I dared two expert hackers to destroy my life. Here’s what happened.
Several months ago, while I was typing a few e-mails at my dining room table, my laptop spoke to me.
“You…look…bored,” it said in a robotic monotone, out of nowhere.
Startled, I checked my browser tabs and my list of open applications to see if anything had been making noise. Nothing had. I hadn’t been watching any YouTube videos, browsing any pages with autoplay ads, or listening to any podcasts when the voice appeared.
Then I realized: this was the hacker. The same hacker who, for the prior two weeks, had been making my life a nightmare hellscape — breaking into my email accounts, stealing my bank and credit card information, gaining access to my home security camera, spying on my Slack chats with co-workers, and — the coup de grâce — installing a piece of malware on my laptop that hijacked my webcam and used it to take photos of me every two minutes, then uploaded those photos to a server owned by the hacker.
Hence the robot voice. From his computer on the other side of the country, the hacker spied on me through my webcam, saw that I was unenthused, and used my laptop’s text-to-speech function to tell me “you look bored.”
I had to admit, it was a pretty good troll. And I couldn’t even be mad, because I’d asked for it.
Last year, after reporting on the hacks of Sony Pictures, JPMorgan Chase, Ashley Madison, and other major companies, I got curious about what it felt like to be on the victim’s side of a data breach, in a time when so much of our lives is contained in these giant, fragile online containers.
So I decided to stage an experiment that, in hindsight, sounds like a terrible idea: I invited two of the world’s most elite hackers (neither of whom I’d ever met) to spend two weeks hacking me as deeply and thoroughly as they could, using all of the tools at their disposal. My only conditions were that the hackers had to promise not to steal money or any other assets from me, reveal any of my private information, or do any harm to me, my data, or anyone else. And then, at the end of the hack, I wanted them to tell me what they found, delete any copies they’d made, and help me fix any security flaws or vulnerabilities I had.
Fortune 500 companies do this kind of thing all the time. It’s called “penetration testing,” or “pentesting,” and it’s a staple of the modern corporate security arsenal. Large corporations and government agencies pay professional white-hat hackers thousands of dollars an hour to try to hack their servers, in the hopes that they’ll find holes and vulnerabilities that can be patched before a malicious hacker gets hold of them.
I’m not a Fortune 500 company, but I still wanted to subject myself to a personal penetration test to see how my security measured up. I’m a pretty privacy-conscious guy, and I’ve taken lots of steps to keep my data safe. I put two-factor authentication on my accounts; I have strong passwords and a password manager; and I use a VPN when I’m on public wifi networks.
If I had to give myself an overall digital security grade, I’d give myself an A-.
But as it turned out, it didn’t matter how good my defenses were. Against a pair of world-class hackers, my feeble protections were about as useful as cardboard shields trying to stop a rocket launcher. For weeks, these hackers owned the hell out of me. They bypassed every defense I’d set up, broke into the most sensitive and private information I have, and turned my digital life inside out. And then, when they’d had enough, I met them at DefCon (the world’s biggest hacker convention, held in Las Vegas every year) and they told me exactly how bad the damage was.
You can see the full, terrifying story of what happened to me in the video above. But here are the broad strokes.
Part 1: Social Engineering
The first hacker I called, Chris Hadnagy, specializes in what’s called “social engineering” — attacking a network by exploiting human weaknesses, rather than using code or malware. Most of these exploits are subtle — a cable company that will give out customer addresses over the phone without asking for a PIN, say, or an insurance company that only requires a Social Security number to access a customer’s policy details. But they can be dangerous, in that they can provide hackers access and data points to carry out larger attacks. (Social engineering is how hackers were able to wreck the digital life of my friend Mat Honan, by getting Apple and Amazon to divulge his personal details.)
I’d never met Chris, but his firm, Social-Engineer, came highly recommended, so I gave him my rules: he and his team had two weeks to hack me as hard as possible, using every tool at their disposal, but stealing no money or data and causing no permanent damage or fallout.
Before he began, Chris emailed me: “may God have mercy on you ;)”
Chris began by compiling a dossier on me, using publicly available information like my email address, my employer, and my social media accounts. Most of this was information I’d made available on purpose, but some of it wasn’t. (They found my home address, for example, by enlarging and zooming in on a photo I’d posted to Twitter of my dog, which had the address listed in tiny type on the dog’s tag.)
Once he had my personal information, Chris and his team went to work. They called Time Warner Cable and Comcast, pretending to be my girlfriend, and figured out whether or not I had an account with either of the companies. (I don’t.) They called the local utility company to see if I had an account there. (I do, but it’s not under my name.) They found my Social Security number on a special-purpose search engine, and took a survey of my social media activities. In total, their dossier on me added up to 13 pages.
Continue reading the original article over at Fusion.net.