Imagine a day when you wake up … all of your baby pictures are gone.. your iPad and your computer have been wiped .. you have no way of logging in to any of your accounts … the accounts that are tied to your checking, mortgage, bill pay, iTunes… Kevin Williams and Matt Hall will tell the story of Matt Honan -- a tech savvy technology reporter who was just digitally carjacked -- for his twitter account… and how the hackers manipulated major corporations into aiding and abetting this digital robbery by a 19 year old hacker named Phobia. Don't have an account? Not a computer guy? Well, your information is stored in companies all over the world where Hackers like PHOBIA lurk to take your identity, monetize it, and use it to all sorts of nefarious purposes.

1. Information Systems Division and Technical Services Unit
Digital Deadly Force
Narrative of a Digital Life Destroyed
Matthew Jett Hall Kevin Williams 26 Oct 2012
Assistant Director, ISD SAC, TSU

2. The Victim: Matt Honan
 “In the space of one
hour, my entire
digital life was
destroyed.”

3. Who is Matt Honan
 Tech Journalist
 Highly cloud
dependent
 Astute
 Tech Savvy
 Knows the rules of
the road

4. The Harm
 Google account deleted.
 Twitter account
compromised, and used to
broadcast racist and
homophobic messages.
 AppleID account was seized.

5. The Harm
 Wiped from existence
 iPhone
 MacBook Pro
 iPad
 Two years of baby pictures

6. Timeline: 3 Aug 12 @ 1633
 “… according to Apple’s
tech support records,
someone called
AppleCare claiming to be
me.”
 Apple issued the hacker a
temporary password

7. Timeline: 3 Aug 12 @ 1650
 “password reset
confirmation arrived in my
inbox. … the hackers ….
permanently reset my
AppleID password.”

8. Timeline: 3 Aug 12 @ 1652
 “Gmail password …
password had changed.

9. Timeline: 3 Aug 12 @ 1700
 “… they used iCloud’s
“Find My” tool to remotely
wipe my iPhone.”

10. Timeline: 3 Aug 12 @ 1700
 “my iPhone suddenly
powered down.”
 “When I opened my
laptop … my Gmail
account information was
wrong.”

11. Timeline: 3 Aug 12 @ 1702
 “they reset my Twitter
password…”

12. Timeline: 3 Aug 12 @ 1705
 “they remotely wiped my
MacBook.…”

13. Timeline: 3 Aug 12 @ 1705
 “they remotely wiped my
MacBook.…”
 “… they deleted my
Google account. “

14. Timeline: 3 Aug 12 @ 1710
 “I placed the call to
AppleCare.”

15. Timeline: 3 Aug 12 @ 1712
 “attackers posted a
message to my account
on Twitter taking credit for
the hack.”

16. Why Matt Honan
"I asked him why. Was I targeted
specifically? Was this just to get to
Gizmodo's Twitter account [that had been
linked to mine]?
No, Phobia said, they hadn't even been
aware that my account was linked to
Gizmodo's, that the Gizmodo linkage was
just gravy.
He said the hack was simply a grab for
my three-character Twitter handle.
That's all they wanted.
They just wanted to take it, and [mess it]
up, and watch it burn. It wasn't personal.”

17. Social Engineering
 “the art of
manipulating people
into performing
actions or divulging
confidential
information”

18. The Sequence of Social
1. Amazon
2. Apple
3. Google
4. Twitter

19. Sara Palin 2008
• September 16, 2008
• Yahoo! Mail account of
Sarah Palin
• Cracked by “Rubico”
• Social Engineering
• From Date of Birth Info
on Wikipedia

20. TBI’s CIA
 Confidentiality
 Integrity
 Availability

21. Identity
 Non-repudiation
 Access
 Factors of Identification
 Something you know
 Something you have
 Something you are

22. Password and PIN
 “Something you know”
 “a secret word or string of characters that is
used for authentication, to prove identity or
gain access to a resource”

