How private is your Privacy?
2nd April, 2014
Jerric Lyns John
Orion India Systems Pvt. Ltd.


What is privacy?

Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.


Let's go back in time!

1700s – Initial postal mail, opened by the system

1791 – The Bill of Rights: freedom of speech and freedom from unreasonable search and seizure

1800s – Sealed envelopes

1868 – Right to privacy irrespective of race and color

1890s – Govt. tapping telephone networks

1907 – First bugging apparatus – the Dictograph

Let's go back in time!

1934 – FCA Act Section 605: prohibits third-party interception of communication

1950s – Govt. begins public surveillance

1967 – Interception requires a warrant

1989 – WWW service added to the internet

2001 – Authorities allowed to search databases, after 9/11

2004 – Facebook debuts

And recently…

2008 – Surveillance powers of the authorities expanded.

2009 – Bradley Manning leaks classified information to WikiLeaks

2013 – Edward Snowden leaks highly classified intelligence information

- Govt wiretaps

- PRISM – Surveillance program

- Now he’s somewhere in Russia

Edward Snowden

At TED Vancouver

Let's watch him

PRISM

Every bit that passes through American soil was monitored.

80% of internet traffic passes through the USA. It is laid down in their rules that they can observe any data that passes through American soil.

Because 80% of the services are American. Tell me one service that you prominently use that is not American?

The top US companies are the forerunners in machine learning, so it's completely normal to be paranoid!

How safe is your data?

Now that you know about the revelations, I'm changing the question.

Adam L. Penenberg

A journalism professor at New York University. Writes for:

- Pando Daily

- New York Times

- Forbes

- Fast Company

- The Economist

PandoDaily, 26th October, 2013: “I challenged hackers to investigate me and what they found out is chilling” – Adam L. Penenberg

The hacker was... Nicholas Percoco

Nicholas Percoco

Director at KPMG

Earlier: VP of SpiderLabs

Adam L.P.

It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.

I’m being hacked — and only have myself to blame.

Excerpts from the article.

Two months before the hack, he signed a contract with Nicholas.

Over the years he has performed hundreds of pen-tests and physical break-ins, slipping into hospitals, insurance companies, manufacturers, magazine and newspaper companies, power companies, and many more.

But these were on-site intrusions; Adam didn't want an on-site intrusion.

A personal “pen-test” contract

Rules

Percoco would leave Adam's kids out of the pen-test

Adam shouldn't sue Percoco

Made with Trustwave lawyers

The Team

Nicholas Percoco – VP

Garret Picchioni – Security Analyst

Josh Grunzweig – Digital Forensic Specialist

Matthew Jakubowski (Jaku) – Hacker

Jaku – majored in “Sandwich Engineering” and minored in “Witch Hunting” at “College University.” – LinkedIn

SpiderLabs

Planning

From the confidential report after the hack

This is the initial rough plan

Plan failures

The real-world scenario for an individual is different from that of a corporation.

I mean, break into one's house? Obviously he had been working on-site for so long that he got this idea!

Wi-Fi Hack

These are just the public Wi-Fi hotspots.

Nicholas found 1200 spots within a tenth of a mile of the brownstone in Brooklyn Heights.

Adam used a Mac, so they were able to narrow it down.

Legal limitations made this a failure.

Pilates Studio

His wife was the next vulnerable point of contact.

A female friend of Jaku, the hacker, signed up for a Pilates group class at the wife's studio.

Used a flash drive to print a “resume”.

But the remote backdoor installation was too good for the old Mac

Brooklyn Heights

The brownstone is too good a place to be sniffing around.

They had to drop plans since neighbors started to notice!

Post and reply

Adam posted an article to get an instant reply.

“We really wanted to get into your basement” – Twitter

Apparently the reply was from Jaku’s friend

Phish Attack - 1

To Adam

Obviously he didn't open it, because of the .jar attachment.

Phish Attack - 2

To “the wife”

Obviously she seldom reads her mail.

Phish Attack - 3

They resent the mail.

Obviously, when she reads the mail, she opens the attachment.

But the code had a bug, so it didn't work.

“The attachment didn’t work” –replied the wife

Success! Phish Attack - 4

The newly updated OS X malware, coded by another member of the team, digital forensics specialist Josh Grunzweig, was dropped onto her machine.

They now had full access to her computer.

Got hold of W2s – SSN, credit card, bank A/C, income, etc.

Password

They got the router password.

Chase Bank account password (used her cookies to avoid triggering 2-step verification).

Now I hope you are getting cramps!

• Secure Socket Layer (SSL)

• Chase Dual ControlSM.

• Positive Pay Service and Reverse Positive Pay Service

Password + Forensics

They were able to work out more of his passwords, which were somehow similar and followed a pattern.

Humans do this, and forensics knows that!

- Amazon

- Twitter

- Facebook

iCloud - Hacked

Adam was an Apple fanboy.

SpiderLabs reported Adam's iPhone and Mac as lost.

So, coming back to that slide

Adam L.P.

It’s my first class of the semester at New York University. I’m discussing the evils of plagiarism and falsifying sources with 11 graduate journalism students when, without warning, my computer freezes. I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I’ll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly.

I’m being hacked — and only have myself to blame.

Excerpts from the article.

How “safe” are you? Privacy revisited.

Heartbleed Bug

8 April 2014

OpenSSL – Heartbleed leaks data during an active TLS connection – 64KB

Although we can't call this an infiltration, this is significant.

Who do we hold accountable? Well, this is rectified and updated, but it dates back about 2 years.

“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication” – heartbleed.com

“if you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle.”–torproject.org
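The defect behind the 64KB leak is a missing bounds check: a heartbeat request carries a two-byte payload length, and the pre-fix code copied that many bytes back whether or not they had been received. The simulation below is an added example (not OpenSSL code or anything from the slides); it models process memory as a constructed byte string and contrasts the unchecked handler with the checked one.

```python
import struct
from typing import Optional

# Constructed simulation of the Heartbleed defect. A TLS heartbeat request
# carries a 2-byte payload length, so a peer can claim up to 65535 bytes
# (~64KB) while actually sending only a few. Pre-fix OpenSSL copied the
# claimed length back, returning whatever lay next to the request in memory.

# Constructed "neighbouring memory": data that must never reach the peer.
SECRET_NEIGHBOUR = b"session-cookie=abc123; private-key-fragment"
PADDING = 16  # heartbeat messages end with at least 16 padding bytes


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Layout: type(1) | payload_length(2) | payload | padding(16)."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Pre-fix behaviour: trust the length field and copy that many bytes,
    even past the end of the record that actually arrived."""
    _, payload_length = struct.unpack("!BH", memory[:3])
    return memory[3:3 + payload_length]


def heartbeat_fixed(memory: bytes, record_length: int) -> Optional[bytes]:
    """The fix: drop any request whose claimed payload does not fit inside
    the received record (1 type byte + 2 length bytes + payload + padding)."""
    if record_length < 1 + 2 + PADDING:
        return None
    _, payload_length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_length + PADDING > record_length:
        return None
    return memory[3:3 + payload_length]


def demo():
    """Return (what the vulnerable handler leaks, what the fixed one returns)
    for a request that claims 60 bytes but carries only b'ping'."""
    malformed = build_heartbeat(b"ping", claimed_length=60)
    memory = malformed + SECRET_NEIGHBOUR  # request followed by other data
    return (heartbeat_vulnerable(memory, len(malformed)),
            heartbeat_fixed(memory, len(malformed)))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler returned:", safe)
```

The vulnerable handler hands back the cookie and key fragment that follow the request; the fixed handler returns None and answers only honest requests.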

RSA

December 2013

$10 million NSA-RSA deal

Used a random number generator with a skeleton key; this was certified by the National Institute of Standards and Technology (NIST).

Who do we hold accountable?

“RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm” – WIRED.com

Laptop bug

December 2013

Implant bugs on laptops/accessories purchased online

It's a USB "hardware implant" that secretly provides the NSA with remote access to the compromised machine.

Who do we hold accountable?

“NSA, in collaboration with the CIA and FBI, routinely and secretly intercepts shipping deliveries”

“It appears the NSA also incorporates routers and servers from non-NSA networks into its covert network by infecting these networks with "implants" that then allow the government hackers to control the computers remotely”– spiegel.de

It goes on!

What do we do then?

Let's do Radio-Technico

Zetas Drug Cartel: $90 million in cash, 61 tons of narcotics, and "enough weapons to equip an insurgency," Mexico via TX

Methods

The rest of the methods are nasty!

This is EPIC!

Take Control

It's time our governments came together and addressed this as a humanitarian issue; it must be redressed.

Security against terrorism shouldn't hold our privacy at stake.

The world is changing; let's all hope for good!

If that doesn't happen, then it's time we become the “anon” of this situation.

Let's not say it!

We are anonymous

We are legion

We do not forgive

We do not forget

Expect Us

- If we should be paranoid about the government, then they should fear us!

This work by Jerric Lyns John is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.