8th Layer Insights 10.18.22
Ep 26 | 10.18.22

Social Engineering and Breaking into Stuff with Jenny Radcliffe

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights."

Perry Carpenter: If you've been watching programming trends for TV or YouTube or podcasts and books, then you know that there are large groups of people who are fascinated by true crime. Why do you think that is? Well, after doing just a bit of study, I think there are several reasons, and a few stand out. First of all, true crime is storytelling. We all know the power and the draw of a good story. There are fleshed-out characters. There's mystery and tension and a sense of struggle between good and evil. And there's often a resolution at the end, a sense of relief. There's also a sense that you are gaining knowledge and understanding about areas of life and society and personalities that usually hide in the shadows, beneath the surface or behind the mask. 

Perry Carpenter: In a lot of ways, you see a parallel between people's fascination with true crime stories and their love of spy movies. But in a way, true crime is like a great spy movie or a mystery, but without the gloss that Hollywood puts on it. It's the beat-up, dented, unvarnished reality. And in that reality, we are confronted with the fact that we are all vulnerable. And those vulnerabilities are baked into everything, from our buildings and locked doors that are often not much more than a facade of safety and security, to our procedures and our routines, to the way that we live our lives and interact with others. Vulnerabilities exist everywhere. 

Perry Carpenter: And, of course, now you see where I'm going with this. As cybersecurity professionals, one of our main mandates is to minimize the number of vulnerabilities we have or to mitigate the threats that those vulnerabilities pose. We do that through things like vulnerability scanning and various kinds of audits and assessments, and we also do that through what is referred to as red teaming. And a red team's job is to take on the mindset of an attacker and to use many of the methods that a real attacker would use and essentially become the true crime embodiment of the threats an organization or an individual might face. Their job is to peel back the often too thin veneer of safety and security and expose where we are most vulnerable. They do that. They adopt the mindset, and they use those methods so that hopefully we don't become the plot points or the characters of the next great true crime show. 

Perry Carpenter: And that brings us to today's guest, Jenny Radcliffe. She's a well-known speaker and podcaster and, important for today's show, Jenny is a professional social engineer and physical penetration tester. In other words, she is someone who specializes not only in tricking people into doing things they shouldn't do, but she also specializes in getting into places she shouldn't be and finding things she shouldn't be able to find. Her job is to embody the criminal mindset and use the skills of a criminal to find those vulnerabilities that a criminal would find. Stay tuned. 

Perry Carpenter: Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights," Season 3, Episode 6. I'm Perry Carpenter. 

Perry Carpenter: Welcome back. As I mentioned in the introduction, my guest today is Jenny Radcliffe. Jenny is known as the People Hacker. She's an expert social engineer, a physical penetration tester and is extremely good at showing organizations just how vulnerable they are. So without any further preamble, let's get to the interview. 

Jenny Radcliffe: Hi. My name's Jenny Radcliffe. I'm known as the People Hacker, and I'm a social engineer who specializes in psychology and physical infiltration. I describe myself as a lifelong social engineer because I started out when I was really little, though we wouldn't have labeled it social engineering back then. I had some family that sort of looked after me when I was little. My mum and dad both worked shifts, and I had some weird kind of stuff happen in the neighborhood. You know, I was kind of held by a neighbor and not let go for a little while, got into some fights and things, and I ended up hanging out with some of my older family, who were already into urban exploration. So they were going into empty buildings and things. You learn very quickly when you hang out with an older crowd like that, you know? So I learned a little bit about alarms and doors and things. 

Jenny Radcliffe: But more specifically for me, what always interested me was the patterns of life I'd see in a building, the heartbeat of a place, the energy of a place. And that became really something I was interested in. And over time, I ended up kind of doing bigger jobs, eventually more official jobs that I was paid to do. And it took a long time, Perry. But after a while, that became something that one could actually say - I do this job. I eventually kind of came out of the closet and said, yes, I'm a social engineer. And then suddenly everyone was interested in everything I did. 

Perry Carpenter: You use a couple phrases to describe yourself - people hacker, which I think equates to social engineer. But then also you say burglar, so you get straight into the physical piece of things. Can you talk about where those ideas connect and where they may also be separate things for you? 

Jenny Radcliffe: When I say burglar for hire, it's a good, I guess, attention-grabbing line on something like LinkedIn or if I was doing keynotes. It kind of focuses people on that physical infiltration side. I learned very early on, after doing some forced entries, that talking my way in was a much easier thing to do. It was safer. There was less repercussions afterwards with clients, et cetera. So for me, one of the reasons I talk about burglar for hire and the physical side is that actually, that is the more rare skill. And that's because phishing social media approaches are obviously far more common than they were when I learned to do this many years ago. 

