Hackad (2021–…): Season 1, Episode 5 - Kändishacket - full transcript
The time now is 09.08. - Anders!
The time now is 09.08,
I'm now putting on the first product.
Linus found her downtown and
pretended to be a fan of some sort–
- and wanted a selfie.
Excuse me. Therese Lindgren?
My daughter watches you on Youtube.
- Can I take a selfie?
-Of course.
People tend to lower their guard a bit
when it comes to children.
It's a nasty tactic, but that's how it is
online. There are no rules there.
What does the CEO say about
how to protect yourself online?
You have a password and double password.
-He should have had triple passwords!
-Hope he has.
And do you know what their password was?
I'm not joking. They had Password01.
I love "Svenska Nyheter", so it
was fun to hit back.
SVT is letting professionals
hack individuals and companies -
-To show the vulnerabilities
in our society.
David, Linus, Jesper and Jinny
got 48 hours to hack–
- two public figures:
The influencer Therese Lindgren–
And the host
Kristoffer Appelquist.
To infiltrate and hijack their
largest and most important online accounts.
Password01 ...
I wonder if the experts believe–
- that there really is criminal
superminds behind this.
But the government need help with
keeping IT security at a reasonable level.
We've been looking
at his online footprint.
We've looked in leaked databases
and found some passwords.
Probably old passwords
to old accounts that leaked.
We checked his sites online.
Often people are already hacked
without knowing about it.
There are loads of information
for sale on the Internet.
For instance, your address or password
to your email is for sale.
They are incredibly cheap to buy,
so you can buy millions of them.
Then if I choose you,
I can try the password–
- since many people reuse the same password
in several places.
It's mainly two passwords
he's very in love with.
- He's not a mastermind of passwords?
-No.
"Katamaran" has been used more than
once. Then the best password–
-Which makes you like him:
"hatasj". He's probably commuted a lot.
It's quite frustrating, because we have
tested the passwords we found.
Nothing works.
Linus and I have coded a cool thing.
But it requires access to the computer.
We must somehow deliver
some form of code, a back door.
We need access
to a device on his computer.
It should work. We wont fail.
Lots of people here now. We NEED
to get access to his laptop.
We can't do it from the outside
in the time we have.
-Yes ... It's cheating, but ...
-Yeah, but you ask us to do magic.
We get so little time to do
something that takes a hell of a long time.
When you're fishing
for peoples password-
-you send 10 000 emails.
Eventually someone takes the bait.
Here you ask us
to go in and just ... / FINGER SNAP /
-It's not possible.
-If we get him away from the computer ...
It's a classic thing that people do,
they leave their computer unlocked.
Kristoffer has approved
to be hacked.
The only thing he knows is
that it will take place in the next few weeks–
- and that he will be interviewed by SVT.
I'll join you. I'll borrow a camera.
I don't know how it works, but ...
I'm from Gothenburg, It'll be fine.
The only cheat we're asking for ...
... is access to the computer
for a minute.
You get to join us, and if you can do stuff
with his computer you get to do it.
I'm reading comments.
I'm looking for...
... language and words I can use
in a phishing email.
Phishing is when you email
and claim to be someone–
-And then tries to trick the recipient
run a file or click on a link -
-Where they may need to log in
with a password or similar.
Our new identity
is Frida Kvarnesson.
I don't even know if it's a real name,
now it is anyway.
We have all this material
to create this character -
-and hopefully
get Therese into a false sense of security -
- that it's a child
and not someone who can hurt her.
We hope it increases the chance that she
gives us her login information.
It's uncomfortable for me to log in
with my index finger. Just a thing like that.
I started a makeup channel
on Youtube, but only after a year–
- I started to mention
that I was suffering from panic disorder.
Then I got a lot of questions about
mental illness and personal issues.
I then changed my content a bit
to what the people watching my videos–
- were interested in.
It suited me much better too.
Today it's a lifestyle channel.
I record my days.
Today there's one million followers
both on Youtube and Instagram.
I'm really a control freak,
so it feels uncomfortable that I'm ...
... not really in control
over the technical.
Should my Youtube channel vanish
because someone hacks it-
-Or whatever can happen online,
then I don't know what I'll do.
