SlideShare a Scribd company logo
1 of 56
Man vs Internet
Current challenges and future tendencies of establishing trust between humans and
machines
Luis Grangeia
BSidesLisbon 2013
Image stolen from manvinternet.com
About me
Luis Grangeia <luis.grangeia at gmail.com>
• IT Security Auditor (pen-tester) since 2001
• First at SideStep, now at SysValue
• Computer nerd since 1987
• Breaking stuff (and failing to fix it back)
since 1979
Agenda
• What‟s this about
• The curious case of Mat Honan
• Trust and Authentication
• Future Tendencies
• Strategies for pitfall avoidance
About this talk
• This is not about:
• Open Source Intelligence
• The NSA
• SQL Injection or Buffer Overflows
• This is about:
• [Establishing | Maintaining | Exploiting] trust relations between
users, devices and services
• Explore current problems and future tendencies in authentication
• “Meta” stuff to start a dialogue
The “Mat Honan Hack”
From zero to total online identity compromise
Meet Mat Honan
• Tech savvy blogger/writer for Gizmodo, Wired
• Strong online presence:
• Twitter
• About.me
• Apple Account
• Google Account
• Etc.
• Has a cool twitter handle: twitter.com/mat
• Is about to get hacked
Mat Honan
Timeline: August 3rd 2012
• 16h33: Someone calls AppleCare pretending to be Mat
Honan, provides for some security information and asks for
a temporary password.
• 16h50: A password reset confirmation arrives at Mat‟s
me.com mailbox, completing the hijacking of the Mat‟s
iCloud service.
• 16h52: A Gmail password recovery email arrives at Mat‟s
me.com address. Two minutes later another email arrives
informing of a password change on the Gmail account.
• 17h00: Mat‟s iPhone is remotely wiped via iCloud.
Mat Honan
Timeline: August 3rd 2012 (cont.)
• 17h01: Mat‟s iPad is remotely wiped via iCloud.
• 17h02: Mat‟s Twitter account is reset. The password his
sent to his compromised Gmail Account.
• 17h05: Mat‟s Macbook is remotely wiped via iCloud
(containing the only copies of the birth of his baby
daughter).
• 17h05: Mat‟s entire Google account, containing 8 years
worth of personal e-mail messages, is deleted.
• 17h12: Attackers post a message to his Twitter account,
taking credit for the hack.
Mat Honan
Hacking Mat Honan
twitter.com/mat
Hacking Mat Honan
Hacking Mat Honan
Hacking Mat Honan
twitter.com/mat mhonan@gmail.com
Hacking Mat Honan
Hacking Mat Honan
twitter.com/mat mhonan@gmail.com mhonan@me.com
Hacking Mat Honan
Time to call Amazon
• Time to call Amazon‟s phone support
• Call #1:
• “Hi, my name is Mat Honan, please add a new Credit Card 123
number to my account. My billing address is xyz. Thanks!”
• Call #2:
• “Hi, I‟m Mat Honan. Please add e-mail address evil@me.com
to my account. Here is credit card information 123 to verify
my identity.”
• Step #3:
• Ask for password reset e-mail to evil@me.com address
Hacking Mat Honan
Account owned!
Last 4 digits of Mat‟s
real credit card
Account owned!
twitter.com/mat
Account owned!
mhonan@gmail.com
Account owned!
mhonan@me.com
What went Wrong?
• Poor password choices?
• Poor phone identity verification procedures?
• Bad trust relationship choices by Mat?
• Lack of 2-factor authentication? Where?
• What could we do better?
Authentication and Trust
Back to basics
Authentication vs Trust
• Authentication: To provide proof of identity by means
of one (or more) of these:
• Something you know
• Something you have
• Something you are
• Trust: belief in the reliability, truth, ability, or strength of
someone or something.
• Authentication is impossible to do without Trust!
Something you know
