• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



Gar is joined this week by Jenny Radcliffe, aka the People Hacker, founder and director of Human Factor Security. Jenny is a world-renowned Social Engineer, hired to bypass security systems through a mixture of psychology, con-artistry, cunning and guile.

Jenny talks us through her experiences of physical penetration testing, her background and how that fed into her success, and how to use emotions to socially engineer people.  


The Get Cyber Resilient Show Episode #58 Transcript

Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast. I'm Gar O'Hara, and today I'm joined by Jenny Radcliffe, AKA the People Hacker, founder and director of Human Factor Security. Jenny is a world-renowned social engineer, hired to bypass security systems through a mixture of psychology, con artistry, cunning, and guile.

As a burglar for hire, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organizations of all sizes to help secure money, data, and information from malicious attacks. Top that with her being an incredible storyteller and excellent educator, host of the Human Factor Podcast, keynote and multi award winner.

We talk about her experiences of physical penetration testing, urban myths around penetration testing, her background and how that fit into her success, social engineering in general, emotions and how to use them socially to engineer people. Lots here, so over to the episode.

Welcome to the Get Cyber Resilient Podcast. I'm Gar O'Hara, and today, I'm joined by Jenny Radcliffe, the People Hacker and founder of Human Factor Security. How you going, Jenny?

Jenny Radcliffe: I'm good, thanks. Thanks for having me on the show.

Garrett O'Hara: Absolute pleasure. I'm actually very, very stoked to have you today. So, look, we, you know, we always start with a bio and yours is very, very interesting. I'm actually going to do something a little bit different, actually. Before you start, I'm going to read out one of your quotes because this to me is like a, it's, well, I have it literally written down as a movie quote.

Jenny Radcliffe: Ah.

Garrett O'Hara: And I heard it in one of your interviews. And the quote is, "It doesn't matter what they put in place. If someone's got access, then I can access them, and then we're down to me versus the person."

And honestly, like, when I, when I heard you say that to me was the, it's a character in a movie, and it's one of those ones where the camera goes in close in the face and it's, you know, it's the badass kind of talking in the, in the movie.

Th- And that seems to be your life. What, what's your bio? How did you get to where you are today?

Jenny Radcliffe: Yeah. Well, I mean, yeah. D- That one, I, you know, you say these things in interviews, and then people pick up on them. Someone said that one, put that one up on Twitter and just said, "I'd always back Jen."

But I, I say that because People Hacker's a title. It wasn't a title that I, that I gave myself. A journalist called me People Hacker, and I thought, "I'm having that. It sounds really good." Because it describes what I do, which is nontechnical hacking.

So, I'm paid to gain access to systems or to premises, to data and information, but I'm not a technical hacker, really, so I don't really use technical means. I know a few things because I hang out with really smart technical people in the business. But I mostly use psychology and physical infiltration techniques.

So what that translates into is I'm either going to burgle you so we're going to get past an alarm system in some way, shape, or form, and that's something I've done for a long time, or we're going to use psychology to write the email, to make the phone call, to make some sort of approach in person or on social media or whatever it is, that's going to hit all the right levers psychologically. You're going to push all the person's buttons so that that person gives up the information.

And that quote's about, you know, I've got past a lot of physical and technical security measures in my time because I can talk to someone. People trust me because I don't look particularly guilty or particularly dangerous. And then if the pers- if someone's in charge of it, then that person is the way in.

So, the other quote I always say is, "I don't need to work on the lock. I need to work on the human." And that's what, that's what I teach, and that's also how we prevent the real bad guys using the same techniques as well.

Garrett O'Hara: Phenomenal. And, and so how did you get to the point where you are the person who's so good at hacking the humans or hacking the people?

Jenny Radcliffe: So, I mean, to cut a long story short w- I started out when I was a kid, really, in Liverpool. I was held against my will by a neighbor as a little kid for a day. I wasn't really hurt, but they didn't let me go. And my family, it being the kind of late '70s, early '80s, the fam- nobody told the police or did anything like that.

But my family decided that they'd let me hang out with my cousins who were older than me to, to sort of teach me a little bit about being more streetwise, right, because I followed the person to their house. And, and not long after that, I'd also followed someone to, a gang of kids into an alley and, and had to fight my way out of that.

And so, I think my mum and dad thought, "Oh, we'll make her a little bit more streetwise and let her hang out with my older cousins." But what they didn't know was that my older cousins were into something called urban exploration, which means getting into abandoned buildings. There were millions of them in Liverpool at the time. And just, like, having a look around and, and kind of low-grade kind of trespass.

And so, they taught me a lot about getting past pe- you know, talking your way o- in and out of situations, scoping a building, seeing where the entry and exit points were, how to get past locks and, and, and lock picking, things like that.

Um, so I kind of did all that for a long time, and I started to sort of pull cons in Liverpool, little low-grade cons. They were, by this time, we'd got older. The boys were sort of doing security on the doors of some of the roughest [laughs] pubs and clubs in the city. And I wasn't d- going to do that, but I was like, I used to deliver packages and things for them and, and kind of work with them if it needed a, a, a sort of a, a more coherent script than they were [laughs] going to give.

Um, and, and eventually, we ended up getting paid by some of the soccer players in Liverpool to look at their houses and, and things and, and just check their security, check their security. In other words, can you break in? Yes, we can. You need to do this, this, and this.

Um, and really, I did that my whole life, but I didn't tell anyone I did it, because at the time, I'm quite old, and at the time, there wasn't sort of really a cyber security industry and I didn't know anything about what we now would call penetration testing or physical testing of a system. It was just burglary. It was breaking and entering.

And even though I was being asked to do it, it wasn't, it didn't seem legit, you know, so I never really said anything. I had another career, just a normal corporate career. And then I did a job in Asia that was, that kind of went wrong and was very dangerous, and I gave up doing it for a while.

And by the time I got back, the Internet had taken off, and suddenly, there was this whole industry. There were people writing books about it. There were courses. And I suddenly realized that what I, what I'd been trained to do since I was seven or eight years of age was actually a legitimate skill in a legitimate industry and people were interested in hearing how I did it.

So that's the shortened version of probably what's probably a very long story.

