Hacker News new | comments | show | ask | jobs | submit login
Operation Luigi: How I hacked my friend without her noticing (2017) (pdf.zone)
217 points by petethomas 7 days ago | hide | past | web | favorite | 58 comments





> She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.

That line was fucking gold.


> Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral code DIANA to be immediately reported to the NSA.

This one definitely got me!


"I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”, slide out a yellow and black canister labelled “CHINA”, break open the safety seal, and use safety tongs to extract the following red-hot phish."

Gold.


Banks and the rest hate me. I use keypass to generate random alpha numeric 'passwords' I use for the answers to personal questions.

I have personally experienced a CS rep accepting “it’s just a bunch of random characters” as an answer. Combined with the fact that you just went on the record as using that scheme, your opsec just took a dramatic hit.

Use plausible sounding, but random answers.


The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.

Whats the name of the first school you went to?

"School"

Whats the name of your first pet?

"Pet"

---

I use this scheme when i need to come up with these types of answers for a service that i dont deem as super critical or risky...


That’s twice in this thread that someone has revealed pretty potent details of their personal security.

it just goes to show that these questions are useless as a security barrier. Any institution still using them are doomed to have social-engineering vulnerability.

Any company employing low cost workers is vulnerable to social engineering and bribery.

I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.

Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.


What's the absolute worst that could happen if you crack my free account on some cooking website?

Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....


> What's the absolute worst that could happen if you crack my free account on some cooking website?

The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.

If you didn't do that, then the impact is approximately zero.

Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...


Wherever you can publish text or media (eg, on a cooking site) speech crimes can be committed under your account.

Fancy a prison term in one of the more enlightened European jurisdictions, or Canada?


Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!

I disagree. I do the same for certain sites. I have a gmail that I use for weird sites that I most likely won't visit again or any time soon and answer the security questions much the same. If this account gets compromised I literally lose nothing other then make a new gmail and do it again. This shows nothing about my bank or Facebook or actual gmail account security as those I do take steps to protect.

Hopefully they're using unique usernames and not using the same username all over the Internet. Or, worse, a variation of their real name as a username.

That's Amazing! I've got the same security answers on my luggage!

In this case a password like “to be repeated exactly: <random string>” has the same properties and can be divulged without affecting opsec particularly.

(Un)fortunately, normal people don't think like programmers. That's why security questions exist, in the first place. Do you think they won't accept "It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were the days."

If you think that's bad: I always enter a fake phone nr. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.

Don't play games.


Not that I condone this strategy, but what is the threat model where an impersonator knows to say, "It's to be repeated exactly, and then adso&#fjsou..."?

I'd go with "putting your security question strategy on a public forum", for starters.

Security through obscurity strikes again.


Well yeah, in this case that's the weakness. But before parent announced their strategy on this forum, what was the threat model? Hell, let's assume OP obfuscated the introductory part in their comment to avoid that leak.

If they're willing to brag about their passwords on the internet, I'd be willing to bet that family and friends have the same information.

Assuming that wasn't true, a customer service rep for the phone company could call the customer's bank and try to impersonate the customer, assuming it's used often (like the poster stated).


Im always shocked by how small the fields for some of those inputs are though. How much space for entropy do you have left after including the notice about needing an exact match?

This is where "correct horse battery staple" password generators might be good.

Well, hell, I got off with just saying "I don't remember it" an then following up with details of _recent_transactions_ not one time. This whole "personal question" scheme is useless.

I just reset my password for American Airlines. They ask me 3 (what I would consider public questions) about myself, then let me reset the pw in browser. No emails or any other authentication. Im still blown away.

Got bitten by this when I had to give a 32-character alphanumeric answer over the phone. I groaned and asked, "Can I just give you the beginning and the end?" The rep laughed and accepted my compromise. Since then, I use a collection of random words (in the style of correct-horse-battery-staple) for security questions.

What are some of the ways this blows back? Having to answer them over the phone when they're not passwords, but more like customer service gatekeepers?

I do this as well and it has yet to blow up in my face, though it does seem like an inevitability.


