Never underestimate any person, they say. Ever wondered to what extent this statement is true? Popular YouTube content uploader Kevin Roose, learned this the hard way when he challenged a couple of hackers to try and gain access to his life, as a test of their abilities as ethical hackers.
Within a week, a hacker had gained access to his email account without the use of any code scripts or any programming language. She later also gained more sensitive information about him. Another hacker, Dan Tentler, gained access to almost Roose’s entire identity by sending him just an email. He had access to all of Roose’s information at his disposal.
So how did this happen and so soon? The approach used by the first hacker, who was female, was one which relies on the social skills and personality, and up to which extent these individuals are willing to use these skills to manipulate other people related to their target to get bits of sensitive information.
This hacker, by impersonating as Roose’s girlfriend, had been able to get sensitive information from situations in which the person on the other side of the phone had critical information about the target. And the entire mission, with the help of polished social skills and psychological manipulation, took her less than 10 minutes. It is almost unfathomable to see such a gaping hole in our security of the place, which holds almost all data about the entirety of our existence.
Then there was Tentler, who is an ethical hacker, and security expert working with the Phobos Group. Tentler, along with social engineering tactics, used a popular technique, used as ‘spear-phishing’. Roose received an official looking email from one company of one the services he used.
This can be an email from any service, your telecom provider, your cable company, a website whose subscription list you entered your email address in, or even your bank. Like most of the unsuspecting victims, he clicked on the malicious link which was embedded cleverly in the email, which led him to a site installing a security certificate on his browser. And just like that, Tentler had control of all his information, as he got all the passwords from the extension saving them in one place (in this case 1Password).
Now Tentler could actually become Roose and gain control of his life, and destroy it. These emails are very cleverly designed, and are near perfect plagiarisms of the official emails, with very few details varying in the fine print. It is due to this fact that almost 91% of cyber attacks are committed this way. This incident shook Roose, and this was found later in his journals:
“If he had been a malicious attacker, Tentler said, he could have done unspeakable damage: draining my bank account, ruining my credit score, deleting years’ worth of photos, videos, and important data from my hard drive, using secrets from my email inbox and my work Slack to ruin my reputation. Anything, really.”
But since both the hackers had no malicious intent, his Data was safe. The lesson that can be learnt in cases such as these is understanding how exposed our information is, and how very careful should we be about it. The entire ordeal was published on YouTube by Fusion channel.