Garrett O'Hara: It's, it is, and an amazing story, by the way. But your, your interview on Darknet Diaries, highly recommend people go and listen to that as well, because it gives you the extended version of the story of when it went wrong in Asia, which was, yeah, it was-

Jenny Radcliffe: [laughs]

Garrett O'Hara: ... [laughs] incredible. You've just, so you've just described-

Jenny Radcliffe: [crosstalk 00:07:08].

Garrett O'Hara: ... [laughs] you’ve just described kind of starting on the, the physical side, right, and the, the sort of you know, getting into buildings, getting into, getting past perimeters, essentially. When, you know, you kind of go in, you're working as a pen tester, what's the things that are, you know, the, the worst or the, the things that when you see them, you're like, "Ugh, you know, I'm going to, got some work ahead of me here tonight?" You know, or today, whenever it may be.

Jenny Radcliffe: So, I mean, you know, one of the problems is is that there's often a lot of security in place in a facility, but se- it only works if someone actually uses the security, which sounds crazy. But like, for example, I've seen very secure doors held open with fire extinguishers. I mean, I've seen that in just the last couple of weeks. Or doors that are fitted badly, you know, so you've got, like, a really ultra strong door, but it's kind of like it, it, it's not fitted so well, uh-

Garrett O'Hara: Okay.

Jenny Radcliffe: ... so that you can kind of get something in between. You can get a tool in between and kind of push the lock through. Seen doors that y- you know, and windows that aren't really closed. I mean, there's, I think I've got on my, on my Instagram feed, but I've got a photograph of a window with a sticker on it saying, "This window cannot be opened," and it's o- you know, I mean, it's open. So, I mean, the first thing is, is-

Garrett O'Hara: [laughs]

Jenny Radcliffe: ... you know, badly fitted or equipment, doors, windows, you know, safety, security p- measures that are not fitted properly or broken or, or, or humans have bypassed it.

And I mean, and that's the other thing. In any building or any facility, what you'll have is, you know a core contingent of human beings, you know. You're in the meet space at this point and th- those humans will find the quickest, simplest ways around whatever security is in place, with no mal intent at all, just for convenience. And so, when we sort of look at someone within reconnaissance, I really only need to look at what the people who are legitimately supposed to be there are doing to get around things, to really find out how to, how to get in.

And you have numerous, numerous occasions where the front of a building has been like a fortress. I'm thinking of one place particularly in London where it was just you know scanning and cameras and security guards. And that, I mean, and that's the thing. If there's a human person, I've got to talk to kind of get in and sign in and be escorted around th- that, that's a good measure.

But no, but hopeless, because we went 'round to the back of the building, and there's this whole delivery bay. It was a huge, big office building, so you know, we've got our coffee shops and canteens and cleaners and sort of gardeners, you know, maintenance people in and around that put all these expensive office plants that they had.

But none of them went in through the front door. Right? Everybody goes in through the, like, service entrance, which is not at all watched or particularly difficult to get into.

And literally just picked up a box from, from a skip 'round the corner, just picked up a box and just stood there. And of course, people just, oh, they just let me in because, you know, your staff, right, so you're not going to be required to sign in and be shown around.

So, I think it's, it, it's, it's, the, the e- the ones that are most often is equipment that doesn't work, equipment that's broken or badly fitted measures that are ignored or just idiotic things like having, you know, the, the most secure entrance and then, like, a, a completely open service entrance. And I mean, those are things that, that we see most often and most stupidly, I suppose. So, security only works if you use it-

Garrett O'Hara: Mm-hmm [affirmative].

Jenny Radcliffe: ... and you use it properly. What, what presents a challenge is a human asking the questions, a human scanning people going in and just the opposite of all those things, if people stick to procedure, if the doors are locked, if the padlocks are locked. And we have been on, I've seen doors where the padlock's there but open, where the combination locks have the combination written next to it.

Um, you know, if people stick to the things that they've already got, that makes life harder, because somebody somewhere will have designed some security most of the time. But it's no good unless you use it, you know, so-

Garrett O'Hara: Yeah. Definitely get that. What are the [inaudible 00:11:29] right? I've seen, I've seen videos posted on LinkedIn, some of the stuff that's online where, like, it may or may not be true. Right? I'm not a pen tester, but it seems logical. You know, there's the, the famous one of the, the person who walks up to the glass kind of office doors, and they've got the automatic sensor, and they just blow, I think it's a vapor cigarette through the little gap between the doors. It hits you know-

Jenny Radcliffe: Uh no. Vapor wouldn't work. It's a, it's an infrared, but w- but-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... most of the time what you're looking at is an infrared sensor. An infrared sensor, if you break it, will open it, mostly for safety reasons, if they think there's smoke. Right? But people blow, vapor wouldn't work. Actual smoke might work. But what works very well is all you've got to do is break the beam.

Garrett O'Hara: Mm-hmm [affirmative].

Jenny Radcliffe: So, j- if you ever have those do you know when you've got to clean your keyboard, and it's like a can of compressed air? I've probably got one-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... right on my desk, probably, or you should have one 'round. They come with like, a little plastic straw, usually so they, so that you basically angle in the air to clean the dust from your keyboard. Something like that if you put it through. And again, the doors, if they're fitted properly, they shouldn't close a- and it should be quite difficult to do, maybe not impossible-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... but they should fit very tightly. But fairly often, they're just not, and there's a gap. And if you can put that compressed air, as long as you break the beam, the door'll, the door will open if it's an infrared beam. Harder to do with vape smoke, but, but possible.

Garrett O'Hara: Yeah. And are, are there any that you see, maybe in movies or, or even online these days, where you sort of think, "Well, yeah, it looks cool, but it's not the reality of the job?" You know, it's like, it's exciting, but that's not practical. You know any of those kind of-

Jenny Radcliffe: I would say, yeah, yeah, I mean, maybe, so, yeah, what we try and avoid is breaking things. [laughs]

Garrett O'Hara: Yeah. Okay.

Jenny Radcliffe: [crosstalk 00:13:18] avoid sort of explosions and, and anything that really is, is, is a noisy entry, unless we are-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... deliberately trying to distract. So I do, I have smoke bombs with me a lot of the time. As a good way of just getting everybody to dash to one area, smoke's a really good way. You wouldn't do it inside a buil- this is the thing. I've said this before, and I think people were just incredulous.

