The Exciting World Of A Shapeshifting Pirate Queen and Nomad
Cybersecurity consultant Sarka Pekarova discusses her social engineering alter ego, as well as social engineering techniques
–Di Freeze, Managing Editor
Northport, N.Y. – Nov. 11, 2019
If you know of her but have never met Sarka Pekarova, security consultant for Dreamlab Technologies, you might wonder why people know her as simply Sarka, or even more often, as “The Pirate Queen.” First, she says that she “just loves pirates,” but there’s more to the explanation.
“I believe it’s important for social engineering purposes to disassociate your personality with your life’s experiences — and who you are and the way you think — and become someone else,” she says. “So, when I created my social engineering alter ego, I knew I wanted to be Grace O’Malley, a real pirate queen from 16th century Ireland.”
And so Sarka became “The Pirate Queen.” However, not everyone relates to that alter ego. Her Twitter profile is evidence of that. The hand-drawn image of her shows her emerging from beneath a furry creature. “The artist contacted me to say he saw me as Nahual, a Mexican shapeshifter that can turn into any animal. The drawing is just incredible. And that person had no idea about the work I do, so I like that he saw me as a shapeshifter — which is, in a way, important in social engineering.”
Although she currently lives in Switzerland, where Dreamlab Technologies is based, she’s lived in so many places that she feels “more like a nomad.” “I don’t really have roots anywhere. 127.0.0.1 is my home.”
Taking time away from her busy schedule, she talks about her very first “hack,” at the age of 8, which was to manipulate her blood glucose meter. “I needed better results,” she explained. “I was not great at taking care of my health at the time. So, I figured out when and how the meter scans the blood, and what makes it give better results, and then I figured a window of 9 seconds, when I could manipulate the results and how.”
Her next step towards her current role was courtesy of her father, who would bring home his work laptop when she was 14. “He always says I was pretty much stuck to the laptop ever since he brought it home. I was very curious. It was another world for me — a new, exciting world!”
At school, whenever anyone was looking for her, they knew right where to search. “My friends would always find me in the little room with four machines with public access to the internet, discovering all kinds of corners of the internet and the local school network.”
She took computer classes, but they didn’t instantly lead anywhere. “Due to issues I would rather not comment on, I was unable to continue and graduate from those. And yes, the mindset at the time was not favorable, but in the end, I just simply wanted to prove others wrong — and I did!”
As we know, she did eventually find her way back to IT. She said she started small — as IT support. “But I knew that cybersecurity was what I wanted to do, so I worked my way up, little by little, by working hard.”
After that IT support role, she worked as a technical support engineer for Fortinet. Then she received an offer from Apple to work as a technical support engineer for them. “I wanted to work in security, so I rejected the offer. About three weeks later, I got an offer to be the first SOC engineer for a new SOC for British railways. I knew I was on the right path to what I wanted to do.”
Looking back, she doesn’t believe she had to overcome any obstacles on her career path due to her gender, but she did encounter issues with some “unprofessional individuals.” “It was nothing I could not deal with, because at the end of a day, it is all about skills and knowledge,” she said.
She describes her role as a security consultant to Dreamlab as amazingly varied and versatile. “I finally found a place where I can fully use my potential. I do audit/pentesting, consulting, I teach, I am supported to speak all over the world as well, and I am just starting a very exciting research project I wanted to do for a very long time. I get to work on building our products that help whole countries and governments.”
A frequent speaker on social engineering, she explains that it began as the social science of mass manipulation. “A good example would be Cambridge Analytica; it is about how whole nations or groups are being manipulated, and it is very fascinating to watch in the modern world. But social engineering in cybersecurity is manipulation of people into actions that are not in their interest. It could be in the form of letting someone inside your company physically or clicking on a link in a phishing email to divulge sensitive information.”
She says that in her case, she focuses more on physical intrusions. “I like to see the world, including cybersecurity, holistically. So, it is not just the machines we use, the programs and tools, the ones and zeros, but it is also humans, their behavior and policies and processes they follow at their workplace. It becomes full circle with the social engineering, as social science that does impact human behavior and decisions.”
Her experience has shown her that companies that get tested, care about their online presence and the security of their systems, have the right company culture, and take time to raise awareness among their people are unbreakable. “They are breaking the ‘humans are the weakest link’ absurdity. They trust in their people and help protect them by deploying complementary security controls.”
When asked to share some techniques behind her social engineering attacks, she says, “How much time do we have?” It’s obviously a subject she loves to discuss. “For me, since I see it as a holistic approach, I use psychology, facial expressions and body language, both to assess and read my targets, and to use for myself to make them do actions they should not do.”
She definitely enjoys sharing with companies how they can protect themselves from cyber “pirates” and increase awareness of social engineering techniques. “It is continuous work. First, they have to do that first step that many are afraid of and allow me inside to see their human vulnerabilities. But together, we can work on defying their current security posture, and work on a plan to strengthen their people, processes and technology. There is no one magic solution, but I’ve seen best results with companies I’ve worked with over time, with a layered approach, tailored to them and their needs to protect their employees as well as their crown jewels.”
Her enthusiasm is contagious, and she says she’s living the dream. “Right now, I am sitting in my office and one of my colleagues is playing guitar and singing in an impromptu little concert for us!”
She also can’t contain her excitement about speaking at a UNODC (United Nations Office on Drugs and Crime) event, which occurred in early November. “They train for cyber-affiliated government personnel, responsible for investigations into high tech crime/cybercrime, online child sexual exploitation, drugs, firearms or terrorism. That is incredible for me to be able to help on this scale!”
Are there skills or personality traits that make her excel at what she does? “I learn fast,” she says. “I enjoy stressful situations, and I am pretty versatile in my skills and interests. Also, I have sort of a sixth sense that plays a role in my social engineering skills.”
She advises those wanting to get involved with cybersecurity to define what they want to achieve. “I strongly believe that if you know what you want and you set your goals, you can always achieve it with enough time and effort. The resources are out there.”
She also believes strongly in the importance of mentors. “I always had a network of very, very smart people I could reach out to, and grow, thanks to them. Now with my new work and people we have at Dreamlab, my network grew substantially, and I am very thankful for that. I mentor people too, but I firmly believe in giving advice or direction rather than holding anyone’s hand.”
Her network includes people she met through InfoSec Hoppers, which she co-founded; OWASP Manchester, where she served as a board member for a year; and people she met as ambassador for BSides Cairo and BSides Athens. She is also actively involved in the Paris DEFCON group DC11331, which she co-created. “We have an amazing little hacker family in Paris, with very smart and curious people, and we are trying to cultivate it in the French way, of course. We do a mix of talks and workshops, and just have fun. We are always looking for speakers, if any of the readers would be interested!”
She has talked publicly about “hacker mental health” and shares what helps her: Kendo, meditating and floating. “When I started to work from home, I realized I was isolating myself a lot. I am a lone wolf, but this seemed to have been impacting me. So, I did what I wanted to do for a very long time: I joined a local dojo and became Kendoka. Now, moving to a new country, I found a new dojo here. I keep practicing. I love the Japanese culture in general, but Kendo is not only good as physical activity, but it is also about respect, fair fight, breathing and posture. I strongly believe in maintaining a healthy mind and body, so meditation or floating is part of what I try to do for my mind to keep it balanced and resilient.”