Wired Writer Hack Shows Need For Tighter Cloud Security
Nerval's Lobster writes "Between 4:52 and 5:12 on August 3, attackers used Wired writer Mat Honan's Apple ID to wipe his MacBook, before seizing control of his Gmail and other online identities ('My accounts were daisy-chained together,' he wrote in an Aug. 6 postmortem on Wired), and posting a message on Twitter for all to see: 'Clan Vv3 and Phobia hacked this twitter.' In the wake of Honan's high-profile hack, there are some key takeaways. Even if a typical user can't prevent a social-engineering attack on the company hosting their cloud account, they can armor their online life in ways that make attacks more difficult. First, two-factor authentication can prevent an attacker from seizing control of those vital 'hub' accounts (such as Gmail) where users tend to store much of their most vital information. Google offers two-step verification for signing in, as does Facebook. The truly security-conscious can also uncouple their cloud accounts; for example, making sure that iCloud and iTunes use two different sets of credentials. That might rob daily life in the cloud of some of its convenience, but it could also make you a harder target."
Update: 08/08 01:17 GMT by S : This high-profile security breach has had an impact already: Apple has suspended password resets through customer support, and Amazon no longer lets users call in to change account settings.
the cloud would have made it more secure (Score:1, Interesting)
hackers grab his info from whois because he has a personal site from blogging
they use that to hack his amazon account
and then use the info from amazon to hack icloud
If he had just used WordPress or Blogger or some other cloud service, this hack would have been A LOT harder. It's 2012, no need to reinvent the wheel by setting up your own server for email, web site, photo sharing or the 20 other things that da cloud has made easier and more secure. He just wanted to be uber tech cool and show off how he can run his own site and waste time managing it instead of letting someone else do it.
Apple (Score:5, Interesting)
There are some Apple employees that ought to lose their job over this and Apple ought to pay this guy something significant for screwing him over.
Re:So much for ... (Score:3, Interesting)
Single sign on vs multiple sign on is irrelevant when the attacker gets control of your main PC where all your credentials are.
No one got control over his PC in this case.
And why would anyone store credentials on their PC?
Re:Apple (Score:4, Interesting)
There are some Apple employees that ought to lose their job over this...
It shouldn't be the support person that answered the phone, though. Apparently they followed Apple's procedure of requiring only a billing address and the last four digits of a credit card number to gain access to the account.
Re:Non-authoritative authentication (Score:4, Interesting)
Nothing annoys me more than "security" questions. First, so many sites share the "secret" answer that it's really not secret, is it? Second, I'd prefer to not make vulnerable even yet more personally identifying information. Third, I really dislike needing to remember the hundreds of variations of stupid personal trivia that comprise my "answer". "In what city did you first drive a car?" How the hell should I know, I barely remember my name anymore!
Re:Yet another post on this idiot? (Score:5, Interesting)
Because he's not the only idiot. You would be surprised how many tech-savvy people have no backups and are equally vulnerable. Also it's something worth highlighting, as it has shown critical flaws in both Amazon's and Apple's authentication systems. And it persuaded me to go ahead and set up 2-step authentication on Google, and I am damn glad I did.
Re:Pissants (Score:5, Interesting)
No "hacker" should call himself such, by simply being able to sweet-talk a minimum wage drone over the phone.
You're being pedantic and glorifying the term 'hacker' way too much.
http://en.wikipedia.org/wiki/Kevin_mitnick - this guy is usually referred to as a hacker, even though sweet-talking minimum wage drones over the phone was his bread and butter. I get that you want to distinguish between the technologically adept and inept, using the terms 'hacker' and 'script kiddie' to do so, but the article is using the term 'hacker' in a legal sense; as in someone who commits crimes almost exclusively through the use of technology. My dad referred to himself as a hacker, but he never committed a crime using his computer/phone. He just meant that he liked to hack out code.
Joe can be a man's name. Joe can be a cup of coffee. Joe can be a member of the armed services. Basically, you're arguing that your cup of coffee shouldn't be called Joe because that's your name.
Re:So much for ... (Score:5, Interesting)
For those that don't know how ssh-agent works:
You have two parts to your key, one part encrypts only (public key) and the other part decrypts only (private key). The remote server sends a random message encrypted with the public key; that message is sent to the ssh-agent program, which decrypts the message with your private key, which it has in memory. This decrypted message is sent back to the remote server -- if it matches what it randomly generated, it knows that you are in possession of the private half of the key and lets you in. The secure part is that your private key is never sent over the wire, and never leaves the memory of the ssh-agent program (unlike a regular password).
Now one thing I've done in the past to make this more secure (when I carried a Nokia N900 Linux-based phone) is I ran the agent on my phone only, and forwarded the connection to my PC via Bluetooth. I had it set up so that it would auto-pair with PCs that I trusted (and play a particular sound on the phone during pairing and key usage), and require an accept button on the phone for other machines. I've been meaning to pick up Android programming so that I could port this over to my current phone. Oh, and when the agent program gets started on the phone, it requires a symmetric decryption key (protects it if the phone is stolen). Probably security overkill, but in my case I used it more for convenience than anything else.
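A Go model of the encrypt/decrypt challenge the comment above describes, added here as an example and not the commenter's code or OpenSSH's (SSH2 public-key authentication actually uses a signature rather than decryption, but the property shown is the same: the private key never leaves the agent process). Agent, Server and Authenticate are constructed names; the server is given only the public half, and a second, unrelated key is used to show rejection.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// Agent stands in for ssh-agent (constructed illustration): the private key lives only here and is never returned, only used to decrypt.
type Agent struct{ priv *rsa.PrivateKey }
func NewAgent() (*Agent, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Agent{priv: k}, nil
}

// PublicKey is the half that gets copied to the server, like an authorized_keys entry.
func (a *Agent) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }
// Respond decrypts the server's challenge with the in-memory private key.
func (a *Agent) Respond(challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, challenge, nil)
}

// Server holds only the public half plus the nonce it is currently waiting on.
type Server struct {
	pub   *rsa.PublicKey
	nonce []byte
}
// Challenge encrypts a fresh 32-byte random nonce to the public key; only the matching private key can recover it.
func (s *Server) Challenge() ([]byte, error) {
	s.nonce = make([]byte, 32)
	if _, err := rand.Read(s.nonce); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, s.nonce, nil)
}

// Authenticate runs one exchange: the reply is compared to the nonce in constant time; a wrong key fails to decrypt and is rejected.
func Authenticate(s *Server, a *Agent) bool {
	c, err := s.Challenge()
	if err != nil {
		return false
	}
	r, err := a.Respond(c)
	return err == nil && subtle.ConstantTimeCompare(r, s.nonce) == 1
}
```

Because every Challenge draws a new nonce, a reply captured from one login is useless against the next one.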