First of all, there's a couple of things. We're paid to do this. Right? Someone's asked us to do this, so in that, at that point, things like first responders, emergency services, would be aware of the fact that during this particular time, and I might even se- you know, text the team in the office to say, "Right. We're going ahead with it now." So that there's not, like, a, an emergency response. We don't want to waste people's time. But, like, with a smoke bomb-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... all they're used for in the UK, anyway, really, is for, is for chimneys. Right? So, you, you put a smoke bomb in the chimney and just see if the chimney's clear.

But if you light one of those, it really just gives off a tremendous amount of smoke [laughs] which, if you put in a bin, you know, near, not on a building, someone will notice it fairly quickly and start running towards it.

And any security that you've got also play a role in kind of you know, sort of watching for the general peace and quiet of a site. Now, obviously, a, a bin on fire isn't peace and quiet. And they'll run to it, and we've used that more than once just to get past, like, for example a security guard watching CCTV.

So, there was one that we had two security guards just sitting there all day, just watching a bank of CCTV, and we just couldn't. Like, we n- we saw one guy always went and did something else. I mean, I could tell you what he used to do. [laughs]

But there was this one guy. He was very k- like, the two security guards, and one of them was a lollipop man. And so, at the same time every day, he left his security post for, like, not even half an hour, maybe 15 minutes, just to cross all the kids from the school across the road with, you know, with a, with a lollipop, right, leaving one guy.

And we thought, "Well, what we need to do is we need to get..." I'm not going to try and bypass your CCTV, right, because that's a technical thing, and I'm not going to do that. All we need to do is get this guy away from the CCTV just for that 15 minutes, just for even a minute during that 15 minutes that the other guy is seeing the kids [laughs] is seeing the k- I'm just laughing [inaudible 00:15:41] remember thinking about this and plotting it out in the hotel with the team.

Um, we just need to get him away just for a couple of minutes. Then we'll just run past. Right? And then, and then once we're on site, we're on site. It won't matter so much. But we just needed... So we wait for the guy to go with the lollipop to see the kids across the road [laughs] and then [inaudible 00:16:00] I'm just going to say hiya to Team Member R, who'll, who'll probably listen to this, actually.

Garrett O'Hara: [laughs]

Jenny Radcliffe: [inaudible 00:16:06] so they just lit this [laughs] this smoke bomb for a chimney, threw it in the, in the litter bin on the other side of the site, and just went. And I'm waiting and waiting and waiting and waiting. And then all, and then sure enough [inaudible 00:16:18] like, oh, my God, the bin's on fire. Guy runs away. We just, and that's how I just got onto the general premises.

Now, after that, you know, they're still watching CCTV inside the premises. There's a chance that they're going to see me. But, like, I'm only going to be about 20 minutes on site. I knew exactly where I was going.

Garrett O'Hara: Yeah.

Jenny Radcliffe: You know, it's a huge site. And by the time he kind of sees me, and I'm avoiding it wherever possible, time he sees me and runs to me, I'll probably be, be gone. But we needed him away. So, you know, when I see Hollywood things where... We actually have clauses in the contract that says, "We will [laughs] endeavor to use our best efforts not to use destructive means." So-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... in other words, I'm not going to break a door. I'm not going to blow a door up. I mean, you just don't use explosions and things the way that it's done in movies. But most of the time it's funny, because people say that there are people who I work with who say it's not very, what they do isn't very much, isn't very dramatic.

But I think because I don't use tech, A, there's an element of theater to what we do, because you have to think of these big schemes sometimes to get past, because I can't just shut the computer down or whatever. And B, some of it is quite dramatic, really.

Garrett O'Hara: Yeah. Definitely [inaudible 00:17:32]. I, you know, as you're telling that story, the thing that's in my head is like, how is the security guy doing [inaudible 00:17:38] as a lollipop manager in the day, you know? Sort of a, was it a corporate social responsibility thing or like [laughs] what was-

Jenny Radcliffe: [crosstalk 00:17:43] I think he was just, I don't think that, it was a kind of quite a, it was quite a specific place. I can't really say what, what, what the, what the-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... facility was. But it was in a small little town, and I don't think it was even an official capacity. I just think it's like, it's 15 minutes. There's another guy there. Just sort of well, we, he did it all the time. It was like, we surveyed them for quite a while before we moved on them. He did it all the time.

So, I think it was just unofficially somebody m- you know, one or the other of them just helped the kids across the road, because that's what nice people do, and someone was required, and it probably saved the school, I don't know, from hiring a lollipop man. I don't know.

Garrett O'Hara: Yeah.

Jenny Radcliffe: I don't know if it was an official thing at all, but that's [inaudible 00:18:29] see and, and, and you don't want to be the person that stops that, but we-

Garrett O'Hara: Yeah. Definitely.

Jenny Radcliffe: ... [crosstalk 00:18:36] the art of the possible for our clients.

Garrett O'Hara: And I suppose that-

Jenny Radcliffe: [crosstalk 00:18:41].

Garrett O'Hara: ... and that's the, the thing. Like, I'm, I'm guessing your, your mindset and how you're h- how you're approaching that stuff is, like, what's happening, kind of what's possible, and thinking kind of dynamically? I, I sort of [laughs] came off the call last time and weirdly ended up watching Red Dragon. I think it was within, like, a day or two of our conversation.

Jenny Radcliffe: [laughs]

Garrett O'Hara: And I don't know if you've seen that movie, right, but you know, it's-

Jenny Radcliffe: Years ago. Years and years ago.

Garrett O'Hara: So, yeah. Like, e- Ed Norton is the, you know, the detective, gets in the head of, you know, serial killers, is able to, like, think like them, and is kind of uncomfortable about that, you know, attribute of himself, but it makes him really good at his job. And there's a bit where Hannibal Lecter actually socially engineers his location from, you know, the police department using, like, standard stuff, you know, sort of pressure and you know, all of that stuff, the, the cult of authority.

But I was thinking about, funny, thinking about you, not that you're a serial killer, obviously, but more so the Ed Norton character-

Jenny Radcliffe: [laughs]

Garrett O'Hara: ... and that idea that, you know, do you, do you, when you're on a job, have to sort of put yourself in a mindset of somebody who's, you know, an attacker? And, and how does that work for you? Is it just a natural talent? Or is there things that you've had to notice and learn as you've gone along?

