
What Is An Ethical Hacker? | Thomas Johnson | Modern Wisdom Podcast 105

Thomas Johnson is an ethical hacker and social engineer. Hacking is often thought of as a dark art. Dark basements and illegal activities. But there's an entire other world of hackers who are using their skills to subvert security systems both online and offline for good. Expect to learn just how Tom hacks both people and computers to break into secure buildings, how safe your information is online, what tools Tom uses to bypass the systems that are meant to keep him out and his best advice for staying secure online. Also get ready for him to hack into a university's CCTV system only using Google while we are recording.

Thomas (Tom) Johnson (guest), Chris Williamson (host)
Sep 23, 2019 | 1h 4m

EVERY SPOKEN WORD

  1. 0:00-1:27

    Data is the new oil: why cyber conflict is the future of war

    1. TJ

      To me, you've got to understand that data now is worth more than oil. Um, so they're going to put a lot of money into securing that, and they're gonna put a lot of money into defending that. Now, I'm genuinely proud of, of living in England and in Britain, because we have some of the best security professionals in the world. But you have a lot of threat actors as well. So you've got China, you've got Russia, you've got North Korea. You've got all the states that wouldn't necessarily get on with us politically. And you have to understand that for the price of one fighter plane, you can hire 200 hackers. So information warfare is going to be the future of war.

    2. CW

      I am joined by Tom Johnson, ethical hacker and social engineer extraordinaire. Welcome to the show, Tom. It's great to have you on.

    3. TJ

      Hello. Thank you very much for inviting me.

    4. CW

      Uh, it's gonna be an exciting one today. This world of ethical hacking and social engineering is something that I've seen a little bit about online, but I don't really know all that much. But I guess we're gonna, we're gonna delve into it today, right?

    5. TJ

      Absolutely, yeah. I mean, would you like to start off at the beginning, how I got involved in it?

    6. CW

      Yeah, absolutely.

    7. TJ

      Or would you like me to tell you what it is, first of all? (laughs)

    8. CW

      (laughs) No. So yeah-

    9. TJ

      (laughs)

    10. CW

      Let's, let's, let's find out. How do you define ethical hacking and, and social engineering and what you do? And then, and then let's find about, out about the, uh, the genesis story.

  2. 1:27-2:31

    Defining social engineering: hacking the human, not the machine

    1. TJ

      Absolutely. Okay, so social engineering, according to a guy called Christopher Hadnagy in America, is the art of using human psychology or misusing human psychology to get a target to do something or say something they shouldn't do or say, and that is grassroots. So if you can talk someone into giving you the passwords or plugging a USB stick into the computer, then all of this very expensive sort of cybersecurity mitigation is useless, because they are literally giving you the keys to the kingdom. So that, in a nutshell, is what it is.

    2. CW

      I understand. Yeah. I suppose as these, uh, technological firewalls, uh, and safety measures become more sophisticated, the, uh, ways around it that don't require you to just brute force try and break through something that's heavily encrypted, I guess this sort of falls to the, the one remaining weak link in the chain, which is always going to be the, the several-million-year-old brain that sits inside of the person controlling the system, right?

  3. 2:31-3:20

    Your best defense: pattern recognition and the ‘gut feeling’ signal

    1. TJ

      (laughs) Well, uh, in my opinion, humans can be the weakest link, but they can also be the strongest link as well, because they think in a different way to how computers process information. So have you ever had a gut feeling before, Chris?

    2. CW

      Mm-hmm. Yeah.

    3. TJ

      Well, that gut feeling is your subconscious mind telling you that there is something not quite right in a pattern. So your subconscious mind is constantly processing everything around you, and then when you get that gut feeling, that is your subconscious mind saying to your conscious mind, "There's something not quite right here." So that is a really good way to defend against social engineers.

    4. CW

      Yeah.

    5. TJ

      That gut feeling.

    6. CW

      Got you. Okay, so let's start off, the genesis story. How do you ... So h- what happens whereby you are now sat opposite me with a microphone in front of you talking about ethical hacking-

    7. TJ

      (laughs)

    8. CW

      ... and social engineering? Where does it begin?

