Attacks/Breaches
8/8/2012
11:21 AM
Connect Directly
RSS
E-Mail
50%
50%

8 Ways To Avoid Getting Your Life Hacked

How can you avoid an 'epic hack' involving your Apple iCloud account, as journalist Mat Honan just experienced? Follow these strategies.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
How can cloud service users avoid Mat Honan's fate?

For those not in the know, Honan was the unlucky journalist who had his Macbook Air, iPhone, and iPad remotely wiped Friday by an attacker who seized control of his Twitter account--simply for the lulz--and who wanted to make it difficult for Honan to regain control of it.

But as Honan detailed Monday in "How Apple and Amazon Security Flaws Led to My Epic Hacking," the attack led to the loss of a year's data, including personal photos, as well as the deletion of his Google account and eight years' worth of emails.

Security-wise, what should Honan have done differently? Unfortunately, the attack succeeded not through technical sophistication, but smooth talking on the part of the attacker. In a blog post, Paul Ducklin, head of technology for Sophos in the Asia Pacific region, characterized the attack as "a hack of the 'why bother with security when I can talk my way past it' sort for which Kevin Mitnick achieved his infamy. ... The hacker--forget that, the criminal--called up Apple support and tricked them into handing over control of Honan's iCloud account."

Thanks to a reconstruction of the attack--in return for Honan agreeing to not press charges, the attacker, who goes by the name Phobia, agreed to walk him through what he'd done--there are a number of techniques that other cloud service users can practice to help protect any data they store online. Here's where to start:

1. Don't trust cloud providers. Do you think that cloud services offer security or privacy by default? Think again, as cloud-storage businesses are in business to make money, and that can lead to business decisions which prioritize information sharing and ease of access over security or privacy concerns. Notably, "Google's services are not secure by default," said security and privacy researcher Christopher Soghoian in a blog post that points to comments made by Google officials that anyone concerned with government surveillance of their documents or communications--such as journalists--shouldn't rely on services like Google Docs just out of the box. But the same goes for anyone who's concerned about the security of information they store at Google, or with any other cloud storage service.

2. Use fake personal data. Mother's maiden name? Name of your favorite pet? Place where you were born? Thanks to the Internet, the personal information that many websites ask you to input--in case they later ever need to verify your identity--can be discovered by motivated online researchers. For example, Mitt Romney's personal Hotmail account was reportedly hacked thanks to the attacker guessing the name of his favorite pet. Accordingly, consider not just using unique passwords for every website that requires a password, but also inputting fake personal data for each one as well. Then use a password manager or password wallet to help track all of this information.

3. Regularly make local backups. Honan said he lost photos, emails, and documents that he'd been storing on his laptop, iPhone, and iPad, because the data existed only there or on cloud services. To prevent this from happening, the related fix is clear: regularly back up to an external hard drive—or, preferably, two. "Had I been regularly backing up the data on my MacBook, I wouldn't have had to worry about losing more than a year's worth of photos, covering the entire lifespan of my daughter, or documents and emails that I had stored in no other location," said Honan.

4. Avoid daisy-chaining accounts. Don't link online accounts. Notably, Honan's attacker came gunning for his Twitter account, which by the way was still linked to the Twitter account of Gizmodo, where he'd formerly worked. To get to the Twitter account, the attackers essentially worked backward. "My accounts were daisy-chained together," wrote Honan. "Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc."

5. Consider Google's two-factor authentication system. Per Honan's advice, Google users should employ Google's two-factor authentication system, a.k.a. "two-step authentication." It works by either having Google text a temporary password to a user whenever they attempt to log on to their Google account, or else by using a Google two-factor password generator smartphone app. According to user reviews of the service, however, it's prone to losing tokens, which then requires the user to reauthorize every device or application that's tied to Google. Still, the extra authentication might slow or stop would-be attackers.

6. Disable remote wiping for laptops. Honan's attacker was able to not only remotely wipe his iPhone and iPad, but also his laptop, using the iCloud "Find My Mac" service. But use that type of service with caution, because if breached, it gives attackers inordinate power. "Consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect," said Ducklin at Sophos.

7. Press cloud providers for better password practices. In the wake of the hack of Honan's accounts, Wired reported that Amazon and Apple have reportedly discontinued the password-reset practices that Phobia used in his social engineering attack.

Apple, for example, has temporarily discontinued password resets by phone, and Amazon has stopped taking new credit card numbers by phone. That's important, because Phobia had added a bogus credit card number to Honan's Amazon account, then later called back and used the bogus credit card number to "verify" that he was Honan. From there, Phobia was able to see the last four digits of Honan's actual credit card number, which he used to validate his identity with Apple technical support, which--together with a billing address (retrieved via a whois lookup of Honan's personal site)--was all he needed to have Apple generate a temporary password, despite his not being able to answer the security questions that Apple had on file.