Jenny Radcliffe: I think some of it's natural, and it's not and, and, and it, it, and that, and that side of it is quite is, isn't [inaudible 00:20:01]. I think I always, I always did come at things in a different way of thinking-

Garrett O'Hara: Mm.

Jenny Radcliffe: ... than a lot of people did, and I think that would've come out [laughs] you know, in some way, shape, or form, even without years of hanging out with, you know, if you like, dubious characters and, and, and sort of coming into this job.

Um, and I can give you an example. I mean, I mean, I, you know, I definitely am now, you know, with years of experience, I definitely look at, look at places with an attack perspective. But, you know, I can give you an example.

There was an there was a high security location inside a facility, a high security facility that the job was to see if you could get into. And I had a team to get me over the perimeter, over an internal perimeter. So we had an outer, an outer fence, and then an internal perimeter measure [inaudible 00:20:51] that was to get me into the facility. Once I was into the facility, though, I was on my own.

And the idea was to get to this very secure inner sanctum. Once I was through the door of that, that would be it. Th- Th- They would consider themselves breached, and I would, I had a letter to say, "This is the end of a, a, of a security test." Basically said that I wouldn't be probably forcibly restrained, at best once I was inside.

Uh, and you know, i- it took a bit of time, and it took some effort, but we got, but I got all the way up to the outer door. And there was a, a guy there who, who I had he, he'd been for his lunch, actually. And he had his lunch in one hand, and he had, like, something else in another hand. I don't know what it was, maybe a file or his phone or I c- I don't know what it was. [inaudible 00:21:49] it would've been a phone inside the facility [inaudible 00:21:51]. So his hands are pretty full, and he stops-

Garrett O'Hara: Mm.

Jenny Radcliffe: ... [inaudible 00:21:55] to kind of grab his pass and put his pass and then put the number in three factor on the doors. And I got all the way up, and he almost let me in, so I almost talked my way in. And remember, all I have to do is get through the door. I just need to put a foot in to be on that door, and they're breached. Right?

Um, and he almost let me in, and he was just kind of wavering a little bit. And, like, it's that [inaudible 00:22:20] you know, I knew I could get him. And then his, but his colleague was there and said, "No. You know, you're, we're not supposed to... No. I don't think we're supposed to let anyone in and, oh, you need to just check your pass again." Or something like that. She said something to me that stopped it.

Now, what happened was, I called it at that point, but I know how I'd have got past. Like, so if I would've been a criminal, I would've I'd have kneed him in the groin, and as he'd have doubled down, I'd have grabbed his pass.

And he'd already put the first two numbers of that entry code in. There was only one more number. The pad, I could sort of see was cleaner on three keys than on the rest, and it's details like that that you see in the moment. So he'd already put, let's say it was one, two, three. It wasn't, but let's say it's one, two, three. He'd already put one, two, and the only other n- key that was clean was the three. So I had a fairly good chance of knowing it was just one button.

So if I'd have been a criminal, I'd have kneed him in the groin at best, grabbed his pass, done that, pressed the three and the foot would've been through. Now, that client considered that a breach, because they knew how close I'd gotten there, and they said pretty much that would've worked.

But, like, a normal view of that situation probably wouldn't have thought, "Well, I'll just injure the guy to get in." But that's what a criminal would've done. And I did not plan that but in the moment. That's immediately what I thought of, that I'd just grab, grab it. I mean, he's going to go down like a ton of bricks. I'm going to grab his pass, touch the three, and we'll be in.

So tactical adaptation and thinking about things like that is, is a criminal, is an attack perspective that I don't see in everyone.

Garrett O'Hara: And, and, and part of that would be, you know, like your ability to read people, right, so that, you know, the micro expressions, whatever, like a sixth sense for what's going through somebody's mind and stuff like that. And you sort of talked about it a little bit and, you know, you did the research. I've, I've heard you speaking about growing up in Liverpool and some of the, the shenanigans back there.

Jenny Radcliffe: Mm-hmm [affirmative].

Garrett O'Hara: And I, you know, I'm inferring that that was a, you know, I'd say kind of a working class environment, and, you know, sometimes that comes with various types of anxiety. You know, there's, there's a sort of people, lovely people, but also there's, you know, there's things that are threatening in those environments. I grew up in Dublin, so I kind of, I get that.

And I think, is there something around that anxiety leading into, like, I, I call it hyperaware, but an ability to, to really pay attention to, like, what, what's happening in an environment? Do you think that's kind of fed into your ability or your, your sixth sense for, you know, in that moment, kind of being able to say, "Oh, and that guy's thinking this, or I can get him?" Or how do you think that plays out?

Jenny Radcliffe: [laughs] Yeah. I, I, I think, you know, it's, it's, I'm not saying it's the only environment that, that can breed, you know, that type of thinking, but I, I think, I mean, for example, you know, I've got members of my family who went to some very expensive boarding schools from when they were, like, six who've-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... similar instincts about whether people are-

Garrett O'Hara: Really?

Jenny Radcliffe: ... hostile or not, because you know, from a young age, they were kind of looking out for themselves to a certain extent. I'm not talking about cliches, but just to a certain extent.

But, yeah. I think, I th- I think that, you know, what happens in your early years, how much independence you have, and how much kind of you have to watch your own back, probably feeds in a lot to observations of people and of groups of people, and recognizing hostility.

Uh, and, like, we recognize things like w- like I'd always isolate an alpha, male or female, within a group and, and, and sort of if it's a group exercise that we've, we've got to kind of get information from, from within that or, or it's some sort of infiltration covert work, then I'd always look at that. And, and I think knowing that the person who's the loudest or the person who seems to be in charge isn't always the person who seems to be in charge.

Um, a lot of that is, is informed by that environment I had growing up. And in fact, with reading nonverbal signals and particularly facial expressions, individuals who grew up in abusive environments, I'm not saying my, my environment was abusive, but I'm just saying j- it's just on the same kind of flavor as this, tend to be very good at reading expressions, because it's, it's part of a survival mechanism.

Um, even even with lie detection, you know, the basic population tends to only be able to pick out a lie half the time, so no better than chance, really. Studies or meta studies by, by academics like [DePaulo 00:26:58] would point to that.

