aside looking for the right opportunity. So probably a couple of weeks really, depending on what we find, really in depth.

0:17:13 Emily Wearmouth: And I'm going to say the letters. Does AI help you with that research?

0:17:19 Jenny Radcliffe: So this is the thing, and this is why I didn't mention it then, I knew you were going to ask me. AI has cut that down. First of all, the internet cuts it down. So I started sort of pre-internet real or pre good internet. And then in the beginning, no internet, but I used to have to, and I always say this when I give keynotes, I used to have to hang out near the site and sit in whichever bar they all went to on a Friday night and listen and listen out for things and note activity, and one of the things we always saw was the way employees used the site and the way employees broke the rules and got around security. We just followed what the employees did, and then the internet came along and that cut everything down and OSINT became easier and we managed to do that. But now we have AI, it makes that level of research quick. I mean really quick, reducing from days and days down to minutes or even seconds, not to get the same level of interpretation but to get the amount of data. The difference between somebody who does social engineering and somebody who feels that they're a really good social engineer isn't the quality even of the data. It's learning to interpret and find the story that's going to be the hook that's going to get you in. But AI has enabled people to get 80% of the way there very quickly.

0:18:47 Max Havey: I am curious, in the AI world you talk about that sort of reducing time, reducing how things are happening here, how is that sort of changing things, and we're seeing AI automating tasks that humans do. Is social engineering at all on your end sort of now doing social engineering for AI and finding ways to trick that AI to get you the information that you need? How is something like that becoming a part of your toolkit at this point, or is it becoming a part of your toolkit at this point?

                                0:19:13 Jenny Radcliffe: Well it is because AI is very, obviously it depends on what you want to think about AI. It's either it's going to kill everyone.

                                0:19:24 Emily Wearmouth: That's the pessimistic view, Jenny,

                                0:19:29 Jenny Radcliffe: Mmhmm it's probably true. No, it's probably true, but also it's very smart and it can do lots of things, but it's not as smart. In some ways it's smarter than humans and even a room or a stadium of humans, but in some ways it's not. So if you can imagine if you can fool a human into telling you things, you can fool AI and that's a bad thing because criminals know that and are using it that way. So you absolutely can socially engineer AI or some AI for some things right now by being very specific about what you ask. And by it not really being that good at detecting deception from a human yet, at least they're not the ones that I have seen.

                                0:20:21 Emily Wearmouth: So an organization's AI and particularly agentic AI can become one of the tools that you might use to get into the organization.

0:20:31 Jenny Radcliffe: I wouldn't necessarily rely on that, but it's just a tool, right? It's a technique, but you don't have to be a lifelong social engineer who's done this for years and sort of feels like that you can speak to people like you about it to be almost as good. And that's the problem. You don't have to be brilliant at it. You just have to be good enough. And I think that's how it's being used, as how it's weaponizing human nature, which is something that I always did, was weaponize mistakes and psychology. I might be able to do that slightly better just because I'm a thinking, living human who's done this for a long time, but sometimes you don't need me, and this is why we turn jobs down sometimes. I say, well you don't need that. What? You just need a really good red team with a couple of people who are quite good at social engineering. So you don't need someone whose whole expertise is this one particular thing, which is warping human psychology, but you don't always need that to get past. And we've seen that happen at scale. The difference is it's at scale. So whereas we are limited by just being physical humans and the size of the team and the workloads of what we do, AI is not limited by that at all. So there's this trade off between having someone who will get past and will keep trying as a human and will adapt, but only being able to do as much as we can physically take on, to a machine that doesn't get tired. It's sort of Terminator stuff, it doesn't get tired, it will absolutely not stop. And it will do that at like 60, 70% effective but over and over again. So just statistically it's going to get through.

0:22:21 Emily Wearmouth: Can I ask you a question that flips to the other side of the AI thinking? If you are the people hacker and a big tool for you is taking advantage of human psychology, I'm wondering whether you are yet seeing or anticipating seeing any changes to human psychology that AI might bring, or as we grow in our dependence and use of AI systems, does that change the way humans think and operate that you think might leave more doors open for you?

