By Terry Cutler
“In the space of one hour, my entire digital life was destroyed,” Wired reporter Mat Honan wrote in a blog post (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/) detailing his experience after hackers hijacked his AppleID last week. The black hat, later revealed to be a 19-year-old hacker calling himself “Phobia,” seized control of his iCloud account and then, from who knows where, remotely wiped the personal and work data from his Apple iPhone, iPad and Mac devices, and gained access to his Gmail, Twitter and Amazon accounts.
Scary, isn’t it? How many of us have these devices and multiple accounts? The answer is probably most of us, and with all our digital information and in many cases our digital identities now “in clouds” we are becoming more vulnerable. The main purpose of iCloud is to allow users to safely back up content, and to have a neat sync across all iDevices. iCloud will also help you restore all of your information and content to a new upgraded iPhone. Easy as falling off a log!
While it is a cool service, it is also cool for hackers. What happened to Honan can easily happen to you.
Here is how Honan’s hacker did it. Honan says the hacker, intent on taking over his @mat Twitter account, was able to wreak so much havoc because of the way his various online identities were woven together. From his Twitter account to the Gmail address posted on his personal website, the hacker went to his Gmail’s Google account recovery page, reported Honan.
From there, the penetration continued. According to Honan, someone called up Apple technical support claiming to be Honan. The caller began complaining of email access issues, applied a little bit of social engineering (http://searchsecurity.techtarget.com/definition/social-engineering), and got what he or she was after. This may surprise and outrage some, because customer service issued a temporary password. Usually, there is some security question based on the initial setup of the account, such as mother’s maiden name.
But don’t blame Apple’s customer service completely. Honan admits on his blog that it was his own failure to enable Google’s two-factor login procedure. With two-factor login, users must provide a code sent to their smartphone in addition to their user ID and password. Honan left himself open. This meant the hacker could even view the alternate e-mail he’d set for emergencies.
“Google partially obscures that information, starring out many characters, but there were enough characters available, m••••email@example.com,” Honan wrote. “Jackpot.”
The Honan Hack is now being called The Alamo For Two Factor Authentication. http://www.networkworld.com/community/node/81181
“(Apple) did this after the hacker supplied only two pieces of information that anyone with an Internet connection and a phone can discover,” Honan explained, highlighting that one of those pieces was a partial credit card number visible in his Amazon account.
The hackers even had access to that, and that was all they needed. Honan explains that, under the Amazon security policy in place when the account was set up, customers could change their password by telephone using their name, email address and mailing address as proof of identity.
Apple issued a statement Monday emphasizing the company’s commitment to customer privacy and noting that Honan’s account was compromised by someone who had acquired his personal information.
Ahhh, no kidding!
“In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.” http://www.cultofmac.com/183063/apple-responds-to-journalist-victim-of-icloud-hack/
It isn’t the first time. Back in June of 2012, cloud start-up CloudFlare found its Google Enterprise Apps account hacked, with the attackers bypassing the two-factor authentication (http://www.informationweek.com/security/vulnerabilities/google-apps-security-beat-by-cloudflare/240001457). Hackers tricked AT&T customer service into giving up a social security number. Reports suggested that Gmail’s email recovery was weak, thus opening a door to reset CloudFlare’s Gmail password. That attack, from start to finish, lasted less than two hours (http://share.cloudflare.com/3g1X141s2s3J2G2Z0e0O/o).
Like Honan, many of us started out years ago buying from iTunes and later collecting apps, storing photographs, and so on, and have now amassed a fortune of digital data. In Honan’s case, all his data may never be recovered. In many cases, most data is not recovered. iCloud seems like an easy way to get all that together. What may be problematic is that there were competing security policies, meaning Apple, Gmail, Twitter, Google and Amazon are not on the same security page.
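To see why mismatched recovery policies matter, here is the chain described above as a small audit you can adapt to your own accounts. It is an added example, not code from the original article; the path names and fact labels are constructed, and the items marked as assumptions are not stated in the article.

```python
# Constructed, simplified model of the recovery chain described in the article.
# Each path: (name, facts accepted as proof of identity, facts exposed once it opens).
PUBLIC = {"name", "gmail_address", "mailing_address"}  # what anyone can look up

PATHS = [
    # The hint is partially obscured, but the article says enough was visible.
    ("google recovery page", {"gmail_address"}, {"alternate_email"}),
    ("amazon phone reset", {"name", "gmail_address", "mailing_address"},
     {"partial_card_number"}),
    # The article names only the partial card number; the second item is an assumption.
    ("apple support reset", {"alternate_email", "partial_card_number"},
     {"apple_mailbox"}),
    # Assumption: each reset mail lands in the mailbox named as the requirement.
    ("gmail reset", {"apple_mailbox"}, {"gmail_mailbox"}),
    ("twitter reset", {"gmail_mailbox"}, set()),
]


def exposed(paths, public, hardened=()):
    """Return the recovery paths an outsider could satisfy, in the order they open.

    Paths listed in `hardened` demand a second factor, so knowledge alone fails.
    """
    known, opened = set(public), []
    progress = True
    while progress:
        progress = False
        for name, needs, reveals in paths:
            if name in opened or name in hardened:
                continue
            if needs <= known:  # every required fact is already obtainable
                opened.append(name)
                known |= reveals
                progress = True
    return opened


def rank_fixes(paths, public):
    """For each path, count how many paths stay closed if only it is hardened."""
    baseline = len(exposed(paths, public))
    saved = {name: baseline - len(exposed(paths, public, hardened={name}))
             for name, _, _ in paths}
    return sorted(saved.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print("open today:", exposed(PATHS, PUBLIC))
    print("with Google two-factor:", exposed(PATHS, PUBLIC, {"google recovery page"}))
    for name, count in rank_fixes(PATHS, PUBLIC):
        print(f"harden {name!r}: closes {count} path(s)")
```

Replace PATHS with your own accounts and what each one accepts and reveals; the ranking shows which single control breaks the longest chain.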
So what to do?
Back it up! Need we say more?
Change your passwords on a regular basis. It is the same old advice, but advice that helps. While you are at it, make crazy passwords and stay away from birthdays or anniversaries. Create them longer than eight characters and use upper- and lower-case letters, and numbers.
Have multiple online personalities, at least when it comes to your online ID access. One ID is asking for trouble. Once a hacker gets your one ID, you’re done.
Accept two-factor authentication and forget about the hassle. That’s right, that extra step to back up your “life” for many people is a hassle.
I’m a government cleared cybersecurity expert (a Certified Ethical Hacker), and the Vice-President of Cyber at SIRCO, an investigations and protections firm in Montréal, Canada.
I’m also a frequent contributor to National & Global media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day.