Wired Writer Hack Shows Need For Tighter Cloud Security
Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target."
Update: 08/08 01:17 GMT by S: This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.
Have gnu, will travel.
we need a tighter way to detect reposts
did you forget to take your meds?
Well, for 20-ish dollars you can set yourself up with a burner prepaid phone and a very meagre SMS allotment...
Aside from that, though, I suspect that Team Google wants your convenient personal identifier for totally altruistic security reasons...
Unfortunately, in this case, at least on the Amazon side, it doesn't look like social engineering. It looks like a classic escalation attack in the same theme as the cuckoo egg: use weak credentials to deposit a payload that can then be used as strong credentials.
While social engineering is pernicious and relies on people violating policy in the name of being helpful or customer service (often without realizing they are doing it!), this is a straight up bug in the CS procedures.
Unfortunately, a similar bug in Apple's CS procedures allowed for further escalation.
Reality's just a bunch of bits.
Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.
Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).
Get KeePass and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
Wow, didn't even realize iCloud had the ability to remote wipe my computer.
Currently turning OFF this feature!
music lover since 1969
You have to have a phone to set it up. You can then disable the phone and re-enable it with:
> Mobile application
> Switch to an app to get codes even when you don't have cell coverage.
And then remove your phone #. So at minimum it's going to cost you a burner phone.
The awesome thing about Google Authenticator is that it's open source. You can download and compile a PAM package (and it's in the Debian repositories). http://code.google.com/p/google-authenticator/ So anything that uses PAM can use google authenticator.
I have it set up on my outward-facing SSH server, so to get into my house's server you're going to need my password and one of my devices.
It was Apple that coughed up his credentials to the attackers. If Apple hadn't done that, there wouldn't be a problem.
There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.
Seriously, why is everyone screaming security when it was not a hack but a social engineering entry? And why cry for an idiot who had NO personal backups of his own data? He's an idiot.
When a password reset is requested, a new password is sent to your email address. So, if a hacker gains access to your primary email account, then he has access to ALL of your accounts. (In fact, since email isn't encrypted, he only has to be able to intercept the password-reset message somewhere in transit.)
Email is the weakest link on the internet.
You have something important enough (maybe email) on Google that you want 2-step authentication, and you're concerned about them having your phone number? What exactly are you afraid they can do with it? (I get the point of not wanting other information online)
No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.
You're being pedantic and glorifying the term 'hacker' way too much.
http://en.wikipedia.org/wiki/Kevin_mitnick - this guy is usually referred to as a hacker, even though sweet talking minimum wage drones over the phone was his bread and butter. I get that you want to distinguish between the technologically adept and inept, using the terms 'hacker' and 'script kiddie' to do so, but the article is using the term 'hacker' in a legal sense; as in someone who commits crimes almost exclusively through the use of technology. My dad referred to himself as a hacker but he never committed a crime using his computer/phone. He just meant that he liked to hack out code.
Joe can be a man's name. Joe can be a cup of coffee. Joe can be a member of the armed services. Basically, you're arguing that your cup of coffee shouldn't be called Joe because that's your name.
"From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."