DTExpo: "I know I can't hack a bank, but I can hack a person," says ethical hacker

Why hack your way in when you can simply talk your way in?

The idea that social engineering outweighs direct system attacks as a risk is age-old, but was well-illustrated at DTEXPO today by an ethical hacker who shared examples of his work.

"This is not a James Bond industry. This is not a super-skilled role where only the most technically capable can infiltrate a company," said the hacker.

"Sometimes, it just takes a bit of effort to infiltrate. I genuinely don't feel like I can rob a bank, even though I've been in three scenarios in my job with banks. I know I could never hack a bank, but I know that if we narrowed down the actual people, we can hack the people once they've been segregated from the business. It's about separating the weak away from the pack."

The hacker shared examples of physical infiltration tactics to easily gain access to systems that were vulnerable beyond a human security process.

"In one job, we had to recreate the scenario of blowing up a chemical vat in a terrorist event," said the hacker. "I looked at the site and tried to prepare or research the building, and the pressure was on: We had to climb the silo.

"I didn't know how I was going to do it. It came to a few hours before, and we'd researched the vat. We'd been told about a special floor valve that was unique to this vat design. So we then had something to talk about and use for the pretext."

With only two people even guarding this dangerous site, the hacker found that hi-vis jackets and boots, and turning up talking about this specific valve was enough to get swept into the workforce.

"We were guided through instructions and safety training and, before I knew it, I was one of them - I was guided towards one of these tanks."

Similarly, the hacker found that befriending a site worker outside in the smoking area was enough to accompany him to the entrance "man trap" that only allowed one person to access at once. "I didn't have ID, and still knew I couldn't talk my way in," the hacker said.

The hacker had the time he needed to carry out his task in the resulting confusion.

In another scenario, the hacker simply entered an office holding a keylogger device, but the office wasn't empty, as originally expected.

"I found myself being ‘the keylogger man' - a fictitious role that doesn't even exist in security. I said to them, ‘Hi, I'm the keylogger man, I'm here to raise awareness of threats'. Somebody saved me, asking from the back of the office, "What's a keylogger?" and giving me my opportunity to explain.

At the end of the day, the hacker explained, often in cyber security "It's just a person, and we can defend against this person if we all work together".