[Article first published as The "Epic Hack" of Wired's Mat Honan - Social
Engineering at Work on Blogcritics.]
I spend a lot of time and effort attempting to keep people
safe in the digital age.  Whether it's on a professional level at my job
or through my writing or social media, to me it's important that everyone is as
safe as they can be, knowing that nothing is 100% foolproof.  Part of what
I do professionally is keeping computer systems safe, and even I have had to go
through the pains of wiping everything from my computer and starting from
scratch more than a couple times.  It happens. Even to the nerd elite.
So when someone brings me their machine or reports some sort
of issue, I know it's going to be one of a few things - (1) a virus, (2)
malware/scareware or (3) phishing scams.  But these are all software
methods with the aim of destruction or data theft.  Sometimes, especially
with scareware, someone's looking for the user to give up a credit card number,
a user name or password, account numbers of any kind, hell, even social
security numbers.  The reason is that any combination of these things can
be pieced together enough for someone to pass themselves off as you.  And
once that happens, your digital life can be reduced to ruins. Accounts or
credit cards can be opened in your name, and you can wave bye-bye to your
credit, your money, or even your good name.  There are a lot of snippets
of code or scripts or SQL injections (and blah blah the list goes on) that can
do this to you.  But in my experience, knowing what I know and having had
to help people protect against it, I've found that there's one tool that works
better than all of the above combined, and that's social engineering. Low tech
compared to software hacks, but highly efficient.  I wrote a bit a while ago on the topic concerning RSA if
you want some details, but I'll nutshell the concept for you - social
engineering means hacking people, not machines.
It's a fancy way of saying "tricking people into giving
up information." And attempts have been made on all of you, whether you
know it or not.
So why am I going into this topic today?
Unfortunately the way things work in this world is that something has to happen
to someone with some clout for an issue to be addressed. What I just described happened recently to Wired Magazine's Mat Honan.  A
bit of social engineering with some security holes at both Amazon and Apple led
to what Honan describes as an "epic hacking."  He outlined his
experiences for all to read yesterday, and it is 100% worth the read if you
have a couple of minutes to do so.  He details everything from the what and
the how all the way to actually talking to the hacker that broke into his life
and the conversation they had.  I'll go over a little of it here.
Mr. Honan realized there was a problem on Friday - while he was trying to restore his iPhone, he was getting messages on his
MacBook that his saved account information was wrong, asking him for a 4-digit
PIN.  The problem was, he didn't have a 4-digit PIN.
His timeline that follows should scare the living hell out
of you. Especially those of you that entrust all of your accounts to an
AppleID.
Upon calling AppleCare for help, it was confirmed that they
handed over temporary .me e-mail credentials to someone claiming to be him, and
he watched over the next hour as that person reset credentials on his Twitter,
then his Gmail, then wiped his iPad, and permanently reset his AppleID. But
that was only the start - next was outright deletion of his Google account,
followed by a remote "Find My" data wipe of his MacBook.  Now
not only were all of his accounts effectively locked out to him, but anything
on any of his devices that wasn't backed up was gone forever.  Maybe not
such a big deal on his iPhone or iPad, but on a MacBook, his primary machine,
that's a big deal.  He lost pictures of his kids, all of his email, and
other data from the laptop that he'd never see again.  The hacker posted a new
status on his now hacked Twitter account - "Clan Vv3 and Phobia
hacked this twitter."
What the hell happened? In his extensive talk with
AppleCare, he realized that all that was needed to get a temporary .me password
reset were the last 4 digits of your credit card number and a billing
address.  And how did they get that information? Afterwards the hacker
(Phobia) contacted Honan.  In Honan's words:
"After coming across my account, the hackers did
some background research. My Twitter account linked to my personal website,
where they found my Gmail address. Guessing that this was also the e-mail
address I used for Twitter, Phobia went to Google’s account recovery page. He
didn’t even have to actually attempt a recovery. This was just a recon mission.
Because I didn’t have Google’s two-factor authentication
turned on, when Phobia entered my Gmail address, he could view the alternate
e-mail I had set up for account recovery. Google partially obscures that
information, starring out many characters, but there were enough characters
available, m••••n@me.com. Jackpot."
