2013-10-29

Original Post: pandodaily.com

Quote:

I challenged hackers to investigate me and what they found out is chilling

By Adam L. Penenberg On October 26, 2013

It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.

I’m being hacked — and only have myself to blame.

Two months earlier I challenged Nicholas Percoco, senior vice president of SpiderLabs, the advanced research and ethical hacking team at Trustwave, to perform a personal “pen-test,” industry-speak for “penetration test.” The idea grew out of a cover story I wrote for Forbes some 14 years earlier, when I retained a private detective to investigate me, starting with just my byline. In a week he pulled up an astonishing amount of information, everything from my social security number and mother’s maiden name to long distance phone records, including who I called and for how long, my rent, bank accounts, stock holdings, and utility bills.

The detective, Dan Cohn, owned and operated Docusearch, a website that trafficked in personal information, and at the time, he was charging $35 to dig up someone’s driving record, $45 for his bank account balances, $49 for a social security number, $84 to trace a mobile number, and $209 to compile his stocks, bonds, and securities. The site offered a simple clickable interface and Amazon-like shopping cart. It’s still around today, boasting similar services. “Licensed Investigators for Accurate Results” reads the tag line, calling itself “America’s premier provider of on-line investigative solutions.”

For Cohn, digging through what I had assumed was personal information, was less challenging than filling in a crossword puzzle. He was able to collect this amalgam of data on me without leaving the air-conditioned cool of his office in Boca Raton, Florida. In addition to maintaining access to myriad databases stuffed with Americans’ personal information, he was a master of “pre-texting.” That is, he tricked people into handing over personal information, usually over the telephone. Simple and devilishly effective. When the story hit newsstands with a photo of Cohn on the cover and the eerie caption: “I know what you did last night,” it caused quite a stir. It was even read into the Congressional Record during hearings on privacy.

A decade and a half later, and given the recent Edward Snowden-fueled brouhaha over the National Security Agency’s snooping on Americans, I wondered how much had changed. Today, about 250 million Americans are on the Internet, and spend an average of 23 hours a week online and texting, with 27 percent of that engaged in social media. Like most people, I’m on the Internet, in some fashion, most of my waking hours, if not through a computer then via a tablet or smart phone.

With so much of my life reduced to microscopic bits and bytes bouncing around in a netherworld of digital data, how much could Nick Percoco and a determined team of hackers find out about me? Worse, how much damage could they potentially cause?

What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets. Most of us have adopted the credo “security by obscurity,” but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy — and, if they choose, to wreak havoc on your finances and destroy your reputation.

I’ve never actually met Nick Percoco, which, for all he knows about me, might seem strange.

Earlier this year I contacted him to pen a guest post for PandoDaily. In it, Percoco warned that unscrupulous people could potentially intercept your private messages and inject malevolent code into your computer over a coffee shop’s Wi-Fi. I liked how he wrote the piece. He didn’t hype the threat. Instead he laid out the facts, relayed some anecdotes from his work, and offered basic, actionable prescriptions.

You can tell a lot about a person by the way he writes. As a journalism professor, I get to know my students’ writing better than they know it themselves. And Percoco, through his prose, struck me as someone who was smart, well informed on security issues, and careful with what he said and how he said it. “Comp-sec,” as it’s called – short for computer security – is rife with charlatans. It often seems the more fame someone accrues in that world, the less he’s accomplished and even less he knows.

For this particular job, trust would be vital. If I were to invite someone to wheedle his way into my life, sneak into my finances, sniff my email, capture my web surfing, maybe even break into my home, I had to be damn sure he and the people he worked with wouldn’t use this information for nefarious purposes. I checked up on Percoco and couldn’t find anything that reflected badly on his character.

Percoco, 38, considers himself a white hat hacker, and has been breaking into companies (with their blessing) for 14 years. In what is perhaps the perfect metaphor for what he does and who he is, he lacks recognizable fingerprints, a quirk of nature, he assures. Once in Colombia, he says, he was denied entry into a building because the turnstile, equipped with a fingerprint identification pad, couldn’t get a fix on his digits. Percoco prides himself on having the skills of a black hat hacker while maintaining what he calls the highest ethical standards.

Not only does he attack computer vulnerabilities, Percoco performs on-site intrusions. Over the years he has performed hundreds of pen-tests and physical break-ins, slipping into hospitals, insurance companies, manufacturers, magazine and newspaper companies, power companies, and many more – clients, he says, that he’s forbidden to reveal.

