I Let Myself Be Hacked, Look What They Found!

Let me tell you this: it’s quite a disconcerting feeling to sign a form agreeing to let a hacker break into all your personal data. Even when it’s an ethical one.

I’d agreed to be hacked and to let cyber security expert Ollie Whitehouse do his worst, and access as much of my information online as possible. But waiting to see what he and his team had uncovered when they hacked me I found myself feeling surprisingly vulnerable: what on earth was I thinking opening up so much of my life to these strangers?

“We’re putting our entire lives on the internet, and that’s only going to accelerate. If our only defense against cybercrime is trying to keep everyone’s information hidden from the internet, we’re going to fail,” Whitehouse said. He’s the technical director of NCC Group, a firm that provides ethical security testing.

With 1.2 million customers affected, the TalkTalk hack uncovered a week ago is just the latest in the row of some very high-profile cases including Carphone Warehouse and Ashley Madison. But hacking is ramping up as an issue far beyond the big headlines.

Cybercrime cost global business over £200bn last year. One in six companies have been hacked in the past year alone, and the financial and legal sectors are especially targeted.

I went into my meeting with Whitehouse with a terrible sense of foreboding. After I’d signed the consent form, the ethical hacking team had one week to do their research on me – and I feared the worst. A couple of days ago I got an email purporting to be from a university friend sharing a Google Doc with me.

Having written quite a few articles about cyber security, I like to think I’m normally quite cautious about these things. But the email was very carefully crafted. Not only did it look exactly like shared Google Docs usually do, the lines from my “friend” were very detailed, about a blog we used to run together about women in technology.

I’d like to say I got the feeling something wasn’t right, but to be brutally honest, it was only after clicking on it and being asked to submit my Gmail password that I realized the link wasn’t quite right.

And sure enough: when I sat down with Ollie Whitehouse he told me I’d been the “victim” of spear phishing, or targeted phishing (albeit luckily only by NCC’s benign team of ethical hackers).

Unless you were of a very paranoid nature, it’s likely that you’d fall for this. So you’d only have to target four people in an organization to gain access to it.

It doesn’t take as much technical mumbo-jumbo as you might think, either.

The team researched me using only information publicly available on the internet. They learned about my interests by seeing what I post on Twitter. Getting my email address was no harder than simply asking Facebook for it – if you ask to reset the password of any account, the social network will give you a redacted version of that user’s email address, from which, shall we say, it is not exactly rocket science to guess the rest.

Some of the things the ethical hackers learned about me:

  • That I’m left-handed
  • What mobile operator I use and whether I’m an Android or iPhone user
  • Where I live
  • That I speak Swedish and French
  • Whether I prefer Mac or PC
  • That I use Spotify and that Chrome is my preferred browser

The team record information I’ve happily shared in tweets, not realizing its usefulness to potential attackers: a screenshot shows what programs I have pinned on my computer task bar, metadata reveals what mobile operator I use and a photo shows I have a Mac.

They know everything about me, and it hasn’t taken any particularly advanced hacking to find this out: I’m left-handed, I listen to music on Spotify and – crucially, in this case, that I’m a Google Docs user likely to trust emails coming from this particular friend.

“People think it’s all voodoo and magic, but it’s not that technically complicated. It’s more about hackers getting to know you,” said Whitehouse.

Spear phishing is becoming more common. A recent report from non-profit organization Get Safe Online found that one in five hacking victims believed they were specifically targeted.

Usually, of course, the target is a company rather than an individual reporter. But the principle remains the same: exploiting human weaknesses to gain access to private or company data.

Companies are increasingly turning to ethical hackers to do essentially the same as what I’ve just put myself through with NCC: hacking their own systems to uncover weaknesses – before someone else with more nefarious purposes does.

IBM found in its 2014 Cyber Security Intelligence Index that 95 per cent of incidents come from human error. Despite knowing the risks, it’s certainly true that many of us are surprisingly cavalier about online safety, using the same passwords across several sites and insisting on using unbreakable passwords like “123456” or “password”.

But Whitehouse argued our systems are the ones to blame, not the humans using them:

Did you make a mistake at all, or did technology let you down? Arguably, we’re designing systems that aren’t setting us up for success.

Original article by City A.M. can be found here.