
What Is An Ethical Hacker? | Thomas Johnson | Modern Wisdom Podcast 105

Thomas Johnson is an ethical hacker and social engineer. Hacking is often thought of as a dark art. Dark basements and illegal activities. But there's an entire other world of hackers who are using their skills to subvert security systems both online and offline for good. Expect to learn just how Tom hacks both people and computers to break into secure buildings, how safe your information is online, what tools Tom uses to bypass the systems that are meant to keep him out and his best advice for staying secure online. Also get ready for him to hack into a university's CCTV system only using Google while we are recording.

Extra Stuff: Check out everything I recommend from books to products and help support the podcast at no extra cost to you by shopping through this link - https://www.amazon.co.uk/shop/modernwisdom

Listen to all episodes online. Search "Modern Wisdom" on any Podcast App or click here:
iTunes: https://apple.co/2MNqIgw
Spotify: https://spoti.fi/2LSimPn
Stitcher: https://www.stitcher.com/podcast/modern-wisdom

Get in touch in the comments below or head to...
Instagram: https://www.instagram.com/chriswillx
Twitter: https://www.twitter.com/chriswillx
Email: modernwisdompodcast@gmail.com

Guest: Thomas (Tom) Johnson. Host: Chris Williamson.
Sep 23, 2019. Duration: 1h 4m.

EVERY SPOKEN WORD

  1. 0:00 - 15:00

    1. TJ

      To me, you've got to understand that data now is worth more than oil. Um, so they're going to put a lot of money into securing that, and they're gonna put a lot of money into defending that. Now, I'm genuinely proud of, of living in England and in Britain, because we have some of the best security professionals in the world. But you have a lot of threat actors as well. So you've got China, you've got Russia, you've got North Korea. You've got all the states that wouldn't necessarily get on with us politically. And you have to understand that for the price of one fighter plane, you can hire 200 hackers. So information warfare is going to be the future of war.

    2. CW

      I am joined by Tom Johnson, ethical hacker and social engineer extraordinaire. Welcome to the show, Tom. It's great to have you on.

    3. TJ

      Hello. Thank you very much for inviting me.

    4. CW

      Uh, it's gonna be an exciting one today. This world of ethical hacking and social engineering is something that I've seen a little bit about online, but I don't really know all that much. But I guess we're gonna, we're gonna delve into it today, right?

    5. TJ

      Absolutely, yeah. I mean, would you like to start off at the beginning, how I got involved in it?

    6. CW

      Yeah, absolutely.

    7. TJ

      Or would you like me to tell you what it is, first of all? (laughs)

    8. CW

      (laughs) No. So yeah-

    9. TJ

      (laughs)

    10. CW

      Let's, let's, let's find out. How do you define ethical hacking and, and social engineering and what you do? And then, and then let's find about, out about the, uh, the genesis story.

    11. TJ

      Absolutely. Okay, so social engineering, according to a guy called Christopher Hadnagy in America, is the art of using human psychology or misusing human psychology to get a target to do something or say something they shouldn't do or say, and that is grassroots. So if you can talk someone into giving you the passwords or plugging a USB stick into the computer, then all of this very expensive sort of cybersecurity mitigation is useless, because they are literally giving you the keys to the kingdom. So that, in a nutshell, is what it is.

    12. CW

      I understand. Yeah. I suppose as these, uh, technological firewalls, uh, and safety measures become more sophisticated, the, uh, ways around it that don't require you to just brute force try and break through something that's heavily encrypted, I guess this sort of falls to the, the one remaining weak link in the chain, which is always going to be the, the several-million-year-old brain that sits inside of the person controlling the system, right?

    13. TJ

      (laughs) Well, uh, in my opinion, humans can be the weakest link, but they can also be the strongest link as well, because they think in a different way to how computers process information. So have you ever had a gut feeling before, Chris?

    14. CW

      Mm-hmm. Yeah.

    15. TJ

      Well, that gut feeling is your subconscious mind telling you that there is something not quite right in a pattern. So your subconscious mind is constantly processing everything around you, and then when you get that gut feeling, that is your subconscious mind saying to your conscious mind, "There's something not quite right here." So that is a really good way to defend against social engineers.

    16. CW

      Yeah.

