Mat Honan's epic hacking

Doctor Glyndwr · **Joined:** 30th Mar, 2008 **Posts:** 32624

http://www.wired.com/gadgetlab/2012/08/ ... cking/all/

Quote:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

Read the whole thing. And then ponder your own security.

http://www.wired.com/gadgetlab/2012/08/ ... cking/all/

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

Doctor Glyndwr wrote:

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

I was going to post it on here this morning after seeing the follow up (the info yesterday was still unclear about how they actually got in) - I also wonder about these companies who are 'trusted' as a repository for everything so if for example he had his pictures backed up onto iphoto (or whatever the apple photo system was) could the people who already have control of everything just wiped those as easily ?

myp · **Posted:** Tue Aug 07, 2012 9:18

Setting up two-step auth on Gmail as we speak.

metalangel · **Posted:** Tue Aug 07, 2012 9:20

Fuuuuuuuuck.

Malabelm · **Posted:** Tue Aug 07, 2012 9:29

The Last Salmon Man wrote:

Setting up two-step auth on Gmail as we speak.

Everybody should be doing this. The amount of seriously sensitive data in most people's email account is staggering. It's the portal to almost everything.

myp · **Posted:** Tue Aug 07, 2012 9:34

Malabelm wrote:

The Last Salmon Man wrote:

Setting up two-step auth on Gmail as we speak.

Everybody should be doing this. The amount of seriously sensitive data in most people's email account is staggering. It's the portal to almost everything.

Very clever that it can generate app-specific passwords for programs that don't support it.

Bamba · **Joined:** 25th Jul, 2010 **Posts:** 11128

The Last Salmon Man wrote:

Setting up two-step auth on Gmail as we speak.

I should've done it ages ago but it just looked like such a pain in the arse but that's no excuse I suppose. Having to create a separate password specifically for Android was a surprise and I didn't entirely understand what was going on there if I'm honest but I'll read up on it later. Hopefully Google's implementation of this will be more reliable than fucking Steam's which pretty much asks me for an authentication code every time I login to the site for some reason.

Malabelm · **Posted:** Tue Aug 07, 2012 9:53

The Last Salmon Man wrote:

Malabelm wrote:

The Last Salmon Man wrote:

Setting up two-step auth on Gmail as we speak.

Everybody should be doing this. The amount of seriously sensitive data in most people's email account is staggering. It's the portal to almost everything.

Very clever that it can generate app-specific passwords for programs that don't support it.

Yep. It works quite well, really. So you can revoke individual apps/sites if they ever become compromised, without giving up access to anything outside that sandbox. As long as you don't re-use the app-specific passwords anywhere, of course. Pity generating them on mobile is such a fucking chore to find.

ApplePieOfDestiny · **Joined:** 17th Dec, 2008 **Posts:** 8293

Malabelm wrote:

The Last Salmon Man wrote:

Malabelm wrote:

The Last Salmon Man wrote:

Setting up two-step auth on Gmail as we speak.

Everybody should be doing this. The amount of seriously sensitive data in most people's email account is staggering. It's the portal to almost everything.

Very clever that it can generate app-specific passwords for programs that don't support it.

Yep. It works quite well, really. So you can revoke individual apps/sites if they ever become compromised, without giving up access to anything outside that sandbox. As long as you don't re-use the app-specific passwords anywhere, of course. Pity generating them on mobile is such a fucking chore to find.

I think that they now better explain app specific passwords now, and actually link through to generate them, rather than having to dig though to discover them when needed. I've had 2 Step Auth on for over a year now, and although I sometimes tut when I have to re-authenticate, it really has been no hassle. However, there is a potential glitch if your phone breaks and you then need to re-log in, or (potentially, not thought about it) unregister your phone if it is stolen.

markg · **Joined:** 30th Mar, 2008 **Posts:** 16640

ApplePieOfDestiny wrote:

However, there is a potential glitch if your phone breaks and you then need to re-log in, or (potentially, not thought about it) unregister your phone if it is stolen.

It gives you a set of single-use, printable codes to keep somewhere.

Malabelm · **Posted:** Tue Aug 07, 2012 10:04

ApplePieOfDestiny wrote:

I think that they now better explain app specific passwords now, and actually link through to generate them, rather than having to dig though to discover them when needed. I've had 2 Step Auth on for over a year now, and although I sometimes tut when I have to re-authenticate, it really has been no hassle. However, there is a potential glitch if your phone breaks and you then need to re-log in, or (potentially, not thought about it) unregister your phone if it is stolen.

