It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.
I’m being hacked -- and only have myself to blame.
Two months earlier I challenged Nicholas Percoco, senior vice president of SpiderLabs, the advanced research and ethical hacking team at Trustwave, to perform a personal “pen-test,” industry-speak for “penetration test.” The idea grew out of a cover story I wrote for Forbes some 14 years earlier, when I retained a private detective to investigate me, starting with just my byline. In a week he pulled up an astonishing amount of information, everything from my social security number and mother’s maiden name to long distance phone records, including who I called and for how long, my rent, bank accounts, stock holdings, and utility bills.
The detective, Dan Cohn, owned and operated Docusearch, a website that trafficked in personal information, and at the time, he was charging $35 to dig up someone’s driving record, $45 for his bank account balances, $49 for a social security number, $84 to trace a mobile number, and $209 to compile his stocks, bonds, and securities. The site offered a simple clickable interface and Amazon-like shopping cart. It’s still around today. boasting similar services. “Licensed Investigators for Accurate Results” reads the tag line, calling itself “America’s premier provider of on-line investigative solutions.”
For Cohn, digging through what I had assumed was personal information, was less challenging than filling in a crossword puzzle. He was able to collect this amalgam of data on me without leaving the air-conditioned cool of his office in Boca Raton, Florida. In addition to maintaining access to myriad databases stuffed with Americans’ personal information, he was a master of “pre-texting.” That is, he tricked people into handing over personal information, usually over the telephone. Simple and devilishly effective. When the story hit newsstands with a photo of Cohn on the cover and the eerie caption: “I know what you did last night,” it caused quite a stir. It was even read into the Congressional Record during hearings on privacy.
All it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy — and, if they choose, to wreak havoc on your finances and destroy your reputation.
A decade and a half later, and given the recent Edward Snowden-fueled brouhaha over the National Security Agency’s snooping on Americans, I wondered how much had changed. Today, about 250 million Americans are on the Internet, and spend an average of 23 hours a week online and texting, with 27 percent of that engaged in social media. Like most people, I’m on the Internet, in some fashion, most of my waking hours, if not through a computer then via a tablet or smart phone.
With so much of my life reduced to microscopic bits and bytes bouncing around in a netherworld of digital data, how much could Nick Percoco and a determined team of hackers find out about me? Worse, how much damage could they potentially cause?
What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets. Most of us have adopted the credo “security by obscurity,” but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy -- and, if they choose, to wreak havoc on your finances and destroy your reputation.
I’ve never actually met Nick Percoco, which, for all he knows about me, might seem strange.
Earlier this year I contacted him to pen a guest post for PandoDaily. In it, Percoco warned that unscrupulous people could potentially intercept your private messages and inject malevolent code into your computer over a coffee shop’s Wi-Fi. I liked how he wrote the piece. He didn’t hype the threat. Instead he laid out the facts, relayed some anecdotes from his work, and offered basic, actionable prescriptions.
You can tell a lot about a person by the way he writes. As a journalism professor, I get to know my students’ writing better than they know it themselves. And Percoco, through his prose, struck me as someone who was smart, well informed on security issues, and careful with what he said and how he said it. “Comp-sec,” as it’s called – short for computer security – is rife with charlatans. It often seems the more fame someone accrues in that world, the less he’s accomplished and even less he knows.
For this particular job, trust would be vital. If I were to invite someone to wheedle his way into my life, sneak into my finances, sniff my email, capture my web surfing, maybe even break into my home, I had to be damn sure he and the people he worked with wouldn’t use this information for nefarious purposes. I checked up on Percoco and couldn’t find anything that reflected badly on his character.
Over the years [Percoco] has performed hundreds of pen-tests and physical break-ins, slipping into hospitals, insurance companies, manufacturers, magazine and newspaper companies, power companies, and many more.