Jenny Radcliffe: And although physical infiltration is still something that many businesses and organizations still request, the links to cyber are the thing that people are more interested in, I think, on the day to day, because everyone's being phished. Because I'm not a technical hacker and I have really almost zero technical expertise, actually, the thing I'm hired to do more often than anything else is to steal something to prove that it can be stolen. So it really was a good description. 

Perry Carpenter: When you think about that aspect of the job, what typically gets you going? When somebody's given you scope and they say, I want you to do this, where do you start to smile and say, I can't wait to see if I can get away with that? 

Jenny Radcliffe: When I'm hired on my own or when it's with my crew, I'm as often as not told, show us what you can find. And that makes me smile. And they start - it's like, we don't really know exactly where our risk is. And what I'm hired, I guess, to do is to put that attack perspective that I've had since I was tiny and that kind of criminal mind and go in and say, this is what I found. This is what I could potentially have done with it. This is the art of the possible in terms of malevolence. That's down to imagination and putting that malicious hat on and say, in theory, I could have done this. 

Jenny Radcliffe: An example I'll give you - I had a little crew, and we got into a very secure site in the U.K. The client had assumed that we'd spoof a card, so they didn't want to pay for us to do that. So they said, we won't pay for you to do it. We'll just give you an access card. This is not particularly difficult. So they made an assumption - this is - OK, so assume that you've got that. We went on the debrief, and they said, well, you know, if we hadn't given you the card, what would you have done? What's the process of spoofing this card? And so we went through some technical stuff. Not difficult, as you know. 

Jenny Radcliffe: And then they said, OK, but assuming that you didn't have that machine, what would you have done? And I said, honestly, we'd have stolen it. They said, what (inaudible) - I mean, we'd have stolen it off one of the many staff that we see walking in. And they said, well, they would have reported it stolen straight away. And I said, well, we wouldn't because we'd have held them. (Inaudible) well, we'd have held them. We'd say, this is a security test. You need to comply. And we took - and we'd have held them. And they said, well, oh. It's that mentality of saying it is possible to do this. So I suppose the things that really set us alight are the jobs where they don't give us a real list, and then we surprised them with our deviance. 

Perry Carpenter: If somebody were to just drop you in front of a building with no prep and you've got to get in, and this building seems locked, there may be some guards, what would be your first step in trying to gain entry into that building? 

Jenny Radcliffe: Well, depending on time, you watch and see what else - what everyone else is doing. But, I mean, there's vulnerabilities everywhere. I think one of the mistakes people make is they say, well, it's security by deception, isn't it? It's - you know, well, this is - this door is marked locked. This door is alarmed. Not necessarily. These are the ways in. Most buildings have ways in through a combination of the regular doors. So always go for the - you know, you make your life easy if you can. Will someone let me in? Can I tailgate in? Is there somewhere open? So what we'd call an operational opening - is there a window or a door that's - you know, which is sadly the case - it's usually on most buildings, except if they're absolutely brand-new - but even then, at least one window or door that's not fitted properly, one alarm that's been switched off, something that's been jammed open or somewhat because everyone who works there wants to get around it as well. So we look for those things. 

Jenny Radcliffe: If that seems too solid and we can't do it, I mean, I always look to the people first. Who's coming and going? If we don't have that, what about the building that's adjacent to it? What's underneath it? What's around it? You know, you have to see the site as a whole, not just who comes and goes and lives and breathes, but what's it connected to, and where does it go? In the majority of cases, you'll see either a way in that's not been covered, a way in that's been broken or humans coming and going. And if all else fails, you've got to find a way to persuade or to get a human to let you in. 

Jenny Radcliffe: To give you an example, obviously, I live in the U.K. And we went on holiday, and we went to see these big castles. The U.K.'s got loads of these castles. We've got castles from like, you know, 1066, practically, all the way up to more new ones. And some of our castles have got rooms and things from every age. And we get to this castle, and in it - part of the attraction of this thing is that you go and see the dungeon, and it's a proper torture chamber dungeon. And this thing, Perry, oh, my God. The walls are, like, 12 feet thick, rocks, you know, just this massive wrought-iron gate. There is no vulnerability in the physical structure. And somebody who I was with said to me, so - you know, go on, then, genius. How would you get in or out of here? 

