Reporter challenged hackers to investigate him & what they found out is chilling

Article first appeared in pandodaily:

Two months earlier I (Adam Penenberg) challenged Nicholas Percoco, senior vice president of SpiderLabs, the advanced research and ethical hacking team at Trustwave, to perform a personal “pen-test,” industry-speak for “penetration test.” The idea grew out of a cover story I wrote for Forbes some 14 years earlier, when I retained a private detective to investigate me, starting with just my byline. In a week he pulled up an astonishing amount of information, everything from my social security number and mother’s maiden name to long distance phone records, including who I called and for how long, my rent, bank accounts, stock holdings, and utility bills.

The detective, Dan Cohn, owned and operated Docusearch, a website that trafficked in personal information, and at the time, he was charging $35 to dig up someone’s driving record, $45 for his bank account balances, $49 for a social security number, $84 to trace a mobile number, and $209 to compile his stocks, bonds, and securities. The site offered a simple clickable interface and Amazon-like shopping cart. It’s still around today, boasting similar services. “Licensed Investigators for Accurate Results” reads the tag line, calling itself “America’s premier provider of on-line investigative solutions.”

For Cohn, digging through what I had assumed was personal information, was less challenging than filling in a crossword puzzle. He was able to collect this amalgam of data on me without leaving the air-conditioned cool of his office in Boca Raton, Florida. In addition to maintaining access to myriad databases stuffed with Americans’ personal information, he was a master of “pre-texting.” That is, he tricked people into handing over personal information, usually over the telephone. Simple and devilishly effective. When the story hit newsstands with a photo of Cohn on the cover and the eerie caption: “I know what you did last night,” it caused quite a stir. It was even read into the Congressional Record during hearings on privacy.

What I learned is that virtually all of us are vulnerable to electronic eavesdropping and are easy hack targets. Most of us have adopted the credo “security by obscurity,” but all it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy — and, if they choose, to wreak havoc on your finances and destroy your reputation.

Earlier this year I contacted him to pen a guest post for PandoDaily. In it, Percoco warned that unscrupulous people could potentially intercept your private messages and inject malevolent code into your computer over a coffee shop’s Wi-Fi. I liked how he wrote the piece. He didn’t hype the threat. Instead he laid out the facts, relayed some anecdotes from his work, and offered basic, actionable prescriptions.

You can tell a lot about a person by the way he writes. As a journalism professor, I get to know my students’ writing better than they know it themselves. And Percoco, through his prose, struck me as someone who was smart, well informed on security issues, and careful with what he said and how he said it. “Comp-sec,” as it’s called – short for computer security – is rife with charlatans. It often seems the more fame someone accrues in that world, the less he’s accomplished and even less he knows.
http://pandodaily.com/2013/10/26/i-challenged-hackers-to-investigate-me-and-what-they-found-out-is-chilling/#!