    17. TJ

      That gut feeling.

    18. CW

      Got you. Okay, so let's start off, the genesis story. How do you ... So h- what happens whereby you are now sat opposite me with a microphone in front of you talking about ethical hacking-

    19. TJ

      (laughs)

    20. CW

      ... and social engineering? Where does it begin?

    21. TJ

      Right. It begins when I was about 12 years old, and I was pulled out of school by an overprotective mother. Um, I was a very small child in a predominantly council area in Wallsend, um, and it wasn't a very good time at school for me. And she was very overprotective, pulled me out, and had nothing to give me work-wise, so she just sat me in front of a computer. So I started playing games, what every child tends to do, and then I started getting bored of games. Um, and I couldn't afford new games, so I started working out how I could break the system and copy those games so I could get them for free. Not because I was a criminal, but because I wanted to play games. Uh, the games started getting boring, so I wanted to learn how the games worked. So I programmed the games, um, and things developed on and on and on. And then something amazing happened. This rudimentary thing called the internet come about, and it'd become my playground. Um, I was spending all of me time online. Um, I had no moral or ethical compass at that point in time. I was young. I, I wasn't a bad lad, but I'd done things because I was a bit mischievous. So I would hack random computers on the internet and download through all the ... Look through all the files, and then it started getting boring, so I started going a bit further. I started college. Um, I got thrown out of college for hacking an internal mail system.

    22. CW

      (laughs)

    23. TJ

      I was ... (laughs) Yeah, I was naughty, but I was sending messages from one lecturer to another saying that they were in love with each other or, or all sorts of different things.

    24. CW

      (laughs) Okay.

    25. TJ

      Getting some funny looks.

    26. CW

      Yeah.

    27. TJ

      I was great at doing things, but terrible at getting away with them.

    28. CW

      Ah, yeah.

    29. TJ

      So I actually got caught and, and thrown out of, uh, college. So I went back again. I lasted about two weeks, and I was thrown out again. Um, I locked the network manager out of his computer, and he didn't see the funny side.

    30. CW

      (laughs)

  2. 15:00 - 30:00

    1. TJ

      as well.

    2. CW

      Mm.

    3. TJ

      So I take pleasure in teaching and- and communicating and- and helping organizations. And that in itself helps me sort of sharpen me social engineering toolset. Um, I've recently done a hack on a- on a large unnamed company.

    4. CW

      Mm-hmm.

    5. TJ

      Um, uh, uh, an ethical hack. I was employed to test their security. Um, and part of my training them allowed me to advance my social engineering, and I'll explain that. W- I was- I was approached by this company and asked if I could test their human firewall. So I spent three, about three weeks exfiltrating information, um, doing reconnaissance on them, passive and active, finding out who the staff were who they were talking to. Um, I trawled all of the Facebooks, the LinkedIn, all of the social media. I built up profiles on them. I prioritized five staff, um, who I thought would be the weakest, and I approached them over LinkedIn for my pretext, which was my lie. So I tried, um, multiple... I'll not go into the trade secrets, but I tried multiple lies and a couple of them were successful. I- I managed to- to hook a couple of them, but one I prioritized. I went and I held a meeting with them pertaining to something that didn't exist, um, and then left. And in that short amount of time I had already cloned all of the cards to get into the building.

    6. CW

      (laughs)

    7. TJ

      Um, so within 15 minutes of my actual, um, exploitation phase, I was in their inner sanctum through multiple coded doors, drinking cups of coffee in their tea station for three and a half hours unquestioned. Um, it was- it was good. It was interesting. It was exciting.

    8. CW

      Is that- is that what you call a successful hack?

    9. TJ

      Yes. Um, to- to be totally honest with you, they were very good on a lot of areas, um, but th- th- they just didn't expect an attack of that magnitude to take place. So the final straw was I was asking staff to step away from the computers when I was plugging in, um, covert, um, hacking tools, like the USB Rubber Ducky and the Bash Bunny, which look like USB devices but they aren't. Um, the- the tools-

    10. CW

      Tell us- tell us about those. I want to know what those do.

