5-8. "In the space of one hour, my entire digital life was destroyed...
First my Google account was taken over, then deleted...
Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages...
And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook."
— Mat Honan
@mat
16-17. Dec 2009 — 32 million
June / July 2012:
FormSpring — 420K
Last.fm — ???
Gamigo — 8.2M
Yahoo — 453K
LinkedIn — 6.5M
eHarmony — 1.5M
21. "Two-factor authentication is one of
the best things you can do to make
sure your accounts don’t get
hacked."
— Lifehacker Australia
28. Best Security Practices
Strong passwords / Two-factor
Unique emails for accounts
    brad+nytimes@gmail.com or brad+news@gmail.com
    brad+paypal@gmail.com or brad+money@gmail.com
Use good “security questions”
Secure websites (https://)
Meet Mat Honan — he is having a BAD day
“In the space of one hour, my entire digital life was destroyed...”
“First my Google account was taken over, then deleted...”
“Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages...”
“And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
A cool Twitter handle — that was their original motivation
Erasing the data was just a malicious act
OK ... so HOW did they do this? Amazing manipulation of information and different online companies...
First, they found his email address on his personal home page...
Through GMail’s password recovery option they were able to determine that he had an AppleID
Not hard to figure out that m***n@me.com is mathonan@mac.com
To get to his AppleID account they needed a billing address (got through WHOIS) and the last 4 digits of a CC — so how’d they get the CC?
Called Amazon (where Mat had an acct) and “added” a CC to his account—all they needed was his name, email, billing address & Amazon lets you add a CC
Call back later and say you can’t access your account—provide the name, billing addr, and CC (that you just gave them) and they let you add a new email
Go to the Amazon website and do a password reset to the new email. OK now what?
Amazon’s payment method page gives you the last 4 digits of all CC’s you have on file
With that information, they called Apple — by providing email, billing address, and last 4 digits of CC they got Apple to reset the account password
Now they have EVERYTHING — iCloud, remote wipe
OWNED!!
Are you at risk? Maybe you don’t use Apple or Amazon?
Let’s take a look at some password hacks that affected big companies, not just an individual
One of the biggest in history — just a few years ago
32 million emails / passwords compromised and posted online
More recently — FormSpring: 420K
Last.fm — who never would say how many
Gamigo (online multiplayer games) — 8.2 million!
OK, never heard of any of those...
Yahoo — 453K ... LinkedIn — 6.5 million ... eHarmony — 1.5 million
The passwords are encrypted, so hackers have to crack them ... the biggest problem is that we suck at passwords!
After analyzing the passwords, does anyone know what the most common password used is?
We choose EASY passwords!! Top 10: 123456789, password, qwerty, abc123, letmein, trustno1, iloveyou
The average user logs in to 7-25 accounts per day and has to authenticate ~15 times a day
That’s a pain!
So we choose passwords that are EASY to remember AND...
We use the same password OVER and OVER
70% of people do not use a unique password for each website
Imagine an office desk drawer key—not very important—that opened your car, house, and safe!
Bad passwords: the above! Your or your kids’ names, personal information, words in the dictionary.
Good passwords: long “pass phrases”
Some suggest using a letter from the beginning of each word, e.g. “This little piggy went to market” becomes TLPWENT2M — it’s better to just use the phrase itself
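The rules in the notes above (reject the common list, names and personal information, single dictionary words; prefer a long pass phrase; never reuse) as a small checker. This is an added example, not from the slides; the common-password set is the one the notes list, and the dictionary, the personal-information list and the password-manager "vault" are constructed stand-ins. The strength estimate is a crude character-class count, used only to show why the whole phrase beats its acronym.

```python
import math
import re
from collections import defaultdict

# Constructed sample data: the common passwords the notes name, plus a tiny
# stand-in for a real dictionary check.
COMMON_PASSWORDS = {"123456789", "password", "qwerty", "abc123",
                    "letmein", "trustno1", "iloveyou"}
DICTIONARY_WORDS = {"piggy", "market", "little", "summer", "dragon", "monkey"}
MIN_LENGTH = 12


def estimate_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the character classes
    used). It overstates real strength for dictionary phrases, so it is only
    used here to compare two candidates, never as the acceptance rule."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(candidate: str, personal_info=()) -> tuple:
    """Apply the notes' rules in order. Returns (accepted, reason)."""
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "one of the most common passwords"
    for item in personal_info:
        # names, kids' names, birth years etc. supplied by the caller
        if item and len(item) >= 3 and item.lower() in lowered:
            return False, f"contains personal information ({item})"
    if lowered in DICTIONARY_WORDS:
        return False, "single dictionary word"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "accepted"


def find_reused(vault: dict) -> dict:
    """Group sites in a (constructed) password-manager export by shared
    password; returns {password: [sites]} for every password used twice."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[password].append(site)
    return {pw: sorted(sites) for pw, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    for pw in ["letmein", "Brad2012!!", "TLPWENT2M", "This little piggy went to market"]:
        print(f"{pw!r}: {check_password(pw, personal_info=['Brad'])}, "
              f"~{estimate_bits(pw):.0f} bits")
    vault = {"bank": "letmein", "webmail": "correct horse battery", "forum": "letmein"}
    print("reused:", find_reused(vault))
```

The acronym TLPWENT2M fails only on length, while the full phrase passes and scores far higher on the estimate; the reuse check is what a password manager's audit feature does for the 70% who share one password across sites.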
What is two-factor authentication (or two-step verification)?
Something you know: Your login and password
Something you have: Your phone
Login like you normally would
Enter your code from phone
(Can remember computer for 30 days or validate every time)
That’s it!
Can have a text sent to you — or use Google Authenticator app (iPhone, Android, Blackberry)
App can be accessed even if you don’t have phone connectivity
What about your applications — Outlook, etc?
Google generates passwords for each application
You only have to enter it ONCE
You can revoke access to specific apps at any time
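The per-application password model described above, as an added example that is not Google's code: each app gets its own random password, the plaintext is shown once and only a salted digest is stored, and revoking one app's password leaves the others and the main login untouched. Account structure, password alphabet and PBKDF2 work factor are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # assumed: 16 lowercase letters, easy to type once
PBKDF2_ROUNDS = 50_000                    # illustrative work factor


@dataclass
class AppPassword:
    app_name: str
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    username: str
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)


def _digest(secret: str, salt: bytes) -> bytes:
    """Store only a salted PBKDF2 digest of the app password, never the text."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def issue_app_password(account: Account, app_name: str) -> str:
    """Generate a random per-application password. The plaintext is returned
    exactly once for the user to paste into the mail client; afterwards only
    the digest exists, so it can never be displayed again, only replaced."""
    plaintext = "".join(secrets.choice(ALPHABET) for _ in range(16))
    salt = secrets.token_bytes(16)
    account.app_passwords[app_name] = AppPassword(app_name, salt, _digest(plaintext, salt))
    return plaintext


def verify_app_password(account: Account, submitted: str) -> Optional[str]:
    """Check a submitted password against every live app password and return
    the application it belongs to, or None. Revoked entries never match.
    This path has no second step: that is the trade-off app passwords make
    for clients that cannot prompt for a code, so they must be revocable."""
    for entry in account.app_passwords.values():
        if entry.revoked:
            continue
        if hmac.compare_digest(_digest(submitted, entry.salt), entry.digest):
            return entry.app_name
    return None


def revoke_app_password(account: Account, app_name: str) -> bool:
    """Cut off one application without touching the others or the main password."""
    entry = account.app_passwords.get(app_name)
    if entry is None or entry.revoked:
        return False
    entry.revoked = True
    return True


if __name__ == "__main__":
    acct = Account("brad")
    outlook_pw = issue_app_password(acct, "Outlook")
    print("enter this once in Outlook:", outlook_pw)
    print("login as:", verify_app_password(acct, outlook_pw))
    revoke_app_password(acct, "Outlook")
    print("after revoke:", verify_app_password(acct, outlook_pw))
```

Because each app has its own credential, a leaked mail-client password is contained to that app and is fixed by one revoke, without changing the main password or re-enrolling the phone.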
Facebook has the same thing
Called “Login Approvals”
BTW — you should turn on Login Notifications and Secure Browsing while you are here!
Other popular services that have two-factor auth: Dropbox and PayPal
Dropbox uses the Google Authenticator (GAuth) app
PayPal uses text messages
Unique emails make it harder for hackers to access a different account if one is compromised
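The unique-email practice from slide 28 in code, as an added example (not from the slides): Gmail-style plus addressing delivers brad+nytimes@gmail.com to brad@gmail.com, so every service can get its own alias, and when a breach list appears the alias that shows up tells you which service exposed it and which account to re-secure first. The alias-to-service map and the "breach dump" are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Plus addressing: local+tag@domain is delivered to local@domain.
ALIAS_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")

# Constructed: the aliases from slide 28 and the service each was given to.
MY_ALIASES: Dict[str, str] = {
    "brad+nytimes@gmail.com": "New York Times",
    "brad+news@gmail.com": "news sites",
    "brad+paypal@gmail.com": "PayPal",
    "brad+money@gmail.com": "banking",
}


def split_alias(address: str) -> Tuple[str, Optional[str]]:
    """Return (delivery mailbox, tag). The tag is None for a plain address."""
    m = ALIAS_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not a plus-addressable address: {address!r}")
    return f"{m['local']}@{m['domain']}", m["tag"]


def attribute_leak(leaked_addresses, my_aliases: Dict[str, str]) -> Dict[str, str]:
    """Map each of my aliases found in a breach dump to the service it was
    given to. Matching uses the full alias, tag included, because the tag
    is what identifies the service; case and whitespace are normalised."""
    known = {alias.lower(): service for alias, service in my_aliases.items()}
    found: Dict[str, str] = {}
    for addr in leaked_addresses:
        key = addr.strip().lower()
        if key in known:
            found[key] = known[key]
    return found


if __name__ == "__main__":
    # Constructed sample of addresses from a breach list.
    dump = ["someone@example.com", "BRAD+paypal@gmail.com ", "brad@gmail.com"]
    print(split_alias("brad+nytimes@gmail.com"))
    print(attribute_leak(dump, MY_ALIASES))
```

One caveat: the delivery mailbox is visible inside a plus alias, so its value is in tracing which service leaked and in keeping recovery emails from lining up across accounts, not in hiding the underlying address.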
Strong passwords — essential! All the easy ones are already cracked
Secure websites — why is this important? Starbucks!!
Security questions are a weak link!
NEVER use the truthful answer to a security question
Encrypts traffic between your browser and the website server
Mat Honan — bit of a happy ending
DriveSavers — recovered 75% of hard drive data
Turns out the “priceless” photos aren’t really priceless anymore...
Mat’s photos of his daughter: Priceless!
Cost to recover data from hard drive: $1690!!!
Use password storage programs like LastPass or 1Password to store all of your unique passwords and answers to security questions for each site