I don't have a number for Youtube
that can solve it. It's scary.
I'm very vulnerable. Every day I get
SMS from Snapchat, Instagram ...
... and Facebook, which says:
"This is the code to enter."
A two-step verification. So many
people trying to get into my accounts.
But so far I have never
been hacked.
"Hey, Tessan!"
"My dad met you
downtown."
We can "slam" a heart emoji here.
Hopefully
she'll click on the link -
And comes to a login page
for her Youtube account -
- that we have created - a fake page.
She's asked to log in to Youtube.
Hopefully she doesn't think twice
and enters her information.
Then we'll have it
and can log in to her Youtube.
I think I'm pretty
reserved. It'll probably backfire.
But I don't save my passwords
so that they are auto-filled.
When I enter
credit card numbers -
-It asks if I want to save it,
but I always press no.
I usually
turn off location services on apps.
I still think about it a bit, compared
to my partner who just pushes yes.
Phishing is behind 50-70% of
all data breaches. That's the key to
- the most complex crimes
we have in the world. It's the email itself ...
According to Statistics Sweden, it was sent to
three million Swedes some years ago–
–These types of emails.
And I know there are even more.
So it's the crime where you
use the power of the internet the most.
It's a simple way
to trick a large number of people.
It's enough that a few people falls for it
for the people behind to earn-
- an incredible amount.
There's a huge amount of money in it.
The plan is to try to infect
Kristoffer's laptop with a back door.
A hidden program that gives us
remote access to it-
-so we can spy on the user.
But many variables and obstacles
make it difficult, and time is short.
To avoid suspicion
Jesper pretends he's a photographer.
The goal is to run malicious code
on Kristoffer's computer via a USB
- without him noticing.
-Hey! Welcome.
-Thanks. I'm Jesper.
I got a camera
and pretended like I belonged.
I walked around the room and
pretended that I was one of the team.
At the same time I had contact
with my colleagues on the outside.
Everyone in Ocean's Thirteen
who intends to rob a bank
-But haven't managed to get the
blueprints yet, can relax.
Such blueprints have leaked!
Who are these hackers?
They are ingenious. We have to work
even harder to catch up.
I am a TV host at SVT
and host Svenska Nyheter.
I work full time with it
20 weeks a year.
Otherwise, I do podcasts
which we record and edit here.
Let's prepare the interview.
We'll take a picture when Jesper sits down.
I'll take one in here when it's empty.
When you left and did the interview
I was alone in one of the rooms.
There was no door in between. I could
have poked him in the neck.
Very close! Not much sound is needed
for someone to turn around.
While the team prepares the interview -
- David and Linus drives to Therese's
apartment to plant more traps.
- Do you have her address?
-No, I actually don't have that.
- Should I fix it?
-Yes, do it.
Therese: The worst that can happen
is everything that risk my safety.
It only takes one crazy person -
- to make it very uncomfortable
for me and my family.
The worst that can happen is
private information being spread-
-like phone number and address, and
that the wrong person uses it against me.
David is preparing
an envelope with her address on–
And a letter with a USB stick,
a usb memory.
There's a backdoor on it. It looks
like a pdf file but is a backdoor.
We'll drop it in her mailbox.
We trick her to open the file.
We'll say we nominate her
for an award–
-Because she's a good influencer
and has made a effort.
I'll see
if I can attack her wifi.
It could work
or completely fail, but here we go.
David and I were waiting outside
her gate for someone to enter.
Then the plan was to follow.
Two people came -
-Which entered the adjoining gate
so then we went in there instead.
It turned out that we got into her
staircase via that gate as well.
I have the PIN code for the door,
if we want to come back.
The USB stick is delivered. If she pluggs
it into the laptop and opens the file-
- then we'll get access to her computer
and can steal secrets–
-And maybe access password.
We have recorded signals
from the wifi.
If we break the wifi password, we go back.
We're trying
as many attack surfaces as possible–
- instead of all the eggs in one basket.
The risk is that it doesn't work.
She may not even read the email.
Someone else might handle her emails.
A lot can go wrong.
That's why we're throwing a wide net,
to increase the chance of success.
We agree that
that you should challenge your mandate.
Interesting things happen there,
whether you are a host -
-Or if you are the principal of a school.