Percoco, 38, considers himself a white hat hacker, and has been breaking into companies (with their blessing) for 14 years. In what is perhaps the perfect metaphor for what he does and who he is, he lacks recognizable fingerprints, a quirk of nature, he assures. Once in Colombia, he says, he was denied entry into a building because the turnstile, equipped with a fingerprint identification pad, couldn’t get a fix on his digits. Percoco prides himself on having the skills of a black hat hacker while maintaining what he calls the highest ethical standards.
Not only does he attack computer vulnerabilities, Percoco performs on-site intrusions. Over the years he has performed hundreds of pen-tests and physical break-ins, slipping into hospitals, insurance companies, manufacturers, magazine and newspaper companies, power companies, and many more – clients, he says, that he’s forbidden to reveal.
Once, he says, he was hired to gain access to a hospital’s computer systems housed in a data center. Wandering the hallways, he followed the signs until he saw one for the IT department. It led him to a server room behind a glass door. Inside there was a woman printing out patient records. All Percoco had to do was knock and she let him in, no questions asked. He ambled over to a computer with a mouse and in a few clicks logged on as the systems administrator. Now he had access to patient records, and could have, if he’d wanted, taken down the entire network. The hospital’s chief information officer had wanted more resources for security. He got them.
Percoco told me he was intrigued by my proposal because he and his team almost always investigate corporations, not individuals. He wondered aloud whether I would be easier or harder to attack than a corporation. Both he and I were eager to find out.
In 1999, detective Dan Cohn’s most powerful weapons were a telephone and unmitigated gall. True to his word, exactly one week after he started my investigation, he faxed me a three-page summary of my life. It began with my base identifiers – full name, date of birth, social security number, home address – which he obtained from my credit report. Companies like Equifax claim they have protections in place to prevent against fraudsters, but Cohn told me he went through a reseller.
Equipped with my credit header, Cohn had what he needed to access a Federal Reserve database listing my deposit accounts, some of which I had long forgotten – $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account. A few days later Cohn located my Merrill Lynch cash management account, which I had opened a few months earlier. He then had my checking and savings account balances, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker. In addition to my finances, he also obtained utility bills and two unlisted phone numbers, which cataloged a bevy of long distance and local phone calls I had made.
Armed with this information, Cohn could have easily mapped out my routines. He knew how much cash I withdrew from ATMs each week, how much Forbes deposited into my checking account twice a month, the cafes and restaurants I frequented, the monthly checks I wrote to a shrink. He possessed my latest phone bill and a list of long distance calls to and from my home, including late-night fiber-optic dalliances with a woman I was dating and who worked for an advertising agency and traveled a lot. Cohn also divined phone numbers of a few of my sources, including a couple of computer hackers who had told me of their black hat activities.
While databases assisted him with my basic information, to secure the nitty-gritty detail of my life, he needed help, which he wrangled from the actual companies I did business with.
Part of the deal I struck with Cohn required him to tell me exactly how he did what he did, but he held back when it came time to pony up. To fill in the gaps I contacted my phone company (Bell Atlantic, now Verizon), long distance phone provider (Sprint), and bank (Merrill Lynch), telling them what Cohn had done and demanding an explanation. Each, in turn, launched an investigation. With the results I went back to Cohn, who confirmed the information and added additional detail.
Sprint informed me a Mr. Penenberg had called to inquire about my most recent bill. He posed as me, and had enough information to convince the customer service representative he was me. The caller had the operator run through the last couple of dozen calls I had made. It was a similar story with Bell Atlantic, only this time it was a Mrs. Penenberg who did the dirty deed.
He knew how much cash I withdrew from ATMs each week, how much Forbes deposited into my checking account twice a month, the cafes and restaurants I frequented, the monthly checks I wrote to a shrink.
With Merrill Lynch, Cohn also phoned customer service. This time, however, he was relatively upfront. “Hi,” he said, “I’m Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg.” Later Cohn told me official-sounding words like “licensed” and “state” make him sound legit, as if he worked in law enforcement. Then he reeled off my social security number, birth date and address, which he had gleaned from my credit report, and, he told me later, “before I could get out anything more he spat out your account number.”