I'll have a look at that. Last time, I had to dig around the Google site for ages, switching it to the desktop version and praying it didn't kick me back to mobile. It was useless.

Hah, yeah… especially awkward when I only get a phone signal when I'm next to the bedroom window upstairs. Stupid house.

I think you can set a backup email address, can't you? I can't remember.

Doctor Glyndwr · **Joined:** 30th Mar, 2008 **Posts:** 32624

Malabelm wrote:

Hah, yeah… especially awkward when I only get a phone signal when I'm next to the bedroom window upstairs. Stupid house.

Install the Google Authenticator app for iOS, Android or Blackberry and you don't need signal.

Malabelm · **Posted:** Tue Aug 07, 2012 10:25

Doctor Glyndwr wrote:

Malabelm wrote:

Hah, yeah… especially awkward when I only get a phone signal when I'm next to the bedroom window upstairs. Stupid house.

Install the Google Authenticator app for iOS, Android or Blackberry and you don't need signal.

I did not know such a thing existed. Brilliant. Cheers!

asfish · **Joined:** 5th Dec, 2010 **Posts:** 3353

Pretty shit thing to have happened, fair play to the guy for admitting his own failings, but Apple have some issues to address.

The hackers were just a pair of wankers then was no need or nothing proved by trashing the guys photos on his MAC. Hopefully he can get some of them back via a data recovery program.

I keep stuff on the cloud, but is replicated to my own RAID storage as well.

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Can't be arsed with the 2 step authentication, but this has at least got me to change a few passwords to be much more secure ones. (now a conjoined word string and number string)

myp · **Posted:** Tue Aug 07, 2012 12:16

Trooper wrote:

Can't be arsed with the 2 step authentication

Malabelm · **Posted:** Tue Aug 07, 2012 12:17

The Last Salmon Man wrote:

Trooper wrote:

Can't be arsed with the 2 step authentication

It takes a little bit of set-up, depending on how many apps need access to your Google account for any reason (not that many), but after that it isn't any hassle at all. On trusted computers, tick a box and you won't need to authenticate for 30 days. Easy.

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

The Last Salmon Man wrote:

Trooper wrote:

Can't be arsed with the 2 step authentication

What? I can't

I have it for work and it is an utter ballache.

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Malabelm wrote:

The Last Salmon Man wrote:

Trooper wrote:

Can't be arsed with the 2 step authentication

It takes a little bit of set-up, depending on how many apps need access to your Google account for any reason (not that many), but after that it isn't any hassle at all. On trusted computers, tick a box and you won't need to authenticate for 30 days. Easy.

30 day open sessions and single passwords for all devices that use the API? You are getting the illusion of safety at the cost of annoyance.

Grim... · **Posted:** Tue Aug 07, 2012 12:24

Trooper wrote:

Can't be arsed with the 2 step authentication, but this has at least got me to change a few passwords to be much more secure ones. (now a conjoined word string and number string)

You'll notice that in the story above they never found out his password once.

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Oh sure, but I used this as a pointer to do something I have been meaning to do for ages

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

"In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover."

This is the thing that failed in that chain and that caused the rest, nothing any of us can really do to protect against idiotic companies and call centre agents.

asfish · **Joined:** 5th Dec, 2010 **Posts:** 3353

Trooper wrote:

"In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover."

This is the thing that failed in that chain and that caused the rest, nothing any of us can really do to protect against idiotic companies and call centre agents.

I always get the impression that Apple are a bit less focused on security than they should be, it’s always about the freedom to do what you like with their devices. This is fine and it works well, however when you start with data in the cloud security needs to be tighter.

Doctor Glyndwr · **Joined:** 30th Mar, 2008 **Posts:** 32624

Trooper wrote:

30 day open sessions

...on computers that already authenticated. Crucially, no-one with your password can log in from any random computer on the Internet.

Quote:

and single passwords for all devices that use the API?

You mean "one password per device that uses login methods like POP and IMAP that don't support two-factor auth".

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Doctor Glyndwr wrote:

Trooper wrote:

30 day open sessions

...on computers that already authenticated. Crucially, no-one with your password can log in from any random computer on the Internet.

Quote:

and single passwords for all devices that use the API?

You mean "one password per device that uses login methods like POP and IMAP that don't support two-factor auth".

Yes, that is what I mean.

