Slashdot Mirror


Wired Writer Hack Shows Need For Tighter Cloud Security

Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target."

Update: 08/08 01:17 GMT by S: This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.

4 of 132 comments

  1. So much for ... by PPH · Score: 5, Insightful

    ... single log on across the 'Net.

    --
    Have gnu, will travel.
  2. But first.. by js3 · Score: 5, Insightful

    we need a tighter way to detect reposts

    --
    did you forget to take your meds?
  3. Non-authoritative authentication by mcelrath · Score: 5, Insightful

    Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.

    Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).

    Get KeePass and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  4. Apple by busyqth · Score: 5, Interesting

    It was Apple that coughed up his credentials to the attackers. If Apple hadn't done that, there wouldn't be a problem.
    There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.