I let myself be hacked by an ethical hacker and this is what I learned about cybersecurity
Let me tell you this: it’s quite a disconcerting feeling to sign a form agreeing to let a hacker break into all your personal data. Even when it’s an ethical one.
I’d agreed to let cybersecurity expert Ollie Whitehouse do his worst, and access as much of my information online as possible. But waiting to see what he and his team had uncovered I found myself feeling surprisingly vulnerable: what on earth was I thinking opening up so much of my life to these strangers?
“We’re putting our entire lives on the internet, and that’s only going to accelerate. If our only defence against cybercrime is trying to keep everyone’s information hidden from the internet, we’re going to fail,” Whitehouse said. He’s the technical director of NCC Group, a firm that provides ethical security testing.
With 1.2 million customers affected, the TalkTalk hack uncovered a week ago is just the latest in a row of very high-profile cases, including Carphone Warehouse and Ashley Madison. But hacking is becoming an issue far beyond the big headlines.
Cybercrime cost global business over £200bn last year. One in six companies has been the victim of hacking in the past year alone, and the financial and legal sectors are especially targeted.
I went into my meeting with Whitehouse with a terrible sense of foreboding. After I’d signed the consent form, the ethical hacking team had one week to do their research on me – and I feared the worst. A couple of days ago I got an email purporting to be from a university friend sharing a Google Doc with me.
Having written quite a few articles about cybersecurity, I like to think I’m normally quite cautious about these things. But the email was very carefully crafted. Not only did it look exactly like shared Google Docs usually do, the lines from my “friend” were very detailed, about a blog we used to run together about women in technology.
I’d like to say I got the feeling something wasn’t right, but to be brutally honest, it was only after clicking on it and being asked to submit my Gmail password that I realised the link wasn’t quite right.
And sure enough: when I sat down with Ollie Whitehouse he told me I’d been the “victim” of spear-phishing, or targeted phishing (albeit luckily only by NCC’s benign team of ethical hackers).
Unless you were of a very paranoid nature, it’s likely that you’d fall for this. So you’d only have to target four people in an organisation to gain access to it.
It doesn’t take as much technical mumbo-jumbo as you might think, either.
The team researched me using only information publicly available on the internet. They learned about my interests by seeing what I post on Twitter. Getting my email address was no harder than simply asking Facebook for it – if you ask to reset the password of any account, the social network will give you a redacted version of that user’s email address, from which, shall we say, it is not exactly rocket science to guess the rest.
The team recorded information I’d happily shared in tweets, not realising its usefulness to potential attackers: a screenshot shows what programs I have pinned on my computer taskbar, metadata reveals what mobile operator I use and a photo shows I have a Mac.
They know everything about me, and it hasn’t taken any particularly advanced hacking to find this out: I’m left-handed, I listen to music on Spotify and – crucially, in this case – I’m a Google Docs user likely to trust emails coming from this particular friend.
“People think it’s all voodoo and magic, but it’s not that technically complicated. It’s more about hackers getting to know you,” said Whitehouse.
Spear-phishing is becoming more common. A recent report from non-profit organisation Get Safe Online found that one in five hacking victims believed they were specifically targeted.
Usually, of course, the target is a company rather than an individual reporter. But the principle remains the same: exploiting human weaknesses to gain access to private or company data.
Companies are increasingly turning to ethical hackers to do essentially the same as what I’ve just put myself through with NCC: hacking their own systems to uncover weaknesses – before someone else with more nefarious purposes does.
IBM found in its 2014 Cyber Security Intelligence Index that 95 per cent of incidents come from human error. Despite knowing the risks, it’s certainly true that many of us are surprisingly cavalier about online safety, using the same passwords across several sites and insisting on using unbreakable passwords like “123456” or “password”.
But Whitehouse argued that our systems are the ones to blame, not the humans using them:
“Did you make a mistake at all, or did technology let you down? Arguably, we’re designing systems that aren’t setting us up for success.”