
We asked a hacker to steal data from a CNN tech reporter. The following happened



I'm the guy who posted Instagram photos (filtered of course) from my vacation. I'm also the kind of person who tweets about buying overly expensive furniture because I fell for an elegant online ad that would change my life.

I thought my social media posts just betrayed my desperate need for attention and likes. However, it turns out that they are also a goldmine for hackers.

Using two of my posts – an Instagram check-in at a hotel on the West Coast of the USA and a tweet about a piece of furniture – a hacker was able to quickly find out my home address and my mobile number.

How? Both the hotel and the furniture company passed my personal information by phone to the hacker.

Signing up online on our social media and email accounts can be an ordeal. We are often asked for a password, a second code that is sent to our phone, or sometimes for answers to anxiety-causing personal questions such as the name of our first girlfriend (who was definitely not conceited at all, thank you very much).
But there are still fundamental and important security holes in our daily lives. Data breaches and hacks get our full attention, but a hacker with a good phone personality and a few basic tools can trick big business account managers into sharing a shocking amount of private information and more.

Hackers did this to me recently. And I'm here to tell you, it's worryingly easy for them – even with someone like me who's into technology. This is a lesson for all of us: think carefully about what you share on social media and how that information can be used against you, and the next time you talk to your airline, hotel or bank to access your account, think about the questions they ask you. If you're just asked for your birthday and e-mail address to confirm that you are who you claim to be, ask if they can give your account extra security by sending you a verification code. Unfortunately, many companies do not have such an option, but it's worth asking.

Here is what happened to me: this August in Las Vegas, at DEF CON, one of the largest hacking conferences in the world, I met Rachel Tobac.
Tobac is a celebrity among DEF CON audiences. For three consecutive years, she has been one of the winners of a competition in which hackers attack a company live in front of hundreds of viewers in Vegas – all over the phone.
  Rachel Tobac is a White Hat hacker specializing in social engineering

Tobac and her competitors in the competition call large companies, often claiming to work in the company's IT department. Tobac is not a coder, but she's been improvising since she was ten years old. Using those skills – and using other types of deception, such as an app that changes her voice to sound like a man – she persuades the person on the other end of the line to share private information.

This kind of hacking is called social engineering.

But Tobac is one of the good hackers – the kind known as a "white hat". (The bad ones are called "black hats.")

She works with companies to run so-called penetration tests to find out where and how vulnerable they are to social engineering hackers.

I asked Tobac to hack me.

Without my password and without hacking into my email account, she was able to retrieve my home address and phone number and steal my hard-earned hotel points. In perhaps the most cruel act of all, she was even able to change my seat on my five-hour flight from Vegas and move me from a spacious exit-row seat to a middle seat at the back near the lavatories.


She did all this by using some of the information she found online about me, such as which airlines I fly with and which hotels I stay in – because I tweet about them.

Then, using this information, she called some of my favorite companies, using software to make it look like she was calling from my phone and a voice changer so she could sound like a man when she needed to. That sounds complicated, but it's disturbingly easy.

To get my home address, she called a furniture company I had tweeted about. Tobac claimed she was my wife and wanted to check that the company had my correct home address on file before placing another order. She purposely gave the wrong address, and the person at the other end corrected it with my full private address.

So easy.

She was also quite easily able to convince a hotel that I had checked into on Instagram to give out my phone number.

Tobac is not trying to embarrass these companies: she wants them to use the same kinds of authentication processes on the phone that they use online. She says that some of the biggest airlines and hotel chains leave a massive vulnerability open – and fail their customers – by not doing so.

Instead of a telephone customer service representative asking for my date of birth to verify my identity (information that Tobac or another hacker might easily have), Tobac suggests companies send a code to the phone number or email address they have on file for the customer and have the customer read the code back over the phone.

But that's easier said than done. Airlines often receive calls from customers in distress. Asking somebody to take a few extra seconds to dig out an email with a code in it may deter customers from flying with the airline in the future; we want everything to be easy.

Tobac hopes to convince businesses and consumers that it is worth making things a little harder.
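The read-back check Tobac suggests, sketched as an added example (not from the original article or any company's system). The `CallerVerifier` class, the `send` delivery callback, the six-digit code, the five-minute lifetime and the three-attempt limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 3         # assumed number of read-back tries per code


class CallerVerifier:
    """Hypothetical helper for a phone agent's console (illustrative names)."""

    def __init__(self, contacts_on_file, send, clock=time.time):
        self._contacts = contacts_on_file  # account id -> phone/email on file
        self._send = send                  # assumed SMS/email delivery callback
        self._clock = clock
        self._pending = {}                 # account id -> [code, expiry, tries left]

    def start(self, account_id):
        # The destination comes only from the stored record, never from
        # anything the caller says, so a spoofed caller ID gains nothing.
        destination = self._contacts[account_id]
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self._clock() + CODE_TTL_SECONDS
        self._pending[account_id] = [code, expiry, MAX_ATTEMPTS]
        self._send(destination, code)      # delivered out of band

    def check(self, account_id, spoken_code):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        code, expiry, tries_left = entry
        if self._clock() > expiry or tries_left <= 0:
            del self._pending[account_id]  # expired or guessed out
            return False
        entry[2] -= 1
        # Constant-time comparison of what the caller read back.
        if hmac.compare_digest(code.encode(), spoken_code.strip().encode()):
            del self._pending[account_id]  # single use
            return True
        return False
```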

In the meantime, I've stopped tweeting about everything I buy. I still check into hotels. I have to get those likes.