• Passwords
• Answers to „secret‟ security questions
• Date of Birth, registered VISA, home/billing
address, email, etc.
Something you know: Passwords
• Password Problems
• Simple passwords
• Same password used across services
• Services get hacked all the time
• Over 280 million password hashes leaked (2010-2012)
• Once the hash is out there, its probably getting cracked
• Eg. Google „qeadzcwrsfxv1331‟
Something you know: Passwords
• In the Mat Honan Hack:
• Mat used 1Password
• Long and robust password to decrypt keyfile
• Master password not used anywhere else
• Keyfile was stored in Dropbox and synced across all his
devices
• Caveat: never send master password through the network
or type it on a device you don‟t absolutely trust.
Something you know: Other
• Answers to ‘secret’ security questions
• Date of Birth, registered VISA, home/billing address,
email, etc.
• Information leaks by services
• Answers can be found on Google
• If it is a secret answer, why am I giving it away?
Something you know: Other
Security Questions
Something you know: Other
• In the Mat Honan hack:
• Google:
• leaked part of the recovery e-mail: m****n@me.com
• Amazon:
• Name + Billing Address == full account compromise
• Leaked last 4 digits of VISA after
• Apple:
• Public information + 4 Digits of VISA == full account compromise
Something you have
• Smartcards
• One Time Password tokens / Authenticators
Something you have
• Access to a previously authenticated/trusted device
• Access to a mobile phone number (SMS/voice code)
• Access to a mobile app (authenticator)
Something you have
• Access to third party accounts (email)
• Frequently used for password resets
Something you have
• In the Mat Honan hack:
• No second factor authentication used
• Chained trust relationships:
mhonan@me.com
GoogleTwitter
@mat
Apple
mhonan@gmail.com
Something you are
• Biometrics
• Still a gimmick but is now seeing a boost in usage:
• Android Face Unlock
• iPhone 5S Touch ID
• Voice recognition (in Google Now, probably Siri later)
• Xbox One (the creepiest of them all)
Something you are
Something you are
• Problems:
• Biometrics is only good for local device authentication
• Not fit for network authentication
• Unless you want to see your biometric info travelling through the
Internet…
• Must trust device completely
• Specially if its connected to a network!
• What happens if the device steals our biometric info or uploads it to the
cloud?
• If you lose the device, you lose your bio data to the attacker.
Something you are
• In the Mat Honan hack:
• Biometrics was not used at all
• Would not have prevented anything, as biometrics is only
useful for local (physically proximate) device
authentication.
Authentication: Is this it?
• Something you know
• Something you have
• Something you are
• ???
Is this all there is?
How do we humans authenticate ourselves?
Context Information
• Context!
• Complements Authentication
• Helps quantify trust
• Where you are (location)
• What are you doing (behavior)
• Who are you talking to (social relations)
Context: location
Context: behavior
“Actimize has core offerings across all
financial crime prevention and compliance
areas built on a unified reporting and case
management platform. Actimize is known
for its use of analytics and modeling
techniques that uncover anomalous
financial transactions, like
fraud, money laundering and market
manipulation.”
Context: social relations
Users, Devices, Services
Trust relationships everywhere
User
Smartphone
Tablet
Computer
Facebook
Amazon
Online Bank
Google