Once, he says, he was hired to gain access to a hospital’s computer systems housed in a data center. Wandering the hallways, he followed the signs until he saw one for the IT department. It led him to a server room behind a glass door. Inside there was a woman printing out patient records. All Percoco had to do was knock and she let him in, no questions asked. He ambled over to a computer with a mouse and in a few clicks logged on as the systems administrator. Now he had access to patient records, and could have, if he’d wanted, taken down the entire network. The hospital’s chief information officer had wanted more resources for security. He got them.

Percoco told me he was intrigued by my proposal because he and his team almost always investigate corporations, not individuals. He wondered aloud whether I would be easier or harder to attack than a corporation. Both he and I were eager to find out.

In 1999, detective Dan Cohn’s most powerful weapons were a telephone and unmitigated gall. True to his word, exactly one week after he started my investigation, he faxed me a three-page summary of my life. It began with my base identifiers – full name, date of birth, social security number, home address – which he obtained from my credit report. Companies like Equifax claim they have protections in place to guard against fraudsters, but Cohn told me he went through a reseller.

Equipped with my credit header, Cohn had what he needed to access a Federal Reserve database listing my deposit accounts, some of which I had long forgotten – $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account. A few days later Cohn located my Merrill Lynch cash management account, which I had opened a few months earlier. He then had my checking and savings account balances, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker. In addition to my finances, he also obtained utility bills and two unlisted phone numbers, which cataloged a bevy of long distance and local phone calls I had made.

Armed with this information, Cohn could have easily mapped out my routines. He knew how much cash I withdrew from ATMs each week, how much Forbes deposited into my checking account twice a month, the cafes and restaurants I frequented, the monthly checks I wrote to a shrink. He possessed my latest phone bill and a list of long distance calls to and from my home, including late-night fiber-optic dalliances with a woman I was dating and who worked for an advertising agency and traveled a lot. Cohn also divined phone numbers of a few of my sources, including a couple of computer hackers who had told me of their black hat activities.

While databases assisted him with my basic information, to secure the nitty-gritty detail of my life, he needed help, which he wrangled from the actual companies I did business with.

Part of the deal I struck with Cohn required him to tell me exactly how he did what he did, but he held back when it came time to pony up. To fill in the gaps I contacted my phone company (Bell Atlantic, now Verizon), long distance phone provider (Sprint), and bank (Merrill Lynch), telling them what Cohn had done and demanding an explanation. Each, in turn, launched an investigation. With the results I went back to Cohn, who confirmed the information and added additional detail.

Sprint informed me a Mr. Penenberg had called to inquire about my most recent bill. He posed as me, and had enough information to convince the customer service representative he was me. The caller had the operator run through the last couple of dozen calls I had made. It was a similar story with Bell Atlantic, only this time it was a Mrs. Penenberg who did the dirty deed.

With Merrill Lynch, Cohn also phoned customer service. This time, however, he was relatively upfront. “Hi,” he said, “I’m Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg.” Later Cohn told me official-sounding words like “licensed” and “state” make him sound legit, as if he worked in law enforcement. Then he reeled off my social security number, birth date and address, which he had gleaned from my credit report, and, he told me later, “before I could get out anything more he spat out your account number.”

Cohn wrote it down then told the helpful operator, “I talked to Penenberg’s broker, um, I can’t remember his name…”

“Dan Dunn?” the Merrill operator asked.

“Yeah, Dan Dunn,” Cohn repeated.

Merrill’s minion then recited my balance, deposits, withdrawals, check numbers and amounts. “You have to talk in the lingo the bank people talk so they don’t even know they are being taken,” Cohn said, obviously pleased with himself.

Such pretext calls are technically illegal under the Gramm-Leach-Bliley Act of 1999, at least if used to obtain financial data from individuals or financial institutions, but it’s rarely enforced and hard to catch.

But I needn’t have worried, Cohn assured me. He promised he would never resell the information to anyone else. “Unlike an information broker, I won’t break the law,” he told me. “I turn down jobs, like if a jealous boyfriend wants to find out where his ex is living.”

At the time, I thought this was an odd statement, strangely specific, which he had volunteered. What I didn’t know was that at the same time he was digging up dirt on me, Cohn was embroiled in a tragic case involving a stalker, who had paid Docusearch to locate his victim.