Cohn wrote it down then told the helpful operator, “I talked to Penenberg’s broker, um, I can’t remember his name…”
“Dan Dunn?” the Merrill operator asked.
“Yeah, Dan Dunn,” Cohn repeated.
Merrill’s minion then recited my balance, deposits, withdrawals, check numbers and amounts. “You have to talk in the lingo the bank people talk so they don’t even know they are being taken,” Cohn said, obviously pleased with himself.
Such pretext calls are technically illegal under the Gramm-Leach-Bliley Act of 1999, at least if used to obtain financial data from individuals or financial institutions, but it’s rarely enforced and hard to catch.
But I needn’t have worried, Cohn assured me. He promised he would never resell the information to anyone else. “Unlike an information broker, I won’t break the law,” he told me. “I turn down jobs, like if a jealous boyfriend wants to find out where his ex is living.”
At the time, I thought this was an odd statement, strangely specific, which he had volunteered. What I didn’t know was that at the same time he was digging up dirt on me, Cohn was embroiled in a tragic case involving a stalker, who had paid Docusearch to locate his victim.
According to court documents. on July 29, 1999, New Hampshire resident Liam Youens paid Docusearch for the social security number, home and work addresses for 20-year-old Amy Lynn Boyer, another New Hampshire resident. Docusearch went through a subcontractor, Michele Gambino, who relied on pretexting. She called Boyer in New Hampshire, lying about who she was and why she was calling in a bid to trick Boyer into revealing her employment information. Gambino passed this information on to Docusearch, which provided it to Youens.
A week later Youens drove to the dentist’s office in Nashua, New Hampshire, where Boyer worked. He waited in ambush while she got in her car and drove up beside her. Leaning out of his car, he put the barrel against her window. He called her name so that she would look up.
Then he shot and killed her.
Seconds later he turned the gun on himself.
“Amy never knew it was coming,” her stepfather, Tim Remsberg, said in an interview with the tabloid news show, “48 Hours.”
Youens, who was unemployed and lived with his mother, had been stalking Boyer for years, chronicling his obsessions on a web site. On it, he confessed that he had fallen in love with her in 8 th grade. Later, after Boyer rebuffed his advances, he decided she must die. On the website, “48 Hours” reported, he foretold how he would kill her: “When she gets in, I’ll drive up to the car blocking her in, window to window. I'll shoot her with my Glock.”
Amy Boyer’s mother sued Docusearch, alleging that Cohn and his partner had invaded her daughter’s privacy and broke other laws when it assisted Youens in locating her while the online information broker claimed the information wasn’t private. After the case wound through the courts, the New Hampshire Supreme Court ruled that the lawsuit could proceed to a jury trial, and Cohn and Zeiss ended up settling with the family for a reported $85,000 .
Afterward, Cohn promised, “Our policies and the way we do business has changed as a result.”
After Nick Percoco and I hammered out the broad outlines of our project – his team would not break any laws, and they would leave my kids out of this – I signed a waiver (courtesy of Trustwave’s lawyers) that barred me from suing the company if my information ended up in the wrong hands. Percoco kept the timetable vague and frankly, after a month dragged into two, I almost forgot about it. But his team, comprised of security analyst Garret Picchioni, digital forensics specialist Josh Grunzweig, and hacker Matthew Jakubowski (Jaku), were anything but idle.
Percoco didn’t tell me who my investigators would be, and even if he had told me in advance it wouldn’t have done me much good. Like most information security professionals who pen-test for a living, Picchioni and Grunzweig had taken steps to limit their online footprints. Google their names and you won’t find all that much, other than they have all given presentations at hacker conferences on highly technical topics.
Garret Picchioni’s Twitter bio says “Information Security Professional for
thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally.”
Josh Grunzweig is even more stealthy. His Twitter bio is simply “malware reverser | beer drinker | hockey fan” and his LinkedIn profile barely qualifies as a profile. He graduated from Rochester Institute of Technology with a degree in Applied Networking and System Administration, and minored in criminal justice. Some activities he listed are information security, snowboarding, running, movies, music, traveling, and grabbing a drink with friends.