    11. TJ

      Right. Well, uh, USB Rubber Ducky was created by a company called Hak5. Shout-out to Shannon Morse and Darren Kitchen. Um, they created, um, a- a device called an HID, a human, uh, interface device. Now, it looks to the computer like it's a keyboard with somebody typing on the other end-

    12. CW

      Okay.

    13. TJ

      ... but it can type at thousands of characters a minute. So I could spend a full day coding exploits to- to compromise their systems, and then I plug this device in and it types it out locally-

    14. CW

      Ah, yes. Okay.

    15. TJ

      ... on the system. Yeah. So it- it thinks it's a person typing. And the Bash Bunny is an attack, a multi-attack platform, um, which can emulate, uh, ethernet over USB, which is trusted by Windows, iOS and Linux... um, and you can run payloads, steal password hashes, do all sorts with it, even through a lock screen on a computer.

    16. CW

      Shit the bed.

    17. TJ

      Yeah. Yeah. (laughs)

    18. CW

      This is serious stuff.

    19. TJ

      Oh, it gets worse. It gets worse. (laughs)

    20. CW

      Oh, come on. I want to find out, what are the other, what's the other, like, atomic weapons? Or what ... If we were to open up the ethical hacker's toolkit or the bag, what have you got inside of it? You've got the rubber ducky, you've got-

    21. TJ

      I've, I've got all sort of things.

    22. CW

      ... the bash, you've got the bash bunny.

    23. TJ

      In fact, I've got, I've got some bits here if you want me to show you them.

    24. CW

      You can just run-

    25. TJ

      Would you like me to show them?

    26. CW

      You can just run through them if you want to. You can just run us through everything that'd be in there.

    27. TJ

      Right. Okay. Well, I've got them, and I'll show you at the same time.

    28. CW

      Cool.

    29. TJ

      So we've got, um, little single board computers, Raspberry Pis. Really useful, they run off a battery. Uh, they've got wifi, Bluetooth, and that's a full PC there.

    30. CW

      Okay.

  3. 30:00 - 45:00

    1. TJ

      and we'll use a rule set to capitalize the first letters, or not, and put numbers at the end from one to 3,000, and then that reduces that character set down massively. So you can, you can crack a lot of passwords relatively quickly.

    2. CW

      Is that brute force stuff there, where you just start, you'll set some sort of program away and it will just start cycling through version one, version two, version three, version four?

    3. TJ

      No, brute force isn't very efficient. Uh, the eight-character set, which I said can be cracked in its entirety, that is a brute force attack.

    4. CW

      Yes.

    5. TJ

      As you start getting to nine, 10, it's inconceivably long.

    6. CW

      Yeah.

    7. TJ

      So what you do is you use rule sets-

    8. CW

      Yes.

    9. TJ

      ... and dictionaries.

    10. CW

      Understand.

    11. TJ

      So it's not, uh, a brute force. You're not going through like, 0000A, 0000-

    12. CW

      Yep, yep, yep.

    13. TJ

      ... 0000AB. You're, you're literally combining different words together and using sort of different numbers and rule sets alongside it. But a lot of people use, um, it's, it's called hackerish, it's where you substitute, uh, a letter for a number. So I becomes one, O becomes zero-

    14. CW

      Mm-hmm.

    15. TJ

      ... A becomes three. A lot of people use that in their passwords 'cause it's easier to remember. But that's the first thing somebody's gonna try. They're gonna use a rule set to try that. So now we've got what you call GPU hacking, uh, sorry, cracking. We use something called Hashcat, and you can put together graphics cards, uh, a number of graphics cards, which are very, very good at, um, mathematics, so they're, they're much, much quicker than CPU cracking. So it's just, you know, it's, it's getting much, much tougher. Now, I can give you a really good hint. One-pass, things like, uh, password safes, they're all good and well unless somebody gets your master password, and then they've got the wh- all the keys to the kingdom. So you can create something called mnemonic password generation. Have you heard of that?

    16. CW

      No.

    17. TJ

      So you think of, uh, a sentence, uh, specific to you.

    18. CW

      Mm-hmm.

    19. TJ

      For example, "Tom ate 27 pies and now he is fat."

    20. CW

      Yes.

    21. TJ

      Which is not very good.

    22. CW

      Yeah.

