A coffee with… Jenny Radcliffe, people hacker
For years, Jenny Radcliffe has been paid to break into buildings. Sometimes as a sole operator, at others with a small crew, she will persuade, influence, manipulate and deceive her way into a range of different properties to break into systems, steal data or for financial gain.
As a physical penetration tester — ‘pentester’ — she then explains to her clients how she manages to do this, to prevent malicious actors from carrying out similar attacks.
In her book, People Hacker: Confessions of a Burglar for Hire, and on the conference circuit, the fifty-year-old confesses to breaking into banks, offices, government organisations and theme parks (she had to lie down on the floor of a ghost train once, to avoid detection).
When TI caught up with Bootle-born Radcliffe at DTX Europe last month, her focus appeared to pivot more towards AI and the digital side of security, although she claims that most attacks tend to be a blended mix of physical and digital.
What’s your zone of genius?
It’s what it says on the tin. I hack people. The thing I’ve always been good at is getting people to trust what I say, convince people, replicate an attack and then, without making people feel bad about the experience, explaining why they are making mistakes and what they can do to improve.
What’s your biggest success so far?
I can’t talk about individual clients, but I’ve prevented things from happening that would have been very serious… I suppose the thing that makes me most happy is when someone has said they enjoyed the exercise and have then applied some of the learning.
On a personal note, this weekend I’m speaking in Liverpool at the literary festival at my old university being interviewed by the professor who taught me for my first [English language and literature] degree. And it’s like a big homecoming.
Biggest failure?
I think we fail every day. When you get older you sort of accept that there are certain things that are not down to you. And it’s quite egotistical to imagine that they are. I suppose in the beginning I could blow things out of proportion when I made a mistake, now it is rare that I do that.
What percentage of physical pentesters are women?
Oh, I have no idea what the stats are. I’ve worked with plenty of women over the years and I’ve chosen to. People don’t expect a female attacker and people underestimate that a woman could be malicious, which as we know is insane!
Over the last year or so you’ve been talking more about AI and the digital side of pentesting. Why?
AI is something we can’t ignore, and technology is always incorporated into what I do in some way. People like to hear stories about the physical pentesting side of what I do because it’s exciting but there’s always been the digital side. There’s a social engineering side to most phishing emails. But in the last year — the last six months even — the focus on what AI can do is exponentially huge so it’s become more of a focus.
Will AI take over the need for physical pentesters?
I’ve yet to see AI replace what a physical social engineer can do. People are just the most unpredictable entity that you will ever come across. Stock responses and feeding off exponential learning from a machine is never going to be as intuitive as a human.
For instance, the things we feed off isn’t so much the responses that humans give us, but the absence of a response. You can read so much in what we call ‘response latency’; the things that someone avoids saying can be valuable data. That can be hard to teach a human; I’m not sure we can even articulate that well for a machine to learn.
During DTX Europe you highlighted the recent MGM Resorts hack in Las Vegas, where the attackers allegedly gained access by going on LinkedIn, finding a number for someone who worked on the helpdesk then giving them a call: an attack that was both physical and digital…
One report said that company lost millions through a ten-minute conversation. But there would have been research that would have gone into it…. the bad actors will have stress tested it before they found out what works… that attack didn’t need AI. But AI is really going to help and so from the malicious side that’s really worrying.
What a lot of people don’t realise is that these are always blended attacks. That’s the way in but then it blended into a more technical attack. Social engineering these days is as much about gaining access to a target as it is anything else. We work in tandem with the cyber side. I think people see the physical and technical side as separate, but it’s always been blended.
Do you still practice physical pentesting or are you too well-known for that now?
On the security side people might know who I am, but outside of that I wouldn’t say that I was particularly well known.
[At this moment a delegate approaches Radcliffe to ask a question about her work]
You were saying….
Generally, people don’t recognise me outside of the cyber sec industry. But it’s not that, it’s the physical side of things. It’s very physically demanding; I’m getting older and sick of falling off roofs and being tasered and everything else.
The landscape is also changing; the tech is better — there are cameras everywhere; it’s more difficult to do. It’s still there, but I’ve pulled back from that personally. But I still advise clients.
Can you tell us a little-known fact about what you do?
Staff understand security training quicker than you’d imagine; there’s an industry myth and a perception that people don’t. And number two, never underestimate how evil people can be once they understand the concept of social engineering. When you ask them to come up with their own schemes, they tend to be worse than anything you could ever imagine!
For instance, I was doing an exercise set in an airport and I asked a group how they would socially engineer their way in. One lady, who had been working at the company for 45 years, just about ready to retire, volunteered that she would shoot the pilot and steal their uniform. Her first thought was to kill someone!
What do you do to relax from what must be a very stressful job?
Explain to me this concept of relaxing!
I mean what do you do in your spare time, for fun?
That’s my answer. What’s relaxing? Even if I did do something, I wouldn’t tell you what it was…