Garret Picchioni, a security analyst at Trustwave and a member of the hacking team, said he "worked more than 200 hours on just the onsite component of the entire project, which took approximately 12 days to complete. I was so tired afterwards; I spent the rest of Labor Day weekend sleeping.
"Other work was also done beforehand such as (digital forensics specialist) Josh (Grunzweig) writing the custom malware and performing research on Adam," he said.
Picchioni didn't provide the total cost of the project, and Penenberg declined to respond to questions from CSO, but James Arlen, senior security consultant with Leviathan Security Group and a hacking expert, estimated that it took "about six person-weeks of effort plus expenses. Call it $50,000 or so. If anything, that's low," he said.
The time frame squares with Penenberg's account. He wrote that his computer froze in his class about two months after he had challenged the SpiderLabs hacking team.
Picchioni did say the team kept its expenses to a minimum. Outside of hotel, food and airfare costs, "we brought nearly every piece of technology equipment we owned with us, eliminating the need to really purchase any additional items," he said.
But he acknowledged that a pen test on a single person is more difficult and expensive than doing one on a company, given that with "dozens to thousands of employees, where each person most likely has his or her own computer, the number of possible attack vectors increases. In this case, we were limited to Adam and his wife."
The task was also complicated by the need to avoid breaking any laws and arousing suspicion among Penenberg's neighbors in Brooklyn Heights, New York. And when trying to compromise Penenberg's home Wi-Fi network, the team was confronted by a virtual haystack of networks: 1,200 of them within a tenth of a mile radius of his brownstone. "We couldn't just start randomly compromising networks and checking to see if they happened to be Adam's," Picchioni said.
Perhaps another lesson of the project, however, is that it was not technology bells and whistles that finally led to success — it was human weakness. The plan included attempts to compromise Penenberg's home Wi-Fi, leaving USB drives loaded with malware in strategic places, trying to overwhelm his wireless router, attempts to lure him to a malicious "blog," visiting his office at NYU to try to identify his devices via the MAC (media access control) address in order to determine which wireless network he connected to at home, and trying to compromise Penenberg's wife's business — a Pilates studio. They even sent a fake student to one of the Pilates classes.
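The MAC-address step described above is a correlation problem: a client's hardware address observed near the target's office is matched against the client-to-access-point associations captured in the dense residential area, so that the 1,200 candidate networks collapse to the one the target's own device joins. The script below is an added illustration of that correlation and is not the SpiderLabs team's tooling; the frame records, MAC addresses and SSIDs are constructed sample data, and a real run would take them from a monitor-mode capture. It also shows the check a practitioner would want today: addresses with the locally-administered bit set are likely randomized and are skipped, since they cannot be correlated across locations.

```python
"""Correlate a client MAC seen at one location with AP associations seen at another.

Added example with constructed data (not real captures, not the team's tooling).
Each observation is (client_mac, bssid, ssid) as parsed from an 802.11 data or
association frame in which the client is the transmitter.
"""
from collections import defaultdict

# Constructed: devices associated to the office access point.
OFFICE_OBSERVATIONS = [
    ("A8:BB:CC:11:22:33", "00:11:22:33:44:01", "office-wifi"),   # target's laptop (constructed)
    ("A8:BB:CC:11:22:34", "00:11:22:33:44:01", "office-wifi"),   # another staff device
    ("D8:AD:BE:EF:00:01", "00:11:22:33:44:01", "office-wifi"),
    ("02:00:00:AA:BB:CC", "00:11:22:33:44:01", "office-wifi"),   # locally administered (randomized)
]

# Constructed: associations captured in the residential area, many neighbouring APs.
HOME_AREA_OBSERVATIONS = [
    ("a8:bb:cc:11:22:33", "f0:9f:c2:00:00:10", "brownstone-5g"),
    ("a8:bb:cc:11:22:33", "f0:9f:c2:00:00:10", "brownstone-5g"),
    ("11:22:33:44:55:66", "f0:9f:c2:00:00:11", "neighbor-1"),
    ("74:88:99:aa:bb:cc", "f0:9f:c2:00:00:12", "neighbor-2"),
    ("02:00:00:aa:bb:cc", "f0:9f:c2:00:00:13", "neighbor-3"),   # same randomized-looking MAC: not evidence
]


def normalize_mac(mac: str) -> str:
    """Canonical form: lower-case, colon-separated."""
    return mac.strip().lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized Wi-Fi MACs are locally administered, so they are unreliable for
    correlating a device across two locations and are excluded from matching.
    """
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def clients_seen(observations) -> set:
    """Globally-unique client MACs present in a set of observations."""
    return {
        normalize_mac(client)
        for client, _bssid, _ssid in observations
        if not is_locally_administered(client)
    }


def candidate_networks(office_obs, home_obs) -> dict:
    """Map bssid -> {ssid, clients, frames} for home-area APs that a client
    also seen at the office associated with. Sorted by frame count, most first."""
    office_clients = clients_seen(office_obs)
    matches = defaultdict(lambda: {"ssid": None, "clients": set(), "frames": 0})
    for client, bssid, ssid in home_obs:
        client = normalize_mac(client)
        if client not in office_clients:      # also drops locally-administered MACs
            continue
        entry = matches[normalize_mac(bssid)]
        entry["ssid"] = ssid
        entry["clients"].add(client)
        entry["frames"] += 1
    return dict(sorted(matches.items(), key=lambda kv: -kv[1]["frames"]))


if __name__ == "__main__":
    for bssid, info in candidate_networks(OFFICE_OBSERVATIONS, HOME_AREA_OBSERVATIONS).items():
        print(f"{bssid}  ssid={info['ssid']!r}  clients={sorted(info['clients'])}  frames={info['frames']}")
```

Against the constructed data the 1,200-network haystack reduces to a single candidate BSSID, matched by the one hardware address that appeared at both sites; the randomized-looking `02:00:00:aa:bb:cc` address that also appears at both sites is deliberately ignored, because on current devices a locally-administered address is not evidence that the same device is present.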