Users, Devices, Services
Trust relationships everywhere
User
Smartphone
Tablet
Computer
Facebook
Amazon
Online Bank
Google
Future Tendencies
How will authentication & trust mechanisms evolve
Future Tendencies:
Device Authentication
• Inexpensive wearable devices creating a “personal
network” that reinforces trust (and increases the number
of authentication factors):
• Bionym‟s Nymi
• (adds biometrics)
• NFC rings/wristband
• Smartwatches
Future Tendencies:
Service Authentication
• Increased usage of contextual factors for authentication:
• Toopher
• Next generation Google Authenticator
Future Tendencies:
Service Authentication
User
Smartphone
Tablet
Computer
Facebook
Amazon
Online Bank
Google
• More trust relationships == more trust
• That‟s why multiple device (multiple
factor) authentication is important
• The more the service knows about you,
the more he can use to verify your
identity:
• Facebook
• Google
• Apple
Strategies
Takeaways for better identity management
(safety not guaranteed)
Something you know: Passwords
• Password Strategies
• Use different passwords for every service
• Long and randomly generated
• Stored in a password vault:
• Keepass
• 1Password
• Password Safe
• Cloud synced encrypted password storage is a good
compromise
• Several key files on your cloud storage
• Plausible deniability
• Segregation of virtual “personas”
• Avoid trusting your passwords to one single online service
• Lastpass
Something you know: Other
• Security Questions & Personal Information
• Strategies:
• Never provide meaningful answers to security questions
• Give out a different random answer and treat it like a password
• Beware of services with lax/faulty procedures for account
recovery
• Apple, Amazon (presumably better by now)
Something you have
• Strategies:
• Put all the eggs on one basket and protect the basket!
• Make all accounts password reset go to a secure 2-factor account
(eg. Google)
Audit your accounts / services
• Regularly audit the relations between your services
• Password reset tokens (avoid the Mat Honan mistake)
• Look at what information leaks on password reset procedures for
some services
FacebookAmazon Google
(with 2-factor authentication)
Dropbox Twitter
Something you are
• Strategies:
• Use biometrics sparingly and only on devices you really
trust
• Beware of companies uploading your bio data to the cloud
(Microsoft)
• Have a plan ready if the device gets lost / stolen
• More on this later
• Hope that remote wipe works well 
Increasing Trust in Devices
• Have a plan if your phone/laptop gets stolen:
• Did you have encryption in place?
• Did you have pin/pattern/password lock?
• What information was in it?
• What information/accounts might be compromised?
• Can you remotely wipe the device? How fast can you do it?
• Can you de-authorize the device on the registered services?
Increasing Trust in Devices
• All your access to Internet services via devices!
• Make it so losing only one device does not grant the new
owner long term access to important services
Location History / Other
Context Information Smartphone
+ + = OK
Closing Thoughts
• No one is more interested than securing your online identities
than you. No one will do it for you!
• Having access to several services and devices should be a
strength, not a weakness.
• Plan for the loss/theft of a device or the compromise of a
service. It will happen.
• Look for vulnerabilities in Password Reset/Change Security
Information Procedures on Microsoft/Google/Facebook.
• You‟ll be amazed 
Thank you!
luis.grangeia@gmail.com

