Despite many major security breaches reported last year, Real Future’s Kevin Roose wished to find out how nicely he would fare in a personal pen-test. Issuing such a “hack me” challenge is never sensible as New York University Professor and PandoDaily editor Adam Penenberg found out a couple of years ago after asking TrustWave to hack him if they could. Kevin posted a video exhibiting what can occur whenever you dare professional hackers to hack you, and the ensuing pwnage was epic!
When Kevin asked to be hacked, social engineering professional Chris Hadnagy replied, “may God have mercy on you ;)”. Kevin stated he’s a “fairly privacy-conscious guy” and believed he maintained good safety precautions, however “HumanHacker” Hadnagy, for instance, pulled up Kevin’s house address by zooming right into a tweeted picture of Kevin’s dog and grabbing his address off the canine’s tag.
And the vishing (aka voice phishing) pulled off by social engineer specialist Jessica Clark was particularly spectacular as she called an unnamed cellular service provider to trick it into handing over Kevin’s e-mail address. Before she called, spoofing his phone number, she started a YouTube video of a baby crying in the background. She pretended to be his (non-existent) spouse. The call begins at 2:29 within the video and by 2:59 Jessica has his e-mail.
Kevin also requested Dan Tentler, pentester and founder of the Phobos Group, to hack him. Though Kevin promised himself he would be “extra-cautious while the hackers were focusing on” him, he fell for a phishing scheme. Dan registered a domain address that was one letter off from Kevin’s web host and sent an e-mail allegedly from the hosting company’s security staff. After Kevin clicked on the link to supposedly install a security certificate on his website, Dan’s shell owned him.
At first Kevin stated he experienced a variety of fake pop-up boxes which gave the impression to be OSX legit, so he entered his admin password. Dan used a keylogger to obtain the password for Kevin’s 1Password manager and used the Dropcam passwords to “monitor” his own home via his own personal security system. Moreover, Dan lodged a software that used Kevin’s Laptops built-in webcam to take pictures every couple of minutes. At one point, Kevin mentioned a “robotic montone” coming from his laptop saying “you look bored.”
Later, when explaining the hack, Dan informed Kevin:
“It’s ridiculous. I’ve control of your digital life in its entirety. I’ve all of your credentials. I’ve all your access to all your financial data, all your work info, all of your private info. I can pay people with your bank or your Amex account.
For all intents and purposes, I’m you.
I could have made you homeless & penniless,”
If that is not bad enough, all this was revealed to Kevin at DefCon where he surely would have been wise to be feeling a bit paranoid at any rate since he was surrounded by digital ninjas normally cloaked in cyber-ether. Although he reportedly wanted to toss his laptop into the sea and go hide on an abandoned island, privacy and security professional Morgan Marquis-Boire injected some sanity into his state of affairs by pointing out that in a normal situation, Kevin wouldn’t be interesting enough to be targeted by expert hackers.
“Do you worry about trained martial artists beating you up on the street?” asked Morgan. To which Kevin admitted that he wasn’t too worried about being attacked by ninjas on the road.
“However you are aware that they exist,” Morgan stated. “You are also aware that you probably could not do anything about it if one of them wanted to beat you up on the street.”
Regular folks might not challenge the hackers or need to fret about the latest strain of “CEO fraud,” aka Business E-mail Compromise (BEC), that was reported by KnowBe4 – an organization so confident that its security awareness coaching works that it will “pay your ransom in the event you get hit with ransomware when you are a buyer.” But regular folks may very well be employees of an organization, the weak links to be targeted and exploited through BEC spear phishing attacks.
During the last year there has been a huge upsurge in BEC, based on a new 2016 report by PhishLabs, and “no security tool or training routine will prevent” individuals from falling for phishing assaults – the toehold Dan used in pwning Kevin. Even when workers are extra cautious and clever about phishing, what about falling for vishing? You may be as security-conscious about social engineering as possible, but when an organization with which you do business is not, then that’s all it takes for an attacker to own you.
We highly recommend that you watch the video posted by Kevin, whether for entertainment or for a gentle reminder that great things hardly ever come to those that ask to be hacked.