What other information was Jason able to retrieve in just seven days?
• My Air New Zealand login details, sourced from an Airpoints update email. • My tax number, and with that my IRD number from my tax return email. • PayPal details and account balance from the withdrawal I made. • My credit card number, sourced from the card saved on My Vodafone site. • My Facebook login. • My TradeMe login, which supplied my bank account number. • My WordPress login, which is where I hid my customer data for the experiment. • My Adobe logins. • My physical address, and address of my two workplaces.
Believe it or not, that was only the tip of the iceberg. All that data was collected on the first day. When Jason explained that the entire hack only took him three days to complete I was both horrified and impressed.
The sheer ease with which he had broken through the first line of defence was astounding, and yes, I am fully aware I basically just gave him my password. But I didn’t know how much could be gained just from emails.
Apart from my opened emails, the call from the bank and Vodafone and the ominous Netflix panels, I hadn’t noticed any of what he had been taking.
Once Jason had explained how easy my emails had made everything, he moved on to getting access through my laptop.
When you connect to the internet via your home or business network, your computer is virtually assigned an IP address that uniquely identifies it to the rest of the internet. Think of it like a postal address: everything you send out has a return address so that the recipient knows exactly where to reply.
Usually, with finding an IP address, the radius can be relatively broad, but Jason could find where my network was connected to using an internet router that provides network address translation (NAT) and trace that router to my physical address.
The router itself took on the assigned IP address, then provided internal IP addresses to each connected computer.
After he had found my device, Jason could do what I was most paranoid about: access my webcam. Which, according to him is creepy yet insanely easy to do.
All it took was software called Meterpreter installed onto my device. Meterpreter is a service that gives the hacker command shell capability and communicates back to the hacker in code so it isn’t recognised by any antiviruses.
Jason explained that he had quite quickly been able to get past the antivirus on my computer because “we are not a virus; we are a hidden code”.
How did he manage to install it onto my device? With a hidden PDF file that was encrypted to open on my device, once I opened a blank email that had appeared to be sent from myself.
After opening the email, the code was able to download itself onto my device and be used as a back door controlling system.
From there Jason explained that you cannot watch someone through a webcam, but can install a code that makes the camera take a snapshot every few minutes or so, depending