According to court documents, on July 29, 1999, New Hampshire resident Liam Youens paid Docusearch for the social security number, home and work addresses for 20-year-old Amy Lynn Boyer, another New Hampshire resident. Docusearch went through a subcontractor, Michele Gambino, who relied on pretexting. She called Boyer in New Hampshire, lying about who she was and why she was calling in a bid to trick Boyer into revealing her employment information. Gambino passed this information on to Docusearch, which provided it to Youens.

A week later Youens drove to the dentist’s office in Nashua, New Hampshire, where Boyer worked. He waited in ambush while she got in her car and drove up beside her. Leaning out of his car, he put the barrel against her window. He called her name so that she would look up.

Then he shot and killed her.

Seconds later he turned the gun on himself.

“Amy never knew it was coming,” her stepfather, Tim Remsberg, said in an interview with the tabloid news show, “48 Hours.”

Youens, who was unemployed and lived with his mother, had been stalking Boyer for years, chronicling his obsessions on a web site. On it, he confessed that he had fallen in love with her in 8th grade. Later, after Boyer rebuffed his advances, he decided she must die. On the website, “48 Hours” reported, he foretold how he would kill her: “When she gets in, I’ll drive up to the car blocking her in, window to window. I’ll shoot her with my Glock.”

Amy Boyer’s mother sued Docusearch, alleging that Cohn and his partner had invaded her daughter’s privacy and broken other laws when they assisted Youens in locating her, while the online information broker claimed the information wasn’t private. After the case wound through the courts, the New Hampshire Supreme Court ruled that the lawsuit could proceed to a jury trial, and Cohn and Zeiss ended up settling with the family for a reported $85,000.

Afterward, Cohn promised, “Our policies and the way we do business has changed as a result.”

After Nick Percoco and I hammered out the broad outlines of our project – his team would not break any laws, and they would leave my kids out of this – I signed a waiver (courtesy of Trustwave’s lawyers) that barred me from suing the company if my information ended up in the wrong hands. Percoco kept the timetable vague and frankly, after a month dragged into two, I almost forgot about it. But his team, comprised of security analyst Garret Picchioni, digital forensics specialist Josh Grunzweig, and hacker Matthew Jakubowski (Jaku), were anything but idle.

Percoco didn’t tell me who my investigators would be, and even if he had told me in advance it wouldn’t have done me much good. Like most information security professionals who pen-test for a living, Picchioni and Grunzweig had taken steps to limit their online footprints. Google their names and you won’t find all that much, other than they have all given presentations at hacker conferences on highly technical topics.

Garret Picchioni’s Twitter bio says “Information Security Professional for {redacted}, Network Engineer, and resident pain in the ass” accompanied by a photo of South Park’s Cartman wearing a cheese hat. His LinkedIn profile also reveals little. He’s been in the information security business since 2004, authored an academic paper that analyzed more than 2.5 million anonymized passwords, and took six years to graduate from the University of Arizona, where he majored in history and minored in information security. Meanwhile, SpiderLabs “has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally.”

Josh Grunzweig is even more stealthy. His Twitter bio is simply “malware reverser | beer drinker | hockey fan” and his LinkedIn profile barely qualifies as a profile. He graduated from Rochester Institute of Technology with a degree in Applied Networking and System Administration, and minored in criminal justice. Some activities he listed are information security, snowboarding, running, movies, music, traveling, and grabbing a drink with friends.

Of the three, Matthew Jakubowski, or “Jaku,” as he likes to be called, has the most Google juice. Last year he turned a dry erase marker into a tool that could pick a hotel lock in seconds flat. In the avalanche of media attention that followed, he revealed that he could steal credit cards wirelessly using a radio identification reader without your having to pull your Mastercard out of your wallet. His Twitter bio warns, “Neque dicas, quid neque,” which in Latin means “Don’t tell me what to do.” According to his scant LinkedIn profile Jaku majored in “Sandwich Engineering” and minored in “Witch Hunting” at “College University.”

Percoco told me they began the project by pulling up everything they could about me on the Web, sifting through my website and various writings, looking for anything that could point to potential vulnerabilities. They gleaned some interesting nuggets, including the type of computer I use (I’ve written that I’m an Apple aficionado), my home and work addresses (easily found through public records searches), and the location of the Pilates studio my wife, Charlotte, owns and operates. This helped them formulate a plan of attack.