More Related Content

What's hot

Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Jason Hong
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotjstnkndy
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Clare Nelson, CISSP, CIPP-E
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a featureElizabeth Smith
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryChristopher Grayson
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to usPeter Wood
 
Security Compensation - How to Invest in Start-Up Security
Security Compensation - How to Invest in Start-Up SecuritySecurity Compensation - How to Invest in Start-Up Security
Security Compensation - How to Invest in Start-Up SecurityChristopher Grayson
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?T.Rob Wyatt
 
Enter The back|track Linux Dragon
Enter The back|track Linux DragonEnter The back|track Linux Dragon
Enter The back|track Linux DragonAndrew Kozma
 
Zero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityZero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityClare Nelson, CISSP, CIPP-E
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
 
Technology in a global society presentation
Technology in a global society presentationTechnology in a global society presentation
Technology in a global society presentationdelmount
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 ||  “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 ||  “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat Security Conference
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListSecurity Weekly
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawConnectSafely
 

What's hot (19)

Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
 
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
Security is not a feature
Security is not a featureSecurity is not a feature
Security is not a feature
 
Introduction to LavaPasswordFactory
Introduction to LavaPasswordFactoryIntroduction to LavaPasswordFactory
Introduction to LavaPasswordFactory
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to us
 
Security Compensation - How to Invest in Start-Up Security
Security Compensation - How to Invest in Start-Up SecuritySecurity Compensation - How to Invest in Start-Up Security
Security Compensation - How to Invest in Start-Up Security
 
Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?
 
Enter The back|track Linux Dragon
Enter The back|track Linux DragonEnter The back|track Linux Dragon
Enter The back|track Linux Dragon
 
Why Web Security Matters!
Why Web Security Matters!Why Web Security Matters!
Why Web Security Matters!
 