Challenge what you are allowed to do
and consider what you'd rather do–
-And try to squeeze it
into your mandate.
It will be much more fun
if you do.
What happens will happen. The USB
will place files locally-
-But also sends two connections
to our server.
Älvsjö. It's running.
-Maybe it's the USB.
Yes, yes, yes!
I suspect
that my approach to IT security–
- is a bit like people's attitude
to safety at sea.
"I don't need a life jacket,
because I never go near the edge. "
You're thinking one step too short.
If there's a fire, you have to jump overboard.
Then the difference between
survival and death is a life jacket.
You don't understand what you're doing
But I don't think I'm the worst.
I've still made an effort at some point.
I don't want to be the guy who didn't want-
- there to be cars,
because horses were safer.
This is how it is.
There is nothing worse
than sitting in an internal system -
- like an uncle named Leif
has created, which sucks-
-Just to avoid
sharing our eating habits -
- with Silicon Valley. Which they
will find somewhere anyway.
I can 't do anything about it.
Deal with it.
- Is it still open?
-Yes.
-Now!
-Yes! We're in!
We have access to basically all
files, and we're downloading them.
Documents, photos,
but above all passwords.
We downloaded everything that may
contain passwords, such as browsers.
-Thanks so much. See you tonight.
-Yes, we will.
Even if the hackers have access
to Kristoffer's computer -
- they need to get the passwords.
This is where key chain comes into the picture.
Key chain is an encrypted container
where the computer saves passwords
PIN codes and credit card details.
For our hackers, it's a goldmine.
The problem is
that the lock is robust and hard to crack.
You are currently 1:st in the queue.
People often use the same basis
when picking passwords.
It's super common for people
to add a year and a special character.
So that he has one of his former
known passwords with a year after–
- is something we must try.
Welcome to the Tax Information.
Hi. My name is Linus. I want some
information about a person's child.
We'll see what information we have.
It's easy to call the Swedish Tax Agency,
it's like an open book.
- Is this about Kristoffer Appelquist?
-Yes.
Two adult children and a minor.
Want to know who the adults are?
Everyone.
- Was it the addresses you wanted?
–Social security numbers.
Something we know is common
is to use the children's birthyear.
-Only the first six digits?
- No, all of it.
-Great. Thanks so much.
-Thanks. Bye.
This is not Denmark,
with semi-secret social security numbers.
We guessed passwords like crazy.
Pretty slow against an Apple Keychain.
It went slowly. The hours went.
We had a deadline of 20:00.
I'm gonna have to stop now.
I just don't have enough time.
- Therese?
-Yes. It will be difficult.
We've tried to crack her wifi,
but failed.
We put a letter with a usb memory
in her mailbox.
She hasn't plugged it in it seems.
We still have the phishing attack.
I can imagine Therese's day
starts with her having her morning coffee.
Then she opens her computer,
and there's 56,000 unread emails.
Scroll, scroll. "Let's get to work."
I don't think she has time.
Since yesterday I have received text messages
which looks different.
It's an sms with asian characters,
I don't know what language. And...
And yesterday when I sat on Youtube,
I was logged out.
My partner asked: "Does this usually happen?"
It has not happened in eight years -
-That I was suddenly logged out of
Google and Youtube.
So that was weird.
The hackers realize that there's no time
to both steal Therese's password-
–And get past her two-factor-
authentication. The hack is canceled.
-Hello.
-Hello! Hey!
-How's it going?
-Good.
You have on the street
met a dad to a fan.
-Yes!.
I was so happy too.
And then I got an email from his daughter
and became so happy.
I clicked the link, because she had
seen something in a video. I clicked.
What happened then?
It came up that I should fill in
my details. So I closed it.
–Ah ...
- We sent you phishing emails.
The goal was to get you to click -
-And hopefully, sometime
when you're not so alert, log in–
-And then we hope that the details
were used elsewhere.
Oh, no! Was it phishing, phishing-
email, when you send out links?
-Exactly. "Nätfiske" in Swedish.
-I understand.
Very well done, Therese!
This was very unpleasant,
but it was very interesting.
I have learned a lot
about reflecting.
- Very kind of you, Therese.
-Thank you so much for today.