Jenny Radcliffe: You know, and I looked. I stood there, and it took me a minute or two. 'Cause, you know, you sort of - so I do my usual things. So you work in - anyone who's military or former military, you'll know what I mean. What you do is sweep left to right, top to bottom. So you do a sweep for vulnerabilities (inaudible). No, no, no. I'm kind of very quickly assessing there is no vulnerability here. But, of course, someone locks the door and someone unlocks the door, and human beings can be bribed, coerced, persuaded and influenced. The oldest tricks in the book is what applies in that situation in a fortress. And that's why I say - and I use it all the time in keynotes. I have this saying, which is I don't need to work on the lock. I need to work on the human. 

Perry Carpenter: Soon as you've closed a deal - and by closed a deal, I mean somebody has called you. They said, we want you to do this job. You've agreed to it. Maybe you've signed something that says that you're authorized to do it. What's your next step? 

Jenny Radcliffe: Let's imagine that we get this contract in and someone said - right? - we want to hire you. Got a physical security job for you. This is the site, signed, sealed and then off you go. We will have always agreed a particular window of time that we will be allowed on that site. And often, that can be very, very restricted. The one I remember most particularly being difficult was I had an 11-minute window to get to a secured area where everyone was stood down. And then after that, you know, armed response and a million other things would just kick back in because there is always that - the chances are slight but never impossible that you're in the middle of something and then something actually happens, and everyone's being stood down. 

Jenny Radcliffe: And actually, that's quite clever. That's how I did it some way. The number of times that we've got into buildings through fire doors, alarmed doors in the middle of a fire drill, I can't even - I couldn't even count - hundreds, probably. So, you know, it's always good to use whatever's happening. 

Jenny Radcliffe: But once we're in that position, it would depend on the job. So depending on the type of team I need, I would look to my network and start assembling people. I usually need at least one access specialist hacker. What we tend not to take on or even recommend people for this sort is the pure red teaming from, you know, a technical perspective. But I like it. I know some access specialists, and I tend to have someone who is very much a forced entry type of person. If you're listening to this interview, you know I'm talking about you. 

Jenny Radcliffe: And then I have a - there's a variety of people who specialize in maybe spoofing cards or that type of thing. And then there's everything from role players - lots of those - to fence hoppers - you know, some parkour people, that type of thing - and some other social engineers. One of the most important things is you fit the crew to the job. You don't say, I have this crew and we're going to use everybody on this. We look at the job, and then I'll pick who we use. And I would usually have a war room not long after that with everyone in, and then start assembling our intelligence and our plans of the actual physical site. And we task a couple of people on different areas of reconnaissance. 

Jenny Radcliffe: So we'll be looking at a funnel of information based on the physical site. The top of the funnel, the wide part, would be the macroenvironment for that business, that organization, that company, then down to the company itself. So when I say macroenvironment, everything that's impacted on that firm, from political influences - you know, we just did a job, just before summer, of a firm that was massively impacted by a conflict that's going on. And it changed their strategy. So we need to know that because when we're on site, I need to know what's on people's minds at work - all the way down to the business itself, to the actual sites, the physical locations and all the different personalities from the different locations. 

Jenny Radcliffe: And we see this very much in the States - when we did some work in the States. Depending on whereabouts in America you were, there were very different energies, shall we say, and different personalities. You know, every state's got a personality. It's the same in the U.K. You know, people in London - and I'm generalizing - but people in London may be different than people in the northwest or in Scotland or something. 

Jenny Radcliffe: So all of that. Narrow it down to 20 to 30 individuals, and then we start narrowing that down to teams and where sources of information lie and access and privilege lies, until we've narrowed it to about six or so people - six or less. And then I'd know everything about those people, and that's because they're the people we expect to meet on a pen test. And that's all done before we even go, this is the best way in. And then we'll come back and we'll (inaudible) the best way in. We will also do some dummy runs, send in disposable B teams, and lots and lots of phone work. So, for example, one of the things we might do is call up and say, you know, I just think I've just seen someone on site without a pass. What's the best thing for me to do now? I think I've seen someone climbing over the fence. What - where do I go? And just find out a little bit what - how different people react to those. 

Perry Carpenter: Is there a job over your career that stands out as, like, if every job could go like this, this is what I would love? 

