Hacking a Reporter
December 6, 2013 7:13 AM   Subscribe

Adam L. Penenberg challenged a white-hat group of hackers to see how much they could learn about him. Two months later, the result terrified him. SpiderLabs tells how they did it in three posts: one two three
posted by Chocolate Pickle (28 comments total) 42 users marked this as a favorite

 
My wife, Charlotte, was practically speechless when I told her about the hack.

Gosh, I'm pretty certain I wouldn't be if someone told me they had signed me up for this sort of experiment. I guess Professors of Journalism don't cover ethics any more.
posted by biffa at 7:31 AM on December 6, 2013 [11 favorites]


What no pizzas, pranks or tow trucks.

Psshhht. What's the point of getting dox?
posted by Samuel Farrow at 7:47 AM on December 6, 2013 [2 favorites]


Hacking a Reporter

A sad commentary on how my mind works, but at first I thought this was going to be about Trevor Greene.
posted by The 10th Regiment of Foot at 7:47 AM on December 6, 2013 [1 favorite]


I've always held that any security measure you take only raises the bar of how determined a theoretical thief/intruder has to be to overcome it. There is no absolute security.

The fact that it took several days constant work by a team of highly trained professionals to obtain access to Adam's financial information is a great comfort to me. Most actual thieves would move on to less difficult targets much more quickly than that.
posted by BigLankyBastard at 7:49 AM on December 6, 2013 [11 favorites]


This strikes me as being the computer security equivalent to Jack Barnes & Son's identification of the (first of the) Irukandji jellyfish.
posted by Slackermagee at 7:50 AM on December 6, 2013 [2 favorites]


The fact that it took several days constant work by a team of highly trained professionals to obtain access to Adam's financial information is a great comfort to me.

To be fair, they were somewhat hampered by the fact that they were trying to stay within the bounds of the law - for example, a real malicious hackers would not stop at breaking every Apple wifi router they encountered in an attempt to find the right one.

I appreciate that Penenberg mentioned "security through obscurity" right at the beginning - it's something that most articles like this one (for example, the description of Mat Honan's hacking from a few years ago) fail to discuss.
posted by muddgirl at 7:54 AM on December 6, 2013 [2 favorites]


...real malicious hackers would not stop at breaking every Apple wifi router they encountered in an attempt to find the right one.

Which only proves my point - unless these real criminals were specifically targeting you, they'd probably have hit someone else's less secure system before they reach your properly secured wireless network. So you only have to worry about stalkers, and the venn diagram where the sphere of "stalkers" intersects with "knowledgeable IT security professionals with spare time" is mercifully slim.
posted by BigLankyBastard at 8:01 AM on December 6, 2013


It seems like hacking of this sort is mostly spear phishing - only attainable because of a particular, highly distinct target who makes a critical mistake. Opening videos from random strangers is like asking for malware. It means that changing the online culture to focus on security is more important than anything else, which we've known for a long time.
posted by graymouser at 8:01 AM on December 6, 2013


The fact that it took several days constant work by a team of highly trained professionals to obtain access to Adam's financial information is a great comfort to me.
That's an interesting take on it. My reaction to these hacking demonstrations is utter horror at how unsophisticated the attacks are. It's not like these guys had to do heavy, arcane math or have access to secret information only privy to the hardware manufacturers. There was some code that had to be written, of course, but anyone with a little programming knowledge could look up Java security holes or sling together a fake password prompt. Their greatest weapons were cleverness and persistence. They basically did the Internet equivalent of ringing an old lady's doorbell and giving her a sales pitch and then, while her back was turned, stealing the silverware.
posted by deathpanels at 8:05 AM on December 6, 2013 [2 favorites]


Adam L. Penenberg challenged a white-hat group of hackers to see how much they could learn about him.

Never do that. I know what they say about "security through obscurity" but really, one of the best things you can do is not to paint a giant target on your face.
posted by Foosnark at 8:10 AM on December 6, 2013 [3 favorites]


Foosnark: Never do that. I know what they say about "security through obscurity" but really, one of the best things you can do is not to paint a giant target on your face.