We all need to improve our
security on the internet, talk about it.
We need to educate ourselves
and each other.
We need to make demands on politicians
for major efforts -
- when it comes to our IT security.
They need to give more money
to the police–
So that they can investigate
and prevent crime on the internet.
These are important issues.
Passwords must be unique.
That is the most important thing.
Because if one service gets hacked,
you only need to change that password-
- and wont risk
something happening on the other sites.
The second is that it must be long
- at least 12-15 characters.
The children's names - no. The dog's name
or the registration number - no.
123456 - no, come on!
Rather than a character soup
you can use a phrase. You can have:
"MyMotherSangForMeOnce-
WhenIWasSleeping".
The longer, the harder it is to crack.
It is easier to remember phrases.
But we shouldn't have to remember
passwords - use password manager!
There are countless of them.
find out your needs, and choose tools.
–Hey! Good work!
-So damn nice!
The breakthrough came when my computer cracked
the password to his key chain.
It was a combination of his
old password "hatasj" -
And the birth year of one of his children.
Then the treasure chest opened: key chain.
Now we all have passwords in the key chain.
We have Chrome login passwords.
We have to decrypt it now,
because it contains more passwords.
David managed to decrypt it and
the secrets just poured out.
We all have passwords for Chrome
Extensions now. Everything!
–The works!
–162 different ones. Good.
-We can login to Instagram, right?
-What nasty tricks should we do?
-I think a picture is fun.
- I can check Facebook.
He has to put up with a bit of mischief.
We take a picture where we stand
with a sign: "Double passwords."
Are you ready? Smile.
Ten hours has passed since the hackers
infected Kristoffer's computer.
Now Jesper can be himself.
It's time to reveal himself.
-Hello! My name is Jesper.
-Welcome.
I work as an IT security specialist
- you probably already understood that.
-I have.
- You look a bit confused.
No, but ... I think we
have had contact during the day.
- I got some emails because of you.
-That's probably true.
-At least the last few hours.
-Right.
- Have you noticed anything else?
-I think Instagram, Facebook and ...
- Can we check Instagram now, or?
-Yes absolutely.
Damn, you didn't post on Instagram?
-No no no....
Check the latest post.
Are you nervous, or?
-Yes of course.
No worries, it's safe for work.
Do you recognize anyone?
/ JESPER LAUGHS /
Thank you very much.
It says "double passwords".
Proof that I was owned,
It hurt little.
I'm not an IT manager
at some damn security company.
-I'm a clown.
-But a pretty good clown.
But I didn't do this alone,
I had help. Here they are.
Can you see us? You're frozen.
-Yes now. Hey!
-Hello!
David and I were in the hotel room
and joined via Teams.
We could control his computer from there.
- Do you have your computer in front of you?
-I do.
Is there something on your screen now?
I opened this document
that I had-
- with over 100 usernames
and password, on the screen.
–Shit!
- You need triple passwords.
Thanks. I knew this would come back
and bite me in the ass.
It was fun hacking Kristoffer, since
Svenska Nyheter is quite provocative.
He took it well.
But ... oh yeah. It's pretty frustrating,
because it's not just my passwords.
It's SVT's password -
-Which I have been given as
trade secrets. Damn, this sucks!
But you know? I'm also super happy.
Because if I had this list,
I would have save so much time!
I've agreed to this,
so not much to whine about.
It's an eye opener
how all your stuff is connected.
"I have that password there too,
so if someone finds it "...
I get that someone malicious can
mess things up for me.
A bit like standing at the board
in The Luxury Trap:
"I knew I had bad economy
but not that it was this bad. "
Good summary.
The hackers' phishing
against Therese failed.
Therese clicked on a link, but
never entered her details.
Kristoffer's computer was infected.
The hackers could, after eight hours
unlock the computer key chain.
They stole just over 100 credentials,
like Kristoffer's Instagram account.
Kristoffer: I was happy to
join this program.
The reason is simple: It would be fun
to find out what I am worst at–
-So that I can be the best at it
instead. Now I can start doing it right.
I searched for passwords. Then I've
been reading. You have to kill me now?
-No, but ... Is the camera turned off?
- We need to fix this.
What you have found, we have to
fix - and it's pretty urgent.