  4. 3:20-6:01

    Origin story: early hacking, mischief, and the internet as a playground

    1. TJ

      Right. It begins when I was about 12 years old, and I was pulled out of school by an overprotective mother. Um, I was a very small child in a predominantly council area in Wallsend, um, and it wasn't a very good time at school for me. And she was very overprotective, pulled me out, and had nothing to give me work-wise, so she just sat me in front of a computer. So I started playing games, what every child tends to do, and then I started getting bored of games. Um, and I couldn't afford new games, so I started working out how I could break the system and copy those games so I could get them for free. Not because I was a criminal, but because I wanted to play games. Uh, the games started getting boring, so I wanted to learn how the games worked. So I programmed the games, um, and things developed on and on and on. And then something amazing happened. This rudimentary thing called the internet come about, and it'd become my playground. Um, I was spending all of me time online. Um, I had no moral or ethical compass at that point in time. I was young. I, I wasn't a bad lad, but I'd done things because I was a bit mischievous. So I would hack random computers on the internet and download through all the ... Look through all the files, and then it started getting boring, so I started going a bit further. I started college. Um, I got thrown out of college for hacking an internal mail system.

    2. CW

      (laughs)

    3. TJ

      I was ... (laughs) Yeah, I was naughty, but I was sending messages from one lecturer to another saying that they were in love with each other or, or all sorts of different things.

    4. CW

      (laughs) Okay.

    5. TJ

      Getting some funny looks.

    6. CW

      Yeah.

    7. TJ

      I was great at doing things, but terrible at getting away with them.

    8. CW

      Ah, yeah.

    9. TJ

      So I actually got caught and, and thrown out of, uh, college. So I went back again. I lasted about two weeks, and I was thrown out again. Um, I locked the network manager out of his computer, and he didn't see the funny side.

    10. CW

      (laughs)

    11. TJ

      So you've got to understand, at the same time, uh, uh, me skills were developing, um, to a point where college wasn't really teaching me anything. So I was a bit bored, if that makes sense. So it just sort of encouraged me to do more and more risky things, silly things when I look back. I'm a white hat now, may I just add that? A white hat is somebody who puts ethics over morals, over everything. So I will only act within the boundaries of law. But in those days, anything online was fair game. Um, I was running me mother's phone bill because of course it was on dial-up at the time.

    12. CW

      (laughs)

    13. TJ

      Um, she used to put a little, um, key code on, so I wrote a little program that would go through every single key code and, and brute force it.

    14. CW

      Ah. (laughs)

  5. 6:01-7:05

    Getting caught (sort of): the ‘police arrest’ that was a social engineering lesson

    1. TJ

      So within an hour, I was back online again. And then one day, I heard a knock at the door. I answered the door, and there was two big, burly police officers standing in front of us. Um, they subsequently arrested me... took me to the police station, locked me up for about 15 hours, threatened to extradite me to America where I'd get death by lethal injection and everything. And I was absolutely terrified. And in 20-

    2. CW

      How old were you, how old were you here?

    3. TJ

      I was about 16, 17-ish.

    4. CW

      Shit the bed. It's a young age-

    5. TJ

      And, uh-

    6. CW

      ... to be having such, uh, such, such heavy words thrown at you.

    7. TJ

      I'd had a, I'd had a slap about the head and everything.

    8. CW

      Yeah, yeah, yeah.

    9. TJ

      And 20 years later, I found out it was a social engineering attack on us. It was actually two of my mother's friends who were coppers, who she put them up to the task of scaring me straight.

    10. CW

      Oh, no way.

    11. TJ

      So it wasn't a real arrest. It was to fuck up with our phone bill. (laughs) So, that was my first taste of, of, um, social engineering, and believe you me, it was very effective.

    12. CW

      Wow. So did that-

    13. TJ

      And then-

    14. CW

      ... did that scare you straight?

  6. 7:05-8:45

    From black-hat impulses to white-hat career: university, ethics, and credentials

    1. TJ

      It scared me straight for a very long time. In fact, I lost me love of computers for a while. Um, I, I, I took it hook, line and sinker, and I was genuinely in fear of me life (laughs) . Um, and, and I just stayed away from computers. I set up a company. Um, I'd done all right out of the company. And then that went under and I just thought to meself, "What do I want to do? Do I want to earn minimum wage for the rest of me life?" So I looked at the skillset that I had and I thought, "I want to go back into cybersecurity." Now it is a, a job. It wasn't back then. It was a crime, but now it's a job. So, uh, I had no qualifications to me name, so I blagged me way onto a Tayside University course. Um, they give me a shot and I've received a, a first with honors in every module so far. So, I've done all right.

    2. CW

      Amazing. That's fantastic.

    3. TJ

      Yeah. Thank you.

    4. CW

      So, that's, that's the journey that you've taken yourself on there. So, how do you go from the online to the offline? Is it off- offline hacking?

    5. TJ

      Right, yeah. Well, it's, it's more in person. It, it, it's like, it's like the, the good old-fashioned con. That's exactly what it is, but it's got a cyber element to it.

    6. CW

      Okay.