Exactly. A low profile is a good first line of defense. The truth this that all security is obscurity. Whether its passwords, procedures, keys, etc, all security relies on keeping a secret that would render something vulnerable if known.
posted by dr_dank at 8:27 AM on December 6, 2013 [2 favorites]


A low profile is irrelevant unless you're being specifically targeted. If you get picked out of bulk data collection (see: almost all malware, the US government) a low profile means precisely squat.
posted by indubitable at 8:34 AM on December 6, 2013 [3 favorites]


There is no perfect security. There's reasonably good security and then there's arranging things so that somebody getting into your bank account will not cause your entire life to come toppling down if it happens. Keep an eye on your credit, keep a little cash in your sock drawer, balance your checkbook, take basic precautions, it's not going to kill you.

But most people don't even meet that "reasonably good" line, and they don't pay attention to their credit reports, and so on and so forth, which is why this is still a big deal.
posted by Sequence at 8:35 AM on December 6, 2013


I remember reading this article when it came out, but it's nice to have the insight of the people who performed this attack talk about what they did. "Hacking" is simply a combination of persistence and problem-solving, and that's what they did.
posted by antonymous at 8:39 AM on December 6, 2013 [2 favorites]



Exactly. A low profile is a good first line of defense.


In this day and age it's all too easy to be deprived of that option by somebody.
posted by ocschwar at 9:46 AM on December 6, 2013


I'd rather see what can be done without physical access. The requirement for physical access nullifies much of the scare.
posted by BentFranklin at 10:05 AM on December 6, 2013


Security through obscurity isn't much different from how most people handle their physical security. We trust that most people simply don't care enough to fuck with us. Even absent the existence of the internet, if someone cared enough about me, they could ruin my life. The invention of the internet doesn't really change that. I like that this article demonstrates this concept by contrasting the story from 1999 with the story from today.
posted by muddgirl at 10:05 AM on December 6, 2013 [1 favorite]


I'd rather see what can be done without physical access. The requirement for physical access nullifies much of the scare.

It seems to me like the damage was done without physical access, the same way many people are compromised - someone downloaded and ran a file they received in an email.
posted by muddgirl at 10:06 AM on December 6, 2013


This article is written like someone who just found out about "SCARY COMPUTERS!!!!! HACKERS CAN STEAL YOUR INFOS!!" just yesterday. In fact, it seems like this guy wrote that type of article back in 1999.

Social Engineering has been around for all time. I couldn't get through the article, did these guys do anything more complicated than what Kevin Mitnick was doing 25+ years ago?
posted by sideshow at 10:37 AM on December 6, 2013


muddgirl, the hackers point out that they drove by and snooped on the wifi as part of their attack, so there very much was a localized-access component.

That said, I think these targeted attacks vs mass-data-grab and such are two very different things.

I'm not so scared of these kinds of attacks, but considering all the news the past few years, but especially lately (since the adobe attack, in particular), I am getting a bit more worried in terms of mass data security.

It's a shame that the people who we SHOULD be trusting to protect us seem to have it more in their interests to create backdoors and systems designed to break any of the systems that should protect us. This leaves us up to our own, and hopefully finding solutions that are secure enough.

I wish a password solution existed beyond the keepass/lastkey/onepass type systems. I don't want to have to install a browser extension on each and every computer I access. I don't want to have to carry a flash drive around everywhere I go and hope that any system I have access to has the OS I need to operate such a tool, or that I have enough rights/privileges to run a flash drive or whatever.

I like the concept of OTP, but when even RSA has their methods attacked...

How can anyone feel fully secure?

I feel like the solution lies in multiple paths and implementations combined.

