In this episode of Cyber Security Sauna, veteran hacker and red teamer Tom Van de Wiele answers questions our listeners submitted. Tom covers the ethics of ethical hacking, how to prioritize solving the myriad of security issues companies face, why he includes a banana in his hacking kit, the importance of communication skills in his job, and much more.
First question. While discussing cyber ethics, concepts of lawful and ethical are often confused. So what does ethical mean in ethical hacking?
Well, it means that we want to stick with the objective of what we’re trying to do, right? A company or an organization is really interested in having a certain worst case scenario play out, and they want to see, can we detect it? Can we contain it? Can we stop it? Do our security investments actually make sense? Are they vetted?
So the ethics basically comes from the fact that you have permission to do this.
Well, not only do we have permission to do it, we also need to stay within the law of the country where we’re operating.
That means criminals can do whatever they want, and they can take all kinds of weird turns to get to whatever it is they wanted to steal. And usually it’s money or something that can be monetized. But as ethical attackers, as part of what we call attack simulation or attack emulation, we need to stick within the law. But at the same time, that doesn’t really stop us from giving recommendations to organizations that want to better protect themselves.
The best example of that is, for example, identity theft. Any criminal can go to a telecom shop and have a new SIM card issued if you know what you’re doing, and with that try to take over a certain service that would depend on some kind of password recovery mechanism over phone or SMS. That is obviously an attack vector that could be valid for certain organizations or certain individuals, but it’s not something we can just do within any kind of country because it falls under identity theft, which is illegal. But as said, it doesn’t stop us from giving some good recommendations to our customers. And that’s really where we have to keep our ethical and moral compass.
What about ethics in reporting? Like if a customer asks you to, for example, omit a specific finding from the report, is that something you do?
That’s probably one of the most asked questions, and our answer is always that we only really want to test the process. We are technically not really interested in who is following the process. We’re only interested in – are people following the process? Does the process allow for any kind of deviations from it – maybe it’s not as accurate or as relevant as it should be to whatever situation it’s written for. And we want to find those, call them areas of increased risk that the organization might not even know about.
And that way we provide value in the sense that we want to make sure that the processes are being followed so that your security in whatever it is, is not just dependent on the person, but it’s dependent on the process.
Right. What’s the role of ethics in cyber security in general?
I would say it’s extremely important, because if you’re trying to improve security, that means you’re going to see the flaws, weaknesses and the dirty laundry of an organization and a company. And it’s very important that you are able to keep that to yourself. I mean, there are NDAs and there’s all kinds of other legal paperwork. But having the basic integrity as a person working in cyber security, it is very important to know what your limitations are.
Technically as part of free speech and the rest of it, you CAN go to a crowded theater and yell “fire,” but it’s not the thing to do. In the same way, when you see certain things play out at companies – and you know, companies and organizations are made of people, which means there will be politics, there will be drama, there will be corner cutting. And that’s why you’re there. You’re trying to improve the way that people work. You’re trying to improve people’s bottom line, not just financially, but also as a place to work, the function of that organization in the world. And that means that when you see certain things that might be exploitable or abusable doesn’t mean you have to perform them and cause that damage. You don’t need to trigger the fire alarm to give fire security advice.
So that’s really where a strong ethical background comes in. And you know, people sometimes do make the wrong call. Accidents do happen. But having that integrity is extremely important in the world of cyber security,
Do you feel that you have a responsibility to call out everything you see wrong with an organization? Or is it sometimes okay to give a pass on some things?
Well, you’re not at the company or organization that hired you to fix everything. You’re usually hired to help resolve or to improve a certain aspect of whatever it is that you’re there to improve. It could be a process. It could be the way that a piece of technology is used, could be the way that people perceive the tools they’re working with or their position in the world. And you won’t be able to change the world overnight, so to speak.
That means picking battles. That means making some kind of priority list based on what you think is more important. But that’s just your agenda. So putting all those agendas next to each other of not just the person who hired you, but also kind of the bigger cause, which is, you know, what is that company or organization trying to do? That’s really where you want to make that distinction of what should we focus on today? What should we focus on tomorrow? But you can’t do it all, and there will be things that are left unaddressed. I mean, you can try and put them on the table. You can try and find ownership for these issues. But you can’t change the world overnight.
In a previous episode, you talked about your work and you were showing your kit and some of the tools you use to, to do the hacking. One of the items that catches people’s eye in that was item number 8, the banana. So is there something you can hack with just the banana?
You probably can get into the gorilla cage of your local zoo. But the banana is really that if you can show to the organization whose building you’ve just broken into that you’re eating a banana, you’re holding something in your hands, you immediately look less suspicious.
