Not everyone can sit in a meeting with hard-headed senior officials at a major defence contractor and introduce themselves as Freaky Clown. But this guy can. When you’ve broken into thousands of military and government buildings, you get a certain level of self confidence.
Freaky Clown, who calls himself FC for short, is a UK-based cybersecurity pro and co-founder of Cygenta, a security consulting company that teaches organizations how to do security properly. He has been using his handle for so long that it stuck, and now he doesn’t use anything else because he prefers to keep a low profile.
“The hacker alias started when I was a kid. But now it’s my name,” he says. “Anyway, there are some aspects of my life I do have to keep secret for the safety of my family and friends due to the work I have done in the past.” While he acknowledges that a determined investigator could track his real name down if they tried, every little helps.
He’s been hacking for as long as he has had that handle, which means 25 years or so. He began using old-school phone-phreaking equipment as a teen before graduating to an Amstrad CPC64. He effectively bought himself up, and would explore the innards of its software for hours. “That was how I survived childhood,” he says.
After leaving school and jobbing as a sysadmin, he progressed onto security and worked for penetration testing customers for a while before getting into management. Eventually he started Cygenta with his partner, Dr Jessica Barker. The company can still hack an electronic box with the best of them, but its specialty is more holistic.
“We see a lot of security companies focusing on just the technical side, just penetration testing,” he says. “No one really understands that security is made up of three areas. If any of those is not up to scratch, you’re not secure.”
A different kind of hacking
Alongside the technical, the other two faces to security are human, and physical, says FC. So his company hacks buildings, and people.
Failures in these two aspects of security have enabled FC to walk the corridors of military and other government sites, and banks, without being challenged – with armed guards nodding good morning.
That’s what he will be talking about at SecTor in October. He’ll be describing some of his exploits infiltrating buildings seen, but unnoticed. He has some amazing stories to tell, like the time that he infiltrated a government facility that had a fingerprint reader newly installed on a secure room.
He hadn’t bought the equipment he normally uses to clone fingerprints, and so he walked backwards and forwards past the reader to try and identify it. A face appeared in the door’s small window, and a woman looked at him suspiciously.
This is it, he thought. I’ve been rumbled.
The woman opened the door. “I saw you walking around out here,” she said, staring at him.
He took a deep breath.
“Would you like to come in?” she asked.
Catch me if you care
If anything, FC has to work hard to get caught. “You want the client to win. It isn’t about proving how good you are. You’re trying to help them,” he says. But he almost never gets challenged: “People don’t like confrontation, no matter what you’re doing.”
After he enters a building, his modus operandi is to achieve his goal, which might be to leave a message on someone’s desk to prove that he was there. From that point, he starts doing increasingly obvious things to get noticed, until he verges on the ridiculous.
He once spent the day having infiltrated a client’s site stealing phones and chairs from other peoples’ desks (including the chief security officer’s), and ended up building a massive office for himself down the hall. While on another job, he convinced the HR and finance departments that he was conducting a team building exercise, and persuaded them all to help him build teepees out of coats. He’ll show you a picture of that in his talk.
That’s the problem with security today, he says. People are worried about sophisticated nation-state attacks with shady operatives burning zero-day vulnerabilities to plunder secrets. “That’s almost certainly never going to happen. I’ve worked at that level, and the reality is that they try to do the simple things first.”
FC will reveal a lot more on October 2 in his talk, Security is an Illusion: How I Rob Banks. Don’t miss it.