Of the three, Matthew Jakubowski, or “Jaku,” as he likes to be called, has the most Google juice. Last year he turned a dry erase marker into a tool that could pick a hotel lock in seconds flat. In the avalanche of media attention that followed, he revealed that he could steal credit cards wirelessly using a radio identification reader without your having to pull your Mastercard out of your wallet. His Twitter bio warns, “Neque dicas, quid neque,” which in Latin means "Don't tell me what to do." According to his scant LinkedIn profile Jaku majored in “Sandwich Engineering” and minored in “Witch Hunting” at “College University.”
Percoco told me they began the project by pulling up everything they could about me on the Web, sifting through my website and various writings, looking for anything that could point to potential vulnerabilities. They gleaned some interesting nuggets, including the type of computer I use (I’ve written that I’m an Apple aficionado), my home and work addresses (easily found through public records searches), and the location of the Pilates studio my wife, Charlotte, owns and operates. This helped them formulate a plan of attack.
Here’s the strategy they sketched out (from the confidential report I was provided afterward):
After doing some initial research on Adam and his family, a preliminary game plan was created before traveling onsite that included both technical and physical (security) attacks on Adam.
The initial rough plan is outlined as follows and included multiple attack vectors as contingency plans:
Just rereading that feels weird. Even though I brought this on myself, I still marvel at how many attack vectors someone like me can provide any would-be attacker. Substitute your name for mine; your wife’s, husband’s, or partner’s business for my wife’s; your office locations for mine. How would you feel?
SpiderLabs’ three-member team failed at some of these tasks, like 1) breaking into my apartment, 2) cracking the security on my Time Warner cable modem, and 6) gaining access to my computer and office at NYU. Sneaking into my home would have necessitated coming through neighbors’ apartments or trespassing through their yards, or climbing a fence at the courthouse down the street. One thing they did not want to do was violate any laws. Others, like 8) luring me to a malicious blog and 9) using my web designer to help them access my website, turned out to be unnecessary.
Still, what they did end up doing is impressive. They flew to New York on August 20th to stake out my home and immediately ran into problems that an urban environment can present. Brooklyn Heights is saturated with Wi-Fi networks. The team sniffed 1200 of them within a tenth of a mile radius of my brownstone. The fact they knew I use Apple computers narrowed it down somewhat, since they determine that through their canvassing. But they couldn’t identify, with any certainty, which specific Wi-Fi network was mine, and they could run afoul of the law if they intercepted traffic from someone else’s.
They then repaired to my wife’s Pilates studio, located 10 blocks away, and confronted similar wireless saturation. From the 2 nd floor of a Barnes & Noble they could see through the studio’s side windows, which offers a limited view inside. While they had pictures of my wife they found online on her studio’s website – just typing that creeps me out – they couldn’t see her while she was working nor could they determine her work schedule.
One bench gave them a bird’s eye view of my front stoop if they looked through binoculars. From there they watched my wife and me come and go.
As a result, they hatched a plan for a “client-side attack.” A female friend of Jaku, the hacker, signed up for a Pilates group class at my wife’s studio. Since Charlotte only teaches private sessions at Streamline (although she runs a class at another studio she operates, but it has a private membership) the friend enrolled in an introductory class taught by one of the other instructors. Before leaving she left behind a large purple flash drive in a changing room. The SpiderLab’s team hoped an instructor would find it and plug it into the studio’s computer in an attempt to identify the owner. The flash drive held various payloads titled “Resume” but would actually install a remote backdoor on the system upon opening of the file and “phone home” to the team.
No one, however, plugged the thumb drive into the studio’s computer. A few days later Jaku took the decoy back to the Pilates studio for another session, this time equipped with another flash drive. After the class was over the decoy informed the instructor that she had a job interview shortly after class, and asked if she could print out her resume, which was located on the flash drive. What the team didn’t know was that the studio runs an old version of Apple’s operating system – so old, in fact, that the hacker program Jaku coded couldn’t execute its nefarious deeds.
