Who can I hire to hack me?

112 points | edent | 7 years ago | shkspr.mobi

70 comments

[+] mikejarema|7 years ago|reply
A somewhat related and interesting read is Jameson Lopp's [1] efforts to make himself vanish: https://www.nytimes.com/2019/03/12/technology/how-to-disappe...

His goal was to make himself relatively anonymous in the real world and scrub his (actual) personal info from public/for-sale databases. And while he didn't hire anyone to pentest his digital identity, he did hire a PI to try and find him.

> To make sure he didn’t make any mistakes, Mr. Lopp paid private investigators to try to find him. It was an investigator who helped him figure out that his D.M.V. registration was making him vulnerable, which led him to getting a decoy address.

[1] https://twitter.com/lopp/

[+] smhenderson|7 years ago|reply
So it’s ok to lie to the DMV about your address? I had to give them three documents to prove my address to get a license and my wife did as well to get a state ID. Is the assumption that he knows he’s breaking the law and ok with it or is there some scenario where you can provide a false address and that’s ok?

Maybe it differs state to state?

[+] swiftcoder|7 years ago|reply
> If not, is this a million-dollar start-up idea?

The niche market of folks with enough security-savvy to know they need the services of a pen tester is pretty small. That said it's also a pretty wealthy niche, so a boutique "personal security coach" business could probably thrive.

[+] rmason|7 years ago|reply
Companies spend lots of money on security. But then it happens that they're vulnerable when an employee is hacked. I can see in the future companies paying to test their employees' individual security. They might even promote it as an employee perk.

I already know of a company that was hacked due to an email exploit. So they cleaned things up and gave employees specific training. Then six months later they launched their own email attack, something like ten percent of their employees failed that test!

[+] tptacek|7 years ago|reply
You probably can't reasonably pay someone to attack third parties that protect your information. For instance, at several of the startups we run security for, even with your password, a suspicious new pattern of login anomalies will generate an investigation that will consume resources on our end, and we'd be pretty pissed to find out that we'd done it because of a stunt you paid for.
[+] lukecameron|7 years ago|reply
While I agree with the general unfairness of this, on the other hand we currently have an ecosystem where SaaS products are used by most people to get their work done and generally manage their lives.

Shouldn't we have the right to know or be able to check how secure our data and identity is on these services?

[+] YjSe2GMQ|7 years ago|reply
I imagine that if there was a larger market for this, people like you would allow personal pen-testers to pre-register their attempts. Just out of necessity.
[+] progval|7 years ago|reply
On the other hand, you might be able to profit from this, if these third parties are able to find vulnerabilities in your process. Free security audits.
[+] HenryBemis|7 years ago|reply
From my years of working in big Banks, none would appreciate a stunt like "hi I gave the approval to hackerX to try and steal money from my account in YOUR bank."

Apart from an obvious black list you are looking at a world of pain both by the bank's lawyers AND the authorities. It may be YOUR money but tampering with a bank's systems is very much criminal activity in most countries.

[+] HenryBemis|7 years ago|reply
Also... play this imaginary dialogue between you and a Judge:

Judge: who gave you the right to invite someone to hack a company's e-banking security process or Facebook's security processes?

You: it is my data

Judge: it is THEIR system, see you and your friend in 5-to-10 (or whatever the penalty is in whichever country)

[+] zrobotics|7 years ago|reply
>>I can find some which claim to test the security of CEOs and celebrities. But I can't find anything for ordinary people.

Those are the services for "ordinary people". The thing is, they advertise to celebrities & CEOs because there aren't many people willing to pay for pentesting. That will always be an expensive service, since it by definition requires highly-skilled employees. A service that advertises to celebrities would almost certainly be willing to work with an ordinary individual, but how many people are willing to pay for the service? Certainly not enough for this to be a million-dollar idea.

[+] DaniloDias|7 years ago|reply
A service for “ordinary people” would likely involve targeting services which are not operated by the customer (e.g. brute forcing gmail or fb creds).

The tester would be taking on legal risk for performing any kind of account takeover.

Consequently, I don’t see this as a viable service offering.