Zero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityZero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital Identity
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_final
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the Cloud
 
Technology in a global society presentation
Technology in a global society presentationTechnology in a global society presentation
Technology in a global society presentation
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 ||  “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 ||  “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
 
The Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted ListThe Internet of Insecure Things: 10 Most Wanted List
The Internet of Insecure Things: 10 Most Wanted List
 
How to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security FlawHow to Protect Yourself From Heartbleed Security Flaw
How to Protect Yourself From Heartbleed Security Flaw
 

Viewers also liked

RSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecRSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecLuis Grangeia
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Confraria Security And IT - End Point Security
Confraria Security And IT - End Point SecurityConfraria Security And IT - End Point Security
Confraria Security And IT - End Point SecurityLuis Grangeia
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && WirelessLuis Grangeia
 

Viewers also liked (7)

RSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do InfosecRSA, A Vaca Sagrada do Infosec
RSA, A Vaca Sagrada do Infosec
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Confraria Security And IT - End Point Security
Confraria Security And IT - End Point SecurityConfraria Security And IT - End Point Security
Confraria Security And IT - End Point Security
 
Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2Reverse Engineering the TomTom Runner pt. 2
Reverse Engineering the TomTom Runner pt. 2
 
Heartbleed && Wireless
Heartbleed && WirelessHeartbleed && Wireless
Heartbleed && Wireless
 

Similar to Man vs Internet - Current challenges and future tendencies of establishing trust between humans and machines

Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupBrian Pichman
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleBrian Pichman
 
Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...Justin Denton
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcareNicholas Davis
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security PracticeBrian Pichman
 
Enjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsEnjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsStephen Cobb
 
Mobile Security for the Modern Tech Mogul
Mobile Security for the Modern Tech MogulMobile Security for the Modern Tech Mogul
Mobile Security for the Modern Tech MogulAndrew Schwabe
 
Securing & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptxSecuring & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptxBrian Pichman
 
How To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber MondayHow To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber MondayMichele Chubirka
 
Cyber security government ppt By Vishwadeep Badgujar
Cyber security government  ppt By Vishwadeep BadgujarCyber security government  ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep BadgujarVishwadeep Badgujar
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
 
2016 Secure World Expo - Security Awareness
2016 Secure World Expo - Security Awareness2016 Secure World Expo - Security Awareness
2016 Secure World Expo - Security AwarenessPedro Serrano
 
E business internet fraud
E business internet fraudE business internet fraud
E business internet fraudRadiant Minds
 
TheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxTheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxKevinRiley83
 

Similar to Man vs Internet - Current challenges and future tendencies of establishing trust between humans and machines (20)

Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library Setup
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
 
Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...Creating a digital toolkit for users: How to teach our users how to limit the...
Creating a digital toolkit for users: How to teach our users how to limit the...
 
Social Media Risks
Social Media RisksSocial Media Risks
Social Media Risks
 
It security in healthcare
It security in healthcareIt security in healthcare
It security in healthcare
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
 
Enjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber CriminalsEnjoy Safer Technology and Defeat Cyber Criminals
Enjoy Safer Technology and Defeat Cyber Criminals
 
Mobile Security for the Modern Tech Mogul
Mobile Security for the Modern Tech MogulMobile Security for the Modern Tech Mogul
Mobile Security for the Modern Tech Mogul
 
Securing & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptxSecuring & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptx
 
How To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber MondayHow To Keep the Grinch From Ruining Your Cyber Monday
How To Keep the Grinch From Ruining Your Cyber Monday
 
Cyber security government ppt By Vishwadeep Badgujar
Cyber security government  ppt By Vishwadeep BadgujarCyber security government  ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep Badgujar
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
2016 Secure World Expo - Security Awareness
2016 Secure World Expo - Security Awareness2016 Secure World Expo - Security Awareness
2016 Secure World Expo - Security Awareness
 
E business internet fraud
E business internet fraudE business internet fraud
E business internet fraud
 
TheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxTheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptx
 
Computer / Internet Security WHPL
Computer / Internet Security WHPLComputer / Internet Security WHPL
Computer / Internet Security WHPL
 
Do it Best Corp. Techapalooza 2014 Presentation
Do it Best Corp. Techapalooza 2014 PresentationDo it Best Corp. Techapalooza 2014 Presentation
Do it Best Corp. Techapalooza 2014 Presentation
 