    7. TJ

      So, if you remember the old conmen or conwomen who would trick you into doing something, that is exactly what social engineering can be.

    8. CW

      Mm-hmm.

    9. TJ

      It's tricking somebody into doing something or saying something they shouldn't. So, I set up a little company. Um, I started doing a little bit of work with the police, um, little bits and bobs here and there. Um, and then I done a talk at Cyberfest. Have you heard of Cyberfest, the convention?

    10. CW

      No.

  7. 8:45-10:24

    Offline social engineering in action: cloning university smart cards

    1. TJ

      It's, it's a north- northeast convention, Northeast of England. Um, and then I was invited from that talk, um, to do a talk at the, um, local government level. Now, the talk that I done was based upon a hack that I carried out, an ethical hack, on the university that I studied at. So, I was a first-year student, bearing in mind, when this took place and I approached the school of computing, "Can I test your security, please?"

    2. CW

      Hmm.

    3. TJ

      And they said yes. They didn't realize I'd been a hacker from being about 12 years old.

    4. CW

      Oh, did they just think that it was some, some student who didn't really know what he was doing? Didn't realize they were coming up against boss level 55 hacking skills?

    5. TJ

      (laughs) I wouldn't say I'm that good. Uh, but yeah, they, they, they got a bit of a shock. Um, within 24 hours, I worked out how their, um, smart card system worked and I built a cloner that could clone the cards. So I then dressed up as a security guard, and this is the social engineering side of things, put the high-vis on, done me Superman change, shaved me head, looked completely different, and then went round and skimmed all of the staff's cards. Um, and with those cards I had access to all areas, free parking for six months me I had.

    6. CW

      (laughs)

    7. TJ

      Um, free food (laughs) , free food, um, library books. Everything you could ever want was all there, free. Um, I didn't tell Tayside University until Cyberfest, which was a little bit naughty.

    8. CW

      Oh.

    9. TJ

      Um, and then I sort of gave away all the secrets and it got a little bit of attention. (laughs)

    10. CW

      I bet it did, yeah.

  8. 10:24-13:13

    Recognition and escalation: speaking to law enforcement and the Home Office/FBI connection

    1. TJ

      It did. Um, but then I got invited to the ICDDF, the Information, Communication, Data and Digital Forensics Convention, which is, uh, Europe's largest closed cybersecurity convention for, uh, police, law enforcement and military. So I was invited by the National Police Chief's Council to do a talk there. Um-

    2. CW

      Real epicenter of, of this sort of stuff then.

    3. TJ

      Absolutely, absolutely. It's about as big as you can get. Um, it was invite only, you know, you couldn't get through the doors unless you were invited. So I arrived, um, I expected to be shut in a little side room, just doing a little filler talk, and I was in the big county suite, uh, and I was a keynote speaker, so it was absolutely terrifying.

    4. CW

      (laughs)

    5. TJ

      So I had to talk in front of 600 of some of the world's best professionals on cybersecurity and, and especially social engineering.

    6. CW

      Shit the bed.

    7. TJ

      Absolu- Do you wanna see what I got as well? I got that.

    8. CW

      What's that? That's a plaque. Certificate of-

    9. TJ

      It's a cert-

    10. CW

      ... Appreciation. That's so cool. That's from-

    11. TJ

      It i-

    12. CW

      Is that from the Home Office?

    13. TJ

      That's from the Home Office, yeah. Um, let me just see. I've got something else kicking about somewhere. (rustling) Oh, there it is. Bear with me one moment. I've dropped it. This is even cooler. This is an honor coin that I was given, believe it or not, off the Home Office-

    14. CW

      Okay.

    15. TJ

      ... and the FBI.

    16. CW

      Oh. So it's an AT&T NTAC-

    17. TJ

      This-

    18. CW

      What, what does, what does that mean and what is it? It's like a big plastic-

    19. TJ

      So, it-

    20. CW

      ... plastic coin.

    21. TJ

      No you know, it's not. It's a metal coin. (laughs)

    22. CW

      Metal c- Oh, inside of a pla- inside of a plastic sleeve?

    23. TJ

      It's in a plastic container. See if I can get it out for you.

    24. CW

      Oh, right. Yeah, yeah. So what, what does it mean?

    25. TJ

      And-

    26. CW

      What does it do?

    27. TJ

      Oh, it's stuck. So this is what you call an honor coin. Um, and it's what I was awarded for doing the talk. Um, and it- I'll show you. So, that's the side there, that's the important one.

    28. CW

      Okay.

    29. TJ

      That's, uh, the National Police Chief's Council, our central government-

    30. CW

      Yeah, yeah.

