After all the big breaches reported last year, Real Future's Kevin Roose wanted to see how well he would fare in a personal pen-test. Issuing such a “hack me” challenge is rarely wise as New York University Professor and PandoDaily editor Adam Penenberg found out a few years ago after asking TrustWave to hack him if it could. Roose posted a video showing “what happens when you dare expert hackers to hack you” and the resulting pwnage was not pretty.
When Roose asked to be hacked, social engineering pro Chris Hadnagy replied, “may God have mercy on you ;)”. Roose said he is a “pretty privacy-conscious guy” and believed he had good security hygiene, but “HumanHacker” Hadnagy, for example, pulled up Roose’s home address by zooming into a tweeted photo of Roose’s dog and grabbing his address off the dog’s tag.
And the vishing pulled off by social engineering specialist Jessica Clark was especially impressive: she called an unnamed cell phone provider and tricked it into handing over Roose’s email address. Before she called, spoofing his phone number, she started a YouTube video of a baby wailing in the background and pretended to be his non-existent wife. The call starts at 2:29 in the video, and by 2:59 she had his email address.
Roose also asked Dan Tentler, pentester and founder of the Phobos Group, to hack him. Although Roose promised himself he would be “extra-careful while the hackers were targeting” him, he fell for a phishing scheme. Tentler registered a domain name that was one letter off from Roose’s website host and sent an email allegedly from the host’s security team. After Roose clicked on the link to supposedly install a security certificate on his site, Tentler’s shell owned him.
Roose said he was first shown a series of fake pop-up boxes that looked like legitimate OS X dialogs, so he entered his admin password. Tentler used a keylogger to capture the master password for Roose’s 1Password manager and then used the Dropcam credentials stored there to “spy” on Roose’s house via his own security system. Additionally, Tentler installed a program that used Roose’s webcam to snap photos every two minutes. At one point, Roose said, a “robotic monotone” coming from his laptop told him “you look bored.”
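The lure that caught Roose was a sender domain one letter off from his real hosting provider. The following is an added example, not code from the article or from any of the people it describes, showing the kind of check a mail gateway or a personal filter can run on the sender’s domain before the link is ever clicked: it flags domains within one edit (insertion, deletion, substitution or adjacent swap) of a trusted domain, collapses a few eye-fooling character sequences first, and also catches a trusted name reused as a leading label. The trusted domain list, the homoglyph table and the sample addresses are all constructed for illustration.

```python
# Added example (not from the article): flag sender domains that are "one letter off"
# from a domain we trust. The trusted list, the homoglyph table and the sample
# addresses below are constructed for illustration.

TRUSTED_DOMAINS = {"examplehost.com", "mail.examplehost.com"}  # constructed

# A few substitutions that fool the eye; a production table would be far longer.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalize(s: str) -> str:
    """Collapse common look-alike sequences so 'exarnple' compares as 'example'."""
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1 (so 'hots' vs 'host' is 1, not 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete
                          d[i][j - 1] + 1,          # insert
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'user@dom' or 'Name <user@dom>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        raise ValueError(f"no '@' in address: {address!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> dict:
    """Return {'domain', 'verdict', 'closest', 'distance'}; verdict is one of
    'trusted', 'lookalike' or 'unrelated'."""
    domain = sender_domain(address)
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted", "closest": domain, "distance": 0}
    # A trusted name used as a *leading* label (trusted.com.example.net) is a lure too;
    # a genuine subdomain would end with ".trusted.com" instead.
    for t in trusted:
        if domain.startswith(t + "."):
            return {"domain": domain, "verdict": "lookalike", "closest": t, "distance": 0}
    norm = normalize(domain)
    closest = min(trusted, key=lambda t: edit_distance(norm, normalize(t)))
    dist = edit_distance(norm, normalize(closest))
    verdict = "lookalike" if dist <= max_distance else "unrelated"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": dist}


if __name__ == "__main__":
    # Constructed sample senders: one genuine, three lures, one unrelated.
    for sender in ["security@examplehost.com",
                   "Security Team <security@examp1ehost.com>",
                   "security@examplehots.com",
                   "security@examplehost.com.example.net",
                   "friend@gmail.com"]:
        print(f"{sender:45} -> {classify_sender(sender)}")
```

A “lookalike” verdict should not silently drop the message; it is a reason to quarantine it or to warn the recipient that the domain is close to, but not the same as, one they trust. The edit-distance threshold of 1 is deliberately tight; widening it catches more lures at the cost of more false positives on unrelated short domains.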
Later, when explaining the hack, Tentler told Roose:
“It’s ridiculous,” Dan said. “I have control of your digital life in its entirety. I have all your credentials. I have all your access to all your financial information, all your work information, all your personal information. I can pay people with your bank account or your Amex account.”
For all intents and purposes, he said, “I am you.”
“I could have left you homeless and penniless,” he said.
If that’s not bad enough, all of this was revealed to Roose at DefCon, where he had every reason to feel a bit paranoid anyway, surrounded as he was by digital ninjas normally cloaked in cyber-ether. Although he reportedly wanted to toss his laptop into the ocean and go hide on a deserted island, security and privacy pro Morgan Marquis-Boire injected some sanity into the situation by pointing out that Roose would not normally be interesting enough to be targeted by such skilled hackers.
“Do you worry about trained martial artists beating you up on the street?” asked Marquis-Boire.
Roose admitted that he was not too worried about being attacked by ninjas on the street.
“But you’re aware that they exist,” Marquis-Boire said. “You’re also aware that you probably couldn’t do anything about it if one of them wanted to beat you up in the street.”
I highly recommend watching the video, whether for amusement or for a reminder that good things rarely come to those who ask to be hacked. On the serious side though, people are always the weak link. As Verizon said in its 2015 DBIR, “Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns.”
Regular Jane and Joe Public may not issue challenges to be hacked or need to worry about the newest strain of “CEO fraud,” aka Business Email Compromise (BEC), that was reported by KnowBe4 – a company so confident its security awareness training works that it will “pay your ransom if you get hit with ransomware while you are a customer.” Yet Jane and Joe could be employees, the weak end-user links to be targeted and exploited via BEC spear phishing attacks.
Over the last year there’s been a huge increase in BEC, according to a new report by PhishLabs, and “no security tool or training regimen will prevent” people from falling for phishing attacks – the toehold Tentler used in pwning Roose. Even if employees are extra cautious and wise about phishing, what about falling for vishing? You could be as security-wise about social engineering as possible, but if a company with which you do business isn’t, then that’s all it takes for an attacker to own you.