Subtitles: Barbro Garneij
Swedish Media Text for SVT
The time now is 09.08,
I'm now putting on the first product.
Linus found her downtown and
pretended to be a fan of some sort–
- and wanted a selfie.
Excuse me. Therese Lindgren?
My daughter watches you on Youtube.
- Can I take a selfie?
-Of course.
People tend to lower their guard a bit
when it comes to children.
It's a nasty tactic, but that's how it is
online. There are no rules there.
What does the CEO say about
how to protect yourself online?
You have a password and double password.
-He should have had triple passwords!
-Hope he has.
And do you know what their password was?
I'm not joking. They had Password01.
I love "Svenska Nyheter", so it
was fun to hit back.
SVT is letting professionals
hack individuals and companies -
-To show the vulnerabilities
in our society.
David, Linus, Jesper and Jinny
got 48 hours to hack–
- two public figures:
The influencer Therese Lindgren–
And the host
Kristoffer Appelquist.
To infiltrate and hijack their
largest and most important online accounts.
Password01 ...
I wonder if the experts believe–
- that there really is criminal
superminds behind this.
But the government need help with
keeping IT security at a reasonable level.
We've been looking
at his online footprint.
We've looked in leaked databases
and found some passwords.
Probably old passwords
to old accounts that leaked.
We checked his sites online.
Often people are already hacked
without knowing about it.
There are loads of information
for sale on the Internet.
For instance, your address or password
to your email is for sale.
They are incredibly cheap to buy,
so you can buy millions of them.
Then if I choose you,
I can try the password–
- since many people reuse the same password
in several places.
It's mainly two passwords
he's very in love with.
- He's not a mastermind of passwords?
-No.
"Katamaran" has been used more than
once. Then the best password–
-Which makes you like him:
"hatasj". He's probably commuted a lot.
It's quite frustrating, because we have
tested the passwords we found.
Nothing works.
Linus and I have coded a cool thing.
But it requires access to the computer.
We must somehow deliver
some form of code, a back door.
We need access
to a device on his computer.
It should work. We wont fail.
Lots of people here now. We NEED
to get access to his laptop.
We can't do it from the outside
in the time we have.
-Yes ... It's cheating, but ...
-Yeah, but you ask us to do magic.
We get so little time to do
something that takes a hell of a long time.
When you're fishing
for peoples password-
-you send 10 000 emails.
Eventually someone takes the bait.
Here you ask us
to go in and just ... / FINGER SNAP /
-It's not possible.
-If we get him away from the computer ...
It's a classic thing that people do,
they leave their computer unlocked.
Kristoffer has approved
to be hacked.
The only thing he knows is
that it will take place in the next few weeks–
- and that he will be interviewed by SVT.
I'll join you. I'll borrow a camera.
I don't know how it works, but ...
I'm from Gothenburg, It'll be fine.
The only cheat we're asking for ...
... is access to the computer
for a minute.
You get to join us, and if you can do stuff
with his computer you get to do it.
I'm reading comments.
I'm looking for...
... language and words I can use
in a phishing email.
Phishing is when you email
and claim to be someone–
-And then tries to trick the recipient
run a file or click on a link -
-Where they may need to log in
with a password or similar.
Our new identity
is Frida Kvarnesson.
I don't even know if it's a real name,
now it is anyway.
We have all this material
to create this character -
-and hopefully
get Therese into a false sense of security -
- that it's a child
and not someone who can hurt her.
We hope it increases the chance that she
gives us her login information.
It's uncomfortable for me to log in
with my index finger. Just a thing like that.
I started a makeup channel
on Youtube, but only after a year–
- I started to mention
that I was suffering from panic disorder.
Then I got a lot of questions about
mental illness and personal issues.
I then changed my content a bit
to what the people watching my videos–
- were interested in.
It suited me much better too.
Today it's a lifestyle channel.
I record my days.
Today there's one million followers
both on Youtube and Instagram.
I'm really a control freak,
so it feels uncomfortable that I'm ...
... not really in control
over the technical.
Should my Youtube channel vanish
because someone hacks it-
-Or whatever can happen online,
then I don't know what I'll do.
I don't have a number for Youtube
that can solve it. It's scary.
