By Taylor Armerding, CSO
Everybody knows, or ought to know, about the risks of being hacked. But it’s easy to slip into a level of denial about an amorphous threat and get careless if you don’t think anybody is out specifically to get you.
But what if a group of somebodies is out to get you, and you know they are and exactly who they are, because you arranged for them to try? That is what New York University Professor and PandoDaily editor Adam Penenberg did with Trustwave’s advanced research and ethical hacking team, SpiderLabs. He challenged them to conduct a personal “pen test” on him.
And the answer, at least in his case, is that knowing that they were out to get him didn’t stop them. He got hacked. As he wrote, in an account of the project last month, while conducting a class at NYU, “without warning, my computer freezes.
“I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.”
That was just the visible and audible damage, however. By the time Penenberg’s computer froze, the Trustwave team, led by Nicholas Percoco—at the time SpiderLabs’ senior vice president (he has since left to become a director in the information practice at KPMG)—had gained access to the Penenberg family’s W2s (with Social Security numbers), copies of credit card and bank statements, his checking and savings accounts, a corporate bond account, credit card statements, online bills, his Amazon, Facebook, and Twitter accounts, and his iCloud password, through which they put both his iPhone and laptop into stolen mode.
The team did a couple of relatively harmless things to demonstrate its success, like ordering 100 plastic spiders from Amazon and having them shipped to his home, and posting some fake tweets.
But the bottom line was, once they were inside his laptop, there were “few firewalls protecting my data, and (they were) mostly in the form of a pastiche of passwords and log-in credentials. These, I quickly learned, were not secure,” Penenberg confirmed.
Therefore, “I don’t delude myself into thinking I’m protected from prying eyes—the government’s or anyone else’s, if they belong to someone with the right combination of skills, resources and determination,” he wrote.
The story offers some moderately reassuring news, at least for those who aren’t prominent or wealthy enough to become a specific target for the black hats. While the SpiderLabs team was able to hack Penenberg, it took weeks, was difficult, complicated and very expensive. Without the stated challenge, he likely wouldn’t have been worth the trouble.
Garret Picchioni, a security analyst at Trustwave and a member of the hacking team, said he “worked more than 200 hours on just the onsite component of the entire project, which took approximately 12 days to complete. I was so tired afterwards; I spent the rest of Labor Day weekend sleeping.
“Other work was also done beforehand such as (digital forensics specialist) Josh (Grunzweig) writing the custom malware and performing research on Adam,” he said.
Picchioni didn’t provide the total cost of the project, and Penenberg declined to respond to questions from CSO, but James Arlen, senior security consultant with Leviathan Security Group and a hacking expert, estimated that it took, “about six person-weeks of effort plus expenses. Call it $50,000 or so. If anything, that’s low,” he said.
The time frame squares with Penenberg’s account. He wrote that his computer froze in his class about two months after he had challenged the SpiderLabs hacking team.
Picchioni did say the team kept its expenses to a minimum. Outside of hotel, food, and airfare costs, “we brought nearly every piece of technology equipment we owned with us eliminating the need to really purchase any additional items,” he said.
But he acknowledged that a pen test on a single person is more difficult and expensive than doing one on a company, given that with “dozens to thousands of employees, where each person most likely has his or her own computer, the number of possible attack vectors increases. In this case, we were limited to Adam and his wife.”
The task was also complicated by the need to avoid breaking any laws or arousing suspicion among Penenberg’s neighbors in Brooklyn Heights, New York. And when trying to compromise Penenberg’s home Wi-Fi network, the team was confronted by a virtual haystack of networks: 1,200 of them within a tenth of a mile of his brownstone. “We couldn’t just start randomly compromising networks and checking to see if they happened to be Adam’s,” Picchioni said.
Social engineering scores
Perhaps another lesson of the project, however, is that it was not technology bells and whistles that finally led to success—it was human weakness. The plan included attempts to compromise Penenberg’s home Wi-Fi, leaving USB drives loaded with malware in strategic places, trying to overwhelm his wireless router, attempts to lure him to a malicious “blog,” visiting his office at NYU to try to identify his devices via the MAC (media access control) address in order to determine which wireless network he connected to at home, and trying to compromise Penenberg’s wife’s business—a Pilates studio. They even sent a fake student to one of the Pilates classes.
Ultimately, however, success came from the con art of the phish. The team sent an email using the name of an actual Pilates instructor to Penenberg’s wife, with a “video clip” containing malware that gave the team full access to her laptop whenever it was on the Internet. And through that, they got to Penenberg’s laptop and phone.
The technical term for getting access to the target through another person, Picchioni said, is “pivoting,” or “using a small fish to catch a big fish.”
But he added that the time and expense of this project should not make “average” users think they are not at much risk. The “double-edged sword” element for average users is that while it might be far too complex and expensive to attack them individually, it likely would be well worth it to hack a large company from which they make online purchases.
“What if an attacker compromises a company that has your credit card number on file or other sensitive information that could make identity theft extremely easy?” Picchioni said. “While no system or company is ever going to be 100 percent hack proof, for companies you’re giving your business to, it’s important to be aware of their security practices.”
And Deena Coffman, CEO of IDT911 Consulting, said it is not expensive for malicious hackers to cast a wide net for careless victims. “Efficient markets exist where intruders can purchase malware kits and widely distribute them via email, social networking sites—Facebook, Instagram, and Pinterest are the favorites currently—or hijack an unprotected website and plant malware on that site so that anyone who browses to it will pick up the malware without even knowing,” she said.
Arlen agreed, saying while it involves modern technology, it is based on the same “human-scale problems that make it possible for con artists to do what they’ve been doing for 10,000 years.”
Advice for would-be targets
Given that reality, how can people protect their confidential information without withdrawing entirely from the Internet? For starters, where should they keep all the complex, impossible-to-remember passwords they need for dozens of sites or accounts?
Arlen offers the advice Bruce Schneier, CTO at BT and security guru, offered eight years ago in a blog post: Write them down and keep them in your wallet. “The modern variant on this is of course the use of tools like KeePass, LastPass, 1Password, etc.,” he said. “These tools make it very easy to have a completely unique, and complex, password for each authentication requirement you might have.”
Most experts recommend encryption, but Picchioni also suggests creating a passphrase rather than a word. Not only are they easier to remember, but they are difficult to crack. A simple password, he said, offers almost no protection at all. “Using Hello1234 as your home Wi-Fi password is comparable to locking the front door but still leaving the key in the lock outside,” he said.
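To put the Hello1234 comparison in numbers, here is an added example (not part of the original article) that estimates the guessing space of a dictionary-word-plus-digits password against a randomly chosen multi-word passphrase, and generates such a passphrase with a cryptographic random source. The attacker dictionary size, the 7,776-word list size and the guessing rate are assumptions chosen for illustration, not figures from the article.

```python
import math
import secrets

# Assumptions for illustration (not from the article).
COMMON_WORDS = 20_000          # size of an attacker's base word dictionary
DICEWARE_SIZE = 7_776          # size of a standard Diceware-style word list
GUESSES_PER_SECOND = 1e10      # assumed offline guessing rate

# Constructed mini word list standing in for a full Diceware list; the
# entropy maths below uses DICEWARE_SIZE, not the length of this sample.
SAMPLE_WORDS = ["anchor", "brick", "cobalt", "dune",
                "ember", "fjord", "glacier", "harbor"]


def dictionary_password_bits(num_words=COMMON_WORDS, digits=4, capitalized=True):
    """Bits of guessing space for a 'Word1234'-style password: one
    dictionary word, a run of digits, and optionally a capitalised variant."""
    bits = math.log2(num_words) + digits * math.log2(10)
    if capitalized:
        bits += 1  # attacker tries lower-case and capitalised forms
    return bits


def passphrase_bits(num_words, list_size=DICEWARE_SIZE):
    """Bits of guessing space for num_words words chosen uniformly at random
    from a list of list_size words (the words may be separated by spaces)."""
    return num_words * math.log2(list_size)


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to find the secret by brute force: on average the
    attacker searches half the space before hitting the right guess."""
    return (2 ** (bits - 1)) / rate


def generate_passphrase(num_words, wordlist=SAMPLE_WORDS):
    """Pick num_words words with secrets.choice (a CSPRNG, unlike random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def compare(num_words=4):
    """Return (bits, expected seconds) for both styles for a quick report."""
    weak = dictionary_password_bits()
    strong = passphrase_bits(num_words)
    return {"word_plus_digits": (weak, expected_crack_seconds(weak)),
            "passphrase": (strong, expected_crack_seconds(strong))}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:16s} {bits:5.1f} bits  ~{secs:12.1f} s to crack")
    print("example passphrase:", generate_passphrase(4))
```

At the assumed rate a Hello1234-style password falls in a fraction of a second while a four-word passphrase takes on the order of days, which is why longer passphrases (five or six words) are the usual recommendation for offline-attackable secrets such as a Wi-Fi key.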
And what about protecting all those sensitive documents, like Penenberg’s W2s and bank statements?
Start with encryption, encryption, encryption. “Strong encryption and properly managed keys enable people to keep sensitive e-documents on their computers,” said Paige Leidig, senior vice president and chief marketing officer at CipherCloud.
To that, Deena Coffman recommends another layer. “Keep them on an external hard drive, encrypted,” she said.
Picchioni and Arlen agree. “Not everything needs to be stored on a running computer,” Arlen said. “It is perfectly reasonable to store things like that off-line, on a USB key or in an encrypted container that does not auto-mount.”
Picchioni suggests multiple flash drives, with backups, that are kept in a safe or lockbox. “Think of the way we used to store sensitive records before the digital era,” he said. “In this case we don’t need to print them; we store them on a device of some sort.”