courtesy she didn’t think twice about accepting it from a colleague. A
couple of weeks later she received an e-mail that appeared to be from an
anonymous whistle-blower organization that was about to release sensitive
documents. As a reporter who had covered groups such as Anonymous and
WikiLeaks, she had received e-mails like this before, and she was curious
about the request. The file attachment looked like a standard file, so she
clicked to open it.
Immediately she realized something was wrong. Windows Defender, the
security program that comes with every copy of Windows, started issuing
warnings on her desktop. And the warnings kept piling up on the screen.
Curtis, like a lot of people today, had been tricked into clicking on an
attachment that she thought was an ordinary file. While pretending to have
information she wanted to see, the file downloaded and unpacked a series of
other files that allowed the remote attacker to take complete control over
her computer. The malicious software even took a picture of her with her
own webcam. In it her face bears a look of sheer frustration as she tries to
understand how someone could’ve taken over her computer.
Actually Curtis knew full well who had taken over her computer. As an
experiment, a few months earlier she had hired a penetration tester, or pen
tester. Someone like me. Individuals and companies hire professional
hackers to try to break into a company’s computer network to see where
they need fortification. In Curtis’s case, the process was spread out over
several months.
At the start of jobs like this, I always try to get as much information
about the client as I can. I spend time learning about his or her life and
online habits. I track the client’s public posts to Twitter, Facebook, and, yes,
even LinkedIn. Which is exactly what Sophie Curtis’s pen tester did. Amid
all her e-mails was one carefully constructed message—the first one sent by
her pen tester. The pen tester knew that she worked as a reporter and knew
that she was open to e-mail solicitations from previouslyy unknown
individuals. In that first case Curtis later wrote that there was not enough
context for her to be interested in interviewing a particular person for a
future story. But she was impressed by the amount of research the hacker
and his colleagues at the security company did.
Curtis said: “They were able to use Twitter to find out my work e-mail
address, as well as some of my recent locations and the name of a regular