An IBM X-Force Red team member explains how her background in makeup and sales helps her social engineering career. Also, she demonstrates how cybercriminals can easily clone your work ID badge.
CNET and CBS News Senior Producer Dan Patterson and CBS Investigative Reporter Graham Kates spoke with Stephanie "Snow" Carruthers, chief people hacker for IBM's X-Force Red team, about how she got into hacking and, specifically, social engineering. The following is an edited transcript of their interview.
This is part three in a four-part series. Download the entire series: How an IBM social engineer hacked two CBS reporters--and then revealed the tricks behind her phishing and spoofing attacks (free PDF).
Dan Patterson: Stephanie, your background is not necessarily in computers or in hacking. You come from the makeup world and from the world of practical effects. Explain to me a little bit about your background, and then how did you become a hacker, and how did you specifically get into social engineering?
Stephanie Carruthers: My background is in sales with makeup products. I really enjoyed seeing what made people tick and what sales techniques worked and didn't work. And with that love of makeup, I then learned special effects makeup, and I was able to really transform people. And I enjoyed that, and I had no clue that those were two things that I would be using in my career now.
But if you fast forward a couple of years, I attended DEF CON for the first time, which is the world's largest hacking conference. I went with my spouse and had no interest at all in being there. When I was there, I found a social engineering competition. And that competition is where people are making live phone calls to targets trying to get information from them. And when I was in there, we're in the room listening to the calls; I realized that that was made for me. All the tricks that I had learned in the past with convincing people to buy things, I knew I could do that.
Stephanie Carruthers: From there, I got every book on the subject matter I could find. I went to the mall and would talk to people, and I competed three years in a row in that contest, and I won in my third year. I've now been doing this professionally for several years.
Dan Patterson: Tell me how a hacker in the wild might combine actual hard computer skills, which you do have, along with these other skills that you have of social engineering.
Stephanie Carruthers: A great example of that would be phishing or sending out a malicious email with links or attachments. You need the social engineering piece to craft the email specific to your target. You need to know different influence techniques or things that I learned from sales to really convince them and sell it. And then, you need the technical skills to actually build the website or the payload.
Dan Patterson: Stephanie, I'm in fact told that you are in disguise right now. Can you help me understand how makeup and disguises help you with your job as a hacker?
Stephanie Carruthers: Absolutely. So I am in disguise now. This is not what my hair looks like at all, so I use disguises a lot when I go on site because I don't want to be recognized, or I might have to use multiple personalities. If something doesn't work the first time, I'll have to try something else, and this really helps me. Or if I'm pretending to be someone specific, like a flower delivery person, I'm going to change into a uniform.
The wig that I use is something I would use for an auditor, and I'd wear a suit. I actually go online and try to find information and pictures of people in those same job roles to look as much like them as I can.
Graham Kates: Snow, you've now taken off your disguise, you are dressed as yourself presumably, and you're getting ready to take us through how you might access the CBS News building if you were trying to sneak inside. You brought along tools that could show us how you would be able to do that if you wanted.
Stephanie Carruthers: Absolutely! I actually made you a fake card. Can I see that? To show how this would work, this is like a regular RFID system that many buildings have, so you need to badge in to get access to the building. Your card is programmed, and it works. What I would then do is take my RFID capturing device, which is a long-range reader. I hide it in my purse, and nobody knows it's there.
What I do is I wear my purse around, right? Just on my shoulder, normally, and I would stand next to you in an elevator or in line at the coffee shop, and all I would need is 20 inches of distance between my purse and your badge, and I would be able to capture all of the data that is on your badge. Then I would go back to my hotel room, and I would get the data off of this reader.
I have a microSD card in here that I would then pull out, plug into my computer, and I would use this Proxmark. What this does is it will clone the data that I give it onto a new card. I'm taking the data that I captured from your card, and I am programming it to this new card. It will now work just as if it was your card.
Graham Kates: I didn't do anything wrong, but you were able to get access to the building using me as a vulnerability.
Stephanie Carruthers: Exactly, and that's just a very, very close distance. I don't even have to be at your building. I could be in line for lunch or somewhere just close to employees.
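The interview does not say which badge format the demonstration used, so the following is an added example, not code from the interview or from IBM X-Force Red, illustrating why a captured read of a plain proximity badge is enough to clone it. It assumes the common 26-bit Wiegand layout (HID H10301 style: one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit). There is no secret on such a card, only a static ID with parity, so decoding the captured bits and re-encoding them reproduces the credential exactly; the sample bit string below is constructed for the example, not captured from anyone's badge.

```python
"""Decode and re-encode a 26-bit Wiegand (HID H10301-style) proximity credential.

Added example, not from the interview. The format assumption (26-bit H10301
layout) is the author's; many building access systems use it, but the
interview does not name the system demonstrated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential26:
    facility_code: int  # 8 bits, identifies the site/customer
    card_number: int    # 16 bits, identifies the individual badge


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26-bit string a reader would see for this facility/card pair."""
    if not 0 <= facility_code < 2 ** 8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < 2 ** 16:
        raise ValueError("card number must fit in 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    # Leading bit: even parity over the first 12 data bits.
    even = payload[:12].count("1") % 2
    # Trailing bit: odd parity over the last 12 data bits.
    odd = 1 - payload[12:].count("1") % 2
    return f"{even}{payload}{odd}"


def decode_h10301(bits: str) -> Credential26:
    """Parse a 26-bit capture, rejecting anything with bad length or parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits of '0'/'1'")
    payload = bits[1:25]
    if int(bits[0]) != payload[:12].count("1") % 2:
        raise ValueError("even parity check failed")
    if int(bits[25]) != 1 - payload[12:].count("1") % 2:
        raise ValueError("odd parity check failed")
    return Credential26(int(payload[:8], 2), int(payload[8:], 2))


def clone_bits(captured: str) -> str:
    """Round-trip a capture through decode/encode: the output is the bit-exact clone
    that would be written to a blank card."""
    cred = decode_h10301(captured)
    return encode_h10301(cred.facility_code, cred.card_number)


# Constructed sample: facility code 42, card number 12345 (not a real badge).
SAMPLE_CAPTURE = encode_h10301(42, 12345)

if __name__ == "__main__":
    cred = decode_h10301(SAMPLE_CAPTURE)
    print("captured :", SAMPLE_CAPTURE)
    print("decoded  :", cred)
    print("clone    :", clone_bits(SAMPLE_CAPTURE))
    print("identical:", clone_bits(SAMPLE_CAPTURE) == SAMPLE_CAPTURE)
```

The parity checks are the only integrity the card carries; they catch a noisy read, not a forged one. The practical defence the example points at is not hiding the bits but moving to credentials that authenticate cryptographically (so a read cannot be replayed onto a blank card) and shielding badges when they are not in use.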
Additional reporting by Graham Kates.
Part four of this series will be published soon.