Stephanie Carruthers is a “white hat” hacker known as Snow whose clients include both Fortune 100 companies and startups. In 2014, she won the Social Engineering Capture the Flag competition at DEF CON, one of the world’s oldest and largest hacking conferences. She’s a frequent presenter at hacking conventions and shares her expertise with businesses hoping to beef up their online security.
We asked Snow over Twitter about the work she does and what tips she has for keeping people safer online.
What exactly is a white hat hacker?
A white hat hacker is an ethical hacker. Specifically, I am a social engineer, which is a people hacker. One of the easiest ways to explain what I do is by saying, “I lie and break into buildings.” I perform different types of assessments, such as phishing campaigns and physical security assessments. My work is performed with the goal of being able to show my clients where their vulnerabilities are so that they can fix them before an actual attacker finds them.
How did you get into doing this?
Social engineering became a passion while competing in the Social Engineering Capture the Flag at DEF CON, and I’ve been lucky enough to be able to grow into this career.
How safe do you feel personally online?
I would never say that I am un-hackable. Data breaches are occurring at such a constant rate, it feels like a norm, and for that reason, I don’t think that I’ll ever feel safe online. Therefore, I take precautions to protect myself as much as possible.
What are some of the dumb things you’ve seen people post online?
I try not to label things as dumb, but uneducated. I would hope that if someone truly understood the risk of the content which they are putting online, that they would reconsider posting it.
That being said, some of the things that I’ve seen online where the individual doesn’t understand the risk are:
New drivers: Excited teens (or even parents) taking a proud but up-close picture [of their new license] that has all their personal information, including home address.
New homeowners: Homeowners taking a celebratory picture of their new house key and geo-tagging their new house without realizing that it is [easy] to duplicate a physical key from a photo.
Employees: Employees will often take selfies with complete disregard for what’s in the foreground or background of the picture, including passwords/sensitive information on whiteboards, computer monitors, voicemail passwords taped to their phones, etc. Also, for some crazy reason, employees post pictures of things like their paycheck. While some people may see nothing wrong with these types of posts, attackers can use these types of pictures to their advantage.
What should people never do on social media?
Post without thinking. Period. Before you post something, ask yourself these questions: What information am I putting online? What is in the background of my image? If I wanted revenge on myself ― how would I use this information against me?
In your opinion, which social media site exposes our vulnerability the most?
I think Facebook exposes the most information ― mainly because Facebook correlates a huge amount of data, such as your friends, co-workers, family, your job, your hobbies, your kids, etc. Many answers to security questions [used for bank transactions and password resets] can be found just by looking at someone’s Facebook account.
On top of that, Facebook doesn’t do a great job in protecting your privacy by design ― social media doesn’t work well when everyone is tight-lipped and restrictive. For many users, trying to add privacy settings they should have isn’t intuitive ― that is, if they even consider it.
Would facial recognition technology stop fake profiles from being created by scammers?
Facial recognition technology may help reduce some scam accounts, but it won’t end them. Hackers are very crafty people and enjoy figuring out ways to overcome these types of obstacles. It’s very much a cat-and-mouse game. On the other hand, to empower Facebook, we would need to provide more personal information. I’ve known many people who value their privacy to the point where they use fake names and a non-human photo on social media. In order to prevent a fake profile, they would need to supply Facebook with their name and face. This is akin to Facebook’s idea on how to combat revenge porn by asking for your nude photos. If they have them, it makes it easier to search and destroy from an automation standpoint. However, we get back to the issue of trust and which is the lesser of two evils.
Passwords and security questions: Why are there so many breaches?
Data breaches can occur for several reasons, such as social engineering attacks, application vulnerabilities, unpatched servers, lack of physical security controls, weak or stolen credentials, etc. If these vulnerabilities constantly exist, then data breaches will only continue.
Something that is beneficial for everyone is to adopt good password habits. Passwords are a mix between individual and corporation responsibility. Here are a few things you can do to protect yourself:
Stop password reuse, change your passwords often, and use a password manager. You should have a strong, unique password for anywhere you have a login.
Lie when you answer common security questions. You don’t have to fill out your mother’s maiden name correctly. Use something else that cannot be easily guessed for the question, such as “Nutella” or “Disneyland.”
Use two-factor authentication. Most sites have an option where you can set up this extra security setting.
Who are all these scammers/hackers who want our information?
Scammers are attackers of opportunity. Like any other illegal activity, they gravitate to situations where the reward outweighs the risk. In most places, this is because the local laws don’t carry much risk against the activity. It doesn’t matter who or where the attacker is at the end of the day, it’s the fact that there is information they want, and they have the means and ability to obtain it ― provided it’s worth the reward. In many cases, they are wildly successful because, in many of these shops, it’s a numbers game. They have a call center full of scammers very much akin to telemarketing campaigns. They have lead-generation, dialogue scripts, internal escalation, training and even quotas.
What’s the single most important thing for casual users of the internet to keep in mind?
Just to remember that these security issues aren’t going away anytime soon. Additionally, you can’t make yourself the most secure person in the world. However, you can make yourself more secure than others ― and as a result, hopefully attackers give up and move on to someone else. As the saying goes, “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.”
This interview has been edited for length and clarity.