Not all hackers are bad. A subset known as white hat hackers, or ethical hackers, use their knowledge and skills for good, testing companies' defenses and discovering vulnerabilities for them.
And those vulnerabilities can come in many forms! From pizza delivery driver disguises to voice synthesizers to bugged e-cigarettes – some hackers go all out, no matter which side they’re on.
To get an insider perspective on what it’s like to be a white hat hacker, we sat down with Jamie Woodruff on the Random but Memorable podcast. Woodruff is currently a chief technology officer and the cyber safety advisor for the Cybersmile Foundation, an organization that helps victims of cyberbullying. He’s an ethical hacker who has reported vulnerabilities to high profile businesses, websites, and social platforms.
Read the interview below (or listen to the podcast) to find out more about Woodruff’s unorthodox career path and why he thinks no company in the world is totally secure.
Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.
Michael Fey: As an ethical hacker, you’ve got a unique perspective on cybersecurity. What led you to start hacking and reporting bugs rather than exploiting them?
Jamie Woodruff: It’s a weird journey, really. I’m autistic, as well as dyslexic and dyspraxic. I’ve always disassociated myself from individuals or people. I didn’t get actively involved in making friendships during my childhood and stuff like that. I resonated more with technology. I’ve always been interested in how mechanical things work, and how you can take things apart. When I was nine years old, my father brought a computer home. I started taking the computer apart and then put everything back together.
When my father came back to fire up the computer, it wasn’t working, and it went off to the local store to get repaired. I went to the store and it turns out I hadn’t slotted the RAM in correctly. I then started to break it deliberately. I would go to the store and sit with the guys who would teach me about different tech, and I’d learn a lot about how this side of things operated.
“I’d always wanted to help individuals and help people.”
And then I started tinkering around, looking at different types of malware. I had that choice – whether to go down the white hat path or the black hat path – and I’d always wanted to help individuals and help people.
I got into hacking at such a young age. I got expelled from school for hacking. And then I went to college and got expelled again for hacking. I hacked Moodle, which was their online learning CRM. I found and disclosed several vulnerabilities and they weren’t too happy about it at the time. So then I ended up working in the mental health sector with people with learning difficulties and different disabilities. I did that for about two to three years, which was wonderful for me because I could turn off work at 7:00 PM and all the residents would be asleep by 11:00 PM and I got to play on my laptop until 7:00 AM. I used to go after bug bounties to make extra money.
“I used to go after bug bounties to make extra money.”
Then I got heavily involved in the social side. I wanted to focus primarily on the human side of security because when people make decisions, a lot of it’s random. If you wake up and decide one day that you’re going to rebel or go against everything you’ve ever done, it’s very difficult for AI to pick up on that. It’s very difficult to look at the human, emotional side of things and apply that to cybersecurity.
But then equally, we are very repetitive in what we do. If we wake up at a certain time, we have a routine – we drive to work using the same route, or we arrive at roughly the same time and have a preferred parking spot. Over time, you can pick up on individuals’ traits.
MF: We know that you’ve disclosed vulnerabilities at many notable tech giants. Do you have any particularly memorable examples?
JW: I recently disclosed one with Amazon and AWS. I don’t really go down the bug bounty route anymore, just when I’m bored or have free time on my hands. I tend to just have an explore-around. There was an issue with the identity and access management (IAM) permissions that I disclosed. I got one phone call from a tech lead that turned into 20 tech leads, which then turned into a lot of individuals.
MF: I read something about you impersonating a Domino’s pizza delivery driver…?
JW: Well, I wouldn’t say impersonating. I was employed for four days. But there are many notable attacks that I’ve done over the years. It’s all about thinking outside the box – that’s what we’ve got to do.
I have many different uniforms that I utilize: FedEx, DPD, UPS, DHL, Royal Mail. In this instance, it was Domino’s that allowed me to gain access to the company’s infrastructure. I’d been contracted by a particular organization to find a weakness.