I'm very vulnerable. Every day I get
SMS from Snapchat, Instagram ...
... and Facebook, which says:
"This is the code to enter."
A two-step verification. So many
people trying to get into my accounts.
But so far I have never
been hacked.
"Hey, Tessan!"
"My dad met you
downtown."
We can "slam" a heart emoji here.
Hopefully
she'll click on the link -
And comes to a login page
for her Youtube account -
- that we have created - a fake page.
She's asked to log in to Youtube.
Hopefully she doesn't think twice
and enters her information.
Then we'll have it
and can log in to her Youtube.
I think I'm pretty
reserved. It'll probably backfire.
But I don't save my passwords
so that they are auto-filled.
When I enter
credit card numbers -
-It asks if I want to save it,
but I always press no.
I usually
turn off location services on apps.
I still think about it a bit, compared
to my partner who just pushes yes.
Phishing is behind 50-70% of
all data breaches. That's the key to
- the most complex crimes
we have in the world. It's the email itself ...
According to Statistics Sweden, it was sent to
three million Swedes some years ago–
–These types of emails.
And I know there are even more.
So it's the crime where you
use the power of the internet the most.
It's a simple way
to trick a large number of people.
It's enough that a few people falls for it
for the people behind to earn-
- an incredible amount.
There's a huge amount of money in it.
The plan is to try to infect
Kristoffer's laptop with a back door.
A hidden program that gives us
remote access to it-
-so we can spy on the user.
But many variables and obstacles
make it difficult, and time is short.
To avoid suspicion
Jesper pretends he's a photographer.
The goal is to run malicious code
on Kristoffer's computer via a USB
- without him noticing.
-Hey! Welcome.
-Thanks. I'm Jesper.
I got a camera
and pretended like I belonged.
I walked around the room and
pretended that I was one of the team.
At the same time I had contact
with my colleagues on the outside.
Everyone in Ocean's Thirteen
who intends to rob a bank
-But haven't managed to get the
blueprints yet, can relax.
Such blueprints have leaked!
Who are these hackers?
They are ingenious. We have to work
even harder to catch up.
I am a TV host at SVT
and host Svenska Nyheter.
I work full time with it
20 weeks a year.
Otherwise, I do podcasts
which we record and edit here.
Let's prepare the interview.
We'll take a picture when Jesper sits down.
I'll take one in here when it's empty.
When you left and did the interview
I was alone in one of the rooms.
There was no door in between. I could
have poked him in the neck.
Very close! Not much sound is needed
for someone to turn around.
While the team prepares the interview -
- David and Linus drives to Therese's
apartment to plant more traps.
- Do you have her address?
-No, I actually don't have that.
- Should I fix it?
-Yes, do it.
Therese: The worst that can happen
is everything that risk my safety.
It only takes one crazy person -
- to make it very uncomfortable
for me and my family.
The worst that can happen is
private information being spread-
-like phone number and address, and
that the wrong person uses it against me.
David is preparing
an envelope with her address on–
And a letter with a USB stick,
a usb memory.
There's a backdoor on it. It looks
like a pdf file but is a backdoor.
We'll drop it in her mailbox.
We trick her to open the file.
We'll say we nominate her
for an award–
-Because she's a good influencer
and has made a effort.
I'll see
if I can attack her wifi.
It could work
or completely fail, but here we go.
David and I were waiting outside
her gate for someone to enter.
Then the plan was to follow.
Two people came -
-Which entered the adjoining gate
so then we went in there instead.
It turned out that we got into her
staircase via that gate as well.
I have the PIN code for the door,
if we want to come back.
The USB stick is delivered. If she pluggs
it into the laptop and opens the file-
- then we'll get access to her computer
and can steal secrets–
-And maybe access password.
We have recorded signals
from the wifi.
If we break the wifi password, we go back.
We're trying
as many attack surfaces as possible–
- instead of all the eggs in one basket.
The risk is that it doesn't work.
She may not even read the email.
Someone else might handle her emails.
A lot can go wrong.
That's why we're throwing a wide net,
to increase the chance of success.
We agree that
that you should challenge your mandate.
Interesting things happen there,
whether you are a host -
-Or if you are the principal of a school.
