


Circumventing the writer's password proved easy thanks to some help from Apple

According to Kaspersky Labs, Apple, Inc. (AAPL) is ten years behind Microsoft Corp. (MSFT) in security.  Mat Honan, a former Wired editor and senior Gizmodo reporter found that out the hard way when a hacker took over the official Gizmodo Twitter feed and Mr. Honan's other accounts to spew foul racist and offensive messages onto the internet.

The culprit was a combination of Apple and Amazon.com, Inc.'s (AMZN) security procedures.  Like many journalists, Mr. Honan was a fan of Apple's popular gadgets.  And like many he shopped on Amazon.  But that popular commerce portal, Amazon, combined with those Apple gadgets' ubiquitous online interface -- iCloud -- proved the key to the unfortunate intrusion.  Mr. Honan himself writes, "[The hacker] got in via Apple tech support and some clever social engineering that let them bypass security questions."

Via the iCloud (*.mac) email account, the hacker gained access to his Gmail and Twitter accounts through their ordinary password-recovery interfaces.  The hacker also locked him out of his iCloud account by changing its password.

By hacking Apple's iCloud and Amazon's commerce portal, a malicious user gained access to an award-winning journalist's accounts. [Image Source: 9 to 5 Mac]

At first Mr. Honan suspected his "7 digit alphanumeric" password had been cracked, given its relatively short length.  However, he was puzzled, because it was a password he "didn’t use elsewhere."

In the chaos that ensued Mr. Honan saw his MacBook Air, iPhone, and iPad remotely wiped -- a glaring dark side of features that were designed to protect Apple users.  The "Genius Bar" is currently working with him to see what data is recoverable, and in the meantime he has managed to re-secure his accounts.

Aside from the newsworthiness of such a high profile, award-winning tech journalist being victimized by a malicious hacker, the story of Mr. Honan's misfortune also raises more serious questions regarding Apple and Amazon's security.  

The hack of prize-winning journalist Mat Honan raises tough questions for Apple and Amazon. [Image Source: Ibabuzz]

Based on the accounts of both the hacker who attacked him and Apple, Mr. Honan says virtually any iCloud user is at risk of having their account hijacked via a quick and dirty social engineering scheme.

He writes in a followup:

Via AppleCare, I was able to confirm the hacker’s account of how he got access to my account. I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes).  I want to give the company a little more time to look at its internal processes, but it should be as simple as a policy change. So far, I haven’t received any acknowledgement from Apple corporate. I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. So I gather corporate is aware of what happened and looking into how to most effectively respond to make sure this doesn’t happen again.

At least, I hope that’s what’s happening. 

In a post yesterday on Wired, he provides more information, explaining that Amazon.com, Inc. (AMZN) is also to blame, because it allowed unwanted account access through a bizarre loophole.  Mr. Honan writes in Wired:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

The key gaffe on Amazon's part appears to be allowing a caller to add a credit card to an account without any verification through the account's original email address.  Hopefully Amazon fixes this in a timely manner.

As for Apple, in many ways its flaw is worse: virtually any compromised commerce portal (and many paper receipts) exposes a partial credit card number, namely the last four digits.  That Apple would accept those digits as identity verification is troubling, to say the least.
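To make the dependency between these recovery desks concrete, here is an added example (not from the article, Wired, or any of the companies named) that models the chain as "if the desk accepts X, the caller gains Y" rules and computes which accounts fall once only a name, e-mail address and billing address are known; the provider labels and factor names are placeholders chosen for the illustration, and the same model is then used to check which single hardening step would have broken the chain.

```python
# Constructed model of the recovery chain described in the article.
# Rules, identifier names and step labels are placeholders for this
# illustration, not any vendor's real process.

RECOVERY_RULES = [
    # (step name, identifiers the help desk accepts, what the caller gains)
    ("amazon: add card by phone",   {"name", "email", "billing_addr"},         {"attacker_card"}),
    ("amazon: add email by phone",  {"name", "billing_addr", "attacker_card"}, {"amazon_login"}),
    ("amazon: view cards on file",  {"amazon_login"},                          {"card_last4"}),
    ("apple: reset Apple ID",       {"email", "billing_addr", "card_last4"},   {"icloud_mail"}),
    ("google: reset via alt email", {"icloud_mail"},                           {"gmail"}),
    ("twitter: reset via email",    {"gmail"},                                 {"twitter"}),
]

PUBLIC_KNOWLEDGE = {"name", "email", "billing_addr"}  # findable without any breach


def cascade(known, rules):
    """Fire every rule whose requirements are met until nothing new is gained.
    Returns (everything now known, step names in the order they fired)."""
    known, fired = set(known), []
    progress = True
    while progress:
        progress = False
        for step, needs, gains in rules:
            if step not in fired and needs <= known:
                known |= gains
                fired.append(step)
                progress = True
    return known, fired


def harden(rules, steps, factor):
    """Require an extra factor the caller cannot supply (a device in hand, a
    reply from the account's original inbox) at the given steps."""
    return [(s, needs | ({factor} if s in steps else set()), gains)
            for s, needs, gains in rules]


def single_point_fixes(rules, start, target):
    """Steps where adding one un-spoofable factor alone keeps `target` out of reach."""
    return [s for s, _, _ in rules
            if target not in cascade(start, harden(rules, {s}, "second_factor"))[0]]


if __name__ == "__main__":
    known, path = cascade(PUBLIC_KNOWLEDGE, RECOVERY_RULES)
    print("chain:", " -> ".join(path))
    # 2-step verification on the Gmail reset stops the Twitter takeover, but in
    # this model the Apple ID (and with it the remote wipe) is already reachable.
    mitigated = harden(RECOVERY_RULES, {"google: reset via alt email"}, "phone_in_hand")
    print("with 2-step on Google:", sorted(cascade(PUBLIC_KNOWLEDGE, mitigated)[0] - PUBLIC_KNOWLEDGE))
    print("single fixes that break the chain:", single_point_fixes(RECOVERY_RULES, PUBLIC_KNOWLEDGE, "twitter"))
```

Because the modelled chain is strictly linear, hardening any one desk stops the final takeover; a branching model (two independent routes to the same account) would show fewer single-point fixes.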

Apple has struggled over the last year with security.  In one extreme instance it was shown to be saving some user passwords in plaintext, an issue that took it months to remedy.  The company, whose value is largely built on an impression of superiority over conventional personal computers, has largely refused to publicly acknowledge these issues for fear of damaging its prized image.

Ultimately Mr. Honan would discover that the hacker involved -- who called himself "Phobia" -- didn't target him because he was a high-profile writer.  He targeted him because he held a coveted 3-character Twitter handle (@mat).  The rest was, as hackers say, "gravy" -- and thanks to Amazon and Apple there was plenty of gravy to go around.

Sources: Empty Age, Wired




Ahh, you sheeples
By 325hhee on 8/7/2012 12:49:43 PM , Rating: 4
Gotta love all these people that are so die hard on Apple products and think it's cool to have an array of them all linking together, just sitting and waiting to get poached.

It's ok to enjoy a product, but to be a sheep and buy into one product is just a disaster waiting to happen. I'm a proud Windows user and Android user, I love to customize and build my own set up. This is the freedom of the non-Apple market.




RE: Ahh, you sheeples
By Scott66 on 8/7/12, Rating: -1
RE: Ahh, you sheeples
By Scott66 on 8/7/2012 12:59:49 PM , Rating: 2
Sorry, meant to type: Amazon's name is not in the title of other articles.


RE: Ahh, you sheeples
By homernoy on 8/7/2012 1:00:56 PM , Rating: 2
I think you should look again. Amazon is in the title of this article.


RE: Ahh, you sheeples
By homernoy on 8/7/2012 1:02:26 PM , Rating: 2
I see you edited your comment.


RE: Ahh, you sheeples
By bobcpg on 8/7/2012 5:52:13 PM , Rating: 3
You can edit comments now?


RE: Ahh, you sheeples
By bah12 on 8/8/2012 10:06:38 AM , Rating: 2
You need to recheck your reading. Amazon exposed the last 4 (which virtually all sites do, not to mention loads of other physical receipts). It is a complete failure by Apple to use such a publicized number as a security key. Hell, a simple snag of a receipt left at a gas pump will give you all you need.


RE: Ahh, you sheeples
By Miggleness on 8/7/2012 12:58:38 PM , Rating: 2
I'm beginning to think highly of you, sir.


RE: Ahh, you sheeples
By Tony Swash on 8/7/2012 1:05:44 PM , Rating: 2
Here is my take on this incident.

a) It's a bit scary

b) I felt desperately sorry for this guy when I learned he had lost many photos of his child, those sort of things are very precious indeed

c) Always be super paranoid about backups and backups of backups

d) Try to keep a firewall between your various online personae, different passwords seem a given

e) The various tech companies would do users a huge favour if they got together and agreed to review how their various security systems interacted, so a cascade breakdown of security becomes more difficult

f) Apple need to review their staff training

g) The person who did this is a piece of slime, it doesn't surprise me that the hack was used to tweet racist and homophobic crap, it fits the character type. A bit like the sort of turd who can casually dismiss hundreds of millions of people as sheep. A sad sap over compensating for a well deserved inferiority complex.


RE: Ahh, you sheeples
By Brandon Hill (blog) on 8/7/2012 1:22:10 PM , Rating: 3
My son will be three months old this week. If I lost all his pictures, I'd be devastated. However, I back up my machine to an external hard drive and my pictures to Dropbox.

This event scared me enough to enable Google's 2-step verification, but it still wouldn't save me from an Amazon sneak attack.


RE: Ahh, you sheeples
By croc on 8/8/2012 9:08:28 AM , Rating: 2
Brandon, you of all people should know that to depend on 'the cloud' for security is about as good as depending on your wife to keep an embarrassing incident secret from your mother-in-law... (No, I didn't hack your accounts...)

The take-away point from this story is that if something is a little bit convenient for you, it is a LOT convenient for something / one that wants your information. To make it hard for them to do that, unfortunately it is going to be a bit more difficult for you, too.

You have taken some steps in the right direction, now think it through and finish the job.

No one (or thing) is hack-proof, but at least make them WORK for it, for heaven's sake.

(Congrats on the new son, BTW... I haven't been following the site as much as I should, lately.)


RE: Ahh, you sheeples
By leviathan05 on 8/7/2012 1:32:42 PM , Rating: 2
You were on your way to a laudable comment and then you had to kill it with your last point. Bravo!


RE: Ahh, you sheeples
By theapparition on 8/7/2012 2:54:57 PM , Rating: 2
Comments by Mr. Swash on topics without Apple in the headline.

Zero

Doesn't that speak volumes?


RE: Ahh, you sheeples
By retrospooty on 8/8/2012 1:11:05 PM , Rating: 2
"Comments by Mr. Swash on topics without Apple in the headline. Zero Doesn't that speak volumes?"

Yup... When you create an ID and do nothing but post one-sided comments about one company, it says that you are either full of shit, or just a complete fool. Either way no-one takes you seriously.


RE: Ahh, you sheeples
By wickyman on 8/7/2012 7:43:23 PM , Rating: 2
But blaming Apple for all this is a bit like blaming any other company if someone stole your wallet and was able to perform this same "hack". If they have your valid information, and that information is the only means of proving you are who you claim to be then this is basically identity theft isn't it?

Only difference here is Phobia didn't lift a wallet, he went on facebook, twitter, personal websites, etc and used that information to exploit a loophole in Amazon's system to get the last bit of information. But someone who did lift your wallet could have done the same thing in half the time.

If someone got all the information they needed about you to perform the same type of identity theft, would you blame Google? As far as they know, you just changed your password and then made changes to your account. Are Microsoft actively monitoring your computer and Google your Android phone? Would they step in because they think something odd is happening? If not, you are just as vulnerable to identity theft if someone REALLY wants to target you. Even if you shun yourself from the norms of social media, you are still posting here. Someone could just as easily hack into dailytech and get some clues that would lead them closer and closer until they get the information they really wanted. Welcome to the sheeple, you should have kept your mouth shut.


RE: Ahh, you sheeples
By blue_urban_sky on 8/8/2012 3:29:22 AM , Rating: 2
I think the point was that Apple used the last 4 digits of the CC as a security check. As far as I remember these are even shown on the advice slips you get from the ATM? They are definitely shown on most websites. If my bank account was hacked in this way I would not be blaming Amazon.

Apart from social engineering they didn't have a great deal of info on the guy? a user name, real name and address? not quite identity theft I think.


RE: Ahh, you sheeples
By Dug on 8/8/2012 1:38:28 PM , Rating: 1
Ah yes, because no one has an Amazon account tied to a Google account tied to their Android.

Keep being proud there buddy. BTW no one has to sync multiple Apple devices. But I guess you wouldn't know that.


Confused
By really on 8/7/2012 1:14:47 PM , Rating: 2
I'm a little confused. How did the hacker get all of this guy's various user accounts just from getting a 4 digit partial cc # from Amazon? Does Amazon use a common logon with Apple?

Once he got the Apple account reset, how did that give him access to Twitter? Did he add a new phone to the iCloud and then do a restore to get all the guy's info? So many bits of missing info here.




RE: Confused
By Brandon Hill (blog) on 8/7/2012 1:32:02 PM , Rating: 2
http://www.wired.com/gadgetlab/2012/08/apple-amazo...

quote:
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.


You have to read the whole story. It's quite an elaborate attack


RE: Confused
By really on 8/7/2012 1:49:06 PM , Rating: 2
Thank you Sir! This is why I don't use other sites' authentication. For example, using an app or website that allows you to conveniently use your Facebook account as your login for their site. While it is convenient for you, it is also convenient for someone trying to get all your info.

1. Use strong passwords (never use words found in the dictionary; these are the easiest to hack)
2. Use different passwords and possibly usernames for each website (as hard as it is to keep track of)
3. If you have to reset your password for a site, make sure you change the password from the one they give you. Otherwise, if your email account gets hacked they now have your other passwords.
4. If you have to use standard provided security questions, don't give a correct answer to the question. (as someone else mentioned) The best option is if they give you the ability to create your own custom security question; go that route and don't make the question based on info someone could find on one of your social networking sites like Facebook, G+, LinkedIn etc.


RE: Confused
By Camikazi on 8/7/2012 2:12:11 PM , Rating: 2
I never use those type of sites, I keep all my accounts separate, while it may be more work to remember them all it keeps me a bit more secure. Dunno who thought it would be a good idea to use one account for lots of websites, seemed like a huge security hole to me from the beginning.


RE: Confused
By augiem on 8/8/2012 4:34:56 PM , Rating: 2
Those login with Facebook things are just plain stupid. What's to stop someone from just putting up a fake username/password box and have you just hand over your private info to them? Even using Paypal to pay sometimes seems iffy, but at least there you can tell by looking at the URL bar what site you're really on.

As for your #4, I always just make a 2nd impossible to guess password for any security question. It's so annoying when they force you to enter those as they're useless.


Gizmodo
By kleinma on 8/7/2012 1:26:25 PM , Rating: 5
Shouldn't gizmodo have stopped trusting apple security when apple security had the police raid them for an iPhone prototype?




RE: Gizmodo
By nico.the.murph on 8/11/2012 8:20:54 PM , Rating: 2
I was just about to make a similar comment. Apple does have a punitive bent.


Stop using easy to obtain data
By Marlin1975 on 8/7/12, Rating: 0
RE: Stop using easy to obtain data
By Rukkian on 8/7/2012 2:36:16 PM , Rating: 2
Apparently, you either did not read the article, or have a learning disability, as what you said has nothing to do with how this hack worked.


Correction...
By smegz on 8/7/2012 6:08:13 PM , Rating: 2
Mat Honan is a current Wired blogger and former Gizmodo blogger.




Home cloud!
By Kepler on 8/8/2012 12:36:25 PM , Rating: 2
DynDNS + NAS + linux VM with *only* SSH running (forwarded from a high port) + SSH key + foldersync = personal cloud.

I snap a picture, it uploads it automatically when the camera folder changes. If I use a normal camera, I sync it as soon as I get to a computer.

NAS (raid5) backs up to an external, in case of a dual drive failure.

If all three drives fail, phone/camera mem fail, or there is a fire, I'm screwed, I guess.

















