Digital Deadly Force: How A Tech Expert Lost his Digital Life to a Hacker

516 views
456 views

Published on

Imagine a day when you wake up … all of your baby pictures are gone.. your iPad and your computer have been wiped .. you have no way of logging in to any of your accounts … the accounts that are tied to your checking, mortgage, bill pay, iTunes…

Kevin Williams and Matt Hall will tell the story of Matt Honan -- a tech savvy technology reporter who was just digitally carjacked -- for his twitter account… and how the hackers manipulated major corporations into aiding and abetting this digital robbery by a 19 year old hacker named Phobia.

Don't have an account? Not a computer guy? Well, your information is stored in companies all over the world where Hackers like PHOBIA lurk to take your identity, monetize it, and use it to all sorts of nefarious purposes.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
516
On SlideShare
0
From Embeds
0
Number of Embeds
12
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • amazon: Call the customer service to add a credit card to his file.Amazon: hang up and call back. My account is locked out. Here is my credit card last four digits and billing address. Please add a new email address. Send account recovery to new email address.Amazon: log in with recovery info and reset password. Can see all the Credit Card numbers on file last 4 digits.Apple: Use original credit card last 4 digits and billing address after claiming amnesia on the security questions.Apple: He gets the mobile me accountGoogle: He goes to google. He resets the google mhonan@gmail.com and the reset is sent to the comprosomised apple mobile me EMAIL account.Twitter: Password reset to the compromised google account.
  • Digital Deadly Force: How A Tech Expert Lost his Digital Life to a Hacker