Challenge what you are allowed to do
and consider what you'd rather do–
-And try to squeeze it
into your mandate.
It will be much more fun
if you do.
What happens will happen. The USB
will place files locally-
-But also sends two connections
to our server.
Älvsjö. It's running.
-Maybe it's the USB.
Yes, yes, yes!
I suspect
that my approach to IT security–
- is a bit like people's attitude
to safety at sea.
"I don't need a life jacket,
because I never go near the edge. "
You're thinking one step too short.
If there's a fire, you have to jump overboard.
Then the difference between
survival and death is a life jacket.
You don't understand what you're doing
But I don't think I'm the worst.
I've still made an effort at some point.
I don't want to be the guy who didn't want-
- there to be cars,
because horses were safer.
This is how it is.
There is nothing worse
than sitting in an internal system -
- like an uncle named Leif
has created, which sucks-
-Just to avoid
sharing our eating habits -
- with Silicon Valley. Which they
will find somewhere anyway.
I can 't do anything about it.
Deal with it.
- Is it still open?
-Yes.
-Now!
-Yes! We're in!
We have access to basically all
files, and we're downloading them.
Documents, photos,
but above all passwords.
We downloaded everything that may
contain passwords, such as browsers.
-Thanks so much. See you tonight.
-Yes, we will.
Even if the hackers have access
to Kristoffer's computer -
- they need to get the passwords.
This is where key chain comes into the picture.
Key chain is an encrypted container
where the computer saves passwords
PIN codes and credit card details.
For our hackers, it's a goldmine.
The problem is
that the lock is robust and hard to crack.
You are currently 1:st in the queue.
People often use the same basis
when picking passwords.
It's super common for people
to add a year and a special character.
So that he has one of his former
known passwords with a year after–
- is something we must try.
Welcome to the Tax Information.
Hi. My name is Linus. I want some
information about a person's child.
We'll see what information we have.
It's easy to call the Swedish Tax Agency,
it's like an open book.
- Is this about Kristoffer Appelquist?
-Yes.
Two adult children and a minor.
Want to know who the adults are?
Everyone.
- Was it the addresses you wanted?
–Social security numbers.
Something we know is common
is to use the children's birthyear.
-Only the first six digits?
- No, all of it.
-Great. Thanks so much.
-Thanks. Bye.
This is not Denmark,
with semi-secret social security numbers.
We guessed passwords like crazy.
Pretty slow against an Apple Keychain.
It went slowly. The hours went.
We had a deadline of 20:00.
I'm gonna have to stop now.
I just don't have enough time.
- Therese?
-Yes. It will be difficult.
We've tried to crack her wifi,
but failed.
We put a letter with a usb memory
in her mailbox.
She hasn't plugged it in it seems.
We still have the phishing attack.
I can imagine Therese's day
starts with her having her morning coffee.
Then she opens her computer,
and there's 56,000 unread emails.
Scroll, scroll. "Let's get to work."
I don't think she has time.
Since yesterday I have received text messages
which looks different.
It's an sms with asian characters,
I don't know what language. And...
And yesterday when I sat on Youtube,
I was logged out.
My partner asked: "Does this usually happen?"
It has not happened in eight years -
-That I was suddenly logged out of
Google and Youtube.
So that was weird.
The hackers realize that there's no time
to both steal Therese's password-
–And get past her two-factor-
authentication. The hack is canceled.
-Hello.
-Hello! Hey!
-How's it going?
-Good.
You have on the street
met a dad to a fan.
-Yes!.
I was so happy too.
And then I got an email from his daughter
and became so happy.
I clicked the link, because she had
seen something in a video. I clicked.
What happened then?
It came up that I should fill in
my details. So I closed it.
–Ah ...
- We sent you phishing emails.
The goal was to get you to click -
-And hopefully, sometime
when you're not so alert, log in–
-And then we hope that the details
were used elsewhere.
Oh, no! Was it phishing, phishing-
email, when you send out links?
-Exactly. "Nätfiske" in Swedish.
-I understand.
Very well done, Therese!
This was very unpleasant,
but it was very interesting.
I have learned a lot
about reflecting.
- Very kind of you, Therese.
-Thank you so much for today.
We all need to improve our
security on the internet, talk about it.
We need to educate ourselves
and each other.
