Slashdot Mirror


Wired Writer Hack Shows Need For Tighter Cloud Security

Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target." Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.

36 of 132 comments

  1. So much for ... by PPH · · Score: 5, Insightful

    ... single log on across the 'Net.

    --
    Have gnu, will travel.
    1. Re:So much for ... by Hatta · · Score: 2

      Single sign on vs multiple sign on is irrelevant when the attacker gets control of your main PC where all your credentials are.

      --
      Give me Classic Slashdot or give me death!
    2. Re:So much for ... by sexconker · · Score: 3, Interesting

      Single sign on vs multiple sign on is irrelevant when the attacker gets control of your main PC where all your credentials are.

      No one got control over his PC in this case.
      And why would anyone store credentials on their PC?

    3. Re:So much for ... by icebike · · Score: 2, Insightful

      Exactly.

      As anyone who has been following this story from the beginning knows no real hacking took place, no encryption was broken, no keys
      were stolen. The man used the same password for all his logins, and the "hacker" simply talked Apple support into handing over
      access to his account, and once one password was known, the hacker could log in everywhere.

      What amazes me is how many people posted on the original thread here on slashdot their utter disbelief about how this happened, apparently astounded that Apple would do such a thing. Yet Social Engineering is one of the primary methods of spectacular security breaches.

      Still one has to ask, why this guy was chosen as a target. I suspect the attacker had just that little piece of inside knowledge that gave him just enough to nudge the Apple tech over the brink.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:So much for ... by Hatta · · Score: 2

      How would SSH agent help here?

      People use the same credentials on multiple web sites for convenience. Something like SSH agent could provide the same convenience, while allowing people to have different keys for different systems AND keeping all those keys in one secure place.

      --
      Give me Classic Slashdot or give me death!
    5. Re:So much for ... by tchuladdiass · · Score: 4, Interesting

      For those that don't know how ssh-agent works:
      You have two parts to your key, one part encrypts only (public key) and the other part decrypts only (private key). The remote server sends a random message encrypted with the public key; that message is sent to the ssh-agent program, which decrypts the message with your private key which it has in memory. This decrypted message is sent back to the remote server -- if it matches what it randomly generated, it knows that you are in possession of the private half of the key and lets you in. The secure part is that your private key is never sent over the wire, and never leaves the memory of the ssh-agent program (unlike a regular password).

      Now one thing I've done in the past to make this more secure (when I carried a Nokia N900 linux-based phone) is I ran the agent on my phone only, and forwarded the connection to my PC via Bluetooth. I had it set up so that it would auto pair with PCs that I trusted (and play a particular sound on the phone during pairing and key usage), and require an accept button on the phone for other machines. I've been meaning to pick up Android programming so that I could port this over to my current phone. Oh, and when the agent program gets started on the phone, it requires a symmetric decryption key (protects it if the phone is stolen). Probably security overkill, but in my case I used it more for convenience than anything else.

  2. But first.. by js3 · · Score: 5, Insightful

    we need a tighter way to detect reposts

    --
    did you forget to take your meds?
    1. Re:But first.. by paiute · · Score: 2

      What? The previous article was about Gizmodo editor Matt Honans. This is about Wired writer Mat Honan. Obviously two completely different people.

      He's not fooling anyone.

      --
      If Slashdot were chemistry it would look like this:Cadaverine
  3. is there a way to turn it on without a phone #? by Trepidity · · Score: 2, Informative

    When I try to turn on two-factor authentication at Google, it gives me a screen that asks me for a phone number, and doesn't seem to have a way to bypass this. I'd rather not give them my phone number.

    Their help pages say that you don't have to use SMS-based authentication. Apparently there is a setting, once two-factor authentication is enabled, to switch from receiving the codes via SMS, and instead either write down a batch of 10 "backup codes" at a time, or else install the Google Authenticator app, initialize it with a key, and then use it to generate time-synchronized codes thereafter. Either of these solutions is fine with me. But how do I enable them without having to give Google my phone number on the initial screen?

    1. Re:is there a way to turn it on without a phone #? by fuzzyfuzzyfungus · · Score: 4, Insightful

      Well, for 20-ish dollars you can set yourself up with a burner prepaid phone and a very meagre SMS allotment...

      Aside from that, though, I suspect that Team Google wants your convenient personal identifier for totally altruistic security reasons...

    2. Re:is there a way to turn it on without a phone #? by 0100010001010011 · · Score: 4, Informative

      You have to have a phone to set it up. You can then disable the phone and re-enable it with:

      > Mobile application
      > Switch to an app to get codes even when you don't have cell coverage.

      And then remove your phone #. So at minimum it's going to cost you a burner phone.

      The awesome thing about Google Authenticator is that it's open source. You can download and compile a PAM package (and it's in the Debian repositories). http://code.google.com/p/google-authenticator/ So anything that uses PAM can use google authenticator.

      I have it setup on my outward facing SSH server so to get into my house's server you're going to need my password and one of my devices.

    3. Re:is there a way to turn it on without a phone #? by dell623 · · Score: 4, Insightful

      You have something important enough (maybe email) on Google that you want 2-step authentication, and you're concerned about them having your phone number? What exactly are you afraid they can do with it? (I get the point of not wanting other information online)

    4. Re:is there a way to turn it on without a phone #? by icebike · · Score: 2

      You don't have to give them YOUR phone number, nor does the phone have to be able to receive SMS.
      Google will use a computer voice to read the digits to you. This number does not need to be your permanent number.

      You just need ANY phone number that you can answer.
      You will need it exactly twice.
      Once to set things up on your computer.
      Then again to get the Google Authentication app authorized. From then on you don't need to give them your phone number.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:is there a way to turn it on without a phone #? by icebike · · Score: 2

      Sign up for a google voice (or voip or something) account?

      Maybe with a different password.

      Second point in the FAQ:
      Why you shouldn’t use Google Voice to receive verification codes

      If you use Google Voice to receive verification codes, you can easily create a situation where you’ve locked yourself out of your account.

      For example, if you are signed out of your Google Voice app, you might need a verification code to get back in. However, you won’t be able to receive this verification code because it will be sent to your Google Voice, which you can’t access.

      --
      Sig Battery depleted. Reverting to safe mode.
  4. Re:Pissants by benjfowler · · Score: 2

    No, indeed, Gmail for a lot of people is the weakest link because it basically acts as the master key to one's online life.

    That said, social engineering is a criminal skill, not a technical one. I've had a couple of friends who were quite serious crooks-- no prospects or skills, but got far by simply being able to blag things. In and out of jail their whole lives -- but then they were operating in the real world, where doing jail time comes with the territory. The Internet however is a free fire zone for scumbags, so the normal rules don't apply.

    No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.

  5. Nothing ever changes in IT by vlm · · Score: 2

    Nothing ever changes in the eternal wheel of IT.

    You as a customer are never worth more than the cost of sales of replacing you.

    So it has always been in all previous IT fads, so it shall forever be in all future IT fads.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  6. Re:Pissants by GryMor · · Score: 4, Informative

    Unfortunately, in this case, at least on the Amazon side, it doesn't look like social engineering. It looks like a classic escalation attack in the same theme as the cuckoo egg: use weak credentials to deposit a payload that can then be used as strong credentials.

    While social engineering is pernicious and relies on people violating policy in the name of being helpful or customer service (often without realizing they are doing it!), this is a straight up bug in the CS procedures.

    Unfortunately, a similar bug in Apple's CS procedures allowed for further escalation.

    --
    Realities just a bunch of bits.
  7. Non-authoritative authentication by mcelrath · · Score: 5, Insightful

    Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.

    Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).

    Get KeePass and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    1. Re:Non-authoritative authentication by null+etc. · · Score: 3, Interesting

      Nothing annoys me more than "security" questions. First, so many sites share the "secret" answer that it's really not secret, is it? Second, I'd prefer to not make vulnerable even yet more personally identifying information. Third, I really dislike needing to remember the hundreds of variations of stupid personal trivia that comprise my "answer". "In what city did you first drive a car?" How the hell should I know, I barely remember my name anymore!

  8. Find My Mac / Fuckup My Mac by djdavetrouble · · Score: 3, Funny

    Wow, I didn't even realize iCloud had the ability to remote wipe my computer.

    Currently Turning OFF this feature !

    --
    music lover since 1969
    1. Re:Find My Mac / Fuckup My Mac by Anonymous Coward · · Score: 4, Insightful

      The attacker can just turn it on again.

  9. Apple by busyqth · · Score: 5, Interesting

    It was Apple that coughed up his credentials to the attackers. If Apple hadn't done that, there wouldn't be a problem.
    There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.

    1. Re:Apple by Dragonslicer · · Score: 3, Interesting

      There are some Apple employees that ought to lose their job over this...

      It shouldn't be the support person that answered the phone, though. Apparently they followed Apple's procedure of requiring only a billing address and the last four digits of a credit card number to gain access to the account.

    2. Re:Apple by rmstar · · Score: 2

      Apparently they followed Apple's procedure of requiring only a billing address and the last four digits of a credit card number to gain access to the account.

      It happens to make sense. It is so much more likely that such a call comes from a genuine customer in distress than from a hacker that, from a risk management point of view, that procedure is much better than telling a genuine customer "you should have been more careful, now you are hosed". Welcome to the real world.

      Perhaps they should require a different subset of digits from the credit card number. The last four is a rather weak choice.

    3. Re:Apple by sFurbo · · Score: 2

      The first eight are not random*, so if the last four is out, only numbers 9-12 are left.

      *In fact, for any one type of card from any one Danish bank, the first 8 are identical.
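
      The point sFurbo makes can be quantified. The block below is an added example for this page, not code from the thread: it enumerates every 16-digit card number that is consistent with a known issuer prefix and a known last four, and applies the Luhn check digit that all such numbers must satisfy. Because the check digit pins down one of the four unknown positions, the 10,000 arithmetic possibilities collapse to exactly 1,000, regardless of which prefix is used. The prefix 40000000 below is a constructed placeholder, not any issuer's real BIN.

```python
"""Added example: how much of a 16-digit PAN is actually unknown when the issuer
prefix and the last four digits are both known. Not code from the Slashdot thread."""
from itertools import product

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates(prefix: str, last4: str, length: int = 16) -> list:
    """Every Luhn-valid PAN of `length` digits with the given fixed prefix and suffix."""
    free = length - len(prefix) - len(last4)
    if free < 0:
        raise ValueError("prefix and suffix longer than the PAN")
    out = []
    for mid in product(DIGITS, repeat=free):
        pan = prefix + "".join(mid) + last4
        if luhn_valid(pan):
            out.append(pan)
    return out


def search_space(prefix: str, last4: str, length: int = 16) -> int:
    """Number of PANs an attacker must still distinguish between."""
    return len(candidates(prefix, last4, length))


if __name__ == "__main__":
    # Constructed placeholder prefix and suffix, not a real card.
    print("candidates with 8-digit prefix and last four known:", search_space("40000000", "1234"))
    print("candidates with 6-digit prefix and last four known:", search_space("400000", "1234"))
```

      The second print line shows the same effect with a six-digit prefix: six unknown digits under the Luhn constraint leave 100,000 candidates, still one decimal order of magnitude fewer than the naive count. Either way, the last four plus a billing address is something every merchant and every discarded receipt already exposes, which is why it is weak as a credential rather than merely short.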

    4. Re:Apple by Anonymous Coward · · Score: 4, Insightful

      What procedure would you suggest to tell the genuine customer that they just gave away your account and all your information you thought was properly backed up is now deleted?

    5. Re:Apple by icebike · · Score: 3, Insightful

      Wait, why would any credit card digits and an address be sufficient?
      You hand that over every time you buy something.

      Why would apple bypass their own security questions and open the account to someone who can't remember any of those?
      Seriously who forgets their Mother's maiden name or their first pets name?

      --
      Sig Battery depleted. Reverting to safe mode.
  10. Re:the cloud would have made it more secure by iluvcapra · · Score: 2

    Basically you're saying that no one should have an entry in the whois database because we can't have nice things.

    The whois was just one way of doing this, I'm sure more than a few people's mailing address can be obtained from a google search (I know mine can, I've had to post too many PDF resumes.)

    The problem is Apple and Amazon use knowledge of a mailing address as a credential, in the same way that many silly organizations use knowledge of the last four of your SSN.

    --
    Don't blame me, I voted for Baltar.
  11. no one will care for your data like you do by Dan667 · · Score: 2

    if you put something valuable on mainframes at other companies (ie the new marketing buzzword "the cloud") then you are accepting the risk. Not worth it IMHO.

  12. Yet another post on this idiot? by retech · · Score: 3, Informative

    Seriously, why is everyone screaming security when it was not a hack but a social engineering entry? And why cry for an idiot who had NO personal backups of his own data? He's an idiot.

    1. Re:Yet another post on this idiot? by dell623 · · Score: 4, Interesting

      Because he's not the only idiot. You would be surprised how many tech savvy people have no backups and are equally vulnerable. Also it's something worth highlighting as it has shown critical flaws in both Amazon and Apple's authentication systems. And it persuaded me to go ahead and set up 2-step authentication on Google, and I am damn glad I did.

  13. Email is the weakest link by Anonymous Coward · · Score: 3, Informative

    When a password reset is requested, a new password is sent to your email address. So, if a hacker gains access to your primary email account, then he has access to ALL of your accounts. (In fact, since email isn't encrypted, he only has to be able to intercept the password-reset message somewhere in transit.)

    Email is the weakest link on the internet.

    1. Re:Email is the weakest link by gander666 · · Score: 2

      Email is the weakest link on the internet.

      This. I am amazed by the professionals in information handling who genuinely answer that Email is fine for exchanging sensitive information. I heard a hospital IT manager honestly answer that he thought that email of patient record via PDF was fine. Sigh.

      --
      Suppose you were an idiot and suppose you were a member of Congress ... but I repeat myself. - Mark T
  14. Re:Pissants by RazorSharp · · Score: 4, Interesting

    No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.

    You're being pedantic and glorifying the term 'hacker' way too much.

    http://en.wikipedia.org/wiki/Kevin_mitnick - this guy is usually referred to as a hacker, even though sweet talking minimum wage drones over the phone was his bread and butter. I get that you want to distinguish between the technologically adept and inept, using the terms 'hacker' and 'script kiddie' to do so, but the article is using the term 'hacker' in a legal sense; as in someone who commits crimes almost exclusively through the use of technology. My dad referred to himself as a hacker but he never committed a crime using his computer/phone. He just meant that he liked to hack out code.

    Joe can be a man's name. Joe can be a cup of coffee. Joe can be a member of the armed services. Basically, you're arguing that your cup of coffee shouldn't be called Joe because that's your name.

    --
    "From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."
  15. Why insightful? by Anonymous Coward · · Score: 2, Insightful

    The attacker can just turn it on again.

    Why is this modded insightful? You can't "just turn on" remote wipe, er, remotely. You have to enable it on the machine first, and you need an administrator account to enable it on the machine.

  16. Clouds! by DarthVain · · Score: 2

    It doesn't surprise me in the least that clouds are not secure. I mean they are fluffy white things in the sky made mostly from water vapour. How can something like that be secure! Though they are somewhat intangible, and pretty hard to reach without some sort of assistance from earth. But hell, birds can access them, birds! Do you think anything that birds can access is really secure?

    Birds, the sky hackers!

    Also Apple tech support sucks (believe me, I used to know some), and don't use the same password for everything...

    Well I'm off, gotta go change my Apple passwords, see ya! :)