Not many people would invite a stranger to look through all of their personal and private information. Yet, that’s exactly what one investigative reporter did in order to answer a burning question: what could hackers learn about him, and how much access could they gain, if they really wanted to? In this experiment, Adam Penenberg of PandoDaily.com used his own life as a testing ground for hackers. The results were alarming.
The inspiration for Penenberg’s personal experiment came from a story he wrote 14 years ago. During the nineties, Penenberg hired a private investigator (PI) to find out as much as he could about him, simply from his journalistic byline. Within a week, the PI sent back a report that included Penenberg’s full name, date of birth, Social Security number, home address, credit reports, bank accounts, utility bills, and more. Remembering how easily his information was obtained previously, Penenberg set out to see how a similar experiment would unfold in today’s digital landscape.
Penenberg asked SpiderLabs, an “advanced research and ethical hacking team” at Trustwave, to perform a personal “pentest” (penetration test) on him. SpiderLabs usually conducts pentests for large corporations, but SpiderLabs Senior VP, Dan Peroco, was intrigued by the prospect of investigating an individual identity. And so the team began chipping away at Penenberg’s digital life.
For two months, Penenberg heard nothing other than, “Peroco’s team was hard at work.” Then one day, while teaching a graduate journalism course at New York University, Penenberg’s computer and iPhone went completely out of his control. He had been hacked. But just how hacked was he?
The SpiderLabs team was able to gain access to personal documents such as W-2s, as well as passwords and logins for all sorts of accounts, including Penenberg’s bank, Twitter, Amazon, and Apple iCloud accounts. Finally, using all the combined information, the team broke into Penenberg’s digital devices, locking him out of his own phone and computer.
How did they get in?
Using a number of old- and new-school tactics, both digital and hands-on, the SpiderLabs team hacked Penenberg. While they applied a variety of methods, it was ultimately through malicious emails that the team hacked their way into Penenberg’s life. At first, they sent an email from a fake high school student who was interested in studying journalism at NYU (where Penenberg teaches), with attached “writing samples” that would release malware onto Penenberg’s laptop. Penenberg filed the email away because he wasn’t teaching at the moment and didn’t recognize the file type (.jar). The team then turned to Penenberg’s wife, sending her an email from a fake yoga teacher looking for a job in New York, with an attached “video sample.” Penenberg’s wife didn’t respond at first, but after the team sent a second attempt, she opened the email and downloaded a file that gave the SpiderLabs team full access to her laptop.
What does this mean for consumers?
An attack on your sensitive data can come from anywhere. From paper bills tossed in the trash, to personal details shared on social media sites—no matter how protected or private you think your data may be, there are ways to get in. With the right amount of money and resources, hackers can gain access to our personal devices, homes, and entire digital lives when focused on a specific target. No matter how cautious you think you’re being on the Internet, your digital self will leave a trail. It’s become increasingly important to protect ourselves from our digital selves.
Protect your digital self
How do you protect yourself and your valuable information from digital intrusions, cyber snoopers and other unforeseen attacks on your data? Penenberg’s story can teach us a few lessons about basic steps we should take that will make it harder for hackers to break in:
- Limit what you share both online and offline. The SpiderLabs team was able to obtain a great deal of data from Penenberg’s online articles that proved crucial to the execution of their attacks, such as the types of devices he used and information about his wife’s yoga classes. Even the most innocuous detail shared online could be used against you in an attack. In addition to watching what personal clues you may leave behind on the web, be cautious when tossing out documents at home and work. Copies of your tax returns, applications for employment, and pre-approved credit card applications that come in the mail should all be shredded prior to being tossed in the trash.
- Use multiple passwords and manage them correctly. Penenberg had an old file on his wife’s computer that listed some of his account passwords. He also made the common mistake of using similar or identical passwords across accounts, which gave SpiderLabs access to multiple accounts with just one set of user information. The best way to protect your passwords is with unique password generation and a comprehensive password manager, both of which are available as part of the McAfee LiveSafe™ service.
- Be wary of emails and attachments from unrecognized senders. Both Penenberg and his wife were wise to be initially suspicious of the emails the SpiderLabs team sent, but eventually something got through. It’s important to remember that even if an email seems to be genuine, if you don’t recognize the sender it’s best to either ignore the correspondence or do a little digging of your own. Be especially cautious on mobile devices, where less screen real estate is devoted to displaying a sender’s email address and where we’re often moving so quickly that we don’t think twice before opening messages.
- Conduct regular checks of files saved on your devices. Penenberg had a combination of file types stored on his wife’s laptop, including some that he had forgotten about. Many were crucial to SpiderLabs’ attack on his identity.
- Be sure that all of your family’s devices are protected. McAfee LiveSafe protects your smartphones, tablets, PCs and Macs. It also offers secure cloud storage, which will prevent your sensitive documents from falling into the wrong hands.
We should always consider what we might be exposing by sharing personal details online.