We Talk to Physical Penetration and Social Engineering Expert, Marina Ciavatta
When most people think of hacking their mind goes straight to breaking into computer systems. However, there's a different type of hacking that deals with the physical world and the people who inhabit it, and this type of hacking can be just as dangerous.
Hacking can also mean gaining entry to places you're not supposed to be by exploiting weaknesses in physical security such as locks, or by using social influence to bypass physical security. This week we talked to Marina Ciavatta who specializes in social engineering and physical penetration testing. Marina shared her story of how she got into the field and gave some helpful advice on how we can better protect ourselves. Before we delve into Marina's story, let's brush up on what these terms mean and how they fit into the wider hacking industry.
Physical Penetration Testing
The goal of physical penetration testing is to test the strength of physical security controls to discover their weaknesses before they can be exploited by a bad actor. If individuals or companies can see where their physical security is weak, they can make it stronger and better protect their assets.
Physical penetration testers will often gather information about a site through passive and active reconnaissance, covert photography, and other methods. Gathering information is essential to carrying out a successful physical penetration test because once you understand the security controls in place, you can work to bypass them.
Gaining unauthorized access can be done through character impersonation, picking, breaking or bypassing locks, bypassing biometrics, and many more ways. If you want to understand more about physical penetration testing, we recommend watching "I'll Let Myself In: Tactics of Physical Pen Testers".
Social engineering is an important part of the hacking landscape, both in the digital space and the physical space. It is also referred to as "people hacking". If you've ever received a phishing email, then you've seen social engineering in action. These black hat hackers will often impersonate a trusted company thereby lowering your defenses and try to convince you to part with your personal information.
Physical Penetration and Social Engineering In The Real World
There are high-profile examples of bad actors using these techniques to gain unauthorized access to places they shouldn't be. Let's take a look at a few.
The Isabella Stewart Gardner Museum Heist
In March 1990, security guards at the Isabella Stewart Gardner Museum in Boston heard a knock on the door. It was two policemen who claimed to be responding to a disturbance call, only, they weren't policemen at all.
By Miguel Hermoso Cuesta - Own work, CC BY-SA 4.0, Link
The guards were under strict instructions not to let anyone into the museum, but seeing two men in police uniform, they decided they must be trustworthy and they let the men in. The guards were then tied up and the uniformed men stole 13 works of art with a combined total value of $500 million.
"The Artistic Crime of The Century"
On 7 August 1974, French high-wire artist Philippe Petit walked on a high-wire between the Twin Towers of the World Trade Center in New York. It took Petit six years to plan the unauthorized high-wire walk and his planning included renting a helicopter to fly over the site and take photos, sneaking heavy equipment up to the roof, and observing the behavior of the workers at the World Trade Center.
Petit made fraudulent ID cards for himself and his team, posing as Americans who worked in the building. He took note of the clothes that construction workers in the building wore, and he copied them, even down to the types and brands of tools they carried.
Now, let’s hear Marina’s story.
How did you get started in the field?
I don't have a tech background like most people that work with hacking. I graduated as a Journalist and my first contact with the information security market was 6 years ago while I was making content and doing social media management for a Brazilian security awareness company. They were starting a new hacking conference for beginners and I got to run it.
The conference is called Roadsec and over the years it became the biggest hacking conference in Latin America, traveling to 23 states with talks, workshops and a CTF too. I was also the leader of the biggest volunteer program in Latin America, having directly trained more than 1,500 people.
If that was not enough, during the last year I was invited to help a friend of mine with a Social Engineering assignment called Physical Invasion (or physical pentest). Since I was very good at dealing with people, social engineering was extremely fun for me (it's human hacking, after all). It was so successful that the client hired us non stop for more assignments. And that's how I finally became a hacker!
I recently started doing talks about Social Engineering and Physical Invasions, having already talked at 5 conferences. I also participated in a few podcasts and hangouts too.
What were you most surprised to learn about physical penetration testing and social engineering?
What surprised me the most is how completely unaware most people are about basic security procedures. While a lot of people value personal security very highly, they often don't take the necessary steps to secure themselves. Most people indeed lock their windows and doors, but they don't do much beyond that.
It's crazy to think that I can potentially access someone's bank account or sit in the CEO's chair by just asking a few simple questions. I think a higher level of awareness and education around security is needed to adequately address these problems.
How do you see the world changing to address these threats?
We need to talk about it and keep talking about it! Hacking, the importance of privacy, social engineering, fraud, and secure passwords all need to be a prominent part of this discussion.
We need to steer the perception of hackers away from a shady computer whizz that is to be feared and towards a professional who can break things and fix them into something better. We want people to learn from us and to work WITH us. Security awareness is the key to a safer future for everyone.
What do you think are the biggest security threats that need urgent attention in this area?
It's alarming but I've had huge success in assignments by simply tailgating an employee and asking nicely if I can follow them in. People often don't see themselves as personally responsible for granting entry or leaking information and will absentmindedly break security protocol. It's a pattern that we also see in our daily lives. We often give too much power to people who we barely know or we shirk responsibility for bad things that happen around us.
How can people better protect themselves?
There are a lot of basic security measures everyone should practice. Everyone should learn how to create a strong password and only use strong passwords. Password vaults are also a basic but highly effective way of protecting your data, and they are often free on app stores.
You should never leave sensitive documents lying around for people to see and you should never write your passwords down. If you see something shady or something that doesn't sit right with you, then you should call it out - if you're wrong, then, oh well, nothing happens. But if you're right and you don't say anything, the consequences are much graver.
Also, don't be so quick to trust the information you're given. It's good practice to check where your information is coming from. Find good sources and trust those sources. Follow the advice of security professionals and educate yourself about the best practices. And lastly, do not CLICK ON SH*T.
What are some of the resources you would recommend for those interested in pursuing social engineering or physical penetration testing as a career?
This is a delicate field, to be honest. It's very hard to practice the hardcore part of social engineering if you are not hired to do so. Since you're working with fraud, manipulation, and trespassing you can easily find yourself on the wrong side of the law if you're not in a professional setting. However, if you dedicate time to studying human behavior and influence techniques, you'll gain a good understanding of how it works.
Psychology, sociology, and philosophy are very good friends of social engineering principles since you have to understand the commands the human mind is obeying to find it's vulnerabilities. You can start by reading some entry-level books on the subject like Kevin Mitnick's books which are filled with fun stories.
You can also study the different types of social engineering like phishing, vishing, smishing, physical pentest or physical invasions. I'd also recommend talking to professionals in the field by going to events or following them on social media. A lot of us are always talking at conferences and teaching tricks online and we're always happy to have a chat. Social engineers are a friendly bunch, the clue is in the name!
Leave a comment