Not only that, it has kind of a double role in that you can fool your fight or flight mechanism, which will be triggered when you’re in a place that you’re not supposed to be. If you walk into the trading floor of a bank and you have to plug in a certain device that will give you access and control over the trading floor, at least to some extent, you’re not supposed to be there. And of course that comes with training and experience, but you can fool your own system a little bit by maybe eating a banana or an apple because your body thinks, hey, we’re, we’re eating. That means we’re supposed to be here then because if you’re in a stressful situation, you’re not going to be eating.
So it kind of plays a double role. But hacking a company with only a banana, I mean, you can walk into a fair amount of companies just by talking, and it kind of depends on what you’re trying to hack. But you know, the banana can be replaced with whatever you want depending on what you’re trying to do.
I guess you might be there a while, so maybe you just need a snack.
Maybe that’s also good reason to have one, yeah.
All right. Does your approach into red teaming change based on the size of the company, your target company? Is it easier with a larger company or a small company?
That’s actually a really good question. The approach will be different, because in smaller companies the security will be mainly based on the fact that everyone kind of knows each other. There’s more visibility on people’s actions. Whereas with a larger company, there’ll be less visibility as far as who is new and who is supposed to be there and not be there.
So the attack patterns or scenarios you want to try will be dependent on what the security model is based on. And the company or organization that’s asking for these tests might not even know. So they might just be a very trusting organization where everyone kind of knows each other, where there, you would probably use more phishing techniques or maybe more technical attacks, because people think that once something is there or they see it in front of them, it is just supposed to be there, because who else would have put it there? With larger organizations it’s easier to try out smaller attacks that can fail, because the visibility will be less.
So you can just pick up and try elsewhere.
Exactly. You have more targets, so to speak. You have more people to email with your phishing attacks, you have more people to call up, you can talk to more people. And even if you quote unquote “burn your face” when you didn’t get in, or they actually followed the process that they were supposed to follow, you can try and try again. So there’s definitely a difference in the methodology based on the size of the company.
Yeah, in a small organization, it’s like, “Hey, it’s that red teamer guy from last week.”
Well there’s that, but also you can use it to your advantage. If you show up as the handyman week after week –
I mean, this reminds me of a story where I had to borrow someone’s dog to go and walk the dog around the building just to be able to kind of pretend that I belonged there. People would all of a sudden look through their window and see me and then kind of look down again saying, “It’s the guy with the dog again.” And if I did that long enough – I walked that dog for quite awhile, as a dog sitter for a week, two weeks on end – then people didn’t really mind my presence anymore. So I kind of normalize their behavior in that I belong there, I’m just a guy walking his dog. But at the same time I was trying to see if I could get any kind of wireless keyboard signals or Wi-Fi signals coming out of their building to see what I could attack using that particular attack method.
Was the dog on board with this, or was he just sort of looking at you the whole time, like, who the heck is this?
The dog was just very happy to get outside for a walk.
What’s your number one most successful tactic to gain access?
Usually it’s phishing, because people just want to get their job done. And if you either play the helper or the person that is in need of help – I mean, every psychology book that you open, or a book on neurolinguistic programming will tell you, that if you want someone to like you, you should ask that person to do you a favor because it creates a certain bonding process. So phishing is certainly the number one way in, if not just to get your initial foothold, and from that moment on you will rely on more technical tricks to stay within the organization or to try and compromise whatever it is that our customer wants to have compromised.
What about physical access to premises? What’s something you always like to do?
For physical access, usually it can be achieved depending on where your office is located, kind of in the countryside versus the city. But usually you can just walk in. For most companies, especially the side doors are the main targets for us because there’s less visibility. People tend to rely on technology rather than human beings at a reception or a guard. So the first thing we look at when it comes to the physical side of things are the side entrances, the employee entrance that leads to the parking lot, because there’s naturally less defense mechanisms installed there. If that doesn’t work, we’ll try to scope out what is in and around the building. So we can use something in and around the building that a normal attacker coming from the internet who doesn’t have that visibility wouldn’t use.
For example, let’s say there’s road work or they’re trying to redo the bicycle infrastructure or whatnot, you can send a phishing email or call people up saying, “As you know, we’re redoing the bicycle shed, and for that reason we want you to park in a different parking spot. If you would like to have a parking spot there, then please fill in your license plate on the attached document,” which of course has been backdoored from here to hell.