During the six-week investigation, I was looking at entry points, access points, exit points, employee parking facilities, associated third-party contractors. What CCTV systems are they using? The alarm companies, the engineers that are associated with that infrastructure – just delving into absolutely everything to find a particular weakness.
“In this instance, it was Domino’s that allowed me to gain access to the company’s infrastructure.”
Every Friday, this guy would turn up with maybe five or 10 pizza boxes. He would get a visitor badge, he’d go inside the infrastructure, and then he’d return 10-15 minutes later. I followed him back to the Domino’s that he was working at and applied to be a delivery driver. I got a bum belt and a t-shirt from Domino’s, and then I worked for a period of four days before I quit. On that particular Friday, I did the delivery drop. I turned up to the infrastructure, I got a visitor’s badge, and I walked through the first layer of security, which was the first set of access doors.
You know how there are fire department plans and layouts and schematics and stuff – you can have a map to where things are, based on what you’re looking at. I was able to find one of the server rooms, and it wasn’t any of the access rights that we see nowadays. It used an old-school twist lock to get in. So I sprayed it with luminol, and luminol shows up under a black light, and you can see the smudges of the person that last utilized that lock. I was able to shine a black light under it and then see where the pins were punched.
From there, I could have deployed ransomware, I could have deployed malware. And again, this took maybe a period of four to five weeks of just doing some investigative research and going through things such as planning, town hall submission applications, who they’re working with, who they’re utilizing from a third-party supply chain perspective.
“If malicious individuals want to target your organization, they’re going to find a way in.”
Nine times out of 10, attacks are crimes of opportunity. But if malicious individuals want to target your organization, they’re going to find a way in. No company around the world is secure. If you have time to conduct research or have financial means, then it’s fair game.
MF: In your experience, what are some of the most common mistakes or oversights that individuals or organizations make when it comes to securing their systems?
JW: Not having an adequate budget for their particular organization. I meet a lot of security and IT guys, and their budgets are constrained because C-level executives or board executives don’t really understand the nature of what they do. They just know that their systems remain online and operational.
The biggest threat that companies face now is ransomware or insider threats. That’s on a massive rise. There was some stuff published recently about how malicious individuals were reaching out to employees and trying to persuade them to run or execute malware internally, and then they’ll get a payout. They’re going above and beyond! They’re changing the way that they’re approaching organizations.
“[Hackers] are reaching out to employees and trying to persuade them to run or execute malware internally.”
There’s an interesting case that I’ve worked on recently that I think is relevant. I was working with a company that has about 180 employees. I got a phone call and they said, “Hey, Jamie, we’ve got a bit of an issue that’s quite serious and we don’t really know how to approach it.” I said, “Right, okay. What is it?” They said, “Well, we’ve got this guy internally and whatever he touches tends to get infected with ransomware.” I was like, “Okay, well, that sounds really fun.”
I went to the company and I followed him around his working day. I had lunch with him. I went out for a cigarette with him, and I just basically studied his behavior: the way that he was operating and what he was doing, what programs he was utilizing, etc. One thing that I noticed was, some days he’d come to work with his electronic cigarette, and it would be fully charged because he had charged it at home, but on one particular day it wasn’t. The battery was dead. He pulls out this cable from his desk drawer, plugs it into his machine, plugs it into his e-cigarette and starts to charge it. About 15 minutes later, their antivirus (AV) solution showed the computer getting completely isolated from the network. We found out that in this particular cable there was a hidden SIM card.
“In this particular charging cable there was a hidden SIM card.”
When he plugged it in, it was going to a remote C&C server that was attempting to download and drop malware on his machine. His particular machine wasn’t fully patched and updated. Now, to me this was mad because, during the cleanup operation we went through all the WatchGuard firewall logs. We found out that the cable was bought from a malicious store on wish.com. The person behind the store had taken out paid marketing to target all employees of that particular company, and everybody within a 2-mile radius of that building.
