15-Year-Old Hacker Shows Everyone At Tech Show That They're Completely Screwed When It Comes To Security

At once entertaining and terrifying.

One of the hottest panels at this year’s ILTACON involved self-taught hacker Marcus Weinberger walking the audience through just how easy it is to hack law firms and their clients. If you labored under the illusion that hacking is a difficult, arcane skill that only well-resourced, highly trained attackers can pull off, Weinberger shattered all that in a matter of minutes showing off his arsenal of equipment that he purchased for pocket change.

Weinberger’s father, Prosperoware’s lawyer-in-residence Ben Weinberger, kept the audience entertained by dutifully repeating disclaimers throughout his son’s presentation. Marcus Weinberger only hacks for purely educational purposes everyone.

Some of the key equipment Weinberger uses to mess with people on Wifi goes for as little as $1.50. And these tools aren’t buried deep within the Dark Web, all the products he showed off are readily available through mainstream sites like Amazon and eBay. The most expensive device of the whole presentation was a Wifi Pineapple that he claimed ran around $50. If you don’t know what a Pineapple does, it can basically force your phones to join a network of his choosing where a hacker could record your activity. “Man-in-the-middle” attacks through public wifi networks can be devastating and we all expose ourselves to these risks every day. Good luck feeling safe after learning that.

He explained that vulnerable websites can be identified through simple Google searches. With a vulnerable site and the help of massive password dictionaries, breaking into a site is a snap. By creating convincing spoof sites — often by registering domains that look like established firms but actually have non-English characters in the name that appear to be English characters. For example, did you know there are Cyrillic letters that look identical to English characters? Because hackers do. And someone trying to log into a spoof site won’t be content to enter one password and be denied. Once given an error message, Weinberger says the average person starts rolling through all their alternative passwords — getting each recorded by the hacker who will now be armed with multiple username/password combinations.

Will your clients divulge private information falling for attacks like this? Will your lawyers? When high-profile attorneys are still falling for spoofed emails, it’s hard to imagine they’re ready for this level of sophistication.

If there’s one tool outlined in this presentation that everyone should adopt, it’s a routine check of Have I Been Pwned, a website that tells you if your email has ever been compromised. Without naming any names, I entered firm email addresses for some well-known attorneys and detected multiple breaches. You’re probably not safe out there, and this kid proves it.

You can listen to the whole presentation here. Video should be available soon and we’ll update this story with that when it arrives.

Sponsored


HeadshotJoe Patrice is a senior editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter if you’re interested in law, politics, and a healthy dose of college sports news.

Sponsored

CRM Banner