See How Easy it is to Get Hacked
I dared two expert hackers to destroy my life. Here’s what happened.
This is Episode 8 of Real Future, Fusion’s documentary series about technology and society. More episodes available at realfuture.tv.
Several months ago, while I was typing a few e-mails at my dining room table, my laptop spoke to me.
“You…look…bored,” it said in a robotic monotone, out of nowhere.
Startled, I checked my browser tabs and my list of open applications to see if anything had been making noise. Nothing had. I hadn’t been watching any YouTube videos, browsing any pages with autoplay ads, or listening to any podcasts when the voice appeared.
Then I realized: this was the hacker. The same hacker who, for the prior two weeks, had been making my life a nightmare hellscape—breaking into my email accounts, stealing my bank and credit card information, gaining access to my home security camera, spying on my Slack chats with co-workers, and—the coup de grâce—installing a piece of malware on my laptop that hijacked my webcam and used it to take photos of me every two minutes, then uploaded those photos to a server owned by the hacker.
Hence the robot voice. From his computer on the other side of the country, the hacker spied on me through my webcam, saw that I was unenthused, and used my laptop’s text-to-speech function to tell me “you look bored.”
I had to admit, it was a pretty good troll. And I couldn’t even be mad, because I’d asked for it.
Last year, after reporting on the hacks of Sony Pictures, JPMorgan Chase, Ashley Madison, and other major companies, I got curious about what it felt like to be on the victim’s side of a giant data breach, in a time when so much of our lives is contained in these giant, fragile online containers.
So I decided to stage an experiment that, in hindsight, sounds like a terrible idea: I invited two of the world’s most elite hackers (neither of whom I’d ever met) to spend two weeks hacking me as deeply and thoroughly as they could, using all of the tools at their disposal. My only conditions were that the hackers had to promise not to steal money or any other assets from me, reveal any of my private information, or do any harm to me, my data, or anyone else. And then, at the end of the hack, I wanted them to tell me what they found, delete any copies they’d made, and help me fix any security flaws or vulnerabilities I had.
Fortune 500 companies do this kind of thing all the time. It’s called “penetration testing,” or “pentesting,” and it’s a staple of the modern corporate security arsenal. Large corporations and government agencies pay professional white-hat hackers thousands of dollars an hour to try to hack their servers, in the hopes that they’ll find holes and vulnerabilities that can be patched before a malicious hacker gets hold of them.
I’m not a Fortune 500 company, but I still wanted to subject myself to a personal penetration test to see how my security measured up. I’m a pretty privacy-conscious guy, and I’ve taken lots of steps to keep my data safe. I put two-factor authentication on my accounts; I have strong passwords and a password manager; and I use a VPN when I’m on public wifi networks.
If I had to give myself an overall digital security grade, I’d give myself an A-.
But as it turned out, it didn’t matter how good my defenses were. Against a pair of world-class hackers, my feeble protections were about as useful as cardboard shields trying to stop a rocket launcher. For weeks, these hackers owned the hell out of me. They bypassed every defense I’d set up, broke into the most sensitive and private information I have, and turned my digital life inside out. And then, when they’d had enough, I met them at DefCon (the world’s biggest hacker convention, held in Las Vegas every year) and they told me exactly how bad the damage was.
You can see the full, terrifying story of what happened to me in the video above. But here are the broad strokes.