Sec-1 Ethical Hacking Seminar, Manchester, May 13, 2016
‘And here’s the obligatory image of a computer hacker,’ says Gary O’Leary-Steele, indicating a shadowy, hooded figure that has just flashed up on the presentation screen.
Thankfully Gary’s being ironic and his knowledge of the field goes way beyond the stereotype of the sinister loner hunched over a laptop in a darkened room.
In fact, we’re about to learn that far from requiring you to don a hoodie or switch off the lights, you can hack a network in broad daylight while wearing kitten heels…
Easy does it
We’re at the Victoria & Albert Hotel in Manchester, with an audience of around 150 professionals, techies and managers who are here presumably because they worry about the threat hacking – and those benighted, behooded hackers – pose to their respective businesses.
Sitting a few feet away from Gary as he makes his introduction to the day’s seminar is Holly Grace Williams, a colleague of his who certainly throws some preconceptions of what a hacker is into doubt.
With a wry, almost boastful smile, Holly describes her job as ‘breaking into buildings’. We assume she’s joking until she explains that she is a ‘physical hacker’ – when programming experts like Gary have exhausted the possibilities of cracking passwords or corrupting code to gain access to a secure system, Holly does it the old-fashioned way. She sneaks in.
What makes this all the more remarkable is that Holly is a striking woman – she’s at least six feet tall, has a cascade of auburn hair and her big brown eyes brim with mischief. It’s hard to imagine that she can go anywhere without people noticing her, but going unnoticed is precisely her talent.
Gary and Holly work for Sec-1, a provider of ‘penetration testing’ and ‘white hat’ hacking. Companies hire them to find the flaws in security systems and report back before the black hats discover and exploit them. But while Gary will bombard your website and computer network with every hacking toolkit known to man, Holly simply slinks quietly into your office and wanders about until she finds an unguarded PC.
Softly, softly, catchee vulnerability.
The alarming (geddit?) thing is that breaking into a large office building, as Holly explains, does not involve rappelling off the roof or dangling from an elaborate pulley system like someone in Mission Impossible – at most offices you can usually walk in the front door.
Once inside, people may notice Holly, but because she walks the corridors and open-plans with assurance and apparent purpose, they assume she belongs. Sometimes she’ll lay the groundwork by spending a few days hanging around the outdoor smoking area. People get used to seeing her and take her for a colleague from another department. If anyone asks, she knows the names of the department heads and can bluff her way through the small talk.
Getting into the building is usually straightforward. A door code can be observed from a distance while swipe-card systems are easily circumvented by tailgating. Most people will hold the door for someone following them in, even a complete stranger. In the odd case where the door-holder is suspicious, Holly will employ some canny theatrics such as spilling a cup of coffee down herself – who is going to ask someone for ID when they are drenched in scalding cappuccino?
After gaining entry, it’s then simply a case of finding a computer that someone has left logged-in while they visit the loo or the water-cooler. It takes Holly 30 seconds to download one of Gary’s viruses and the returning worker will have no clue their workstation has been compromised. Even if the machine is locked, a nefarious device can be plugged into the back to hijack communication with the network.
With a single compromised computer, Gary can remotely access the network and hack his way up to administrator level, leaving him free to download the sensitive information it contains or take it over for malicious purposes. But for Holly, the jackpot of physical hacking is finding the server room itself. If you’ve ever seen a server, you’ll know they are usually rigged with a tangle of cables, perfect for hiding a small USB device that might go unnoticed for months.
Holly tells us that during one penetration test, the arrogant client didn’t believe she would be able to reach the server room due to the security measures the firm put in place, so she stole the sign saying ‘Do not leave anyone unattended in this room’ as a memento of her raid. Point proven.
Sec-1’s penetration tests are done with the knowledge of senior management and usually the IT team, but for everyone else it’s a secret shopper experience. Holly usually carries a letter from the CEO explaining her real purpose – a get-out-jail-free card in case the police are called. Someone from the audience asks if she’s ever been caught. ‘Once or twice,’ she says. ‘One time I was escorted out of the back of the building by security, then went straight round to the front door and snuck in again.’
There’s an infectious swagger about Holly and her deviousness is admirably creative. Her nonchalant approach to crime and the satisfaction she gets from outsmarting the system are probably all she has in common with the rogue amateur hacker, although she does operate on the technical side of things too. When not breaking into offices, she’ll target them with sophisticated phishing campaigns – the best time to send a scam email, she says, is at 4:30pm on Friday when people just want to go home and will rush through an apparently genuine security procedure without stopping to check the details.
Trust no one
It’s all about human psychology and our tendency to trust each other out of politeness, laziness or preconceived ideas. We might like to think of hackers as disgruntled teenagers in dingy bedrooms, but some of them are tall brunettes with coffee-stained blouses.
Holly is one of the good guys in the hacking war, but if she can waltz into your office unchallenged, so could the baddies. I’m not saying you should now start barking ‘Show me your papers!’ at any unfamiliar women you see hanging around your work place or slamming the door on people with second-degree latte burns, just that it might be a good idea to press CTRL+ALT+DELETE to lock your screen before your next comfort break. You never know who is around.
The main point being made by the juxtaposition of Gary’s stock-photography hacker and his enterprising colleague Holly is that hackers come in literally all shapes and sizes. In an age when corporate giants actually invite the hoodie-wearing teenagers to hack their systems and reward them financially for flagging up vulnerabilities, malicious hacking is a far more sophisticated affair. From powerful crime syndicates to foreign governments, your hacking threat is probably more refined than you think – perhaps even refined to the point of a smart trouser suit and handbag full of computer viruses.