But you want to use those kind of physical traits to create enough context or pretexting as it’s called, to have someone perform that action that you want to as an attacker, because that’s what an attacker is going to do. And our customers simply cannot afford to lose data or have any kind of negative outcome just by a lack of creativity when it comes to the attacks. And that’s what we’re bringing.
Speaking of pretexting, what’s your favorite pretext or background story if you’re challenged within a place you’re not supposed to be?
Again, it’s context-driven, but all buildings need maintenance, and there’s only so many maintenance companies that exist in a certain country or a certain city. So the first thing we do is to try and find out who owns the building, find out what people would be used to seeing, if people are running around watering the plants, bringing the fruit, filling up the coffee machines, or just general maintenance. We try to mimic their uniforms, and usually we can get in without anyone asking us any kind of nasty question as far as what are you doing here and why are you here?
Yeah, so how good an actor are you? Cause, I’m thinking, you seem to care about your work a lot more than a lot of the maintenance guys I’ve met in my life.
We are very thorough, that’s correct. Yes. So if smoke detectors need checking, or there’s certain doors that are not closing and you know, whatever scenario that we’re trying to fit into, you need to be able to actually make it happen. If we want to get into a building pretending to be the after hours cleaning crew and they let you in, you do need to know how to know how to clean. Which means I need to teach some of my colleagues what to do or what will be normal in an office building, when you have to empty the dishwasher and start washing the windows and start cleaning desks. You need to look the part, which means, yeah, there’s a fair amount of acting involved.
One of our listeners wants to get a job in the field. What matters most, a formal education in the field, some certification or just experience from working with computers?
Well, they say that school ends but education never ends, and that’s kind of how we look at it. So this is a game where the goalposts are being moved constantly, because attacks only are getting cheaper and better. Which means if you want to get into this world of either the physical part of red teaming or the more cyber part of phishing, email, phone, but also knowing the ins and outs of networking applications, I mean, you can’t do it all.
So in the beginning you need to pick at least one domain. Try to see if you like that domain, be it access control, be it network security. Try to gain some level of expertise where either you are confident in not just breaking into those things, but also being able to set them up in a way that is controlled and quote unquote “secure.” Later on, you can kind of move over to, okay, how do we now chain all these different domains together? And that’s really where experience comes in. And that is only really learnable on the job. And to get into that, I would refer to the last episode that we did on this topic, together with the 21 tips that we gave out as kind of an entry point of getting into this world of not just red teaming, but also just information security testing.
Yeah. We’ll have a link to that episode in the show notes and in social media. Do I have to do anything illegal to get a job in this industry?
There’s a lot of people that think that you have to do that, but the answer is no. You do not have to do anything illegal to make a career for yourself in any domain of cyber security. Technology has come a long way –
And actually, there’s jobs where having done something illegal will disqualify you from that job.
Yeah. There’s this fetish belief that if you do enough illegal things, you kind of come out at the other end and then you get hired by some kind of government –
The Kevin Mitnick way.
Exactly. And unfortunately it doesn’t work like that, because you will go to jail, or worse. You know, some aspects of cyber security, or depending on what you’re doing, might even fall under terrorism. So you don’t want to go that way.
So reading of course will certainly give you an edge. There’s enough war games as they’re called, if you want to get into the network or application security part of things like hacking. There’s enough resources online to simulate hacker attacks or any kind of attack you want to try. And when it comes to the social engineering part, talk to people. Try to level with people. Try to pretend, you know. The next party you’re at, you’re at a wedding somewhere and a complete stranger asks you what you do. Try to pick an alternative life for yourself.
Convince them of something else.
Yeah. But in a very harmless way. If you go to pick up your coffee and they ask you for a name, pretend to be someone else. And if someone calls your name, your fake name, you know, try to be ready for it. So very small things that you can train yourself with is, you know, trying to pretend to be someone you’re not, trying to act the part.
So illegal things aside, are there some other things you shouldn’t be doing if cyber security is your field of choice?
Well as said, you want to keep it ethical. That means if you find something and it is important, I’m a very big believer in responsible disclosure. You cannot bribe people or blackmail people saying, “I have this knowledge of a security hole or a weakness, and I’m only going to tell you if -” you know, dot dot, dot.
Of course security is a business. But having that strong ethical background, and making sure that you can make the right calls when you need to make them, and understanding the risk and especially the impact of your actions or your inactions is something to think about.
So no dropping 0-day in Twitter.
Not dropping 0-days on Twitter, or you know, talking bad about whatever it is that you want to talk bad about. I mean, all of these things have implications and have consequences. So trying to, especially when it comes to a vulnerability or a weakness, trying to do your utmost to try and get something resolved or raise awareness is important, because you will have to use that later on in your career as well when it comes to cyber security. As said, you will see a lot of dirty laundry because you’re there to improve something. But being able to trade in secrets, so to speak, and keep the secrets to yourself, is not something that comes from one day to the other. That also takes experience.