  9. 13:13-15:00

    Building the technical toolkit: OSCP, Kali Linux, and the social vs technical skill gap

    1. TJ

      I'm getting a fair few job offers all the time, to be, to be fair. Um, but I'm currently putting them on hold. I've went on another journey now, which is the technical side. I'm currently studying, uh, OSCP, which is Offensive Security Certified Professional hacker. Um, I should receive that in two months. And then (claps hands) the world is my oyster.

    2. CW

      What's that most recent qualification? What does that mean?

    3. TJ

      Um, that is... We have an operating system, and you'll see it just behind me here.

    4. CW

      Yeah.

    5. TJ

      That's a Kali Linux, which is not a Windows-based system, it's a, it's a Debian-based system. And, uh, Offensive Security, who make Kali Linux have an accreditation called OSCP. Um, and it's called PWK, Penetration With Kali Linux. So once I get that, it's a- a globally recognized certification.

    6. CW

      Okay. And that is, like you said, on the technical side. So is it rare to find, uh, hackers who have the in-person skills alongside the technical know-how? Or do you find-

    7. TJ

      I think-

    8. CW

      Do you find- do you find people who have that mindset with regards to just trying to open doors? Whether it's online or offline, they're just interested either way?

    9. TJ

      I think you have more technological hackers than you have social engineers. Um, s- sorry, let's rephrase that. You have more good technical hackers than you have good social engineers.

    10. CW

      Gotcha.

    11. TJ

      So every- every hacker has the potential to attempt social engineering-

    12. CW

      Mm-hmm. Mm-hmm.

    13. TJ

      ... techniques and- and tactics, but some are better than others. Um, and- and it's relatively rare to find a nerd like meself with the ability to be able to talk to people as well.

    14. CW

      Mm.

  10. 15:00-16:54

    Inside a real corporate test: reconnaissance, pretexts, and rapid physical compromise

    1. TJ

      So I take pleasure in teaching and- and communicating and- and helping organizations. And that in itself helps me sort of sharpen me social engineering toolset. Um, I've recently done a hack on a- on a large unnamed company.

    2. CW

      Mm-hmm.

    3. TJ

      Um, uh, uh, an ethical hack. I was employed to test their security. Um, and part of my training them allowed me to advance my social engineering, and I'll explain that. W- I was- I was approached by this company and asked if I could test their human firewall. So I spent three, about three weeks exfiltrating information, um, doing reconnaissance on them, passive and active, finding out who the staff were who they were talking to. Um, I trolled all of the Facebooks, the LinkedIn, all of the social media. I built up profiles on them. I prioritized five staff, um, who I thought would be the weakest, and I approached them over LinkedIn for my pretext, which was my lie. So I tried, um, multiple... I'll not go into the trade secrets, but I tried multiple lies and a couple of them were successful. I- I managed to- to hook a couple of them, but one I prioritized. I went and I held a meeting with them pertaining to something that didn't exist, um, and then left. And in that short amount of time I had already cloned all of the cards to get into the building.

    4. CW

      (laughs)

    5. TJ

      Um, so within 15 minutes of my actual, um, exploitation phase, I was in their inner sanctum through multiple coded doors, drinking cups of coffee in their tea station for three and a half hours unquestioned. Um, it was- it was good. It was interesting. It was exciting.

    6. CW

      Is that- is that what you call a successful hack?

  11. 16:54-18:54

    Hacker gadgets explained: Rubber Ducky, Bash Bunny, and stealth payload delivery

    1. TJ

      Yes. Um, to- to be totally honest with you, they were very good on a lot of areas, um, but th- th- they just didn't expect an attack of that magnitude to take place. So the final straw was I was asking staff to step away from the computers when I was plugging in, um, covert, um, hacking tools, like the USB Rubber Ducky and the Bash Bunny, which look like USB devices but they aren't. Um, the- the tools-

    2. CW

      Tell us- tell us about those. I want to know what those do.

    3. TJ

      Right. Well, uh, USB Rubber Ducky was created by a company called Hak5. Shout-out to Shannon Morse and Darren Kitchen. Um, they created, um, a- a device called an HID, a human, uh, interface device. Now, it looks to the computer like it's a keyboard with somebody typing on the other end-

    4. CW

      Okay.

    5. TJ

      ... but it can type at thousands of characters a minute. So I could spend a full day coding exploits to- to compromise their systems, and then I plug this device in and it types it out locally-

    6. CW

      Ah, yes. Okay.