Jenny Radcliffe: We had a job in a great big mall in London, and I had a whole crew put aside. Client was well-financed, happy to pay. We studied the layout, which was extensive. It was like a city. You know these great big malls. It was like a city and got lost lots of times on reconnaissance and dummy runs and things. And then we researched the security team really well, and, you know, the firm and everything they did in the protocol. So we were looking to see hierarchies. You know, would they obey orders if it came from the "office," in quotation marks, or were they a bit more creative and that - and all of this, did all of that. And then we looked at the management team, ton of OSINT, files of all the names and, you know, the kids - where the kids went to school and the kids' hobbies and all sorts of things, looking for all the different ways in. And all of that's off site, more or less. And it took a long time. It was a big site. 

Jenny Radcliffe: On the day, we walked in, walked up to the management offices of the most - like, a separate little floor. Wasn't completely separate, but more or less, they have their own offices above everything else. And the door was open. There was nobody there, really. Couple of people kind of on monitors and things. They weren't really doing anything. I mean, I just walked in, went straight to where we were meant to go, picked up what we needed to pick up and walked out, almost wanting someone to challenge me so we could test all of our intel and all our, you know - we'd made all these kind of sexy backstories. And we had all these ideas, and there was a B team, and I had drivers at every exit. And the whole thing's kind of over in less than an hour, really. I mean, and that's only because it was such a big place for me to leave. And then we got paid. Mission accomplished. 

Jenny Radcliffe: And so I suppose in one way, that was great because I didn't get chased by security guards. I didn't hurt myself. So I didn't fall over or get locked somewhere. I didn't have to persuade or argue with anybody. There was no kind of waiting around. It was just a very easy job. It's very anticlimactic. There was kind of nothing to celebrate. At the end of every job, we do celebrate. We do fat chips, another lager or a glass of wine and kind of play some heavy metal in the car. Genuinely, we have all these rituals, you know, and just kind of decompress. And there was no reason to do it. So do I wish every job went that way? Professionally, I should. 

Perry Carpenter: Have you ever had a job where after you've finished it, you've adapted your process to say, here's where I think I can be more effective? 

Jenny Radcliffe: So the difference between someone who's good at a job and someone who's excellent at a job is review, right? You have to review, review, review. What went well? What went badly? What would we change? Right? So review is very important, and you need to do it as soon as you can after the job, so next day, certainly within 48 hours, but then again about a month later. So we review, review, review. I adapt personally on the crew depending on who I use because I can track them. So I use different people for different jobs depending on what specialisms I need. But we all have to do that, and that's a condition of being paid, is that they commended the review. In that sense, I adapt after every job. However, probably what's more an answer to you is when things go wrong. And it's more that it becomes a silly rule, right? It becomes a heuristic for my life. 

Jenny Radcliffe: So for example, I have things like you're not allowed to eat anything on a job, and that's partly hygiene because, you know, you're sometimes very hungry. You've been in a bathroom for hours or hiding behind garbage cans for hours, or, you know, sit and wait in the back of a van or something. And you do get actually quite hungry, and I don't want people to eat. I don't want you to be starving, but visceral urges like needing to go to the bathroom or being thirsty. So there's kind of a level of hydration that you need to kind of maintain, not too much and not too little. 

Jenny Radcliffe: Don't wait to be hungry so your stomach doesn't rumble because I was in a job at an office years ago. This was years, Perry. But I was in this job. I hadn't eaten anything for ages, and I was hiding behind, like, a big - kind of like a screen that you use when you go to something like InfoSec or RSA with the company logo on it. But it was huge, right? And they're there in some giant - not even a meeting room, almost like a hotel where they always have presentations and stuff, just like a little stage. But I was behind this big thing hiding, listening to this conversation, and my stomach rumbled. And one of the ladies said, was that your stomach, James? And he went, no. Was it yours? And I'm behind the thing thinking, no, it's mine. Oh, my gosh. 

Jenny Radcliffe: So from there on in, you couldn't be hungry, but you shouldn't eat because every time I've eaten anything on a job - and you find food all the time in these jobs. It's such a strange profession. You know, every building has its secrets, just like people have their secrets, Perry. Buildings have secrets, and people stash things. And the amount of secret stashes of all kinds of things we've found, but mostly food, would just make you raise your eyebrows in disbelief. So I think there's something - so I say, you mustn't eat on the job. You mustn't insert yourself into the client's story. It's tempting to do that sometimes, to make it about you and about yourself. 