I got pretty good at memorising alpha bravo charlie[1] so I just jump straight into that, and for characters like #, * and ! I try and use the word I know is most common, e.g. in english "pound", "star" and "exclamation mark". "hash" and "bang" get me what I suppose are the equivalent of blank looks..

So I have nicely complex passwords generated by Keepass and the staff usually don't think anything of it once I mention I work in "computers".

[1] https://en.wikipedia.org/wiki/NATO_phonetic_alphabet


I used to do a slightly different system where I'd have ridiculous answers, sort of a word game play on the question itself, and forgetting your secret answers with a company like Verizon can take days to figure out.

I do this but instead of passwords like `NGIyNzgwMTEyNDczYTIyNjEwYWRhYWZh` I'd use `BatteryHorseStaple33` to the question: Where were you born.

I've never had it blow up in my face with any rep, and I make sure to keep the passwords in an offline (never touches any network) laptop.


My bank (HDFC India) specifically states while setting up the security question that the bank will never ask for these (over phone or elsewhere), so I'm happily using random UUIDs

HDFC appears to have truly terrible security, someone managed to sign up with my email address and a really weird mailing address - like an airport warehouse or something, then proceeded to fill up the card and never paid it back. I emailed HDFC about it but they never responded.

Apparently they don't even do e-mail verification.


What is the point of a security question if they never use it?

Asking you to fill them online for password recovery etc?

Yes, they use it for 2FA sometimes on netbanking transactions.

I get asked for single characters of mine a lot

I treat them as less secure passwords -- passwords that often a representative at the company has access to. (I've experienced instances of people on the phone (upon my calling the organization at a known number) soliciting their answers and checking them against what they have on their screen. Usually these days, with actual passwords, they undergo a computerized check and members of the organization have no access to their values -- or at least to their unencrypted values. (Although, don't blindly depend upon that assumption.)

Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.

The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...


Diceware phrases work well here, too!

the content of the article is good - but the writing style does not sit well with me. It's an odd sense of humour and a writing style more suited to instant messages perhaps rather than a blog.

Going off on quirky tangents can be an effective tool for keeping a reader interested. It reminds me a little of Douglas Adams. He punctuates the hard science fiction with goofy anecdotes to get the reader thinking about the subject from another perspective and to keep them entertained.

It is not a tutorial on how to phish or a vulnerability report, but rather a story about how motivation is potentially more important to phishing than technical skill. Without the casual writing style, the main character (and author) might have seemed more sophisticated, which would have diminished the point of the story.


A joke here and there is fine, but this person injects his jokes attempts pretty much every sentence. That gets annoying quickly.

I guess the threshold isn't the same for all of us, I didn't get irked by he jokes at all... however around halfway through I started wishing for it to be over soon(tm)

Eh, I liked it. Many writers in the tech space are trying to be as concise and clear as possible. If this article had been more 'academic' in that sense I think I would have lost interest after a few paragraphs because, well, nothing in this article is really new. It's just a fun anecdote about the reality of cyber security.

It can be seen as a style that emphasizes just how 'casual'/easy this attempt was, so I think it adds to the content.

My goal here is to figure out what Diana’s actual password is, given that I have her password hash. This process is commonly known as “hacking”.

This is hilarious!!


This is an interesting model for how to provide training/education

This post periodically makes it way back to the top. Last I checked it was 6 months ago

Posted numerous times, a year ago, including: https://news.ycombinator.com/item?id=14919845

On the site (https://mango.pdf.zone/), the above link is called 'Salty Hacker News comments'

That's pretty funny. I didn't like the writing style at first either, but it got funnier as I carried on (or maybe the writing got better too). By the end I was questioning why I was so resistant to light-heartedness in the first place.

Overall, a really great breakdown of a textbook phishing attack.


This is certainly not how trust in human relationships is reinforced :)

Get consent before hacking your friends.~~

Edit: This is awkward - I was sure I read it one of the previous times it was posted. Chapeau!


Consent was obtained, as described in the article.

Did you read the article? The author got consent.

> Please don't insinuate that someone hasn't read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."

https://news.ycombinator.com/newsguidelines.html


To be fair to the above it's a pretty central factoid that is mentioned more than a few times, but yes, I agree with you.



Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: