
Wired Writer Hack Shows Need For Tighter Cloud Security

Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target." Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.
  • So much for ... (Score:5, Insightful)

    by PPH ( 736903 ) on Tuesday August 07, 2012 @10:59AM (#40905527)

    ... single log on across the 'Net.

  • But first.. (Score:5, Insightful)

    by js3 ( 319268 ) on Tuesday August 07, 2012 @11:01AM (#40905537)

    we need a tighter way to detect reposts

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday August 07, 2012 @11:08AM (#40905621) Journal

    Well, for 20-ish dollars you can set yourself up with a burner prepaid phone and a very meagre SMS allotment...

    Aside from that, though, I suspect that Team Google wants your convenient personal identifier for totally altruistic security reasons...

  • by mcelrath ( 8027 ) on Tuesday August 07, 2012 @11:41AM (#40905961) Homepage

    Hey, I have an idea. Let's stop using non-secret information as authentication credentials. Address, birthday, mother's maiden name, last 4 digits of CC or SSN, CVV, childhood pet's name are NOT AUTHENTICATION. Authentication information should never be printed, emailed, or typed in the clear.

    Personally, I've been putting random numbers in all those fields for years, and if the account contains sensitive information, recording that information in an encrypted way in the event that it is ever needed. So far, I've never needed such information (because I also record and encrypt my randomly-generated passwords).

    Get KeePass [keepass.info] and enable two factor authentication. Then, call your bank and CC company and tell them the security on your credit card is absurd. Because who cares how good your Google password is if the guy standing behind you at 7/11 can get all the info he needs to defraud you by holding out his camera-phone while you buy your Gatorade?

  • by Anonymous Coward on Tuesday August 07, 2012 @12:04PM (#40906225)

    The attacker can just turn it on again.

  • by dell623 ( 2021586 ) on Tuesday August 07, 2012 @12:29PM (#40906519)

    You have something important enough (maybe email) on Google that you want 2-step authentication, and you're concerned about them having your phone number? What exactly are you afraid they can do with it? (I get the point of not wanting other information online)

  • Re:So much for ... (Score:2, Insightful)

    by icebike ( 68054 ) * on Tuesday August 07, 2012 @01:13PM (#40907133)

    Exactly.

    As anyone who has been following this story from the beginning knows, no real hacking took place, no encryption was broken, no keys were stolen. The man used the same password for all his logins, and the "hacker" simply talked Apple support into handing over access to his account, and once one password was known, the hacker could log in everywhere.

    What amazes me is how many people posted on the original thread here on Slashdot their utter disbelief about how this happened, apparently astounded that Apple would do such a thing. Yet social engineering is one of the primary methods of spectacular security breaches.

    Still, one has to ask why this guy was chosen as a target. I suspect the attacker had just that little piece of inside knowledge that gave him just enough to nudge the Apple tech over the brink.
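The daisy-chaining described in the story summary and in the comment above, as an added example that is not from the original post or from any poster here: a small Python model of account-recovery dependencies that computes how far one compromised account reaches when recovery links and reused passwords are followed, and shows how 2FA on the hub account plus unique passwords cut the chain. The account names, links and the rule that 2FA blocks takeover are constructed modelling assumptions, not details from the article.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Account:
    name: str
    reset_via: Set[str] = field(default_factory=set)  # accounts that can reset this one
    password_group: Optional[str] = None  # label shared by accounts that reuse a password
    two_factor: bool = False  # model assumption: 2FA blocks takeover via reset or reuse

def blast_radius(accounts: Dict[str, Account], start: str) -> Set[str]:
    """Accounts an attacker holds after taking over `start`, following
    recovery links and reused passwords; 2FA on an account stops the chain."""
    owned, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for acct in accounts.values():
            if acct.name in owned:
                continue
            via_reset = cur in acct.reset_via
            via_reuse = (acct.password_group is not None
                         and acct.password_group == accounts[cur].password_group)
            if (via_reset or via_reuse) and not acct.two_factor:
                owned.add(acct.name)
                frontier.append(acct.name)
    return owned

def hubs(accounts: Dict[str, Account]) -> Dict[str, int]:
    """Blast-radius size per starting account, largest first: the 'hub'
    accounts the summary says are worth putting behind 2FA."""
    sizes = {n: len(blast_radius(accounts, n)) for n in accounts}
    return dict(sorted(sizes.items(), key=lambda kv: -kv[1]))

def build(two_factor_hub: bool, reuse: bool) -> Dict[str, Account]:
    """Constructed graph shaped like the story: the cloud ID can wipe the
    laptop and is the recovery address for the mail hub, which is in turn
    the recovery address for a social account."""
    grp = "reused" if reuse else None
    accts = [Account("cloud_id", password_group=grp),
             Account("laptop", reset_via={"cloud_id"}),
             Account("mail", reset_via={"cloud_id"}, password_group=grp,
                     two_factor=two_factor_hub),
             Account("social", reset_via={"mail"}, password_group=grp)]
    return {a.name: a for a in accts}

if __name__ == "__main__":
    for label, graph in (("weak", build(False, True)), ("hardened", build(True, False))):
        print(label, sorted(blast_radius(graph, "cloud_id")), hubs(graph))
```

In the weak graph every account falls once the cloud ID is taken over; in the hardened one the laptop is still wiped, but the mail hub and everything behind it survive.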

  • Re:Apple (Score:4, Insightful)

    by Anonymous Coward on Tuesday August 07, 2012 @01:27PM (#40907285)

    What procedure would you suggest to tell the genuine customer that they just gave away their account, and that all the information they thought was properly backed up is now deleted?

  • Re:Apple (Score:4, Insightful)

    by icebike ( 68054 ) * on Tuesday August 07, 2012 @01:28PM (#40907299)

    Wait, why would any credit card digits and an address be sufficient?
    You hand that over every time you buy something.

    Why would Apple bypass their own security questions and open the account to someone who can't remember any of those?
    Seriously, who forgets their mother's maiden name or their first pet's name?

  • Why insightful? (Score:2, Insightful)

    by Anonymous Coward on Tuesday August 07, 2012 @01:41PM (#40907459)

    The attacker can just turn it on again.

    Why is this modded insightful? You can't "just turn on" remote wipe, er, remotely. You have to enable it on the machine first, and you need an administrator account to enable it on the machine.
