Where's My iPhone? A Lesson in Incident Response
by Paul Asadoorian - Pauldotcom - Wednesday, 30 January 2008.
Security incidents come in many forms, from attackers breaking into computers, to unauthorized attempts to sniff wireless networks and collect information, to stolen laptops or phones. This example is the last of these: a stolen smartphone.

What follows is the incident response procedure that I followed once I found out my iPhone had been stolen. It's not a comfortable feeling to know that someone else has control over a device containing your information. However, you must remain calm and follow some sort of incident response procedure. Sometimes this is not as easy as it sounds (as you will see below). Once the incident is over, the most important thing you must do is learn from it. Hopefully you can learn from my experience.

Some days are better than others

This all started with one of the things I enjoy most in this world, and that's sushi (in fact Josh just pointed out that I was the one who introduced him to sushi, and now he has an entire site named after this fabulous food!). I was going out to eat with my family and was talking on my iPhone on the way. I pulled into a spot in the parking lot, got out of the car and went into the restaurant where I draped my long trench coat over the chair on the table behind me. After feasting on some sushi ("slammin' salmon" roll was awesome) we paid the bill and I all of a sudden realized I did not have my phone. I searched my pockets, no iPhone. I thought, "well, I must have left it in my coat". I searched my coat, no iPhone. I searched around the table and the table behind us where my coat had been, no iPhone. I then thought, "well, it must be in the car". I searched the car, making everyone get out all while I cursed aloud, and no iPhone. I went back into the restaurant and searched the tables again, no iPhone. The conclusion: someone had stolen my iPhone when I either dropped it getting out of the car or when it fell out of my coat pocket.

Incident response 101: don't panic

So I called my wife in a panic, explaining to her how someone else now has possession of my phone, which not only contained countless pictures of our last vacation and family (mostly pictures of the dog), but also had access to ALL of my email accounts. I was on my way to a family member's house to get a flashlight to do a more thorough search of the car, as I was still in disbelief that someone stole my phone. Human instinct is a funny thing: even though I have training in computer incident response (even worked a few cases of data theft), I was still in great disbelief that someone would actually steal my phone. Another search through the car, guess what, no iPhone. My only saving grace was that I left my home phone number with the restaurant in case the phone magically appeared. On my way home I still thought there would be a chance that they found my phone and called the house to tell me. I got home, no phone call and still no iPhone.

When you can't prevent or detect, react

I picked up my wife's phone as soon as I got home and dialed 611, the number for direct access to AT&T customer service. I waded my way through the options and discovered that I could report the other phone line, and associated phone, lost or stolen right through the menu, after, of course, being prompted for the billing zip code. That's right, the only authentication you need to cancel the other line is the billing zip code. This means you can use anyone's AT&T phone to disconnect the other line on that account, and all you need is access to that phone and the billing zip code (most people put their address on the phone in case it's lost, how ironic). If you are a smart phone thief, you can disable the other line when you steal a phone.

