Internet security expert Pete Herzog opines on the ethics behind certain types of hacking and legal ways to get past inefficient HR practices to land a job.
Ah, human resources. Don’t we all have a story about them?
HR plays a valuable role in keeping the crazies out of companies. It can be your biggest advocate, getting your resume to the right people and answering all of your stupid questions so you can get them out before the “real” interview. But the people in human resources are humans themselves. They go through decision fatigue, like our best judges. They let phenomenal candidates stay in no man’s land because of resume keyword mismatches and ridiculous job requirements. They are flooded with information and must make snap judgments, rejecting candidates for reasons that will forever be a mystery to their applicants. If they’re lucky, those applicants get a form rejection that teaches them nothing.
Being in perpetual limbo is hard on the heart. For some, there is no greater human need than to feel that one is contributing to, or acknowledged by, society. So one woman made damn sure she passed HR. The following is an interview with Pete Herzog, founder of Hacker Highschool and an expert on Internet security. He offers his opinion on the ethics behind certain types of hacking and the (completely legal) ways to get past inefficient practices designed to weed out candidates.
A hacker and his life
Eve Lampenfeld: You published a great story on LinkedIn about a woman who did this and became a huge asset to the company that hired her. Can you tell us about how she helped?
Pete Herzog: There are a significant number of companies who don’t even think about competitiveness as information that can be stolen. So the woman in the story had the skills to uncover competitive information that her colleagues in the marketing department had no idea about. She could look for the source of the information and even extract what the competitor wasn’t even aware could be viewed publicly.
In this case, it happened to be a race to be the first to market with a new line of business with a new website. But it could have been a brand makeover or the firing of an executive or even the end of a major product. All of that information will have an effect on somebody’s money, from shareholders to employee bonuses and, most of all, for competitors. So this woman was able to find out not only that their main competitor knew about the new line of business and their new website, but how long they had known and how close they were to launching their counter initiative. In the story, this seems small, but in the real situation it’s based on, there were tens of millions of dollars invested in the initiative. So the information she insinuated from their public areas helped her company to step up launch time and be the first to market.
What are some of the dumbest ways people get caught hacking, and does it happen often?
I personally don’t know anyone who has gotten caught criminally hacking. Mostly if you do get caught, it’s because you are probably picking high-profile targets with deep pockets for security while living in a western country, or you bragged about what you did, or you didn’t know that what you were doing was illegal. Criminal hacking has a lot of gray areas, and many times it’s a witch hunt to find someone who should pay for the loss, damage, inconvenience or embarrassment.
Would you recommend that every company doing market research hire a hacker? What are some specific sectors that could benefit the most from that?
Hiring a hacker is smart because you get a two-edged sword. You get the offense and the defense. A hacker can offensively get at open and public information that regular marketing people can’t because it’s obfuscated or requires some clever coding to handle timing or correlation. These are things that no commercial, automated marketing or intelligence software can or will do. Additionally, hackers can help a department configure their website to get a lot more information about visitors than web analytic software ever can.
Defensively, hackers will be able to make sure your products, services, infrastructure and human resources aren’t exposed in information leaks or aren’t open to being abused in fraud or phishing attacks.
But while marketing departments would do well to hire hackers, any industry that works with anything over networks can benefit from traditional hacker skills.
Hacker extraordinaire Pete Herzog. (LinkedIn.com photo)
Human resources screens some candidates out for important reasons, such as lack of experience. When do you think companies could benefit from candidates who are able to hack past HR, and when do you think it harms companies?
I’m torn on how to answer this. If we compare how much harm a person motivated to be employed at a particular company does by playing the HR game (with inside information, so they say and show all the right things to a company that uses resume keyword search to find capable candidates), then I think we’ll have to rethink the whole hiring process. As of this moment, I found 14,946 books on Amazon for hiring employees and 23,949 books containing “job hunting.” That tells me that there’s a lot of advice out there on the way to do it, almost all of which will be about being better prepared, whichever side of the HR hiring desk you sit on.
Whether HR hackers help or harm companies depends on the job. Realistically, a person [who] can hack their way past HR is probably at least as motivated as any other eager job candidate but comes already capable of doing in-depth research, reading people, using technology with high skill and having a high level of security awareness. Those are crucial skills in some industries and don’t really matter in others.
