Wired Writer Hack Shows Need For Tighter Cloud Security 132

Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target." Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.
  • When I try to turn on two-factor authentication at Google, it gives me a screen that asks me for a phone number, and doesn't seem to have a way to bypass this. I'd rather not give them my phone number.

    Their help pages say that you don't have to use SMS-based authentication. Apparently there is a setting, once two-factor authentication is enabled, to switch from receiving the codes via SMS, and instead either write down a batch of 10 "backup codes" at a time, or else install the Google Authenticator app, initialize it with a key, and then use it to generate time-synchronized codes thereafter. Either of these solutions is fine with me. But how do I enable them without having to give Google my phone number on the initial screen?

  • Re:Pissants (Score:5, Informative)

    by GryMor ( 88799 ) on Tuesday August 07, 2012 @11:33AM (#40905861)

    Unfortunately, in this case, at least on the Amazon side, it doesn't look like social engineering. It looks like a classic escalation attack in the same theme as the cuckoo egg: use weak credentials to deposit a payload that can then be used as strong credentials.

    While social engineering is pernicious and relies on people violating policy in the name of being helpful or customer service (often without realizing they are doing it!), this is a straight up bug in the CS procedures.

    Unfortunately, a similar bug in Apple's CS procedures allowed for further escalation.

  • by 0100010001010011 ( 652467 ) on Tuesday August 07, 2012 @11:42AM (#40905975)

    You have to have a phone to set it up. You can then disable the phone and re-enable it with:

    > Mobile application
    > Switch to an app to get codes even when you don't have cell coverage.

    And then remove your phone #. So at minimum it's going to cost you a burner phone.

    The awesome thing about Google Authenticator is that it's open source. You can download and compile a PAM package (and it's in the Debian repositories): http://code.google.com/p/google-authenticator/ So anything that uses PAM can use Google Authenticator.

    I have it set up on my outward-facing SSH server, so to get into my house's server you're going to need my password and one of my devices.

  • by retech ( 1228598 ) on Tuesday August 07, 2012 @11:53AM (#40906093)
    Seriously, why is everyone screaming security when it was not a hack but a social engineering entry? And why cry for an idiot who had NO personal backups of his own data? He's an idiot.
  • by Anonymous Coward on Tuesday August 07, 2012 @11:55AM (#40906107)

    When a password reset is requested, a new password is sent to your email address. So, if a hacker gains access to your primary email account, then he has access to ALL of your accounts. (In fact, since email isn't encrypted, he only has to be able to intercept the password-reset message somewhere in transit.)

    Email is the weakest link on the internet.
