
Hack-a-mole: a brave/foolish journey into the world of online intrusion

Our lives are increasingly lived digitally. And while that has brought untold benefits, all of the information we provide is generally kept private by the flimsiest of methods. So how easy is it to get hold of that information? And what’s the worst that could happen if it got into the wrong hands? Courtney Devereux bravely/foolishly decided to let hackers try to infiltrate her online world – and all they found was everything.

‘If you’re reading this it’s too late,’ read my Netflix account panels.

Had this happened to anyone else, I can imagine it would invoke a fair amount of panic. But fortunately, I knew what was happening. I had been hacked.

But this hack wasn’t random. I had brought it on myself by employing a hacker named ‘c0mpl3x’ (his real name is Jason), who is part of a small basement-dwelling ‘hacker association’ called the ‘Hacky Sacks’. And yes, they are aware they sound like a boy-band.

The Hacky Sacks are a non-profit group that approaches businesses to show how easy it is to break through their systems. They then use that information to let the businesses know where their weak points are and how they can plug the holes. If a business refuses to hire the team, they will do it regardless.

Known as “white hat hackers”, these individuals are clever but perhaps not completely morally sound. A David M. Hafele study titled, Three Different Shades of Ethical Hacking: Black, White, and Gray from 2004 defined the different approaches and said the marriage of the term ethical with hacking is something of an oxymoron, analogous to calling someone an “honest criminal”. So I wanted to see how far this ‘honest criminal’ – or, as they are sometimes known, ‘penetration specialists’ – could get into my online life.


Hack-in-a-box: the best/worst/most concerning/most creative hacks

1) Best at hiding in plain sight: This June, Russian hackers used Britney Spears’s official Instagram account to communicate, planting coded messages in the comments on her posts. Random-looking phrases like “#2hot make loved to her, uupss HHot #X” were in fact a way of telling other parts of a malware scheme where to drop stolen information.

2) Worst company efforts: In September 2016, Yahoo disclosed that at least 500 million user accounts had been breached. To make matters worse, the company later revealed that the hack had happened in 2014 and had only just been found. Worse still, in mid-December Yahoo dropped another bomb: it had lost the data of one billion users in 2013. (Could you be among them? Head to www.haveibeenpwned.com to check.)

3) Most creative: Just because you’re high up in a skyscraper doesn’t mean you’re immune from WiFi hacking. Researchers in Singapore managed to steal confidential documents using a mobile-enabled drone that sought out open WiFi printers.

4) Most worrying: Stuxnet was a malicious computer worm that was able to spy on industrial systems and even cause things like fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant. Although the creators of Stuxnet haven’t been officially identified, the size and sophistication of the worm have led experts to believe it could only have been created with the sponsorship of a nation-state. Stuxnet was later thought to have been used by the US and Israel to destroy centrifuges in an Iranian nuclear enrichment facility.

5) Similarly worrying: In 2016 a new type of malware, known as Crash Override, targeted the city of Kiev. It attacked the power grid and led to major outages in the Ukrainian capital. Like Stuxnet, this type of malware aims to cause actual physical disruption rather than just digital damage. An updated version could ‘speak’ to the grid controls directly and switch the flow of power on and off, which meant Crash Override could perform blackout attacks more quickly, with far less preparation and with far fewer humans managing it. It’s thought the malware gained access through a phishing email.

6) Toys ‘r’ us: Early this year CloudPets, a connected toy that records personal messages and stores them on iCloud, was the target of a hack. The details, which included email addresses and passwords, were leaked along with access to profile pictures and more than two million voice recordings of children and adults who had used the stuffed toys. The recordings were traded on an online site and CloudPets’ original database was wiped. CloudPets failed to alert customers to the breach until it became public. And with more connected devices coming on the market, security experts are predicting more breaches like this.

7) Just plain stupid: Donald Trump's senior aide Kellyanne Conway suggested Barack Obama could have monitored the President through a microwave. She claimed surveillance could be conducted with "microwaves that turn into cameras," and added: “We know this is a fact of modern life.”


The Experiment

There is no individual, group or organisation that is immune from possible attacks, and each may offer something of intrinsic value to a determined hacker. But individuals can sometimes be the easiest target because they have little to no security, and are easily tricked or blackmailed.

There has been a lot of cyber crime in the news recently, from the international ransomware WannaCry threatening business data in New Zealand by exploiting a vulnerability in old Windows software, to Trump’s team accusing Obama of spying on him with a microwave, to Romanian cyber criminals hacking into connected toys and leaking millions of voice recordings of children and adults.

My hack wasn’t of this scale, nor would it do any permanent damage to myself, outside parties or those included in the experiment (that is, if c0mpl3x kept his side of the bargain). And the advantage I had over a normal hack was I knew it was happening. The contract stated that no private information was to be shared, all personal information was to be returned, and the hacker had exactly one calendar week to get as much information as possible.

Before the hack began, I had 12 hours to set up as many defences as I could. I set up Norton Antivirus on my Mac to protect myself against any malware, or ‘malicious software’ that could gain access to my computer without my knowledge.

I changed all my passwords, updated my laptop and made my security questions difficult and creative.

I was advised against using open WiFi, as it makes it too easy for hackers to piggyback on your connection and download illegal files, and I unlinked my accounts from one another.

At first, this all seemed tedious. How could one person break through all the defences and cautionary measures I had taken?

Day 2: Gone phishin’

The type of cyber breach that catches most individuals is called ‘phishing’. Rather than focusing on the weaknesses of technological systems, it focuses on the weaknesses of humans, like tricking someone into opening a spam email, text message or encrypted link, or convincing them to hand over a password by impersonating someone. And while there is a perception that only idiots fall for phishing attacks, the level of sophistication can be impressive.

I received an email that morning telling me someone in India had successfully taken money out of my account and I needed to fill in my details to cancel it.

In a classic phishing attack, hackers create a fake site that looks like the real one and has a URL or sender address similar to the official one — say, service@paypal.com instead of service@intl.paypal.com. Easy to confuse, but by logging in on the fake site you have handed your details for the real site to the attacker.

I was lucky: I had withdrawn money from PayPal the week before, so I noticed the difference between the emails and didn’t fall for it. I now almost felt we were on a level playing field and that perhaps I could survive the worst of the hack after all.

A phishing email with a fake Paypal address.
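The two addresses contrasted above share the registrable domain paypal.com, so a useful sender check compares that registrable domain, and lookalikes of it, rather than the subdomain. The following is an added example of such a check (not code from the article or from the Hacky Sacks); the trusted-domain allowlist, the simplified two-label suffix list and the sample addresses are all constructed for illustration.

```python
"""Flag lookalike sender domains, the classic phishing tell."""
import re
from difflib import SequenceMatcher

# Constructed allowlist: registrable domains the reader genuinely receives
# mail from. Replace with your own.
TRUSTED_DOMAINS = {"paypal.com", "vodafone.co.nz", "airnewzealand.co.nz"}

# Suffixes that take two labels (simplified stand-in for the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.nz", "co.uk", "com.au"}

# Digits commonly swapped for letters in lookalike names: paypa1 -> paypal.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def sender_domain(address: str) -> str:
    """Extract the host from 'user@host' or 'Display Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    return m.group(1).lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """'intl.paypal.com' -> 'paypal.com'; 'mail.vodafone.co.nz' -> 'vodafone.co.nz'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(address: str) -> tuple[str, str]:
    """Return (verdict, registrable domain).

    'trusted'   - registrable domain is on the allowlist (subdomains are fine)
    'lookalike' - domain imitates a trusted one: digit homoglyphs, the brand
                  name buried in a subdomain, padded with extra words, or a
                  near-miss spelling
    'unknown'   - no resemblance to anything trusted
    """
    host = sender_domain(address)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    labels = host.split(".")
    first = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if domain.translate(HOMOGLYPHS) == trusted:          # paypa1.com
            return "lookalike", domain
        if brand in labels:                                  # paypal.com.verify-now.net
            return "lookalike", domain
        if brand in first and first != brand:                # paypal-secure.com
            return "lookalike", domain
        if SequenceMatcher(None, first, brand).ratio() >= 0.8:  # paypall.com
            return "lookalike", domain
    return "unknown", domain


def flagged(addresses: list[str]) -> list[str]:
    """Return only the addresses that imitate a trusted sender."""
    return [a for a in addresses if classify_sender(a)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    for addr in ["service@paypal.com", "service@intl.paypal.com", "service@paypa1.com",
                 "PayPal <service@paypal.com.account-verify.net>", "news@example.org"]:
        print(f"{addr:50} {classify_sender(addr)}")
```

A mail filter would run this on the From: header and on the domains of any links in the body, treating a lookalike verdict as grounds to quarantine.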

Day 3 & 4: They’re always watching

I was in a constant state of anxiety and foreboding, even more so when required to use my laptop or send an email.

I had never before used my laptop with the fear of someone watching me from the other end. That had always seemed far-fetched, a product of paranoia. But during a cyber breach, the laptop camera almost feels like an all-seeing eye.

The late night, no make-up, double chin look I usually sport while on my laptop is not something I want anyone to see, let alone to store as an image.

The most common way someone gets access to a camera is with Trojan horse malware: malicious code hidden inside seemingly innocent files that, once downloaded, does its thing and gives hackers backdoor control of your device.

From then on they can send any command to the computer and it will carry out the requested action.

For the next couple of days, I just kept my daily schedule as usual, with the thought that everything I did was being watched in the back of my mind.

Day 5: Access granted

A panicked call from my mother reminded me that I completely forgot to tell her about this entire thing.

It was at this stage that “if you’re reading this it’s too late” appeared on Netflix.

I should have included her as a liability, as she can give away my personal information accidentally just as easily as I can. She was unimpressed with the experiment.

Day 6: Defensive pressure

My bank called to say someone had tried to answer my security questions. Like my mum, the bank representative was also thoroughly unimpressed when I told her not to worry about it.

My accounts happened to be on high alert after a previous breach attempt two years ago, so the added security helped me the second time around. The bank recorded the IP address behind the attempt, and it was coming from the Auckland Central Public Library.

Halfway through the day, Vodafone also called me asking to confirm my address for the cancellation of my broadband line. I had been emailing their support team requesting to cancel it for almost three months because calling them is so frustrating that I needed to lay down and count to 10 afterwards. After an unexpectedly pleasant phone call, and only after I had given out my address, did it occur to me that the number wasn’t Vodafone’s. I had actually saved Vodafone’s number to my phone so I knew to ignore it.

I felt completely stupid. I had fallen for the oldest trick in the book and I was convinced they were all laughing at my naiveté on the other end of the phone.

If I was dealing with a real, malicious hacker, then the hacker would probably attempt to keep his stranglehold on the network by installing backdoors that would allow him full control over an electronic device.

In addition, criminal attackers usually attempt to cover up their tracks by auditing and deleting various security logs on the network.

These additional phases of an attack may or may not be used by a hacking team, but when they are, it’s usually to find out how strong an audit trail the client network has and whether anyone is following up on audit anomalies.

In my case I had no cyber security staff, so auditing my own data was limited to what I could check manually on my computer or phone.

Day 7: Sweet salvation

The official last day of the hack. C0mpl3x had until 12 am that night to secure as much information as he could.

I am not a high-flying business executive who holds a lot of high-value information or a high-risk target with a lot to lose or with anything that could ruin my ‘brand reputation’. But I do have plenty of private information.

My Facebook account alerted me with a well-timed ad about how I need to improve my security measures. Did they know? Or had my many Google searches for ‘hacking’ and ‘cyber breach’ tipped it off?

C0mpl3x only had a small window of time to access my information, but a small window is all they need. If I were employing him as an ethical hacker, it would be wise to give him some initial access to the internal network’s configuration, so that he could spend his time trying to breach what mattered most rather than collecting minor information that was publicly available anyway.

In that case he would have the best chance of detecting weaknesses. But as I was approaching this from the standpoint of a cyber breach rather than a paid test, it was up to him to gain access by himself.

The meet up: Let there be light

I was nervous going into the meeting with Jason and was worried about how much information he was able to get, but I still held a scrap of hope that he hadn’t managed to retrieve too much. I was so wrong.

He emailed me a PDF folder displaying all the information he had dug up. It was 30 pages long. Looking through this hefty document I felt sick.

A study conducted by Jay P. Kesan and Ruperto Majuca titled Optimal Hackback (2009) says that when considering the best way to combat a hack, you must look at the legal, technological and economic solutions before reacting.

I tried to play it cool as he explained the technology behind the hack when all I wanted to do was grab his laptop and sprint off into the distance.

He explained that hacking into my email account was the easiest. Email is often the first target for hackers as this account can usually gain them information that can then be used in other parts of the hack.

[Image: the real site and the fake site, side by side]

To crack my email, Jason said he had sent me a phishing email, which involved me being tricked into entering my email and password into a fake site. The site in question was well-designed, ripping off Countdown’s OneCard, of all things. The site said I needed to register my card with my email login, which I did. I hadn’t even realised the site was fake, it was so realistic and well-timed.

Funnily enough, the PayPal phishing email that I had expertly dodged wasn’t from Jason. It was an actual scam.

Jason also installed keylogging software: malware on the computer that records each and every keystroke typed on its keyboard, passwords included. This is used when the hacker can’t gain access through human error.

After that, it was just a matter of him trawling through my emails and collecting as much information as he could. He said that because I don’t regularly delete all my emails, seeing all my information was easy.

“Besides passwords and security questions, you didn’t really have any security. Phishing is the easiest way to get information, because people get those kinds of emails all the time, the ones asking for information and details that you don’t think twice about.”

“So once I had access to your emails I was able to get a lot of information that would have been more difficult to find had you had the right security measures.”

What other information was Jason able to retrieve in just seven days?

  • My Air New Zealand login details, sourced from an Airpoints update email.
  • My tax number, and with that my IRD number from my tax return email.
  • PayPal details and account balance from the withdrawal I made.
  • My credit card number, sourced from the card saved on My Vodafone site.
  • My Facebook login.
  • My TradeMe login, which supplied my bank account number.
  • My WordPress login, which is where I hid my customer data for the experiment.
  • My Adobe logins.
  • My physical address, and address of my two workplaces.

Believe it or not, that was only the tip of the iceberg. All that data was collected on the first day. When Jason explained that the entire hack only took him three days to complete I was both horrified and impressed.

The sheer ease with which he had broken through the first line of defence was astounding, and yes, I am fully aware I basically just gave him my password. But I didn’t know how much could be gained just from emails.

Apart from my opened emails, the call from the bank and Vodafone and the ominous Netflix panels, I hadn’t noticed any of what he had been taking.

Once Jason had explained how easy my emails had made everything, he moved on to getting access through my laptop.

When you connect to the internet via your home or business network, your computer is virtually assigned an IP address that uniquely identifies it to the rest of the internet. Think of it like a postal address: everything you send out has a return address so that the recipient knows exactly where to reply.

Usually an IP address only narrows a location down to a fairly broad radius, but Jason could work out which internet router, providing network address translation (NAT), my network sat behind, and trace that router to my physical address.

The router itself took on the assigned public IP address, then handed out internal IP addresses to each connected computer.

After he had found my device, Jason could do what I was most paranoid about: access my webcam, which, according to him, is creepy yet insanely easy to do.

All it took was software called Meterpreter installed on my device. Meterpreter is a service that gives the hacker command shell capability and communicates back to the hacker in an encoded form so that it isn’t recognised by antivirus software.

Jason explained that he had quite quickly been able to get past the antivirus on my computer because “we are not a virus; we are a hidden code”.

How did he manage to install it on my device? With a hidden PDF file, encrypted to open on my device, delivered in a blank email that appeared to have been sent from my own address.

After I opened the email, the code was able to download itself onto my device and serve as a backdoor for remote control.

From there, Jason explained, you cannot watch someone live through the webcam, but you can install code that makes the camera take a snapshot every few minutes, or however often you set it for.

“I had tried the first day taking a photo every 1 hour to see if you took your laptop with you to work,” said Jason.

Which I don’t.

“After realising you didn’t, I started setting up a snapshot timer for every ten minutes after 8 pm, and lo and behold, there you were.”

And yes, there I was. Hair up, no make-up, double chin exposed to the world and The Sims 2 reflected in my glasses. This was me at my most vulnerable, a pure state of unselfconsciousness that usually only my mother is lucky enough to see.

The common quote goes, “accept your weaknesses so no one can use them against you”. The loss of so much personal information showed me that this is easier said than done.

Unfortunately, the only ways to combat webcam code are either to install a very expensive antivirus that works as a code blocker or to cover your laptop camera with a sticker. I have chosen the latter option.

Through my emails Jason had seen that I requested to cancel my Vodafone modem. Using this to his advantage, he got one of his fellow ‘Hacky Sacks’ to call me, following a script, to gain my Vodafone login details. Through this, he accessed my bank account details, which are saved to my Vodafone account.

“Having your bank account details opened up a world of possibilities. If I was rogue I could have transferred your savings to a different account, or purchased anything under your name,” said Jason.

“It’s not a good idea to have credit details saved to sites. Yes, it makes things easier, but convenience lessens security. Once someone has your login, it’s only a matter of going through the retail sites you frequent and seeing which one has saved your whole number.”

“I tried to log into your bank account, but after failing all the security questions it alerted me that your account was on high watch, which was one thing you did right.”

“Think of a hack like chopping down a tree. There is no use whacking away at the leaves that only give you a little bit of information. You need to hit the roots that in the end can topple everything.”

Jason explained to me that bank details are easy to get, but banks are harder to work with as they have the highest security measures available. He also told me that changing my mother’s maiden name to King Henry the Eighth was cheating. I disagreed.

It was not just the loss of personal and customer data that added to the stress of the experiment, but the fact that he now knew almost everything about me.

He knew when my next doctor’s appointment was, he knew that I have been avoiding my orthodontist emails for three months, he knew that I had paid $50 to download the Sims 2 ultimate collection expansion pack.

The experiment showed that doing the minimum requirements to keep my information private did, excuse my French, fuck all. And the speed and ease with which all my personal details were collected and stored has continued to make me feel exposed and vulnerable online long after the experiment concluded.

Glenn Greenwald, one of the reporters who worked to tell Edward Snowden’s story and a co-founder of The Intercept, often hears people claiming they have nothing to hide, so they therefore have nothing to worry about. His response is to ask them to send their email login and password and let someone else decide if that’s true.

If you think about it, there are so many parts of our life that we want to keep private; all the small stuff that seems unimportant until someone knows it without your permission. And with more and more of our information online, it pays to be pro-active. You know they will be.