Seriously, this story made me feel more secure. I imagined a lot more attack vectors (such as http://xkcd.com/792/ ) and having all those attempts fail seems kind of anticlimactic.
Basically they got in via phishing? First via a .jar file and then a video? I'd like more info on how the video can take over your computer. But in any case I don't fall for phishing scams.
The best thing I saw there was asking to print out the resume. Had the system been newer it would have worked.
Couldn't they have tried using one of those drive-by Javascript vulnerabilities?
The rest of it once they gain entry is straightforward.
Here is what I am wondering about: I use Google Apps for my email etc. If my company starts competing with Google on some front, can't Google just engage in corporate espionage by simply reading the email we store there? They'd also have access to all our accounts. How would this ever come to light?
> I'd like more info on how the video can take over your computer.
They didn't do it with a video. The supposed "video" in the zip file was just bait so the victim has an incentive to open it. Most likely the zip contained a .jar again.
This is a fascinating story, but it actually made me feel more secure, not less. Look at the attack vectors they used - physical access, infected hardware, email attachments from strangers? I suppose the easy stuff worked, so they didn't have to come up with anything more sophisticated.
I'd still be more worried about the 1999 attack - social engineering the businesses who hold your information - than about anyone getting it directly from my personal footprint.
It wasn't easy for the attackers because they chose not to break the law. If they had just broken into every network in the neighborhood until they found the right one, it would have been simpler.
The interesting part is how much they managed to do without breaking the law; the scary part is how much more they could have done by breaking the law.
An absolutely fascinating article but not good for the old paranoia.
I actually found their initial attempts really disappointing. I was hoping for some really cool, advanced stuff. Emailing them .jar files? To me that's laughable. When my friends and I used to try and infect each other with sub7 in the 90s it was with a .jpg with the executable buried inside. That was more sneaky than a .jar claiming to be a resume.
I enjoyed this piece -- especially comparing the author's experience in asking a private investigator to check him out in 1999 versus a pen tester to do the same in 2013.
All the attack vectors seem fairly straightforward, but I suppose the combination used on each target changes each time, and that's where the skill comes in.
The takeaway from the story is not to open .JAR files and to set up all family members' computers such that they can't install any software or accept any email attachments, because quite probably, your family members will be stupid and open .JAR files.
I expected something more elaborate than sending malware as an email attachment; this is a commonly known way of infecting and hijacking machines, so it makes the topic less newsworthy.
But it's always good to remind people to apply common sense when using email and the internet and be aware of their digital footprints.
Long read but very interesting, almost like a crime thriller. I think it is pretty obvious that privacy is dead. Any average computer user will leave scents - and a good expert needs to only pick one of these to unravel the whole story.
A very fascinating story indeed! For people already working in the security industry it might look easy because they used very common attack vectors, but the general public have no idea of these things and they are the typical victims.