Pwnd.

How a Google hacker would steal your data.

Parisa Tabriz
Mar 18, 2015 · 6 min read

If I were a black hat

I bet I could pwn you. (No n00b, that was not a typo.)

If that fails, I’ll just try to phish your password. That’s how we stole all those nude celebrity pictures.

How? I’ll create a legitimate-looking email or website and either offer you help while posing as a technical employee, or tell you that you’ve won something. I’m not talking about the Nigerian lottery, I’m talking about a pixel-for-pixel replica of something tailored to your preferences and hobbies. I doubt you’ll pay much attention to the spoofed email headers or to the full website URL. As long as I make the content look like what you’d expect, which I can do by yanking a real web page’s images and slapping together my own fake site over lunch, you’ll probably give me your login name and password. You won’t even suspect something is wrong because… why in the world would someone be going after you?!
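The two tells the paragraph says nobody looks at, the headers and the real link target, are cheap to check mechanically. The script below is an added example for this post, not code from the author; it parses a constructed phishing message (placeholder hosts, no real bank) and flags a From: domain that disagrees with Return-Path/Reply-To, and HTML links whose visible text names one site while the href points at another.

```python
"""Flag common phishing tells in a raw email: a From: address whose domain
differs from Return-Path / Reply-To, and HTML links whose visible text names
one host while the href points somewhere else.

Added example for this post; the message below is constructed, not a real
phish, and every host name in it is a placeholder."""

import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: reads like a bank notice, but Return-Path, Reply-To
# and the real link target all live on an unrelated domain.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Reply-To: support@secure-login.example.net
From: "Example Bank Support" <support@examplebank.com>
To: victim@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please sign in at
<a href="http://examplebank.com.secure-login.example.net/login">
https://www.examplebank.com/login</a> to keep your account active.</p>
</body></html>
"""


def address_domain(header_value):
    """Lowercase domain of the first address in a header, or None."""
    if not header_value:
        return None
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def registered_domain(host):
    """Crude site identity: the last two labels of a host name.
    Fine for this demo; real code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Host part of a URL or of a bare 'www.host/path' string, or None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def phishing_indicators(raw):
    """Return human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # Header check: the address you see vs. where replies and bounces go.
    from_dom = address_domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):
        dom = address_domain(msg[hdr])
        if from_dom and dom and registered_domain(dom) != registered_domain(from_dom):
            warnings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")

    # Link check: the URL you see vs. the URL the browser will open.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            shown, real = host_of(text), host_of(href or "")
            if shown and real and registered_domain(shown) != registered_domain(real):
                warnings.append(f"link text shows {shown} but points to {real}")
    return warnings


if __name__ == "__main__":
    for w in phishing_indicators(SAMPLE):
        print("WARNING:", w)
```

Run against the constructed message it reports three warnings: Return-Path and Reply-To both sit on a different domain from the From: address, and the link that displays `www.examplebank.com` actually opens a host under `example.net`. The `examplebank.com.` prefix on that host is the usual trick for making the address bar look right at a glance, which is exactly why the comparison is done on the registered domain rather than on the leftmost labels.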

That’s what we saw when Gawker’s passwords got owned, and I bet you still use the same passwords for more than one site today.

If all that doesn’t work, well, I’ll have to put a bit more effort in and get you to install malware on your computer, phone, tablet, whatever. I’ll either target outdated or notoriously vulnerable software on your computer, or trick you into installing a program disguised as something safe. Once an evil program I wrote is running on your computer, I can record every character you type, including your password.

Maybe I’ll get lucky and you’ll type your password into a machine I’ve already compromised somewhere.

But… I’m not a black hat.

I want to protect you from black hats and the techniques I’ve seen them successfully use to harm users just like you.

  • Don’t log in to sensitive accounts on public or shared computers. It’s impossible to know whether those machines are infected, so avoid using them for anything sensitive (i.e. anything you wouldn’t feel comfortable sharing with the rest of the world).
  • Check or update your account recovery options, especially for your primary email address! Most online services have a way to reset or recover a forgotten password. Attackers know this too, and may try to exploit your recovery information (a secondary email address or phone number you no longer control, or a security question anyone could look up).
  • Be mindful of all software or applications you install on your computer and phone. Lots of malware is disguised as something enticing, like free software (e.g. photoshop_crack.exe) or a security update. The same goes for alluring mobile apps and browser extensions that ask for lots of permissions. Be cautious!
  • Keep your programs up to date. I’m biased, but I strongly recommend Chrome and Chromebooks (which run the Chrome operating system). They update themselves automatically, so you don’t have to worry about it.

Thanks to jeff h white and Robert.

Written by Parisa Tabriz, adept at baking, eating, and hijacking cookies.

Published in Practically Unhackable, by Intel.