In 2013 I got introduced to one of the most interesting people I’ve ever met. He jokingly claims to be an ex-NSA employee (to this day I am not sure if this is a joke or truth) who is trying to live a simpler life. He’s not exactly the most secretive fellow but goes by the ever clever nickname of Mr. X. We came across each other as he was looking for some help to market a product teaching people basic computer security processes (attack and defend methods). Being an Information Technology professional and in the marketing scene, I was a great resource to help teach him about marketing his product.
At some point I made a deal with the devil and wagered 1 bitcoin (at the time worth about $1,000, now about $300 thankfully!) that he wouldn’t be able to hack me. I mean, after all, I kind of know my stuff. Turns out I wasn’t quite as secure as I thought I was.
I granted him remote access to my computer, on a non-administrator account to prevent installing any programs. A week later he was showing me account passwords for my various email accounts, FTP logins, root VPS access, pretty much everything. It didn’t stop there: he had spidered access across accounts, basically penetrating other people’s accounts through my contacts. In a week he had accumulated over 300 logins.
I really thought he was totally messing with me, and then I watched him as he popped open like 30 different accounts. I was watching him crank open one after another, a few of them contacts in my address book!
It was truly shocking how insecure we are as a society in our internet age.
He went on to show me how he did it all. The exact process, the methods to his madness. The techniques, amateur at best, but incredibly effective.
What I Learned
- First of all we are all vulnerable to phishing attacks. It doesn’t matter if you are an amateur or a pro, we are all susceptible to excellent social engineering.
- Anti-virus programs are practically useless, do they ever work anyways?
- Mr. X claims that unauthorized penetration attempts are illegal in many geographic locations but finding someone to enforce such crimes is tough. He claims that someone breaking into a high-level account (government official/celebrity/etc.) or using stolen credit card data, etc. can all of a sudden make this a very trackable crime.
- Letting a hacker onto your computer is not a good idea…
- Letting a hacker onto your network, even worse idea. I witnessed numerous accounts popping up all coming from my IP address. In a bad world X could have easily made it look like I was the point man here.
- Change your default router logins! X jumped on mine and opened it up.
- There are ways to protect yourself better.
- Always keep your files backed up.
Now That I Know
Now that I know what is possible and how it happens, I can protect myself a little bit better. I’m never going to make the statement that I couldn’t be hacked because, like I mentioned, everyone can, but knowing the means/methods/reasons really helps you safeguard yourself a little better.
I told Mr. X that if we had a go again he wouldn’t be so lucky. He said, “Are you sure when I stick a Verizon sticker on my truck and show up in a hard hat that someone won’t let me in to look at your network router?”
Well played Mr. X.
I would make the recommendation that if you have never practiced any penetration testing (the process of someone trying to break into your accounts) you should. Find your vulnerabilities, and fix them. This process is typically very expensive; at a corporate level I get quoted about $5k for external testing, and $5k for internal testing. I would recommend you find some computer science student, look for a shady hacker-style one, and ask them to do it.
Back to our original discussions: now that I’m in the know a little bit better, we are working on putting together a guide to help people prevent these attacks. My goal is to finish this guide first because X is also working on a guide to show how he goes about the process. The yin and yang of security, I guess.
If you have any good stories about computer security feel free to share below.