“How I Hacked My Friend Without Her Noticing,” The Hacker Alex Tells All

Editor's Note: This article is repurposed from "Operation Luigi: How I hacked my friend without her noticing."

‍

There’s a sign-up page for a club she started at her university. The page says “Contact Diana Lastname at dianalastname@hotmail.com or [her phone number]”… I find an old blog of hers from 2009. It has a search box. I immediately slam “pet”, “cat” and, “dog” in that search box like it’s 2009. The name of someone’s pet is often somehow involved in their security, either as their password or as a “Security” question or something.

When was the last time you really looked at your Google search results? Your 2008 Myspace posts with all your favorite bands. The swimming competition results in a local newspaper linking your full name to your home town and first school. You might even have an old personal blog full of cringe-worthy posts – all ideal fodder for a determined snoop.

And it’s not just your history that lasts forever. Data dumps and text links are hosted anonymously and publicly for years, available for anyone to download.

‍

Pick your services wisely

Before I set up email forwarding, I try it out on a hotmail account I control. I’m testing to see if setting up “forward all your email to this address” sets off any notifications I’ll have to delete, or notifies you in any other way.

In gmail, when you forward all your mail to another email address, the other address gets emailed a code, and also a big red bar appears on your gmail inbox saying “you’re sending literally all of your email to this address FYI” for 7 days.

We, personally, have awful security. We reuse passwords, and we make them too easy to guess. We keep important information in written in plain text on unsecured devices. Two factor authentication annoys us, and we turn it off if it takes too long.

Some websites and services force us to make better choices, so make educated choices about what you use. The gig was almost up for our hacker when Apple sent his phone number to his target as he tried to recover her password.

This also shows why it’s good practice to reset a password rather than recover it – as our hacker finds out, not leaving a trace requires knowing the password, not changing it.

‍

Just because you're not a target, doesn't mean you're safe

The thing is, right now you’re very alert, because you’re reading a blog post about hacking. If you were just reading your email, half-paying-attention on a train as normal, security wouldn’t likely be on your mind. If sending trick emails is good enough for whoever the NSA, are emailing, then it’s probably good enough to work on you and me.

This hacking story shows us we’re sailing along without a care in the world, oblivious to our terrible security practices. It’s the internet equivalent of the town where everyone leaves their doors unlocked – which is all great, until someone really wants to rob you.

This is especially dangerous when it’s someone who knows your behavior and habits – phishing is most effective when it’s human and personalized. Snipers get better results than machine guns.

How well would you fare if someone close to you tried to hack you? Did you realize your LinkedIn password hasn’t been changed since 2012 and is almost certainly is visible in plain text somewhere? Did you finally delete your Livejournal? We’ll be back – after checking all our services have two factor-authentication.