Privacy at peril: From one tweet to a full-blown hack

Alex is not a chief executive, a rock star or a celebrity, or a government employee with access to state secrets. This was an authorized vendetta. This was personal. I wanted to break into his life and crack it open to see what I could find. It's atypical of a black hat hacker, who might scrape out personal information from a hack or data breach in order to siphon off money.

In that respect, it wasn't the average intelligence gathering exercise.

But it threw him off his privacy pedestal. And the results certainly put chills up and down my spine.

Based on just his name and his employer, would that be enough to steal his identity and take over his life?

Meet Alex.

I knew remarkably little about him when we first met. Alex is not his real name -- it's a pseudonym to protect his identity. But everything else about him is very real. He travels to our New York newsroom and our San Francisco office from his home near Charlotte, N.C., where he lives with his family.

Alex is one of a growing population of privacy-ambivalent users. He keeps his Social Security number close to his chest, and rarely gives out his personal e-mail address unless he has to. But he isn't clued up on the latest Facebook privacy options, and doesn't particularly mind who reads his tweets.

Because Alex is -- like myself -- a British expat, he and I chat now and then about the differences between life in the UK and here in the US. Last month, we fell into conversation about the backward approach of online banking security in America.

Both of our US banks require an alarmingly vague offering of details to access our bank accounts over the phone, such as our home addresses, our dates of birth, and now and then the last four digits of our Social Security numbers. In contrast, British banks rarely ask for anything less than username, password, three-digit, variable drop-down boxes of codes, memorable names, iris scans, fingerprints, the exact weight of your first-born child, and the name of your dog that you always forget even though he was your best friend growing up in the suburban bliss of outer London.

Sharing personal anecdotes of how lax US banks appear to be with our life savings compared to British banks left us both a little shaken.

He asked me: "Wouldn't it be interesting to see how much information there was on me out there? Like, what you can find out from the Internet and try to get on the phone with my bank?"

I took him up on his offer, and we agreed on a strict set of rules.

For one, I would be acting the civilian hacker, rather than a journalist. (Journalists often have access to paid-for accounts that would churn out public records and other data.) Because of this, I was not allowed to use CBS internal tools to find out any information on him, or strap down and waterboard our human resources director into handing over information.

The bet was laid and the plan we formulated was enough: to gather enough intelligence about Alex to convince the call center operator at his bank that I was him. Like something out of a Mission: Impossible film, I would have to bypass the automated phone system, steer through the security questions, and -- armed with a fictional and empathy-driven sob story -- socially engineer my way into his bank account.

What I was ultimately after were possible or even specific security questions that a bank might ask for. Armed with those, I could -- in theory -- take over almost every aspect of his life.

Because the information I collected on Alex was so sensitive, it was inputted and stored on a locked-down computer. It was disconnected from the network and required a complex alphanumeric password to unlock it. That data was encrypted in a document that was also protected with a different, strong alphanumeric password. The information was subsequently obliterated with an erase tool once it was no longer needed.

I had nothing but the Web to use as my hacker's toolbox.

The hacker's toolbox

I sat down at my desk after our first bet began and immediately turned to Google. No matter which social network you use, Google is a better engine for finding keywords -- even keywords within those social networks. I knew his first name, and I knew the company he worked for. I bashed in "Alex" and "CBS Interactive", the owner of ZDNet and CNET, and behold, his LinkedIn page (and surname) landed at the top of the list.

His LinkedIn account confirmed his full name, his position, and his employer. I found his Twitter account on his LinkedIn profile, but the other top three Google search results also churned out his handle.

Surely there were Github or browser scripts that could have scraped his entire Twitter account, which confirmed in his profile that he lived in Charlotte, N.C., along with more than , tweets and the occasional uploaded photo. But instead, I took the raw viewing approach, by scrolling down to his very first tweet and beginning to search through the stream. It was quick and lazy, but easily searchable within my browser.