But h- criminals in h- in maximum security facilities tend to be able to pick out lies and deception much quicker, and that's obviously because it's linked to their s- immediate survival.

So, yeah. Th- There's a certain amount of nurture, I think, involved in sharpening someone's reflexes and senses to that type of o- of thing. Yeah. For sure.

Garrett O'Hara: How does that t- translate, then, as, because you work internationally, right, and, and sort of have done for some time. But, like, i- in my mind, excuse me, there are those cultural differences and expressions and, and what people will express or not express. And that, that's part of their nurture.

As you kind of go overseas, how do you prepare yourself for arriving in a country where, you know, maybe the expressions that you would've grown up with in Liverpool don't translate, or they're different, or w- how do you approach that?

Jenny Radcliffe: Well, so in terms of, well, there's two things. Th- There's a lot there. So from a, so our, our, our nonverbals, when we're analyzing nonverbal communication, we don't call it body language in the trade, because that's, like, not really body language really.

Garrett O'Hara: Mm.

Jenny Radcliffe: We, we talk about gait and gesture, so they're only kind of really one part of it, and posture and things. So you analyze people in two ways, really in terms of in terms of of, of nonverbal comms.

First is as an individual, we all have individual quirks and baselines. Right? Some people have certain ways they move. We all have certain ways we move our faces. Not some people. Everyone has certain ways they move their face.

We have a baseline of normal behavior that we can what we would do is we'd attempt to get that baseline. So we'd talk to someone about something they've, is not stressful, they've no reason to lie. The traffic, the, the game, you know, the weather.

Um, and then you see how someone is normally when they're not stressed or deceptive, and then you just look for a change in that. And it's the change that is the potential key, although there's no Pinocchio's nose. We can't just read someone and say, "This means they're a serial killer."

But on the other hand, there are universal expressions, down to the fact that we are homo sapiens. Right? So th- like, it's the m- it's literally looking at the human anatomy, particularly the facial anatomy and the psychophysiology of what any human does. Well, their universal more or less, and they're the same.

So, like, someone from, you know, Asia, say, parts of Asia, and someone from South America, who by a lot of cultural measurements, in quotation marks, will be opposite ends of certain scales, so, like, things like attitude to hierarchy and that type of thing when an emotional event happens in the brain, their micro expression will be the same, because they're all, we're all human.

So in, in some ways, it's wonderful, because like, under our skin, we're all exactly the same. And it's that that we read. So I'll read a human. What does a human body do und- under stress conditions? What chemicals are produced under emotional conditions? How do people typically react? And then how is that h- and then contextually and individually, how does that person react?

And that means it's very, it's a very granular and complicated process that we go through, which is why we're, A, expensive, and B, pretty exclusive in what we do. From a cultural point of view so that's, like, the human point of view.

From a cultural point of view, because we go to that granular level of detail, what we're really going to do is make some informed assumptions about what things mean within that culture. So is this a culture that accepts and takes on board something like confrontation?

So a culture like Mediterranean cultures wouldn't shy from an argument, but it very rarely explodes into actual physical confrontation, whereas a lot of the time in somewhere like the UK, particularly, you know, Britain, England, we might shy away from, like, public confrontation, because it's just not something, alth- although again, it depends where you are and the context. But people might back down more readily, is the point.

I remember I actually was in Ireland once, and I, and I said, "There are lots of things about being human that makes us you know, easy to exploit." And I said, you know, "Irish people tend to be very helpful."

So what I find is as a Scouser, as someone from Liverpool going over to Ireland, whether that's Northern Ireland or over into, into Southern Ireland into Dublin, first of all, I'm welcomed like I'm family, and secondly, people would do anything to help you, like, to the extent of, you know, oh, oh, I'll come and pick you up later, because, like, the taxis might not be working, or you might get lost. You know, just lovely, friendly people.

But of course, that, that tendency to helpfulness can be something that's exploited, because you know, if you're not if, if you're someone with mal intent, then you can capitalize on the fact that someone'll talk a lot and help you out and tell you how things operate. That was put in the paper in Ireland as Irish people are nice, so therefore, they're stupid, or something like that, by the journalists, which is not what I meant at all.

Garrett O'Hara: W- W- We did at one point have our little we were in the dictionary, weren't we, Oxford Dictionary when you looked up Irish, it literally [laughs] ver- until very recently had had stupid, I think, in today's society, that is not acceptable, so-

Jenny Radcliffe: [crosstalk 00:32:13] what it said about Scousers as well.

Garrett O'Hara: [laughs]

Jenny Radcliffe: You know, I-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... [crosstalk 00:32:17] think one of the reasons that I was o- like s- accepted so much in Ireland was because Liverpool is seen as fairly close to Ireland, both geographically and in culture.

Garrett O'Hara: Yeah.

Jenny Radcliffe: But I don't think it's that at all. I just think it's friend, it, it's just friendly people. And so, you know, I d- it, it's, it's, it's, you could say the same of people from, say, Sheffield or [inaudible 00:32:36] internationally.

I did a lot of work in Taiwan, and Taiwanese people are exactly the same. Taiwanese people are some of the nicest people I've ever worked with in my life, and they're the friendliest people, would just do anything for you. So when I, when someone asks me the friendliest people I've ever come across, people from Sheffield and people from Taiwan, bizarrely.

Garrett O'Hara: Yeah.

Jenny Radcliffe: That is true.

Garrett O'Hara: Or Irish people after seven pints of Guinness. They tend to be pretty nice. [laughs]

Jenny Radcliffe: [crosstalk 00:33:02] Irish people [inaudible 00:33:02] but not the way n- nothing like the, you know... There are a lot of cultures [inaudible 00:33:04] a lot of places that'd do anything for you, but I've never seen anything like you know, Taiwan, Sheffield, Ireland.

And then in the UK, all the kind of, the big river cities that, that, that were decimated in the '80s by, by various government policies, so Glasgow, Newcastle, Belfast, Liverpool, all have that kind of... and Sheffield [inaudible 00:33:26] it's sort of, it's what you were saying before, isn't it? That it's a working class thing, I guess.