Jenny Radcliffe: But the biggest one was I went - I did one job, which I've spoken about in lots of shows and interviews, but there was a job I did that went very wrong. I was on my own, and I think that's another thing I do differently to a lot of the people in the profession is I work most often on my own or with one other person. So I'll have a driver or a backup much more often than I'm with a crew. And I went in a day early. Because I'd gone in a day early, there was no get-out-of-jail-free. There was no cold calling. And it happened to be a very dangerous area. And so because it was a good opportune moment and I got complacent, I think, and a bit cocky, and I just went in and did it, and then, you know, it was an armed response team. And there was no getting out of it. You know, I couldn't have talked my way out of it. It was just - I was more or less caught red-handed. I happened to get away. I was lucky that I wasn't caught and seriously hurt. But that made me stop the job for two years. I didn't take a job for about two years while I was very scared. And I thought, I won't do it again. 

Jenny Radcliffe: So I think that's the type of thing that - I've got stricter and stricter because I made all these mistakes myself. And as I say, we don't take that many standard sites. So it does tend to be a complicated site, something where there is an element of risk that, whilst I might put myself at that risk maybe back in the day, I certainly wouldn't put my team at those risks and also because things have changed, because there's a lot more armed responses, even in the U.K. And I think there's just - I'm older. You know, your risk appetite diminishes as you age, I think, and that's what's happened. I can't imagine letting people do some of the things I did. I just wouldn't let them do it. 

Perry Carpenter: I'd like to know if you have observations on pre-pandemic versus post-pandemic physical security. 

Jenny Radcliffe: You know, the pandemic changed everything. In some ways, when we returned to offices and things, it was a gift to people like me because, you know, I only have to say COVID to people. I got asked to do a few pen tests during the pandemic, when Britain was in semi-lockdown. We still weren't sure about things. And when we're in the case of kind of - there's a sort of cognitive fog that we use in phishing emails and we use in cons when we approach people to facilitate that kind of bypassing of rationale that you know about as well, you know, that logic. If I can raise emotion, decision-making goes down. Give them a few options. And people tend - given a choice, they'll go one way or the other. And I found that afterwards, that that lingered. 

Jenny Radcliffe: I think now what's kind of happened in a little bit is people have gone back to work, work from home or hybrid model, and they had all the security lessons for working from home. They were told that working from home could be a security issue, and they were told to be careful from a cyber perspective. Then they get back to the office, and it's that weird kind of reverse psychology feeling. Well, I must be safe now because I'm back at work. And someone pointed that out to me quite recently, and it's true that that's what I saw as well. But I think the pandemic focused people more particularly on the fact that it - security wasn't about the building necessarily and that it was probably more down to them that if they lost something, that the cavalry wasn't really coming at. 

Jenny Radcliffe: I don't think we'll ever go back to that - to what we were before, which sounds very dramatic, but I don't think we will. I think it indelibly changed the way people approach their life and therefore their security. And most people who work for a company got a lot of training. But from a physical point of view, it's always contextual, and it's just so adaptable because there's a human carrying on that pen test or committing that burglary or persuading another human. It's just infinite, the directions you can go in at any point. 

Perry Carpenter: As we wrap up today's episode, I think it's important to recap two key points that Jenny made. I really enjoyed hearing about the story when a friend asked her how she might escape from the dungeon that they were touring. She sized it up, realized there weren't any physical vulnerabilities that she could exploit and then said, well, of course, a person is in charge of locking and unlocking the doors. I'd exploit the person. I don't need to work on the lock. I need to work on the human. 

Perry Carpenter: Jenny also said the difference between someone who is good at a job and someone who is excellent at a job is review. You have to review, review, review. If we want to continually improve, then we need to commit to looking back on our work and evaluating what we did well and where we can improve. And I think that's a great point. If you remember, Episode 1 of this season was all about the concept of mindfulness and how that applies within the context of security. We improve by being mindful, by allowing the lessons of our past to inform our future efforts. 

Perry Carpenter: And with that, thanks so much for listening. And thank you to my guest, Jenny Radcliffe. Be sure to check out Jenny's podcast, where she interviews tons of great guests about human behavior, social engineering, business, security and life. That podcast is called "Human Factor Security." Jenny also has a book that should be coming out in early 2023. So be on the lookout for more about that as well. I've loaded up the show notes with more information about Jenny, as well as all the relevant links and references to the information that we covered today. 

Perry Carpenter: If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, there are, as always, two big ways you can do so, and both are still super important. First, if you haven't yet, go ahead and take just a couple seconds to give us five stars and to leave a short review on Apple Podcasts or Spotify or any other platform that allows you to do so. That helps other people who stumble onto the show have the confidence that this show is worth their most valuable resource - their time. And the second big way that you can help is by telling someone else about the show. Word-of-mouth referrals are the lifeblood of helping people find good podcasts. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. 

Perry Carpenter: This show was written, recorded, sound designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.