Most hackers attack software. _sn0ww hacks the real world. She's a master of disguise who carries gadgets that can secretly copy your keyfobs, she can program a mobile app to copy and mimic your phone, and she discovered our passwords without writing a single line of code.
Stephanie Carruthers, known in cybersecurity circles as _sn0ww, is one of IBM X-Force Red's best "social engineers" and is as adept at exploiting people as she is at cracking software. Her job is to discover, exploit and document loopholes in physical security systems. She never breaks the law, but she does think like a criminal in order to help companies and law enforcement agencies find physical and digital vulnerabilities.
"It's [the job of the social engineer] to think outside the filter bubble, no matter what that bubble might be. And then to find the exploits you're not even thinking about," _sn0ww explained. "If I do my job right, you'll never know you got hacked."
Watching her work is thrilling and frightening. _sn0ww is so talented that when she visited our studio at CBS News we didn't realize she was in disguise until she dramatically ripped off her wig and glasses, halfway through our interview. She then pulled a slender mechanical device from her handbag and demonstrated how, from a short distance away, she could easily scan and copy office security keys.
_sn0ww uses secret mobile applications to mimic cellphone information, like a telephone number, contact names, and other seemingly legitimate caller information. She uses this tool to establish trust and fool targets into revealing information.
"A good social engineer can easily pose as your bank or your university or any organization that has a legitimate reason to ask you personal questions," she said. "I ask a series of questions, and if the call is coming from a trusted contact most people don't think twice about sharing details."
She was able to discover our passwords by researching our work and school history on LinkedIn. Then, posing as a curious relative, she was able to find enough information to discover personal details about that seemed to be hidden from the open web but weren't. These details helped her verify personal information scraped from a data breach that contained our passwords.