Presented at DEF CON 27 (2019), Aug. 10, 2019, 10:15 p.m. (45 minutes).
In December 2018 INSINIA Security was involved in one of the biggest hacking stories of the year. A number of "celebrities", including Louis Theroux, Eamonn Holmes and more, logged into their Twitter accounts just after Christmas to find a Tweet, from their account, saying:
"This account has been temporarily hijacked by INSINIA SECURITY".
The tweet immediately directed people to our blog post, and the compromised accounts retweeted INSINIA's Tweet, saying:
"This account is now under the control of @InsiniaSRT. Luckily, this has been H4CK3D to highlight an important vulnerability. The user of this account has NOT lost access to it, no data compromised and is NOT under attack. See how it was done…".
What we did was simple. We used spoof texts to Tweet from these accounts. We NEVER had access to these accounts. We could never read DMs. We simply passively controlled these accounts with no opportunity of getting confidential data in return.
So what did the hacking community, journalists and commentators do?! They LOST THEIR SH*T OVER IT!
"It's unethical." "It's a crime." "Computer Misuse Act counts for security researchers too!" "You guys are total f*cking idiots!"
These are the types of things we'd heard from our peers. But why was the backlash so bad? In this talk, INSINIA explains why it was done, how it was done, how people reacted and how research can be released quickly and responsibly… Without always getting the warm reception you might expect!
Presenters:
- Mike Godfrey, Penetration Tester, INSINIA Security
Mike Godfrey, Director of INSINIA Security, started life as a "hacker" before he had hit his teens. He has a professional background in Electro-technical / Electro-mechanical Engineering and almost 20 years' experience in building and breaking computers.
Mike offers a unique perspective when it comes to varied and multi-vector attacks and is regarded as one of the UK's most capable multi-skilled Cyber Security Specialists. He gained notoriety in the Cyber Security industry for combining elements of different skills, on both hard and soft surfaces, to carry out highly technical and often highly intricate electronic attacks. One such attack was hacking Costco's high security Sentry display safe with nothing more than a magnet and a sock! This research was utilised and referenced by @Plor in his talk at DEF CON 25, "Popping a Smart Gun". Mike has also been lucky enough to become a DEF CON speaker in 2018, one of the proudest moments of his life!
Mike works as a Cyber Security contributor for the BBC, LBC, Channel 4 and was the Ethical Hacker who discovered the TalkTalk and O2 data breach stories.
Twitter: @MikeGHacks
- Matthew Carr, Penetration Tester, INSINIA Security
Matthew's previous roles include Senior Penetration Tester and Researcher at SecureLink, Europe's largest managed security services provider, and Operational Security Specialist at Ikea, overseeing worldwide Operational Security as part of a Specialist Team.
Matthew regularly speaks at industry events and lectures offensive security at Malmö's Technology University in Sweden.
Matthew spent over 3 years as part of an R&D team building intrusion detection software, a secure cloud platform, SIEM tools and other security software. He is not only a competent red teamer but also a valuable asset to any blue team.
Matthew works as a Cyber Security contributor for the Telegraph, Talk Radio and SVT.
Twitter: @sekuryti