Garrett O'Hara: I think it is. Yeah. My dad it's funny, my, my tie to Liverpool is my dad stowed away in a, a boat out of Dublin and arrived over the Liverpool. So he got to, he got to be there for a little while when he was, he was a young lad, so-

Jenny Radcliffe: Awesome. [laughs]

Garrett O'Hara: ... there you go. And here, here's a question for you, maybe a two parter, actually. So y- you, you're talking about that your ability, and maybe partly sixth sense and partly trainable to, to kind of read people and, you know, the cultural cues, the human, you know, sort of homo sapiens baseline stuff.

Is, is that something that, if you're aware of it, you can not do? So, like, for example, you as a, you know, as a, an expert in this field, are you somebody who, because you're aware of it, you, you, you can control those things so somebody couldn't socially engineer you or, or hack you?

Jenny Radcliffe: Well, that's two different things. So the first question is, can you switch it off and not see it? So what I do when I teach people [laughs] I always say, "Right, so I'm about to teach you a little bit about reading nonverbals. Once, once I tell you this, you'll never unsee it. Right? So just be warned."

Now, that doesn't mean that you see every single thing and that we're always paying that level of attention. To pay that amount, it's a sort of acute attention focused watching, focused listening, is, is very exhausting mentally, and we don't do it all the time.

But if I teach you, like, so for an example, the micro ex- expression for disgust involves the number nine, which is the wrinkling of the nose, and it pulls the upper lip back. So if you think of a food you hate, right now, everyone listening, think of a food you hate. So I, I can't bear canned tuna fish, right, because I was sick with it once, and so you don't like it.

So if I think of canned tu- tuna fish, I'll wrinkle my nose, number nine, and my lip goes up, often accompanied by the vocalization, "Ugh." Right? And this is the thing, because what the body's doing is it's opening up your air passage a little bit so you can take in more oxygen to lessen the smell of something that we don't like. So it's a, it, it's a, a biological response to something we find repulsive. Right? An object [laughs] or person that we find repulsive, often accompanied by a bad smell.

Well, the thing is, that's quite an easy one to spot. Now I've told you that, if you now say to your significant other the next time you cook, "How's the lasagna, dear?" And you see the nose wrinkle and the lip go back, you've seen it now, and you're going to go, "My God. Was that disgust?"

Now, that could be disgust at anything. They could be disgusted they might've just remembered something someone said or, you know, it might be that they got, you know, they got near the bin or something, and the bin smelled bad. But you will always [laughs] you will notice it once you know that that's what that means. And so what we teach, really, is acute observation-

Garrett O'Hara: Mm.

Jenny Radcliffe: ... focus and what that may be connected to. But the, the point being, and it's like with open source intelligence, all you're doing at that point is collecting data. We cannot fit a story around the data we collect, however much we like, we would like to do that.

So so the first answer is, I will always see it. I might see it sometimes more readily than other times. It'll depend on the person, depend on their face and how expressive their face is, how well I know them how relaxed, how tired I am, if I've had a few drinks. It depends on so many things whether I can see it and n- you know, how clearly I can see it.

Um, but can I stop it? Well, to an extent, because I know what makes a good lie, and I know, you know, spent a lot of time detecting deception, to a certain extent, yes, I can. But I can't stop my biology, and I can't stop the... So if I s- so if someone opens a can of... See, I even did it then, just thinking about-

Garrett O'Hara: [laughs]

Jenny Radcliffe: ... if someone opens a can of tuna fish anywhere near me, my nose is going to wrinkle. And, and how we know it's true is it's fleeting and it'll disappear quite quickly. If I pull it for any length of time, it's a macro, and it's deliberate.

So the subconscious, it's not subconscious. It's opaque to consciousness. Your consciousness isn't aware of you making those expressions, but you'll make them anyway. Very hard to suppress.

Much more effective than our words, because we can lie very easily with our words. You know, I can tell you that it's midnight here in the UK, and I've just played tennis, but my body and my face is going to tell you the truth if it's a, a strong enough emotional reaction.

Garrett O'Hara: Do you watch the TV show Would I Lie to You? Because I, I, I'd imagine your, your-

Jenny Radcliffe: [laughs]

Garrett O'Hara: ... hit rate on that must be hilariously high.

Jenny Radcliffe: I'll tell you something right now. I'm not allowed to watch that show in this house. So my family there was actually [laughs] a family intervention, and they said they quite liked the show and they just said, "Well, you're, you're boring."

Garrett O'Hara: [laughs]

Jenny Radcliffe: Honestly, and, and they just said, "Y- You're just insufferable when the show is on." Because I-

Garrett O'Hara: There you go.

Jenny Radcliffe: ... can tell sometimes when the, when the other side knows whether or not it's the truth or a lie, and it's just sort of balance across the things. And of course, there's times I'll call it out, and it would be wrong. And I'd be like, "That's not wrong, because X, X, X. Oh, okay. Because it's TV. Right." And I've done TV myself a little bit, and, and, and it's just for a good show. But I've been banned. My whole family have banned me from watching it. They won't watch it with me.

Garrett O'Hara: There you go. Have you ever been socially engineered? Has anyone ever got to, got your-

Jenny Radcliffe: I mean, yeah. I mean, I mean, the w- the example I always give is one time, there was the guy, his wife was pregnant. And he ran up to me in a conference and said, "Oh, she's just rang me and the phone cuts out. Can I borrow your phone?" [inaudible 00:38:55] yeah. And then he just took a photograph of himself saying, "I socially engineered Jenny Radcliffe's phone," and put it on the social, you know. He doesn't sleep too, too peacefully anymore, I have to say.

Garrett O'Hara: [laughs]

Jenny Radcliffe: But I think more to the point, I've been socially engineered by people, but it's, it's also by people in the industry who, to a certain extent, it's not really social engineering, but there's a lot of people in this industry who, who are not really what they say they are.

And particularly in social engineering, though, it sounds like a sexy job. It sounds like a fun job. It also sounds like something that, you know, at an amateur level, it's quite easy to replicate. And I suppose what I've done, what I will count as social engineering is helping people get started in, you know, in, in the arena and then realizing that they were really only in it for attention or, or, you know, just to-

Garrett O'Hara: Mm.

