diff --git a/labs/Extra_CaseStudies/CaseStudys.md b/labs/Session9_CaseStudies/CaseStudys.md similarity index 100% rename from labs/Extra_CaseStudies/CaseStudys.md rename to labs/Session9_CaseStudies/CaseStudys.md diff --git a/labs/Session9_CaseStudies/Slides.md b/labs/Session9_CaseStudies/Slides.md new file mode 100644 index 0000000..22cd4a4 --- /dev/null +++ b/labs/Session9_CaseStudies/Slides.md 
@@ -0,0 +1,126 @@ +--- +titie: Case Studies +--- + +# Mangham Case: +## Mangham Case + + - Glenn Mangham, Sentenced to 8 months for breaking into Facebook + - Reduced to 4 Months on appeal + - Prior to FB Bug Bounty Program + +## Details: + + - Flaw in a separate subsystem of Facebook, used for puzzles. + - Gained Access to an employee account + - Accessed Mail Servers and Internal Tools + - Estimated cost of $200,000 + +## More Factors + + - Had previously taken part in Bug Bounty programs. + - Paid for finding flaws by Yahoo + - However, Did not report Flaws to Facebook + +## Prosecution + +> "This was not just a bit of harmless experimentation - you +> accessed the very heart of the system of an international +> business of massive size." +> +> "This was not just fiddling about in the business records of some +> tiny business of no great importance and you acquired a great +> deal of sensitive and confidential information to which you were +> simply not entitled... Potentially what you did could have been +> utterly disastrous to Facebook." + +## Appeal + +> “The judge was entitled to conclude that his motive was not to +> inform Facebook of the defects in the system, but to prove that he +> could beat the system. + +> “In our view, the combination of the aggravating factors and +>mitigating factors is such that the more appropriate starting point, +>in our view, would have been six months, reduced to four months given +>the appellant’s plea. + +> “In particular, we would underline the point which the judge +> mentioned that the information had not been passed on to anyone and +> there was no financial gain involved.” + +# Phone Hacking + +## Phone Hacking + + - 2005 Leaked information on Prince William + - Other Celebrity activities leaked + - 2010 - 2011 Investigation + +## How + + - Default PIN on voicemail messages + - Used to access devices + +## Issues + + - Moral and Ethical Issues + - Legal Issues? + - Who paid attention to the Laws in the Case study? 
+ +## Laws Broken + + - Regulation of Investigatory powers + - Intercept communication over telecoms, unless legal investigation by security services + - DPA + - Personal Information + - CMA + +# Password Phishing + +## Phishing 4 Passwords + + - Which of these did you find most interesting? + +## Easy to Guess Passwords + + - Picked a common PW, "Summer16" + - Gained access to 50 or 800 accounts + - Used this to escalate privileges to admin level + - What was it about password policy that caused this? + +## Phishing Via Email + + - Standard method + - Learn something about the Organisation + - Craft an Email + - Wait for it to be clicked + - What was the payload here? + +## Phishing Via Phone + + - Called organisation posing as Partner + - Claimed software wouldn't install + - Was given admin password to help install process. + - Who was at fault here? + + + + + +# Task + +## Task + + Coursework Preparation time. + + In Groups: + - Pick one of the case studies above, or choose your own. + - Research this and look for the elements required for the coursework + - Prepare a short presentation (~5 Mins) on the topic addressing the points + +## Reminder of the topics needed for the coursework: + + - Technical Details of the Hack Itself + - Legal and Ethical Issues + - Can we think of Similar Hacks that may have happened
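Review bot: the YAML front matter at the top of Slides.md reads `titie: Case Studies`; the key must be `title`, otherwise the deck renders with no title. Same hunk, smaller points: "Gained access to 50 or 800 accounts" leaves the figure unresolved and should state the number the case study actually gives (or "50 of 800" if that is the intended reading); the "# Mangham Case:" heading carries a trailing colon that the other top-level headings lack; the first two Appeal block quotes open with a curly quote but never close it, so they read as a single unterminated quotation; "Regulation of Investigatory powers" should be "Regulation of Investigatory Powers Act" so it lines up with the DPA and CMA entries, and it would help first-time readers to expand DPA and CMA once (Data Protection Act, Computer Misuse Act); and the run of empty `+` lines before "# Task" can be trimmed to the single blank line used between the other sections.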