A member of IBM's X-Force Red team hacked two CBS reporters for three weeks. Find out what information she gathered, as well as what phishing entails.
CNET and CBS News Senior Producer Dan Patterson and CBS Investigative Reporter Graham Kates spoke with Stephanie "Snow" Carruthers, Chief People Hacker for IBM's X-Force Red team, about the methods hackers can use to steal your information. The following is an edited transcript of their interview.
This is part one in a four-part series. Download the entire series: How an IBM social engineer hacked two CBS reporters--and then revealed the tricks behind her phishing and spoofing attacks (free PDF).
Dan Patterson: Stephanie, you are a social engineer, and your title is Chief People Hacker at IBM. That is the coolest job title ever. And for the past three weeks, you have been hacking, attacking, and social engineering my colleague, Graham Kates, and myself. You found so much information that it generated a 20-page report. That is amazing and horrifying.
Well, let's start with the basics. When we say social engineering, what do you mean specifically? What does this type of hacking entail?
Stephanie Carruthers: Social engineering is convincing people to perform an action or give out information that's not normally something they would do. It's really going out there and seeing what information you can get from them. Specifically, we look at phishing, so that's sending out an email with malicious links or attachments. And what a lot of people don't realize is if they click on the link or open the attachment, it could give someone access to their information or even their computer.
Dan Patterson: Okay, so phishing, big tactic. You definitely use computers in many capacities, but you don't rely on computers to do the vast majority of your work. When you social engineered us, tell me specifically about some of the techniques you used.
Stephanie Carruthers: When I was looking at both of you, I did what's called open source intelligence gathering or OSIG for short. That's really your online investigation phase. Before any attacker or someone like me starts a campaign, they spend most of their time doing research to see what information they can find out about their target or yourselves. And when they do that they're able to then learn about you and kind of see what makes you tick, what your interests are. And they're able to use all the information, and then they craft their campaigns, whether it's through the phone, through email, or even in person.
Dan Patterson: The information you found was pretty staggering. And even if you are familiar with the InfoSec or the information security world, you're kind of familiar with, "OK, a phish might result in you accessing my email account," but 20 pages of information. Tell me specifically, what did you find?
Stephanie Carruthers: For yourself, I was able to find addresses. I was able to find family members, their full names, their birthdays, phone numbers. I was able to find four email addresses that you had, which were all included in about 13 different data breaches.
Dan Patterson: Data breaches, email addresses, that's fine. You also found my current mailing address, my street address, as well as my three previous street addresses. That, to me, seems pretty intimate, but for those who are still kind of skeptical and say, "Well, you know all your information's out there," what's important about your ability to find where I live?
Stephanie Carruthers: There's a handful of things that attackers could do with that information. If they find out where you live, and they know that you're traveling or on vacation, then they know that your home is most likely vacant. Something else that attackers can do with your address is actually target you in person. One of the things that I like to do is badge cloning, and to do that, I have to get close to you, and if I know kind of when you leave or come home from work, I can be in close proximity to you to get your badge credentials.
Graham Kates: You found out a lot about Dan. But you found out just a crazy amount about me and my whole family. My wife, my young daughter, when she was born, my address, my cell phone number. It's kind of a whole different world of information about me. And I'm curious what that could give you access to.
Stephanie Carruthers: With your cell phone number and seeing different accounts you have, I know that you're interested in food, and you like to take pictures of food. As an attacker, I could use that information and send you a text message, but it could contain a malicious link. Just like Dan, if I know that you're out of town, and I did see a post where the family was going on vacation, that's something that, as an attacker, I would know that your house is most likely vacant.
Additional reporting by Graham Kates.