Pwnd.

How a Google hacker would steal your data.

Parisa Tabriz manages the Chrome Security team, who work on making Chrome the safest way to browse the web. The best defense requires an offensive mindset, so it’s her job to think like a criminal. Here’s how she’d hack you.


If I were a black hat

I bet I could pwn you. (No n00b, that was not a typo.)

I want to steal your credit card number, get access to your bank account, and embarrass you by posting to your social networks. Or maybe I have a larger goal, and you’re just a necessary casualty in my master plan.

If you’re like most people I know, you live a lot of your life online. I do too. The Internet is useful, fun, and so convenient! You pay your bills, check your bank statements, and one-click shop. You diss your ex and share secrets with friends, send pictures to loved ones on the latest social app, and spray enough personal details around the web that, intentionally or not, you have an online persona that will help me target you.

So, even though I may not know you in real life, I’m going after your online data. Most of the good stuff will require I break into your account(s), so I’ll go after your passwords. That’s usually the only thing I need to prove I’m you to the website, and once the site believes I’m you, I have an all-access-pass to do whatever I want.

There’s more than one way to steal a password, but most tactics I can do without getting out of bed.

First, I’ll try to guess it based on what I know about you, or grind through guesses with my software sidekick, John the Ripper, which will happily test millions of candidates against a password hash. If guessing fails, I might recover it or reset it instead: most sites have a “forgot my password” flow, and if the only thing guarding it is a security question I can answer from your public profile, the account is mine. That worked on Sarah Palin, and it works on lots of others too.

If that fails, I’ll just try to phish your password.
That’s how we stole all those nude celebrity pictures.

How? I’ll create a legitimate-looking email or website and either offer you help while posing as a support employee, or tell you that you’ve won something. I’m not talking about the Nigerian lottery, I’m talking about a pixel-for-pixel replica of something tailored to your preferences and hobbies. I doubt you’ll pay too much attention to the spoofed email headers or to the full website URL. As long as I make the content look similar to what you’d expect, which I can do by yanking a real web page’s images and slapping together my own fake web site over lunch, you’ll probably give me your login name and password. You won’t even suspect something is wrong because… why in the world would someone be going after you?!

I bet this would work, because phishing has worked against my dad and many of my friends. And they’re all pretty smart.
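Those spoofed headers and that full URL are exactly the things worth a second look, and the checks are mechanical enough to script. The checker below is an added example written for this page, not code from the article or from Chrome: it pulls the domain out of the From, Reply-To and Return-Path headers and flags any that disagree with each other, and it compares the site a link’s visible text shows with the site its href really goes to (including the `https://trusted-site@evil` userinfo trick). Both messages in it are constructed samples, and the “last two labels” domain rule is an assumption good enough for .com/.org/.example; real code would consult the Public Suffix List.

```python
"""Spot the tells a tailored phish leaves behind: a From address whose
domain does not match where replies and bounces actually go, and links
whose visible text names one site while the href points at another.
Added example for this article, not code from the article or from
Chrome; both messages below are constructed samples."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: a "your account needs attention" phish built from a real
# site's look, with the link text copied from the real site.
PHISH = """\
From: "Google Accounts" <no-reply@accounts.google.com>
Reply-To: support@accounts-google-help.example
Return-Path: <bounce@mail.accounts-google-help.example>
Subject: Action required: verify your account
Content-Type: text/html

<p>We noticed unusual sign-in activity.</p>
<a href="https://accounts.google.com.verify-login.example/signin">https://accounts.google.com/signin</a>
"""

# Constructed: an ordinary message whose headers and link all agree.
LEGIT = """\
From: "Alice" <alice@example.org>
Reply-To: alice@example.org
Return-Path: <alice@example.org>
Subject: lunch?
Content-Type: text/html

<a href="https://calendar.example.org/invite/123">https://calendar.example.org/invite/123</a>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """The 'site' part of a hostname, taken as its last two labels.
    Assumption: this toy rule is enough for .com/.org/.example; production
    code should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value: str) -> str:
    """Domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_phishing_tells(raw_message: str) -> list[str]:
    """Return a human-readable list of header and link mismatches."""
    msg = message_from_string(raw_message)
    tells = []
    from_dom = addr_domain(msg.get("From", ""))
    for hdr in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg.get(hdr, ""))
        if dom and registrable_domain(dom) != registrable_domain(from_dom):
            tells.append(f"{hdr} goes to {dom}, From claims {from_dom}")
    body = msg.get_payload()
    for href, text in LINK_RE.findall(body):
        target = urlparse(href)
        real_host = target.hostname or ""
        if target.username:
            # https://accounts.google.com@evil.example/ : everything before
            # the @ is userinfo; the real host is what follows it
            tells.append(f"userinfo trick: link really goes to {real_host}")
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                tells.append(f"link text shows {shown_host}, href goes to {real_host}")
    return tells


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, find_phishing_tells(sample) or ["no tells found"])
```

The point of the two-label rule is that `accounts.google.com.verify-login.example` reduces to `verify-login.example`, which is the site that will actually receive whatever you type; the leading labels are decoration the attacker chose.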

If you’re too savvy for phishing scams, well, I’ll try to lift your password from a compromised database dump I can buy from other black hats or find online. I know that lots of people use the same password for more than one account, so if I find a password in one place, you’re probably using that, or some derivative, for your other accounts.

That’s what we saw when Gawker’s passwords got owned, and I bet you still use the same passwords for more than one site today.
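Here is why a “derivative” of an old password buys you nothing. The script below is an added example, not code from the article and not John the Ripper’s own rule engine (a toy rule set of case changes, leet substitutions and year/punctuation suffixes stands in for it, which is an assumption): it takes one password from a constructed dump, generates the variants a cracker would try, and tests them against a constructed target site that stores a salted PBKDF2 hash. The reused-with-a-twist password falls in about a hundred guesses; a random password from a manager is never in the list.

```python
"""Why a 'derivative' of a leaked password is no safer than the leak
itself: the mangling rules a cracker such as John the Ripper applies
to a known password regenerate the usual variants in a handful of
guesses, even against a properly salted, slow hash.  Added example for
this article, not the article's code and not John the Ripper's rule
engine (assumption: a small toy rule set stands in for it); the leaked
password and the target site's hash are constructed."""
import hashlib
import os
import secrets
import string

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
ITERATIONS = 2000  # kept low so the demo runs in well under a second


def mangle(leaked: str, years=range(2010, 2016)) -> list[str]:
    """Candidate passwords derived from one leaked password, roughly in
    the order a cracker would try them (cheapest, most common first)."""
    suffixes = ["", "!", "1", "123", "!1"]
    for y in years:
        suffixes += [str(y), str(y) + "!", str(y)[2:]]
    bases = [leaked, leaked.lower(), leaked.capitalize(), leaked.upper(),
             leaked.translate(LEET)]
    # Summer2012 -> Summer, so the suffix rules can re-append a newer year
    bases.append(leaked.rstrip(string.digits + "!"))
    candidates, seen = [], set()
    for base in bases:
        for suffix in suffixes:
            cand = base + suffix
            if cand and cand not in seen:
                seen.add(cand)
                candidates.append(cand)
    return candidates


def hash_password(password: str) -> tuple[bytes, bytes]:
    """What a careful site stores: a random salt and a PBKDF2 digest."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def crack(leaked: str, salt: bytes, digest: bytes):
    """Try every derivative of the leaked password against the target's
    stored hash.  Returns (password, guesses) on success and
    (None, guesses) when the wordlist is exhausted."""
    guesses = 0
    for cand in mangle(leaked):
        guesses += 1
        if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, ITERATIONS) == digest:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    leaked = "Summer2012"                          # from the bought database dump
    salt, digest = hash_password("Summer2013!")   # same user, "new" password elsewhere
    print(crack(leaked, salt, digest))            # ('Summer2013!', 106)
    strong = secrets.token_urlsafe(16)            # what a password manager would pick
    print(crack(leaked, *hash_password(strong)))  # (None, 113): wordlist exhausted
```

Real sites use far more than 2000 PBKDF2 iterations (or bcrypt/scrypt/Argon2), which makes each guess slower but does not change the outcome: a wordlist of a hundred-odd entries finishes in seconds whatever the cost per guess. The only thing that moves the password out of reach is not being a function of the leaked one at all.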

If all that doesn’t work, well, I’ll have to put a bit more effort in and get you to install malware on your computer, phone, tablet, whatever. I’ll either target outdated or notoriously vulnerable software on your device, or trick you into installing a program disguised as something safe. Once my evil program is running on your machine, it can record every character of your password as you type it.

Maybe I’ll get lucky and you’ll type your password into a machine I’ve already compromised somewhere.

Black hats leave malware on hotel computers, airport kiosks, and other public terminals since we know how many people need their Internet fix, even when they’re away from their personal devices. It’s hard to target you specifically this way, but if you’ve ever logged into a shared computer, assume one of us black hats has the password you typed in.

It still amazes me that people type their most sensitive details into a computer that’s been used by so many strangers! Isn’t anyone worried about digital germs?

But… I’m not a black hat.

I want to protect you from black hats and the techniques I’ve seen them successfully use to harm users, just like you.

The open access of the Internet has led to amazing opportunities, but unfortunately, it’s not free of criminals. Staying safe online, just like the real world, can seem overwhelming. Here are a few best practices that will increase your odds:

  • Be leery of offers of assistance or prizes in emails. If it sounds too good to be true, it probably is. If in doubt, verify the source directly (e.g. call the support number printed on your card or statement, not one given in the email) or check with a tech-savvy friend.
  • Don’t reuse the same password for sensitive accounts, and don’t share passwords with anyone! That includes your husband, girlfriend, and best bud. The relationship may turn sour, or the person might be unable to resist a peek. When possible, enable a second factor of authentication on your account, so you’re not relying on your password alone for protection. Using a password manager that generates and stores unique, strong passwords is also a step in the right direction.
  • Don’t login to sensitive accounts on public or shared computers. It’s impossible to know if those machines are infected, so best to avoid using them for anything sensitive (i.e. anything you don’t feel comfortable sharing with the rest of the world).
  • Check or update your account recovery options, especially for your primary email address! Most online services have a way to reset or recover a forgotten password. Attackers know this too, and may try to exploit your recovery information.
  • Be mindful of all software or applications you install on your computer and phone. Lots of malware is disguised as something enticing, like free software (e.g. photoshop_crack.exe) or a security update. That goes for alluring mobile apps and browser extensions that ask for lots of permissions. Be cautious!
  • Keep your programs up to date. I’m biased, but I strongly recommend Chrome and Chromebooks (which run the Chrome operating system). Both update themselves automatically, so you don’t have to worry about it.

Unfortunately, no one, including me, is unhackable. That’s sobering, but for better or worse, it parallels the safety of the real world. I follow those practices and think they keep me safer. I think you should too.


Practically Unhackable is an Intel publication on Medium. Supercharge the security of your online life with our step-by-step guides on everything from managing passwords to beating ransomware.