Imagine a day when you wake up and all of your baby pictures are gone, your iPad and your computer have been wiped, and you have no way of logging in to any of your accounts, the accounts that are tied to your checking, mortgage, bill pay, iTunes…
Kevin Williams and Matt Hall will tell the story of Matt Honan -- a tech-savvy technology reporter who was digitally carjacked for his Twitter account -- and how the hackers manipulated major corporations into aiding and abetting this digital robbery by a 19-year-old hacker named Phobia.
Don't have an account? Not a computer guy? Well, your information is stored in companies all over the world, where hackers like Phobia lurk to take your identity, monetize it, and use it for all sorts of nefarious purposes.
Digital Deadly Force: How A Tech Expert Lost his Digital Life to a Hacker
1. Information Systems Division and Technical Services Unit
Digital Deadly Force
Narrative of a Digital Life Destroyed
Matthew Jett Hall, Assistant Director, ISD
Kevin Williams, SAC, TSU
26 Oct 2012
2. The Victim: Matt Honan
“In the space of one hour, my entire digital life was destroyed.”
3. Who is Matt Honan
Tech Journalist
Highly cloud dependent
Astute
Tech Savvy
Knows the rules of the road
4. The Harm
Google account deleted.
Twitter account compromised, and used to broadcast racist and homophobic messages.
AppleID account was seized.
5. The Harm
Wiped from existence
iPhone
MacBook Pro
iPad
Two years of baby pictures
6. Timeline: 3 Aug 12 @ 1633
“… according to Apple’s tech support records, someone called AppleCare claiming to be me.”
Apple issued the hacker a temporary password
7. Timeline: 3 Aug 12 @ 1650
“password reset confirmation arrived in my inbox. … the hackers … permanently reset my AppleID password.”
8. Timeline: 3 Aug 12 @ 1652
“Gmail password … password had changed.”
9. Timeline: 3 Aug 12 @ 1700
“… they used iCloud’s “Find My” tool to remotely wipe my iPhone.”
10. Timeline: 3 Aug 12 @ 1700
“my iPhone suddenly powered down.”
“When I opened my laptop … my Gmail account information was wrong.”
11. Timeline: 3 Aug 12 @ 1702
“they reset my Twitter password…”
12. Timeline: 3 Aug 12 @ 1705
“they remotely wiped my MacBook.…”
13. Timeline: 3 Aug 12 @ 1705
“… they deleted my Google account.”
14. Timeline: 3 Aug 12 @ 1710
“I placed the call to AppleCare.”
15. Timeline: 3 Aug 12 @ 1712
“attackers posted a message to my account on Twitter taking credit for the hack.”
16. Why Matt Honan
“I asked him why. Was I targeted specifically? Was this just to get to Gizmodo's Twitter account [that had been linked to mine]?
No, Phobia said, they hadn't even been aware that my account was linked to Gizmodo's, that the Gizmodo linkage was just gravy.
He said the hack was simply a grab for my three-character Twitter handle. That's all they wanted. They just wanted to take it, and [mess it] up, and watch it burn. It wasn't personal.”
17. Social Engineering
“the art of manipulating people into performing actions or divulging confidential information”
18. The Sequence of Social Engineering
1. Amazon
2. Apple
3. Google
4. Twitter
19. Sarah Palin 2008
• September 16, 2008
• Yahoo! Mail account of Sarah Palin
• Cracked by “Rubico”
• Social Engineering
• From Date of Birth Info on Wikipedia
20. TBI’s CIA
Confidentiality
Integrity
Availability
21. Identity
Non-repudiation
Access
Factors of Identification
Something you know
Something you have
Something you are
22. Password and PIN
“Something you know”
“a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource”
23. Password Fatigue
• Excessive amount of passwords
• Leads to careless password or PIN construction
24. PIN Formulation
Rank  PIN   Freq
#1    1234  10.713%
#2    1111   6.016%
#3    0000   1.881%
#4    1212   1.197%
#5    7777   0.745%
#6    1004   0.616%
#7    2000   0.613%
#8    4444   0.526%
#9    2222   0.516%
#10   6969   0.512%
• Usually 4 digits
• Don’t use common PINs
• Don’t use personal information
  • SSN
  • Birthdate
  • Birth year
25. Password Formulation
• Password generator in KeePass
• A`?KUJ'j
• 47k0O#qt
• 4'vn1iSA
• nwDSB/OL
• 5*vFXggx
• tF0ylI59
• PvmYk^k
• $;T+qha2
• UnJJ:8c8
• bU4DuwUM
• bU1H&@56
• BeU;i$X;
• 4q+!kkgg
• $qDsrT35
• %:WbFlzk
• HRvqt9j9
• RcgR^cMt
• dM/`nxR
• Passwords must contain characters from three of these categories:
  • Upper Case Character
  • Lower Case Character
  • Base 10 Digit (0 through 9)
  • Non-alphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
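The PIN rules on the PIN Formulation slide and the three-of-four category rule on the Password Formulation slide, as checks in code. This is an added example, not material from the deck or from KeePass: TOP_PINS is the slide's top-10 list, the symbol set is the slide's, and the birthdate/SSN inputs and every function name are assumptions made here.

```python
# Added example, not from the deck: checks for the PIN rules on slide 24
# (4 digits, not a common PIN, not SSN / birthdate / birth year) and the
# password rule on slide 25 (three of four character categories), plus a
# generator in the spirit of the KeePass one shown. TOP_PINS is the slide's
# top-10 list; birthdate/SSN inputs and all function names are constructed.
import re
import secrets
import string

TOP_PINS = {"1234", "1111", "0000", "1212", "7777",
            "1004", "2000", "4444", "2222", "6969"}
SYMBOLS = "~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/"      # slide's non-alphanumeric set


def _windows(digits, width=4):
    """Every run of `width` consecutive digits in a string."""
    return {digits[i:i + width] for i in range(len(digits) - width + 1)}


def pin_problems(pin, birthdate="", ssn=""):
    """Reasons the PIN breaks the slide's rules ([] means it passes).
    birthdate is YYYYMMDD and ssn is digits only; both are constructed inputs."""
    if not re.fullmatch(r"\d{4}", pin):
        return ["must be exactly 4 digits"]
    problems = []
    if pin in TOP_PINS:
        problems.append("common PIN")
    personal = _windows(birthdate) | _windows(ssn)   # year, MMDD, SSN fragments
    if birthdate:
        personal.add(birthdate[6:8] + birthdate[4:6])   # DDMM as well as MMDD
    if pin in personal:
        problems.append("derived from personal information")
    return problems


def categories(pw):
    """How many of the four slide categories the password uses."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: c in SYMBOLS)
    return sum(any(t(c) for c in pw) for t in tests)


def password_ok(pw, min_len=8):
    return len(pw) >= min_len and categories(pw) >= 3


def generate_password(length=8):
    """Random password drawn with the secrets module that meets the rule."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if categories(pw) >= 3:
            return pw
```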
27. Where to Store Passwords
• Password Vault
• In your mind!
28. Password Commandments
Thou shalt …
1. Construct a complex password
2. Use a password vault
3. Use dual factor authentication
4. Protect thy mobile devices
29. Password Commandments
Thou Shalt Not ….
1. Share thy password
2. Use thy dog’s name
3. Write passwords on sticky notes
4. Use common words
5. Keep passwords in Word documents
30. Before you lose a device ….
Learn if the device has “find me” features
Encrypt critical data at rest
Think carefully about what goes on the device
Don’t let unauthorized personnel utilize your device
Lock your device whenever you step away
31. If you lose a device ….
Report it immediately
BAD NEWS DOES NOT AGE WELL!
THE FASTER THE RESPONSE, THE BETTER
Consumer in Control
Apple: iCloud.com
Microsoft Exchange
Blackberry: No self service
34. If you lose a device ….
If you can’t retrieve it, wipe it!
35. Data Classification Concept
Impact to the TBI Mission: High / Medium / Low
High:
• Reputation and Credibility
• Exposing Personal Information
• Exposing Sensitive Operations Information
36. On cloud computing
It’s here
It’s not going away
Windows 8
SkyDrive
DropBox
Google Drive
Google Applications
iCloud
37. On cloud computing
Guidance
No PII
Nothing Mission Sensitive
Experiment and learn
Preserve CIA
REALLY read terms of service
38. References
“How Apple and Amazon Security Flaws Led to My Epic Hacking”, Wired Magazine, August 6, 2012: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
Flickr Baby Photo: http://goo.gl/q2hSO
Datagenetics.com PIN Analysis: http://goo.gl/bCGGW
Security Now Episode 364: Twit.tv
Security Now Episode 364: Transcript from grc.com
Apple iCloud How to: http://www.apple.com/icloud/setup/ios.html
Apple iCloud: icloud.com
Sarah Palin Email Hack: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack
Clipart: openclipart.org
Social Engineering: http://en.wikipedia.org/wiki/Social_engineering_(security)
Password: http://en.wikipedia.org/wiki/Password
Editor's Notes
Amazon: Call customer service to add a credit card to his file.
Amazon: Hang up and call back. "My account is locked out. Here are my credit card's last four digits and billing address. Please add a new email address." Account recovery is sent to the new email address.
Amazon: Log in with the recovery info and reset the password. Can now see the last four digits of all credit card numbers on file.
Apple: Use the original credit card's last four digits and billing address after claiming amnesia on the security questions.
Apple: He gets the MobileMe account.
Google: He goes to Google and resets the mhonan@gmail.com account; the reset is sent to the compromised Apple MobileMe email account.
Twitter: Password reset to the compromised Google account.
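The chain of account recoveries described in slide 18 and in the Editor's Notes, modelled as a reachability problem so a defender can see which single account, once given a second factor, would have broken the chain. This is an added example and not code from the slides; the account names, the proof sets, the `yields` keys and the `hardened` option are assumptions made here to sketch the dependencies the notes describe.

```python
# Added example, not from the slides: a reachability model of the recovery
# chain in slide 18 and the Editor's Notes. Each account lists the proofs
# its reset flow accepted (any one set suffices) and what holding the account
# then yields. Names, keys and the "hardened" option are constructed here.

ACCOUNTS = {
    # billing address plus a known email let the caller add a card and then
    # take the account; the account then exposes the real card's last four
    "amazon":  {"accepts": [{"email", "billing_address"}],
                "yields": {"card_last4"}},
    # card last four plus billing address stood in for the security questions
    "apple":   {"accepts": [{"email", "billing_address", "card_last4"}],
                "yields": {"me_com_mailbox"}},
    # Gmail reset link went to the me.com mailbox
    "google":  {"accepts": [{"me_com_mailbox"}],
                "yields": {"gmail_mailbox"}},
    # Twitter reset link went to Gmail
    "twitter": {"accepts": [{"gmail_mailbox"}],
                "yields": set()},
}


def reachable(start_facts, accounts=ACCOUNTS, hardened=frozenset()):
    """Accounts that fall from an initial set of facts, iterating to a fixed
    point. An account in `hardened` is treated as no longer resettable from
    these proofs alone (e.g. a second factor was added)."""
    held, taken = set(start_facts), set()
    progress = True
    while progress:
        progress = False
        for name, acct in accounts.items():
            if name in taken or name in hardened:
                continue
            if any(proof <= held for proof in acct["accepts"]):
                taken.add(name)
                held |= acct["yields"]
                progress = True
    return taken


def chokepoints(start_facts, accounts=ACCOUNTS):
    """For each reachable account, the other accounts that hardening it
    would have kept out of reach: where a second factor buys the most."""
    base = reachable(start_facts, accounts)
    return {name: base - reachable(start_facts, accounts, hardened={name}) - {name}
            for name in base}


if __name__ == "__main__":
    public = {"email", "billing_address"}   # constructed starting point
    print("reachable:", sorted(reachable(public)))
    for name, saved in sorted(chokepoints(public).items()):
        print(f"harden {name:8s} -> protects {sorted(saved)}")
```

Run as-is it reports that hardening Amazon alone would have kept Apple, Google and Twitter out of reach, which is the point of slide 28's dual-factor commandment.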