    7. TJ

      ... on the system. Yeah. So it- it thinks it's a person typing. And the Bash Bunny is an attack, a multi-attack platform, um, which can emulate, uh, ethernet over USB, which is trusted by Windows, iOS and Linux... um, and you can run payloads, steal password hashes, do all sorts with it, even through a lock screen on a computer.

    8. CW

      Shit the bed.

    9. TJ

      Yeah. Yeah. (laughs)

    10. CW

      This is serious stuff.

    11. TJ

      Oh, it gets worse. It gets worse. (laughs)

    12. CW

      Oh, come on. I want to find out, what are the other, what's the other, like, atomic weapons? Or what ... If we were to open up the ethical hacker's toolkit or the bag, what have you got inside of it? You've got the rubber ducky, you've got-

    13. TJ

      I've, I've got all sort of things.

    14. CW

      ... the bash, you've got the bash bunny.

    15. TJ

      In fact, I've got, I've got some bits here if you want me to show you them.

    16. CW

      You can just run-

    17. TJ

      Would you like me to show them?

    18. CW

      You can just run through them if you want to. You can just run us through everything that'd be in there.

  12. 18:54-27:24

    From covert cameras to software-defined radio: the expanded attack surface (including cars)

    1. TJ

      Right. Okay. Well, I've got them, and I'll show you at the same time.

    2. CW

      Cool.

    3. TJ

      So we've got, um, little single board computers, Raspberry Pis. Really useful, they run off a battery. Uh, they've got wifi, Bluetooth, and that's a full PC there.

    4. CW

      Okay.

    5. TJ

      Um, but they do get smaller. You can get the little Raspberry Pi Zeroes, which are absolutely tiny.

    6. CW

      That's ju- n- not much bigger than the size of a matchbox, but it's essentially a computer in your, in your pocket.

    7. TJ

      Pretty much. But they get even smaller.

    8. CW

      And that's one-

    9. TJ

      That is the full PC there.

    10. CW

      ... that is one which is probably the size of, just bigger than a lighter, but totally two-dimensional.

    11. TJ

      Well, there's a USB stick.

    12. CW

      Yeah.

    13. TJ

      And there's a-

    14. CW

      About ... Just a bit bigger than a USB stick. Yeah. Wow.

    15. TJ

      Yeah. So that's how you-

    16. CW

      Unbelievable.

    17. TJ

      ... how you ... So just standard USB sticks with, uh, malicious software on them.

    18. CW

      Okay. Yeah.

    19. TJ

      Uh, you can, you can generate malware, and then you can, um, use a crypter, like Veil Evasion, to mask its file signature-

    20. CW

      Okay.

    21. TJ

      ... so the antivirus, uh, systems don't pick up on it.

    22. CW

      Okay.

    23. TJ

      So the very system that you use to protect you works against you because it doesn't flag you of any problems.

    24. CW

      Perfect. And you, and you think that you're safe as well, so you're probably-

    25. TJ

      Absolutely.

    26. CW

      ... probably a little bit more complacent about the security that you should have in place. "Oh, well, even if someone does get through, the antivirus will catch it."

    27. TJ

      Yeah. Absolutely. So we've got a, a normal, like that cheapy six quid off eBay, really useful. It's got a little covert camera in the bottom of it.

    28. CW

      No way.

    29. TJ

      And this bit comes off and it's a, it's a USB stick. Really handy, leave them in cigarette areas and stuff to, to record stuff and then exfiltrate information from that.

    30. CW

      That's awful.

  13. 27:24-41:58

    Password reality check: reuse, cracking strategies, and mnemonic generation

    1. CW

      Fucking hell. So, um, LinkedIn had a data breach not so long ago, uh, and a bunch of, um, a bunch of logins, uh, account information was taken from that. Mine was one of them. One thing that I didn't do, although I have done now with a, a updated password protector, shout out to 1Password, Tiago Forte's suggestion to me, which has been an absolute lifesaver. Um, I had the same password for LinkedIn as my Deliveroo, um, and-

    2. TJ

      No, no!

    3. CW

      ... I know, I-

    4. TJ

      Don't share passwords!

    5. CW

      I know, I know.

    6. TJ

      Do not share passwords.

    7. CW

      That was a bad, that was a bad idea. And, um-

    8. TJ

      Yeah.

    9. CW

      ... so, I, I got a mess- woke up one morning with a message off my business partner, and he said, uh, uh, "Is this you ordering Nandos in London on my card?" 'Cause his card was on my account. I must have ordered something for him.

    10. TJ

      (laughs)

    11. CW

      So, uh, I was like, "No. No, no, not at all. Not at all." Went on-

    12. TJ

      (laughs) I shouldn't laugh, I'm sorry.