Some types of hacking can land people in jail. Do you recommend any alternative, legal ways to stand out as a candidate while respecting the HR structure, even with all of its flaws?
A typical “hacker” skill known as social engineering is not illegal unless you misrepresent yourself as, say, a police officer or carry fraudulent ID. During university, I worked for a chain to uncover cases of embezzlement. In some cases, the managers were aware of my role to play the up-for-whatever employee to gain the trust of my colleagues. Sometimes, though, the manager was the one under surveillance, and I needed to be straight-up hired. That meant I had to have a resume, references, the right skills and, most importantly, I had to be likable. To do this, I used social engineering, which let me redefine myself as someone trustworthy and likable. When I moved into my professional career, that skill did help me get jobs. And with time, the Internet and, later, social networks have made this easier than ever to do. But in all cases, getting hired is just one hurdle; you need to master many other skills to stay employed and climb the ladder.
In social engineering, you get to know your target. So in this process, you need to research the person who will be doing the interviews and the hiring. You craft your resume to be the person they want to meet, but never lie about your skills and experiences. You are adapting to be the person they want to hire, not misrepresenting yourself as a professional you’re not. So each resume and cover letter will need to be unique. It’s hard work, but being just another resume floating through the HR system is wasted effort. Then you use their direct contact e-mail from the information you gathered about them, even if all you can find is their personal e-mail, and you craft a friendly, personal message with your phone number and send them your resume.
Once you get the interview, you adapt yourself to like what they like and hate what they hate. Even if you’re a different gender than them, you can still copy how they dress and how they look, right down to the part in their hair if necessary. The idea is to be like them, yet make it clear you admire them for who they are, even if they aren’t happy with themselves. Maybe you need to be a little nervous about meeting them. Enthusiasm and gentle flattery are infectious and will make you more likable.
But it’s actually not as easy as it seems because it’s not straightforward. You need to really know them. You need to know when to be someone that reminds them of someone they like or admire, when to be flawed and when to drop your folder and be a little embarrassed. Then in the actual job interview, you need to be able to adapt to play to the direction that the interview goes.
It’s not unusual to spend days role-playing and rehearsing different kinds of answers and different ways to say them. You need to drill how you sit, how you stand, even which ear you talk to when you shake hands. You practice how to make and use distractions, apply stress and prompt answers you want them to say. You practice all the social engineering tricks to hijack their amygdala and essentially get in their heads.
Now I understand this seems like a lot of work just to get a job. You also might think this is a dirty, dishonest and maybe even underhanded thing to do. And I agree. But if you need to get a job, then this is how you make sure you get it. Of course, keeping it is a different effort.
But then how can companies protect themselves from people who socially engineer themselves into the job only to perform poorly?
I got an EU grant a few years ago to research trust, and we developed trust metrics to hire employees. We published a practical version … but recently we expanded it to measure vendors, partners and other third parties. Using something like this is a step toward getting the right people. However, I think there’s a bigger problem, because people, even HR professionals and seasoned managers, fall for the same tricks and fraud as everybody else.
We spent the last six years researching neuro-hacking and how people are tricked, manipulated, and defrauded. I tried to do seminars on the topic but I couldn’t get much of an audience because most people think it doesn’t happen to them. It does.
People do not think optimally. Most people run on cruise control. So the best way for a company to guard itself against bad employees is learning this kind of security awareness. It tells you how your mind works and teaches you to feel when something is wrong, because all research shows you won’t see it happening. To address that, we released new tactics in security awareness called SALT, but if you want to see it in action, here is a recent talk I did about it.
When do you think this “knowledge gathering” passes from gray area to completely unacceptable on the part of an applicant?
Pete: Again, for me, it depends on how much you need that job. Obviously, any kind of criminal activity, like hacking their home computer and watching them through their cam, is too far, very illegal and pretty creepy. However, studying pictures they post about themselves online, joining the same online communities, knowing how they value family and even which team they cheer for can help land the job. And that’s the goal, so there’s no reason to take it into creepy, stalking and blackmail territory.