The Penetration Tester Who Your Boss Hires to Hack Your Email

Photo: Benjamin Howell/Getty Images/iStockphoto

Leon Johnson, 38
Penetration Tester at Rapid7
Oakland, CA

I am a penetration tester — a.k.a. hacker, white-hat hacker, whatever you want to call it. A good-guy hacker, quote, unquote. A bad guy would be a black hat. They adopted those terms from Western movies, I assume.

My company uses data analytics to help cybersecurity and IT pros understand what’s happening on their networks. We started really focused on cybersecurity products and services — from pen testing (like I do), to incident detection and response, to vulnerability management — but over the past two or three years have moved increasingly into servicing IT operations as well.

The analogy I often use to describe what I do is to talk about myself as a professional burglar. You just bought some type of security system for your house and you want to know if it works, so you’re hiring me to come break into your house. When we’re talking about corporations, it gets larger than a house. It becomes a neighborhood, or even a city. And what I do is, I use a tool that just goes and checks the front door of every house. And it makes a report that says, hey these front doors are open on these houses.

I’ve done penetration tests from mom-and-pop shops up to Fortune 100 companies. You would know 75 percent of the companies I have tested. I’ve tested media, broadcasting companies, hospitals, gaming companies, small and large restaurants, credit bureaus, financial institutions — literally anyone who cares about their security, which is becoming more and more all-encompassing these days, as people are becoming more concerned about breaches and being compromised.

Essentially, what I’m usually doing is trying to break into something. At Rapid7, we don’t really try to define that — I could be breaking into a mobile application; I could be physically trying to break into a building. I could be sending phishing emails, trying to compromise a company, making cold calls to try to gain sensitive information from a call center, or just trying to break into a website externally or internally.

Sometimes, it’s as simple as, hey we’re a big company, we have a lot of money, and we spent all this money on securing our stuff. We want to see if you can break into it. Do whatever you want and write us a report, and we’re going to pay for a month of time, and we’re in these locations in these countries. Those are the best types of assessments because there are no limits.

And then there’s the alternative, where you have a company that handles PCI or HIPAA information, which basically means they have credit-card information and private patient information. And there are regulatory entities that make sure they’re taking care of the information they need to be taking care of. So then they reach out to a company like us and say, hey, I have these requirements, what can you do to help? And we can say, well, we can offer you a pen test. And they’ll say, Okay, what does that look like, because we’re scared; we don’t want you to take our infrastructure down. So we work out the details of what we’re willing to do. Sometimes, their requests are somewhat unrealistic: Can you test us but, like, don’t hack any of our sites? That doesn’t really work for us.

Sometimes, I travel. Sometimes, I work from home. When I work from home, I make up my own hours. Since it’s project-oriented, it doesn’t matter, as long as the work gets done.

All that’s needed to do this job, literally, is just a laptop. The last house I had, back in Texas, I had four monitors set up, and I had a $6,000 computer that I used for cracking passwords. But even though I had that rig and an ergonomic chair, most of the time, I would take my laptop and sit on the couch and watch TV while I was hacking.

I’m using a MacBook Pro. It’s probably about a year old, maybe two years. I ordered it custom with the most memory they had. I think my next laptop is going to be a gaming PC, just because I don’t like the way Mac’s going with their dongles. It’s getting ridiculous.

Now, we’re all in the cloud. I can create cloud-based instances, and I hop to those computers — and I hack from those computers, and so all I’m using my laptop for is a jump box. I have probably about five operating systems on my computer. I have OS X. I have probably, like, three Windows machines. And I have a bunch of Unix instances. I usually hack from Unix.

The hours vary as well because sometimes the client makes me stop. They only want testing between these hours and these hours. If the client does not make me stop, my girlfriend will have to make me stop, because I will go until late. Most people who do what I do tend to love it. We don’t know for sure if there’s a way to break into whatever we’re breaking into; but once we do, it’s hard to put it down. What happens, inevitably, is you start making way, and the next thing you know it’s 2 in the morning.

We have a lot of resources. We have about 30 guys on our team right now. We’re all basically in a chat room talking. Like, hey, how do I do this? And they write some code to do this thing I’m stuck on. So we’re usually just shooting jokes back and forth, but also figuring out, hey, can someone break this thing for me?

There are certain types of assessments that require you to go on-site. For instance, if you want to assess your wireless infrastructure, you have to be on-site. Physical assessments — meaning we’re testing the infrastructure, or you want us to see if we can breach your building — we have to go on-site to do that, clearly.

One assessment I had last year was an internal, a physical, and a wireless assessment. It required me to go to Australia. The company had their hands in a lot of things, but I think their primary business might be insurance.