Passwords
PasswordsPasswords
Passwords
 

Recently uploaded

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsUXDXConf
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in  GERMANY for 2024: IPTVreelTHE BEST IPTV in  GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreelreely ones
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 

Recently uploaded (20)

Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in  GERMANY for 2024: IPTVreelTHE BEST IPTV in  GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 

Man vs Internet - Current challenges and future tendencies of establishing trust between humans and machines

  • 1. Man vs Internet Current challenges and future tendencies of establishing trust between humans and machines Luis Grangeia BSidesLisbon 2013 Image stolen from manvinternet.com
  • 2. About me Luis Grangeia <luis.grangeia at gmail.com> • IT Security Auditor (pen-tester) since 2001 • First at SideStep, now at SysValue • Computer nerd since 1987 • Breaking stuff (and failing to fix it back) since 1979
  • 3. Agenda • What‟s this about • The curious case of Mat Honan • Trust and Authentication • Future Tendencies • Strategies for pitfall avoidance
  • 4. About this talk • This is not about: • Open Source Intelligence • The NSA • SQL Injection or Buffer Overflows • This is about: • [Establishing | Maintaining | Exploiting] trust relations between users, devices and services • Explore current problems and future tendencies in authentication • “Meta” stuff to start a dialogue
  • 5. The “Mat Honan Hack” From zero to total online identity compromise
  • 6. Meet Mat Honan • Tech savvy blogger/writer for Gizmodo, Wired • Strong online presence: • Twitter • About.me • Apple Account • Google Account • Etc. • Has a cool twitter handle: twitter.com/mat • Is about to get hacked
  • 7. Mat Honan Timeline: August 3rd 2012 • 16h33: Someone calls AppleCare pretending to be Mat Honan, provides for some security information and asks for a temporary password. • 16h50: A password reset confirmation arrives at Mat‟s me.com mailbox, completing the hijacking of the Mat‟s iCloud service. • 16h52: A Gmail password recovery email arrives at Mat‟s me.com address. Two minutes later another email arrives informing of a password change on the Gmail account. • 17h00: Mat‟s iPhone is remotely wiped via iCloud.
  • 8. Mat Honan Timeline: August 3rd 2012 (cont.) • 17h01: Mat‟s iPad is remotely wiped via iCloud. • 17h02: Mat‟s Twitter account is reset. The password his sent to his compromised Gmail Account. • 17h05: Mat‟s Macbook is remotely wiped via iCloud (containing the only copies of the birth of his baby daughter). • 17h05: Mat‟s entire Google account, containing 8 years worth of personal e-mail messages, is deleted. • 17h12: Attackers post a message to his Twitter account, taking credit for the hack.
  • 15. Hacking Mat Honan twitter.com/mat mhonan@gmail.com mhonan@me.com
  • 16. Hacking Mat Honan Time to call Amazon • Time to call Amazon‟s phone support • Call #1: • “Hi, my name is Mat Honan, please add a new Credit Card 123 number to my account. My billing address is xyz. Thanks!” • Call #2: • “Hi, I‟m Mat Honan. Please add e-mail address evil@me.com to my account. Here is credit card information 123 to verify my identity.” • Step #3: • Ask for password reset e-mail to evil@me.com address
  • 17. Hacking Mat Honan Account owned! Last 4 digits of Mat‟s real credit card Account owned! twitter.com/mat Account owned! mhonan@gmail.com Account owned! mhonan@me.com
  • 18. What went Wrong? • Poor password choices? • Poor phone identity verification procedures? • Bad trust relationship choices by Mat? • Lack of 2-factor authentication? Where? • What could we do better?
  • 20. Authentication vs Trust • Authentication: To provide proof of identity by means of one (or more) of these: • Something you know • Something you have • Something you are • Trust: belief in the reliability, truth, ability, or strength of someone or something. • Authentication is impossible to do without Trust!
  • 21. Something you know • Passwords • Answers to „secret‟ security questions • Date of Birth, registered VISA, home/billing address, email, etc.
  • 22. Something you know: Passwords • Password Problems • Simple passwords • Same password used across services • Services get hacked all the time • Over 280 million password hashes leaked (2010-2012) • Once the hash is out there, its probably getting cracked • Eg. Google „qeadzcwrsfxv1331‟
  • 23. Something you know: Passwords • In the Mat Honan Hack: • Mat used 1Password • Long and robust password to decrypt keyfile • Master password not used anywhere else • Keyfile was stored in Dropbox and synced across all his devices • Caveat: never send master password through the network or type it on a device you don‟t absolutely trust.
  • 24. Something you know: Other • Answers to ‘secret’ security questions • Date of Birth, registered VISA, home/billing address, email, etc. • Information leaks by services • Answers can be found on Google • If it is a secret answer, why am I giving it away?
  • 25. Something you know: Other Security Questions
  • 26.
  • 27. Something you know: Other • In the Mat Honan hack: • Google: • leaked part of the recovery e-mail: m****n@me.com • Amazon: • Name + Billing Address == full account compromise • Leaked last 4 digits of VISA after • Apple: • Public information + 4 Digits of VISA == full account compromise
  • 28. Something you have • Smartcards • One Time Password tokens / Authenticators
  • 29. Something you have • Access to a previously authenticated/trusted device • Access to a mobile phone number (SMS/voice code) • Access to a mobile app (authenticator)
