It was really interesting listening to Jamie Woodruff, The Ethical Hacker, talking about how he can break into anyone’s system. It’s pretty easy when you know how. His discussion shows just how easy it is, if you have confidence to con. This reminded me of Tony Sales who spoke at the Financial Services Club three years ago, and said that it’s all about bluff and confidence. That’s how the tricksters work and you only have to watch Hustle or similar TV shows to see the tricks that might be played. It’s all about social engineering.
Much of this is predicated on our natural willingness to trust people. For example, Jamie’s first task was to break into the server farm of a bank. The secure data store room. The one with the complex codes and access keys. Well, not really. In this case, Jamie just sat outside the bank for a few days, reading a newspaper and looking as though he was waiting for someone.
The bank has strong security and you must have an employee access card to get through the locked gates, or report to reception and sign in. But Jamie noticed that most days a pizza delivery was made. The pizza boy would walk in and security just buzzed them through.
Jamie applied to the pizza firm for a job as a delivery boy, got the outfit and walked into the bank with a bunch of pizza boxes. The boxes contained no pizza but, rather, had gateway access boards to place in the servers for easy access to the network. Of course, security buzzed him straight through.
Up on the fifth floor, Jamie found the server farm. It had a PIN access secure code on the door. Hmmm … so Jamie sprayed the PIN board with infrared spray paint and went and ate a pizza. Returning ten minutes later, he shined his infrared pen on the PIN board and, sure enough, someone had been in the room and the PIN code was clear.
Get the idea? Oh, and if you’re wondering, that’s pretty much how Target got hacked via their air conditioning company.
The other story I enjoyed or feared – Jamie told many – was the fact that you can easily track, trace and hijack someone’s data using a simple beacon. The beacon can pick up whose phones are looking for Wi-Fi and which Wi-Fi networks they’re trying to connect to or are connected with. When the beacon finds the phones, it relates back to the hacker the details and the hacker can choose which one to kick off the network. For the person using their phone, they see the network drop for a second and then it comes back up again. Just that now you’re connected with a fake network and everything you enter is sent to the hacker.
That all sounds pretty average?
Well, the point Jamie made was brilliant. Put the beacon on a drone and fly the drone onto the top of the banks’ headquarters. The beacon has a pickup distance of around 15 metres or, in other words, the top five floors of the bank.
Now, who sits in the top five floors of a banks’ HQ?
… oh, the C-suite!
More about Jamie
Jamie failed all his GCSEs apart from IT where he gained an A* as computing comes naturally to him. He then went on to college where he was given a test which identified that he had both Dyslexia and Dyspraxia, which went unnoticed throughout his school years. Not content at college, Jamie got a job as an IT programmer. One day at work Jamie decided that he had much more to offer, so he started looking into the possibility of getting into university. Jamie was interviewed by Dr Stephen Marriot the admissions tutor at the School and his technical knowledge and work experience was enough to gain a place at Bangor. Dr Marriot said: “Jamie entered under the mature student’s scheme. This was a result of a personal interview in which I recognized a potential to succeed and a willingness to learn. Jamie is well known for disclosing worldwide Exploits/Vulnerabilities within leading security applications such as Facebook, YouTube, Twitter, Apple, Google, NewAer, Daily Mail, The TrainLine, PlusNet, Simple, Microsoft, Multiple Institutions and within the Government sector.