    13. CW

      Oh, it's okay. It wasn't my money, it was his. Although he did, he, he then did, uh, make sure that I was billed for it on the company account. But, uh, yeah, and then sure enough-

    14. TJ

      (laughs)

    15. CW

      ... they, they'd used my details and they must have just brute force checked a whole bunch of other platforms to see, does this email and password combination appear on this, this, this, this, this, this, this, this, this? And sure enough, on Deliveroo it did. And 45 quid worth-

    16. TJ

      Absolutely.

    17. CW

      ... of Nandos later, they'd, they'd had it away.

    18. TJ

      That is social engineering 101. The human psychology make... The way that you're wired makes it difficult to remember complex random passwords, so what we do is we create something that we know. Most passwords have a capital first letter and have numbers at the end. Why? Because through school, we're taught to capitalize the first letter of a sentence. So when we're generating our password, we capitalize the first letter 'cause we know it needs a capital.

    19. CW

      Mm-hmm.

    20. TJ

      We're putting the number at the end because it's at the end and we'll remember it. It's normally two digits or four digits, a date of birth, or a memorable date, um, or something simple like one, two, three, four at the end of the password. Passwords are normally constructed out of, if you're English, English words, um, which can be found in a dictionary. Um, and it doesn't take very long to crack a password. The entire character set of eight characters, including uppercase, lowercase, numbers, and special characters, in its entirety, can be cracked in two hours now. So, I mean-

    21. CW

      Jesus Christ.

    22. TJ

      (laughs) Yeah. If, if, if you're looking at longer passwords, if it's constructed of English words and numbers and letters, we use dictionary attacks, so we'll say, okay, we'll try dictionary one and dictionary two, and we'll use a rule set to capitalize the first letters, or not, and put numbers at the end from one to 3,000, and then that reduces that character set down massively. So you can, you can crack a lot of passwords relatively quickly.

    23. CW

      Is that brute force stuff there, where you just start, you'll set some sort of program away and it will just start cycling through version one, version two, version three, version four?

    24. TJ

      No, brute force isn't very efficient. Uh, the eight-character set, which I said can be cracked in its entirety, that is a brute force attack.

    25. CW

      Yes.

    26. TJ

      As you start getting to nine, 10, it's inconceivably long.

    27. CW

      Yeah.

    28. TJ

      So what you do is you use rule sets-

    29. CW

      Yes.

    30. TJ

      ... and dictionaries.

  14. 41:58-51:37

    When attackers have a country behind them: Stuxnet, medical devices, and ‘good vs evil’ tools

    1. TJ

      Nation state are on a whole new level. A whole new level. Have you heard of Stuxnet?

    2. CW

      Uh, I've heard the name. I don't know why. What is it?

    3. TJ

      Stuxnet, um, without going into too much technical detail, it was a, uh, a virus that had infected a large volume of computers across the globe. Um, and it took Symantec several weeks to work out what this virus was. Normally, it takes them about 10, 15 minutes to say, "Oh, this is a worm, this is this, this is how it works, this is how it propagates." But Stuxnet, they didn't know what it was for a long time. It had bits of code that they didn't know what it was and, and how it worked. And it was infecting computers on a level that they had never seen before. Um, it was infecting USB sticks, removable media, transferring it everywhere, and it wasn't doing anything. Yeah.

    4. CW

      Oh, right.

    5. TJ

      And they were like-

    6. CW

      Okay, just sitting there being, been very intimidating. (laughs)

    7. TJ

      Uh, no, it was being very quiet. That's the scary thing about it.

    8. CW

      Yeah. Okay, yeah.

    9. TJ

      And it turned out, it was looking for one system, um, and that system was the Iranian Nuclear Enrichment Program. And this bug was so sophisticated, it had four zero-days in it, and a zero-day is worth about a million dollars. It's like a hole, an unknown hole in an operating system or a service.

    10. CW

      Okay.

    11. TJ

      And this had four in it, which pointed to Nation State. And what it done when it found, um, this power plant, all this unknown code was to control the industrial controllers of the factory. So, what it done is it recorded, uh, stats covertly of the factory for about 30 days. It then disabled the safety mechanisms, 'cause they were all through a computer, and then it replayed the good stats. So, do you know, like in films, where the, the, they capture a bit of footage and then they'll loop that footage while they're committing a crime-

    12. CW

      Mm-hmm.

    13. TJ

      ... on a C- CCTV camera? Well, this was doing it on, doing it on a nuclear enrichment system. So, once it was playing back the good stats, it started speeding up and slowing down all the centrifuges until it exploded, and it blew up thousands of centrifuges, physically exploded.

    14. CW

      This actually happened? When was this?