8. Keep fingers crossed. Unfortunately, the hack of Honan's Apple, Amazon, Google, and Twitter accounts demonstrates that a determined attacker--Phobia told Honan he was only 19--can find ways to circumvent cloud service security. As Soghoian noted in a blog post, the incident offers "a clear demonstration of how difficult it is for users to protect their data even when using tools and services created by billion-dollar corporations." Thanks to internal customer-service changes made by Amazon and Apple, these types of attacks might be more difficult, but whenever using cloud services, always consider what would be possible if an attacker does manage to gain access to your account.

One of the biggest challenges facing IT today is risk assessment. Risk measurement and impact assessment aren't exact sciences, but there are tools, processes, and principles that can be leveraged to ensure that organizations are well-protected and that senior management is well-informed. In our Measuring Risk: A Security Pro's Guide report, we recommend tools for evaluating security risks and provide some ideas for effectively putting the resulting data into business context. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TS_Time
50%
50%
TS_Time,
User Rank: Apprentice
8/21/2012 | 1:18:49 PM
re: 8 Ways To Avoid Getting Your Life Hacked
This is kind of a sad story, but I hope it serves as a kick in the pants that some companies and individuals need kick this complacent attitude about authentication and passwords. But the sad fact is there are millions of people just like him who are not taking advantage of this awesome functionality that is being offered to them by several sites. Two-Factor Authentication has jumped into the mainstream over the last few months. Although itGs been around for a while but it is good to see some of the big companies like Google promoting this option. 2-Factor Authentication for email wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.
Eric_Brown
50%
50%
Eric_Brown,
User Rank: Apprentice
8/15/2012 | 2:57:05 PM
re: 8 Ways To Avoid Getting Your Life Hacked
Thanks for the article. This is a sad fact of the 20th century that we live in. We all need to be more proactive about our personal account security. I agree with you on point 5, 2FA is a must. While he can blame both of the big guys (A+A) who failed him, he still needs to blame himself for failing himself. 2FA was an option that was made available to him and he did not see the need or want to take the time to set it, so it is his own fault. And that would have limited to damage done. But the sad fact is there are millions of people just like him who are not taking advantage of this awesome functionality that is being offered to them by several sites. I really hope this serves as a wake-up call to companies and individuals alike, for the need to kick this complacent attitude about authentication and passwords. An article posted on telesign.com mentioned some good points about how we all need to be more proactive about our personal account security. Take a look: http://www.telesign.com/news-a...
AustinIT
50%
50%
AustinIT,
User Rank: Apprentice
8/9/2012 | 1:02:21 PM
re: 8 Ways To Avoid Getting Your Life Hacked
Mat is involved in the tech business yet he buys the "I trust Apple" mantra? He's using iCloud yet it appears he never backed up his data... even to that service? He has a registered Internet Domain name yet he fails to make his registration private using an available option that nearly every Registrar provides?

Fail on many accounts. And, huge FAIL on Amazon and Apple for not adhering to their security practices when it comes to authenticating user identity. Lastly, I wouldn't use Google's services if it were the last one on earth.
Mark Sitkowski
50%
50%
Mark Sitkowski,
User Rank: Apprentice
8/9/2012 | 5:29:12 AM
re: 8 Ways To Avoid Getting Your Life Hacked
I think I can help anyone with a web site to avoid getting hacked.
Our site was hit by an attack from a machine in Sweden at 4am, this morning, which continued till 11am, The attacker launched 23,000 probes before the firewalls caught him and blocked him, whereupon he gave us a port scan of all 65535 ports, once ascending and once rescending. Attackng machine name is h92n5-m-sp-gr1.ias.bredband.te..., IP address 195.252.46.92.

The good thing that came out of this, was that our logs contained details of every file that he tried to access, which I can now pass on.
I've extracted details of the first 10,000 of these probes into a file, to help other potential victims secure those areas.
Get it from www.designsim.com.au/hacker.tx..., or go to the intro.html page and follow the link
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/9/2012 | 2:19:05 AM
re: 8 Ways To Avoid Getting Your Life Hacked
I really hate to say it, but welcome to the new reality.

I feel bad for Mat - losing control of those devices and accounts, much less losing the data on them, can make for a really, REALLY bad day.

Don't trust cloud providers? That's exactly why I've built my own infrastructure as part of my recording studio. File server, industrial strength firewall, backup procedures... all things that I've learned and mastered from roughly 20 years in the business.

The fake personal data thing, I've heard that before - but, you have to have a good memory when using things like that, otherwise a lost password that requires a reset turns into even more of an ordeal.

Backups? Yes, that's why I still run DDS-4, thank you. :) Sure, maybe I can't restore my music collection from halfway around the world (I'd like to try, if a plane ticket fell into my lap), but I know that my data is safe.

Account security is always a good thing to look at, consider, and reconsider. If you want to use randomly generated passwords and keep them all in a safe "electronic lockbox", there are a number of generators available on the Internet - even downloadable ones if you don't care to have your passwords transmitted via a web application.

Remote laptop wipe - I'm somewhat on the fence with this one. A lot of it depends on whether or not you are encrypting your hard drive (which I recommend). I like the idea of being able to nuke a device (laptop, tablet, mobile phone) remotely if it ever falls out of my posession.

I think the big take-away here, for everyone reading the article - don't just read, act on it. Learn from these events, lest it happen to you as well.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.