BreachExchange mailing list archives

What hackers can discover about you is 'chilling'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 3 Nov 2013 23:05:21 -0700

http://www.smh.com.au/digital-life/consumer-security/what-hackers-can-discover-about-you-is-chilling-20131028-2wbec.html

A journalist who challenged a team of hackers to find out as much
information about him as possible has described their findings as
"chilling" after they were able to access all of his bank accounts and
crack all of his passwords.

Adam Penenberg, a US investigative journalist and editor of technology
website PandoDaily, questioned whether anyone was protected from prying
online eyes following his experiment with an "ethical hacking team" this
year.

Fourteen years ago, Penenberg wrote an article for Forbes magazine in which
he paid a private investigator to delve into his personal life.

Within a week, the private investigator was able to uncover astonishing
details, including Penenberg's date of birth, social security number,
mother's maiden name, home address, bank details and stock holdings.

In the new digital era, and in the wake of the snooping scandal surrounding
fugitive NSA contractor Edward Snowden, Penenberg decided to repeat the
experiment using a team of hackers from SpiderLabs, the advanced research
and ethical hacking team at Trustwave.

The hacking team was given only Penenberg's name, and was asked to perform
a personal "penetration test" on him.

The only rules were that they could not break the law and could not
involve Penenberg's children in the investigation.

And their results far surpassed those of the private investigator.

"What I learned is that virtually all of us are vulnerable to electronic
eavesdropping and are easy hack targets," Penenberg wrote on PandoDaily
last week following the experiment.

"Most of us have adopted the credo 'security by obscurity', but all it
takes is a person or persons with enough patience and know-how to pierce
anyone's privacy – and, if they choose, to wreak havoc on your finances and
destroy your reputation."

On August 20, SpiderLabs' three-member team flew to New York and staked out
Penenberg's home.

They also sent an email containing a malware link to Penenberg's wife
Charlotte, who owned a pilates studio nearby.

When Charlotte clicked on the link, the hacking team had complete access to
her laptop whenever she was on the internet.

On the laptop were the family's social security numbers, income details,
copies of credit card and banking statements, as well as the password for
the family's home router.

"More frightening, they discovered her password and login to our Chase
online banking account," wrote Penenberg.

"They could, if they wanted to, have wiped us out financially."

On the computer, they also discovered passwords for several online
accounts, including Penenberg's Amazon account.

While that might seem a minor security issue, the password Penenberg used
formed the basis for all of his online passwords.

"Because I can't possibly remember every single one to every site I use, not
only do I reuse passwords, I also have come up with an informal formula to
create them," Penenberg wrote.

One of SpiderLabs' team members was an expert in computer forensics, and
soon cracked all of Penenberg's passwords.

The hacking team broke into his Twitter and Facebook accounts, leaving
cryptic messages, and also ordered 100 plastic spiders from Amazon to let
Penenberg know they had infiltrated his account.

They also cracked his iCloud password and activated the Find My iPhone
app, before putting both his iPhone and his laptop into "stolen mode".

The first Penenberg learned that his devices had been breached was when,
while teaching a class at New York University, his laptop and phone both
shut down.

"As for me, since we concluded this exercise I've changed my passwords and
logins but I don't delude myself into thinking I'm protected from prying
eyes — the government's or anyone else's, if they belong to someone with
the right combination of skills, resources and determination," Penenberg
wrote in his article.

"And if I'm not safe, are you?"

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
