Hacker here

An interesting and frightening report from CNN.

The hacker Rachel Tobac: how to obtain someone's address without passwords or access to their email


We asked a hacker to try and steal a CNN tech reporter's data. Here's what happened

Story by Donie O'Sullivan, CNN Business

Las Vegas (CNN Business) -- I share, therefore I am.

I am the kind of person who posts Instagram photos (filtered, of course) from my vacation. I am also the kind of person who tweets about buying an overly-expensive piece of furniture because I fell for a sleek online ad about how it would change my life.
I am basic.
Thing is, I thought my social media posts merely betrayed my desperate need for attention and likes. It turns out, though, that they're also a goldmine for hackers.
Using two of my posts -- an Instagram check-in at a hotel on the west coast of the United States and a tweet about a piece of furniture -- a hacker was quickly able to get my home address and my cell phone number.
How? Both the hotel and the furniture company handed my personal details to the hacker over the phone.
Logging into our social media and email accounts online can be an ordeal. We're often asked for a password, a second code that is texted to our phone, or sometimes the answers to anxiety-inducing personal questions like the name of our first girlfriend (who was definitely not imaginary at all, thank you very much).
But there are still basic and important vulnerabilities hiding in our daily lives. Data breaches and hacks get all our attention, but a hacker with a good phone persona and a few basic tools can trick customer support agents from major corporations into handing over a shocking amount of private information and more.
I let one of these hackers do this to me recently. And I'm here to tell you, it's disturbingly easy for them to do — even to someone like me who covers technology. It's a lesson for all of us: think carefully about what you're sharing on social media and how that information can be used against you, and next time you're on the phone with your airline, hotel, or bank and they let you access your account, think about the questions they are asking you. If they're only asking for your birthday and email address to verify that you are who you say you are, ask if they can add some additional security to your account — maybe they could put a note on your account to require a special password or send you a verification code. Many companies don't have an option like this, unfortunately, but it's worth asking.
Here's what happened to me: In Las Vegas this August at DEF CON, one of the world's biggest hacking conferences, I met with Rachel Tobac.
Tobac is a celebrity among the DEF CON crowd. For three years in a row she has been among the winners in a competition in which hackers attack a company live in front of an audience of hundreds in Vegas — and do that hacking entirely over the phone.
Rachel Tobac is a white hat hacker who specializes in social engineering
Tobac and her competitors in the contest call up major corporations, often claiming to work in the companies' IT department. Tobac is not a coder, but she has been doing improv since she was 10 years old. By tapping into those skills — and using some other forms of deception, like an app that can change her voice to make her sound like a man — she convinces the person on the other end of the line to hand over private information.
This type of hacking is called social engineering.
But Tobac is one of the good hackers — the kind typically known as a "white hat." (The bad ones are called "black hats.")
She works with companies to run what are called penetration tests to discover and show them where and how they may be vulnerable to social engineering hacking.
I asked Tobac to hack me.
Without having my password, and without hacking into my email account, she was able to get my home address, my phone number and steal my hard-earned hotel points. In perhaps the cruelest act of all, she was even able to change my seat on my five-hour flight out of Vegas, moving me from a spacious exit aisle to a middle seat at the back by the restrooms.
She did all this by using some information she found about me online, like which airlines I fly with and what hotels I stay at — because I tweet about them.
Then, using that information, she called up some of my favorite companies, using software to make it appear as if she were calling from my phone and a voice changer so that she could sound like a man if she needed to. It sounds complicated, but it's worryingly easy to do.
To get my home address, she called up a furniture company I had tweeted about. Tobac claimed she was my wife and that she wanted to check that the company had my correct home address on file before she placed another order. She deliberately gave the wrong address and the person on the other end of the line corrected her with my full home address.
That simple.
She was also pretty easily able to convince a hotel I had checked into on Instagram to hand over my phone number.
Tobac isn't trying to embarrass these companies: she wants them to start using the type of authentication processes on the phone that they use online. She says some of the biggest airlines and hotel chains are leaving open a massive vulnerability — and failing their customers — by not doing so.
Rather than a telephone customer service representative asking for my date of birth to confirm my identity (a piece of information Tobac or another hacker could easily have), Tobac suggests companies should send a code to the phone number or email address they have on file for that customer and have them read back the code over the phone.
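The step-up check Tobac describes, shown as an added example (not code from CNN, Tobac, or any company in the article): a support-desk helper that generates a one-time code, delivers it to the phone number or email already on file (never to contact details the caller recites), and lets the agent verify the code the caller reads back. The weak date-of-birth check the article criticises is included alongside it for contrast. Customer records, the in-memory outbox standing in for an SMS/email gateway, and the five-minute lifetime and three-attempt limit are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: a challenge is abandoned after three wrong guesses


@dataclass
class Customer:
    """Constructed customer record; contact details are the ones on file."""
    customer_id: str
    phone_on_file: str
    email_on_file: str
    date_of_birth: str


@dataclass
class Challenge:
    code_hash: str       # only a hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class PhoneVerifier:
    """Step-up verification for a support call: the agent triggers a one-time
    code to the contact on file and the caller reads it back over the phone."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._challenges = {}        # customer_id -> Challenge
        self.outbox = []             # simulated delivery log (stand-in for a gateway)

    def weak_verify(self, customer, claimed_dob):
        """The status-quo check from the article: a static fact that an
        attacker can often look up, so matching it proves little."""
        return claimed_dob == customer.date_of_birth

    def start_challenge(self, customer, channel="sms"):
        """Generate a fresh code and 'send' it to the on-file contact."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[customer.customer_id] = Challenge(
            code_hash=hashlib.sha256(code.encode()).hexdigest(),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        destination = customer.phone_on_file if channel == "sms" else customer.email_on_file
        # A real deployment would call the SMS/email gateway here; we log it instead.
        self.outbox.append({"to": destination, "channel": channel, "code": code})

    def verify(self, customer_id, spoken_code):
        """Check the code the caller reads back: single use, time-limited,
        attempt-limited, compared in constant time."""
        ch = self._challenges.get(customer_id)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._challenges[customer_id]
            return False
        ch.attempts_left -= 1
        spoken_hash = hashlib.sha256(spoken_code.strip().encode()).hexdigest()
        ok = hmac.compare_digest(spoken_hash, ch.code_hash)
        if ok or ch.attempts_left <= 0:
            del self._challenges[customer_id]   # consumed, or locked out
        return ok


if __name__ == "__main__":
    cust = Customer("c1", "+1-555-0100", "caller@example.test", "1990-01-01")
    v = PhoneVerifier()
    print("DOB check passes for anyone who knows it:", v.weak_verify(cust, "1990-01-01"))
    v.start_challenge(cust)
    delivered = v.outbox[-1]
    print("Code sent to on-file contact", delivered["to"])
    print("Caller reads it back correctly:", v.verify("c1", delivered["code"]))
```

The agent never needs to see the code: the gateway delivers it to the stored contact, and the agent only types in what the caller says. Because the code is bound to the contact details already on file, a caller who has merely looked up a birthday or address from social media has nothing to read back.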
That's easier said than done, however. Often airlines get calls from customers who are in a travel emergency. Asking someone to take a few extra seconds to root out an email with a code in it might dissuade customers from flying with the airline in the future.
It is the ultimate consumer protection dilemma -- we all want to be secure, but we also want everything to be easy.
Tobac hopes she can start convincing corporations and consumers that making things a little more difficult is worth it.
In the meantime, I have stopped tweeting about everything I buy. I still check in at hotels though. Gotta get those likes.
