
Hackers Prove They Can ‘Pwn’ the Lives of Those Not Hyperconnected - pavornyoh
http://bits.blogs.nytimes.com/2015/10/14/hackers-prove-they-can-pwn-the-lives-of-those-not-hyperconnected/
======
downandout
This is a silly article with an alarmist title. They look at a list of sites
she likes on Facebook, then they phish her from one of them. Then she lets
them into her house where they look for post-it notes with passwords on them.
For a grand finale, they open her garage door. I guess the takeaway here is
don't let people that identify themselves as "hackers" through your door and
into your home office if you have passwords written on post-its, but I am
fairly certain this is a rare occurrence.

~~~
FussyZeus
I'd disagree, I think it is an excellent example of people who think they don't
need to worry about security because they aren't on the Internet very much. It
was all pretty mundane I agree, right up until they had her power of attorney
and social security number.

This should be a wake up call to the have-nots: You aren't safe just because
you don't post on Facebook and you don't use the computer. Just because you
don't drive doesn't mean you can't be hit by a car.

~~~
downandout
_> It was all pretty mundane I agree, right up until they had her power of
attorney and social security number._

They only got these _after she let them into her house and gave them physical
access to her computer_. Of course it's only common sense that anyone that is
allowed into your home and onto your computer can "pwn" you and worse - hacker
or not. That's why 99.9% of people, including this woman, wouldn't allow
strangers into their home and give them unfettered physical access to their
computer.

The article title implies that they were able to "pwn" her through "hacking".
The only mildly interesting thing they did in this regard was the spear-phishing
attack based on her Facebook likes.

~~~
FussyZeus
As I read it, they got that information from her email, and were I a betting
man I'd say probably Yahoo or Gmail. They already had her password; getting it
from the website would be trivial. This is all my own assumption of course.

The underscore here is that a limited use case person, someone who
occasionally posts limited things and doesn't do anything beyond casual
ebaying can still be a victim.

~~~
downandout
Yes, they got it from email, but they didn't get into the email until they
were in the house and got the password from a post-it note for the main
account, and the daughter had the browser auto-fill it. They wouldn't have had
either of these without a willing participant that let them into the house to
find the information. It's like saying "I was easily able to rob the bank
vault after the manager opened it".

~~~
FussyZeus
You make it sound like achieving remote access to this machine with two dozen
malicious programs on it would be difficult. I highly doubt the machine is as
hardened as her Facebook is.

The chain is only as strong as its weakest link.

------
sdoering
Well actually, looking at the things my parents and parents-in-law did on
their home networks, their Smart TVs and so on, having this in an
understandable form for the lay person is really good.

To understand that your door opener, your TV and other things can be "hacked"
is important. The information to use different passwords for every service is
important.

We as people in the know have to help our elders and peers to see how easy it
is to use a pwd-mgr and have a little bit more basic security.

If nothing more, this piece goes a step in the right direction.

~~~
oAlbe
Don't trust password managers. They are hackable pieces of software just like
the ones you are trying to protect. And they are not reliable (see the latest
news of the LastPass acquisition by LogMeIn).

I'm not saying you should ditch password managers and just memorize all of
your passwords. I'm just saying: use them as a well-informed user.

Back in the day, Bruce Schneier suggested writing passwords down on a piece
of paper and keeping it in your wallet as the _least weak_ security measure.
Today, based on this article[0], he actually recommends the use of a password
manager _" [...] simply because it allows you to choose longer and stronger
passwords."_, which basically means it's the lesser of two evils.

[0]
[https://www.schneier.com/blog/archives/2014/09/security_of_p...](https://www.schneier.com/blog/archives/2014/09/security_of_pas.html)

~~~
scintill76
Not all password managers are commercial, closed-source, and cloud-connected.
This probably wasn't a main point of yours, but since you mentioned LastPass I
felt this should be clarified.

I'm currently using PasswordSafe (in Wine on Linux) with git to
version/synchronize between systems. It _is_ kinda painful, but at least it's
nice to not be syncing to somebody's cloud or running in a browser.

I've been thinking about converting an old Android device into a more secure
password manager. I envision having the device hold the decryption key for the
PW "vault" as long as it's connected to my authenticated system. I either
request credentials from the PC and approve on-device, or select them on the
screen, and it types them as a USB keyboard (or perhaps some other way less
prone to garden-variety keyloggers.) I guess I haven't because it's kind of a
lot of effort and will lower convenience levels. :)

I ought to at least find a better way than the clipboard, to transfer
passwords from the manager app to the browser etc...

~~~
zwp
I want a small hardware, non-connected tablet that acts exclusively as a
password manager. It connects to the computer I'm using as a USB keyboard
device and only "types" a password when I physically tell it to ("yubikey on
steroids"). Backups and system updates via flash card with encrypted
filesystem. No wifi, no bluetooth, no phone, no ethernet, no other purpose.

Edit: heh, that's funny, you edited your comment as I was replying? Now we
just need someone to build it for us :)

~~~
reefab
This exists:
[https://hackaday.io/project/86-mooltipass](https://hackaday.io/project/86-mooltipass)

~~~
scintill76
Cool, thanks! It's funny that I and other potential target audience members
here, were apparently unaware of this; the internet is a big place. It's a bit
too expensive for me, I think -- at least the pre-assembled version. I may
steal the smartcard idea, though (or some other form of hardware security.) It
might be possible to coerce a phone's SIM slot into serving as an interface to
a card.

------
TlDrBot
Summary: Hackers send grandmother phishing mail. Grandmother enters her email
address and password. Hackers go into house of grandmother. Hackers change
settings on router and television of grandmother.

~~~
lqdc13
Yeah, I don't consider the phishing scams interesting at all. This seems like
more of a marketing stunt than anything. And it's borderline not hacking.

They actually didn't even do the whole thing themselves. Instead they hired a
phishing service...

To me this is more similar to people dressed as UPS truck drivers going inside
an apartment and stealing keys. Or a cashier taking a picture of a customer's
credit card.

P.S. Excellent bot if it is a bot. It seems to be taking sides on an issue and
not just summarizing, which I haven't seen happen previously with any other
summary bots.

~~~
rezistik
Social Engineering is absolutely hacking. This wasn't a sophisticated example,
but it's still a very real threat.

~~~
coldpie
I guess I have a narrower definition of hacking, specifically that it is using
technology in a way it wasn't intended. If you ask someone for their
credentials and they give them to you, I don't see that as being "a hack,"
although I guess modern parlance would say the victim "was hacked."

~~~
kqr
"Hacking" is in everyday parlance not too far from "gaining unauthorised
access to a technical system."

Social engineering is often a very efficient alternative to rainbow tables,
wiretapping, buffer overruns and other technical exploits.

~~~
rezistik
It's often the only or best way too. The more secure a place is the easier it
is to get in. People become very trusting. Carry a clipboard and look like you
know where you're going and you can walk damn near anywhere.

------
spyder
_" Critical points were that Mrs. Walsh needed a new garage door opener..."_

I'm surprised they only care about the electronic locks and didn't show how
easy it is to pick most of the mechanical locks. Especially when they are
talking about the "not hyperconnected" hacks.

~~~
comex
Or, you know, break the window, if the garage has a window, or use some other
more brute force technique. Less stealthy, but not incredibly different for
most purposes.

~~~
ryanlol
And with just a roll of duct tape you can silently break a window.

------
cxseven
Fake virus warnings also sucker a lot of older people. Putting them on
Chromebooks kills a lot of birds with one stone.

~~~
pja
There’s still the possibility of malicious Chrome extensions: I had to
eliminate one or two from my son’s Chromebook recently. The naive will always
be vulnerable to bad actors unfortunately.

~~~
axelfreeman
I recommend this extension to find malicious Chrome extensions.
[https://chrome.google.com/webstore/detail/chrome-apps-extensions-de/ohmmkhmmmpcnpikjeljgnaoabkaalbgc](https://chrome.google.com/webstore/detail/chrome-apps-extensions-de/ohmmkhmmmpcnpikjeljgnaoabkaalbgc)
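
The check a practitioner would actually want here is a look at what an installed extension is allowed to do. The following is an added example written for this thread; it is not code from the article or from the extension linked above. It audits Chrome extension manifests for the combination that matters, broad host access plus APIs that can read or rewrite traffic, cookies or the clipboard, and for a content security policy that lets the extension load code after it has been reviewed. The two manifests are constructed samples; the permission lists, the risk levels and the desktop profile layout it globs are assumptions for illustration, not Chrome policy.

```python
"""Added example (not from the thread or the linked extension): audit Chrome
extension manifests for broad host access combined with sensitive APIs.
The sample manifests below are constructed; the permission sets and the
profile layout used by audit_profile() are assumptions, not Chrome policy."""
import json
from pathlib import Path

# Match patterns that grant access to every site (assumed list of common spellings).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*"}

# API permissions that let an extension read or alter traffic, cookies, the
# clipboard or other processes (assumed list; extend to taste).
SENSITIVE_APIS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "tabs", "webNavigation", "history", "clipboardRead", "nativeMessaging",
    "debugger", "proxy", "management", "scripting",
}


def host_patterns(manifest: dict) -> set:
    """All host match patterns, wherever the manifest version puts them.
    MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions";
    content scripts carry their own "matches" either way."""
    pats = set()
    for key in ("permissions", "host_permissions"):
        pats.update(p for p in manifest.get(key, []) if "/" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def api_permissions(manifest: dict) -> set:
    """Named API permissions only, with host patterns filtered out."""
    return {p for p in manifest.get("permissions", []) if "/" not in p and p != "<all_urls>"}


def allows_remote_or_eval(manifest: dict) -> bool:
    """A CSP permitting eval() or http(s) script sources lets the extension change
    behaviour later without going through a store update.  MV2 stores the CSP as
    a string, MV3 as a dict of contexts."""
    csp = manifest.get("content_security_policy", "")
    texts = csp.values() if isinstance(csp, dict) else [csp]
    return any("unsafe-eval" in t or "http" in t for t in texts)


def audit(manifest: dict) -> dict:
    """Return {'name', 'level', 'reasons'} for one manifest."""
    broad = host_patterns(manifest) & BROAD_HOSTS
    sensitive = api_permissions(manifest) & SENSITIVE_APIS
    remote = allows_remote_or_eval(manifest)
    reasons = []
    if broad:
        reasons.append(f"runs on every site via {sorted(broad)}")
    if sensitive:
        reasons.append(f"uses sensitive APIs {sorted(sensitive)}")
    if remote:
        reasons.append("CSP allows eval or remotely loaded script")
    if broad and sensitive:
        level = "high"
    elif broad or sensitive or remote:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level, "reasons": reasons}


def audit_profile(profile_dir: str) -> list:
    """Audit every installed extension under a desktop Chrome profile.
    Assumed layout: <profile>/Extensions/<id>/<version>/manifest.json."""
    results = []
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(path, encoding="utf-8") as f:
            results.append(audit(json.load(f)))
    return results


# Constructed samples: a harmless note-taker and a coupon extension that
# can see and rewrite every page, read cookies, and fetch code at run time.
NOTES = {"manifest_version": 3, "name": "Plain Notes", "permissions": ["storage"]}
SHADY = {
    "manifest_version": 2, "name": "Free Coupon Finder",
    "permissions": ["tabs", "cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["inject.js"]}],
    "content_security_policy": "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'",
}

if __name__ == "__main__":
    for m in (NOTES, SHADY):
        r = audit(m)
        print(f"{r['name']}: {r['level']}", *r["reasons"], sep="\n    ")
```

Point `audit_profile()` at a real profile directory to run it over what is actually installed; a "high" result is not proof of malice, but it is the set of extensions whose publisher you should be able to name.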

------
a3n
So many people here are dismissing this as unsophisticated.

Burglars have always targeted items that are valuable to them. Easy to sell,
gets a good price, etc.

Now we have digital assets in the home, and burglars are going to focus on
those things too. For most of the population, and probably many of "us",
physical access to those digital assets isn't particularly secure. And to have
those assets "taken" today is much more far reaching than to have lost a
stereo or checkbook.

Just because the attacker had to get off his couch and go somewhere shouldn't
minimize this threat. "Physical access means you're pwned" is a true
statement.

One thing I do at home, for example, is to use full disk encryption on my
laptop, _and hibernate it when I leave_. So that if someone steals it, it's
just a plastic brick. For exactly the scenario described in the article.

~~~
notfoss
I have always considered it to be a good practice to use disk encryption on
laptops (or other mobile devices), but after thinking about the burglar
scenario, I think it is better to encrypt the desktops as well.

------
methou
>> To spare Mrs. Walsh any actual harm, the hackers used a service called
Phish5, which does not actually store passwords and is often used by employers
to test employees’ ability to spot malicious phishing cons.

I'm signing up for Phish5. Looks like exactly what I need for my team.

------
6stringmerc
An interesting piece and definitely has some merit depending on the audience.
False sense of security. Bad habits. This is kind of an exaggerated approach
to teaching.

For anybody who doubts that "gaining physical access" automatically
disqualifies the results, let me share a recent uptick in a specific con in my
area that could very well be adapted as a template to other unsuspecting
areas:

Two men in hard-hats and workman clothes approach a home, clipboard in hand,
and claim to be with the "power company" and want to have a moment of time to
talk about some trees close to the power lines. It's a right-of-way issue.
They ask for the resident to come out and take a look with them. All seems
pretty normal.

The talker gets the person or couple's attention while the other makes a quick
excuse to go back to the truck out in front of the house. The talker carries
on about how they're going to take care of the trees at no cost to the
residents, and they act very cordial overall. Meanwhile, the partner has gone
into the home via the front door which was left unlocked, goes for the most
likely targets of value (ex: jewelry). The partner goes to the truck while
talker wraps up and leaves. By the time the residents notice anything is
amiss, the duo are long gone.

Trust-cons are a huge issue for a large portion of the population, in my
opinion. Being prepared to be charmed while being fleeced is not how normal
people go about their day.

------
jtchang
It's easy to dismiss it as a phishing scam but these days some of them can be
very convincing and elaborate. It's not hard to obscure URLs, obtain good
looking SSL certs, and have a good story behind it. Social engineering will
always work.
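
Since the padlock only proves you are talking to the host in the address bar, the useful habit is to read that host off the link before trusting it. The following is an added example written for this thread, not code from the article: it pulls the host a browser will really connect to out of a URL and reports the usual ways a phishing link hides it (a brand name parked in front of `@`, a brand name as a subdomain of someone else's domain, a bare IP address, and a Punycode lookalike with a Cyrillic letter). It uses the standard library only; the sample links, the `.example` domains and `facebook.com` as the expected brand are constructed for illustration.

```python
"""Added example, written for this thread and not code from the article:
extract the host a browser will actually connect to from a link, and say
why it is not the brand the link pretends to be.  Standard library only.
The sample URLs, the brand domain used as the expectation and the
'.example' domains are constructed for illustration."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host the browser connects to: lower-cased, trailing dot dropped.
    urlsplit().hostname already discards userinfo ('user:pw@') and the
    port, which is exactly where a deceptive link hides the real host."""
    return (urlsplit(url).hostname or "").rstrip(".")


def decode_label(label: str) -> str:
    """Turn an A-label ('xn--...') back into Unicode; pass others through."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def scripts_in(text: str) -> set:
    """Unicode script family (LATIN, CYRILLIC, ...) of every letter in text."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def on_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyze(url: str, expected_domain: str) -> dict:
    """Report on a link that claims to belong to expected_domain.
    Returns {'host', 'unicode_host', 'findings'}; each finding is (code, why)."""
    parts = urlsplit(url)
    host = effective_host(url)
    unicode_host = ".".join(decode_label(lab) for lab in host.split("."))
    findings = []
    if parts.username is not None:
        findings.append(("userinfo",
            f"'{parts.username}' before '@' is a username, not a host; real host is {host}"))
    try:
        ipaddress.ip_address(host)
        findings.append(("ip-literal", f"host is a bare IP address: {host}"))
    except ValueError:
        pass
    if unicode_host != host:
        findings.append(("punycode", f"host is IDNA-encoded; it displays as {unicode_host}"))
    scripts = scripts_in(unicode_host)
    if len(scripts) > 1:
        findings.append(("mixed-script",
            f"host mixes scripts {sorted(scripts)}; likely a lookalike"))
    if not on_domain(host, expected_domain):
        brand = expected_domain.split(".")[0]
        code = "brand-in-subdomain" if brand in host else "off-domain"
        findings.append((code, f"{host} is not under {expected_domain}"))
    return {"host": host, "unicode_host": unicode_host, "findings": findings}


# Constructed samples: one genuine link and four deceptive shapes.
# The lookalike spells the brand with a Cyrillic 'о' (U+043E) and is IDNA-encoded
# here, the way it would travel in a mail.
LOOKALIKE = "https://" + "faceboоk.com".encode("idna").decode("ascii") + "/login"
SAMPLES = [
    "https://www.facebook.com/login",
    "https://www.facebook.com.account-verify.example/login",
    "https://www.facebook.com@login.example/",
    "http://203.0.113.7/facebook/login",
    LOOKALIKE,
]


def report(expected_domain: str = "facebook.com") -> list:
    return [analyze(u, expected_domain) for u in SAMPLES]


if __name__ == "__main__":
    for r in report():
        print(r["host"], "->", [c for c, _ in r["findings"]] or ["ok"])
        for _, why in r["findings"]:
            print("   ", why)
```

The `on_domain()` check is deliberately a suffix match against a domain you already trust; without a public-suffix list it cannot tell `facebook.com.account-verify.example` apart from a legitimate subdomain on its own, which is why the brand-in-subdomain case is reported as its own finding rather than guessed at.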

------
746F7475
So "those not hyperconnected" means just normal people?

I don't claim to be hacking-proof since I don't control every bit of my data
myself, but if someone came into my house they wouldn't find passwords in a
notebook or saved passwords in my browsers.

------
tefo-mohapi
This is more about how hackers use phishing (old) to get passwords etc.
Nothing new. Actually it looks like phishing works best on those not
hyperconnected or heavy internet users because they would most likely know
the pitfalls.

------
axelfreeman
Hackers can "pwn" you by not even hacking you. If someone can hack e.g. your
phone provider or something you can get even worse problems and you did not
do anything wrong.

------
dalacv
Does anyone really say 'Pwn' anymore?

~~~
mhurron
[https://en.wikipedia.org/wiki/Pwn2Own](https://en.wikipedia.org/wiki/Pwn2Own)

------
edem
Aren't they crackers instead of hackers?

------
curiousjorge
yeah you can break into anyone's homes without a computer, imagine that media!

------
artjacob
So cute :)

