Big companies regularly get their security posture assessed for weak links. To that end, they invite penetration testers who try to compromise the organizations’ IT infrastructure and gain access to proprietary sensitive information. This proactive strategy aims to give management an idea of what improvements can be made to better protect the company against data breaches and deter malicious attackers. Meanwhile, the notorious hacks of Ashley Madison, JPMorgan Chase, and Sony have demonstrated just how vulnerable companies can be, even with significant resources on their hands.
Should individuals care about adopting countermeasures of that sort? On the one hand, the average person is certainly an easier target for offenders. On the other, cyber perpetrators are not likely to become interested in attacking you unless you stand out from the crowd.
Kevin Roose, the news director at Fusion, set up an experiment in which he asked two renowned white hat hackers to try to retrieve his sensitive information over the course of two weeks. Mr. Roose considers himself a fairly security-savvy person, so he didn’t really think the researchers could obtain a lot of his personally identifiable data along the way. He uses two-factor authentication for accessing online accounts, takes password strength seriously and surfs the web over VPN when on insecure public wireless networks. A few conditions of the deal were as follows: the hackers were not supposed to steal money from the target’s bank accounts or disclose any private information.
The first vector of the hack was social engineering. This concept denotes an attack framework where offenders take advantage of human vulnerabilities rather than malicious code. Whereas direct impact from this activity tends to be mild, it can open a loophole for a large-scale compromise. Kevin dared Chris Hadnagy, a well-known security consultant, to try and learn some of his private data this way.
Mr. Hadnagy and his team kicked off by building a profile of the volunteer victim. They analyzed publicly available online resources and were able to easily get the email address and occupation details. A picture of Kevin’s dog that he had posted on Twitter allowed the social engineers to find out where he lived – they simply zoomed in and read the home address in fine print on the collar tag.
The fun part, however, started after the preliminary data mining was completed. Posing as the target’s girlfriend, researchers called Comcast, Time Warner Cable and the local utility company to learn whether Kevin Roose had accounts with those companies. Among other things, they managed to get hold of the victim’s Social Security number.
The apotheosis of the hack was a voice phishing (“vishing”) attempt aimed at gaining access to Roose’s account with his cell phone company. A girl working on the social engineering team called customer service, pretending to be Kevin’s wife this time – even though he’s not married. To be more persuasive, she played an audio recording of a crying baby in the background during the conversation. She told the call center agent a made-up story about how badly she needed to access her “husband’s” account in order to allegedly get some information to apply for a loan. Believe it or not, the customer service rep fell for it and provided her with full access to the account. What’s more, they let the impostor change the password.
If an actual criminal sets his or her mind on pulling off a social engineering attack like that, the damage could be enormous. Not only would real-world scoundrels be able to harvest a person’s sensitive details, but they could also use them to conduct a more serious assault like draining their victim’s bank account. All it takes is a search engine, a telephone, and some manipulative skills.
Now that it’s clear how easy it is to exploit human vulnerabilities, how about leveraging more of a technical approach to hack someone? Kevin outsourced this part of his experiment to Dan Tentler, a computer security celebrity with years of research and pentesting background. The test started with a phishing attack. Dan did a Whois lookup on Roose’s personal website and quickly figured out the hosting provider, which was Squarespace. Then, he registered a domain name that looked very similar to that of the hosting service and designed it as if it were the company’s security page.
The next phase was to send the would-be victim an email recommending that he install a security certificate. By clicking a link provided in this email, Kevin ended up on the above-mentioned fake page where he installed the certificate. He wasn’t aware at that point that it was a piece of malicious software. This harmful code ultimately enabled the hacker to get a shell on the targeted Mac. Dan could, therefore, access the machine remotely and run arbitrary commands on it.
He installed a keylogger, which is a program that records one’s keystrokes, and thus got hold of the master password for Roose’s password manager. This way, the remote attacker effectively owned all of the victim’s passwords. Consequently, he could watch the live video stream from the Dropcam system, access bank accounts, make screenshots, take pictures with the laptop’s webcam and do a lot more things furtively.
All in all, the results of Kevin Roose’s experiment were terrifying. The hackers could steal his money and identity, delete all data stored on his computer, read his emails – basically, do anything they wanted. If it were a real-world attack, the consequences could get really devastating.
Here are some tips on how not to be a moving target for cybercriminals and avoid the worst-case scenario if someone decides to hack you:
- Use multi-factor authentication.
- Steer clear of suspicious links in emails and IMs.
- Set strong passwords and change them once in a while.
- A program that watches your network traffic would come in handy because it raises some red flags when a random application attempts to establish a connection with a dubious server.
- Antivirus software isn’t very likely to safeguard you from a well-orchestrated breach, but it can add an extra layer of protection by preventing known-malicious code from being remotely executed.
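
The phishing step above relied on a domain that looked very similar to the hosting provider’s, which is something a mail filter or a careful reader can check mechanically. The following is an added example, not part of the original article: the allow-list, the sample email and every URL in it are constructed, and the thresholds are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: services the reader really uses (constructed allow-list).
TRUSTED = {"squarespace.com"}
# Digit-for-letter swaps often used to imitate a brand name.
SWAPS = str.maketrans("0135", "oles")

def registrable(host):
    """Last two labels only; a production tool should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for one link."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    name = domain.split(".")[0].translate(SWAPS)
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        # Brand embedded in the name, used as a subdomain label, or a near-miss
        # spelling (distance <= 2 suits long brand names, not short ones).
        if brand in name or brand in host.split(".") or edit_distance(name, brand) <= 2:
            return "lookalike of " + trusted
    return "unknown"

def review_email(body):
    """Map every http(s) link in a message body to its verdict."""
    return {u: classify(u) for u in re.findall(r"https?://[^\s\"'<>]+", body)}

# Constructed message, not the email from the experiment.
SAMPLE_EMAIL = """Your site needs a new security certificate.
Install it here: https://squarespace-security.example/install-cert
Account settings: https://www.squarespace.com/account
"""

if __name__ == "__main__":
    for url, verdict in review_email(SAMPLE_EMAIL).items():
        print(verdict, url)
```

A link flagged as a lookalike deserves a manual check of the sender and the real site before anything is downloaded or installed.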