A physical assessment is kind of open-ended. It means I can break into rooms and do what I need to do to get the information from a physical standpoint. They’re not going to yell at me if I walk into someone’s office and steal their laptop. They didn’t have a specific goal in mind. They just wanted to see what I could get.

I had to be on-site on Monday. So Sunday, I decided to go take a look at their office building and see what I was dealing with. The building’s closed. I’m just kind of casing the joint. It’s in a highly touristy area, so I don’t look out of place at all. I’m walking around and a person walks out of the building, so I just walk in after him. They don’t question me.

The elevator doesn’t work because it requires a badge. I go into the staircase to see if I can go upstairs. I prop the door open, so I’m not locked in. I walk up to the ninth floor, which is where the office is located. I try to get out, and it’s locked. So I fire up my laptop, and I see if I can see their wireless access point from the stairway, and I can. So I document that, but you know I look kind of suspicious sitting in the stairway with a laptop, so I go back down. As I get down, there’s a guy on the elevator going up, so I just jump on the elevator with him. He doesn’t question me, and I hit the button for the ninth floor. I get out, and again I can’t get into their offices because it’s locked, but I get an idea what it looks like.

As soon as you get off the elevator, the receptionist can see you. There aren’t a lot of places to hide. So I’m just getting a feel of the land. I leave that building, and I go to the building next door, and it’s really, really close. I see that there’s a floor that’s empty, as in there’s no office, and it’s rather close to the floor that I’m testing, but it’s locked. So I’m like, okay. I’m just making mental notes.

Monday comes and I go back to the building next door, and below the empty office, there’s a lawyer’s office. So I walk in and say, hey, I’m with the building and I’m testing some of the connections, the signal strength of certain things, can I borrow your office? And they’re like, yeah go ahead — which, obviously, if I were doing an assessment against the lawyer’s office, they would have failed. Basically, I start seeing if I can see their signal and I can, but I don’t want to sit in this guy’s office for too long because eventually he’ll get suspicious. I go to the floor above it, and the empty floor is unlocked now. So I walk in there and tuck myself in a corner and fire up my laptop, and I start watching the wireless signals that are going across the air. And I start attacking the wireless signals. Eventually, I get enough information that I’m able to form an attack and hack into their wireless.

So now I have access to anybody who’s using the wireless. They’re all going through me. I can see everything they’re doing. I’m getting their passwords; I’m getting their emails; I’m getting whatever I want from that person that’s using the wireless network.

Sometimes, it makes you nervous because you’re doing something that’s somewhat illegal. Your heart starts racing. I’ve hacked a major sports league, and a Fortune 500 company that caused me to lead a team of guys that went to ten different countries. I hacked a major credit bureau, and police departments. I’ve hacked cities and created scenarios to essentially simulate a terrorist attack. I hacked an airport after they just had a security assessment that told them they were unhackable. I’ve done assessments for banks before. I’ve done nuclear power plants. And I’ve always been slightly like, man, what if they have like a shoot-first policy? If I do get caught, I’m just like, all right, here’s my get-out-of-jail-free card saying call this person. He’ll vouch for me that I’m supposed to be doing this.

A lot of thought goes into what to wear in these situations. It’s called pretexting. Guys on our team will go to Goodwill and buy like a Coca-Cola shirt or some kind of vendor clothing, just so they can show up and pretend to be that vendor, and say, oh, yeah, I’m here to change … And they let them into areas they’re not supposed to be in. When I tested the bank, I showed up in a suit. The guy who tested the power plant, he went and bought himself a hard hat and, like, a lunch pail. When the gate guard was deciding whether to let him in, they started bonding over the thermos he brought. Like, You got that thermos? My wife bought me that thermos! I’ve got the same one. And he’s like, all right, I’ll let you in.

My girlfriend’s always yelling at me because we’ll go somewhere, and we’re standing in a hallway, and there’s a door that says, “Do not enter,” and the first thing I do is test the door. Wherever I go, I see vulnerabilities. I see people walking away from their workstations. I see weak passwords. I see people logging into their computers, using the same password for multiple things; I just kind of shake my head, like, ugh, you’re lucky I’m not attacking you. That’s a bad thing to do, man.

The salary is amazing. I earn over $100,000, with bonuses. People constantly hit me up on LinkedIn for jobs that pay about $150,000. I think the highest pen tester I’ve seen is probably like $180,000. I get hit up literally every day with job offers. Security’s become a hot commodity, and there aren’t a lot of people who have the experience to touch on all these different areas.

I feel like I’m going to be a pen tester for quite a long time. My endgame or my retirement plan is to teach. Just have, like, a class somewhere at some university, and teach them how to do hacking and the stuff that worked when I was around, and the ideas behind it. I really do love it.

The Tester Who Your Boss Hires to Hack Your Email