
Wednesday, August 8, 2012

The "Epic Hack" of Wired's Mat Honan - Social Engineering at Work


[Article first published as The "Epic Hack" of Wired's Mat Honan - Social Engineering at Work on Blogcritics.]

I spend a lot of time and effort attempting to keep people safe in the digital age.  Whether it's on a professional level at my job or through my writing or social media, to me it's important that everyone is as safe as they can be, knowing that nothing is 100% foolproof.  Part of what I do professionally is keeping computer systems safe, and even I have had to go through the pains of wiping everything from my computer and starting from scratch more than a couple times.  It happens. Even to the nerd elite.

So when someone brings me their machine or reports some sort of issue, I know it's going to be one of a few things - (1) a virus, (2) malware/scareware or (3) phishing scams.  But these are all software methods with the aim of destruction or data theft.  Sometimes, especially with scareware, someone's looking for the user to give up a credit card number, a user name or password, account numbers of any kind, hell, even social security numbers.  The reason is that any combination of these things can be pieced together enough for someone to pass themselves off as you.  And once that happens, your digital life can be reduced to ruins. Accounts or credit cards can be opened in your name, and you can wave bye-bye to your credit, your money, or even your good name.  There are a lot of snippets of code or scripts or SQL injections (and blah blah the list goes on) that can do this to you.  But in my experience, knowing what I know and having had to help people protect against it, I've found that there's one tool that works better than all of the above combined, and that's social engineering. Low tech compared to software hacks, but highly efficient.  I wrote a bit a while ago on the topic concerning RSA if you want some details, but I'll nutshell the concept for you - social engineering means hacking people, not machines.


It's a fancy way of saying "tricking people into giving up information." And attempts have been made on all of you, whether you know it or not.

So why am I going all into this topic today?  Unfortunately the way things work in this world is that something has to happen to someone with some clout for an issue to be addressed. What I just described happened recently to Wired Magazine's Mat Honan.  A bit of social engineering with some security holes at both Amazon and Apple led to what Honan describes as an "epic hacking."  He outlined his experiences for all to read yesterday, and it is 100% worth the read if you have a couple of minutes to do so.  He details everything from the what and the how all the way to actually talking to the hacker that broke into his life and the conversation they had.  I'll go over a little of it here.

Mr. Honan realized there was a problem on Friday - while he was trying to restore his iPhone, he was getting messages on his MacBook that his saved account information was wrong, asking him for a 4-digit PIN number.  The problem was, he didn't have a 4-digit PIN number.

His timeline that follows should scare the living hell out of you. Especially those of you that entrust all of your accounts to an AppleID.


Upon calling AppleCare for help, it was confirmed that they handed over temporary .me e-mail credentials to someone claiming to be him, and he watched over the next hour as that person reset credentials on his Twitter, then his Gmail, then wiped his iPad, and permanently reset his AppleID. But that was only the start - next was outright deletion of his Google account, followed by a remote "Find My" data wipe of his MacBook.  Now not only were all of his accounts effectively locked out to him, but anything on any of his devices that wasn't backed up was gone forever.  Maybe not such a big deal on his iPhone or iPad, but on a MacBook, his primary machine, that's a big deal.  He lost pictures of his kids, all of his email, and other data from the laptop that he'd never see again.  The hacker posted a new status on his now hacked Twitter account - "Clan Vv3 and Phobia hacked this twitter."


What the hell happened? During his extensive talk with AppleCare, he realized that all that was needed to get a temporary .me password reset were the last 4 digits of your credit card number and a billing address.  And how did they get that information? Afterwards the hacker (Phobia) contacted Honan.  In Honan's words:

"After coming across my account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission.

Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••n@me.com. Jackpot."

Two-factor authentication being turned on probably would have been the end of this story.

But it went on.  Phobia indicated that any email address associated with an Apple account is pretty easy to get, and Amazon was the next target.  The same kind of trickery was used to fool Amazon into believing that Phobia was a legitimate Amazon user that couldn't access their account - changing the associated email, getting a password reset sent to that email, and logging in.  And what's on file on an Amazon account?  You guessed it, the last 4 digits of the user's stored credit card numbers.

And that's how it all comes together.  Like I said at the top of the post - low tech, high efficiency.
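A small threat model of the recovery chain described above, written for this post as an added example (not Honan's, Wired's or any provider's code): each step lists what the recovery flow asked for and what it handed back, and a fixpoint shows which accounts fall from public facts alone, first as configured and then with Google's two-factor authentication on. The per-service rules are simplified from the post, the Amazon login address is assumed to be the same Gmail address, and the billing address is treated as findable.

```python
from dataclasses import dataclass

# Each Flow is one recovery or lookup step as the post describes it. "requires" are
# the facts the step asks for, "reveals" the facts the attacker holds afterwards,
# and takeover marks steps that hand over control of the account.
@dataclass(frozen=True)
class Flow:
    account: str
    requires: frozenset
    reveals: frozenset
    takeover: bool

# Starting facts: the Gmail address was on Honan's public website, and the post
# treats the billing address as findable. Labels are constructed, not real data.
PUBLIC = frozenset({"gmail_address", "billing_address"})

HONAN_2012 = [
    # Google's recovery page showed the masked alternate address (m••••n@me.com)
    # to anyone who entered the Gmail address; no takeover yet, just recon.
    Flow("google_recovery_page", frozenset({"gmail_address"}),
         frozenset({"me_address"}), takeover=False),
    # Amazon: a caller posing as a locked-out customer got the login email changed
    # and a reset sent there; the account then showed the card's last four digits.
    # Assumption: the Amazon login was the Gmail address the attacker already had.
    Flow("amazon", frozenset({"gmail_address", "billing_address"}),
         frozenset({"card_last4"}), takeover=True),
    # AppleCare issued temporary .me credentials for billing address + last four.
    Flow("apple_id", frozenset({"me_address", "billing_address", "card_last4"}),
         frozenset({"me_mailbox"}), takeover=True),
    # Gmail's reset mail went to the .me alternate address; Twitter's went to Gmail.
    Flow("gmail", frozenset({"me_mailbox"}), frozenset({"gmail_mailbox"}), takeover=True),
    Flow("twitter", frozenset({"gmail_mailbox"}), frozenset(), takeover=True),
]

def chain(flows, start):
    """Fixpoint: keep completing any step whose requirements are already known.
    Returns (facts known, accounts taken over)."""
    known, owned, done = set(start), set(), set()
    progress = True
    while progress:
        progress = False
        for f in flows:
            if f not in done and f.requires <= known:
                done.add(f)
                known |= f.reveals
                if f.takeover:
                    owned.add(f.account)
                progress = True
    return frozenset(known), frozenset(owned)

def with_google_2fa(flows):
    """Hardened variant: Google's lookup and reset both demand a second factor that
    never appears among the attacker's known facts, so the chain stops at Amazon."""
    return [Flow(f.account, f.requires | {"google_second_factor"}, f.reveals, f.takeover)
            if f.account in ("google_recovery_page", "gmail") else f
            for f in flows]

if __name__ == "__main__":
    for label, flows in (("as configured", HONAN_2012),
                         ("with Google 2FA", with_google_2fa(HONAN_2012))):
        known, owned = chain(flows, PUBLIC)
        print(f"{label}: taken over = {sorted(owned)}; facts = {sorted(known)}")
```

With 2FA on, Amazon's weak reset still leaks the last four digits, but without the masked .me address the Apple, Gmail and Twitter steps never become reachable.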

Mr. Honan asked Phobia why they did this to him. Phobia's response was that they like to publicize security exploits so that all users can see what happens and be able to defend themselves from hackers.  It sounds like the so-called "hacktivism" we've seen over the last two years with stories like Sony's PSN fiasco.  But I'm really not sure how destroying a private user's irrecoverable data was needed to make their point.  If you want to do this thing for the public good, it is well within your power to do it without hurting any of the public involved.

But I digress.  Admittedly Mr. Honan made a lot of mistakes in how he had his personal security set up that led to his digital demise.  I don't mean stuff like strong passwords for people trying to hack their way in through brute force.  I mean other things people can do specifically to reduce their risk of low-tech hacks.  And I'm going to walk you through some of them to help you all stay a little safer at home.

Right off the bat he broke one of the cardinal rules of keeping your stuff safe - routine backups of important information.  Personally about once a month, or when I do something important or official, I back up one or more file sets.  It's the single best way of adding a layer of redundancy to your data in case something should go wrong.  You can use external USB drives, a cloud solution (if you're into that), CDs or DVDs, or a number of other forms of media.  Apple operating systems as well as Microsoft's Windows OSes come with native tools to back up your data.

Secondly, he used a common prefix for all of his accounts. If you have multiple email accounts, try not to use the same prefix for all of them - as in abc@hotmail.com, abc@yahoo.com, abc@me.com, etc.  If someone knows one of your addresses it becomes that much easier to guess what your other accounts could be called.

Two-factor authentication is available for Google accounts and is becoming more common in a lot of other places.  For those of you that play any Blizzard games, this is the equivalent of your Authenticator.  It means that even if someone has your password, they can't alter your user info without that second piece of information.  Google and others use an "alternate email" or even phone numbers for extra verification.

Next is something that's Mac-specific, and that's the Find My Mac feature.  This is a great feature for the iPhone, because people lose their phones pretty frequently, and need to have some sort of tool to wipe that data.  For a laptop it could be useful, but be real, how apt are you to lose your laptop like you could lose your phone?  And as Honan notes, there are some problems with the implementation of the service, which has been part of OS X starting with Lion. Reversing a remote hard drive wipe is easy - but only if you're the one that did it.  If someone remotely wipes your machine, you don't have the PIN number you need to make that happen.  So until they improve it, my suggestion for most of you is to turn Find My Mac off.

In addition to these things that were relevant in what happened in this case, you need to make sure you know who you're giving information to and what you're entering information into. Let me give you an example - if I get a call claiming that there's an issue with my credit card, I don't engage it.  I will call my bank myself using a number that I know is real so I minimize any chances of someone getting my information.  It's little things like this that will help you minimize your risk of becoming a victim of social engineering.  And with all of the forms of social media, email and other types of accounts, there's more information out there to be had than ever before.

Since this event occurred, Apple has suspended over-the-phone AppleID password resets and Amazon has tightened up their security as well. Unfortunately Mr. Honan had to get hacked for them to take a closer look at their practices.

If you have any questions, of course you know by now that I'm here for you America. You can find me at helpdesk@tusharnene.com if you need some pointers.  Of course I can't do the fixes for you (I do have a day job) but I can try and point you in the right direction.

Thursday, November 17, 2011

96. Common Damn Sense: Does the Facebook Spam Wave Reflect Deeper Issues with User Habits?


[Article first published as Does the Facebook Spam Wave Reflect Deeper Issues with User Habits? on Blogcritics.]

It’s been a while since I jumped into a good old-fashioned rant.  As there is, as the kids say these days, no time like the present, I figure now would be a good time.  On the morning news as well as all over the internet were reports of a massive Facebook spam attack that flooded users’ profiles with violent and pornographic images.  So I thought to myself, “That’s kind of messed up.  Let me go to my account and make sure I’m good.”

And of course I was.  And there was nothing in my friends’ feeds either.  Not because we did anything special or have security settings configured in a certain way, but because there are still some of us left who have some common damn sense.  After reading about how this attack was executed, it became clear to me that, while it was through trickery, the exploitation was invited by the affected users themselves.

The attack tricked Facebook users into pasting a malicious snippet of JavaScript into their web browsers and running it, which then exploited a browser vulnerability causing them to “share” and “like” the malicious content without even knowing it.

That’s when I stopped reading for a while.  I had to weigh my feelings on this one – on the one hand we as tech people have a responsibility to educate our friends and the public at large as to how to protect themselves in the digital age.  On the other hand, we’ve been doing that forever and no one seems to care.  And while attacks and malware have evolved, the method for preventing this type of attack hasn’t, as it’s one of the big ones we’ve been advocating for years – don’t click on crap that looks suspect.  This case takes it a step further – now someone’s telling you, “Hey, stick this code in your browser and run it.  Cool stuff to follow,” and users mindlessly do it.  Then the public end result is a number of Facebook users on Twitter expressing their disgust and delivering empty threats to close their accounts, as if the internet is a magical and safe place where nothing bad has ever happened and people honestly just want to give you free stuff.

While spam on Facebook is nothing new, it’s never been this bad or spread at such a rapid pace before.  But at the time I’m writing this, Facebook has already claimed to have eliminated the malicious pages and identified the users responsible.  “Our team responded quickly and we have eliminated most of the spam caused by this attack,” a Facebook statement said. “We are now working to improve our systems to better defend against similar attacks in the future.”  This must have been a tough one for them to counter, seeing as the spread not only was user-generated, but exploited vulnerabilities in browsers, not actually Facebook itself.  I didn’t see any info on which browsers were the ones jacked, but I can guarantee that it affected the people who don’t follow their tech friends’ advice to “make sure everything’s always updated.”

Standard advice: Keep your software updated, keep your antivirus updated, don’t click links from people you don’t know, and be suspicious of people sending you links about free iPads, trips, or naked Beyoncé videos, no matter how hopeful you are to see all the single ladies.

So let’s consider the world to be “techs” and “users.”  Techs’ responsibility has to end at some point and users’ responsibility has to begin.  We do all we can to make sure people are educated and browsing safely.  Some onus has to be put on the users, because you’ve been informed of how things work.  It makes me wonder how we’re still in the age of “I wonder what this button does?” 

Computers, the internet, smartphones and mobile devices – these are the things we use in our everyday lives now.  They govern a large percentage of what we do – which is why it’s infuriating that it’s so easy for people to throw their hands up in the air and say “Oh, it’s tech, I don’t understand it and I don’t want to.”  That attitude makes people not take steps to protect themselves, and complain and whine when they get hit.  So don’t tell me things like how you forgot to install antivirus on your computer because you’re not a tech or you clicked a link because “how could I know” without being a tech person.

You’re not a mechanic either, but you still know you need gas in the damn tank to drive your car to work.  

Wednesday, October 12, 2011

94. Hacking, Social Engineering and RSA


[Article first published as Hacking, Social Engineering and RSA on Blogcritics.]

More than occasionally people will come to one of my tech friends or me with a computer problem.  This is no longer an uncommon occurrence given the ever-present digital influence in our lives, and we’ve all grown accustomed to the fact that it will, in fact, never end.

If what they say is true that knowledge is power, it’s kind of our duty as computer nerds – versions of the “keyboard cowboys” from Hackers, if you’ll allow me the reference – to help people when it comes to all things technical.  But we’ve all noticed a sharp shift in what people come to us for – when a few years ago it might have been basic OS reinstalls or simple virus cleans, today it’s a lot of security and protection of personal data.  And the reason for that is the evolution of viruses and other pieces of malicious software.

Back then viruses were designed for one of a few goals: humor and annoyance (i.e. Yankee Doodle and its ilk) or at worst, data destruction (remember Michelangelo?).  But once the internet age took hold, destruction of data wasn’t enough.  Now there are networks.  Now there are advanced communication methods.  Which means now there are means and opportunity.

Where there’s means and opportunity of course there’s theft.  Why just destroy data when systems are in place now to try and leverage that data for gain?  That’s the kind of thinking we need to deal with now.  And while most people may think that the biggest thing to fear on that front is a virus or worm that could steal information, or holes in their security, they’re only half right.  What’s more dangerous is the blind spot they have which prevents them from seeing the human element – how those security holes are exploited and how those trojans and malware are deployed to begin with.  And that human element is called social engineering.

In a nutshell, social engineering means bending someone to your will, whether they know it or not, into giving you their trust, and any information that comes along with that.  It’s a method for skimming information in which a human is the target, not necessarily a computer, and for that reason doesn’t even need a computer.  It can be done over the phone or even in person.  A common form of social engineering is phishing, where a user is baited into handing over information.  Have you ever gotten those emails that appear to be from Amazon or UPS linking a tracking number or purchase ID?  Yet, when you click on the link, it takes you somewhere that isn’t Amazon or UPS and starts asking for names, passwords and credit card numbers?  What the phisher is hoping is that they gain your trust by appearing to be someone you routinely do business with, then convince you to give them the information they want.  See?  A metaphorical bait and hook.  There’s a myriad of other types of social engineering that I may get into in later posts, but this is just background for a specific story.

RSA, a highly respected security company that provides the popular SecurID two-factor authentication system, was hacked back in March of this year, and that hack started a wave of attacks on companies that do contract work for the US Government like Lockheed Martin, L-3 and Northrop Grumman.  They’re in the news again, this time with some theories after investigating the incident with the FBI and Department of Homeland Security.  At RSA’s security conference in the UK on Tuesday, their president Tom Heiser stated, based on the complexity of the attack, that “we can only conclude it was a nation-state sponsored attack.”  They believe that the hackers’ goal was to directly exploit companies that did work for our government, and of course for security reasons have withheld other information.  Scary as hell right?

So how did all of this happen to a company of such reputation in the field of security?  It’s been reported (unconfirmed by RSA) that access was gained through a phishing email targeting employees in the HR department with an Excel spreadsheet entitled “2011 Recruitment Plans” and a body text of nothing but “I forward this file to you for review.  Please open and view it.”  No signature, no name, no contact information and presumably unsolicited.  All it took was for someone to trust that the mail was legitimate, open the attachment, and unwittingly let the code execute.  Supposedly in this case it was an exploit in Adobe Flash that allowed the real attack to be executed, but simple phishing provided the entry point.
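Detection logic for the traits this post lists in the RSA lure, added here as an example (not RSA's or anyone's real mail filter): it scores a message on the bare "please open it" body, the missing signature and contact details, the unsolicited outside sender and the document attachment, and compares the reported lure with a constructed legitimate mail. The sample messages, sender addresses, attachment extension, internal domain and score threshold are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Traits the post singles out in the RSA lure; sets and patterns are constructed.
DOC_OR_ARCHIVE = {".xls", ".xlsx", ".doc", ".docx", ".zip", ".exe"}
OPEN_IT = re.compile(r"\b(open|view|review|check)\b.*\b(file|attachment|spreadsheet|it)\b", re.I)
SIGNOFF = re.compile(r"^(thanks|regards|best|sincerely|cheers)\b", re.I | re.M)
PHONE = re.compile(r"\d{3}[-. ]\d{4}")

@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    in_reply_to_ours: bool = False   # True when it answers something we sent (solicited)

def triage(msg, internal_domain="example.org"):
    """Return (score, reasons): one reason per lure trait present in the message."""
    reasons = []
    exts = {a[a.rfind("."):].lower() for a in msg.attachments if "." in a}
    if exts & DOC_OR_ARCHIVE:
        reasons.append("office document or archive attached")
    # A short body that only tells the reader to open the attachment, as in the lure.
    if msg.attachments and len(msg.body.split()) <= 25 and OPEN_IT.search(msg.body):
        reasons.append("body is nothing but an instruction to open the attachment")
    if not (SIGNOFF.search(msg.body) or "@" in msg.body or PHONE.search(msg.body)):
        reasons.append("no signature, name or contact details")
    if not msg.sender.lower().endswith("@" + internal_domain) and not msg.in_reply_to_ours:
        reasons.append("unsolicited and from outside the organisation")
    return len(reasons), reasons

def should_quarantine(msg, threshold=3):
    """Hold the message for review once enough lure traits stack up."""
    return triage(msg)[0] >= threshold

# Constructed samples. The lure mirrors the reported RSA message; its sender address
# and attachment extension are assumptions, not reported details.
LURE = Message(sender="webmaster@careers-mailer.example.net",
               subject="2011 Recruitment Plans",
               body="I forward this file to you for review. Please open and view it.",
               attachments=["2011 Recruitment plans.xls"])

LEGIT = Message(sender="sam.lee@example.org",
                subject="Q3 headcount sheet",
                body=("Hi Dana,\n\nAttached is the Q3 headcount sheet we discussed in "
                      "Tuesday's meeting. Let me know if the contractor column looks "
                      "right before I send it to finance.\n\nThanks,\nSam Lee\n"
                      "Recruiting, ext. 555-0142"),
                attachments=["q3_headcount.xlsx"], in_reply_to_ours=True)

if __name__ == "__main__":
    for m in (LURE, LEGIT):
        score, why = triage(m)
        print(f"{m.subject!r}: score {score}, quarantine={should_quarantine(m)}", why)
```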

So what point am I trying to drive home here?  Hackers don’t need to rely on a toolkit of scripts and exploits to gain unauthorized access to networks.  Sophistication isn’t a prerequisite to finding a point of intrusion – even primitive social engineering schemes like this one were enough to break into a company like RSA.  So next time you get an email that’s asking you for personal information, or someone’s asking questions that are getting a bit too personal, do yourself a favor and don’t answer them, whether it’s over the phone, via email or on the web.  Ask your service provider if what you received was really from them and legitimate, and consult one of your nerd friends.

And go buy some antivirus software, I know too many of you are running systems without.