Attacks/Breaches
8/10/2012
02:24 PM
50%
50%

Apple, Amazon Security Fails: Time For Change

What will it take for cloud service providers to overhaul their customer identification mechanisms and finally get serious about social engineering attack vectors?

Call it the "security fail" experience for Amazon and Apple.

On Aug. 3, an "epic hack" compromised technology journalist Mat Honan's Twitter account. Along the way, the attacker--known as "Phobia"--also managed to remotely erase Honan's Apple laptop, iPhone, and iPad. Furthermore, Phobia did it by socially engineering--as in, tricking--customer service representatives at Amazon and Apple, allowing him to gain sufficient information to first access Honan's iCloud and Gmail accounts.

Obviously, a self-described 19-year-old's ability to execute a multi-layered social engineer attack also calls into question who else--intelligence agencies, criminals, or legions of bored teenagers--may have already been putting these techniques to work, only without victims ever wising up.

Who's to blame? Start with the identity verification system employed by the technology giants. "Amazon's system is partially at fault, but the weakest link by far is Apple," says Marco Arment, the co-founder of Tumblr, on his blog. "It's appalling that they will give control of your iCloud account to anyone who knows your name and address, which are very easy for anyone to find, and the last four digits of your credit card, which are usually considered safe to display on websites and receipts."

[ Learn how to protect yourself. Read 8 Ways To Avoid Getting Your Life Hacked. ]

When it comes to screening consumers, businesses are lazy. "What it comes down to is authentication--how do you verify that someone is who they say they are? Right now, the industry norm is that you provide some bits of personal information," says the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. Cue the now-obvious problem: "None of that stuff is secret information," he says. "All of that is fairly easily gotten to through Google or other methods."

The failure of the security teams at Amazon and Apple to proactively spot--or else bother to address--Phobia-style attacks is glaring. (Both companies are reportedly reevaluating their checks and balances.) At the Black Hat Europe conference in Amsterdam earlier this year, penetration testers detailed gigs in which they'd been hired by a business to identify its information security vulnerabilities. Oftentimes, they found the expected flaws in Web applications. But too often, they literally also encountered unlocked backdoors to the office itself, and printouts of usernames, passwords, or other sensitive information carefully indexed inside unlocked filing cabinets.

Professional penetration testers would have made short work of Amazon and Apple, given the ease with which consumers can be impersonated. "People do this all the time, this isn't an isolated case that happened to Honan," says Space Rogue, who helped found noted consultancy @Stake, and who's previously worked for security research think tank L0pht Heavy Industries.

If businesses are lazy, so are consumers, and Honan admitted culpability in the attack against his online identity. "Those security lapses are my fault, and I deeply, deeply regret them," he wrote in a recap of the attacks. Still, after making that statement early on in his article, Honan then spent 3,300 words analyzing everything that others, including Amazon and Apple, did wrong.