There were a few scatterings of location-based tweets. Some from New York, some from San Francisco, and a few others from places where we have offices around the world. A few search terms later, I found one single search term reference to "NC", or North Carolina. From just one tweet buried in the midst of innocuous tweets, a new tab opened and Google Maps pinpointed his suburban home address -- at least, so I assumed -- with ground-level Street View imagery on demand.

Public records showed how much he paid for his home and when. This gave me the very first personal data reference, which could be a PIN code or security question that I might use later. There were also North Carolina public records, which churned out tax receipts and other information that pointed me to his wife's name, whom we shall call Sarah.

In as little as half an hour later, I walked back into his office and announced a five-digit number that made Alex's smile loosen and his jaw drop.

"That's my house number," he said. His face was mixed with shock, terror, and awe. "How the f**k did you get that?"

I was even able to tell him what color his front door was. He slumped back in his chair, clearly taken aback.

But I didn't stop there. He authorized me to look further.

Uncovering personal data

The amount of information available from their mercilessly open Facebook pages was nothing short of a hacker's dream. From photos, status updates, the "about" page, and other check-in and location data, I was able to determine intimate details of his family -- his child's name and date of birth, and the anniversary of his marriage to Sarah -- which I saw as the second, third, and fourth personal data references.

A few more keyword searches yielded Alex's birthday, a date in mid-June, from a written confirmation in one of his tweets -- something he likely thought nothing about at the time. I could guess his age, but it wasn't enough for a fifth data reference that could be used as a security question or code.

Facebook would once again hold the answer, or at least part of it. What came next took logic and variable plugging.

By opening an incognito window, removing my own cookies and Facebook account from the equation, I plugged his information into the site's password reset facility.

Thrown back at me was:

I tested with my own account. Facebook masks the exact number of characters from any e-mail addresses provided. It took a smidge of common-sense guesswork to identify that he had a legacy Gmail account with an @Google address. The next step in determining his e-mail address would not be easy, and would take multiple attempts and plugging in possible variables, but Facebook's password reset facility would be enough to fill in the blanks based on at least two hours' worth of guesswork.

With the first and last character -- the first being the letter "A" and the latter being a number -- I assumed it was his full first name, with space for the first letter of his surname and, perhaps, the last two digits of his year of birth.

After about three hours, I plugged in multiple combinations, unmasked the asterisks, and on my screen was his Facebook account. And yes, as I suspected, it was his birth year. I now had his full date of birth, which tied in with the rough timing of his academic history from his LinkedIn account.

By this point, I had already discovered at least five pieces of data that could be used as a security answer or code with his bank. But in order to get access to his checking or savings account, I would almost certainly require his Social Security number. Many banks require a full bank account, or credit or debit card number. Accessing his physical cards would be nigh on impossible. When no card details are given, a Social Security number is almost always used as a fallback.

I knew his personal username from his Facebook account URL, but the hacker in me -- admittedly with the restraint of a saint -- could have garnered even more personal and sensitive information if I were to access his personal e-mail account without his authorization. At least, that was the assumption I was going with.

Armed with his full personal e-mail address, I next hit Gmail's password reset facility. Although Google's security and validation system for inaccessible e-mail accounts is better than most e-mail providers', Alex's own security questions let him down. Often the weakest link in the security chain is the person in question.

I was already walking on thin ice. Though I had uncovered his security question, I refrained from attempting to answer it. Suffice to say, I probably could have.

But how would I get his Social Security number? Two hours of searching some of the Web's darker hacker forums was leading me nowhere.

I needed his Social Security number, but my options were fading fast.

Alex is a British expat, likely in the country on a visa or a green card. When he married Sarah, a US citizen based on her Facebook profile, it's possible that he had obtained permanent legal residency through a marriage-acquired green card. But that was based on assumptions. Even if he submitted a green card application at the time he was married, would he have even received it by now? I was guessing, and going down this path of thinking likely wouldn't yield any definitive answers.

Hours later, my eyes lit up. What is one of the first things you get if you relocate to a foreign country? A cell service plan.

Most cell service providers -- AT&T, Verizon, and Sprint, among others -- require you to present certain forms of identification, often including a Social Security number, before you can sign up.

