WIRED: Last Friday, the journalist Mat Honan was hacked – "hacked", as he says, "hard".
Honan used to work for Gizmodo, a tech blog that has its fair share of detractors, and personally attracts a fair level of attention for his writing; but in fact he was targeted because the hacker wanted to get to his three-letter Twitter handle, mat.
In the process Honan had his Twitter, Gmail, and Apple accounts taken over by his attackers.
The hackers posted obscenities on the Twitter feed, searched his Gmail account to obtain other passwords and details about his life and most drastically, used the Apple login to trigger remote wipes of his iPad, MacBook and iPhone.
“Remote wipe” is Apple’s new iCloud feature which allows users to ask Apple to destroy all the data on equipment that has been reported lost or stolen. It’s an operation you can start automatically – if you have the right password.
All of this happened within minutes of obtaining the first password; Honan had the movie thriller-like moment of watching his phone and other equipment shut down and start deleting the only copies of his personal data.
He had backed up his data, but only to Apple’s iCloud service itself; Apple says the data can now be recovered only by forensics on his hard drive.
Just like any other cloud service, every copy of his data was accessible over the internet. He didn’t have an offline backup – a store of data that you only connect to your computer briefly, and then keep separate from any networks.
According to discussions with the attackers themselves (who got in touch with Mat and told him how they did it, in return for his promise not to pursue charges), it looks like it wasn’t high-tech techniques that let them break into Honan’s Apple account.
Honan’s password wasn’t easily guessed, either. Instead, the attack used the oldest trick in the book.
Among computer security types, it’s called “social engineering”, but the less fancy name for it is “conning a human being”.
Honan’s attacker simply called up both Amazon and Apple tech support, pretended to be him, and then skilfully evaded the normal security checks that usually prevent such masquerades.
Apple’s phone support agreed to reset the password, effectively handing over the account to the caller.
Social engineering remains one of the weakest spots in any computing system that isn’t entirely automated – which is to say, all of them.
It’s amazing to me that even relatively cautious institutions such as banks seem to build online systems that are painfully vulnerable.
Take so-called “security questions”. How many times have you been asked your town of birth or your mother’s maiden name by a financial institution?
Now, consider: how hard would it be to obtain that information? Have you ever had an institution call you and ask you those security questions? Wouldn’t that be the perfect way to extract that data from you – pretend to be the company calling you, then call the bank, and give them the answers you provided?
As it turned out, the hackers managed to obtain the security details that Apple needed to reset the password by using another company’s security practices.
According to Honan, Apple requires a home address and the last four numbers of your credit card before they’ll reset your account.
Amazon will let you add a credit card to one of their accounts on the phone, and then will give you access to the last four digits of other credit cards on the same account, as long as you give them a valid email and an address. Discover your victim’s home address (not too hard), email (very easy), and you’re away.
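The chain just described is, in effect, a dependency problem: one company treats as a secret something another company hands out. Below is an added example (not part of the column, and not any company’s real policy) that models each service’s recovery check as the facts a caller must supply and the facts it then discloses, and computes how far an attacker starting from publicly findable facts can get; the “webmail” step is a constructed assumption used only to show the chain continuing.

```python
from dataclasses import dataclass

# Constructed model of the account-recovery chain described in the article.
# Service names, required facts and disclosures are simplified illustrations,
# not any company's actual policy.
@dataclass(frozen=True)
class Service:
    name: str
    requires: frozenset   # facts a caller must supply to pass the recovery check
    discloses: frozenset  # facts or access the caller gains once the check passes

def recovery_chain(services, attacker_knows):
    """Return, in order, the services whose recovery checks can be passed by
    someone who starts out knowing `attacker_knows` and reuses whatever each
    compromised service discloses. Iterates to a fixpoint, so order of the
    input list does not matter."""
    known = set(attacker_knows)
    compromised = []
    progress = True
    while progress:
        progress = False
        for svc in services:
            if svc.name not in compromised and svc.requires <= known:
                compromised.append(svc.name)
                known |= svc.discloses
                progress = True
    return compromised

RETAILER = Service("online retailer",
                   requires=frozenset({"email", "home address"}),
                   discloses=frozenset({"card last 4"}))
CLOUD_KBA = Service("cloud account (knowledge-based reset)",
                    requires=frozenset({"home address", "card last 4"}),
                    discloses=frozenset({"cloud mailbox", "remote wipe"}))
WEBMAIL = Service("webmail",  # assumption: its reset link goes to the cloud mailbox
                  requires=frozenset({"cloud mailbox"}),
                  discloses=frozenset({"stored passwords"}))
# Hardened variant: the reset also needs a recovery code the owner keeps
# offline; no other service ever discloses it, so the chain cannot reach it.
CLOUD_HARDENED = Service("cloud account (offline recovery code)",
                         requires=CLOUD_KBA.requires | {"offline recovery code"},
                         discloses=CLOUD_KBA.discloses)

PUBLIC_FACTS = {"email", "home address"}  # cheap to find, per the article

def weak_policy_chain():
    return recovery_chain([RETAILER, CLOUD_KBA, WEBMAIL], PUBLIC_FACTS)

def hardened_policy_chain():
    return recovery_chain([RETAILER, CLOUD_HARDENED, WEBMAIL], PUBLIC_FACTS)
```

Running both functions shows the knowledge-based policy falling in three steps while the hardened one stops after the retailer, which is the audit question a provider should ask of every recovery factor: does anyone else give this out?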
Questions that bypass password security are a consumer convenience. They are not designed to defend against devoted attackers with a particular target in mind.
They are intended to defend a system as a whole, or the accounts of thousands or millions of users, against a computerised attack. In the case of individuals such as Honan, the hackers don’t intend to defraud thousands of users.
They want to target one person, and are happy to spend time on the telephone or searching out minor facts to get them.
Banks and internet companies need to get a lot better at this, and fast. Not just because of the bad day a dedicated attacker can cause by deleting all the data that an individual such as Honan has access to, but because of the vulnerability that access to that data provides to everyone else.
Everyone, especially journalists such as Honan, has sources and confidential information in their data.
Access to one user will inevitably lead to secrets about others, including addresses, credit cards, security questions and more. And all users will be sharing – and linking – information between companies.
Commenters online were quick to criticise Honan for his poor security, but apart from the belt-and-braces protection of having offline backups, Honan did nothing wrong. It’s time we stopped blaming victims, and started fixing our security problems together.