    1. 1. Information Systems Division and Technical Services Unit Digital Deadly Force Narrative of a Digital Life DestroyedMatthew Jett Hall Kevin Williams 26 Oct 2012Assistant Director, ISD SAC, TSU
    2. 2. The Victim: Matt Honan  “In the space of one hour, my entire digital life was destroyed.”
    3. 3. Who is Matt Honan  Tech Journalist  Highly cloud dependent  Astute  Tech Savvy  Knows the rules of the road
    4. 4. The Harm  Google account deleted.  Twitter account compromised, and used to broadcast racist and homophobic messages.  AppleID account was seized.
    5. 5. The Harm  Wiped from existence  iPhone  MacBook Pro  iPad  Two years of baby pictures
    6. 6. Timeline: 3 Aug 12 @ 1633  “… according to Apple’s tech support records, someone called AppleCare claiming to be me.”  Apple issued the hacker a temporary password
    7. 7. Timeline: 3 Aug 12 @ 1650  “password reset confirmation arrived in my inbox. … the hackers …. permanently reset my AppleID password.”
    8. 8. Timeline: 3 Aug 12 @ 1652  “Gmail password … password had changed.
    9. 9. Timeline: 3 Aug 12 @ 1700  “… they used iCloud’s “Find My” tool to remotely wipe my iPhone.”
    10. 10. Timeline: 3 Aug 12 @ 1700  “my iPhone suddenly powered down.”  “When I opened my laptop … my Gmail account information was wrong.”
    11. 11. Timeline: 3 Aug 12 @ 1702  “they reset my Twitter password…”
    12. 12. Timeline: 3 Aug 12 @ 1705  “they remotely wiped my MacBook.…”
    13. 13. Timeline: 3 Aug 12 @ 1705  “they remotely wiped my MacBook.…”  “… they deleted my Google account. “
    14. 14. Timeline: 3 Aug 12 @ 1710  “I placed the call to AppleCare.”
    15. 15. Timeline: 3 Aug 12 @ 1712  “attackers posted a message to my account on Twitter taking credit for the hack.”
    16. 16. Why Matt Honan "I asked him why. Was I targeted specifically? Was this just to get to Gizmodos Twitter account [that had been linked to mine]? No, Phobia said, they hadnt even been aware that my account was linked to Gizmodos, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. Thats all they wanted. They just wanted to take it, and [mess it] up, and watch it burn. It wasnt personal.”
    17. 17. Social Engineering  “the art of manipulating people into performing actions or divulging confidential information”
    18. 18. The Sequence of Social 1. Amazon 2. Apple 3. Google 4. Twitter
    19. 19. Sara Palin 2008 • September 16, 2008 • Yahoo! Mail account of Sarah Palin • Cracked by “Rubico” • Social Engineering • From Date of Birth Info on Wikipedia
    20. 20. TBI’s CIA Confidentiality Integrity Availability
    21. 21. Identity  Non-repudiation  Access  Factors of Identification  Something you know  Something you have  Something you are
    22. 22. Password and PIN “Something you know” “a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource”
    23. 23. Password Fatigue • Excessive amount of passwords • Leads to careless password or pin construction
    24. 24. PIN Formulation PIN Freq#1 1234 10.713% • Usually 4 digits#2 1111 6.016% • Don’t use common#3 0000 1.881%#4 1212 1.197% PINs#5 7777 0.745% • Don’t use personal#6 1004 0.616%#7 2000 0.613% information#8 4444 0.526% • SSN#9 2222 0.516% • Birthdate#10 6969 0.512% • Birth year
    25. 25. Password Formulation• A`?KUJj• 47k0O#qt• 4vn1iSA • Passwords must contain• nwDSB/OL characters from three of the• 5*vFXggx• tF0ylI59 these categories:• PvmYk^k• $;T+qha2•• UnJJ:8c8 bU4DuwUM • Password generator in KeePass• bU1H&@56 • Upper Case Character•• BeU;i$X; 4q+!kkgg • Lower Case Character• $qDsrT35 • Base 10 Digit (0 through 9)• %:WbFlzk• HRvqt9j9 • Non-alphanumeric characters:• RcgR^cMt • ~!@#$%^&*_-+=`|(){}[]:;"<>,.?/• dM/`nxR
    26. 26. Password Formulation• A`?KUJj• 47k0O#qt• 4vn1iSA • Since these are tough• nwDSB/OL• 5*vFXggx• tF0ylI59 • Try a PassPhrase:• PvmYk^k• $;T+qha2•• UnJJ:8c8 bU4DuwUM • SteveFound4ApplesAndAFlute@hischair• bU1H&@56 • 6TacosAreDelicious@YourLocalTacoMart• BeU;i$X;• 4q+!kkgg• $qDsrT35• %:WbFlzk• HRvqt9j9• RcgR^cMt• dM/`nxR
    27. 27. Where to Store Passwords • Password Vault • In your mind!
    28. 28. Password CommandmentsThou shalt …1. construct a complex password2. Use a password vault3. Use dual factor authentication4. Protect thy mobile devices
    29. 29. Password Commandments Thou Shalt Not …. 1. Share thy Password 2. Use thy dog’s name 3. Write passwords on sticky notes 4. Use common words 5. Keep passwords in word documents
    30. 30. Before you lose a device ….  Learn if the device has “find me” features  Encrypt critical data at rest  Think carefully about what goes on the device  Don’t let unauthorized personnel utilize your device  Lock your device whenever you step away
    31. 31. If you lose a device …. Report it immediately BAD NEWS DOES NOT AGE WELL! FASTER RESPONSE THE BETTER Consumer in Control  Apple: iCloud.com  Microsoft Exchange  Blackberry: No self service
    32. 32. Example: iCloud
    33. 33. If you lose a device …. Locate it
    34. 34. If you lose a device …. If you can’t retrieve it, wipe it!
    35. 35. Data Classification Concept Impact to the TBI Mission  High  Medium  Low High  Reputation and Credibility  Exposing Personal Information  Exposing Sensitive Operations Information
    36. 36. On cloud computing  It’s here  It’s not going away  Windows 8  SkyDrive  DropBox  Google Drive  Google Applications  iCloud
    37. 37. On cloud computing  Guidance  No PII  Nothing Mission Sensitive  Experiment and learn  Preserve CIA  REALLY read terms of service
    38. 38. References “How Apple and Amazon Security Flaws Led to My Epic Hacking” Wired Magazine August 6, 2012 http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/ Flickr Baby Photo: http://goo.gl/q2hSO Datagenetics.com PIN Anlaysis: http://goo.gl/bCGGW Security Now Episode 364: Twit.tv Security Now Episode 364: Transcript from grc.com Apple iCloud How to: http://www.apple.com/icloud/setup/ios.html Apple iCloud: icloud.com Sara Palin Email Hack: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack Clipart: openclipart.org Social Engineering: http://en.wikipedia.org/wiki/Social_engineering_(security) Password: http://en.wikipedia.org/wiki/Password

    ×