    15. TJ

      This actually happened, oh, 2009-ish, I think. I might be wrong.

    16. CW

      Wow. I'm not, uh, s- I'm not massively au fait with news and stuff like that, so I very well might have missed it, but that is terrifying. And obviously, the, the implications are that could be for pretty much, you know, if they can get into the Iranian Nuclear Enrichment plant, like, what, what really is left after that? What's got more security than that?

    17. TJ

      (laughs) Well, the scary thing was, is it wasn't even connected to the internet.

    18. CW

      Okay, right. So it was totally off-

    19. TJ

      So it wasn't connected-

    20. CW

      ... totally offline, totally isolated.

    21. TJ

      That's... Yeah, it was called air- air-gapped, so that's why they were infecting removable media. So one person plugged that stick into that computer and that system was doomed, absolutely doomed. I mean, there's, there's amazing things which happen all of the time. This device that I showed you before, the little, uh, radio transceiver, um, there was a guy called Barnaby Jack who was a New Zealand-based, uh, ethical hacker. Uh, he was the guy who used to hack bank machines, and he could dial something into his phone and then the bank machine would put JACKPOT on the screen and start emptying the cassettes of its money.

    22. CW

      (laughs)

    23. TJ

      Yeah, he, he was a showman, an absolute showman, super genius. Um, he discovered that, um, pacemakers and morphine pumps, um, were, and insulin pumps, a lot of them, not all of them, uh, were susceptible to an SDR attack. So, he potentially could defibrillate the person by pressing enter on his keyboard-

    24. CW

      Oh, my God.

    25. TJ

      ... from about 100 yards away. Um, and he approached the big, uh, company and s- companies and said, "Look, you know, this is a major security flaw." And they said, "We're not interested." Um, so he was gonna sort of tell everyone how it was done at a big convention, and unfortunately he died before the convention.

    26. CW

      Was that a suspicious death?

    27. TJ

      Who knows?

    28. CW

      Well, he, he died.

    29. TJ

      Who knows?

    30. CW

      He died.

  15. 51:37–1:01:16

    Everyday exposure: IoT risk, Google dorking, live CCTV compromise, and what individuals can do

    1. CW

      Does this need to happen at a state level or are there things that at, at an individual level which we all should be doing as well, apart from 12 string passwords and not using the password "password1"?

    2. TJ

      Uh, I think... I think governments do have a responsibility to protect us. Um, that's what we were elected for. And, uh, so far I think the UK have done a fantastic job, you know. There is gonna be attacks all the time but how many they stop and how many they defend against it, you know, we will never know.

    3. CW

      Mm-hmm.

    4. TJ

      But they are doing their bit. Um, but I think common sense is a big thing. You know, don't just have super complex passwords but just don't share them between all sorts of different platforms, 'cause if I get your LinkedIn, there's a very good chance your email's gonna have the same password as your LinkedIn or something similar.

    5. CW

      Mm-hmm.

    6. TJ

      So I'm gonna target your email 'cause then I can recover all your passwords to your email from all your other accounts.

    7. CW

      Mm-hmm.

    8. TJ

      Does that make sense?

    9. CW

      Mm-hmm.

    10. TJ

      Remember a few things. Whatever you put on the internet will always remain on the internet. There's no getting rid of it. It's gonna be there, it's gonna be spidered, it's gonna be captured. Um, if you're using IoT devices, so internet of things like, um, CCTV cameras and things like that, buy them from reputable places, you know. Do your homework. Um, if you're buying a camera from China that's 20 quid and the same one in, from a, a British manufacturer or whatever's 150 quid, there's a reason why.

    11. CW

      (laughs)

    12. TJ

      Do you know what I mean?

    13. CW

      (laughs)

    14. TJ

      Um, that reason tends to be the fact that they're, they're rubbish, they're crap, they don't protect you. In fact the very devices that we use to protect us sometimes works in the favor of the cyber criminals. One of my demonstrations is something called Google Dorking. Have you heard of Google Dorking?

    15. CW

      No. Take us through it.

    16. TJ

      Really, really simple technique. It's, um, using advanced search operators in Google to look for misconfigured systems.

    17. CW

      Right.

    18. TJ

      Um, now anybody can do it without any technical capabilities whatsoever. Um, they just need to know where to look. Now I'm not gonna tell you where to look-

    19. CW

      Okay.

    20. TJ

      ... but it's called, it's called Google Hacking-

    21. CW

      Yeah.

    22. TJ

      ... if you're interested in looking.

    23. CW

      Yeah.