1) PasswordGen/Key system (onepass, lastpass, keepass)
2) OTP
3) Biometric, maybe? I don't think those are nearly as accurate as can be and provide wiggle room despite the fact they're supposed to be tied to you, the user.
4) Encryption of Mail and other documents individually
5) Encryption of one's complete drive.
6) Never ever ever ever saving a password in any form ever never.
7) Always scan for malware upon boot, throughout the day and when shutting down, get the latest updates. Run 10 different programs (but not all realtime - only one realtime program).
8) Backup backup backup

Thinking about the average person, who knows only the basics of computer, expecting them to know/do all these things we find a lot of issue. Fuck I *KNOW* what I should be doing and I don't do it. Humans are lazy. The best solution is the one that simplifies the process and reduces complexity. But anything that does that relies on code behind the scene, which means that itself is hackable.

--------
I mentioned this in my LJ, not sure if I ever have on the blue, but listening to my parents over the holidays and how afraid they are of so much in the world... The thing that hit me was my dad asking why I was turning my debit card in the drive thru window. I mean, technically he's right, but there comes a point where you have to draw a line. I am, personally, more concerned regarding large scale attacks across a vast population than I am by some chumpy fast food worker who may or may not have a way to copy your info.

I'm actually more concerned about a regular restaurant worker who takes the card away while you wait than I am a fast food worker who usually scans right in the window. I'm more afraid of card skimmers looking "legit" than I am of any particular individual.

This is the contrast between these targeted attacks as in the article, and the "low-profile"/obscurity view. That doesn't mean one can't be the victim of a targeted attack, but in general, I think you need to make some enemies first (or have a high enough profile that you become a juicy target).
posted by symbioid at 12:17 PM on December 6, 2013


HOLY SHIT! I just tabbed over to my RSS feed, and this hackaday article is starting the process towards collectively creating an offline password keeper system. Hmm...
posted by symbioid at 12:20 PM on December 6, 2013


Hrmm, nope - still requires browser plugin/code and a usb plugin fob. meh.
posted by symbioid at 12:22 PM on December 6, 2013


muddgirl, the hackers point out that they drove by and snooped on the wifi as part of their attack, so there very much was a localized-access component.

Did I miss something? My reading was that the number of wifi points was too dense to actually snoop the correct wifi router. That angle of attack did not work in this particular case.
posted by muddgirl at 12:24 PM on December 6, 2013


I guess we're talking about two different things, maybe. Are you saying that you think the article would have been better with no mention of physical methods of snooping? I think that would be an entirely different article than the one presented.
posted by muddgirl at 12:25 PM on December 6, 2013


Keepass is offline. Your passwords are stored in an encrypted archive on your computer's hard drive, or on a USB key for the portable version. You access the archive by logging into the Keepass application (available in standard, portable, and Android flavors -- not sure about iOS) which is local and non-networked, and copy and paste your passwords out of it and into whatever you are trying to access. It clears the clipboard automatically after a few seconds. It's a very simple system, and it doesn't integrate directly with any other programs or store your passwords in "the cloud". I like it a lot.
posted by Scientist at 8:56 PM on December 6, 2013


The ultimate offline password solution.

OS agnostic and no browser needed!
posted by baniak at 8:56 AM on December 7, 2013


Nth-ing keepass -- there are browser plugins, but they're just there to make it easier so you don't have to switch back and forth between the browser and your password app (I use KyPass Companion on OS X and KeePassDroid on Android.) You *can* safely sync the encrypted password archive using cloud service to make things easier, but that's not necessary, either. Everyone gets to pick their own spot on the sliding scale of tradeoffs between security and ease of use.
posted by tonycpsu at 10:55 AM on December 7, 2013


Symbioid: For most things I just hash a master password and the domain name, using this JavaScript page or bookmarklet. No browser extension, no thumb drive, no cloud sync.
posted by nicwolff at 5:38 AM on December 10, 2013


« Older From 1989, when Calvin & Hobbes was still pretty n...  |  "Alt lit [previously] is accus... Newer »


This thread has been archived and is closed to new comments