Digital Deadly Force: How a Tech Expert Lost His Digital Life to a Hacker

Information Systems Division and Technical Services Unit
Matthew Jett Hall, Assistant Director, ISD
Kevin Williams, SAC, TSU
Digital Deadly Force: Narrative of a Digital Life Destroyed
26 Oct 2012

Uploaded by: tennessee-bureau-of-investigation, 09-May-2015

Category: Technology

DESCRIPTION

Imagine a day when you wake up … all of your baby pictures are gone, your iPad and your computer have been wiped, and you have no way of logging in to any of your accounts: the accounts that are tied to your checking, mortgage, bill pay, iTunes. Kevin Williams and Matt Hall tell the story of Mat Honan, a tech-savvy technology reporter who was digitally carjacked for his Twitter account, and how the hackers manipulated major corporations into aiding and abetting this digital robbery by a 19-year-old hacker named Phobia. Don't have an account? Not a computer guy? Well, your information is stored in companies all over the world, where hackers like Phobia lurk to take your identity, monetize it, and use it for all sorts of nefarious purposes.

TRANSCRIPT

Page 1: Digital Deadly Force: How A Tech Expert Lost his Digital Life to a Hacker

Information Systems Division and Technical Services Unit

Matthew Jett Hall, Assistant Director, ISD
Kevin Williams, SAC, TSU

Digital Deadly Force
Narrative of a Digital Life Destroyed

26 Oct 2012

Page 2

The Victim: Mat Honan

“In the space of one hour, my entire digital life was destroyed.”

Page 3

Who is Mat Honan

Tech journalist
Highly cloud dependent
Astute
Tech savvy
Knows the rules of the road

Page 4

The Harm

Google account deleted.

Twitter account compromised, and used to broadcast racist and homophobic messages.

AppleID account was seized.

Page 5

The Harm

Wiped from existence:
iPhone
MacBook Pro
iPad
Two years of baby pictures

Page 6

Timeline: 3 Aug 12 @ 1633

“… according to Apple’s tech support records, someone called AppleCare claiming to be me.”

Apple issued the hacker a temporary password

Page 7

Timeline: 3 Aug 12 @ 1650

“password reset confirmation arrived in my inbox. … the hackers …. permanently reset my AppleID password.”

Page 8

Timeline: 3 Aug 12 @ 1652

“Gmail password … password had changed.”

Page 9

Timeline: 3 Aug 12 @ 1700

“… they used iCloud’s “Find My” tool to remotely wipe my iPhone.”

Page 10

Timeline: 3 Aug 12 @ 1700

“my iPhone suddenly powered down.”

“When I opened my laptop … my Gmail account information was wrong.”

Page 11

Timeline: 3 Aug 12 @ 1702

“they reset my Twitter password…”

Page 12

Timeline: 3 Aug 12 @ 1705

“they remotely wiped my MacBook.…”

Page 13

Timeline: 3 Aug 12 @ 1705

“… they deleted my Google account.”

Page 14

Timeline: 3 Aug 12 @ 1710

“I placed the call to AppleCare.”

Page 15

Timeline: 3 Aug 12 @ 1712

“attackers posted a message to my account on Twitter taking credit for the hack.”

Page 16

Why Mat Honan

“I asked him why. Was I targeted specifically? Was this just to get to Gizmodo's Twitter account [that had been linked to mine]? No, Phobia said, they hadn't even been aware that my account was linked to Gizmodo's, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That's all they wanted. They just wanted to take it, and [mess it] up, and watch it burn. It wasn't personal.”

Page 17

Social Engineering

“the art of manipulating people into performing actions or divulging confidential information”

Page 18

The Sequence of Social Engineering

1. Amazon
2. Apple
3. Google
4. Twitter
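The four-step sequence is a chain: each company's account-recovery process was satisfied by something obtained from the company before it, so the attacker never needed a password. The Python model below is an added illustration, not part of the original slides. The `ACCOUNTS` table uses the four vendor names from the slide, but its recovery rules (which facts each reset flow accepts, and what falls into the attacker's hands afterwards) are constructed and hypothetical, not the vendors' actual procedures; `takeover_chain` computes the order in which an attacker holding only public facts can take the accounts over, and `with_second_factor` shows that one factor which no other account can yield breaks the chain.

```python
"""Chained account recovery: which accounts fall, in what order, from public facts.

Added illustration; the recovery rules below are constructed/hypothetical and do
not describe any vendor's real procedure. Each account lists the alternative sets
of facts its support or reset flow accepts as proof of identity, and the facts an
attacker gains once inside.
"""
import copy

ACCOUNTS = {
    # Hypothetical rules. "unlock": alternatives, each a set of facts that suffices.
    "amazon":  {"unlock": [{"name", "email", "billing_address"}], "yields": {"card_last4"}},
    "apple":   {"unlock": [{"email", "billing_address", "card_last4"}], "yields": {"apple_mailbox"}},
    "google":  {"unlock": [{"apple_mailbox"}], "yields": {"gmail_mailbox"}},   # recovery address
    "twitter": {"unlock": [{"gmail_mailbox"}], "yields": {"twitter_handle"}},  # recovery address
}

PUBLIC_FACTS = {"name", "email", "billing_address"}  # findable from a website and a whois record


def takeover_chain(start, accounts, goal):
    """Return the ordered list of accounts an attacker can take over, starting from
    the facts in `start`, until `goal` falls; None if the goal is never reachable."""
    held = set(start)
    chain = []
    while goal not in chain:
        for name, acct in accounts.items():
            if name not in chain and any(req <= held for req in acct["unlock"]):
                chain.append(name)
                held |= acct["yields"]      # every compromise feeds the next reset
                break
        else:
            return None                     # no remaining account is reachable
    return chain


def with_second_factor(accounts, name, factor):
    """Copy of `accounts` where `name` additionally demands `factor` (for example a
    one-time code from a device the attacker does not hold) on every unlock path."""
    hardened = copy.deepcopy(accounts)
    hardened[name]["unlock"] = [req | {factor} for req in hardened[name]["unlock"]]
    return hardened


if __name__ == "__main__":
    print(takeover_chain(PUBLIC_FACTS, ACCOUNTS, "twitter"))
    # → ['amazon', 'apple', 'google', 'twitter']
    hardened = with_second_factor(ACCOUNTS, "apple", "apple_otp")
    print(takeover_chain(PUBLIC_FACTS, hardened, "twitter"))
    # → None: the chain breaks at the first account that needs a factor no other account yields
```

The point of the model is where the chain can be cut: hardening any single link with a factor that is not derivable from another account (the `apple_otp` above, or an equivalent on the Google or Twitter account) leaves the attacker stuck with the public facts they started from.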

Page 19

Sarah Palin 2008

• September 16, 2008
• Yahoo! Mail account of Sarah Palin
• Cracked by “Rubico”
• Social engineering of the password-reset questions, using date-of-birth info from Wikipedia

Page 20

TBI’s CIA

Confidentiality, Integrity, Availability

Page 21

Identity
Non-repudiation
Access

Factors of Identification:
Something you know
Something you have
Something you are
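A reset that is satisfied by "something you know" (a billing address, a date of birth) or by access to another mailbox is what the timeline above shows being abused; the second factor the deck later prescribes works because it lives on a device the attacker does not hold. The Python below, added here as an example and not taken from the slides, implements the "something you have" factor that authenticator apps use, HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), with the standard library only, and verifies codes with a constant-time comparison, a small clock-skew window, and a last-used counter so a captured code cannot be replayed. The secret and timestamps are the RFC test vectors; the issuer and account names are made up.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library.

Added example, not from the original slides. The 20-byte ASCII secret and the
timestamps used in the checks are the published RFC test vectors; issuer and
account names are made up.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter = Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, last_counter=-1, window=1, step=30):
    """Return the time-step counter the code matched, or None.

    The caller persists the returned counter and passes it back as
    `last_counter` next time; any counter at or below it is refused, so a code
    that was phished or shoulder-surfed cannot be replayed within the window.
    """
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue                                   # already consumed
        if hmac.compare_digest(hotp(secret, c), code):  # constant-time compare
            return c
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from a QR code at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            "&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice", "ExampleIssuer"))  # names made up
    print(totp(RFC_SECRET, int(time.time())))  # what the app would show right now
```

Note what the second factor does and does not protect: the code proves possession of the enrolled device at the time of login, so a support agent who resets a password on the strength of a billing address still should not be able to log in; it does nothing if the same support channel will also remove the factor on request.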

Page 22

Password and PIN

“Something you know”

“a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource”

Page 23

Password Fatigue

• Excessive number of passwords
• Leads to careless password or PIN construction

Page 24

PIN Formulation

• Usually 4 digits
• Don’t use common PINs
• Don’t use personal information: SSN, birthdate, birth year

Most common PINs (DataGenetics analysis; share of all PINs):

  Rank   PIN    Freq
  #1     1234   10.713%
  #2     1111    6.016%
  #3     0000    1.881%
  #4     1212    1.197%
  #5     7777    0.745%
  #6     1004    0.616%
  #7     2000    0.613%
  #8     4444    0.526%
  #9     2222    0.516%
  #10    6969    0.512%
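The table is what makes “don’t use common PINs” measurable: an attacker who tries just those ten values first covers a little over 23% of all PINs. The Python below, added as an example rather than taken from the slides, screens a candidate PIN against the slide’s top-10 list and against the personal-information rules on the slide (SSN, birthdate, birth year), together with the repeated, sequential and year-like patterns that put most of those ten on the list. The date of birth and SSN used in the usage are made up.

```python
"""Screen a four-digit PIN the way the slide advises.

Added example, not from the original slides. COMMON_PINS is the slide's top-10
table (DataGenetics); the date of birth and SSN used below are made up.
"""
from datetime import date
from typing import List, Optional

COMMON_PINS = {  # PIN -> percentage of all PINs in the DataGenetics sample
    "1234": 10.713, "1111": 6.016, "0000": 1.881, "1212": 1.197, "7777": 0.745,
    "1004": 0.616, "2000": 0.613, "4444": 0.526, "2222": 0.516, "6969": 0.512,
}


def top10_coverage() -> float:
    """Share of all PINs an attacker covers by trying just these ten."""
    return sum(COMMON_PINS.values())


def _is_run(pin: str) -> bool:
    """1234 / 4321 style: every step between neighbouring digits is +1 or -1."""
    d = [int(c) for c in pin]
    steps = {b - a for a, b in zip(d, d[1:])}
    return steps == {1} or steps == {-1}


def _date_forms(dob: date) -> set:
    """The 4-digit strings a person naturally derives from their birthdate."""
    return {dob.strftime(f) for f in ("%m%d", "%d%m", "%Y", "%m%y", "%y%m")}


def screen_pin(pin: str, dob: Optional[date] = None, ssn: Optional[str] = None) -> List[str]:
    """Return the reasons to reject `pin`; an empty list means it passes."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append(f"in the top-10 list ({COMMON_PINS[pin]}% of all PINs)")
    if len(set(pin)) == 1:
        reasons.append("one digit repeated")
    if _is_run(pin):
        reasons.append("ascending or descending run")
    if pin[:2] == pin[2:]:
        reasons.append("two-digit pair repeated")
    if 1900 <= int(pin) <= 2030:
        reasons.append("looks like a year")
    if dob is not None and pin in _date_forms(dob):
        reasons.append("derived from date of birth")
    if ssn is not None:
        digits = ssn.replace("-", "")
        if pin in {digits[i:i + 4] for i in range(len(digits) - 3)}:
            reasons.append("substring of SSN")
    return reasons


if __name__ == "__main__":
    dob, ssn = date(1985, 7, 25), "078-05-1120"   # made up
    for candidate in ("1234", "0725", "1985", "1120", "8317"):
        print(candidate, screen_pin(candidate, dob, ssn) or "ok")
```

A PIN that passes every check is not thereby strong, it is merely not in the part of the space an attacker tries first; the slide’s companion advice (lock-out after a few wrong attempts, which the device enforces) is what makes a four-digit secret survive at all.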

Page 25

Password Formulation

• Passwords must contain characters from three of these four categories:
  • Upper case characters
  • Lower case characters
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

• Examples from the password generator in KeePass:
  • A`?KUJ'j
  • 47k0O#qt
  • 4'vn1iSA
  • nwDSB/OL
  • 5*vFXggx
  • tF0ylI59
  • \PvmYk^k
  • $;T+qha2
  • UnJJ:8c8
  • bU4DuwUM
  • bU1H&@56
  • BeU;i$X;
  • 4q+!kkgg
  • $qDsrT35
  • %:WbFlzk
  • HRvqt9j9
  • RcgR^cMt
  • dM/`nx\R

Page 26

Password Formulation

• Since generated passwords like those on the previous slide are tough to remember, try a passphrase:
  • SteveFound4ApplesAndAFlute@hischair
  • 6TacosAreDelicious@YourLocalTacoMart
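The two slides give a category rule, a generator and a passphrase style; the Python below, an added example and not the slides' own material, puts numbers on them. It checks the three-of-four rule with the slide's exact symbol set, generates a random password from those 94 characters with `secrets` (the standard library's CSPRNG, the kind of source a generator such as KeePass's must draw on) and a passphrase from a word list, and computes the guessing entropy of each so the two styles can be compared. The word list is a small constructed stand-in for a real one (a Diceware list has 7776 words), so its entropy figure is for illustration only.

```python
"""Complexity rule, generation and entropy for passwords and passphrases.

Added example, not from the original slides. SYMBOLS is the slide's own
non-alphanumeric set; WORDS is a small constructed stand-in for a real word list.
"""
import math
import secrets
import string

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SYMBOLS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")   # the slide's 32 characters
ALPHABET = "".join(sorted(UPPER | LOWER | DIGITS | SYMBOLS))  # 94 printable ASCII
WORDS = ["taco", "flute", "apple", "chair", "mart", "steve", "found", "delicious"]  # constructed


def categories(password: str):
    """Which of the four character classes the password uses."""
    classes = (("upper", UPPER), ("lower", LOWER), ("digit", DIGITS), ("symbol", SYMBOLS))
    return [name for name, chars in classes if any(c in chars for c in password)]


def meets_policy(password: str, min_len: int = 8) -> bool:
    """The slide's rule: at least three of the four categories (plus a length floor)."""
    return len(password) >= min_len and len(categories(password)) >= 3


def random_password(length: int = 8) -> str:
    """Uniform random choice from the 94-character alphabet, using the OS CSPRNG;
    redraw until the result also satisfies the category rule."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, length):
            return pw


def random_passphrase(words, count: int = 5, sep: str = " ") -> str:
    """Words drawn uniformly (with replacement) from the list, using the CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    This counts the generator's choices, not the characters: a human-chosen
    'Password1' passes the category rule yet has almost none of it."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("A`?KUJ'j", "nwDSB/OL", "Password1", "password"):
        print(f"{pw!r:14} {categories(pw)} policy={meets_policy(pw)}")
    print(random_password(), f"{entropy_bits(len(ALPHABET), 8):.1f} bits")     # 8 chars of 94 -> 52.4
    print(random_passphrase(WORDS), f"{entropy_bits(len(WORDS), 5):.1f} bits")  # 5 of 8 words -> 15.0
    print(f"5 Diceware words (7776-word list): {entropy_bits(7776, 5):.1f} bits")  # 64.6
```

The comparison is the reason the slide moves from generated strings to passphrases: five words from a 7776-word list carry more entropy (about 64.6 bits) than an 8-character random string over all 94 printable characters (about 52.4 bits), and are far easier to remember. The category rule on its own is a floor, not a measure; `Password1` satisfies it.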

Page 27

Where to Store Passwords

• Password Vault

• In your mind!

Page 28

Password Commandments

Thou shalt …
1. Construct a complex password
2. Use a password vault
3. Use dual-factor authentication
4. Protect thy mobile devices

Page 29

Password Commandments

Thou shalt not ….
1. Share thy password
2. Use thy dog’s name
3. Write passwords on sticky notes
4. Use common words
5. Keep passwords in Word documents

Page 30

Before you lose a device ….

Learn if the device has “find me” features
Encrypt critical data at rest
Think carefully about what goes on the device
Don’t let unauthorized personnel utilize your device
Lock your device whenever you step away

Page 31

If you lose a device ….

Report it immediately

BAD NEWS DOES NOT AGE WELL! THE FASTER THE RESPONSE, THE BETTER.

Consumer in control:
Apple: iCloud.com
Microsoft: Exchange
BlackBerry: no self-service

Page 32

Example: iCloud

Page 33

If you lose a device ….

Locate it

Page 34

If you lose a device ….

If you can’t retrieve it, wipe it!

Page 35

Data Classification Concept

  Impact to the TBI Mission                    High   Medium   Low
  High  Reputation and Credibility
        Exposing Personal Information
        Exposing Sensitive Operations Information

Page 36

On cloud computing

It’s here. It’s not going away.

Windows 8 SkyDrive
DropBox
Google Drive
Google Applications
iCloud

Page 37

On cloud computing

Guidance:
No PII
Nothing mission sensitive
Experiment and learn
Preserve CIA
REALLY read the terms of service

Page 38

References

“How Apple and Amazon Security Flaws Led to My Epic Hacking,” Wired, August 6, 2012: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Flickr baby photo: http://goo.gl/q2hSO

DataGenetics.com PIN Analysis: http://goo.gl/bCGGW

Security Now, Episode 364: Twit.tv

Security Now, Episode 364: transcript from grc.com

Apple iCloud how-to: http://www.apple.com/icloud/setup/ios.html

Apple iCloud: icloud.com

Sarah Palin email hack: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack

Clipart: openclipart.org

Social engineering: http://en.wikipedia.org/wiki/Social_engineering_(security)

Password: http://en.wikipedia.org/wiki/Password