No-Tech Getting Hacked


While Johnny Long's talk about No-Tech Hacking at BlackHat and Defcon 15 was very informative (don't make things too hard on yourself), sometimes carrying around a camera, building trojan horses, or paying cash to a local thrift store for a 2.99 USD cable box is a little more work than you really want to go through. I'd like to introduce you to no-tech getting hacked.

Colleague is very particular about the computing environment at home. The "family computer", nobody runs as root, is frequently re-imaged, has quite a few best practices for keeping it safe, and it does not have any sensitive information. The family knows not to click links from emails, be careful where you visit, the whole nine.

Well, Student (a family member of Colleague) is beginning to apply for colleges. College applications are expensive to fill out (I think it was about 50-75USD at a lot of places last time I looked), and depending on scores or interests, you might get little favorable response from them.

The other night, Colleague got a phone call from University, asking to speak with Student. Student goes on the call, and Colleague goes about some other work. 20 minutes later, Student emerges, full of pride that Student had just completed a college application. Without having to pay for it. For free. Over the phone. Not only that, but the caller ID said local directory assistance. But the college was in a different state. Student didn't ask for a callback number or any way of verifying the recruiter was indeed from University. Whatever information the caller didn't have about Student before, they certainly have now. (I believe Colleague is now in the process of filling out the paperwork for having Student's name changed to Undercover).

Sometimes you have to look for it. Sometimes, it looks for you.