My personal Sony Hack

    The hack of Sony Pictures Entertainment will be remembered for a long time, not so much for the complexity of the attack as for the amount of leaked data. "They took it all, even peeled off the wallpaper." As often happens with high-profile attacks, we will never know all the details, but it is already clear that copies of films, passwords, social security data, and archives of top managers' correspondence could be stolen for one reason only: they were poorly guarded. Learning from the experience of SPE is not easy: an antivirus as a safety net will not be enough here, the whole system has to change. Hence the attitude: "well, it's clear why they got hacked, but maybe it will pass us by."

    It will not. The price tag for targeted attacks is falling faster than the ruble exchange rate: if in 2011 only a state could afford one, now the cost has dropped to the level of a small business. Maybe it will be more convincing to make it personal? If you try the "they stole everything" scenario on yourself, you will first think of secret work documents, and second, of spicy correspondence on Skype. The only problem is that this is not all, and criminals may well use completely different information first. A productive conversation with a company owner about protection methods can begin with an analysis of what information can be stolen from them personally and how it can be used. I tried to work this out using myself as the example.

    What are the ground rules? We analyze everything that is password-protected and everything stored on hard drives and flash drives. We do not touch public data: Facebook posts, tweets and other Instagram-style posts (assuming that content on social networks is published only publicly, and that private messages and posts with limited access are used extremely rarely). Just in case, I will add the necessary disclaimer: everything shown below is fiction, it has no relation to reality, and if it does, it has been changed beyond recognition. I also did not touch work mail or access to the corporate network: firstly, it is very difficult to disclose anything about them publicly, and secondly, their level of protection is incomparably higher. Thirdly, as I will show later, it is not necessary to break into the corporate network in order to obtain work documents.

    Let's go. Mail
    A wealth of private information. My personal mail on GMail has existed since 2003 and contains a lot of interesting information. We look carefully at the list of recent messages and immediately see an electronic ticket for the next business trip. We enter the ticket number on the airline’s website and get the opportunity to cancel the reservation: without entering any other data, I can be put in a very stupid position at the airport on the day of departure.

    But that is just a warm-up. Over 11 years of digital life, hundreds of messages confirming registration on various sites and forums have accumulated in the mail. In some of them the password is given in plain text, and if I use the same one everywhere (I actually don't), then I have problems. Obviously, mail lets you reset the password to almost any service registered to it, from Facebook to Skype.

    Let's look at the last few hundred messages. A detailed invoice from my mobile operator: it may not be recent, but it is a detailed list of the phone numbers I called and the numbers that called me. A passport number from a ticket reservation. Home and work addresses from online store messages. Date of birth in an electronic insurance policy. A scan of the passport itself is there too: sent to someone for some reason. And of the driver's license. And of the civil passport. And of the data sheet for the car. Domains and VPSes registered to me. To top it off: serial numbers of purchased software and even a couple of pictures of licensed Windows stickers from personal laptops.

    And this was only the first thousand messages from the last six months; in total, the archive holds more than 15,000 messages. Google's two-factor authentication provides very decent protection for all this data, provided that you use it. But if you dig further, you can "suddenly" find a copy of the mail correspondence on two other services that are not so well protected (and the password there is old and simple). It was set up once and forgotten. But it still works.

    Oh yes, when I was away, my wife asked me to write her the (very complicated, of course) password for the home WiFi. It is difficult to find the message with the password in the archive (I found it myself only because I know the password). But it is there.

    From the same mail it is easy to find out which bank issued my card and whether I use its online banking: the confirmation messages for transactions give it away. No, you won't be able to steal money from me right away: you need to know the CVC code and steal the phone that receives the VISA 3-D Secure request. But wait, there is also the option to enter a reusable password instead of having a one-time code sent. Have I used that password anywhere else? Quite possibly. Is there a credit card number in the mail or somewhere else? Fortunately not. So all is well?

    No. The credit card is linked to at least two services where no confirmation is asked for at all: PayPal and Amazon. To transfer money anywhere in the first case, and to buy goods at my expense in the second, it is enough to know the password to the service.

    The card is also linked to my mobile operator account, which makes it possible to withdraw money through the operator's customer portal. Here, however, physical access to the phone or SIM card may be needed. This topic is more complex, but having a copy of the passport simplifies it, at least in theory.

    But what is really worth talking about is access to iCloud and the Google account. We all know what happens when iCloud is hacked. Not everyone knows that these services provide access to more than the application store. And those who do know that a lot of data is stored "in the cloud" often underestimate the threat. Let's look at some examples.

    Photos. No, photographs of cats and a collection of animated hypnotes are not so interesting. What is interesting is the habit of using the phone's camera as a notebook. And what is in there? Well, if the passport scan was not stolen from my mail, a copy is carefully stored in the phone (along with a couple of relatives' passports: it is so simple, you don't have to copy out the numbers, just take a picture of the document!). There are also photos of slides from various presentations, some of them not entirely public. If you, like me, like to draw on a whiteboard with a marker during negotiations and then photograph the world-conquest diagrams as a keepsake, then you have one more problem.

    This example shows well how difficult it is today to draw a line between work and personal life. I do not conduct business correspondence in my personal mail, and I do not forward secret documents to myself for safekeeping. But thanks to a smartphone, a camera and a cloud service, commercial information keeps finding its way into personal space. It is good that iCloud now has two-factor authentication. It is bad that Dropbox, for instance, very persistently offers during installation to send all photos to its storage as well. It also has two-factor authentication. Did you remember to turn it on?

    My second smartphone runs Android. Google kindly lets you view your movements for any given day and year. It will also show the GPS track to someone else if the account is not secure enough. This can be a memorable track from a trip to the island of Tenerife, or quite routine but more dangerous data about your movements from home to work. If someone hacks my Google account, they will get access to both mail and geotags, and therefore will obtain my home address from two sources at once. I already said that the WiFi password is somewhere in the mail too. I have a very good router, and the signal is easily picked up from the street. Well, you understand what I'm getting at.

    Computer
    Compared to the wealth of personal data on network services, my laptop is all peace and quiet. There is more data (music, video, non-critical photos from trips), but the danger is lower. This is because work and personal life are separated at the hardware level, and a separate machine with a much higher degree of protection is used for business. In a more typical case, there would probably be a mass of business information in the Documents folder, a copy of the work correspondence in Outlook, and all negotiations in Skype.

    The problem is that in this hypothetical attack, the laptop is most likely the entry point. It is through the laptop that access to all the data mentioned above will be obtained: through a message with an infected attachment, malicious code on a site or something similar.

    So, a simple look at my personal data from a certain angle showed that:
    • In the event of a hack, the attacker gains access to a huge array of personal information.
    • This information is duplicated many times across both devices and network services. It is enough to pick the most vulnerable one.
    • A hacked mailbox is likely to compromise all network accounts.
    • There is a high risk of theft from the credit card through the services it is linked to.
    • Even if, as a matter of principle, work documents are not stored on personal devices, corporate information is still at risk.
    • Protecting any important data is a comprehensive undertaking that requires considerable effort, since the third-party services that store this information do not always provide adequate protection.
    • Protection tools should be complemented by a culture of working with data (we do not store passport scans in mail and on the phone).
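
    One way to repeat this inventory on your own mailbox export, as an added example that is not part of the original post: the category names and regular expressions are illustrative assumptions, and the four messages are constructed samples.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
# Illustrative patterns (assumptions) for the kinds of mail the article lists.
BODY_RULES = {
    "plaintext_password": re.compile(r"(?i)\bpassword\s*(?:is|:|=)\s*\S+"),
    "travel_booking": re.compile(r"(?i)\b(?:e-?ticket|booking reference)\b"),
    "account_registration": re.compile(r"(?i)\bconfirm(?:ing)? your registration\b"),
}
SCAN_NAME = re.compile(r"(?i)(?:passport|scan|insurance|licen[cs]e).*\.(?:pdf|jpe?g|png)$")

def audit_message(msg) -> set:
    """Return the exposure categories found in one parsed message."""
    found = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # attachment: judged by file name only, the content is not opened
            if SCAN_NAME.search(name):
                found.add("document_scan")
        elif part.get_content_type() == "text/plain":
            found.update(c for c, rx in BODY_RULES.items() if rx.search(part.get_content()))
    return found

def audit_mailbox(raw_messages) -> dict:
    """Map each category to the subjects of the messages that triggered it."""
    report = {}
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        for category in audit_message(msg):
            report.setdefault(category, []).append(str(msg["Subject"]))
    return report

def _sample(subject, body, attachment=None):  # builds constructed demo mail, not real mail
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="image", subtype="jpeg", filename=attachment)
    return bytes(m)

SAMPLE_MAILBOX = [
    _sample("Welcome to the forum", "Thanks for confirming your registration.\nYour password: example-Pa55"),
    _sample("Your trip", "E-ticket attached. Booking reference ABC123."),
    _sample("Docs as requested", "See attachment.", attachment="passport_scan.jpg"),
    _sample("Lunch?", "Are you free at noon?"),
]

print(sorted(audit_mailbox(SAMPLE_MAILBOX).items()))
```

    For a real export in mbox format, the standard-library `mailbox.mbox(path)` yields messages whose `as_bytes()` output can be passed to `audit_mailbox` in place of the sample list.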

    And we have not even touched on the moral costs. Finally, another important point. Recently, in a stack of old discs, I found a CD-R briefly labeled "Distributives". The disc contained, naturally, installers of useful software: an early version of iTunes for the third iPod, Reget Deluxe, The Bat and the like. And in a separate folder I found a long-forgotten digitized version of my life up to 2003, which fit into only 300 megabytes. Mail archive. ICQ logs. Photos from a two-megapixel point-and-shoot camera. Documents, PDFs, a couple of albums in mp3.

    I looked at the photos, read the terse work correspondence, and finally got to the detailed records of conversations with beautiful ladies, at which point the hand on my face began to interfere with the viewing. Over the years since then, there has come to be much more information, and the services for storing and processing it have become more convenient. But there is one caveat. I can delete my "before 2003" history in one go: it is enough to destroy the disc, since it holds the only copy. The modern digital ecosystem is designed so that we no longer control the distribution of our personal information.