This employee had only spent £3.50 buying a cable that looked really good. It didn’t look sketchy at all. And then to have a SIM card embedded into it to target that particular company just goes to new heights. So yeah, that really did blow my mind.
MF: You mentioned budget as a security oversight. If you’re someone who is trying to manage a very small security budget within a company, how do you bring more attention to it, or what steps do you take?
JW: I recommend companies work directly with vendors. People will often buy some software and just try and implement it or install it themselves, especially if it’s a smaller IT department in an SME. Also, a lot of people take on cloud services but don’t understand if it’s a managed service or if it’s an unmanaged service until something affects them. Then, all of a sudden, they can’t get any support or access to their stuff.
Another big thing: companies say, “My data is protected.” Well, what are the most critical systems? What systems do you need to get back online after an attack or after a breach to ensure that your employees can continue working and you’re not just hemorrhaging money?
“A lot of companies go into liquidation and end up shutting down just because a breach has occurred.”
Another one is cybersecurity insurance. A lot of companies don’t have any cybersecurity insurance, so if they become the victim of a malicious attack, insurance won’t pay out. A lot of companies go into liquidation and end up shutting down just because a breach has occurred.
So, it’s important to relay all this information, look across the entire company, make a plan, make an inventory to understand exactly what’s occurring. Take a step back to think: what new stuff have we had? What new vendors have we worked with? What third-party supply chain perspectives are we utilizing? What’s the communication level? Who has access to the required rights to do their roles? Again, a lot of people still have local administrative rights, for instance, in SMEs, which is a big danger.
MF: How does the development of AI and this surge we’re seeing in large language models impact social engineering attacks? Does it add another layer of complexity?
JW: If we look at the rise of ChatGPT, this has revolutionized everything from recruitment – getting individuals inside of an organization – to understanding there’s an issue with your programming. For instance, say we’re writing a LUIS (Language Understanding Intelligent Service) script. You’ve got a bug. You just copy-paste it into ChatGPT, and it’ll tell you what’s wrong with it or what function needs to be added, or what library needs to be added, etc. It has also made it so much easier to access information about weaknesses from a malicious side. You can dig in, you can gather research, you can learn from facts, statistics, and trends of what’s happening.
“[ChatGPT] has also made it so much easier to access information about weaknesses from a malicious side.”
There’s a bank in the Middle East that got breached in January of last year. What they did was they used Fruity Loops, the software that anyone can download and use for editing music and creating different tracks. To synthesize the voice of the CEO, they looked for all the YouTube videos and press releases that the CEO had done, and they found out, through some phishing attacks, the way he treated and spoke to his employees. They then called up the bank and managed to transfer millions to an offshore account that then got laundered back through cryptocurrency.
MF: I have a closing question, which I’m almost wary to ask, which is: is there any optimism about the current cybersecurity landscape?
JW: From a vendor perspective, there’s a lot of outreach now towards companies. I’ve worked with quite a lot of managed service providers (MSPs) that have dealt with multiple clients, end-user level, and they’re getting support now.
There’s stuff like the new Microsoft security standards, mandatorily pushing stuff like multi-factor authentication (MFA), for instance. And that helps a company by having the vendor display different training material that they could utilize, explaining some of the benefits of services, but not directly pushing a product down a person’s or an organization’s throat.
“We all need to work together. It’s a community-led approach.”
That’s one thing that I am seeing change. People understand that the threats are out there. They’re in the wild. There are zero days every millisecond of us talking. There’s going to be a new way in, and every time you patch one place, it creates another problem. And that other problem will be found by somebody else.
So we all need to work together. It’s a community-led approach. It’s amazing to see a lot of companies now pushing open-source technologies. You are actually seeing how that software is operating or how that program is being utilized, and how even that can be adapted for different services. I’m quite intrigued to see how the landscape’s going to change over the next 10 to 20 years.