If I could find his cell phone number, and if he used a cell provider that required a Social Security number, I could then, in theory, acquire at least a few of those golden government digits from his cell provider through similar social engineering techniques I would reserve for his bank.

It turned out that sooner rather than later, I would have to use those very techniques directly on my target.

In theory, the next challenge seemed easy enough. In reality, I would rely on sheer luck.

How exactly would I get his phone number? By asking for it -- directly or indirectly -- by sending him an e-mail asking for it. Knowing his work and what he does for a living, I would need to throw out the phishing line by pretending to be a potential client. And for the purposes of this exercise, I would want to talk to him on the phone about it.

Though I already had his personal Gmail account, I needed to send him a note through his work e-mail. I already had some knowledge of his work e-mail address naming scheme, but after a few searches it was clear that, like many organizations, it followed the "firstname dot lastname at the company's domain" scheme.

In a matter of minutes, I created a full-name personal e-mail address with Gmail, and, with knowledge of his work and expertise, carefully crafted an e-mail that would not only get his attention, but also surely warrant a reply.

"Hi Alex. We're a BB startup based in Mountain View, and we're looking to advertise. I'm traveling for the next couple of days; could you email me back letting me know what might be the best approach going forward? --John"

I sent the e-mail, and waited. The next day, he replied. Behold, in his e-mail signature, was his cell phone number. I didn't need to continue the thread any further. I plugged the phone number into a popular cell provider lookup Web site. His cell phone provider was Verizon.

I was unthinkably close to acquiring the golden goose: at the very least the final -digits of his US government-issued identifier, or at most the full -digit figure.

And that's where I stopped.

Going too far?

How I would have loved to have told you how I stood in his office with his phone on speaker, with him watching over me as I read aloud his personal and sensitive data, playfully chatting with a call center operator at his bank, joking along and chuckling about how my wife had spent a bit too much on the kids again, and wanting to review my current checking account balance.

Alas, that call I had longed to make for days never came to fruition.

I geared back into journalism mode, and set up a call with Alex to discuss my findings. Every shred of my being wanted to fight until the bitter end and see how far I could go. The thirst for this data reached such levels that I was uncomfortable with how I was acting. There was a line in the sand, though, that I would not cross. I would not impersonate him without him being physically there in our New York office -- a place he rarely visited.

I was a little sickened with how much data I had collected on this man's life and family by this point. I was already bordering on what felt like the side of unethical behavior -- the fact he had authorized me to keep going was the only thing that encouraged me to continue.

We agreed that this was a good time to stop.

We discussed my findings at length. I explained that going any further would be unethical, and possibly illegal. Enough was enough, and my point was made.

I knew more about Alex than most of our other colleagues did. I had his home address, date of birth, the date of his wedding anniversary, and his child's date of birth -- all of which may have served as security answers to his various real-world accounts. I also had his personal and work e-mail addresses, his cell phone number, his employment status and history, and even a good guess at his immigration status.

And then, out of nowhere and in a chilling moment of awkwardness, I forgot his surname -- despite the fact we'd met before and shared a pint in the pub over the road.

But, being British and all, one doesn't beat about the bush. On the verge of asking him, I stumbled over my words -- I admitted I didn't know, but also didn't want to know -- stopping him as he was about to mutter, "Oh, it's..."

Because the less I knew, the better.

I was mortified.

All that from a workplace wager and a single, innocuous tweet? It wasn't bad for just shy of two days of work. The information I had would have, as it turns out, been enough to socially engineer my way through to the Verizon customer call center. Whether or not the operator would have divulged his Social Security number to someone they thought was in fact him, we will never know. But if that were the case, there would have been a strong possibility that I could have, with that -digit number, accessed his bank account.

One tweet was enough to start a chain reaction of information-gathering that could have rivaled the work of a government intelligence agency. And with that data, a hacker could have ended up ruining one man's life.

Yes, Alex. Yes, it would.

One single innocuous tweet sent more than a year ago let him down.

This story originally appeared as "How this one innocuous tweet could hack a bank account" on ZDNet.