Hackers meet professor's challenge to pen test his online world

Taylor Armerding | Dec. 5, 2013
An NYU professor challenged a team of hackers to break into his online world. They did, but it was not easy or cheap

Ultimately, however, success came from the con art of the phish. The team sent an email using the name of an actual Pilates instructor to Penenberg's wife, with a "video clip" containing malware that gave the team full access to her laptop whenever it was on the Internet. And through that, they got to Penenberg's laptop and phone.

The technical term for getting access to the target through another person, Picchioni said, is "pivoting," or "using a small fish to catch a big fish."

But he added that the time and expense of this project should not make "average" users think they are not at much risk. The "double-edged sword" element for average users is that while it might be far too complex and expensive to attack them individually, it likely would be well worth it to hack a large company from which they make online purchases.

"What if an attacker compromises a company that has your credit card number on file or other sensitive information that could make identity theft extremely easy?" Picchioni said. "While no system or company is ever going to be 100 percent hack proof, for companies you're giving your business to, it's important to be aware of their security practices."

And Deena Coffman, CEO of IDT911 Consulting, said it is not expensive for malicious hackers to cast a wide net for careless victims. "Efficient markets exist where intruders can purchase malware kits and widely distribute them via email, social networking sites — Facebook, Instagram and Pinterest are the favorites currently — or hijack an unprotected website and plant malware on that site so that anyone who browses to it will pick up the malware without even knowing," she said.

Arlen agreed, saying that while it involves modern technology, it is based on the same "human-scale problems that make it possible for con artists to do what they've been doing for 10,000 years."

Given that reality, how can people protect their confidential information without withdrawing entirely from the Internet? For starters, where should they keep all the complex, impossible-to-remember passwords they need for dozens of sites or accounts?

Arlen offers the advice Bruce Schneier, CTO at BT and security guru, offered eight years ago in a blog post: Write them down and keep them in your wallet. "The modern variant on this is of course the use of tools like KeePass, LastPass, 1Password, etc.," he said. "These tools make it very easy to have a completely unique, and complex, password for each authentication requirement you might have."

Most experts recommend encryption, but Picchioni also suggests creating a passphrase rather than a single word. Not only is a passphrase easier to remember, it is also harder to crack. A simple password, he said, offers almost no protection at all. "Using Hello1234 as your home Wi-Fi password is comparable to locking the front door but still leaving the key in the lock outside," he said.