Meanwhile, the team, back in front of my apartment, had to cope with nosy neighbors. I live in a city but my block is quiet and residential, home to many families. The SpiderLabs guys had a police scanner tuned to the local Brooklyn Heights precinct, just in case someone called the cops. Three men hanging around in front of my building, however, was bound to attract attention, and it did. While trying to secret a laptop computer behind a potted plant on my stoop in an attempt to try and isolate my Wi-Fi network, they spotted a woman in a red shirt glaring from a short distance away. Eventually she gave up. Another neighbor confronted the men as she was walking her dog, telling them she had noticed them hanging around the past few days. Picchioni, the team leader, finessed an answer, claiming they were from out of town, here on business, and wanted to work outside because it was such a nice day.
The SpiderLabs gang had been put on notice. They ended up renting a ZipCar and trawled around the front of my building by hiding in the back of the car and whiling away hours in a nearby park. One bench gave them a bird’s eye view of my front stoop if they looked through binoculars. From there they watched my wife and I come and go.
Around this time, I published a piece on PandoDaily about my experience with an iPad app that coaxes children into purchasing virtual crap if they want to progress in the game. I talked a bit about my own children’s screen habits and how they read insatiably on Kindle Paperwhites. I wrote: “I prefer ebooks to hardcovers and paperbacks because we live in Brooklyn and don’t have space for all the books they read. Our basement is packed with them. Feel free to come by and cart them away to your favorite library or charity.”
Shortly after my piece posted, a woman on Twitter asked if she could take me up on my offer. It was a real Twitter account, which, I learned later, belonged to a friend of Jaku’s. “We really wanted to get into your basement,” he later told me. Not suspecting anything, I responded that my wife and I would have to go through these books before we’d give any away.
Really, though, all this on-premises mishegas would turn out to be for naught. Like Dan Cohn, the team from SpiderLabs was able to get the information they sought through other means. Not with pretext calls, which are oh-so last century. Nick Percoco and his minions are children of the Internet, and have little need of a telephone. Instead, they know the art of the phish.
The first one they tried was a message to me from a student in Ohio who expressed interest in attending NYU to study journalism.
I read the email but didn’t open the attachment because it was a file type I didn’t recognize. I remember thinking why would a high school student send me an attachment with a JAR suffix? Plus, I was on break from teaching and filed the email away for the week after the semester would begin.
Since I didn’t reply the team took aim at Charlotte with a phish.
(Editor's note: Amber, whose last name has been redacted from these images, is a real person -- a Pilates instructor, in fact. The SpiderLabs team did what hackers often do, which was to use a real person's identity in case Charlotte looked her up online. The email address, however, was fake. The real Amber contacted us after the story was published. We then added the redactions.)
When Charlotte didn’t respond, they re-sent Amber's message, and at 4:30 p.m. ET on August 27, she clicked on the link and by doing so downloaded the malware that Jaku had coded especially for us.
The video didn’t work, so Charlotte sent a reply, telling Amber that while she couldn’t meet over Labor Day, she would like to see her resume, and said she couldn’t open the video clip.
There was, however, a bug in the malware (Jaku says this was his first time writing it for a Mac) and the SpiderLabs gang couldn’t maintain persistent access. So they replied to Charlotte's reply. This time, instead of a web link the payload was a zip file:
The newly updated OSX malware, which another member of the team, digital forensics specialist Josh Grunzweig coded, was dropped on to her machine. SpiderLabs now had complete access to her laptop whenever it was on the Internet.
They got into our checking and savings accounts, a corporate bond account, our credit card statements and online bills. They could, if they had wanted to, wipe us out financially.
On Charlotte’s machine were our family’s W2s, which included our social security numbers as well as our income and all of our deductions, paperwork and copies of credit card and banking statements. They also came upon a password to our home router. More frightening, they discovered her password and log in to our Chase online banking account.
