Wired Writer Hack Shows Need For Tighter Cloud Security
Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target."
Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.
Have gnu, will travel.
we need a tighter way to detect reposts
did you forget to take your meds?
When I try to turn on two-factor authentication at Google, it gives me a screen that asks me for a phone number, and doesn't seem to have a way to bypass this. I'd rather not give them my phone number.
Their help pages say that you don't have to use SMS-based authentication. Apparently there is a setting, once two-factor authentication is enabled, to switch from receiving the codes via SMS, and instead either write down a batch of 10 "backup codes" at a time, or else install the Google Authenticator app, initialize it with a key, and then use it to generate time-synchronized codes thereafter. Either of these solutions is fine with me. But how do I enable them without having to give Google my phone number on the initial screen?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I'm sure there are people out there who are saying 'ooooh hacker skills', in that somebody managed to hack this guy's mail account (or snag his password). Bunch of amateur script kiddies who'd otherwise be huffing hair spray and smashing up bus shelters.
hackers grab his info from whois because he has a personal site from blogging
they use that to hack his amazon account
and then use the info from amazon to hack icloud
if he had just used wordpress or blogger or some other cloud service this hack would have been A LOT harder. it's 2012, no need to reinvent the wheel by setting up your own server for email, web site photo sharing or the 20 other things that da cloud has made easier and more secure. he just wanted to be uber tech cool and show off how he can run his own site and waste time managing it instead of letting someone else do it
What we need, good sirs, is more security. We need three-factor authentication with biometric neural iris chips. We need 35 alphanumeric passwords with symbols and special characters, and voice authentication.
Furthermore, we need to make sure the information is encrypted, using an even more sophisticated method.
To combat the increasing risk of identity theft, hacking, global warming and obesity we have launched iSuperSecureCloud Protection Plus.
Trust us, THIS TIME IT'S SAFE!
Nothing ever changes in the eternal wheel of IT.
You as a customer are never worth more than the cost of sales of replacing you.
So it has always been in all previous IT fads, so it shall forever be in all future IT fads.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.
Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).
Get KeePass and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
Wow, didn't even realize iCloud had the ability to remote wipe my computer.
Currently turning OFF this feature!
music lover since 1969
It was Apple that coughed up his credentials to the attackers. If Apple hadn't done that, there wouldn't be a problem.
There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.
if you put something valuable on mainframes at other companies (ie the new marketing buzzword "the cloud") then you are accepting the risk. Not worth it IMHO.
Seriously, why is everyone screaming security when it was not a hack but a social engineering entry? And why cry for an idiot who had NO personal backups of his own data? He's an idiot.
When a password reset is requested, a new password is sent to your email address. So, if a hacker gains access to your primary email account, then he has access to ALL of your accounts. (In fact, since email isn't encrypted, he only has to be able to intercept the password-reset message somewhere in transit.)
Email is the weakest link on the internet.
My current theory on cyber security is to put all of my eggs in a few baskets rather than spreading them out. My primary email accounts are operated by Google, with Google Authenticator providing two-factor security. I have LastPass providing complex and unique passwords for every website out there, and again, I have Google Authenticator providing two-factor security for that as well. Because LastPass has essentially scrambled all of my logins, I cannot access any website--including the email--without LastPass and two-factor security. All of my pictures and docs are backed up using CrashPlan with client-side encryption, with the key stored on LastPass. This set up seems smarter than spreading everything thinly.
A NYC lawyer blogs. http://www.chuangblog.com/
So, the Apple intrusion would not have happened if Amazon had not facilitated the recovery of this guy's credit card details.
If Amazon had not allowed the addition of a credit card number OVER THE PHONE and had not reset the password OVER THE PHONE all would have been ok.
Both Apple and Amazon should have required email confirmation before resetting passwords.
This is just run of the mill human fail in multiple ways, by multiple people, who should know better. Yawn, it is not surprising or spectacular.
Cloud services are some of what he was using that was chained together that made it easier for the hacker, but it didn't fail, in fact, it worked spankingly good! Took out all his Apple with one account, I call that working great... What did fail was the dude not having his digital pics on his laptop backed up.
there's no security either!! But we've all known this for a very long time, now haven't we??? And you're going to entrust your personal data to "the cloud"???
The attacker can just turn it on again.
Why is this modded insightful? You can't "just turn on" remote wipe, er, remotely. You have to enable it on the machine first, and you need an administrator account to enable it on the machine.
Thanks for warning everyone else to not be such a dumbass and include easy ways for an attacker to tip over your entire security posture. Yes, enable two-factor, yes, backup, we get it, you didn't do this and now you're screwed. Why is this Apple's or Amazon's fault? If you're in a position to write a blog that gets significant attention across the web, secure your shit.
People created banks.
Banks created currency - a way for people to buy things without having to lug around a sack of whatever they grew.
Economies grew. Production economies became consumer economies because there was just so much stuff to buy.
Consumer economies circulate currency faster than banks can easily count it. Banks then want an easily calculable currency.
Computers are made to calculate. Banks created a system where currency became computer code.
People still wanted banks to act like banks. They want their money to be visible. The only way to make digital money visible was to give people access to the computers and the easiest way for banks to grant access was through the internet. Q.E.D.
Here's an interesting fact: the Internet is NOT the only way banks could have provided access to their computers, it's just the easiest. Creating a secure banking protocol and connecting it up to the internet through a proprietary VPN connection would be much safer but probably much more expensive, and we all know how banks are about money.
2-step authentication from Google still requires a cell phone. For anyone who does not own a cell phone (such as myself), it is a major hurdle to upgrading the security on my account.
It is a shame google does not sell SecurID or similar key fobs for those who want security, but don't have a cell phone.
It doesn't surprise me in the least that clouds are not secure. I mean, they are fluffy white things in the sky made mostly from water vapour. How can something like that be secure! Though they are somewhat intangible, and pretty hard to reach without some sort of assistance from earth. But hell, birds can access them, birds! Do you think anything that birds can access is really secure?
Birds, the sky hackers!
Also Apple tech support sucks (believe me, I used to know some), and don't use the same password for everything...
Well I'm off, gotta go change my Apple passwords, see ya! :)
NOTE, if you RTFA Apple used the last four digits of a credit card as a verification and Amazon makes those digits available as plain text. There was no "hacking" just a con game of stolen identity. The only reason this is "news" is because Apple was the real target, not the "journalist."
how did the Apple tech know the user's password in the first place? That would imply they don't hash Apple ID passwds, and so were able to hand it over rather than generate a random one and email it to him. Which would have prevented the issue, period. Sure, they may have told the hacker the new passwd over the phone, but then, at least, it wouldn't have allowed access to gmail and twitter. Or any other account using the same credentials.
The real concern here is not iCloud security, but the underlying practice that apple uses for account security and the storage of user credentials.
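Two posts in this thread raise the same design question from different angles: the one above argues that a provider should never be able to read or hand over a stored password, and an earlier one points out that a reset message travelling over email is the weak link, since whoever intercepts it owns every account chained to that address. The following is an added example, not the thread's or any provider's code, of the minimal server-side design both posts imply: credentials stored only as salted PBKDF2-HMAC hashes, and password resets done with a random, short-lived, single-use token whose hash alone is stored, so a support agent has nothing readable to disclose and an intercepted reset message is worthless after one use or after the TTL. Usernames, the iteration count and the 15-minute TTL are constructed values for the example.

```python
# Added example (not from the thread): salted password hashing plus hashed,
# expiring, single-use reset tokens.  No plaintext credential is ever stored.
import hashlib
import hmac
import os
import secrets


class AccountStore:
    """In-memory stand-in for a provider's user database (constructed for the example)."""

    ITERATIONS = 200_000  # PBKDF2 work factor; tune to your hardware budget

    def __init__(self):
        self._users = {}         # username -> (salt, pbkdf2 hash)
        self._reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)

    @classmethod
    def _hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def create(self, username: str, password: str) -> None:
        """Store only a fresh salt and the derived hash; the password itself is discarded."""
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def issue_reset_token(self, username: str, now: int, ttl: int = 900) -> str:
        """Return a random token for delivery over the registered channel.
        The store keeps only its hash, so a database leak does not leak usable tokens."""
        if username not in self._users:
            raise KeyError("unknown user")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._reset_tokens[digest] = (username, now + ttl)
        return token

    def redeem_reset_token(self, token: str, new_password: str, now: int) -> bool:
        """Single use: the hash is removed on first presentation, valid or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._reset_tokens.pop(digest, None)
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.create(username, new_password)  # new salt, new hash
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("example_user", "correct horse battery staple")
    tok = store.issue_reset_token("example_user", now=1_000)
    print("token to send:", tok)
    print("redeemed:", store.redeem_reset_token(tok, "new passphrase", now=1_100))
    print("replay:", store.redeem_reset_token(tok, "attacker choice", now=1_200))
```

Note what a phone call to support can and cannot achieve against this design: an agent can trigger `issue_reset_token`, but the token goes to the registered address and nothing in the store reveals the old password or lets the agent read the token back after it is issued.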
The people with the excuses on why the cloud isn't at fault, how it's always the fault of the users.
Cloudbois?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
it's true. on my android I can't expand the comments.
He writes for Gizmodo.
I asked him why. Was I targeted specifically? Was this just to get to Gizmodo’s Twitter account? No, Phobia said they hadn’t even been aware that my account was linked to Gizmodo’s, that the Gizmodo linkage was just gravy. He said the hack was simply a grab for my three-character Twitter handle. That’s all they wanted. They just wanted to take it, and fuck shit up, and watch it burn. It wasn’t personal.