Two-factor authentication being turned on probably would
have been the end of this story.
But it went on.  Phobia indicated that any email
address associated with an Apple account is pretty easy to get, and Amazon was
the next target.  The same kind of trickery was used to fool Amazon into
believing that Phobia was a legitimate Amazon user that couldn't access their
account - changing the associated email, getting a password reset sent to that
email, and logging in.  And what's on file on an Amazon account?  You
guessed it, the last 4 digits of the user's stored credit card numbers.
And that's how it all comes together.  Like I said at
the top of the post - Low tech, high efficiency.
Mr. Honan asked Phobia why they did this to him. Phobia's
response was that they like to publicize security exploits so that all users
can see what happens and be able to defend themselves from hackers.  It
sounds like the so-called "hacktivism" we've seen over the last two
years with stories like Sony's PSN fiasco.  But I'm really not sure how
destroying a private user's irrecoverable data was needed to make their
point.  If you want to do this thing for the public good, it is well
within your power to do it without hurting any of the public involved.
But I digress.  Admittedly Mr. Honan made a lot of
mistakes on how he had his personal security set up that led to his digital
demise.  I don't mean stuff like strong passwords for people trying to
hack their way in through brute force.  I mean other things people can do
specifically to reduce their risk of low-tech hacks.  And I'm going to
walk you through some of them to help you all stay a little safer at home.
Right off the bat he broke one of the cardinal rules of
keeping your stuff safe - routine backups of important information.
Personally about once a month, or when I do something important or official, I
back up one or more file sets.  It's the single best way of adding a layer
of redundancy to your data in case something should go wrong.  You can use
external USB drives, a cloud solution (if you're into that), CDs or DVDs, or
a number of other forms of media.  Apple operating systems as well as
Microsoft's Windows OSes come with native tools to back up your data.
Secondly, he used a common prefix for all of his accounts.
If you have multiple email accounts, try not to use the same prefix for all of
them - as in abc@hotmail.com, abc@yahoo.com, abc@me.com, etc.  If someone
knows one of your addresses it becomes that much easier to guess what your
other accounts could be called.
Two-factor authentication is available for Google accounts and is becoming
increasingly common elsewhere.  For those of you that play any
Blizzard games, this is the equivalent of your Authenticator.  It means
that even if someone has your password, they can't alter your user info without
that second piece of information.  Google and others use an
"alternate email" or even phone numbers for extra verification.
Next is something that's Mac-specific, and that's the Find
My Mac feature.  This is a great feature for the iPhone, because people
lose their phones pretty frequently, and need to have some sort of tool to wipe
that data.  For a laptop it could be useful, but be real,
how apt are you to lose your laptop like you could lose your phone?  And
as Honan notes, there are some problems with the implementation of the service, which has
been part of their system since OS X Lion. Reversing a remote hard
drive wipe is easy - but only if you're the one that did it.  If someone
remotely wipes your machine, you don't have the PIN you need to make
that happen.  So until they improve it, my suggestion for most of you is
to turn Find My Mac off.
In addition to these things that were relevant in what
happened in this case, you need to make sure you know who you're giving
information to and what you're entering information into. Let me give you an
example - if I get a call claiming that there's an issue with my credit card, I
don't engage it.  I will call my bank myself using a number that I know is
real so I minimize any chances of someone getting my information.  It's
little things like this that will help you minimize your risk of becoming a
victim of social engineering.  And with all of the forms of social media,
email and other types of accounts, there's more information out there to be had
than ever before.
Since this event occurred, Apple has suspended over-the-phone AppleID password resets and Amazon has tightened up their security as well.
Unfortunately Mr. Honan had to get hacked for them to take a closer look at
their practices.
If you have any questions, of course you know by now that
I'm here for you America. You can find me at helpdesk@tusharnene.com if you
need some pointers.  Of course I can't do the fixes for you
(I do have a day job) but I can try and point you in the right direction.
This incident goes to show why validating with a PIN that isn't recorded anywhere is better than the last four of a CC; at the very least the last 6 of a CC should be used if that's an option.