Learning how to deal with those kinds of things, knowing very well that the organization or the company where you’re working might not act on your advice. You know, there would be a lot of depressed doctors if they would all get depressed, depending on whether or not the patient would take their advice or not. So being able to gain that experience, the fact that you cannot change the world on your own overnight, and having that pragmatism that you have to pick your battles, are going to be the most valuable things in your career. And again, that does not mean you have to resort to anything illegal.
So let’s picture you’re in an office, you got in and you were able to sit down on an unlocked PC. What’s the first thing you typically do?
Well, the fact that I’m already sitting there means that me as an attacker, or any real criminal gang, has to do a fair amount of investment to get to that spot. So you don’t want to redo that investment. So the first thing you’re looking for is persistence. Trying to dig yourself in, trying to find a foothold in the network or the computer so that you have remote access to that computer or the network. So you can use it as an entry point for any other attack that you want to do, and try to compromise as many machines as possible to attain whatever objective that you have set forward, which could be gaining access to certain pieces of information or just staying on the network. There’s some customers that ask for that, saying,”Can you stay on the network and move around on the network without being detected ?” So persistence is the one thing that you want to focus on first.
Do you have a favorite technique for that?
Well, you kind of have to live off the land, as they call it.
So what’s normal for that environment.
Yes. If they’re sanitized on a certain product or a service, you want to try and use that against the organization. You don’t want to introduce anything new that will stick out. So you want to look at any kind of weaknesses you can find on the laptop with, for example, services that get started when you boot the laptop. Or you want to look at what applications the user or the employee will be running the most, and make sure that it runs your little program first, and then runs a legitimate program.
So it really depends on what you have in front of you. And that means you need to know quite a few techniques to be able to accomplish that. Trying to, you know, buy a commercial tool or device or gadget will only get you so far. It really has to do with what the company is doing when it comes to hardening, what kind of threat scenarios they’re trying to detect and avoid, and trying to swim past those.
That make sense. What is the biggest misconception people have about your job?
The problem is that there’s this mysticism that has to do with hackers, and we see these people with blue hair and sunglasses and hoodies on and Hollywood and CSI: Cyber and whatnot. The fact of the matter is that the truth can be a little bit underwhelming, maybe. If you’ve prepared well and if you’ve looked at all different outcomes that might happen when you perform a certain attack, if you know what you’re doing, it’s going to be very underwhelming. Sometimes it’s very exciting, ranging from very exciting to very boring, depending on how well you’ve prepared or how many different exceptions or weird defense you might come across. You know, things that you haven’t foreseen sometimes happen and you need to know how to deal with those.
But the biggest misconception seems to be that we run into companies and then trigger the fire alarm and then walk out with a laptop or whatnot. Which you could do, but no criminal is actually going to do that in order to steal a laptop or an algorithm or whatever it is. The fact of the matter is that information leaks from companies as it is, from people changing jobs or people in the industry talking to their peers. But real criminals trying to cause damage or steal money, they will just use phishing or whatever it is that they can get into as part of the path of least resistance. You don’t have to resort to all the things you see in Hollywood or in series, although some series do, do come pretty close.
What’s your favorite misconception that people have?
I think my favorite is I have heard someone, in a conversation I’ve had, refer to the movie Hackers as a documentary.
That’s awesome. What about the time element in hacking? Cause I see a lot of people, when they see a hacker who’s built a device that can do a specific trick, and they just wave the device and something magical happens and people are like, “Oh, it’s that easy to hack that thing.” No, that was four months of research what you just saw there culminating, and so that whole sort of time element of it.
Yeah. Well there’s two aspects to this. One is that you’re completely right. I mean, buying a really expensive knife is not going to make you a Michelin chef. So you need to know how to use it and know when not to use it.
But as you mentioned, just because the hack or whatever you’re doing takes a very short time doesn’t mean that a tremendous amount of effort and research didn’t go into it. You can best compare this with going to the doctor, right? You’re paying, maybe for a few minutes of their time, but knowing that those people have studied half of their life to be able to come to that conclusion, that diagnosis that quickly.
Certain things are easier than others and for certain things, yeah you can buy gadgets, but buying a gadget from a commercial hacker store is not going to make you a real hacker, whatever that means, or a real consultant that can deliver value to an organization of trying to map how vulnerable they are to a certain scenario. Which again, they consider the worst case scenario where the business might depend on.
