Cybersecurity Insight

PenTesting: You WANT to Get Hacked? (1 of 2)

7 Jun

PenTesting, or penetration testing, has become a standard part of serious cyber security programs. Ironically, it involves a company’s network being deliberately attacked by “hackers” – in reality a hired cyber security firm working within an agreed scope – in order to find exploitable weaknesses before a real attacker does. Kevin Roose, a writer at Fusion, hired two cyber security experts and gave them permission to attack him, his accounts and his devices in any way they could. Prior to the experiment, Roose gave himself an A- in personal cyber security protection; by the end of the experiment, not so much.

First to the plate is social engineering specialist Chris Hadnagy. Over the course of two weeks, Hadnagy and his team at Social-Engineer were able to:

  • Ascertain the writer’s home address by enlarging a photo of his dog’s identification tag posted on Twitter
  • Send a phishing email posing as Internet shopping giant Alibaba, referencing his recent hoverboard scooter purchase to make it convincing
  • Conduct a vishing (voice phishing) call to his cell provider and talk the support agent into changing his password and account information

Roose concluded after the attacks had ended that Hadnagy, “could have caused all manner of havoc with the information he had. He could have gotten my electricity shut off, or gained access to my bank account and bled me dry.” While pentesting is an unsettling process to go through, ultimately this first test gave Roose a taste of what could happen without actually having to deal with major repercussions.

Next is security researcher and Phobos Group founder Dan Tentler. Tentler, unlike Hadnagy, takes a more technical approach and compromises a target by getting malicious code running on its machines. Once a phishing scheme (explained in the next installment) tricked Roose into running his payload, Tentler had a remote “shell” on Roose’s computer, giving him full remote control and the ability to:

  • Obtain the computer’s admin password via fake OS X system pop-up prompts asking him to re-enter it
  • Install a keylogger to capture all of his other account passwords as he typed them
  • Run a program on the computer that captured images through the webcam and took screenshots of the screen

When Roose and Tentler met in person, the cyber security expert stated, “I could have left you homeless and penniless,” having had unfettered access to Roose’s computer and accounts. Both these attacks were more than enough to prompt Roose to immediately reach out to those who could secure his devices and vital information from future hackers and cyber attacks. What did he learn? How do you successfully secure and monitor your personal network? Find out more in the next post.