As we approach an era where virtually everything in our modern societies will be connected all the time — I am referring to the ubiquity of the Internet of Things (IOT) — we unarguably become prone to malicious elements, most notably hacking. We are told not to worry as we aren’t interesting enough. We aren’t plutocrats, CEOs, celebrities, high ranking government officials so we can hide behind a principle termed “privacy through obscurity.” In essence, while anyone can theoretically be hacked by anyone with enough skill, time, and smarts, most of us simply aren’t interesting enough for hackers to attack.
That thought is of little comfort to professionals in the field of network connectivity and security. The more you know, the less you relax, the less sanguine you are about the possibility of an IOT attack on your own home. Ignorance is bliss.
So that we are all a bit less ignorant, I suggest this article and video by Kevin Roose, I dared two expert hackers to destroy my life. Here’s what happened:
Two excerpts (from Roose’s Fusion piece):
Part 1: Social Engineering
Chris began by compiling a dossier on me, using publicly available information like my email address, my employer, and my social media accounts. Most of this was information I’d made available on purpose, but some of it wasn’t. (They found my home address, for example, by enlarging and zooming in on a photo I’d posted to Twitter of my dog, which had the address listed in tiny type on the dog’s tag.)
Once he had my personal information, Chris and his team went to work. They called Time Warner Cable and Comcast, pretending to be my girlfriend, and figured out whether or not I had an account with either of the companies. (I don’t.) They called the local utility company to see if I had an account there. (I do, but it’s not under my name.) They found my Social Security number on a special-purpose search engine, and took a survey of my social media activities. In total, their dossier on me added up to 13 pages.
Part 2: The Shell
Dan began hacking me with an elaborate phishing scheme. Running a WHOIS search on my personal website, he found out who hosted my site (Squarespace), and registered an available domain name that was one letter away from Squarespace’s. He then set up a fake website that purported to be a Squarespace security page, and sent me a convincing-looking email that claimed to be from Squarespace’s security team, asking me to go to the page he’d set up and install a certificate that would improve the security of my site. I’ve received a lot of phishing emails over the years, and this was the slickest one I’d ever seen—so slick, in fact, that I clicked on it even though I had promised myself I would be extra-careful while the hackers were targeting me.
The certificate I installed, of course, wasn’t really from Squarespace—it was malware he’d written that created what’s called a “shell.” This shell allowed Dan to remotely log into my computer and execute commands it as if it were his own—essentially giving him control of my entire machine.
You can follow Kevin Roose on Twitter here: @kevinroose