Okay. Had you known that you were destined to become a hacker, what are some of the things you would have wished maybe you could have worked on more or developed better growing up?
As technology moves so fast, it’s really hard to come up with any kind of skill that would really give you an edge later on as to where we are now. Having said that, having communication skills and being able to level with whoever it is that you have in front of you, from a top level executive to whoever it is that brings you your food or your coffee. Being able to communicate efficiently is very important in any line of work. But especially if you’re dealing with something as subjective as security.
Because as we all know, there’s a certain psychological aspect of security where we all see things in the media that look really, really dangerous, but will maybe never happen in our lives, versus things that we know will happen but that we kind of don’t want to focus on right now because it’s not exciting enough. So people see a lot of information, and we get a little bit dull when it comes to being able to process the information, which means the media has to reserve to these kinds of slogans of “This attack could be done in only 30 seconds,” or what have you. And that starts missing the point pretty fast. And that leads to kind of a false sense of security in some situations, which is kind of what we’re trying to prove or disprove, as far as what works and what doesn’t.
Coming back to your point about dealing with people, how would you learn that? Is that having a bunch of conversations with a bunch of different people, or is that taking a writing class or…?
If you can take a complex topic and explain it to someone who has no real prior knowledge about that topic, being able to explain it to that person in what we call layman’s terms so they understand the basic concepts of it, that’s really important. That’s really a skill to develop. Which isn’t easy. You can practice that with your friends and family when explaining technology to them, if you’re into technology. But that could also be history, that could be anything, really, that you’re interested in. And being able to distill what matters and come to actually the core information, being able to communicate that effectively.
Not just trying to inform people, but maybe also have people take certain actions is a crucial skill, especially in security, but also in other areas, because at the end of the day we are dealing with security. It is something that you want to communicate to people that, you know, this is important for your own sake, but also for your organization or the company’s sake, and to tell people that they have a personal responsibility. That’s easier said than done.
So there is a certain psychological aspect of this as well, to show people that this actually matters because it has a direct influence on their life. Because as said, there is so much to worry about, people kind of make their own priorities. And you want to be able to influence those priorities by saying, look, no, this is more important than the other thing that you’ve been talking about. But as said, there’s no one size fits all. It has to do with basic psychology. And to be able to learn that you just have to talk to a lot of people, or kind of throw yourself into a presentation like these organizations like Toastmasters or PechaKucha or whatever it is, to just be able to present on any topic, be able to distill what is core information or what is kind of fluff, and being an effective communicator.
I mean, you can be the best hacker in the world, but if you cannot explain to someone why it matters, you’re not going to be successful. Hackers keep saying that they can social engineer anyone, but then when they explain security problems to management, they keep saying that management doesn’t get it. Which one is it? Either you’re a massive social engineer or you know, it’s one of the other.
Yeah. Sometimes people can become blind to their own failures and shortcomings. It’s tough for a lot of writers to proofread their own work, for example. As a red teamer secure security expert, do you have fellow hackers check your own personal security?
Well, any kind of niche market or specialization will suffer from tunnel vision, and people in security are no exception. You will find loads of stories of professional security researchers or even consultants that have very bad information security hygiene, badly chosen passwords, bad practices, because they don’t really follow what they preach. So it certainly has merit to have someone else with quote unquote “external eyes” look at the work you’re doing, how you’re doing it, why you’re doing it, and just keep each other honest and challenge each other. So it certainly has value. Of course you have to look at your own threat model as well as far as what we’re trying to achieve. But it certainly has merit to have someone else look at your work periodically.
What’s your usual workflow when it comes to red teaming assignments? Is there a science to your art?
It will come as no surprise that if you want to attack any target, and I don’t want to make this sound like a very militarized way of looking at things, but gathering information about what you’re supposed to attack or what you want to gain access to is usually two thirds of the work. So finding out where your target lives, or who else has access to the same building or network, or just in general finding out where the information is located – because it’s usually information we have to steal – that’s very important.
So having a good workflow or knowing where to look as part of a methodology that’s reproducible is very important. Because the more you will know about your target, maybe the less effort you have to do as an attacker, because you will know or learn about certain weaknesses inherently, as part of what you’re trying to steal, or where you’re trying to gain access to.
I like the information gathering thing. I was thinking of the expression “Measure twice, cut once.”
Yeah, the whole thing of if I have 100 days to cut a tree, I’ll spend 99 days sharpening my ax.
Yeah, pretty much. Yeah. That’s all we have time for today. Thanks for all the questions and thank you, Tom.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.