    24. TJ

      Um, and you can put in a string and you can exfiltrate, um, broken cameras or cameras... When I say broken, I mean cameras that aren't set up correctly. Now with one line of code I can find 500 web cameras that I can log into. Some of them are CCTV cameras. So, you know, it's- it's really, really scary stuff.

    25. CW

      It is scary stuff. I, n- and some of the listeners will know I had, uh, Roger McNamee who was one of the early investors in Facebook, personal advisor to Mark Zuckerberg, he was the, the guy that got Sheryl Sandberg on board. Um, then, uh, just before that I spoke to Professor David Carroll who was the man-

    26. TJ

      Yeah.

    27. CW

      ... the professor from The Great Hack, uh, on Netflix. Spoke to both of those guys within a couple of days of each other and, um, it definitely does feel at the moment like everything is gathering pace and the... the online attacks, or the online threats are just, they're increasing in their magnitude across all, all platforms, as far as I'm concerned.

    28. TJ

      Absolutely.

    29. CW

      So it's, it's not just that you have this sort of below the line, underground, black hat hacker things that are going on, but also even the data which we're willingly giving away is being manipulated in more, more and more sophisticated ways. And, you know, it- it really is, it's getting ... it's getting more serious, isn't it?

    30. TJ

      It absolutely is. All these, uh, apps like, uh, the T- uh, FaceApp and the 10 Year Puberty Challenge.

  16. 1:01:16–1:04:19

    The security talent gap and how to get started (legally)

    1. CW

      Are you guys ... I'm going to guess the answer is yes, but you guys will be paid fairly well for your services. It will be a specialized, uh, and small group of people who have skills up to the standard that are required.

    2. TJ

      Well, the average wage for a- a qualified penetration tester with a bit of experience, uh, is between 65 and 120,000 pound a year.

    3. CW

      Mm-hmm.

    4. TJ

      Um, and there is going to be a 1.8 million job deficit within the next three years. So nobody will have the skillset to do that. Um, my suggestion would be if you want a career change, do what I done, you know, quit your minimum wage job, blag yourself into university and smash it the best you possibly can. Jump in headfirst, take on every opportunity, do the best you possibly can and change your life, 'cause you can do it.

    5. CW

      Tom, what an unbelievable way to end the podcast. Thank you so much for coming on, man. If, uh, if anyone who is listening wants to learn a little bit more, are there any blogs that you like or have you got anything online? Uh, um, are you on Twitter? Is- is-

    6. TJ

      Uh, no, I'm very careful on what I go on online believe it or not. (laughs)

    7. CW

      I imagine- I thought- for some reason I was- I thought that you might say that.

    8. TJ

      I'm a tad paranoid, I only got a phone about a month ago. (laughs)

    9. CW

      Okay. Okay. Fair enough.

    10. TJ

      Yeah, what I would suggest is if you want to learn more, uh, get yourself on Hack The Box. It is a website designed to teach hacking and you can legally hack their networks, um, they allow you to do it and have di- different capture the flag challenges.

    11. CW

      Ah.

    12. TJ

      Things like that.

    13. CW

      That's awesome.

    14. TJ

      You've got OverTheWire Wargames, have a go at that. Um, learn Kali Linux the best you can. And if you're a student or you've got access to an academic email, get yourself on Immersive Labs, um, which was set up in conjunction with our sorta GCHQ technical sorta departments of the government. Um, and they have sorta labs that you can learn on there as well. So it's brilliant.

    15. CW

      And you can have a little play around- play around in these safe environments where you can do a little bit of hacking, see if you're any good and then maybe flog your skills for 120 grand a year?

    16. TJ

      Absolutely. Absolutely.

    17. CW

      Unbelievable.

    18. TJ

      Yeah. Go for it.

    19. CW

      Well, and do you know what it is, I don't- I don't think that we could have done a better recruitment video if we'd tried.

    20. TJ

      (laughs)

    21. CW

      Tom, uh, links to everything that we've spoken about today, uh, Naval Ravikant on Rob Reid's After On, links to Hack The Box, OverTheWire and some of the other bits and pieces we've gone through will be in the show notes below, as always. If you enjoyed this, please don't forget to give us a like and hit subscribe, it really does make me happy. Tom, man, thank you so much. I'm- I'm really excited to see what happens next. I guess we'll have to wait a couple of years until the- your non-disclosure agreement probably frees up and you can actually talk about it. But, yeah, what an awesome day. Thank you so much, man.

    22. TJ

      Fantastic. Thank you, mate.

    23. CW

      Outfits. Ah, yeah. Oh, yeah. Outfits.

Episode duration: 1:04:20


Transcript of episode 1SkPp-kVUmQ
