What does a personal Pen Test reveal?
A pic of a dog. A YouTube video of a crying baby. And access to all your information.
Fusion’s Kevin Roose thought he was pretty careful with the way he handled his private information. He decided to put himself to the test. He enlisted two hackers to conduct a pen test — on his life.
The hackers had no problem getting through.
While the two methods used won’t be too surprising to security folks, it turns out to be an incredibly accessible way to explain the way companies can get hacked to the non-security folks in your organization.
He told his story to NPR, and it’s worth a listen.
“Social engineering”
The first hacker used no technical skills whatsoever and instead relied on sympathy.
Kevin had posted a picture of his dog on twitter. They zoomed in and found his home address on the dog tag. Now that the hacker knew his name and address, she called around to all his service providers to get as much information as they could about him. When she felt like she had enough information to go for broke, she called his cell phone company with a YouTube video of a baby crying in the background.
She played on the sympathy of the customer service rep and was able to gain full access to his phone account and all the personal data on the site.
Traditional hacking
A white hat hacker, usually hacking companies with their permission to test their vulnerabilities, deployed a pretty traditional phishing e-mail.
Kevin is a pretty tech-savvy guy, so it shows that truly anyone can be caught off guard. A certificate was installed on his machine, and he created system popups to gain more information from him.
He gained access to all his passwords, from his banks to stock trading to e-mails.
He even set up a program that would take pictures from his webcam every two minutes. And took control of his Nest security camera in his home.
Not just individuals
While it may not be likely someone would go to the trouble of hacking a person, companies face these threats regularly.
Even small businesses can find themselves vulnerable, especially if they work directly or indirectly with larger enterprises. And, likewise, larger enterprises may open themselves up to vulnerabilities with each vendor or piece of software they allow direct or indirect access to sensitive data.
As more data moves to the Cloud, Shadow IT becomes more prevalent and employees work from computers at home and access company data on cell phones and tablets, it’s much more complicated to contain data.
Many companies will begin adopting tools such as Cloud Access Security Brokers. And it gives hackers more access points.
If you need help
ASMGi has been simplifying vendor risk assessments for many companies, taking the burden off the busy security departments or filling the gaps for companies that don’t have dedicated security teams. We’re here to help.