How To Not Get Hacked, According To Expert Hackers
Feb 27 2016, 10:04 AM
Recently, I got hacked. Not like normal, everyday, steal-your-Twitter-password hacked. I got mega-ultra-super-hacked. My hack was so bad that several security experts have told me it’s the worst one they’ve ever seen. For two weeks, a group of expert hackers burrowed into my digital life and stole everything — all my passwords, my credit cards, bank accounts, personal emails, work emails, access to my social media accounts, my Dropcam, my wireless account. They installed malware on my computer that secretly took photos of me out of my own webcam every 2 minutes, and uploaded them to a remote server. They spied on my work Slack. They logged every keystroke I made, and accessed any file they wanted to. They owned my entire digital life.
They did this because I asked them to. For an episode of my TV show, “Real Future,” I decided I wanted to see what it was like to be the victim of a giant hack. Thanks to the extraordinary variety of internet-connected gadgets we’re putting in our homes, and the interconnectedness of our digital lives more generally, we’re at a greater risk for hacking than ever. And I wanted to assess my own risk level by, essentially, opening myself up to the worst stuff possible. So I challenged these hackers to spend two weeks doing as much (reversible) damage to me as they could. (You can see the video of my hack here; it’s one of the most dangerous and terrifying things I’ve ever done.)
While we were filming the show, I also asked these hackers — Dan Tentler of Phobos Group, Chris Hadnagy and Jessica Clark of Social-Engineer, and Morgan Marquis-Boire of First Look Media — what normal people can do to prevent a hack like this.
We all know the usual security advice: use strong passwords, enable two-factor authentication, don’t click on strange-looking links in your email. But the hackers had more advice for people trying to take their security up a notch. Here’s what they told me:
1. Download a password manager. Even before my hack, I used 1Password, which stores all your passwords in a secure vault. It didn’t keep me safe — in fact, the hacker was able to break into my laptop and steal my 1Password master key, which gave him access to all of my passwords — but that is a compromised-computer problem: once an attacker is logging your keystrokes, no way of storing passwords will save you. For the far more common threats, a leaked database or a guessed password reused across sites, a password manager like 1Password, Dashlane, or LastPass lets you use a long, unique password for every account, which is much more secure than anything you can memorize.
2. Use a VPN. A VPN (virtual private network) is a way to avoid some of the dangers lurking in public wifi networks: it wraps your internet traffic in an encrypted tunnel to the provider’s server, so the hotspot operator and anyone else on the same network can’t read or tamper with it. The trade-off is that the VPN provider can see that traffic instead, so pick one you trust. I use VPN Unlimited, which costs $3.99 a month and gives you a choice of dozens of servers. A VPN is a must if you spend any time on wifi networks in coffee shops or hotels. (As a bonus, it also lets you watch Netflix if you’re traveling abroad.)
3. Familiarize yourself with urlquery.net, and use it to vet shady-looking websites. It’s a service that scans a URL you submit for web-based malware and suspicious behavior, so you can check a link before you visit it yourself.
4. Download Little Snitch, a Mac application firewall that monitors your computer for sketchy outgoing connections. It will alert you if, for example, a program on your computer tries to send data to a server you’ve never heard of — perhaps a sign that your machine has been compromised, since malware like the kind installed on my laptop has to phone home to upload what it steals.
5. When clicking links in an email, hover over the link to see the address it actually points to, and make sure it matches the site you’re trying to visit. The text you see and the destination behind it aren’t always the same, and a fake address is often built to look right at a glance (for example, by putting the real site’s name at the front of a domain an attacker controls).
6. Turn off wi-fi and Bluetooth on your phone when you leave the house. It’ll save battery and help protect your privacy: a phone with wi-fi on keeps looking for networks it already knows and will join one automatically, which lets others track your movements or lure your phone onto a rogue hotspot with a familiar name.
7. If you currently lock your phone with a 4-digit numerical code or a simple pattern, switch to a complex passcode. A 4-digit code has only 10,000 possibilities, and both short codes and patterns are easy to shoulder-surf or guess — use this iOS guide or this Android guide to learn how to switch your existing code to a longer, alphanumeric password.
8. If your laptop isn’t currently using full disk encryption, turn it on. See this Intercept guide to encrypting your hard drive. It will help protect your data if your computer is lost or stolen. Keep in mind that it protects data only while the machine is off or locked; it does nothing against malware running on a computer you’ve already unlocked, which is how my files were taken.
9. Call your cable company, cell phone company, and internet service provider, and instruct them not to give anyone access to your account details without a PIN or password you provide. There is an entire branch of hacking, known as “social engineering,” that focuses on exploiting human weaknesses in the security process. One hacker called my cell phone company, found a sympathetic customer service rep, pretended to be my non-existent wife, and persuaded the company to let her into my account. A PIN on the account gives the rep a firm rule to fall back on when a caller has a sad story and a convincing answer for everything else, so take the proactive step of making sure your service providers require one.
10. Make your social media accounts private. Social media accounts are one of the main sources of easily accessible personal information that can be used in a hack. Social-Engineer, one of the firms that hacked me, found my home address by enlarging and enhancing a Twitter photo of my dog; the address was printed in very tiny type on the dog’s tag. It then used my address to do further damage.
11. Use fake answers for security questions. Thanks to sites like Whitepages.com and social media, it’s not hard to figure out a person’s mother’s maiden name, or the street they grew up on. So make up fake, random answers to the most common security questions, so an attacker can’t guess them, and keep those answers in your password manager so you can still recover the account yourself.
12. Beware the wedding website. Many couples put their life stories on their wedding websites — with tons of personal information that a hacker can find and use, including exactly the kind of details security questions ask about. So keep it minimal, if you have a public wedding site.
13. Don’t lose too much sleep over hacking fears, unless you’re famous. Everyone should take basic security precautions against a potential hack. But unless you’re a government official, a major celebrity, or a Fortune 500 company, you probably don’t need to worry about being hacked to the degree I was. Most people have what one hacker I talked to called “privacy through obscurity” — the idea that although expert hackers could theoretically target you with an epic hack, for 99.9% of people, they probably wouldn’t care enough to spend the time or effort it would take to do it.
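Tip 5, hovering over a link to compare the text you see with the address it really points to, can be done by a program as well as by eye. The following is an added example (not code from the article or from any of the hackers quoted in it): it walks the links in an HTML email body and flags the ones where the visible text names one site but the real destination is another, where the destination is a bare IP address, or where the domain uses punycode that can mimic a familiar name. The sample email body at the bottom is constructed for the example.

```python
"""Flag email links whose visible text does not match the real destination.

Added example modelling the "hover over the link" check as code: for each
<a href="..."> in an HTML email body, compare the host of the real destination
with any URL or domain shown in the link text. The sample email below is
constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Matches a bare domain or URL appearing in link text, e.g. "example.com"
# or "https://accounts.example.com/login"; group 1 is the host.
_URLISH = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?")


def host_of(url):
    """Return the lowercase hostname of a URL, adding a scheme if missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_ip_literal(host):
    """True if the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """Return a list of (href, shown_text, reason) for suspicious links."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if not real_host:
            continue
        reason = None
        m = _URLISH.search(text)
        if m:
            shown_host = m.group(1).lower()
            # A subdomain of the shown site is fine; anything else is a mismatch.
            if shown_host != real_host and not real_host.endswith("." + shown_host):
                reason = f"text shows {shown_host} but link goes to {real_host}"
        if reason is None and is_ip_literal(real_host):
            reason = f"link goes to a bare IP address {real_host}"
        if reason is None and any(label.startswith("xn--") for label in real_host.split(".")):
            reason = f"link host {real_host} uses punycode (possible look-alike domain)"
        if reason:
            findings.append((href, text, reason))
    return findings


# Constructed sample email body: one honest link, one look-alike domain that
# puts the real site's name at the front, and one link to a bare IP address.
SAMPLE_EMAIL = """
<p>Your statement is ready. <a href="https://www.example.com/statement">
https://www.example.com/statement</a></p>
<p>Please verify your account at
<a href="http://example.com.account-verify.net/login">https://example.com/login</a></p>
<p><a href="http://203.0.113.10/update">Update your password</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {reason}\n  shown: {text!r}\n  real:  {href}")
```

Run against the sample, the honest link passes and the other two are reported. The check is deliberately conservative: a link whose text names `example.com` but points at `login.example.com` is accepted, while `example.com.account-verify.net` is not, because what matters is the domain at the end of the host, not the beginning.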