  • 30. Something you have • Access to third party accounts (email) • Frequently used for password resets
  • 31. Something you have • In the Mat Honan hack: • No second factor authentication used • Chained trust relationships: mhonan@me.com GoogleTwitter @mat Apple mhonan@gmail.com
  • 32. Something you are • Biometrics • Still a gimmick but is now seeing a boost in usage: • Android Face Unlock • iPhone 5S Touch ID • Voice recognition (in Google Now, probably Siri later) • Xbox One (the creepiest of them all)
  • 34. Something you are • Problems: • Biometrics is only good for local device authentication • Not fit for network authentication • Unless you want to see your biometric info travelling through the Internet… • Must trust device completely • Specially if its connected to a network! • What happens if the device steals our biometric info or uploads it to the cloud? • If you lose the device, you lose your bio data to the attacker.
  • 35. Something you are • In the Mat Honan hack: • Biometrics was not used at all • Would not have prevented anything, as biometrics is only useful for local (physically proximate) device authentication.
  • 36. Authentication: Is this it? • Something you know • Something you have • Something you are • ??? Is this all there is? How do we humans authenticate ourselves?
  • 37. Context Information • Context! • Complements Authentication • Helps quantify trust • Where you are (location) • What are you doing (behavior) • Who are you talking to (social relations)
  • 39. Context: behavior “Actimize has core offerings across all financial crime prevention and compliance areas built on a unified reporting and case management platform. Actimize is known for its use of analytics and modeling techniques that uncover anomalous financial transactions, like fraud, money laundering and market manipulation.”
  • 41. Users, Devices, Services Trust relationships everywhere User Smartphone Tablet Computer Facebook Amazon Online Bank Google
  • 42. Users, Devices, Services Trust relationships everywhere User Smartphone Tablet Computer Facebook Amazon Online Bank Google
  • 43. Future Tendencies How will authentication & trust mechanisms evolve
  • 44. Future Tendencies: Device Authentication • Inexpensive wearable devices creating a “personal network” that reinforces trust (and increases the number of authentication factors): • Bionym‟s Nymi • (adds biometrics) • NFC rings/wristband • Smartwatches
  • 45. Future Tendencies: Service Authentication • Increased usage of contextual factors for authentication: • Toopher • Next generation Google Authenticator
  • 46. Future Tendencies: Service Authentication User Smartphone Tablet Computer Facebook Amazon Online Bank Google • More trust relationships == more trust • That‟s why multiple device (multiple factor) authentication is important • The more the service knows about you, the more he can use to verify your identity: • Facebook • Google • Apple
  • 47. Strategies Takeaways for better identity management (safety not guaranteed)
  • 48. Something you know: Passwords • Password Strategies • Use different passwords for every service • Long and randomly generated • Stored in a password vault: • Keepass • 1Password • Password Safe • Cloud synced encrypted password storage is a good compromise • Several key files on your cloud storage • Plausible deniability • Segregation of virtual “personas” • Avoid trusting your passwords to one single online service • Lastpass
  • 49. Something you know: Other • Security Questions & Personal Information • Strategies: • Never provide meaningful answers to security questions • Give out a different random answer and treat it like a password • Beware of services with lax/faulty procedures for account recovery • Apple, Amazon (presumably better by now)
  • 50. Something you have • Strategies: • Put all the eggs on one basket and protect the basket! • Make all accounts password reset go to a secure 2-factor account (eg. Google)
  • 51. Audit your accounts / services • Regularly audit the relations between your services • Password reset tokens (avoid the Mat Honan mistake) • Look at what information leaks on password reset procedures for some services FacebookAmazon Google (with 2-factor authentication) Dropbox Twitter
  • 52. Something you are • Strategies: • Use biometrics sparingly and only on devices you really trust • Beware of companies uploading your bio data to the cloud (Microsoft) • Have a plan ready if the device gets lost / stolen • More on this later • Hope that remote wipe works well 
  • 53. Increasing Trust in Devices • Have a plan if your phone/laptop gets stolen: • Did you have encryption in place? • Did you have pin/pattern/password lock? • What information was in it? • What information/accounts might be compromised? • Can you remotely wipe the device? How fast can you do it? • Can you de-authorize the device on the registered services?
  • 54. Increasing Trust in Devices • All your access to Internet services via devices! • Make it so losing only one device does not grant the new owner long term access to important services Location History / Other Context Information Smartphone + + = OK
  • 55. Closing Thoughts • No one is more interested than securing your online identities than you. No one will do it for you! • Having access to several services and devices should be a strength, not a weakness. • Plan for the loss/theft of a device or the compromise of a service. It will happen. • Look for vulnerabilities in Password Reset/Change Security Information Procedures on Microsoft/Google/Facebook. • You‟ll be amazed 