Jenny Radcliffe: ... you know, or, or if, have such a, such a vastly exaggerated CV. And it c- of course the truth comes out when, when they're on a job or when you're asked three or four questions. So they're not really social engineers. They're social media engineers. And there's a few people that, in the beginning, I believed in and, and, and then kind of realized fairly quickly that it was all BS. So, so to me, that, that would be, that is social engineering, but it's not what we would term social engineering. It's just deception, really.

Garrett O'Hara: Yeah.

Jenny Radcliffe: And not very skilled, but this is the world we're in now. You know?

Garrett O'Hara: Yeah. So almost like manipulation or something like that, really. Yeah.

Jenny Radcliffe: Just plagiarism, just [inaudible 00:40:23] plagiarism.

Garrett O'Hara: Yeah.

Jenny Radcliffe: You have to spend a lot of time devoted to looking into somebody and what they put out as content sometimes to really [inaudible 00:40:29] people can be very skilled. Like, like, one of the things I will say is being sly is not being clever. Right? People can be very-

Garrett O'Hara: Mm.

Jenny Radcliffe: ... skilled at you know, doing things that are deceptive and projecting themselves in a v- in a certain way, but that doesn't make them clever. It just makes them sly. And, and, yeah. Once you do put, you know, some thought and some time to it, and you can see it very clearly. And I see, and I see that.

And the thing is that, in any other industry, that wouldn't be such a big deal, would it? But this is security. People can lose money and peace of mind and identity very quickly, and ultimately actually be injured physically or worse if we give bad security advice, so we shouldn't really pretend that we know what we don't.

Garrett O'Hara: Yeah. Big things at stake. Um.

Jenny Radcliffe: And if you can fool me for a while, you're going to fool the masses, because my job and my life has been spotting people who do it, you know, so-

Garrett O'Hara: I get you. That's pretty heavy [laughs] pretty heavy to, to think about. But I mean tho- you know, those people exist. That's the, that's the reality of the world. Right?

Jenny Radcliffe: And the job's heavy, Garrett. I mean, that's the thing.

Garrett O'Hara: Yeah.

Jenny Radcliffe: The job's heavy. That m- I mean, it sounds, because, like, this, it's so, it sounds like so much fun, you know. It's like like w- like you spoke about Darknet Diaries. I was talking about, oh, you know, tell us a time when w- you know, when, when, you know, you foo- you fooled somebody into giving them your PIN number or you got into an office.

And all that sounds like great fun, but what you forget is, like, what goes with job well is, as well is surveillance operations, fairly dangerous situations, meaningful assignments that, you know, you can't even talk about that might prevent genuinely, you know, serious injury, sometimes to, to really quite a lot of people.

I mean, the job I was talking about w- with the guy with his lunch that I would've kneed in the groin and everything else, like, that was considered a breach of, of, of a very, very serious place, which, which none of us can afford to ever be breached.

Garrett O'Hara: Mm-hmm [affirmative].

Jenny Radcliffe: So you know, it, it, it's, it's a, sometimes the job is heavier, I think, than people give it credit for, you know.

Garrett O'Hara: Yeah. It's, it's funny how we can listen to those stories, you know, and I did, and they're highly entertaining, but you somehow can disconnect the, the gravity of what's at stake from the, the, air quotes, adventure of the description of what's happening. And I think you're a natural storyteller as well, you know, so I think that, you know, that partly lends to it you know, the, the, the descriptions of-

Jenny Radcliffe: [crosstalk 00:42:54] things [crosstalk 00:42:54].

Garrett O'Hara: [laughs] There you go. It's time in pubs that I honestly reckon-

Jenny Radcliffe: [laughs]

Garrett O'Hara: ... the training you get sitting in a bar or sitting in a pub at home, just trying to make people laugh, telling stories it just gets ingrained in you, you know. So, and you, and I think you appreciate it also when you hear good storytelling. There's something, yeah, just lovely about that and kind of resonates.

I've got a couple of last questions and, and they're around how you use emotions. And this is something I've heard you talk about like, emotions to trigger things. And you, you've sort of alluded to some of that already.

But I'd love to get a, a, get your thoughts on, you know, as you kind of engage with a person w- how do you figure out, okay, you know, as you're, as you're getting the kind of measure of them, what, like, what are the triggers?

What are the buckets that are going to, you know, are going to work for this particular type of person or, or individual? Like, what's, how's that work? Without giving too much away, obviously. [laughs]

Jenny Radcliffe: So, so I, I there are, there are seven meta emotions according to an academic called Paul Ekman. Right? So you've got disgust, fear, sadness, contempt, anger, surprise, and happiness. Right? So they're your b- they're your meta seven. And then everything else human experience tends to come underneath all of them. So I'm Ekman trained, so I'm always going to tell you that. Right? There's other academics who say different things.

Um, and at any, at, at various points, you can bring up one of those emotions in a mark or in another person. Right? So what you're looking for is, does someone have a tendency towards tho- one of those more than the other?

Um, and obviously, most of them are quite negative int- do you know what I mean? There's only really happiness that's a positive emotion. [laughs] All the others... surprise sometimes is. But all of the other emotions kind of are not really that that positive. Well, happiness, fortunately, is a massive sort of drag factor for all the other negative ones.

And what you're really looking for is that baseline, again. You're looking to see what someone's really gen- generally like. So is this a serious individual, or is this someone who's quite lighthearted, you know?

And, and, and there's a lot that would, would feed into that, so age, status, background, economics. There's lots of things. And then the situation that you're in. So it's, it's different for everyone. It, it's situationally different.

What we'd try w- what I would try and establish is for the team and and then we'd use, would be, what's the situation we're looking for? What do we need that person to respond to particularly? What are their go to emotions in certain certain scenarios that we give?

So, like, if someone, so if you have some s- do you ever have, like, someone who's just, do you ever have a boss who's just an angry individual, is just angry all the time? That's just their base-

Garrett O'Hara: Yeah.

Jenny Radcliffe: ... like, state? Well, then we'd say, "Okay. So that's a person who's angry all the time. And, and, and so do we use that? Or do we shy away from that? Because they're always like that. It might be hard to provoke it and to kick out the logic, you know, raise the emotion, kick the logic out."

So we just so, so you know, and then you just, once you establish what those are and what the triggers are, there are universal triggers for all emotions. So the universal trigger for... So even though this individual thinks, "There's things that make me angry that w- that won't make you angry." Right?