0:22:51 Jenny Radcliffe: Yes, because everyone's got lazier and therefore you're not as sharp. If you don't read the book, but you just read a summary of the book, then you haven't really absorbed the learning in the book. If you are asked to give, I dunno, a presentation and you don't write the presentation, then you don't really know as much about that presentation. And this has been a problem in security for a long time, that there are people in security who are there just purely for the showboating side of it and whatever, make a living however you can. But this is security. If you give the wrong advice or if you don't know what you're talking about, that's dangerous stuff. And I don't just mean financially or reputationally, that's dangerous in lots of ways. That's a problem. It's made it easy for people to look as if they know what they're talking about and to get lazy. As a social engineer, we can absolutely exploit the fact that you probably dunno what you're talking about, that certain people dunno what they're talking about, and if they're on the defensive side, we'll get past that easier than if they really knew about it. And that's on the security side, never mind just people who are not in security, not really thinking that defense is part of their job as just an employee who does something else well. So that is a problem. That's how humans are changing.

                                0:24:22 Emily Wearmouth: I'm utterly fascinated to see, I've got a number of teenagers within my household and I'm fascinated to see the way their brains interact with the world in different ways to how mine did at that age because of their expectation of what's going to be done for them by systems. And we didn't have that. And so I think that psychology change is going to be fascinating in the next few years and yet it potentially exposes new risks for organizations.

                                0:24:50 Jenny Radcliffe: But I think as well there is some merit, I agree with you, but I think that there is some merit in the fact that younger people, teenagers and even kids have been born into a world where this is normal and where this is usual, which means as humans, I have faith in humans mostly, most humans most of the time, to kind of adapt to that and understand the risks, just instinctively see the risk in it. And that's a strange thing to say because people often ask me when I am consulting and stuff, how worried are you about kids online and all that kind of the dark side of the internet and all the exploitation and everything. And of course it's a massive worry because younger kids and youngsters might not see what we see, the potential of the evil of the bad things that's out there. But the flip side of that is that they're so used to it, they've been warned about it and seen it from when they were very young, that in a way this is their world now. And they will, I hope and I think that they will adapt better than we will. We are more kind of fearful of it, I think. And in some ways that's great, we should be, because we're there to guide the next generation as to what could be so bad out there. But I'm always heartened by the fact that kids kind of take it all with a bit of a pinch of salt as well. That's also kind of heartening for me. It's like they're getting well bound to happen. There's something nice about that nonchalance. I think the charm of teenage nonchalance.

                                0:26:27 Max Havey: Yeah, the power of being sort of a digital native.

                                0:26:30 Jenny Radcliffe: Yeah, no, but Max, you're right though. It's that it's the fact that there are positives that come with that. They expect it.

                                0:26:40 Max Havey: No, 100%. And I think that's kind of the interesting thing, taking it all in, the notion of convenience as a risk factor and the idea of people who have lived in this world, who understand sort of the risks, they sort of see some of the signs whether they realize it or not. I feel like that's the way. Growing up on the internet, that was often my case where I developed a real detector. I'm like, that seems fake. Anything that seems too good to be true, that's probably somebody who wants something from me, whether it's my information or for me to sign up for some sketchy credit card.

                                0:27:14 Jenny Radcliffe: There's a cynicism, which is kind of awful, but also has got a positive perhaps

                                0:27:22 Max Havey: The silver lining of cynicism.

                                0:20:04 Emily Wearmouth: That sounds like your book title. Can I ask a question about failure? Firstly, I was intrigued to know Jenny, people are paying you to get into their organizations. What is your success rate? And then for whatever the percentage is where you can't get in, how long do you keep trying? What parameters do you put around that?