2-step that isn't always 2-step, and isn't ever 2-step on some devices isn't the saviour of your security. Don't just turn it on and think all is well.

As mentioned in the article, the failure was a human one. It was Apple who have lax security, that is the root cause of the issue.

myp · **Posted:** Tue Aug 07, 2012 13:12

Quote:

Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened

WTB · **Joined:** 27th Mar, 2008 **Posts:** 14497

I already use Google's two stage process, and would recommend to all. As noted, it's only on new machines and every 30 days on authorised machines.

I also use Facebook's similar process, which requires a code for any new machine but doesn't do the 30 day thing.

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

The Last Salmon Man wrote:

Quote:

Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened

Had he not used an apple email address as his reserve account, then it definitely wouldn't have happened.
Had Apple not given out a new password without the hacker knowing the security password it definitely wouldn't have happened.

WTB · **Joined:** 27th Mar, 2008 **Posts:** 14497

Regardless, it's not going to hurt to make your Google account a bit more secure... :shrug:

Cras · **Joined:** 30th Mar, 2008 **Posts:** 49244

WTB wrote:

Regardless, it's not going to hurt to make your Google account a bit more secure... :shrug:

He who would trade liberty for some temporary security, deserves neither liberty nor security.

Fascist.

WTB · **Joined:** 27th Mar, 2008 **Posts:** 14497

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

WTB wrote:

Regardless, it's not going to hurt to make your Google account a bit more secure... :shrug:

It is going to hurt, in extra faff, for not a huge amount of gain.

The faff/gain ratio is all off for me personally, others may differ.

My point is, that this article shows how shit Apple are, not how "good" google 2-step is.

It's worth noting that the only place I actually use my gmail address anywhere is in my domain account, everywhere else has my domain address used.
And actually, due to my fucking idiot namesake who can't get his head around the fact that he doesn't own the email address he signs up to stuff with, if you actually searched using my gmail address, you would most likely find his personal details everywhere

myp · **Posted:** Tue Aug 07, 2012 13:24

Trooper wrote:

WTB wrote:

Regardless, it's not going to hurt to make your Google account a bit more secure... :shrug:

It is going to hurt, in extra faff, for not a huge amount of gain.

The faff/gain ratio is all off for me personally, others may differ.

Can I just quote this so I can dig it up when your Gmail inevitably gets hacked now?

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

The Last Salmon Man wrote:

Trooper wrote:

WTB wrote:

Regardless, it's not going to hurt to make your Google account a bit more secure... :shrug:

It is going to hurt, in extra faff, for not a huge amount of gain.

The faff/gain ratio is all off for me personally, others may differ.

Can I just quote this so I can dig it up when your Gmail inevitably gets hacked now?

As long as I can do the same when you get hacked, even with 2-step on

myp · **Posted:** Tue Aug 07, 2012 13:39

Trooper wrote:

The Last Salmon Man wrote:

Trooper wrote:

WTB wrote:

Regardless, it's not going to hurt to make your Google account a bit more secure... :shrug:

It is going to hurt, in extra faff, for not a huge amount of gain.

The faff/gain ratio is all off for me personally, others may differ.

Can I just quote this so I can dig it up when your Gmail inevitably gets hacked now?

As long as I can do the same when you get hacked, even with 2-step on

DEAL!

lasermink · **Joined:** 31st Mar, 2008 **Posts:** 1883

I have to say I'm quite shocked that anyone can get full control of an Amazon account with just name, email address and billing address - that's is often fairly easily obtained information for any given person.

I am going to have to set up a new email account just for Amazon, I think.

WTB · **Joined:** 27th Mar, 2008 **Posts:** 14497

*gets to work hacking myp's Gmail account*

zaphod79 · **Joined:** 16th Apr, 2008 **Posts:** 14518

lasermink wrote:

I have to say I'm quite shocked that anyone can get full control of an Amazon account with just name, email address and billing address - that's is often fairly easily obtained information for any given person.

I am going to have to set up a new email account just for Amazon, I think.

To me thats one of the security holes which need to be tightened up , that loophole should not exist.

If you've not read the story the Wired team tried this with someone else s account (i assume one of theirs) and also got things reset - Amazon *should* require you to authenticate to do anything on your account however for some reason they are quite happy to add another credit card without going through any authentication (and that new credit card number is then the mechanism to grant them access to the rest of the account)

However as pointed out on the article any typical receipt will also include the last 4 digits of a credit card (with the rest starred out) so those things are easy to come by and Apple should not accept that for authentication

WTB · **Joined:** 27th Mar, 2008 **Posts:** 14497

Is there any good reason for showing four digits of a card number on receipts and stuff anyway? Obviously it helps you to identify which card you used, but I've never found the need to do that anyway!

