HACKING MAT HONAN
    Bill Condo // 12/12/2012




Thursday, December 13, 12
WHO IS MAT HONAN?


    Senior Writer at Wired
    honan.net
    @mat




WHAT HAPPENED?

    • Amazon.com account compromised

    • Apple / iTunes account compromised

    • Gmail hacked

    • Mac wiped

    • iPhone wiped

    • Twitter account stolen

TIMELINE
    •   4:33 p.m. Attacker calls Apple support and requests a reset without being able to answer the security questions. Reset email sent.
        Data required: e-mail address (website, Gmail), credit card number (via Amazon), billing address (whois).

    •   4:50 p.m. Reset email arrives at the me.com address and is sent to the trash. The email is then used to set a new password.

    •   4:52 p.m. Gmail password reset sent to the me.com address. Attacker resets the Gmail password; the notice email is sent to me.com.

    •   5:00 p.m. iCloud's Find My tool used to wipe Mat's iPhone.

    •   5:01 p.m. iCloud's Find My tool used to wipe Mat's iPad.

    •   5:02 p.m. Twitter password reset email sent. Attacker sets a new Twitter password.

    •   5:05 p.m. iCloud's Find My tool used to wipe Mat's MacBook Pro.

    •   5:10 p.m. Mat calls AppleCare.

    •   5:12 p.m. Attacker posts to Twitter with Mat's account.

FAILURES



    • Amazon accounts can be easily compromised.

    • AppleCare doesn't enforce security questions.




WHAT’S REALLY NEEDED?


    • Do you need remote wipe?

    • Do you need to store credit cards?

    • Do you need public whois info?




DO: BACKUP


    • Consider both local snapshots and off-site backup options

         • Time Machine (Mac) or Windows Backup (PC)

         • Carbonite, BackBlaze, Mozy are some of the off-site options

    • Test / verify backups



DO: SETUP 2ND EMAIL


    •   Consider a second email, one with a different prefix.

    •   Consider second-factor authentication

    •   Different (stronger) password
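One way to audit the recovery chain the timeline describes, as an added example that is not part of the deck: each account lists the credentials its recovery paths ask for, and a fixed-point pass shows which accounts fall once the publicly known data is in hand, before and after moving Gmail recovery to a separate address as the slide suggests. The account names, path requirements and the `harden` function are constructed assumptions that mirror the timeline, not a description of any vendor's actual process.

```python
# Recovery-chain audit (added example, not from the slides). Each account has
# alternative recovery paths; a path unlocks the account once every credential
# it asks for is already in hand. Names and requirements are constructed.
from typing import Dict, List, Set, Tuple

# account -> list of (credentials a path requires, what control of it yields)
Graph = Dict[str, List[Tuple[Set[str], Set[str]]]]

def reachable(graph: Graph, known: Set[str]) -> Set[str]:
    """Fixed point: repeatedly take over any account with a recovery path
    fully satisfied by known credentials, until nothing new unlocks."""
    known, owned = set(known), set()
    changed = True
    while changed:
        changed = False
        for account, paths in graph.items():
            if account in owned:
                continue
            for needs, yields in paths:
                if needs <= known:
                    owned.add(account)
                    known |= yields | {f"control:{account}"}
                    changed = True
                    break
    return owned

# Constructed model of the deck's chain: the phone reset at Apple asked for
# e-mail address, billing address and card number; control of the me.com
# inbox then satisfied the e-mail resets for Gmail and, through it, Twitter.
HONAN_2012: Graph = {
    "amazon":  [({"email", "billing_address"}, {"card_number"})],
    "apple":   [({"email", "billing_address", "card_number"}, {"inbox:me.com"})],
    "gmail":   [({"inbox:me.com"}, {"inbox:gmail"})],
    "twitter": [({"inbox:gmail"}, set())],
}
PUBLIC = {"email", "billing_address"}  # website / Gmail address, whois record

def harden(graph: Graph) -> Graph:
    """Apply the 'second e-mail' slide: Gmail recovers through a separate
    address (different prefix, own password, second factor) that no
    phone-reset path in the graph controls."""
    fixed = dict(graph)
    fixed["recovery_mail"] = [({"password:recovery", "otp:recovery"}, {"inbox:recovery"})]
    fixed["gmail"] = [({"inbox:recovery"}, {"inbox:gmail"})]
    return fixed

if __name__ == "__main__":
    print("before:", sorted(reachable(HONAN_2012, PUBLIC)))
    print("after: ", sorted(reachable(harden(HONAN_2012), PUBLIC)))
```

Note that the hardened graph still loses the Amazon and Apple accounts; the second address only stops the chain from spreading to Gmail and Twitter, which is the point the slide makes.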




FOLLOWUP: AMAZON



    • Amazon updated their policy, removing the option for over-the-phone account settings changes (credit cards, emails, etc.)




FOLLOWUP: APPLE


    •   "We found that our own internal policies were not followed completely." - Apple

    •   Apple suspends password change requests via the phone




MORE INFO


    •   Wired: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

    •   Security Now: http://twit.tv/show/security-now/364

    •   Wired: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/




COMMENTS?

    @mavrck
    bill@billcondo.com



