
My personal Sony Hack

The hack of Sony Pictures Entertainment will long be remembered not so much for the complexity of the attack as for the amount of leaked data. "They took everything away, even peeled off the wallpaper." As is often the case with high-profile attacks, we will never know all the details, but it is already clear that it was possible to steal copies of films, passwords, social security data, and archives of top managers' correspondence for only one reason: it was all badly protected. Learning from SPE's experience is not easy: you cannot get away with antivirus as insurance, you need to change the whole system. Hence the usual reaction: “well, it is clear why they got hacked, and maybe it will pass us by”.

It will not. The price tag for targeted attacks is dropping faster than the ruble exchange rate: if in 2011 only a state could afford one, now the cost has dropped to the level of a small business. Maybe it will be more convincing to get personal? If you try the “they stole everything” situation on yourself, you will think first of secret working papers, and second of spicy correspondence in Skype. The problem is that it does not end there, and the criminals may well use completely different information first. A constructive conversation with a company owner about methods of protection can begin with an analysis of the information that can be stolen from him personally, and how it can be used. I tried to work this out using my own example.

What are our starting conditions? We analyze everything that is protected by a password or stored on hard drives and flash drives. We do not touch public data: posts on Facebook, tweets and assorted Instagram posts (provided that content on social networks is published only publicly, and private messages and restricted-access posts are rarely used). Just in case, I will add the necessary disclaimer: everything shown below is fiction and has no relation to reality, and if it does, it has been changed beyond recognition. I also did not touch work mail and access to the corporate network: firstly, disclosing anything from there in public would be quite difficult, and secondly, the level of protection is incomparably higher. Thirdly, as I will show further on, it is not necessary to break into the corporate network in order to obtain working documents.

Let's go. Mail.
A storehouse of private information. My personal mail on Gmail has existed since 2003 and contains a lot of interesting information. We look carefully through the list of recent messages and immediately see the e-ticket for my next business trip. Enter the ticket number on the airline's website and you get the opportunity to cancel the reservation: without anyone entering any other data, I can be put in a very stupid position at the airport on the day of departure.
But that is just a warm-up. Over 11 years of digital life, hundreds of letters confirming registration on various websites and forums have accumulated in the mail. In some of them the password is in plain text, and if I use a single password everywhere (actually, no), then I have problems. Obviously, the mailbox makes it possible to reset the password for almost any service registered to it, from Facebook to Skype.

Look at the last few hundred messages. An itemized bill from my mobile operator: not a fresh one, but still a detailed list of the phone numbers I called and that called me. A passport number from a ticket reservation. Home and work addresses from online store emails. Date of birth in an electronic insurance policy. And the passport scan itself is there: sent to someone for some purpose. And the driver's licence. And the civil passport too. And the registration certificate for the car. Domains and VPSes registered to me. For dessert: the serial numbers of purchased software and even a couple of pictures of licensed Windows stickers from personal laptops.



And that was only the first thousand messages from the last six months; the archive totals more than 15,000 messages. Google's two-factor authentication provides quite decent protection for all this data, provided that you use it. But if you dig further, you can “suddenly” find a copy of the mail correspondence on two other services that are not so well protected (and the password there is old and simple). It was simply set up once and forgotten. But it still works.

Oh yes: when I was away, my wife asked me to write her the (of course, very complicated) password for my home WiFi. It is difficult to find the letter with the password in the archive (I found it myself only because I know the password). But it is there.
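
A self-audit along the lines of this section, as an added example that is not part of the original article: it flags messages in your own mailbox export that hold the kinds of data listed above. The rule patterns, function names and sample messages are constructed assumptions.

```python
import email, mailbox, re
from email import policy
from email.message import EmailMessage

# Categories follow the article's inbox walk; the patterns are assumptions to tune.
RULES = {
    "plaintext password": re.compile(r"\b(password|passphrase)\s*(is|:|=)\s*\S+", re.I),
    "travel booking": re.compile(r"\b(e-?ticket|booking reference|itinerary)\b", re.I),
    "identity document": re.compile(r"\b(passport|driver'?s licen[cs]e|insurance policy)\b", re.I),
    "software licence": re.compile(r"\b(serial number|licen[cs]e key|product key)\b", re.I),
}
DOC_ATTACHMENT = re.compile(r"(passport|scan|licen[cs]e).*\.(jpe?g|png|pdf)$", re.I)

def load_mbox(path):
    """Open your own mbox export so messages parse with the modern email API."""
    parse = lambda f: email.message_from_binary_file(f, policy=policy.default)
    return mailbox.mbox(path, factory=parse, create=False)

def audit_message(msg):
    """Return the sorted risk categories found in one message."""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body is not None else "")
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if any(DOC_ATTACHMENT.search(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.add("identity document")
    return sorted(hits)

def audit(messages):
    """List (subject, categories) for every flagged message; clean mail is omitted."""
    return [(str(m["Subject"] or ""), h) for m in messages if (h := audit_message(m))]

def _sample(subject, body, attachment=None):  # builds one constructed message
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00", maintype="image", subtype="jpeg", filename=attachment)
    return m

SAMPLES = [  # constructed messages modelled on the article's examples, not real mail
    _sample("Welcome to the forum", "Login: user1\nYour password: example-Passw0rd"),
    _sample("Your e-ticket receipt", "Booking reference ABC123"),
    _sample("Documents as requested", "See attached.", "passport_scan.jpg"),
    _sample("Lunch on Friday?", "Noon works for me."),
]

if __name__ == "__main__":
    for subject, hits in audit(SAMPLES):
        print(f"{subject}: {', '.join(hits)}")
```

To run it on real data, pass `load_mbox("path/to/export.mbox")` to `audit` instead of `SAMPLES`; the path is a placeholder for your own export.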

Money
From the same mail it is easy to find out which bank issued my card and whether I use its online banking: there are letters confirming transactions. No, it is not possible to steal money from me right away: you need to know the CVC code and steal my phone, which receives the VISA 3-D Secure request. But wait, there is still the option of entering a reusable password instead of having a one-time code sent. Did I use it anywhere else? That cannot be ruled out. Is there a credit card number in the mail or somewhere else? Fortunately not. All is well?



No. The credit card is linked to at least two services where no confirmation is ever asked for: PayPal and Amazon. To transfer money anywhere in the first case, and to buy goods at my expense in the second, it is enough to know the password to the service.

The card is also tied to my account with the mobile operator, which allows money to be withdrawn through the online personal account. Here, however, physical access to the phone or SIM card may already be needed. This topic is more complex, but having a copy of a passport makes it easier, at least in theory.

Phone
But what is really worth talking about is access to the iCloud and Google accounts. What happens when iCloud is hacked, we all know. Not everyone knows that these services provide access to more than just the app store. And those who know that a lot of data is stored “in the cloud” often underestimate the threat. Let's look at examples.

Photos. No, photos of cats and a collection of animated hypnotoads are not so interesting. What is interesting is the habit of using the phone camera as a notebook. And what is in there? Well, if the passport scan was not stolen from my mail, a copy is carefully stored on the phone (along with a couple of relatives' passports: it is so simple, no need to copy out the numbers, just take a photo of the document!). There are also slides photographed off the screen at various presentations, sometimes not entirely public ones. If you, like me, like to draw on a whiteboard with a marker and then photograph your schemes for conquering the world as a keepsake, then you have another problem.

This example shows well how difficult it is to draw a line between work and personal life under modern conditions. I do not conduct business correspondence in my personal mail, and I do not forward secret documents to myself for reference. But thanks to the smartphone, the camera and the cloud service, commercial information tends to find its way into private space. It is good that iCloud now has two-factor authentication. It is bad that Dropbox, when installed, very persistently offers to send all the photos to its storage as well. It has two-factor authentication too. Did you remember to turn it on?



My second smartphone runs Android. And Google kindly provides the opportunity to view your movements, for any given day and year. And to show the GPS track to someone else, if the account is not secure enough. It may be a memorable track from a trip around the island of Tenerife, or quite routine but more dangerous data about your movements from home to work. If someone hacks into my Google account, they will get access to both mail and geotags, and therefore my home address will be obtained from two sources at once. I have already said that the WiFi password is somewhere in the mail too. My router is very good, and the signal is easily picked up from the street. Well, you understand what I am getting at.

Computer
Compared to the wealth of personal data on network services, my laptop is all peace and quiet. There is more data (music, video, non-critical photos from trips), but less danger. This is because work and personal life are separated at the hardware level, and for work I use a separate machine with a much higher degree of security. In a more typical case, working documents would probably be stored in the Documents folder, a copy of the work correspondence in Outlook, and all negotiations in Skype.



The problem is that in this hypothetical attack the laptop is most likely the entry point. It is through the laptop that all the data mentioned above will be accessed: through a letter with an infected attachment, malicious code on a website, or something similar.

Findings
So, a simple glance at my personal data from a certain angle showed that:
• In the event of a hack, the attacker will have access to a vast array of personal information.
• This information is repeatedly duplicated on both devices and network services. It is enough to choose the most vulnerable.
• Hacking mail is likely to lead to the compromise of all network accounts.
• It is highly likely that money will be stolen from a credit card through the services to which it is linked.
• Even if working documents are, as a matter of principle, not stored on personal devices, corporate information is still under threat.
• Protecting any important data is a complex task that requires a lot of effort, because the third-party services that store this information do not always provide adequate protection.
• Security tools must be complemented by a culture of handling data (do not store passport scans in the mail and on the phone).

And we have not even touched on the moral costs. Finally, another important point. Recently, in a stack of old CDs, I found a CD-R labeled briefly: “Distributives”. The disc contained, naturally, installers for useful software: an early version of iTunes for the third iPod, Reget Deluxe, The Bat, and the like. And in a separate folder I found a long-forgotten digitized version of my life up to 2003, which fit into just 300 megabytes. A mail archive. ICQ logs. Photos from a two-megapixel point-and-shoot camera. Documents, PDFs, a couple of albums in MP3.

I looked through the photos, read the terse work correspondence, and finally got to the detailed record of conversations with beautiful ladies, but at that point the hand over my face began to interfere with the viewing. Over the past years the amount of information has grown considerably, and the services for storing and processing it have become more convenient. But there is one nuance. I can delete my “before 2003” history in an instant: it is enough to destroy the disc, of which there is only one copy. The modern digital ecosystem is designed so that we no longer control the distribution of personal information.

Source: https://habr.com/ru/post/246471/