If I'm in a shop and the guy asks "do you want your card receipt, or...?" and I see that it's already printed off, I always think "well fuck yes I'd rather have it than leave it with you".

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

It would actually be better to show the first 4 digits, as they are specific to each provider but generic across those providers cards. So you could identify which card, but has nothing specific about you on it.

...and then not using that as ID for password changing in a phone call! :belm:

Doctor Glyndwr · **Joined:** 30th Mar, 2008 **Posts:** 32624

Trooper wrote:

It would actually be better to show the first 4 digits, as they are specific to each provider but generic across those providers cards.

I have two accounts at NatWest (private and joint), the cards have the same prefix.

Grim... · **Posted:** Tue Aug 07, 2012 15:01

Doctor Glyndwr wrote:

Trooper wrote:

It would actually be better to show the first 4 digits, as they are specific to each provider but generic across those providers cards.

I have two accounts at NatWest (private and joint), the cards have the same prefix.

Same.

Although not for much longer!

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Doctor Glyndwr wrote:

Trooper wrote:

It would actually be better to show the first 4 digits, as they are specific to each provider but generic across those providers cards.

I have two accounts at NatWest (private and joint), the cards have the same prefix.

Fair point, I just assumed that most have a different card from a different provider, rather than two from the same provider. I wonder how common that is?
I know I had two from Lloyds, but that was because one was an Amex and one was a Visa and hence had two different originator numbers.

Doctor Glyndwr · **Joined:** 30th Mar, 2008 **Posts:** 32624

Trooper wrote:

It would actually be better to show the first 4 digits, as they are specific to each provider

Also, no. You need six digits at least to get it down to the card issuer level: hhttp://en.wikipedia.org/wiki/List_of_I ... on_Numbers

E.g. consider

Quote:

4239** - St George Bank Visa Debit (Australia)
423966 - Suffolk County National Bank Visa Debit (NY)

522223 - Avangard Bank, Russia
522276 - Chase Manhattan Bank MasterCard Credit Card

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Doctor Glyndwr wrote:

Trooper wrote:

It would actually be better to show the first 4 digits, as they are specific to each provider

Also, no. You need six digits at least to get it down to the card issuer level: hhttp://en.wikipedia.org/wiki/List_of_I ... on_Numbers

E.g. consider

Quote:

4239** - St George Bank Visa Debit (Australia)
423966 - Suffolk County National Bank Visa Debit (NY)

522223 - Avangard Bank, Russia
522276 - Chase Manhattan Bank MasterCard Credit Card

Well, I meant * for the individual* for them to see which card they used. I would be extremely surprised if you had a card from both Chase Manhattan and Avangard Russia...

Doctor Glyndwr · **Joined:** 30th Mar, 2008 **Posts:** 32624

Trooper wrote:

Don't you work in QA?!

Trooper · **Joined:** 4th Mar, 2010 **Posts:** 22396

Doctor Glyndwr wrote:

Trooper wrote:

Don't you work in QA?!

I do indeed. *

Accuracy is overrated.

*

ZOMG Spoiler! Click here to view!

Although currently I spend my time helping decide where your tax monies are being spent on government IT projects, or more precisely which mountain of shit we aren't going to plough £700 million into this time around. I hope you now feel safe and secure that I know what i'm doing

Dimrill · **Posted:** Tue Aug 07, 2012 16:49

I'm going to use a bewildering array of different usernames and passwords for each application and service I use. Bound to be fine.

YOG · **Posted:** Tue Aug 07, 2012 17:01

2-step verification stopped the straight-to-YouTube publishing part of Windows Movie Maker from working, for me. It kept saying I needed to enter my Google password instead of my YT one, but I was already doing that. When I disabled it, everything worked again...

Dimrill · **Posted:** Tue Aug 07, 2012 17:02

YOG wrote:

2-step verification stopped the straight-to-YouTube publishing part of Windows Movie Maker from working, for me. It kept saying I needed to enter my Google password instead of my YT one, but I was already doing that. When I disabled it, everything worked again...

Probably need to generate an application specific password then. I remember I had to do that with Thunderbird.

Be Excellent To Each Other

Mat Honan's epic hacking

Who is online