To reiterate: Don't be a Honan. He failed to back up his devices to a hard drive, despite the amazing "fire and forget" Time Machine backup software included with his Apple OS X laptop. He used identical email address prefixes--first initial, last name--across numerous services, which made his account addresses easy for an attacker to guess. And he tied numerous accounts together, thus creating a single point of failure.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
9/5/2012 | 12:46:36 AM
re: Apple, Amazon Security Fails: Time For Change
Whenever I read one of these cautionary tales, I wonder how long it will be before organisations realise that passwords, PIN codes, biometrics and eyeball scans are not the answer. As Andrew rightly says, if it's difficult, people won't use it. I personally, have a directory on my machine containing about 80 files, with the username and password for every online connection I make - and I'm in the security business.
Security hole? Definitely. Avoidable? Definitely.
How much easier it would be, if all I had to remember was just one key word, of arbitrary length and, when I had to login to something, I was presented with an alphabet, and a string of corresponding random zero's and one's. All I'd have to do, is enter the numbers matching my word, and nobody, unless they read my mind, would know what my word was. If they tried copying what I'd typed, it wouldn't match the second set of random numbers. A nine-year old could do use it.
Oh, yes. When I entered my key word for the first time, or decided to change it, perhaps I could be presented with a random array of jpeg's of letters, which I could drag and drop into a field, so that malware didn't know what my new word was. That would be easier than typing, and a nine-year old could manage that, too. Perhaps there already is such an authentication system and, perhaps, a couple of banks, cloud providers and law-enforcement agencies are already implementing it. Perhaps it's described in a document at www.designsim.com.au/What_is_S....
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/17/2012 | 9:59:56 AM
re: Apple, Amazon Security Fails: Time For Change
Great comment, Anon. Reminds me of Norman Mailer's "Harlot's Ghost," in which one of the characters is trained in spycraft techniques which (if memory serves) involve applying arbitrary colors and object names to help memorize important words or concepts.
But the problem word in that statement is training--teaching yourself how to do this, then remembering what your system is.
So here's a suggestion: For those of us not so well-versed in such systems (myself included), use password safe software that works across PC/Mac, tablets, and smartphones. If you're using such software to keep track of unique passwords for every website you use--which you should be doing anyway--there's ample room to also track just which unique "mother's maiden name" you've used for any given website.
-- Mathew Schwartz
ANON1237925156805
50%
50%
ANON1237925156805,
User Rank: Apprentice
8/16/2012 | 5:15:34 PM
re: Apple, Amazon Security Fails: Time For Change
No security question need be a problem because YOU DON'T HAVE TO GIVE THE RIGHT ANSWER!!! This info does not get verified. You are asked for a fact about yourself to minimize the risk of your forgetting the answer to the security question.

I began my "lying" strategy when banks would ask for my mother's maiden name so that they could verify my identity if I later needed to bank by phone. This was years before the internet.

When asked for my mother's maiden name I give a syllable from the middle that's a very obscure but charming word. No one else would think of it, but I now remember it right alongside her actual name.

The trick is to develop one fake answer for each of the researchable standard questions as it comes up. Once you've got it, always give that answer for that question. Make your fake answer relate to the question with an association that's strong for you. That way it'll be just as easy for you to remember as the correct answer.

For example, would-be predators can look up your city of birth but they can't guess or research if you give another city instead. I give the city and state where my parents lived at that time and where I lived for the first seven months of my life.

If asked for my grandmother's first name, I give the name of her favorite sister, first and married names. If asked for my high school, I give one of the school's cross streets. Etc., etc.

This strategy works very well even for technophobes; each of us has associations that will support our recall of well-crafted bogus answers. Get a small library and you're set. So coach your friends!
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
8/14/2012 | 2:14:12 AM
re: Apple, Amazon Security Fails: Time For Change
Every time you make things "difficult" for a user to use, the more likely they're not to use it.

But, when you have the simplicity of "Oh look, one click and my entire life gets backed up on the cloud and I never have to worry about it"... that sells people on your solution.

What needs to happen is the ability for users to determine how many levels of security that they want for their accounts. Give a user the option of adding things like call back verification, two factor authentication, etc, etc. instead of applying a "one size fits all" solution across the board. Grandma storing her chicken cacciatore recipes on the cloud doesn't necessarily have the same security level requirements of someone doing on-line bill paying.

Andrew Hornback
InformationWeek Contributor
ANON1243950556912
50%
50%
ANON1243950556912,
User Rank: Apprentice
8/13/2012 | 6:43:59 PM
re: Apple, Amazon Security Fails: Time For Change
My bank allowed me to sign up for online banking with my account number (available to anyone to whom I ever sent a check, or anyone whose check I cashed) and the last four digits of my phone number. Gee, I wonder how you could find out what someone's phone number is.

Typical security questions: "What is your grandfather's first name?" "What was the name of your high school?" and the ever-popular "Mother's maiden name."

But some halfway decent ones: Name of your first pet, favorite movie.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?