Hackers and the Hacked

Dan Goldsmith

Case Studies

This week's FutureLearn

  • We looked at a few case studies
  • Different views on Hacking and the Hacked

Mangham Case

  • Glenn Mangham, Sentenced to 8 months for breaking into Facebook
  • Reduced to 4 Months on appeal
  • Prior to FB Bug Bounty Program

Details:

  • Flaw in a separate subsystem of Facebook, used for puzzles.
  • Gained Access to an employee account
  • Accessed Mail Servers and Internal Tools
  • Estimated cost of $200,000

More Factors

  • Had previously taken part in bug bounty programs.
    • Paid by Yahoo for finding flaws
  • However, did not report the flaws to Facebook

Prosecution

"This was not just a bit of harmless experimentation - you accessed the very heart of the system of an international business of massive size."

"This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled... Potentially what you did could have been utterly disastrous to Facebook."

Appeal

“The judge was entitled to conclude that his motive was not to inform Facebook of the defects in the system, but to prove that he could beat the system.

“In our view, the combination of the aggravating factors and mitigating factors is such that the more appropriate starting point, in our view, would have been six months, reduced to four months given the appellant’s plea.

“In particular, we would underline the point which the judge mentioned that the information had not been passed on to anyone and there was no financial gain involved.”

Phone Hacking

  • 2005 Leaked information on Prince William
  • Other Celebrity activities leaked
  • 2010 - 2011 Investigation

How

  • Default PIN on voicemail messages
  • Used to access devices

Issues

  • Moral and Ethical Issues
  • Legal Issues?
  • Who paid attention to the Laws in the Case study?

Laws Broken

  • Regulation of Investigatory Powers Act (RIPA)
    • Offence to intercept communications over telecoms networks, unless part of a lawful investigation by the security services
  • Data Protection Act (DPA)
    • Personal information
  • Computer Misuse Act (CMA)

Password Phishing

Phishing 4 Passwords

  • Which of these did you find most interesting?

Easy to Guess Passwords

  • Picked a common password, "Summer16"
  • Gained access to 50 of 800 accounts
  • Used this to escalate privileges to admin level
  • What was it about the password policy that caused this?
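The slide asks what the password policy allowed. The point is that "Summer16" satisfies a typical legacy complexity rule (eight characters, three of four character classes) while being one of the first guesses any attacker makes. The example below is added for this page and is not from the case study or the course materials; it contrasts a complexity-only policy with one that adds a minimum length and a denylist of season-plus-year and common-word patterns. The function names and the word lists are my own constructions.

```python
import re

# Constructed denylists for the example; a real deployment would use a far
# larger breached-password list in addition to these pattern checks.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "changeme")

# season, optional separators, 2- or 4-digit year, optional trailing symbols
_SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)[^a-z0-9]*(\d{2}|\d{4})[^a-z0-9]*$")


def passes_complexity_policy(pw: str) -> bool:
    """Legacy policy: at least 8 characters and 3 of the 4 character classes.

    "Summer16" passes this: upper, lower and digit make three classes.
    """
    if len(pw) < 8:
        return False
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes >= 3


def is_predictable(pw: str) -> bool:
    """True when the password follows a season+year or common-word+suffix pattern."""
    lowered = pw.lower()
    if _SEASON_YEAR.match(lowered):
        return True
    # Strip trailing digits/symbols so "Welcome123!" is judged on "welcome".
    base = re.sub(r"[^a-z]+$", "", lowered)
    return base in COMMON_WORDS or base in SEASONS


def strong_policy_accepts(pw: str, min_length: int = 12) -> bool:
    """Stronger policy: longer minimum, complexity, and no predictable patterns."""
    return len(pw) >= min_length and passes_complexity_policy(pw) and not is_predictable(pw)


def evaluate(pw: str) -> dict:
    """Return each policy's verdict for a candidate password."""
    return {
        "complexity_policy": passes_complexity_policy(pw),
        "predictable": is_predictable(pw),
        "strong_policy": strong_policy_accepts(pw),
    }


def weak_but_accepted(candidates):
    """Passwords the legacy policy would accept but the strong policy rejects.

    Running this over an organisation's actual password set (via a hash
    audit, never plaintext) shows how much exposure the old policy left.
    """
    return [pw for pw in candidates if passes_complexity_policy(pw) and not strong_policy_accepts(pw)]


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for candidate in ("Summer16", "Autumn2021#", "Welcome123!", "ballad-otter-vacuum-29"):
        print(candidate, evaluate(candidate))
```

The spray in the case study worked because the complexity rule constrained character classes but not predictability: anyone choosing a password under that rule in summer 2016 had "Summer16" as an obvious, compliant choice. Checking candidates against a denylist of patterns and breached passwords, and raising the minimum length, removes the handful of guesses that cover a large share of an organisation's accounts.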

Phishing Via Email

  • Standard method
  • Learn something about the Organisation
  • Craft an Email
  • Wait for it to be clicked
  • What was the payload here?

Phishing Via Phone

  • Called the organisation posing as a partner
  • Claimed software wouldn't install
  • Was given admin password to help install process.
  • Who was at fault here?

Task

Coursework Preparation time.

In Groups:

  • Pick one of the case studies above, or choose your own.
  • Research this and look for the elements required for the coursework
  • Prepare a short presentation (~5 Mins) on the topic addressing the points

Reminder of the topics needed for the coursework:

  • Technical Details of the Hack Itself
  • Legal and Ethical Issues
  • Can we think of Similar Hacks that may have happened