For the love of God, people – put a piece of tape over your computer’s camera.
In recent episode of REAL FUTURE by Fusion, journalist Kevin Roose proves that hacking isn’t just a trick you see in the movies. During a segment on hacking, Roose asked Dan Tentler, a well-known security expert, to hack as much information from Roose as possible in the 48 hours leading up to the interview.
Journalist Kevin Roose and his new daddy, Dan Tentler.
Within two days, Tentler was able to get access to the following things on Roose:
- Bank login username and password
- Email and password
- Stock trading login
- Credit card number and login information
- Social security number
- And creepiest of all, photos of Roose and his screen that were taken every two minutes for 48 hours using the laptop camera
The screenshots and photos taken of Roose.
When describing his power over Roose, Tentler said, “I could have made you homeless and penniless. I have control of your digital life in its entirety… I am you. The only thing I couldn’t doctor is your fingerprints.”
So how did Tentler gain access to all this? Within a few hours of the two-day challenge, Tentler realized that Roose had a Squarespace blog. Tentler then set up a bogus Squarespace account and emailed Roose a message that looked like it came directly from the admins at Squarespace. The email said that because of a recent security threat (ha) Roose needed to update his SSL security by installing a certificate. That “certificate installer” gave Tentler access to Roose’s computer.
From there, Tentler created fake popups that asked Roose for specific credentials. One of those credentials was Roose’s 1Password login, which is where he stored virtually every login and password he uses online.
“You didn’t even have to have my passwords,” Roose said, shocked after Tentler revealed what he had done. “No no, you gave them to me,” Tentler replied.
Earlier in the episode, social-engineer hacker Jessica Clark posed as Roose’s distraught and scattered wife and called Roose’s phone company. Using a YouTube video of a crying baby, Clark convinced the customer service rep that she is Roose’s wife and needs access to Roose’s account but has forgotten the password.
“I’m so sorry, can you hear me OK? My baby, I’m sorry. My husband is like, we’re about to apply for a loan and we just had a baby, and he’s like, ‘Get this done today!’,” Clark said, setting the scene that she’s an overwhelmed new mom who really needs help. “I’m trying to log in to our account for usage information and I can’t remember what email address we used.”
It only took 30 minutes before Clark gets access to Roose’s account, changes the password, and has him locked out of his own cell phone account.