                                0:27:45 Jenny Radcliffe: Same question honestly, because the truth is we keep going until we do get in, so the success rate is a hundred percent and everyone says, oh, no, no, no, you must have been... no, we've been stopped lots and lots of times with various exciting consequences. But if we are stopped, we'll go back, even to the point where it costs me money to put the team in again, because I had a reputation, my ego couldn't have handled it. I had a reputation to maintain. But I suppose it sort of depends. I've seen places that would be extremely difficult to get past. I've not been tasked with getting in, but I've seen how difficult it would be. And for something like that, it's a longer bin and often that is not commercially viable. They can't say we would let you do it. But there's ones that have essentially, if we are stopped to the point where we have to abort or were retain away, which is rare, so the amount of times that happens is less than 10%, but of that 10% we have always gone back and then we'll hit them again and again and again, as many times as I need to hit them, so that in the end I can go to that client in whatever coffee shop or conference room and present them a win that we did it, because otherwise, why would you hire me? I mean there's times when I've looked at, say I've had a client that's given me four sites and said, we want you to break into this one or this one, and I've gone, of the four sites that you've given me, that one's the hardest one. So I can rank them just from reconnaissance, I can rank them and say, that's going to be the hardest one. So that's going to cost you more for us to do it. It's going to take us longer. I'm going to need more people. Am I going to need kit? And that kit might be expensive. Do you still want me to do it? And they say yes sometimes and they'll pay for that. 
                                But generally speaking, I mean there's times I can look at a site and go, you won't do that on social engineering alone, high security stuff. So

                                0:30:03 Emily Wearmouth: At that point you might need a crane and a power tool for instance.

                                0:30:10 Jenny Radcliffe: You very well... no, because that wasn't that particularly difficult.

                                0:30:14 Emily Wearmouth: So I'm referring to the Louvre heist for anyone unsure of the methodology that was used in Paris last autumn, but do you have thoughts on that one, Jenny?

                                0:30:26 Jenny Radcliffe: As you know Emily, I do. So the day that happened or the day after, I got so many emails and calls wanting me to comment, and I wouldn't comment specifically on all of my theories on the Louvre. But what I'll say is that there's a lot of lessons here for security. And it's not that whatever the password was, Louvre or whatever it was, it's that when these things happen, the lesson is that you have to look at any breach holistically and you have to ask the question. Everyone was asking how, how did they get past security, why was security terrible? All of this type of thing. But the real question is not ever that, you always have to ask why. And I know that one of the problems, and I speak to very senior people sometimes, they say, well, it's financial. It's always financial. It's never, ever, no matter what it is, it's never just financial. You have to look at the secondary motive and then the motive under that and then the people that you're dealing with. And for the Louvre you have to think about what was taken and when was it taken. And I've heard good people, good security people say, well, they did it in broad daylight so that people weren't as suspicious, I mean you wouldn't rob some in broad daylight. So people were less suspicious. And that's true, but it's also so that people can see that something has been done. It's what we call a vanity heist. You are showing people what you've done, and specifically the people who want that loot. And for me, that tells you everything about who's behind it, who funded it, why it was done at that time. And you have to look at the bigger picture in the world. And that's what people never do. Instances are seen as far too isolated, right? It was an attack on us, on this business. But when you look at the TTP of things, when you look at the patterns, it'll give you a lot more information as to who's behind these things and why. 
                                And if you take money, almost take money out of it and look at everything else. The money side of it, we deal within the incidentally and the aftermath of the incident and how we all cope with that and get all our systems back online. But the real question is things are connected. And this is where I revive my podcast series of the Tin Foil Hat Club from lockdown. But you really do need to think that these things are connected and they're connected to a wider network than what is immediately obvious. And as soon as you start looking at things like that, you see things differently. And that's what helped us, me and my team, with a lot of investigations and things that we've done in the past, is to take, if we take the money out of this, what's going on?

                                0:33:28 Emily Wearmouth: And is that in particular when it's very public, because some of these things are never public and they're kept very quiet. And so the motivations are different. Is this principally for when it's done deliberately to be visible, some of the big hacks that we saw in the UK last year, they were designed to be very visible. Are those the sorts of ones where we should be looking at a slightly different non-financial motive?

