A lot of listeners responded to Brian Krebs’ story on the Experian data breach last week. The consensus: we’re all worried about the security of our personal data. Brooke speaks to journalist and PandoDaily editor Adam Penenberg, who did what many listeners seem to think is the ultimate nightmare. He challenged hackers to hack into all of his personal information. The only information he gave them to go on? His byline.
BROOKE GLADSTONE: Last week, I spoke with Brian Krebs about the Experian data breach and the selling of our personal data. We got a lot of comments and tweets, mostly along the lines of this one, from a commenter calling himself John E. Royt, who wrote, quote, “Just listened to the latest On the Media podcast. Now I'm off to curl up in a fetal position under the bed and shake for a few hours.” Journalist and PandoDaily editor Adam Penenberg did what many listeners seemed to think is the ultimate nightmare. He challenged hackers to hack into all of his personal information.
ADAM PENENBERG: So I reached out to a computer security firm, Trustwave. They have an ethical hacking department.
BROOKE GLADSTONE: And they said, well, this is interesting. Normally we do corporations, we don’t usually do individuals, but we’ll give it a go.
ADAM PENENBERG: That's what they said. It’s different for an individual because, as they put it, “Well, you offer far fewer attack vectors.”
BROOKE GLADSTONE: [LAUGHS] What a compliment.
ADAM PENENBERG: Very sexy. But it turns out, [LAUGHS] you know, if you’re gonna hack a company it just takes fooling one employee to do something –
BROOKE GLADSTONE: Mm-hmm.
ADAM PENENBERG: – and then getting that access to the network and then being able to leverage your access.
BROOKE GLADSTONE: Mm-hmm.
ADAM PENENBERG: But for an individual, it’s a little bit different.
BROOKE GLADSTONE: The rules you laid down for them: Your kids were off limits and they shouldn’t do anything illegal. But your wife was not off limits.
ADAM PENENBERG: Well, I wish I had said she was off limits.
And so does she, at this point.
BROOKE GLADSTONE: Take us through the steps that they went through to get into your life.
ADAM PENENBERG: The first thing they did is they did what I do as a reporter, which is pull up every piece of information that’s out there. Over the course of my career, I certainly have divulged information that would be useful for their mission. So, for example, I use Macintosh computers. I have for many years. When they create software code called malware, they usually do it for PCs, ’cause most corporations run on PCs. So then they had to actually code malware for me. They couldn’t just use something they’d used in the past.
BROOKE GLADSTONE: So they created a chart, some nine different ways to penetrate your life. One of them was to try and infiltrate your office at New York University.
ADAM PENENBERG: They thought about it, but there was a security guard and, again, they can't break the law. And so, they didn't come upstairs. But they did send a three-man team to stake out the front of my apartment, and they spent a lot of time there. And they also moved over to a local park, where they had a bird’s eye view of my front stoop with binoculars from a park bench, which sounds really creepy, watching my wife and me come and go. They wanted to sniff my Wi-Fi network. And so, they bring their fancy tools to do that, and they realize there are 1200 wireless networks in a tenth of a mile radius of my apartment.
BROOKE GLADSTONE: Yeah.
ADAM PENENBERG: Which that must be another story there.
BROOKE GLADSTONE: [LAUGHS] So then they tried to infiltrate your wife's Pilates studio.
ADAM PENENBERG: Yes!
BROOKE GLADSTONE: Talk about that.
ADAM PENENBERG: Do I have to?
BROOKE GLADSTONE: Yes.
ADAM PENENBERG: They tried to get her to open up a phish. They did that to me too. They would send email to me, and it was very fine-tuned email, not like some of those phish scams you get where you can tell it's a scam, like –
BROOKE GLADSTONE: It wasn't from a Nigerian prince. When they tried to phish you, they’d created an aspiring journalism student in Cincinnati who wanted you to look at her stuff. And when they phished your wife, they created a Pilates instructor in San Francisco who was moving to New York and interested in your wife's operation.
ADAM PENENBERG: Exactly. And just at that time, she was looking for someone, and so the person wrote a very nice note, knew about my wife’s studio and asked whether there were any job openings. And my wife responded, well, maybe, yes. And she sent her a link to a video. And that video link was, it turned out, malware, and when my wife clicked on it, it ended up giving them access to her computer.
BROOKE GLADSTONE: What did they get?
ADAM PENENBERG: Buried in that hard drive were some of my old files.
BROOKE GLADSTONE: ’Cause it used to be your computer.
ADAM PENENBERG: Well, I had given her a computer many years ago. The thing was that I never bothered to wipe my old hard drive when I’m giving it to my wife. I just gave her my old computer. I used to keep some passwords on there. And by looking at old passwords, they were able to then figure out, well, we’ll just try all these different combinations of passwords. And, ultimately, they cracked all of my passwords very quickly, and they were able to crack my Amazon password, and so, they ordered 100 plastic spiders to be delivered to my door.
Their company is called SpiderLabs, which was pretty funny. And also, they cracked my Twitter account. They posted a very funny message, for those who know me. It says, “I love Stephen Glass.” I was the one who broke the Stephen Glass story many years ago, and so, to people who know me they were shocked on Twitter, like, you, you love Stephen Glass?
What are you talkin’ about? I think the big weakness here are passwords. If you’re like me, you have dozens of passwords that you need to use. Well, how do I remember them? Oh well, I could store them in a file on my computer. Well, that’s not a good idea, is it, as we learned in my experience. So what are we supposed to do then, to keep track of all these passwords that we need to have with us to access all these services?
BROOKE GLADSTONE: What about these password management apps? The Times had an article on it just a couple of weeks ago. They generate more complicated passwords and store them in an encrypted site. They can automatically enter the passwords if you’re doing a credit card purchase. What about that?
ADAM PENENBERG: I don't know. That may be a great idea. I have a feeling, though, that whatever someone comes up with, someone will figure out a way to beat it.
BROOKE GLADSTONE: This is how these interviews always end, Adam, with, you’re incredibly vulnerable and there isn’t a damn thing you can do about it. I mean, surely, we can do better than that.
ADAM PENENBERG: You would think.
I can’t say. I do think that it takes great skill to do what these guys did. And to go after an individual, which took a lot of manpower and time, it’s not the kind of thing that’s scalable, so to speak. It’s not something you can automate and make it easy to do. And I don’t think that I’m a big enough target, personally.
BROOKE GLADSTONE: So then the real answer here is to remain unremarkable, obscure.
ADAM PENENBERG: You know, security by obscurity was the old motto.
BROOKE GLADSTONE: [LAUGHS] Adam, thank you very much.
ADAM PENENBERG: Thanks for having me.
BROOKE GLADSTONE: Adam Penenberg is the editor of PandoDaily and author of the new Play at Work: How Games Inspire Breakthrough Thinking.