Real-life test shows with enough time, money, anyone can be hacked


People get hacked when they get lazy and fail to practice good security measures, goes the conventional thinking. While this may be true to a large extent, preparation failed to protect a professor from having his digital realm thoroughly compromised by ethical hackers to whom he issued a challenge.

The protagonist in this instance is New York University (NYU) professor and PandoDaily editor Adam Penenberg, and the penetration attempt was made by the ethical hacking team from Trustwave's SpiderLabs. As reported by CSO, the team tried multiple ways of attacking Penenberg, including trying to overwhelm his home wireless router, trying to lure him to a malware-laden blog, and visiting his office at NYU to identify the MAC addresses of his devices.

The breakthrough apparently came through Penenberg's wife. According to the report, "The team sent an email using the name of an actual Pilates instructor to Penenberg's wife, with a 'video clip' containing malware that gave the team full access to her laptop whenever it was on the Internet." Once in, they were able to gain access to Penenberg's laptop and phone, likely by exploiting their ability to access his home network.

Ultimately, the team was able to remotely lock up Penenberg's computer while he was using it, get his iPhone to beep audibly even though it was set to vibrate, and set both his iPhone and laptop into stolen mode. Copies of credit card and bank statements, online bills and various social media accounts were also successfully compromised.

Of course, the team acknowledged that it would have been far easier and cheaper to attack a company with "dozens to thousands of employees" as potential targets. In this scenario, the time and level of difficulty were greatly increased as only Penenberg and his wife could be targeted. Indeed, a hacking expert cited by the report gave a cost estimate of at least $50,000.

With a successful compromise being so costly, individual users may be tempted to think that hackers would just pass on them. Trustwave security analyst Garret Picchioni turns that thinking on its head, though, by pointing out that while it may not be worthwhile to attack individuals, it all depends on the value of the final target. Put simply, an employee working for a major online store may well be deemed worth this level of effort for a chance to steal credit card numbers, for example.

So there you have it: With enough time and money, anyone can be hacked. So is security an unwinnable contest? - Paul Mah  (Twitter @paulmah)