diff --git a/labs/Session9_CaseStudies/CaseStudys.md b/Aula-Slides/Session9_CaseStudies/CaseStudys.md similarity index 100% rename from labs/Session9_CaseStudies/CaseStudys.md rename to Aula-Slides/Session9_CaseStudies/CaseStudys.md diff --git a/Aula-Slides/Session9_CaseStudies/Slides.hmtl b/Aula-Slides/Session9_CaseStudies/Slides.hmtl new file mode 100644 index 0000000..81db597 --- /dev/null +++ b/Aula-Slides/Session9_CaseStudies/Slides.hmtl @@ -0,0 +1,216 @@ + + + + + + + Hackers and the Hacked + + + + + + + + + +
+
+ +
+

Hackers and the Hacked

+

Dan Goldsmith

+
+ +
+
+

Case Studies

+ +
+
+

This weeks Future learn

+
    +
  • We looked at a few case studies
  • +
  • Different views on Hacking and the Hacked
  • +
+
+
+
+

Mangham Case:

+ +
+
+

Mangham Case

+
    +
  • Glenn Mangham, Sentenced to 8 months for breaking into Facebook
  • +
  • Reduced to 4 Months on appeal
  • +
  • Prior to FB Bug Bounty Program
  • +
+
+
+

Details:

+
    +
  • Flaw in a separate subsystem of Facebook, used for puzzles.
  • +
  • Gained Access to an employee account
  • +
  • Accessed Mail Servers and Internal Tools
  • +
  • Estimated cost of $200,000
  • +
+
+
+

More Factors

+
    +
  • Had previously taken part in Bug Bounty programs. +
      +
    • Paid for finding flaws by Yahoo
    • +
  • +
  • However, Did not report Flaws to Facebook
  • +
+
+
+

Prosecution

+
+

“This was not just a bit of harmless experimentation - you accessed the very heart of the system of an international business of massive size.”

+

“This was not just fiddling about in the business records of some tiny business of no great importance and you acquired a great deal of sensitive and confidential information to which you were simply not entitled… Potentially what you did could have been utterly disastrous to Facebook.”

+
+
+
+

Appeal

+
+

“The judge was entitled to conclude that his motive was not to inform Facebook of the defects in the system, but to prove that he could beat the system.

+
+
+

“In our view, the combination of the aggravating factors and mitigating factors is such that the more appropriate starting point, in our view, would have been six months, reduced to four months given the appellant’s plea.

+
+
+

“In particular, we would underline the point which the judge mentioned that the information had not been passed on to anyone and there was no financial gain involved.”

+
+
+
+
+

Phone Hacking

+ +
+
+

Phone Hacking

+
    +
  • 2005 Leaked information on Prince William
  • +
  • Other Celebrity activities leaked
  • +
  • 2010 - 2011 Investigation
  • +
+
+
+

How

+
    +
  • Default PIN on voicemail messages
  • +
  • Used to access devices
  • +
+
+
+

Issues

+
    +
  • Moral and Ethical Issues
  • +
  • Legal Issues?
  • +
  • Who paid attention to the Laws in the Case study?
  • +
+
+
+

Laws Broken

+
    +
  • Regulation of Investigatory powers +
      +
    • Intercept communication over telecoms, unless legal investigation by security services
    • +
  • +
  • DPA +
      +
    • Personal Information
    • +
  • +
  • CMA
  • +
+
+
+
+

Password Phishing

+ +
+
+

Phishing 4 Passwords

+
    +
  • Which of these did you find most interesting?
  • +
+
+
+

Easy to Guess Passwords

+
    +
  • Picked a common PW, “Summer16”
  • +
  • Gained access to 50 or 800 accounts
  • +
  • Used this to escalate privileges to admin level
  • +
  • What was it about password policy that caused this?
  • +
+
+
+

Phishing Via Email

+
    +
  • Standard method
  • +
  • Learn something about the Organisation
  • +
  • Craft an Email
  • +
  • Wait for it to be clicked
  • +
  • What was the payload here?
  • +
+
+
+

Phishing Via Phone

+
    +
  • Called organisation posing as Partner
  • +
  • Claimed software wouldn’t install
  • +
  • Was given admin password to help install process.
  • +
  • Who was at fault here?
  • +
+
+
+
+

Task

+ +
+
+

Task

+

Coursework Preparation time.

+

In Groups: - Pick one of the case studies above, or choose your own. - Research this and look for the elements required for the coursework - Prepare a short presentation (~5 Mins) on the topic addressing the points

+
+
+

Reminder of the topics needed for the coursework:

+
    +
  • Technical Details of the Hack Itself
  • +
  • Legal and Ethical Issues
  • +
  • Can we think of Similar Hacks that may have happened
  • +
+
+
+
+ + + + // reveal.js plugins + + + + + + + + diff --git a/labs/Session9_CaseStudies/Slides.md b/Aula-Slides/Session9_CaseStudies/Slides.md similarity index 94% rename from labs/Session9_CaseStudies/Slides.md rename to Aula-Slides/Session9_CaseStudies/Slides.md index 22cd4a4..dba102e 100644 --- a/labs/Session9_CaseStudies/Slides.md +++ b/Aula-Slides/Session9_CaseStudies/Slides.md @@ -1,7 +1,15 @@ --- -titie: Case Studies +title: Hackers and the Hacked +author: Dan Goldsmith --- +# Case Studies + +## This weeks Future learn + + - We looked at a few case studies + - Different views on Hacking and the Hacked + # Mangham Case: ## Mangham Case diff --git a/labs/Session7_Guilty/lab_w7_court.md b/Aula-Slides/Week6_Courrt.md similarity index 100% rename from labs/Session7_Guilty/lab_w7_court.md rename to Aula-Slides/Week6_Courrt.md
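Review bot: the new file is committed as `Aula-Slides/Session9_CaseStudies/Slides.hmtl`; the extension looks like a typo for `.html`, and browsers and static hosts derive the content type from it, so the deck will be downloaded or shown as plain text instead of rendered; rename it to `Slides.html`. The file is also a generated reveal.js rendering of the `Slides.md` edited in the next hunk (same headings and bullets, plugin loader at the end), so the two will drift unless the HTML is produced by the build rather than checked in; if it must be committed, record the generating command in a comment near the top. Inside the slide text, a few lines are wrong or ambiguous enough to mislead students and should be fixed in the markdown source before regenerating: `This weeks Future learn` should read `This week's FutureLearn`; `Gained access to 50 or 800 accounts` reads as a typo and should state the actual figure; the "Laws Broken" bullets should name the statutes in full on first use (Regulation of Investigatory Powers Act 2000, Data Protection Act, Computer Misuse Act 1990), and the RIPA description understates it: RIPA makes intentional interception of communications on a public telecommunication system without lawful authority an offence, and lawful interception requires a warrant, not merely the involvement of the security services. The voicemail bullet should also say the default PIN was on the voicemail mailboxes, not on the messages.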
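Review bot: the added heading `## This weeks Future learn` in the `Slides.md` hunk carries two errors of the same kind as the `titie` typo this hunk corrects in the front matter: a missing possessive apostrophe and the platform name split into two words. It should read `## This week's FutureLearn`. The same heading is reproduced in the HTML rendering earlier in this patch, so fix it here and regenerate rather than patching both copies by hand.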
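Review bot: the rename of `labs/Session7_Guilty/lab_w7_court.md` to `Aula-Slides/Week6_Courrt.md` introduces a spelling error in the destination filename (`Courrt`) and changes the week number from 7 to 6 without explanation; if the renumbering is intentional, say so in the commit message, otherwise use `Week7_Court.md`. The destination also drops the per-session subdirectory that the other moves in this patch use (`Aula-Slides/Session9_CaseStudies/…`), leaving this one file inconsistently at the top level of `Aula-Slides/`.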