                                0:33:50 Jenny Radcliffe: No, I think that's a good question. And it's not about assumption, but I don't think it's true. It's not how many people see it, it's who sees it. So it doesn't have to be public for it to be nefarious in that aspect. I can tell you something funny though. I'm not going to say who it was, but one of those big hacks last year did not surprise me at all because I had been on a social engineering job with a colleague and we'd been in a hotel and we weren't doing the job until the evening of the next day. So I break my rule and we're having a glass of wine or two and we're having a chat, and it was summer and we were out in the balcony part of this hotel in the gardens and it was lovely. And behind us there was a group of corporate, all men, who were very loud and very obnoxious to the staff and everything, which is one of my pet hates. I hate people who to waiters and things, and you couldn't ignore them. And so we could hear stuff they were saying, and it transpired that they were the security team, the cybersecurity team of a large company. And so we decided to see what we could get them to tell us, for fun, for the lols.

                                0:35:20 Emily Wearmouth: Bar games.

                                0:35:23 Jenny Radcliffe: We initiated sort of conversation, which was easy to do. They were, like I say, they were loud and obnoxious. It was getting very late and they were drunk as well, and we were not drunk. We'd had wine, but we were not drunk. And I said, hi, so you're in IT security. Does that mean that you stop hackers? And they go, yeah. And I went, what is a hacker? Is that people who want your password? And they went, oh well, yeah. And it was like, oh well, little lady. Yes. And I said, oh, I said, so if my password's password 1, 2, 3, is that bad? They're like, yes, that's bad. And I said, oh. I said, so what sort of things do you do about that? And I got them in this conversation, and if they hadn't been so bloody awful and patronizing, I would've left it there, but I didn't leave it there. And they ended up telling us so much information in a very kind of, oh well. And so they were like, okay, well good luck. Bye. And as we went out, I just slipped one of my cards, which is a poker chip, into the pocket of one of them. And then this is going, this was a few years before this all happened last year. And I just always think that guy must, if he'd ever looked me up, he'd have thought, oh God, I was socially engineered. But then it doesn't surprise me to hear that despite every explanation I've heard in the press and everywhere else, it does not surprise me. It did not surprise me one little bit that they got hacked, because what they're doing is physically, in the physical world, they are leaking everything. Their system could have been perfect. And I already knew far too much about, not only detailed information, and I mean detailed information, about what systems they used and stuff. We could ask them in a way that they would explain it like it was to a child, but we're not children. We've got colleagues who could explain even to me more what to ask. 
                                But also just the arrogance of that culture, and the arrogance of that culture is one of the things that as a social engineer, I will zoom in on and I will absolutely destroy you, because if a business thinks that they will never be caught or that they're that good that they can talk about it, no one cares, then better it's me than one of the "real bad guys." I had information, if I'd have chosen to sell that to nefarious people, that would've been worth a fortune. But it was only a matter of time before they were hacked.

                                0:37:53 Max Havey: I think it's so interesting here as you're laying out all of these stories and things from your career, that much of your approach to social engineering, at least in the psychological sense, is just asking the right questions and knowing the sorts of things to ask people, whether they realize they are being socially engineered or not. And that's the most interesting thing for people like Emily and I, whose job is asking people questions for contextualizing things. It's so interesting to hear how you are using that for other means here. That's fascinating.

                                0:38:29 Emily Wearmouth: I want to be your work experience girl, Jenny.

                                0:38:32 Jenny Radcliffe: Until you fall off a roof, I've told you, or have to do 10 dumpster dives. But I think one of the things about what you said, Max, it's so interesting because it is asking the right questions, it's being able to read people, and that's being able to read their physicality. So understanding psychophysiology, it's being able to understand linguistics to a certain extent. So I'm limited outside my own language because there are nuances in the way people speak, but it's also sort of from a social point of view, looking at the way groups interact and looking at people's identity within a group and then their identity as what they present, the public face, and being able to, and this is so evil, but being able to see what would shatter that. So that's the art of a really sharp spear-phish, is really being able to get to the heart of someone, because then they question themselves. And if they question themselves, then you introduce doubt. And it's the doubt that we play on, and that's evil in the wrong hands. But to do that, you have to study widely outside of your discipline. And I think that's one of the things, back to your question, Emily, about AI. That's one of the things that we've got to be careful not to lose, is building up interdisciplinary knowledge and expertise. Because without that, you can't be as good at my type of social engineering. You can't just go in and know five things that influence people, that'll get you so far and that'll be great. You might make a career, but if you want to get really good at it, and have a signature type of social engineer, and there are signatures on my attacks where if you know me and the industry, you'd know it was me. If you want to get to that stage, then I think you need to study outside of your discipline really. But who knows whether that's even required as much anymore? 
                                It's a niche profession, and there's only really even, we don't only do a few a year now, really, because I don't think most businesses need to pay for or have that level of psychology behind it. Like I say, it's more tradecraft than anything, I guess you'd call it.

