#105 - Thomas Johnson - What Is An Ethical Hacker?

Podcast Summary

• Manipulating Human Psychology: The Power of Social Engineering: Social engineering is a low-tech method that manipulates human psychology to bypass cybersecurity measures, highlighting the importance of addressing the human element in security alongside technological measures.

  While technological advancements can provide security, human behavior remains a significant vulnerability. Ethical hacker and social engineer Tom Johnson explained that social engineering is the manipulation of human psychology to gain access to information or systems. It's a low-tech approach that can bypass even the most sophisticated cybersecurity measures. Johnson's interest in this field began when he was a child, experimenting with games and eventually learning to program them. He eventually discovered the internet and it became his playground for exploration. He emphasized the importance of trusting our intuition and paying attention to our subconscious feelings as a defense against social engineering. Ultimately, Tom Johnson's story highlights the importance of being aware of the human element in security and the need to address it in addition to technological measures.

• From hacker to white hat: A journey of redemption: A past of hacking and criminal activity led an individual to social engineering, but through hard lessons learned and a shift in perspective, they transformed their skills into a legitimate career as a cybersecurity expert.

  The interviewee's early experiences with hacking online led him down a risky and criminal path, but ultimately, he was caught through social engineering and faced the consequences. This experience scared him straight and he lost interest in computers for a while. However, he eventually returned to the field, recognizing the potential for it to be a legitimate career. Now, he specializes in social engineering, which involves tricking people into doing things they shouldn't online, just like old-fashioned con artists do in person. He built a company around this skill and even worked with the police to educate them about social engineering threats. Despite his past, he has turned his skills into a successful career as a white hat, using his expertise to help protect against cyber threats rather than causing them.

• Unexpected opportunities from ethical hacking: Ethical hacking can lead to recognition and career advancement. Discovering vulnerabilities and reporting them responsibly can open doors to speaking engagements and professional certifications.

  Ethical hacking, when approached with the right intentions and skills, can lead to unexpected opportunities and recognition. The speaker, who started hacking at a young age, managed to bypass his university's smart card system and gained unauthorized access to various resources. His actions, which he only disclosed during a cybersecurity convention, led him to be invited as a keynote speaker at a major cybersecurity event, where he was awarded a certificate of appreciation from the National Police Chiefs Council and the FBI. This experience opened doors for him, and he is now pursuing an offensive security certified professional hacker qualification to further advance his skills and career. The story highlights the potential benefits of ethical hacking and the importance of recognizing and nurturing young talent in the field.

• Successful Social Engineering Hack using Kali Linux Tools: An ethical hacker used Kali Linux tools like USB Rubber Ducky and Bash Bunny for a social engineering hack, gaining access to a building and sensitive information.

  Kali Linux, a Debian-based offensive security tool, holds a globally recognized certification called OSCP (Offensive Security Certified Professional). While it's rare to find hackers with both exceptional social engineering skills and technical know-how, every hacker can attempt social engineering. The speaker, an ethical hacker, recently performed a successful social engineering hack on a large company by building staff profiles through social media, approaching them on LinkedIn with a pretext, and gaining access to the building using cloned cards. He used tools like the USB Rubber Ducky and Bash Bunny, which can mimic keyboard input and emulate Ethernet over USB, respectively. These tools are powerful and can steal password hashes or even bypass lock screens. Ethical hackers like the speaker carry various tools, including single-board computers like Raspberry Pies, which are compact, battery-powered, and function as full PCs. These tools expand the ethical hacker's capabilities, enabling them to test and improve organizational security.

• Technology's Dark Side: Hidden Threats Everywhere: Stay informed and take necessary precautions to protect against hidden threats in technology, including small devices, USB sticks, and even seemingly harmless items like lamps with hidden cameras or software-defined radio transceivers.

  Technology, no matter how small or seemingly harmless, can be used for malicious purposes. From tiny Raspberry Pi zeros the size of a matchbox to USB sticks carrying malware, and even everyday items like lamps with hidden cameras, the threat landscape is constantly evolving. Furthermore, even our security measures, such as antivirus systems, can fail us. A software-defined radio transceiver, which looks like a motherboard in a plastic shell, can intercept and decrypt conversations, snatch telephone calls out of the air, and even steal car keys using a relay attack. These devices can be powered through a USB port and don't require physical proximity to the target, making them even more dangerous. It's essential to stay informed and take necessary precautions to protect ourselves from these threats.