23. Password Fatigue
• Excessive amount of
passwords
• Leads to careless
password or pin
construction

24. PIN Formulation
PIN Freq
#1 1234 10.713% • Usually 4 digits
#2 1111 6.016% • Don’t use common
#3 0000 1.881%
#4 1212 1.197%
PINs
#5 7777 0.745% • Don’t use personal
#6 1004 0.616%
#7 2000 0.613%
information
#8 4444 0.526% • SSN
#9 2222 0.516%
• Birthdate
#10 6969 0.512%
• Birth year

25. Password Formulation
• A`?KUJ'j
• 47k0O#qt
• 4'vn1iSA • Passwords must contain
• nwDSB/OL characters from three of the
• 5*vFXggx
• tF0ylI59 these categories:
• PvmYk^k
• $;T+qha2
•
•
UnJJ:8c8
bU4DuwUM
• Password generator in KeePass
• bU1H&@56 • Upper Case Character
•
•
BeU;i$X;
4q+!kkgg
• Lower Case Character
• $qDsrT35 • Base 10 Digit (0 through 9)
• %:WbFlzk
• HRvqt9j9 • Non-alphanumeric characters:
• RcgR^cMt • ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
• dM/`nxR

26. Password Formulation
• A`?KUJ'j
• 47k0O#qt
• 4'vn1iSA • Since these are tough
• nwDSB/OL
• 5*vFXggx
• tF0ylI59 • Try a PassPhrase:
• PvmYk^k
• $;T+qha2
•
•
UnJJ:8c8
bU4DuwUM
• SteveFound4ApplesAndAFlute@hischair
• bU1H&@56 • 6TacosAreDelicious@YourLocalTacoMart
• BeU;i$X;
• 4q+!kkgg
• $qDsrT35
• %:WbFlzk
• HRvqt9j9
• RcgR^cMt
• dM/`nxR

27. Where to Store Passwords
• Password
Vault
• In your
mind!

28. Password Commandments
Thou shalt …
1. construct a complex
password
2. Use a password vault
3. Use dual factor
authentication
4. Protect thy mobile
devices

29. Password Commandments
Thou Shalt Not ….
1. Share thy Password
2. Use thy dog’s name
3. Write passwords on
sticky notes
4. Use common words
5. Keep passwords in
word documents

30. Before you lose a device ….
 Learn if the device has “find
me” features
 Encrypt critical data at rest
 Think carefully about what
goes on the device
 Don’t let unauthorized
personnel utilize your device
 Lock your device whenever
you step away

31. If you lose a device ….
 Report it immediately
 BAD NEWS DOES NOT AGE WELL!
 FASTER RESPONSE THE BETTER
 Consumer in Control
 Apple: iCloud.com
 Microsoft Exchange
 Blackberry: No self service

32. Example: iCloud

33. If you lose a device ….
 Locate it

34. If you lose a device ….
 If you can’t retrieve it, wipe it!

35. Data Classification Concept
 Impact to the TBI Mission
 High
 Medium
 Low
 High
 Reputation and Credibility
 Exposing Personal Information
 Exposing Sensitive Operations Information

36. On cloud computing
 It’s here
 It’s not going away
 Windows 8
 SkyDrive
 DropBox
 Google Drive
 Google Applications
 iCloud

37. On cloud computing
 Guidance
 No PII
 Nothing Mission Sensitive
 Experiment and learn
 Preserve CIA
 REALLY read terms of
service

38. References
 “How Apple and Amazon Security Flaws Led to My Epic Hacking” Wired Magazine August 6, 2012
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
 Flickr Baby Photo: http://goo.gl/q2hSO
 Datagenetics.com PIN Anlaysis: http://goo.gl/bCGGW
 Security Now Episode 364: Twit.tv
 Security Now Episode 364: Transcript from grc.com
 Apple iCloud How to: http://www.apple.com/icloud/setup/ios.html
 Apple iCloud: icloud.com
 Sara Palin Email Hack: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack
 Clipart: openclipart.org
 Social Engineering: http://en.wikipedia.org/wiki/Social_engineering_(security)
 Password: http://en.wikipedia.org/wiki/Password