Latest news
Where's My iPhone? A Lesson in Incident Response
by Paul Asadoorian - Pauldotcom - Wednesday, 30 January 2008.
Incident response 101: don't panic
So I called my wife in a panic, explaining to her how someone else now has possession of my phone, which not only contained countless pictures of our last vacation and family (mostly pictures of the dog), but also had access to ALL of my email accounts. I was on my way to a family members house to get a flashlight to do a more thorough search of the car, as I was still in disbelief that someone stole my phone. Human instinct is a funny thing, even though I have training in computer incident response (even worked a few cases of data theft) I was still in great disbelief that someone would actually steal my phone. Another search through the car, guess what no iPhone. My only saving grace was that I left my home phone number with the restaurant in case the phone magically appeared. On my way home I still thought there would be a chance that they found my phone and called the house to tell me. I got home, no phone call and still no iPhone.
When you can't prevent or detect, react
I picked up my wife's phone as soon as I got home and dialed 611, the number for direct access to AT&T customer service. I waded my way through the options and discovered that I could report the other phone line, and associated phone, lost or stolen right through the menu, after of course being prompted for the billing zip code. Thats right, the only authentication you need to cancel the other line is the billing zip code. This means you can use anyone's AT&T phone to disconnect the other line on that account, and all you need is access to that phone and the billing zip code (most people put their address on the phone in case its lost, how ironic). If you are a smart phone thief, you can disable the other line when you steal a phone.
My iPhone had access to all of my email via passwords stored on the phone itself. My first step was to change all of my email passwords immediately. Once that was done I also changed the pin number to my voicemail. There was nothing sensitive in my email lately (i.e. a password emailed from a credit card or bank account), but I wanted to be certain that no one used the phone to check my email. I checked the email logs on one of the email servers I controlled and it showed that no one had used it to access my email. I started feeling a little better. Calls to the phone were going directly to voicemail while the phone was missing, and my guess is that the thief turned the phone off and removed the SIM card, or the battery died. In either case I wanted to be certain there we no calls made from the phone, so we activated our account online with AT&T and checked the call logs, which showed calls to my voicemail (which was normal as my voicemail forwards to YouMail, which is a great service). Now I feel slightly better, and my wife, as always, puts things in perspective and points out that it was not my car or laptop that was stolen, and that no one was hurt (however, the thought of having the opportunity to defend my iPhone appealed to me, if ever so briefly).
I did call the police, who weren't much help and told me that I need to go back to the scene of the crime or come to the station to file a report. Since the damage was done, I did not follow through with a police report. However, had I not been in such disbelief, I would have most likely called the police on the spot.
Lessons learned
I try to look at all incidents, especially ones that have financial impact, as a learning experience. What could I have done better? Also, what can I do better/different in the future to have a positive impact on the outcome? Below is a list that I hope we can all learn from:
So I called my wife in a panic, explaining to her how someone else now has possession of my phone, which not only contained countless pictures of our last vacation and family (mostly pictures of the dog), but also had access to ALL of my email accounts. I was on my way to a family members house to get a flashlight to do a more thorough search of the car, as I was still in disbelief that someone stole my phone. Human instinct is a funny thing, even though I have training in computer incident response (even worked a few cases of data theft) I was still in great disbelief that someone would actually steal my phone. Another search through the car, guess what no iPhone. My only saving grace was that I left my home phone number with the restaurant in case the phone magically appeared. On my way home I still thought there would be a chance that they found my phone and called the house to tell me. I got home, no phone call and still no iPhone.
When you can't prevent or detect, react
I picked up my wife's phone as soon as I got home and dialed 611, the number for direct access to AT&T customer service. I waded my way through the options and discovered that I could report the other phone line, and associated phone, lost or stolen right through the menu, after of course being prompted for the billing zip code. Thats right, the only authentication you need to cancel the other line is the billing zip code. This means you can use anyone's AT&T phone to disconnect the other line on that account, and all you need is access to that phone and the billing zip code (most people put their address on the phone in case its lost, how ironic). If you are a smart phone thief, you can disable the other line when you steal a phone.
My iPhone had access to all of my email via passwords stored on the phone itself. My first step was to change all of my email passwords immediately. Once that was done I also changed the pin number to my voicemail. There was nothing sensitive in my email lately (i.e. a password emailed from a credit card or bank account), but I wanted to be certain that no one used the phone to check my email. I checked the email logs on one of the email servers I controlled and it showed that no one had used it to access my email. I started feeling a little better. Calls to the phone were going directly to voicemail while the phone was missing, and my guess is that the thief turned the phone off and removed the SIM card, or the battery died. In either case I wanted to be certain there we no calls made from the phone, so we activated our account online with AT&T and checked the call logs, which showed calls to my voicemail (which was normal as my voicemail forwards to YouMail, which is a great service). Now I feel slightly better, and my wife, as always, puts things in perspective and points out that it was not my car or laptop that was stolen, and that no one was hurt (however, the thought of having the opportunity to defend my iPhone appealed to me, if ever so briefly).
I did call the police, who weren't much help and told me that I need to go back to the scene of the crime or come to the station to file a report. Since the damage was done, I did not follow through with a police report. However, had I not been in such disbelief, I would have most likely called the police on the spot.
Lessons learned
I try to look at all incidents, especially ones that have financial impact, as a learning experience. What could I have done better? Also, what can I do better/different in the future to have a positive impact on the outcome? Below is a list that I hope we can all learn from:
Spotlight
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
Application vulnerabilities still a top security concern
Posted on 16 May 2013. | Respondents to a new (ISC)2 study identified application vulnerabilities as their top security concern. A significant gap persists between software developers’ priorities and security professionals’ concerns.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Hacking charge stations for electric cars
Posted on 15 May 2013. | Ofer Shezaf talks about what charge stations really are, why they have to be ‘smart’ and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