We need to make demands on politicians
for major efforts -
- when it comes to our IT security.
They need to give more money
to the police–
So that they can investigate
and prevent crime on the internet.
These are important issues.
Passwords must be unique.
That is the most important thing.
Because if one service gets hacked,
you only need to change that password-
- and wont risk
something happening on the other sites.
The second is that it must be long
- at least 12-15 characters.
The children's names - no. The dog's name
or the registration number - no.
123456 - no, come on!
Rather than a character soup
you can use a phrase. You can have:
"MyMotherSangForMeOnce-
WhenIWasSleeping".
The longer, the harder it is to crack.
It is easier to remember phrases.
But we shouldn't have to remember
passwords - use password manager!
There are countless of them.
find out your needs, and choose tools.
–Hey! Good work!
-So damn nice!
The breakthrough came when my computer cracked
the password to his key chain.
It was a combination of his
old password "hatasj" -
And the birth year of one of his children.
Then the treasure chest opened: key chain.
Now we all have passwords in the key chain.
We have Chrome login passwords.
We have to decrypt it now,
because it contains more passwords.
David managed to decrypt it and
the secrets just poured out.
We all have passwords for Chrome
Extensions now. Everything!
–The works!
–162 different ones. Good.
-We can login to Instagram, right?
-What nasty tricks should we do?
-I think a picture is fun.
- I can check Facebook.
He has to put up with a bit of mischief.
We take a picture where we stand
with a sign: "Double passwords."
Are you ready? Smile.
Ten hours has passed since the hackers
infected Kristoffer's computer.
Now Jesper can be himself.
It's time to reveal himself.
-Hello! My name is Jesper.
-Welcome.
I work as an IT security specialist
- you probably already understood that.
-I have.
- You look a bit confused.
No, but ... I think we
have had contact during the day.
- I got some emails because of you.
-That's probably true.
-At least the last few hours.
-Right.
- Have you noticed anything else?
-I think Instagram, Facebook and ...
- Can we check Instagram now, or?
-Yes absolutely.
Damn, you didn't post on Instagram?
-No no no....
Check the latest post.
Are you nervous, or?
-Yes of course.
No worries, it's safe for work.
Do you recognize anyone?
/ JESPER LAUGHS /
Thank you very much.
It says "double passwords".
Proof that I was owned,
It hurt little.
I'm not an IT manager
at some damn security company.
-I'm a clown.
-But a pretty good clown.
But I didn't do this alone,
I had help. Here they are.
Can you see us? You're frozen.
-Yes now. Hey!
-Hello!
David and I were in the hotel room
and joined via Teams.
We could control his computer from there.
- Do you have your computer in front of you?
-I do.
Is there something on your screen now?
I opened this document
that I had-
- with over 100 usernames
and password, on the screen.
–Shit!
- You need triple passwords.
Thanks. I knew this would come back
and bite me in the ass.
It was fun hacking Kristoffer, since
Svenska Nyheter is quite provocative.
He took it well.
But ... oh yeah. It's pretty frustrating,
because it's not just my passwords.
It's SVT's password -
-Which I have been given as
trade secrets. Damn, this sucks!
But you know? I'm also super happy.
Because if I had this list,
I would have save so much time!
I've agreed to this,
so not much to whine about.
It's an eye opener
how all your stuff is connected.
"I have that password there too,
so if someone finds it "...
I get that someone malicious can
mess things up for me.
A bit like standing at the board
in The Luxury Trap:
"I knew I had bad economy
but not that it was this bad. "
Good summary.
The hackers' phishing
against Therese failed.
Therese clicked on a link, but
never entered her details.
Kristoffer's computer was infected.
The hackers could, after eight hours
unlock the computer key chain.
They stole just over 100 credentials,
like Kristoffer's Instagram account.
Kristoffer: I was happy to
join this program.
The reason is simple: It would be fun
to find out what I am worst at–
-So that I can be the best at it
instead. Now I can start doing it right.
I searched for passwords. Then I've
been reading. You have to kill me now?
-No, but ... Is the camera turned off?
- We need to fix this.
What you have found, we have to
fix - and it's pretty urgent.
Subtitles: Barbro Garneij
Swedish Media Text for SVT