Permalink
Show file tree
Hide file tree
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Merge pull request #23 from IOC/master
Merge with Original Repo
- Loading branch information
Showing
2 changed files
with
126 additions
and
0 deletions.
There are no files selected for viewing
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| --- | ||
| titie: Case Studies | ||
| --- | ||
|
|
||
| # Mangham Case: | ||
| ## Mangham Case | ||
|
|
||
| - Glenn Mangham, Sentenced to 8 months for breaking into Facebook | ||
| - Reduced to 4 Months on appeal | ||
| - Prior to FB Bug Bounty Program | ||
|
|
||
| ## Details: | ||
|
|
||
| - Flaw in a separate subsystem of Facebook, used for puzzles. | ||
| - Gained Access to an employee account | ||
| - Accessed Mail Servers and Internal Tools | ||
| - Estimated cost of $200,000 | ||
|
|
||
| ## More Factors | ||
|
|
||
| - Had previously taken part in Bug Bounty programs. | ||
| - Paid for finding flaws by Yahoo | ||
| - However, Did not report Flaws to Facebook | ||
|
|
||
| ## Prosecution | ||
|
|
||
| > "This was not just a bit of harmless experimentation - you | ||
| > accessed the very heart of the system of an international | ||
| > business of massive size." | ||
| > | ||
| > "This was not just fiddling about in the business records of some | ||
| > tiny business of no great importance and you acquired a great | ||
| > deal of sensitive and confidential information to which you were | ||
| > simply not entitled... Potentially what you did could have been | ||
| > utterly disastrous to Facebook." | ||
| ## Appeal | ||
|
|
||
| > “The judge was entitled to conclude that his motive was not to | ||
| > inform Facebook of the defects in the system, but to prove that he | ||
| > could beat the system. | ||
| > “In our view, the combination of the aggravating factors and | ||
| >mitigating factors is such that the more appropriate starting point, | ||
| >in our view, would have been six months, reduced to four months given | ||
| >the appellant’s plea. | ||
| > “In particular, we would underline the point which the judge | ||
| > mentioned that the information had not been passed on to anyone and | ||
| > there was no financial gain involved.” | ||
| # Phone Hacking | ||
|
|
||
| ## Phone Hacking | ||
|
|
||
| - 2005 Leaked information on Prince William | ||
| - Other Celebrity activities leaked | ||
| - 2010 - 2011 Investigation | ||
|
|
||
| ## How | ||
|
|
||
| - Default PIN on voicemail messages | ||
| - Used to access devices | ||
|
|
||
| ## Issues | ||
|
|
||
| - Moral and Ethical Issues | ||
| - Legal Issues? | ||
| - Who paid attention to the Laws in the Case study? | ||
|
|
||
| ## Laws Broken | ||
|
|
||
| - Regulation of Investigatory powers | ||
| - Intercept communication over telecoms, unless legal investigation by security services | ||
| - DPA | ||
| - Personal Information | ||
| - CMA | ||
|
|
||
| # Password Phishing | ||
|
|
||
| ## Phishing 4 Passwords | ||
|
|
||
| - Which of these did you find most interesting? | ||
|
|
||
| ## Easy to Guess Passwords | ||
|
|
||
| - Picked a common PW, "Summer16" | ||
| - Gained access to 50 or 800 accounts | ||
| - Used this to escalate privileges to admin level | ||
| - What was it about password policy that caused this? | ||
|
|
||
| ## Phishing Via Email | ||
|
|
||
| - Standard method | ||
| - Learn something about the Organisation | ||
| - Craft an Email | ||
| - Wait for it to be clicked | ||
| - What was the payload here? | ||
|
|
||
| ## Phishing Via Phone | ||
|
|
||
| - Called organisation posing as Partner | ||
| - Claimed software wouldn't install | ||
| - Was given admin password to help install process. | ||
| - Who was at fault here? | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| # Task | ||
|
|
||
| ## Task | ||
|
|
||
| Coursework Preparation time. | ||
|
|
||
| In Groups: | ||
| - Pick one of the case studies above, or choose your own. | ||
| - Research this and look for the elements required for the coursework | ||
| - Prepare a short presentation (~5 Mins) on the topic addressing the points | ||
|
|
||
| ## Reminder of the topics needed for the coursework: | ||
|
|
||
| - Technical Details of the Hack Itself | ||
| - Legal and Ethical Issues | ||
| - Can we think of Similar Hacks that may have happened |