The trouble with
daring a hacker


It has become something of a journalistic fad for reporters to invite hackers to, well, hack them. Without exception, they emerge shaken by two observations: Just how vulnerable they are; and just how much sensitive data they’d forgotten about that awaited discovery.

TIME reporter Joel Stein is one of the latest to give it a whirl. He writes about his experience in his column dated March 23. Unsuccessful at recruiting real hackers—those he contacted may have feared embarrassing him or worried about entrapment—he finally cornered a pair of young staffers at the magazine with no hacking abilities, gave them his passwords, and told them to have at it.

“The advice hackers give when looking for dirt in a pile of data,” Stein says, “is to …

… search for words such as pissed or angry. They suggest figuring out to whom the most emails are sent, since that signals a trusted relationship. And to use Facebook to suss out relationships—ex-girlfriends, college acquaintances—to spot dubious interactions. Deleted photos are telling, as are erased emails. And they say to always, always look in the draft folder, which houses the truly horrible stuff people are too smart to send … Using this advice, my two hackers delivered an 18,000-word document of humiliations three weeks later.”

Three years earlier, Telegraph reporter Sophie Curtis wondered,

… is the threat of being hacked something that you or I really need to worry about? And if someone did hack into your computer, what would they be able to do with the information they found?

Over the summer I decided to put these questions to the test. I got in touch with an ‘ethical hacker’ called John Yeo, who works for cyber security firm Trustwave, and asked him to try and hack me.

Curtis had written a good deal about cyber security, so, she wrote, “most of my profiles are fairly locked-down.” But, not so fast. Her hired hackers found indirect ways of learning more about her. Next, they faked an email appearing to come for LinkedIn, a source she trusted. The mere act of opening the email—without clicking links—embedded a single pixel that let her hackers “fingerprint” her computer, that is, identify …

… which operating system the computer is running, as well as which browser I was using, which browser add-ons I had, and which security software might be running on the computer.

That’s where Curtis’s tale turns scary. I recommend reading her article by clicking here. You might also check out this piece by Kevin Roose, who “dared two expert computer hackers to ruin my life.” Roose reported,  “If I had to give myself an overall digital security grade, I’d give myself an A-.” But then he found out that 

… it didn’t matter how good my defenses were. Against a pair of world-class hackers, my feeble protections were about as useful as cardboard shields trying to stop a rocket launcher. For weeks, these hackers owned the hell out of me. They bypassed every defense I’d set up, broke into the most sensitive and private information I have, and turned my digital life inside out.

“Please hack the Pentagon”

According to the Infosec Institute, in the 1960s the word hacker originally meant

… someone dedicated to solving technical problems in machines in a different, more creative fashion than what is set out in a manual … “hacking” just intended to find out a quick way to evaluate and improve problematic systems that need to be optimized.

Yet the potential threat wasn’t hard to anticipate. The Unites States government routinely hired hackers to test online security as early as the 1960s and 70s. Despite such precautions, it caused no small stir when in 1990 three men not retained by the government were indicted for hacking into classified U.S. military data. Meanwhile, the 1983 movie War Games, with Matthew Broderick and Ally Sheedy, had already fanned the public’s fears.

War Games was highly fictionalized, but the threat of hacking is real and continues to grow. This is from Symantec’s 2016 Internet Security Threat Report:

In 2015, we saw a record-setting total of nine mega-breaches, and the reported number of exposed identities jumped to 429 million. But this number hides a bigger story. In 2015, more companies chose not to reveal the full extent of their data breaches. A conservative estimate of unreported breaches pushes the number of records lost to more than half a billion.

The threat of nefarious hacking has increased the demand for “ethical” hacking. Last year, a call went out from no less than the Pentagon seeking hackers to try to penetrate their defenses. Of course, applicants had to pass a background check. Even that’s a little unsettling, since more experienced, not-so-ethical hackers usually don’t bother submitting to background checks before setting to work. In any case, according to USA Today, the program …

… launched in April and the Pentagon said it would [offer] prize money awards and other recognition … The Pentagon has acknowledged that its networks are under daily assault by hackers and securing the systems are [sic] a high priority. Last year, an email system used by the Joint Chiefs of Staff was penetrated by hackers and had to be taken offline in order to cleanse the system.

Somewhere in all of this are important takeaways:

  • Vigilance is a must. Even with good security in place, you must never assume you’re invulnerable.
  • Most of us have no clue as to the sophistication of determined hackers.
  • Just opening an email can be dangerous, even without clicking on links.

It creates something of a juggling act for an industry like banking, whose markets demand digital services. The trick is to keep clients forewarned and forearmed while avoiding frightening them so much as to lose their confidence. Perhaps paradoxically, the proper presentation of information on staying safe from hackers can increase client confidence by dont-post-it croppedconveying that a financial institution is knowledgeable and cares about its customers.

In the meantime, a bit of good advice for us all is summed up in a cartoon, which, out of respect for copyright laws, I shall not post. But I can link to it.

Comments are closed.