    23. TJ

      And then you take the first letter and all the special characters from the se- first letter of each word and all the special characters and numbers-

    24. CW

      Mm-hmm.

    25. TJ

      ... and it generates your password. So in our minds, we can remember the sentence because we've evolved over millions of years' language. Um, but on paper, it looks like a very long string of random numbers, letters, and special characters, and it's super secure.

    26. CW

      Okay, that's interesting. Yeah, I, uh, I'm, it's terrifying to know that every different permutation of eight characters up, uh, uh, eight characters, special characters, letters, et cetera, can be run through in the space of two hours. That's, I mean, that, that, that is really, really concerning. So I guess, you know, first off, it-

    27. TJ

      That's like every possible password (laughs) .

    28. CW

      Yes. That's under eight-

    29. TJ

      Yeah.

    30. CW

      ... that's under eight characters. And I think most websites now just dictate that it needs to be a min- a minimum of eight characters, one uppercase, and sometimes one special character. So I'm gonna guess most people will take the path of least resistance and choose exactly eight characters, exactly one special character, exactly one number as well.

  4. 45:00 - 1:00:00

    1. TJ

      I mean, there's, there's amazing things which happen all of the time. This device that I showed you before, the little, uh, radio transceiver, um, there was a guy called Barnaby Jack who was a New Zealand-based, uh, ethical hacker. Uh, he was the guy who used to hack bank machines, and he could dial something into his phone and then the bank machine would put JACKPOT on the screen and start emptying the cassettes of its money.

    2. CW

      (laughs)

    3. TJ

      Yeah, he, he was a showman, an absolute showman, super genius. Um, he discovered that, um, pacemakers and morphine pumps, um, were, and insulin pumps, a lot of them, not all of them, uh, were susceptible to an SDR attack. So, he potentially could defibrillate the person by pressing enter on his keyboard-

    4. CW

      Oh, my God.

    5. TJ

      ... from about 100 yards away. Um, and he approached the big, uh, company and s- companies and said, "Look, you know, this is a major security flaw." And they said, "We're not interested." Um, so he was gonna sort of tell everyone how it was done at a big convention, and unfortunately he died before the convention.

    6. CW

      Was that a suspicious death?

    7. TJ

      Who knows?

    8. CW

      Well, he, he died.

    9. TJ

      Who knows?

    10. CW

      He died.

    11. TJ

      He died of a, a drug overdose of a speedball of drugs two days before his big convention, so I'm led to believe off what I've read.

    12. CW

      Wow. And he was a- just a young guy? He wasn't, like...

    13. TJ

      He was a young guy, he was famous, he had an amazing career, a beautiful family, you know, he had it all.

    14. CW

      Wow. I mean, this-

    15. TJ

      Money, cars.

    16. CW

      It's weird, isn't it? Like, when we talk about all of this stuff-

    17. TJ

      (clears throat)

    18. CW

      ... it, it's, it's fascinating, really, I, I, I love learning about it, and it's really interesting, but there's just... When you finish laughing about whatever the point is and you remember, if this gets into the r- the hands of the wrong people, if this is used on the wrong sort of facility, it's, the implications are really scary, aren't they?

    19. TJ

      Make no d- like, make no doubt about it, yeah, this is, is in the hands of the wrong people. Yeah? They have it now, they use it now. And what gets me is, the media tend to demonize hackers, yeah? We're, we're, we're told, like, uh, they, they tell everyone that we are the bad guys, we are... The hackers are the good guys. The cyber criminals are the bad guys. They're the ones who... If you're... How can I put it... Right, okay, think of Gordon Ramsay-

    20. CW

      Yeah.

    21. TJ

      ... and Jeffrey Dahmer.

    22. CW

      (laughs)

    23. TJ

      Yeah? Yeah? So, Gordon Ramsay will use a knife to cook you a meal.

    24. CW

      Yep.

    25. TJ

      And it'll be beautiful.

    26. CW

      Mm-hmm.

    27. TJ

      Jeffrey Dahmer would use a knife to kill you and eat you.

    28. CW

      Yep.

    29. TJ

      Yeah? That knife is hacking. Does that make sense?

    30. CW

      Yes.

