The hacker had promised us a surprise, so we should have been ready when she handed us each folded strips of paper with our passwords written neatly inside. We shuddered and grimaced. We had asked Stephanie Carruthers, or "_sn0ww" as she's known to her colleagues at IBM Security, to spend a month hunting for our personal data online. It took her less than a week to discover enough information to fill a 20-page report. She had found this very personal information without actually hacking anything at all.
Most hackers attack computer systems by taking advantage of technical exploits hidden within computer programs. Carruthers is a social engineer, which means she "hacks" people as often as she attacks code. She's an expert at devising lures to trick targets into divulging sensitive information, and _sn0ww uses a toolkit of spy gadgets that lets her physically access facilities. She can also code mobile apps that spoof almost any phone number, or clone hotel and office ID cards, allowing her to sneak into buildings undetected, and she can role-play characters while wearing a disguise.
_sn0ww is employed by IBM X-Force Red and does not break the law. Instead, she and her colleagues help organizations stop malicious attackers by hunting for analog and digital loopholes. Companies hire hackers like _sn0ww because she's good at thinking like a criminal. The job of a social engineer is to gauge the cyber-readiness of an organization by fooling people into revealing critical details such as passwords or where sensitive data is kept. She describes her work as "hacking the psyche" because her targets rarely realize they were duped.
"If I dress in street clothes and march into a building, then demand they give me their passwords, I won't get very far," explained _sn0ww. "But when I chat you up in disguise you'd never guess that I was secretly gathering information or that the device in my bag is copying your office ID."
Like many social engineers, _sn0ww has a collection of corporate ID badges, many forged or painstakingly recreated from images she discovers online. She hunts for corporate badge designs in pictures that employees post to social media and in video uploaded to YouTube. Then, wearing a disguise, she visits the corporate office of her target and stands near an employee in the lobby. A reader hidden in her purse copies the unique credential data stored on the employee's ID card. Finally, she writes that data to a blank card and uses a home printer and Photoshop to recreate the corporate badge design. The final result is a near-perfect replica.
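A defender's counterpart to the badge cloning described above: a duplicated credential often betrays itself in door-access logs, because the same badge ID turns up at two sites faster than anyone could travel between them. The following is an added example, not code from the article or from IBM X-Force Red; the log format, site names, badge numbers and travel times are all constructed for illustration.

```python
"""Flag badge IDs that appear at two sites faster than travel allows.

Added example, not code from the article or from IBM X-Force Red. It assumes
a hypothetical CSV-style access log "timestamp,badge_id,reader,site" and a
hand-written table of minimum travel times between sites; both are constructed.
"""
from datetime import datetime

# Constructed sample log (not real data). Badge 4417 badges into HQ and then
# into the data centre about nine minutes later, which no one can do on foot
# or by car, so it is the signature of a second, cloned copy of that card.
SAMPLE_LOG = """\
2023-04-03T08:02:11,4417,lobby-turnstile-1,hq
2023-04-03T08:05:40,9920,lobby-turnstile-2,hq
2023-04-03T08:11:03,4417,dc-mantrap,datacenter
2023-04-03T08:30:00,9920,lobby-turnstile-2,hq
2023-04-03T09:15:22,4417,hq-floor3-door,hq
"""

# Minimum plausible travel time in minutes between two sites (constructed).
# A pair missing from this table is not checked.
MIN_TRAVEL_MIN = {
    frozenset({"hq", "datacenter"}): 45,
}


def parse_log(text):
    """Parse the hypothetical log format into (time, badge, reader, site)
    tuples, sorted by time. Blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, reader, site = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, reader, site))
    events.sort()
    return events


def impossible_travel(events, min_travel=MIN_TRAVEL_MIN):
    """Return a list of (badge, earlier_event, later_event) for every pair of
    consecutive uses of one badge at two different sites whose time gap is
    shorter than the minimum travel time between those sites."""
    by_badge = {}
    for ev in events:
        by_badge.setdefault(ev[1], []).append(ev)

    alerts = []
    for badge, evs in by_badge.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev[3] == cur[3]:
                continue  # same site: nothing to say about travel
            needed = min_travel.get(frozenset({prev[3], cur[3]}))
            if needed is None:
                continue  # no travel-time data for this pair of sites
            gap_min = (cur[0] - prev[0]).total_seconds() / 60
            if gap_min < needed:
                alerts.append((badge, prev, cur))
    return alerts


if __name__ == "__main__":
    for badge, a, b in impossible_travel(parse_log(SAMPLE_LOG)):
        print(f"badge {badge}: {a[3]} at {a[0]:%H:%M:%S} then "
              f"{b[3]} at {b[0]:%H:%M:%S}, possible clone")
```

The check only catches a clone that is used somewhere else while the legitimate holder is also badging; a clone used alone looks exactly like the original at the reader. Pairing access logs with other location signals the organization already has, such as where the employee's workstation session is active, widens what the same logic can catch.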
Social engineers also frequently rely on publicly available open source intelligence, or OSINT, to research targets. OSINT is information like court documents, the location of military bases, broadcast transmission data, financial assessments, corporate email addresses, social media sites and other forms of data that's publicly available but often scattered or difficult to obtain.
"Hacking is all about combining solid research with the art of deception," said Carruthers. "Some is digital, some is in person. All of it helps me target later hacks, like phishing."
_sn0ww used a combination of social engineering and OSINT to generate our personalized dossiers. Everything she did to learn about us was legal, but she warned that there are plenty of cyber-attackers with similar skills who hack for criminal, financial, or political motivations. These social engineers take advantage of the data leaked through major breaches to gather information ranging from personal financial data to addresses and passwords, using this material to home in on their targets as they move from the digital realm to real-world interactions.