His goal was to make himself relatively anonymous in the real world and scrub his (actual) personal info from public/for-sale databases. And while he didn't hire anyone to pentest his digital identity, he did hire a PI to try and find him.
To make sure he didn’t make any mistakes, Mr. Lopp paid private investigators to try to find him. It was an investigator who helped him figure out that his D.M.V. registration was making him vulnerable, which led him to getting a decoy address.
So it’s ok to lie to the DMV about your address? I had to give them three documents to prove my address to get a license and my wife did as well to get a state ID. Is the assumption that he knows he’s breaking the law and ok with it or is there some scenario where you can provide a false address and that’s ok?
In at least some states, yes, your driver's license needs to have your primary residence on it, or so an officer told me when I was pulled over and I hadn't updated mine yet.
How would the officer know that unless you told him? My address goes to a mailbox in a different state. If asked, I'm just living in the area temporarily for business.
I had only recently moved and had no idea if he was a neighbor or lived on the other side of the city. Not that I would have done anything differently otherwise, but I also happen to be a terrible liar.
In my area you are required to update the roads authority within 14 days of changing address, and they send you a sticker to put on the back of your current license card.
I heard about this again on NPR this afternoon. Turns out in addition to buying a new house and not telling anyone about it he also rented a super cheap, rundown apartment. He used this for anything he was required to provide a valid address for.
The niche market of folks with enough security-savvy to know they need the services of a pen tester is pretty small. That said it's also a pretty wealthy niche, so a boutique "personal security coach" business could probably thrive.
Companies spend lots of money on security. But then it happens that they're vulnerable when an employee is hacked. I can see in the future companies paying to test their employee's individual security. They might even promote it as an employee perk.
I already know of a company that was hacked due to an email exploit. So they cleaned things up and gave employees specific training. Then six months later they launched their own email attack, something like ten percent of their employees failed that test!
If the question is, are there services that target individuals (or individual employees in a corporation) to help protect them from attacks, yes, that exists. Tall Poppy is one of them (tallpoppy.io).
You probably can't reasonably pay someone to attack third parties that protect your information. For instance, at several of the startups we run security for, even with your password, a suspicious new pattern of login anomalies will generate an investigation that will consume resources on our end, and we'd be pretty pissed to find out that we'd done it because of a stunt you paid for.
While I agree with the general unfairness of this, on the other hand we currently have an ecosystem where SaaS products are used by most people to get their work done and generally manage their lives.
Shouldn't we have the right to know or be able to check how secure our data and identity is on these services?
I don't think this answers the question. Of course unsolicited pen testing is already illegal; that's not an interesting question imo. What I'm more curious about is security industry opinions about whether or not the current law is a good idea.
Are there any changes you would make to the law if you had the ability to do so, or do you see a more general danger in allowing customers to attack their own accounts?
Some SAAS companies set up bug bounties that offer explicit permission to test. Some companies offer that permission without a bounty. In the absence of either of those conditions, much of what a pentest firm would do to check the security of a website is a federal crime.
It's not a crime that is routinely prosecuted (at least not in the US; there are horror stories from the UK). But that doesn't mean it's safe to build a business around that activity.
(To be clear: I'm saying this about general security testing, not taking over someone's account who's paid you to do so. That's not criminal, just sort of unethical.)
Acunetix sells a product that you can use lawfully or unlawfully. In the very unlikely event you were to find and later exploit a serious vulnerability in a major SAAS company using the Acunetix scanner, it would not be Acunetix that the lawyers would target.
You do not have a general right. Obviously, 3rd-party penetration tests exist, and obviously there are a variety of things you can do short of actual testing to "check" security.
I imagine that if there was a larger market for this people like you would allow personal pen-testers to pre-register their attempts. Just out of necessity.
On the other hand, you might be able to profit from this, if these third parties are able to find vulnerabilities in your process. Free security audits.
From my years of working in big Banks, none would appreciate a stunt like "hi I gave the approval to hackerX to try and steal money from my account in YOUR bank."
Apart from an obvious black list you are looking at a world of pain both by the bank's lawyers AND the authorities. It may be YOUR money but tampering with a bank's systems is very much criminal activity in most countries.
I do not think it is that clear cut. Unless the bank assumes full responsibility for any kind of security breach, including social engineering, you need to be allowed to take care of protecting yourself (including the crucial step of testing the measures). It falls to the systems, both the banks and political/judicial, to have measures and rules in place to allow and account for that.
If they don't, I feel there's a rather lopsided situation.
How does that translate to the physical world? What happens if I pay someone to break into the bank and access my safety deposit box? What if they break into the branch manager's home to steal their key?
I’m not saying physical security is easy, but it’s better understood in general, and at the very least, it’s pretty easy to insure against. Most banks offer insurance on safety deposit boxes so if your item goes missing, you are compensated.
I was talking to a guy who provides online security services for financial institutions. I asked him what happens when someone loses money due to a hack. I found his response amusing and horrifying.
“When someone breaches your online account and steals money, if the amount is $50, the bank will restore it at their expense to keep you happy as a customer. If the amount is $50,000... well, the bank doesn’t care about having you as a customer that much.”
The bank will seek to see who/what was at fault. If you handed someone your passwords etc, they carry no responsibility and kiss that 50k goodbye. Your pin/passwords are yours and yours alone. You should protect them. At least in the UK there have been plenty of cases where people were tricked into handing over their passwords. They never got anything back from the banks.
If someone breaks in physically and steals the contents of your safety deposit box they will hunt them down. If you come forth and you say "I know who it was, I helped him/her as part of a pen-test" then you are going down with them.
And yet I get much more assistance in keeping my login secure from a two-bit social media site than I do from virtually every bank I’ve had an account with (speaking of banks in the USA).
Two factor using something like Google Authenticator? Nope.
Two factor using a less-secure text message? Rarely.
An email asking for secondary confirmation when logging in from a new device or IP address? Forget it.
A history within my account that shows all logins and login attempts, along with the request IP address and location? I wish.
I’m sure banks do stuff behind the scenes to secure my account. But it seems they could do a lot more to empower me to help in the process. I understand that it’s difficult to pin the blame on a bank for a password stolen by a virus a customer picks up that had nothing to do with them. But it seems they’d do a whole lot more to help me protect my account.
I’m generalizing, I know, but I find it comical (and frustrating) at how often I see banks attempt to do things in the name of security that don’t help at all, but go a long way to destroy UX, or even decrease security.
- Prevent paste on the password field.
- Security questions, often with ridiculous questions.
> I can find some which claim to test the security of CEOs and celebrities. But I can't find anything for ordinary people.
Those are the services for "ordinary people". The thing is, they advertise to celebrities & CEOs because there aren't many people willing to pay for pentesting. That will always be an expensive service, since it by definition requires highly-skilled employees. A service that advertises to celebrities would almost certainly be willing to work with an ordinary individual, but how many people are willing to pay for the service? Certainly not enough for this to be a million-dollar idea.
> When an organisation asks me to set a recovery question, I generate a 32 character passphrase
This is not actually the best way. For some services eventually you get to a person in a call center who can actually check those security questions to perform a password reset (when all else fails). Having a random string opens the door for someone to claim "oh I think I put something random in there, I really forgot what" and it's likely they'll pull it off. Especially if the hacker knows (somehow[0]) that you put a random string there and it's exactly 32 characters long.
Just go with a plausible name that's still not straightforward to guess.
[0] You may blog about it... Or discuss it loudly and be overheard.
> In your scenario the service is already broken and the door is wide open no matter what you choose as the recovery answer.
You'd be safer with this assumption anyway. But again, after telling the whole internet you're using random 32 character strings for that it's likely that you just lowered the bar a little for social engineering. It is easier than you think to call a call center and convince someone to perform a password reset or a SIM porting (for hijacking). At least don't give them another plausible avenue.
I would go with a company that has a reputation. If you go find some randoms in an IRC channel they might take advantage of anything they find. A little crowdsourced service that offers rewards for finding vulnerabilities in your system might be a success but good luck managing that and dealing with the people you got tricked into hacking.
One thing to consider is the password manager generated security questions. Half the customer service agents out there will accept "it is just a bunch of random characters I typed". Security questions should go the "correct horse battery staple" route.
My security answers are often random "junk". I've tried to social engineer my way into my own accounts a couple of times - and all of them have insisted on me reading out the full "answer".
This doesn't work for Wells Fargo, at least IME as of 9 months ago. I didn't have access to my main password manager (only a phone, I was on a trip), but they did just accept my answer of "random chars generated by a password manager". After that, I went and changed security answers on anything important, I just made a script that pulls random words from a dictionary.
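The comments above argue for "correct horse battery staple" style security answers: random dictionary words are unguessable to an attacker but can be read out over the phone, so a call-center agent is never tempted to accept "it was just random characters". Below is an added example generator, not the commenter's script, using Python's `secrets` module (a CSPRNG, unlike `random`) and a small constructed word list; a real deployment would substitute a large published list such as a diceware list, which is where the entropy figure comes from.

```python
import math
import secrets

# Constructed sample word list for the example. A real word list would have
# thousands of entries; the entropy calculation below shows why that matters.
WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pencil",
    "quiver", "rocket", "saddle", "timber", "umpire", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "desert", "falcon", "glacier", "harbor", "meadow",
]


def passphrase_answer(words=WORDS, n_words=4, sep=" "):
    """Build a security-question answer from n_words words chosen uniformly
    with a cryptographically secure RNG. Words may repeat, which keeps the
    entropy math exact (n_words * log2(len(words)))."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Entropy of an answer drawn uniformly from wordlist_size ** n_words
    possibilities, in bits. 4 words from a 32-word list is only 20 bits;
    6 words from a 7776-word diceware list is about 77.5 bits."""
    return n_words * math.log2(wordlist_size)


def is_well_formed_answer(answer, words=WORDS, n_words=4, sep=" "):
    """Sanity check used before saving the answer to a password manager:
    exactly n_words tokens, every one of them from the list (so it can be
    read aloud unambiguously)."""
    parts = answer.split(sep)
    return len(parts) == n_words and all(p in words for p in parts)


if __name__ == "__main__":
    answer = passphrase_answer()
    print("answer:", answer)
    print("bits from this toy list:", entropy_bits(len(WORDS), 4))
    print("bits from a 7776-word list, 6 words:", round(entropy_bits(7776, 6), 1))
```

Store the generated answer in the password manager alongside the login; the point of the word form is only that it survives being spoken to a human, not that it should be memorised.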
While some services are secure, without testing it isn't safe to assume that any particular service is. And even with testing, it can vary depending on the particular CSA. So in general, I don't think this is a good idea, since there is no way of knowing if any particular service will be secure.
Here in the UK, it seems that most reputable organisations are GDPR conscious. I've deliberately got my birthday slightly wrong to see what they do - 100% of the time they refuse to proceed.
Those people would likely benefit much more from the awareness trainings pentest shops usually offer as well, snake oil reports without changes in behaviour really don't secure anything.
Was going to talk a bunch of smack about pen-testing, but instead, if someone were offering this service, I'd love to go head to head with them to determine who delivered more value over time and money, a pen-test vs. a risk assessment.
Simulating a highly targeted attack is expensive, and the protection most people have against those is that they're not interesting enough to spend so much effort on.
For the average person, the main threats are various forms of social engineering, mostly the kind that is really obvious to anyone who has a rough idea how security works ("This is a secure document, please click yes when it asks you to allow this document to execute arbitrary code"), and software so far out of date that common exploit kits have pre-packaged exploits.
Most people probably forget how you could use a "stalk my ex" Russian bulletin board service for $50 to stalk yourself. Russian script kiddies are probably happy to comply since the FBI can't really harm them.
But I think in most countries you would still be liable to Google/FB etc if the attack gets detected and linked to you.
To make such a business profitable, you'd need to invent a slew of new techniques for bringing down the cost of pen-testing. This would have applications far beyond the scope of your business idea.
> I can find pentesting services for companies. I can find some which claim to test the security of CEOs and celebrities. But I can't find anything for ordinary people.
I'm sorry to be harsh on this person but this is quite a dumb post. What is the difference between hacking a celebrity vs an ordinary person? None.
Any penetration testing / security consultancy will be able to do what you're asking for, provided you can pay their rate.
> Does this service exist? If not, is this a million-dollar start-up idea?
No it is definitely not a million-dollar startup idea. It also wouldn't be a startup it would be a consultancy. Penetration testing firms can easily charge clients up to around $1000 / day. How many individuals are going to pay multiples of $1000 to see how secure their online data is?
You cannot in fact pay a pentest firm to hack a SAAS provider that has your data. The companies claiming to do this for "CEOs and celebrities" are, to some extent, lying.
One reason would be, as long as you don't have a clause permitting this in your contract with the SaaS provider (which "ordinary" people as in this context usually don't have) it would be considered an offense in most countries.
If you're a company and the SaaS provider is of similar or small scale you might be able to work with them if you have special security concerns that exceed their regular customer base. You could maybe even get them to hire a consultancy to check or recheck their services but in no case would you ever just go out and do that of your own volition.
Independent of that, even in a personal context, people use SaaS providers because they trust their ability to do a certain job better and/or cheaper than you could do yourself. That usually includes the factor of securing their data, if only because it's in their best interest not to have PR disasters and lose customers.
You either need prior approval or follow certain rules to conduct any pen-testing, red-team exercises etc. on most cloud platforms, largely to prevent happy-go-lucky/break-things-fast types from installing Kali on a whim and running a riot.
In general, obtaining access to your account at some service providers requires you to defraud, social engineer or hack that service. To be able to do that legally, you need permission from the service provider, permission of the owner of the account isn't sufficient.
So any company claiming to provide such service is either not doing so legally or (more likely) limiting their activities to various passive approaches and not attempting to actually pentest/social engineer access to your accounts in ways like an actual attacker would; so they're implying that they provide a better, more serious service than they actually do.