                                0:41:01 Emily Wearmouth: I have to say, I dunno about you, Max. I feel very vulnerable. I feel very like I'm being watched and interpreted at all times in this conversation. I didn't at the beginning, but by this point I feel vulnerable.

                                0:41:12 Jenny Radcliffe: People always say that to me and I always say, are you paying me to do that? And if you're not paying me to do it, I'm not doing it for you. Fear is true. People say, oh, you're doing it now. You're doing it now. If you've robbed me. I said, are you paying me to rob you? No. Well then I'm not robbing you.

                                0:41:28 Emily Wearmouth: But the motivations aren't always the money. Jenny, I've picked that up in this conversation.

                                0:41:32 Jenny Radcliffe: No, that's also true. That's also true. And if I don't like you, I might do it as well. There are people I don't like who I would do for nothing.

                                0:41:42 Max Havey: This is a good reason to stay on Jenny's good side here.

                                0:41:45 Jenny Radcliffe: Well, it's been said

                                0:41:48 Max Havey: Well, so Jenny, we've kind of talked around this a bit, but from your years in being a social engineer like this, what is one tip you want to leave folks with, whether that's in physical security, cybersecurity, any realm of security, what's one tip you want to leave folks with?

                                0:42:04 Jenny Radcliffe: People need to shut up, honestly. Stop talking about yourself, what you like, what you don't like, what makes you frightened. Be private. Be more private, right? In corporates as well. Be more private. Think who is listening. Think about what someone can do with that information, online, in person. Stop it. Stop it. Privacy used to be such a currency. It's such an elegant quality to protect. And yet I see security professionals putting details about their personal lives and stuff all over the place. And you think, I understand that this should be harmless. It isn't, right? It isn't. So we still have free speech, more or less, here, and you can choose what you want to do, but please make it a choice and not just be lulled into this sense of I can say anything and nothing will happen. It will. I don't need much to grab you. I don't need much to understand how your brain works and what you feel about yourself. And so the more that you put out there, the more vulnerable you're making yourself. So why do it? I've written a whole book, a whole autobiography, and I still meet people who say, I don't really know much about you, and you don't.

                                0:43:25 Emily Wearmouth: I'm an oversharer, so I'm going to take this tip on board.

                                0:43:30 Max Havey: Well, wonderful, Jenny, thank you so much for taking the time here. This has been such an interesting conversation. I can only imagine our listeners and viewers are going to think the same thing. So thank you so much for joining us. This was so great.

                                0:43:43 Jenny Radcliffe: Oh, no, it's been such a pleasure. Lovely to chat to you both.

                                0:43:47 Emily Wearmouth: And Jenny, can I put in a request for your next book? Because you know there's loads of books about who was Jack the Ripper. I feel like there's a book waiting to be written, Jenny's Theory on the Louvre heist, and you can tell us exactly who you think it is. I didn't probe too much with the questions. I couldn't work out if you wanted to tell us, but I feel there's a book there.

                                0:44:06 Jenny Radcliffe: No, well no. The next book is not that.

                                0:44:10 Max Havey: Well, with that, you've been listening to the Security Visionaries podcast. I've been your host, Max Havey, and if you enjoyed this episode, share it with a friend and subscribe to Security Visionaries on your favorite podcast platform. There you can listen to our back catalog of episodes and keep an eye out for new ones dropping every other week. Also, if you like our episodes, please be sure to rate, review, and subscribe. That really helps us and we want to keep doing cool episodes like this. So please do that. You'll either find episodes hosted by myself or my co-host Emily, or our other co-host, Bailey Pop. And with that, we'll catch you on the next episode.