Editor's Notes

  1. - This is not a technical talk- This is not about open source intelligence- This is not about the NSA reading your email - This talk is about exploiting the bond between the human element and the technology element - This is about maintaining trust between individuals/services/devices - This is about authenticating (establishing trust) individuals and services - This is about exploiting trust relationships between services/devices/individuals -
  2.  Mat Honan is an online Journalist, your usual late twenties, early thirties journalist/blogger. He writes for gizmodo and Wired magazine, where he regularly reviews all sorts of new gadgets and other Internet trends. He is up to speed with current Internet trends and memes, in other words, he is not a grandma or grandpa. He is tech savvy.Mat Honan uses the latest and greatest gadgets and online services. He has Gmail account, uses Twitter several times during the day. He has Macbook, an ipad and an iphone. All linked to the cloud via Apple’s icloud service. He frequently buys books and other items via his Amazon account.Mat is fairly informed about password security. He uses 1Password heavily. Most of his passwords are long, alphanumeric strings of gibberish with random symbols which he stores on his cloud synched encrypted keychain.Everything was fine and good until one friday, on the 3rd of August 2012, in the space of an hour, while he was happily playing with his baby daughter, his entire digital life was destroyed. His twitter account was hijacked and used to post racist and homophobic messages. His AppleID account was broken into and used to remotely erase all of the data on his iPhone, iPad and Macbook. His Gmail hijacked as well.And all of that because the attacker wanted to take over his Twitter account “because it had a cool three-letter handle”.
  3. What followed was a painful process of several days of him trying to figure out exactly what happened, recovering access to his accounts and his files. It was not easy. It wasn’t cheap either. A lot of stuff was permanently wiped from his macbook. He got most of his photos and documents back by calling a data recovery company. It cost him around 1700 USD, just for this service.Eventually he got his digital life back, but it was a traumatic experience.
  4. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  5. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  6. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  7. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  8. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  9. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  10. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  11. We actually have a very good picture of the details of the hack because one hacker involved in the hack came forward and detailed exactly how they did it.Here’s how they did it:They started by first looking at what they wanted: twitter.com/matLooking at his Twitter profile they found his Gmail address and (correctly) assumed it to be the password reset address for Twitter.By attempting a password reset for the Google account, they learned that the password reset address for Gmail was a “.me” address: m****n@me.com which they (correctly) assumed to be mhonan@me.comThey then attempted to recover information that would allow them to recover an Apple ID account. For this they hijacked his amazon account like so:Added a fake credit card number to his amazon account simply by calling up and giving the correct name and billing addressOn a separate call they added a new e-mail address to the account by providing the fake credit card number they just addedThen they did a password reset on the account, sending the reset link to the newly added email address.This allowed them to hijack the Amazon account. This allowed them access to the last 4 digits of Mat Honan’s VISAWith the 4 digits of his VISA and the rest of the information the hackers called up AppleCare and successfully reset the password.With full access to Mat’s AppleID account they gained access to his Gmail account by sending a password reset request.Using the recently hijacked Google account they gained access to his Twitter account by sending a password reset request.After getting their prize (the Twitter account) the hackers proceeded to delete Mat’s iDevices and his Google Account. Note that they could have gained access to more of Mat’s services, such as linkedin, Facebook, Dropbox and other services that were linked either to his Apple or Google accounts.
  12. So what went wrong here?Poor password choices?Poor password reset mechanisms?Poor trust relationship choices?All of the above?  Let’s try to expose the weaknesses of this particular case and also other issues that could have been exploited.
  13. First lets review the basic notions. What is authentication? In information security, a unanimous definition of authentication can be the act of providing proof of identity by means of a proof. That proof can be:Something you knowSomething you haveSomething you areThis is the basic stuff. Let’s go over these three factors and try to relate them with the Mat Honan hack.
  14. Sources: Over 280 million password hashes leaked between 2010-2012http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/Something you knowThe first factor is “Something you know”. This is basically a piece of information that is shared between the user and the service, and supposedly only the authorized user may know.The obvious first example of “something you know” is passwords. I know most of us are aware that passwords have several problems and need to be used properly, and it’s important that we search for an alternative or complement to passwords. However, for 90% of the services you use, passwords remain the only alternative for authentication. The most common mistakes are choosing a simple password, based on a dictionary word, that could be vulnerable to an online dictionary or brute force attack. Also one of the most common (and most dangerous) mistake is to use the same password for all your services.Web sites and services get hacked all the time. Even high profile sites such as Linkedin and Yahoo got hacked. Passwords get leaked, usually in hashed form. I wont go over this topic as this has already been covered a lot, but I’ll just give you this little fact: over 280 MILLION password hashes got hacked between 2010 and 2012. That’s a lot. What’s interesting to learn is that for a random sample of 10.000 password hashes, experienced crackers can usually crack around 80% to 90% of these in the space of one hour.So we need a strategy to deal with passwords.
  15. Is that all there is? Is this all that we, humans, use to trust each other?What if:…I left this room and 5 seconds later appeared on a live TV broadcast next to Obama in Washington?…I left this room and 500 years later appeared exiting an Alien UFO, looking exactly the same?…I didn’t leave this room and another person looking and talking like myself appeared here next to me?…And every time, I knew the same, had access to the same and appeared (inside and out) exactly like me in all three cases?We humans don’t think much about it (because these things don’t happen a lot), but we use more to authenticate ourselves: Context!Where you are (location);What are you doing (behaviour);Who are you talking to (relation/social);
  16. We humans don’t think much about it (because these things don’t happen a lot), but we use more to authenticate ourselves: Context!Where you are (location);What are you doing (behaviour);Who are you talking to (relation/social);
  17. [Password Strategies]Personal note about Lastpass: the reason I don’t like it is because your basically putting all your trust on one entity. If Lastpass gets compromised all your passwords are automatically gone. The main advantage of Keepass and dropbox (or another cloudbased file storage) is that you are basically segregating the trust between to entities. Dropbox stores your encrypted password file but never actually receives the password to decrypt it. Keepass receives the decryption password but, unless the program is modified to send your decrypted passwords through the network (possible but unlikely and easy to detect), you are good.