Chase.com uses a two-step verification system, which momentarily stymied SpiderLabs’ hackers. Every time she or I logs on from an IP address that Chase doesn’t recognize, it offers to send us an activation code via text to our mobile phones. But a search of Charlotte’s hard drive revealed Chase cookies, which the team copied and used to convince Chase that she was logging in from home. While inside they got into our checking and savings accounts, a corporate bond account, our credit card statements and online bills. They could, if they wanted to, have wiped us out financially.
What’s more, buried deep on the hard drive, they located something else: old files of mine. Some years earlier I had bequeathed Charlotte my old PowerBook G4 Titanium, and didn’t bother to wipe clean the hard drive. Months later I smelled acrid smoke in our apartment and saw that the keyboard was on fire. After I put out the flames, the laptop refused to boot up. (The motherboard had melted.) We brought it to the Apple Store and staff -- I refuse to call them geniuses, except ironically -- copied the hard drive to a new Mac laptop. That was two or three computers ago, and each time my wife has had her hard drive ported over to the next machine. All these years these files of mine have persisted. One of them contained passwords for several online accounts, including Amazon.
In and of itself, you might think this wasn’t much of a find. So what? The SpiderLabs boys could rack up charges on my Amazon credit card. But like many people, I have developed my own system for passwords. Because I can’t possibly remember every single one to every site I use not only do I reuse passwords, I also have come up with an informal formula to create them. I might spell out a common name like Gracie (my old cat) but spell it ‘Gray see’ and use an ‘8’ to stand in for the ‘G’ and a ‘5’ for the ‘s.’ You get the idea. Recall that one of SpiderLabs’ team members is an expert in computer forensics. It didn’t take him long to crack all of my passwords.
The SpiderLabs gang broke into my Twitter account and tweeted “I love Stephen Glass,” which led to some head scratching on Twitter from those who know my role in that story. (I’m the one who outed the serial fabulist from The New Republic.) They breached my Facebook account and ordered 100 plastic spiders from Amazon then had them shipped to my home. And they cracked my iCloud password, sending me an email with the subject: SpiderLabs was here and a message consisting of a single emoticon. -)
Once they cracked iCloud they activated the “find my iPhone” app. Apple had also enabled this functionality for laptops, so they put both my iPhone and laptop in stolen mode.
The first I learned to what extent SpiderLabs had penetrated my privacy was during my class at NYU, when my laptop shut down and demanded a four-digit code to gain re-entry and my iPhone began beeping.
During our debriefing, Percoco told me that I had been, in some ways, more difficult to get to than many of his corporate clients. With a company employing thousands, there are thousands of potential vulnerabilities that can be attacked. What’s more, the rules are more constrained. For example, a corporate client will tell SpiderLabs which specific servers to target once they’re inside the network or what division to focus on within the corporate hierarchy.
With me, however, there were fewer paths that could lead to the mother lode: my laptop, email, bank, social media accounts, and home. Once in, though, his team found few firewalls protecting my data, and mostly in the form of a pastiche of passwords and log-in credentials. These, I quickly learned, were not secure.
My wife, Charlotte, was practically speechless when I told her about the hack. I had not given her any advance warning, hoping to keep the experiment as realistic as possible. At first she was fascinated, but the more she thought about it, the more uncomfortable she became. The idea that an undercover client had visited her studio and a team of spies had put our home under surveillance made her uneasy. She was relieved, as I was, that our children had been off limits.
"Promise me you'll never do anything like this again," she said. And, of course, I did.
Earlier this month, Percoco left SpiderLabs for a new job as Director at KPMG, the professional services firm, in the Information Protection practice where he’s running the same kinds of penetration tests.
As for me, since we concluded this exercise I’ve changed my passwords and log ins but I don’t delude myself into thinking I’m protected from prying eyes -- the government's or anyone else's, if they belong to someone with the right combination of skills, resources and determination.
And if I’m not safe, are you?
[Illustrations by Alex Schubert for Pandodaily]
- Share this article on Facebook
- Share this article on Twitter
- Share this article on Google Plus
- Share this article on LinkedIn