So, so you know, someone mentions they buy a certain newspaper in the UK. That makes me angry because I'm a Scouser and because they said horrible things about a disaster that happened in a soccer match years ago [inaudible 00:46:15] by The Sun. Right? That might not make someone else angry. They might not care about that.

So, but there are universal ang- angry triggers as well, and the universal trigger for anger is r- blocking someone's access to an object or goal. So if you can imagine even a baby, if you hold a s- milk in front of, a bottle of milk, and then just knock its hands away, first time, it's sad [inaudible 00:46:37] but if it keeps reaching, you keep knocking the hands away, eventually, that baby even will get angry.

So when an adult just, like, blocks someone's intention, blocks someone's route, and they tend to get angry. So everyone gets angry for that, but people get angry for different things.

So what we have to do to provoke an emotion is understand what the trigger emotionally is cognitively is for that emotion, and you can make that person exhibit that emotion. Now, how long it lasts and how ferocious it is, how potent it is, depends entirely on the context and the person and experience and all sorts of things. But you can pretty much guarantee that you'll make someone angry if you block their, their barrier.

Garrett O'Hara: [crosstalk 00:47:14].

Jenny Radcliffe: [crosstalk 00:47:14] example I give. I'll tell you an example. We used it in a phishing email [laughs] on this business. And what they said is, "We want as many people as possible to click on the email, right, and to click on the link." And the link was a monitoring link to send to their tech team. It wasn't malicious.

So we sent this email. This email was great. And it said "As you were informed yesterday at 10:00, well, in two minutes' time the wifi system will go down. If you have not logged on to the backup wifi, please do so now. Click on the link. Otherwise, you will lose all of the work that you've done in the last 24 hours, including emails and documents you've worked upon, which will not be saved locally on your computer or on the server. If you have any questions about this or any concerns, call this number." Right?

We sent that out at, like, 9:58 to 270 people. By 9:59 [laughs] like, 250 odd people had clicked on the link, but nearly all of them were also trying to get through to the number, the phone number that we had given them, to complain that they hadn't had the first email, that they hadn't had enough notice, that this was inconvenient, that this was badly planned, and because we'd just blocked what they were doing.

Um, and the ones that didn't do it, there were a few of them outside with, talking to me outside [laughs] and others that were, like, off prem. But you know, the way that we know-

Garrett O'Hara: [crosstalk 00:48:42].

Jenny Radcliffe: ... that that's going to annoy people, by telling them that this, you know, you're in the middle of something. You're going to lose it, you see. And of course, they clicked on the link.

Garrett O'Hara: [inaudible 00:48:48].

Jenny Radcliffe: [inaudible 00:48:48] didn't lose anything. It didn't clear anything. They were fine. But it did make [crosstalk 00:48:53].

Garrett O'Hara: I heard a similar one in the US where the, and, and, and now it kind of makes more sense why it worked, where they had said it was on the way into Thanksgiving, and the email was something along the lines of, "Hey, we've had issues with the leave system and unfortunately, any leave that has been put in has been canceled. You know, you need to reapply for leave. And if it's not done by close of business today, we'll assume that, you know, you're going to work through Thanksgiving."

And similar thing, you know. Th- That, in, in the context of what you just said, the response rates were huge and that, that sort of makes makes a lot of sense.

Jenny Radcliffe: [inaudible 00:49:27].

Garrett O'Hara: We're, we're we're h- we're about to hit time here. I, I did want to just check in and see, like, what are you up to? You've obviously got your own pod. We'll include links to that in the show notes. But, like, what else is going on for you these days? Anywhere you're, you're talking or anything going on that you want to let us know about?

Jenny Radcliffe: Yeah. Yeah. So I obviously, Human Factor Security Podcast is just interviewing people in the industry and, and related industries. And we've got a sort of a, a little bit of a flawed insight on that at the moment. But we, you know, that's a show that's been going for four years. We don't really take sponsorship or anything like that. It's just, it's just meant to be for the community.

We've also got Bsides Liverpool coming up 24th of September, Bsides Liverpool, which is obviously a not for profit little hacker community thing, very small. We were canceled 2020 because of COVID, but, like, so th- we will livestream that, and that's at the, um done at the Albert Dock in Liverpool [inaudible 00:50:24] the Maritime Museum at the Albert Dock in Liverpool, so [inaudible 00:50:27].

I host a show on a Tuesday, a live talk show called TeissTalk every Tuesday, which is all for CISOs and, yeah, just we, we tend to put a news item, which at the moment seems to be ransomware almost every week and talk about that. And so that, that's live.

Uh, we also have I'm doing lots and lots of kinds of talks and work conferences and, and speaking. But I, I guess the bigger news is that we are putting together, as a company a big curriculum of advanced social engineering training which we're hoping to have ready by the winter of 2021 and will be on the website, which is humanfactorsecurity.co.uk.

And if you follow me either on social media or on that website, you should be able to see to be trained to be able to see how we can train you in some of these skills if you pass our, we we do have quite strict interviews before we start training people [laughs] how to do some of this stuff, as you can imagine. But we're, yeah, [inaudible 00:51:27] public trainings ready in winter of this year.

Garrett O'Hara: And that's northern hemisphere winter for, for our Australian listeners-

Jenny Radcliffe: Yeah.

Garrett O'Hara: ... for, for clarity.

Jenny Radcliffe: Indeed.

Garrett O'Hara: Brilliant. Jenny, absolute pleasure to have you on the show. Really enjoyed the conversation.

Jenny Radcliffe: [crosstalk 00:51:42].

Garrett O'Hara: Just f- phenomenal.

Jenny Radcliffe: Thanks for having me. I've spoke with you guys at Mimecast off and on for years. You're friends. It's my pleasure.

Garrett O'Hara: Brilliant. Well, thanks for having th- thanks for taking the time and yeah. We'll hopefully have you on again soon.

Jenny Radcliffe: Thank you.

Garrett O'Hara: Huge thanks to Jenny for that highly entertaining conversation. What a great storyteller. As always, thank you for listening to the Get Cyber Resilient Podcast. Jump into our back catalog of episodes and like, subscribe, and leave us a review. For now, stay safe, and I look forward to catching you on the next episode.

