Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wired Writer Hack Shows Need For Tighter Cloud Security

Posted by timothy on from the internet-I-think-they-mean dept.

Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target." Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.

13 of 132 comments (clear)

  1. So much for ... by PPH · · Score: 5, Insightful

    ... single log on across the 'Net.

    --
    Have gnu, will travel.
    1. Re:So much for ... by tchuladdiass · · Score: 4, Interesting

      For those that don't know how ssh-agent works:
      You have two parts to your key, one part encrypts only (public key) and the other part decrypts only (private key). The remote server sends a random message encrypted with the public key; that message is sent to the ssh-agent program, which decrypts the message with your private key which it has in memory. This decrypted message is sent back to the remote server -- if it matches what it randomly generated, it know that your are in possession of the private half of the key and lets you in. The secure part is that your private key is never sent over the wire, and never leaves the memory of the ssh-agent program (unlike a regular password).

      Now one thing I've done in the past to make this more secure (when I carried a Nokia N900 linux-based phone) is I ran the agent on my phone only, and forwarded the connection to my PC via Bluetooth. I had it set up so that it would auto pair with PCs that I trusted (and play a particular sound on the pone during pairing and key usage), and require an accept button on the phone for other machines. I've been meaning to pick up Android programming so that I could port this over to my current phone. Oh, and when the agent program gets started on the phone, it requires a symmetric decryption key (protects it if the phone is stolen). Probably security overkill, but in my case I used it more for convenience than anything else.

  2. But first.. by js3 · · Score: 5, Insightful

    we need a tighter way to detect reposts

    --
    did you forget to take your meds?
  3. Re:is there a way to turn it on without a phone #? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Well, for 20-ish dollars you can set yourself up with a burner prepaid phone and a very meagre SMS allotment...

    Aside from that, though, I suspect that Team Google wants your convenient personal identifier for totally altruistic security reasons...

  4. Re:Pissants by GryMor · · Score: 4, Informative

    Unfortunately, in this case, at least on the Amazon side, it doesn't look like social engineering. It looks like a classic escalation attack in the same theme as the cuckoo egg: use weak credentials to deposit a payload that can then be used as strong credentials.

    While social engineering is pernicious and relies on people violating policy in the name of being helpful or customer service (often without realizing they are doing it!), this is a straight up bug in the CS procedures.

    Unfortunately, a similar bug in Apple's CS procedures allowed for further escalation.

    --
    Realities just a bunch of bits.
  5. Non-authoritative authentication by mcelrath · · Score: 5, Insightful

    Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.

    Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).

    Get KeePass and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  6. Re:is there a way to turn it on without a phone #? by 0100010001010011 · · Score: 4, Informative

    You have to have a phone to set it up. You can then disable the phone and re-enable it with:

    > Mobile application
    > Switch to an app to get codes even when you don't have cell coverage.

    And then remove your phone #. So at minimum it's going to cost you a burner phone.

    The awesome thing about Google Authenticator is that it's open source. You can download and compile a PAM package (and it's in the Debian repositories). http://code.google.com/p/google-authenticator/ So anything that uses PAM can use google authenticator.

    I have it setup on my outward facing SSH server so to get into my house's server you're going to need my password and one of my devices.

  7. Apple by busyqth · · Score: 5, Interesting

    It was Apple that coughed up his credentials to the attackers. If Apple hadn't done that, there wouldn't be a problem.
    There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.

    1. Re:Apple by Anonymous Coward · · Score: 4, Insightful

      What procedure would you suggest to tell the genuine customer that they just gave away your account and all your information you thought was properly backed up is now deleted?

  8. Re:Find My Mac / Fuckup My Mac by Anonymous Coward · · Score: 4, Insightful

    The attacker can just turn it on again.

  9. Re:is there a way to turn it on without a phone #? by dell623 · · Score: 4, Insightful

    You have something important enough (maybe email) on Google that you want 2-step authentication, and you're concerned about them having your phone number? What exactly are you afraid they can do with it? (I get the point of not wanting other information online)

  10. Re:Yet another post on this idiot? by dell623 · · Score: 4, Interesting

    Because he's not the only idiot. You would be surprised how many tech savvy people have no backups and are equally vulnerable. Also it's something worth highlighting as it has shown critical flaws in bot Amazon and Apple's authentication systems. And it persuaded me to go ahead and set up 2-step authentication on Google, and I am damn glad I did.

  11. Re:Pissants by RazorSharp · · Score: 4, Interesting

    No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.

    You're being pedantic and glorifying the term 'hacker' way too much.

    http://en.wikipedia.org/wiki/Kevin_mitnick - this guy is usually referred to as a hacker, even though sweet talking minimum wage drones over the phone was his bread and butter. I get that you want to distinguish between the technologically adept and inept, using the terms 'hacker' and 'script kiddie' to do so, but the article is using the term 'hacker' in a legal sense; as in someone who commits crimes almost exclusively through the use of technology. My dad referred to himself as a hacker but he never committed a crime using his computer/phone. He just meant that he liked to hack out code.

    Joe can be a man's name. Joe can be a cup of coffee. Joe can be a member of the armed services. Basically, you're arguing that your cup of coffee shouldn't be called Joe because that's your name.

    --
    "From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."