• Protecting against keyless car theft with Faraday cages or moving keys: Be aware of keyless car theft risks, consider using Faraday cages or moving keys to temporarily protect against SDRs, and prioritize strong, unique passwords and regular data breach checks for online security.

  Modern keyless entry and start systems in cars can be vulnerable to theft through the use of technology like software defined radios (SDRs) that extend the range of the key signal. This allows thieves to unlock and start the car even when the key is not physically present. To protect against this type of theft, some suggestions include storing the key in a Faraday cage, such as a biscuit tin, or using keys that disable themselves unless they are moved. However, these measures may only be temporary solutions as cybercriminals continue to find ways around them. Additionally, other methods of hacking, such as using blank cards or button cameras, can be used to gain unauthorized access to buildings or information. It is important for individuals and companies to be aware of these threats and take steps to protect themselves. One effective measure is to use strong, unique passwords for all online accounts and to regularly check for data breaches that may have exposed those passwords. Overall, the use of technology brings convenience but also introduces new security risks that require constant vigilance.

• Exploiting Human Psychology in Social Engineering Attacks: Social engineering attacks use human psychology to gain access to sensitive information. Create strong, unique passwords using pneumonic password generation and protect your master password to avoid falling victim to these attacks.

  Social engineering attacks, like the one experienced with the unintentionally ordered Nando's meal, can exploit human psychology to gain access to sensitive information. People often create passwords using easily guessable patterns, making them vulnerable to dictionary attacks and brute force methods. Passwords can be cracked in a relatively short time, making it crucial to adopt more secure methods like pneumonic password generation. This involves creating a sentence with personal significance, using the first letter of each word and special characters to generate a strong, unique password. Remember, every possible combination of 8 characters or less can be run through in just 2 hours, so it's essential to prioritize password security. Additionally, be cautious about sharing account information and ensure that your master password remains protected.

• Importance of Strong Passwords and Physical Security against Hacking and Social Engineering: Strengthen passwords with at least 12 digits, avoid English words, and incorporate random characters and slang. Keep keyless entry car keys in a secure container and be cautious about sharing visitor passes. Beware of social engineering tactics and don't reveal sensitive information to strangers, even if they seem trustworthy.

  Password security is crucial, and using weak passwords like "password 1" with a capital p is a major risk. Hackers can easily guess such passwords, putting your personal information and assets at risk. To strengthen your password, aim for at least 12 digits, avoid using English words, and incorporate random characters and slang. Another important lesson from the discussion is the danger of social engineering. Ethical hacker Tom shared an experience where he gained unauthorized access to a company by cloning a visitor's pass and impersonated a photocopying technician to gain access to restricted areas. This incident highlights the importance of being aware of social engineering tactics and not revealing sensitive information to strangers, even if they seem trustworthy. Tom also emphasized the importance of physical security. He advised keeping keyless entry car keys in a secure container and being cautious about sharing visitor passes. These simple measures can help prevent unauthorized access to your personal and professional spaces. In summary, the discussion underscores the importance of strong passwords and physical security, as well as the risks of social engineering. By following best practices and staying informed, you can protect yourself from potential threats and maintain your privacy and security.

• The danger of underestimating a conversation's true purpose: Appearances can be deceiving, and seemingly casual conversations may hide ulterior motives. Be aware of your surroundings and ask follow-up questions to gain a more complete understanding.

  First impressions can be deceiving, and people often get so engrossed in talking about themselves that they forget to ask follow-up questions. This was exemplified in a conversation between the speaker and a colleague, during which the speaker was able to gather extensive information about his colleague while posing as an IT worker. However, the conversation took an unexpected turn when the speaker revealed that he was actually conducting an elaborate espionage operation, using devices like a covert camera, a facial recognition system, and a vibrating earpiece to gather sensitive information. The sophistication of these tools raises serious concerns about the potential for corporate espionage and the implications of having powerful entities behind such operations. Ultimately, the conversation serves as a reminder of the importance of being aware of one's surroundings and the potential for deception in everyday interactions.

• Cyber Threats Evolved: From Viruses to Targeted Attacks: Cyber threats have evolved from simple viruses and worms to sophisticated, targeted attacks like Stuxnet, which infected air-gapped systems and caused widespread damage. Medical devices are also vulnerable to cyber attacks, with potential for deadly consequences.