  5. 1:00:00 - 1:04:19

    1. CW

      it means that it won't be long before someone will be able to ... they're already doing it, 3D printing guns. There we go, perfect example. You've got technology with some coding that's come together, you can 3D print a gun. How long before you can 3D print a bomb of some kind or, you know, all of these things? So I suppose what that means is we need to be even more security conscious because the stakes of getting it wrong increasingly get worse and worse.

    2. TJ

      Absolutely. Uh, I mean, that rounds it up lovely. You know, uh, as things are progressing we're gonna be faced with lots of new challenges, and if we don't adapt as a race, we're gonna end up destroying ourselves. I mean now, you know, it's possible, very unlikely, but it's possible for a rogue hacker to shut down a power plant or to... um, do a ransomware attack on a, on a water treatment factory and- and flood the water with loads of chlorine or, you know. Th- there's so many different things you can do that are damaging with technology now. And if we don't stay one step ahead of it, if we don't have a good educational system and- and people to inspire young minds and to get them involved in being a white hat and an ethical hacker, you know, we're gonna be in a world of hurt. We genuinely are.

    3. CW

      Are you guys ... I'm going to guess the answer is yes, but you guys will be paid fairly well for your services. It will be a specialized, uh, and small group of people who have skills up to the standard that are required.

    4. TJ

      Well, the average wage for a- a qualified penetration tester with a bit of experience, uh, is between 65 and 120,000 pound a year.

    5. CW

      Mm-hmm.

    6. TJ

      Um, and there is going to be a 1.8 million job deficit within the next three years. So nobody will have the skillset to do that. Um, my suggestion would be if you want a career change, do what I done, you know, quit your minimum wage job, blag yourself into university and smash it the best you possibly can. Jump in headfirst, take on every opportunity, do the best you possibly can and change your life, 'cause you can do it.

    7. CW

      Tom, what an unbelievable way to end the podcast. Thank you so much for coming on, man. If, uh, if anyone who is listening wants to learn a little bit more, are there any blogs that you like or have you got anything online? Uh, um, are you on Twitter? Is- is-

    8. TJ

      Uh, no, I'm very careful on what I go on online, believe it or not. (laughs)

    9. CW

      I imagine- I thought- for some reason I was- I thought that you might say that.

    10. TJ

      I'm a tad paranoid, I only got a phone about a month ago. (laughs)

    11. CW

      Okay. Okay. Fair enough.

    12. TJ

      Yeah, what I would suggest is if you want to learn more, uh, get yourself on Hack The Box. It is a website designed to teach hacking and you can legally hack their networks, um, they allow you to do it and have di- different capture the flag challenges.

    13. CW

      Ah.

    14. TJ

      Things like that.

    15. CW

      That's awesome.

    16. TJ

      You've got Over The Wire War Games, have a go at that. Um, learn Kali Linux the best you can. And if you're a student or you've got access to an academic email, get yourself on Immersive Labs, um, which was set up in conjunction with our sorta GCHQ technical sorta departments of the government. Um, and they have sorta labs that you can learn on there as well. So it's brilliant.

    17. CW

      And you can have a little play around- play around in these safe environments where you can do a little bit of hacking, see if you're any good and then maybe flog your skills for 120 grand a year?

    18. TJ

      Absolutely. Absolutely.

    19. CW

      Unbelievable.

    20. TJ

      Yeah. Go for it.

    21. CW

      Well, and do you know what it is, I don't- I don't think that we could have done a better recruitment video if we'd tried.

    22. TJ

      (laughs)

    23. CW

      Tom, uh, links to everything that we've spoken about today, uh, Naval Ravikant on Rob Reid's After On, links to Hack The Box, Over The Wire and some of the other bits and pieces we've gone through will be in the show notes below, as always. If you enjoyed this, please don't forget to give us a like and hit subscribe, it really does make me happy. Tom, man, thank you so much. I'm- I'm really excited to see what happens next. I guess we'll have to wait a couple of years until the- your non-disclosure agreement probably frees up and you can actually talk about it. But, yeah, what an awesome day. Thank you so much, man.

    24. TJ

      Fantastic. Thank you, mate.

    25. CW

      Outfits. Ah, yeah. Oh, yeah. Outfits.

Episode duration: 1:04:20

Transcript of episode 1SkPp-kVUmQ