[+] close04|7 years ago|reply
> When an organisation asks me to set a recovery question, I generate a 32 character passphrase

This is not actually the best way. For some services eventually you get to a person in a call center who can actually check those security questions to perform a password reset (when all else fails). Having a random string opens the door for someone to claim "oh I think I put something random in there, I really forgot what" and it's likely they'll pull it off. Especially if the hacker knows (somehow[0]) that you put a random string there and it's exactly 32 characters long.

Just go with a plausible name that's still not straightforward to guess.

[0] You may blog about it... Or discuss it loudly and be overheard.

[+] lstodd|7 years ago|reply
No, this is the best way.

I go another step and do not keep that recovery answer once put into the form. Does wonders to make sure everything else does not fail.

In your scenario the service is already broken and the door is wide open no matter what you choose as the recovery answer.

[+] edoo|7 years ago|reply
I would go with a company that has a reputation. If you go find some randoms in an IRC channel they might take advantage of anything they find. A little crowdsourced service that offers rewards for finding vulnerabilities in your system might be a success but good luck managing that and dealing with the people you got tricked into hacking.

One thing to consider is the password manager generated security questions. Half the customer service agents out there will accept "it is just a bunch of random characters I typed". Security questions should go the "correct horse battery staple" route.

[+] edent|7 years ago|reply
My security answers are often random "junk". I've tried to social engineer my way into my own accounts a couple of times - and all of them have insisted on me reading out the full "answer".
[+] berbec|7 years ago|reply
I would love to find a service like this. I, and some individuals I know, would definitely pay for this.
[+] OliverJones|7 years ago|reply
The real question:

Is this service available to public figures like:

* John Podesta (of the US Democratic National Committee, phishing target)

* John Brennan (former CIA director, whose AOL account was pwnd by teenagers while he held that job)

Of course it is. But these sorts of powerful people always think somebody else is the target.

Mr. Eden's proposal is a good one. Too bad such a business would need more lawyers than pentesters.

[+] peteretep|7 years ago|reply
> John Podesta ... always think someone else is the target

You’re aware that Mr Podesta flagged the email as being suspicious, sent it to their security person, and was given the all clear before following it?

[+] goshx|7 years ago|reply
I went to an event recently dedicated to CIOs/CTOs/VP's of Engineering where they had a few talks about cyber security.

It's amazing how those people don't really have much clue about it all. Imagine who's not in the tech field.

I had the same idea at the time. I am not sure if people would pay for such a service, but they definitely need it.

[+] tastroder|7 years ago|reply
Those people would likely benefit much more from the awareness trainings pentest shops usually offer as well, snake oil reports without changes in behaviour really don't secure anything.
[+] motohagiography|7 years ago|reply
Was going to talk a bunch of smack about pen-testing, but instead, if someone were offering this service, I'd love to go head to head with them to determine who delivered more value over time and money, a pen-test vs. a risk assessment.
[+] tgsovlerkhgsel|7 years ago|reply
Simulating a highly targeted attack is expensive, and the protection most people have against those is that they're not interesting enough to spend so much effort on.

For the average person, the main threats are various forms of social engineering, mostly the kind that is really obvious to anyone who has a rough idea how security works ("This is a secure document, please click yes when it asks you to allow this document to execute arbitrary code"), and software so far out of date that common exploit kits have pre-packaged exploits.

[+] etaerc|7 years ago|reply
Most people probably forget how you could use a "stalk my ex" russian bulletin board service for $50 to stalk yourself. Russian script kiddies are probably happy to comply since the FBI can't really harm them.

But I think in most countries you would still be liable to Google/FB etc if the attack gets detected and linked to you.

[+] aboutruby|7 years ago|reply
You could use "hacker for hire" services on Tor.

You could also hide a bounty somewhere (e.g. in an email, in a private Github repo, etc.).

You don't even need to mention this is your account, e.g. "I want the email password of X for Y bitcoins".

Both solutions come with their own issues, but I don't think there is a legal way to do a full pentest.

[+] gitpusher|7 years ago|reply
To make such a business profitable, you'd need to invent a slew of new techniques for bringing down the cost of pen-testing. This would have applications far beyond the scope of your business idea.
[+] alexnewman|7 years ago|reply
I’ve done it for free. You can have your identity back by sending btc to ...
[+] abhinai|7 years ago|reply
If anyone decides to start a company for this, please sign me up as your first paying customer.
[+] dboreham|7 years ago|reply
This is a Bezos-level service, no? I mean it exists but is going to cost O($100k).