  Cyber threats have evolved far beyond common viruses and worms. The Stuxnet virus, which infected computers across the globe around 2010, was a game-changer. It was designed to target a specific system, in this case, the Iranian nuclear enrichment program. Stuxnet was so sophisticated that it had four zero-day exploits, making it worth millions of dollars. It didn't need an internet connection to spread; it infected USB sticks and spread through removable media. Once it found its target, it recorded data for 30 days, disabled safety mechanisms, and then replayed the good data, causing the centrifuges to explode. This attack was terrifying because it was air-gapped, meaning it was not connected to the internet. A single person infecting their computer with a USB stick could cause widespread damage. Another example is the potential vulnerability of medical devices like pacemakers and insulin pumps to SDR attacks. Ethical hacker Barnaby Jack discovered this, but when he approached the companies, they weren't interested. Tragically, Jack died before he could reveal his findings at a convention, leading to suspicions of foul play. These examples show that cyber threats can have devastating consequences, and it's essential to take them seriously.

• The line between good and evil in cyber world is blurred: Investments in cybersecurity and education are necessary to protect valuable data from hackers and cyber criminals, as information warfare becomes the future of war.

  The line between good and evil in the cyber world is blurred, as both hackers and cyber criminals use similar tools for different purposes. Hacking, like a knife, can be used to create or destroy. The value of data has surpassed that of oil, making it a coveted resource for nations and individuals alike. To protect this valuable resource, significant investments in security and education are necessary. Information warfare is the future of war, and neglecting cybersecurity defenses can leave individuals and nations vulnerable. Governments have a responsibility to protect their citizens, but individuals also need to practice common sense and take necessary precautions. The ongoing battle between good and evil in the cyber realm requires constant vigilance and investment.

• Protecting Your Online Presence: Unique Passwords, IoT Caution, and Data Privacy: Unique passwords are essential, avoid reusing them. Be cautious with IoT devices. Data privacy is a concern, be aware of potential risks when sharing information.

  While having strong passwords is important, it's equally crucial not to reuse them across different platforms. Hackers can gain access to one account and potentially access all linked accounts with the same password. Additionally, be cautious when purchasing IoT devices, as some may lack adequate security. Another alarming trend is the increasing threat of online attacks, with cybercriminals not only targeting below-the-line hacking but also manipulating willingly given data. Techniques like Google Hacking, which involves using advanced search operators to find misconfigured systems, can be used to access sensitive information, such as unsecured CCTV cameras. Furthermore, apps and challenges, such as the 10-year puberty challenge, can be used to collect data for machine learning models, raising concerns about privacy and potential misuse of information. The stakes are high, and the threats are not limited to underground hackers but also extend to the manipulation of data we willingly share. In summary, protecting your online presence involves using strong, unique passwords, being cautious when purchasing IoT devices, and being aware of the potential risks associated with data sharing. It's essential to stay informed and take proactive measures to safeguard your information.

• Staying Ahead of Potential Threats: The Importance of Data Security: As technology advances, prioritizing data security is crucial to prevent destructive capabilities from causing harm. Invest in education and inspire ethical hackers to meet the growing demand for skilled penetration testers and stay ahead of potential threats.

  As technology advances, the potential for both good and bad uses increases, making data security more crucial than ever. In the past, causing significant harm was limited, but with the increasing understanding and distribution of destructive capabilities, the stakes are higher than ever. For instance, 3D printing guns or ransomware attacks on essential infrastructure are just a few examples of potential threats. To stay ahead, we need to prioritize education and inspire the next generation of ethical hackers. The demand for skilled penetration testers is growing, with an average salary of £65,000 to £120,000 a year, and a projected job deficit of 1.8 million within the next three years. We must adapt and invest in our future to ensure we don't fall behind and risk causing irreversible damage.

• From minimum wage to cybersecurity: Tom's inspiring journey: Tom quit his minimum wage job, blagged himself into university, and seized opportunities to pursue a career in cybersecurity. Dedication and the right resources can help anyone achieve their desired career path.

  With determination and hard work, anyone can change their career trajectory, even if they don't have the necessary skills or resources at the moment. Tom, a guest on the podcast, shared his inspiring story of quitting his minimum wage job and blagging himself into university to pursue a career in cybersecurity. He emphasized the importance of seizing opportunities and putting in maximum effort to succeed. For those interested in learning more about hacking and cybersecurity, Tom recommended several resources. Hack the Box is a website that offers legal hacking challenges and opportunities to learn new skills. Over the Wire war games and Mercer Labs, which is affiliated with GCHQ, also provide safe environments for individuals to practice hacking and test their abilities. Overall, Tom's story serves as a reminder that with dedication and the right resources, anyone can pursue their desired career, even in fields that may seem intimidating or inaccessible at first.