The Defense Department announced Wednesday it would allow trusted hackers to test its systems as part of a "hack the Pentagon" program, and computer security expert John McAfee says if he wanted to, he could get inside in about a month.
"You want to find the weakest link," McAfee says, in a phone interview with Tech Insider. "You're in and out, and you have everything."
To be clear, the Pentagon's challenge to hackers — which would require them to go through a background check and work only on certain systems — is a test to see if any vulnerabilities exist in the military's public-facing websites. What's not clear is whether those hackers will be allowed to physically go to the Pentagon building just outside downtown Washington, D.C.
If McAfee were to give it a try, that's precisely where he'd start.
"I would exclusively use social engineering," McAfee wrote in an email on Wednesday. "I would most likely use an 'audit authorization letter' on [Department of Defense] letterhead."
Good hackers don't always need to use sophisticated software tools or programming to gain access to a computer network or user account. In many cases, they just need a phone, or they can travel to a target's location and fake their way through questioning. This method of persuading people who are prone to trusting others is called social engineering.
At 70 years old, McAfee is among the "old school" hackers who worked on computers in the 1960s and '70s, long before they were mainstream and miniaturized. After programming stints with NASA, Xerox, Lockheed, and others, he became a multi-millionaire once he sold his shares in McAfee Associates, the world's first antivirus software company, which he founded.
And that's about where his back story goes off the rails, as the software legend later moved to Belize, surrounded himself with guns and drugs, and then fled after being suspected as a "person of interest" in the murder of one of his neighbors. (He denied any involvement and fled, thinking the government of Belize wanted to kill him.)
McAfee is known for his paranoia — he's still creating software designed to thwart spying and once told Men's Journal the Sinaloa cartel was likely tracking his movements. "You'd be paranoid if you've lived through what I lived through," he told the magazine.
And yet, despite all this, his technical credentials are pretty well-established. He's like an eccentric movie star who says bombastic things. No matter how weird they might sound, you still know they can make a great flick. "This man is batshit crazy," one redditor recently wrote. "Undeniably brilliant, but batshit crazy."
McAfee's now back in the US and running for president on the Libertarian ticket. But most recently, he made headlines when he said he'd help the FBI decrypt the iPhone used by the San Bernardino shooter, free of charge.
And this is where I catch up with him, wondering how he might approach a hacking challenge posed by the US military.
'This technique seldom fails'
For his con, the eccentric antivirus software founder says he would type up an official-looking letter on Defense Department letterhead explaining to his target that he was there for a security audit, which he calls "the number one technique" for getting into high-security government agencies.
"This technique seldom fails," he wrote in an email.
He gives me a scenario: Let's say I'm a low-level soldier working in a Pentagon data center. In walks a person in a suit and tie leading a team of people who are clean-shaven, well-spoken, and have frowns on their faces. Then they pull out the letter.
"The last thing on your mind is going to be 'Can I see your credentials?'" Because what credentials [am I] going to have?" McAfee says, mentioning that he might pull out a fake ID. "[We] are going to have this letter and say 'Call the general.'"
He adds: "The people you hand this letter to are terrorized. Why? Because they know they fucked up. They know that they have problems. They know that they have flaws in the system."
Basically, McAfee says, he's head-faking his military target with a surprise inspection, which could be pulled off if his team has a plausible story and looks and acts confident enough.
But even if he were challenged at this point — let's say a suspicious soldier calls the phone number on the letter to verify McAfee's story — he's got a plan.
"If they do call the number, it's even worse," McAfee says, because the number is being answered by other social engineers who are trained to support the team inside. "The operator says, 'Yes, this is extraordinarily important. Tell them they're late and they better get [the audit report] in now. You have no idea how pissed off the general is.'"
'You identify the weakest link'
Before McAfee and his team of social engineers walk through the Pentagon's doors, they will have done about three or four weeks of research, he says.
"You identify the weakest link," McAfee says. He explains that the improvisation that happens while social engineering your way into a secure facility would be based on about a month of studying what's happening there beforehand.
He might do physical reconnaissance with telephoto lenses to snap photos of people's badges as they come and go. Those badges could later be counterfeited. Names of important people can be researched through public sources, or by calling the military's own phone operators.
"If they give you a name, you're in already because the security is totally fucked up from a social engineering standpoint."
Scamming his way through security
Sure, you've got this letter, you look legitimate, and you've scared the pants off a soldier. But first things first, I ask: How do you get through the main security into the building?
"That's trivial. We all know that's trivial," McAfee says. "You can always get into any fucking secure facility, all you've gotta do is watch it long enough."
He gives me another scenario. This time, McAfee tells me about a close friend who was hired by a major power company to try to break into its data center. (He doesn't offer specifics, so the story can't be verified — though most companies that hire hackers to do penetration testing don't want to talk about their security flaws anyway.)
"[My friend] noticed that every Thursday, the gardeners came in a whole line of pickup trucks, filled with lawnmowers and leaf blowers and all kinds of gear," he says. "But only the first truck in line had the paperwork."
In other words, they figured out that in a convoy of trucks, only the first one had to go through security. So the team made fake uniforms, bought a beat-up truck, and filled it with similar gear — then jumped into line with the other trucks.
"Now the gardeners, they know something is weird, but it's not their job to turn them in," McAfee says. "They're just there to clean the grounds and get the hell out."
Once inside the gate, they stripped off the uniforms to reveal suits underneath, then social engineered their way into the facility to a locked door for the data center — not much of a challenge for most hackers who make a hobby out of lock-picking.
"They make their report to the executives of the power utility, and they don't believe it's happened until they actually see the photographs," McAfee says. "Social engineering is this easy."
So does John McAfee's plan to social engineer his way into the Pentagon hold up? The strategy seems plausible and has been used to break into other facilities in the past. When asked whether it's possible to sneak in, a senior military officer who has worked at the Pentagon told Tech Insider: "I'd like to say no, but you and I both know it could be done ... if [you are] committed and determined to do so."
I guess we'll have to wait at least until April — when the "hack the Pentagon" program starts — to see if it might work. That is, if the Pentagon gives McAfee a call.
"It may sound simplistic, but that's what social engineering is," McAfee says. "If it's complex, you're doing it wrong."